GRAY 6/6/2017 1:33 PM

“CLOUD” ATLAS—A MAP TO AMENDING METADATA PRIVACY LAW IN THE MODERN ERA

Andrew Gray*

Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content. . . . [It’s] sort of embarrassing how predictable we are as human beings.1

—Stewart Baker, former General Counsel of the NSA

TABLE OF CONTENTS

I. INTRODUCTION
II. WHAT IS METADATA, AND WHY DOES IT DESERVE PROTECTION UNDER THE LAW?
III. THE CURRENT METHODS OF LAW ENFORCEMENT ACCESS TO DATA AND METADATA
    A. Who Owns Data and Metadata?
    B. The Electronic Communications Privacy Act
    C. The Current Law Enforcement Request Process
IV. WHAT TYPE OF TREATMENT SHOULD DATA AND METADATA BE AFFORDED UNDER THE LAW?
V. THE PRIVACY IMPLICATIONS OF ELECTRONIC COMMUNICATION INFORMATION REQUESTS
VI. A REALISTIC SOLUTION TO THE ISSUE OF ELECTRONIC COMMUNICATION INFORMATION
    A. Current Reform Proposals In Congress
    B. New Proposed Amendments to the SCA and the MLAT Process
VII. CONCLUSION

* I’d like to thank Professors Stacy Brainin and Barry McNeil, as well as Ari Herbert. I would also like to thank Professor Andrew K. Woods, for his guidance and advice in writing this piece.
1. Alan Rusbridger, The Snowden Leaks and the Public, N.Y. REV. BOOKS (Nov. 21, 2013), http://www.nybooks.com/articles/2013/11/21/snowden-leaks-and-public/ (quoting Stewart Baker, former General Counsel of the NSA).

148 GONZAGA LAW REVIEW Vol. 52:2

I. INTRODUCTION

Imagine an Italian police officer, investigating a crime perpetrated by an Italian citizen, against an Italian victim. Crucial evidence lies in a server farm in California, so the police officer must work to get it. To access the content of an inculpatory email, the process takes around ten months, and in many cases, even longer.2 But what if the officer wants access to the metadata of the email? The “non-content” metadata can provide both the recipient’s and sender’s addresses, IP addresses, and countless other pieces of valuable information.3 Accessing this metadata is a gamble for the officer, because there are no uniform laws, or even a set of acceptable standards governing how the officer’s metadata requests are honored.4 In addition, if the officer’s request is granted, the metadata in question will include not only the information of his suspect, but also of innocent people. Under the current rules of data and metadata requests, oversight is shaky at best, and personal privacy is compromised.5 The unequal treatment of data and metadata poses a significant risk for users, corporations, and law enforcement agencies. As communications technology advances, our current laws become even more outdated. In the era of big data, where the world’s technological ability to create, capture, and process information is ever growing,6 this issue has never been more relevant.7 By reforming the laws surrounding these law enforcement requests, criminal investigations can be more efficient, while at the same time protecting the privacy of users.8

2. RICHARD A. CLARKE ET AL., LIBERTY AND SECURITY IN A CHANGING WORLD: REPORT AND RECOMMENDATIONS OF THE PRESIDENT’S REVIEW GROUP ON INTELLIGENCE AND COMMUNICATIONS TECHNOLOGIES 227 (Dec. 12, 2013).
3. Rebecca Greenfield, What Your Email Metadata Told the NSA About You, THE ATLANTIC (June 27, 2013), http://www.thewire.com/technology/2013/06/email-metadata-nsa/66657/.
4. See Jennifer Daskal, The Microsoft Warrant Case: The Policy Issues, JUST SECURITY (Sept. 28, 2015, 12:48 PM), https://www.justsecurity.org/25901/microsoft-warrant-case-policy-issues/ (discussing the lack of standards for U.S. companies receiving metadata requests from foreign governments).
5. Id.
6. See EXEC. OFFICE OF THE PRESIDENT, BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES 1-2 (2014) (“Most definitions [of big data] reflect the growing technological ability to capture, aggregate, and process an ever-greater volume, velocity, and variety of data.”).
7. Id.
8. Id. at 33.

2016/17 “CLOUD” ATLAS 149

This article argues that in light of our current law enforcement and surveillance capabilities, the rules regarding metadata disclosure are woefully inadequate. Part II of this article gives a brief introduction into metadata, and why it should be protected. Part III examines the current framework of data and metadata requests by law enforcement. Part IV considers how the law should treat metadata, in comparison to data. Part V looks at the effect of metadata rules on personal privacy, and the implications of law enforcement access. Finally, Part VI concludes by recommending a framework for amending data privacy law, protecting user privacy, and increasing law enforcement investigative efficiency.

II. WHAT IS METADATA, AND WHY DOES IT DESERVE PROTECTION UNDER THE LAW?

Data and metadata exist in all electronic communications. When an email is sent, the content of the email is data: the subject, the body, and any attachments.9 The metadata of the email is the recipient’s and sender’s email addresses, their IP addresses, and the date and time the email was sent.10 When a cell phone call is made or text message is sent, the data consists of the communication between parties.11 The metadata can include each phone number, the date and time, the call duration, and the route the call took through cell towers.12 Simply put, data is the message that a user wants to communicate, and metadata is when and how he or she does so.13 Why should an individual be wary of law enforcement access to metadata? People share information with friends, acquaintances, and countless websites. How much can really be told from these small pieces of information? Given the choice to have someone read through your mind, or read through your phone, many people would choose the latter. However, your brain can only hold so much information, and not all of it is accurate.14 A cell phone contains a perfect record

9. Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending it, 72 GEO. WASH. L. REV. 1208, 1228 (2004).
10. Id.
11. See id.
12. Id. at 1228; JULIE K. PETERSEN, THE ILLUSTRATED TELECOMMUNICATIONS DICTIONARY 147 (CRC Press, 2d ed. 2002) (defining a “call detail record” to include phone call metadata “such as call duration, caller and/or callee, time of day, etc.”).
13. See Kerr, supra note 9, at 1228 (“Although the line between [data and metadata] occasionally blurs, in most cases the line is clear: it is the line between a message that a person wants to communicate and information about when and how he does so.”).
14. CGP Grey, Footnote *: I, Phone, YOUTUBE (Apr. 14, 2016), https://youtu.be/e-ZpsxnmmbE.

of where you go, what you do, with whom you do it,15 and the records on that phone are the very metadata law enforcement will attempt to access.16 A 2014 Stanford University study agreed, showing that phone metadata is extremely sensitive.17 Using 546 participants, the study analyzed metadata from the participants’ phones, to reveal the following about certain individuals:

• Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.

• Participant B spoke at length with cardiologists at a major medical center, talked briefly with a medical laboratory, received calls from a pharmacy, and placed short calls to a home reporting hotline for a medical device used to monitor cardiac arrhythmia.

• Participant C made a number of calls to a firearm store that specializes in the AR semiautomatic rifle platform. They also spoke at length with customer service for a firearm manufacturer that produces an AR line.

• In a span of three weeks, Participant D contacted a home improvement store, locksmiths, a hydroponics dealer, and a head shop.

• Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.18

15. Id.
16. John Kelly, Cellphone Data Spying: It’s Not Just the NSA, USA TODAY (Dec. 8, 2013), http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/.
17. Jonathan Mayer & Patrick Mutchler, MetaPhone: The Sensitivity of Telephone Metadata, WEB POLICY (Mar. 12, 2014), http://webpolicy.org/2014/03/12/metaphone-the-sensitivity-of-telephone-metadata/; Bill Ockenden, Metadata Mining: Stanford University Researchers Shocked by Success of NSA-Style Phone Data Trawl, ABC NEWS AUSTL. (Mar. 13, 2014, 12:32 PM), http://www.abc.net.au/news/2014-03-13/metadata-research-reveals-phone-privacy-risks/5319486.
18. Mayer & Mutchler, supra note 17.

By gathering enough telephone or email metadata from an individual, law enforcement agencies can extrapolate a great deal about that person’s life.19 On its face, law enforcement requests for metadata seem much less invasive than requesting the data of electronic communications. However, over a prolonged period, the same information can be equally sensitive.20 For organizations like the NSA, metadata may be all that is needed for a meaningful inference about an individual.21 When law enforcement agencies have access to email or phone metadata, they have an in-depth look into someone’s personal life, and the people he or she interacts with.22 These agencies can create a profile on criminal suspects, linking pieces of metadata to each other to create a mosaic of information.23 Problems arise, however, with how these mosaics are created.24 Not only do these webs of metadata hold information on a criminal suspect, but they also give insight into the personal lives of anyone that suspect may have interacted with.25 Holding that the NSA’s bulk collection of metadata is likely unconstitutional, Judge Richard Leon noted that “the metadata from each person’s phone ‘reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.’”26 General Michael Hayden, former Director of both the NSA and the CIA, explained bluntly that “[w]e kill people based on metadata.”27 For law enforcement, the best characteristic of metadata, beyond the information it provides, is how easily it can be accessed in comparison to data.28

19. See id. (demonstrating the ease with which the researchers could make accurate predictions about a person’s personal life through metadata).
20. Id.
21. Id.
22. Id.
23. See James Risen & Laura Poitras, N.S.A. Examines Social Networks of U.S. Citizens, N.Y. TIMES (Sept. 29, 2013), http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html.
24. See id.
25. Id.
26. Klayman v. Obama, 957 F. Supp. 2d 1, 32, 36 (D.D.C. 2013) (quoting U.S. v. Jones, 132 S. Ct. 946, 955 (2012) (Sotomayor, J. concurring)), vacated, 800 F.3d 559 (D.C. Cir. 2015).
27. David Cole, We Kill People Based on Metadata, N.Y. REV. BOOKS (May 10, 2014, 10:12 AM), http://www.nybooks.com/daily/2014/05/10/we-kill-people-based-metadata/.
28. Id.

III. THE CURRENT METHODS OF LAW ENFORCEMENT ACCESS TO DATA AND METADATA

A. Who Owns Data and Metadata?

While it may seem obvious that a user owns all of the information produced by sending emails, text messages, and making phone calls, the reality is more complex. When someone signs up for a service like Gmail, data and metadata are not solely present on the customer’s computer or cell phone.29 Gmail stores data and metadata on their own servers, in “the cloud,” where a copy of the information remains indefinitely.30 So while the user has control of their personal computer or phone, precise ownership and control over this cloud-stored information is unclear under both the law and corporate guidelines. Generally, the ownership of specific data in the cloud is negotiated between the user and service providers.31 In addition, the user and corporation will agree on the extent of the corporation’s ability to process and store the data on servers.32 Most corporations follow a similar formula in their user agreements, giving all ownership rights to the user, and allowing the corporation to act as bailee for the information.33 Unfortunately, few service providers give clear rules on ownership and control of metadata.34

29. See Eddie Wrenn, Ever Wonder How Your Email Goes From A to B? Google’s New Animation Shows You How, DAILYMAIL.COM (May 15, 2012), http://www.dailymail.co.uk/sciencetech/article-2144735/The-Story-Send-Googles-animation-explaining-email-goes-A-B-reveals-interesting-trivia-giants-data-farms.html (I cite this article in lieu of the Google animation itself because the animation website has been removed).
30. See id.
31. See Thomas J. Trappler, Opinion, When Your Data’s in the Cloud, is it Still Your Data?, COMPUTERWORLD (Jan. 17, 2012, 9:28 AM), http://www.computerworld.com/article/2501452/data-center/when-your-data-s-in-the-cloud-is-it-still-your-data-.html (discussing the increasing number of negotiations between corporations and users regarding data ownership).
32. David Howell, The Cloud Conundrum: Who Actually Owns Your Data?, TECHRADAR (Sept. 7, 2014), http://www.techradar.com/us/news/internet/cloud-services/the-cloud-conundrum-who-actually-owns-your-data—1260464.
33. See, e.g., AWS Customer Agreement, AMAZON WEB SERVICES, https://aws.amazon.com/agreement/ (last visited Feb. 25, 2017) (“As between you and us, you or your licensors own all right, title, and interest in and to Your Content . . . we obtain no rights under this Agreement from you or your licensors to Your Content, including any related intellectual property rights.”); see also Google Terms of Service, GOOGLE, https://www.google.com/policies/terms/ (last visited Feb. 25, 2017) (“Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.”).
34. See Howell, supra note 32.

From a legal perspective, information stored on third-party servers is subject to the third-party doctrine, meaning that when a customer voluntarily provides information to a third party, the customer has no reasonable expectation of privacy.35 In Smith v. Maryland, the Court extended the doctrine to prospective information provided to a third party.36 However, the Supreme Court in 1979 could not have predicted the way in which modern society relies on data and metadata for basic communication and social interaction. In fact, Smith involved information collected from a rotary telephone.37 Is today’s user voluntarily providing a third party with the content and records of their emails and communications? Or are they simply relying on the third party as a necessary means of having their message sent?38

B. The Electronic Communications Privacy Act

Realizing the technological advancements before them and the inability of the third-party doctrine to govern data and metadata, Congress passed the Electronic Communications Privacy Act (ECPA) in 1986.39 While the act is broad in scope, the Stored Communications Act40 is the most relevant section of ECPA to the subject of this article. The Stored Communications Act (SCA) criminalizes unauthorized access to a user’s data and metadata.41 In addition, it restricts corporations from voluntarily sharing the information they store42 and it regulates law enforcement requests for data and metadata from these corporations.43 As a result, requests by law enforcement to access data or metadata are governed by the SCA. For the content of an email, phone call, or text message, a law enforcement agency is required to obtain a warrant, administrative subpoena, or court order to compel production of the information from a corporation that stores it.44 Often,

35. See Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (explaining that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” (citations omitted)).
36. Id. at 744–45.
37. Id.
38. See Gabriel R. Schlabach, Privacy in the Cloud: The Mosaic Theory and the Stored Communications Act, 67 STAN. L. REV. 677, 694–97 (2015) (providing a more in-depth discussion of metadata and the third-party doctrine).
39. Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. §§ 2510–22, 2701–12, 3121–27 (2015)).
40. 18 U.S.C. §§ 2701–12 (2015).
41. Id. § 2701.
42. Id. § 2702.
43. Id. § 2703.
44. Id.

a user is not notified that a corporation has disclosed the content of his or her communications.45 In addition, the SCA distinguishes between communications that are more or less than 180 days old.46 This rule, called the 180-day rule,47 requires a warrant for disclosure of content created within 180 days, and allows older content to be compelled with an administrative subpoena or court order, neither of which is subject to a finding of probable cause.48 When a law enforcement agency requests access to metadata, the process is largely the same, save for certain metadata called subscriber information. When a law enforcement agency requests the:

• name;

• address;

• local and long distance telephone connection records, or records of session times and durations;

• length of service (including start date) and types of service utilized;

• telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and

• means and source of payment for such service (including any credit card or bank account number)

of a subscriber or customer, no showing of probable cause or reasonable suspicion is ordinarily required; the request itself is usually sufficient.49

When ECPA and the SCA were passed, the laws were intended to legislate a Fourth Amendment-like alternative to the third-party doctrine, specifically for telephones and network computing.50 Since then, the law has continually

45. Id.
46. Id.
47. See, e.g., Ryan J. Reilly, DOJ: Electronic Communications Privacy Act’s 180-Day Stored Email Rule Not ‘Principled’, HUFFINGTON POST (May 19, 2013, 11:33 AM), http://www.huffingtonpost.com/ryan-j-reilly/ecpa-180-day-email-rule_b_2907846.html (describing and referencing the 180-day rule by name).
48. 18 U.S.C. § 2703(a), (b); see 18 U.S.C. § 2703(d) (describing requirements for a court order); see also CHARLES DOYLE, CONG. RESEARCH SERV., RL33321, ADMINISTRATIVE SUBPOENAS IN CRIMINAL INVESTIGATIONS: A BRIEF LEGAL ANALYSIS 2 (2006) (explaining the evidentiary standard for obtaining an administrative subpoena).
49. 18 U.S.C. § 2703; see DOYLE, supra note 48, at 2–3, 8.
50. Kerr, supra note 9, at 1212–13; see also Orin S. Kerr, The Next Generation Communications Privacy Act, 16 U. PA. L. REV. 373, 400 (2014) (“In a historical sense, ECPA

increased in scope and been applied to a much wider range of computer and phone activity.51 In 1993, only 22.9% of Americans owned a personal computer.52 By 1995, only 14% of Americans used the Internet.53 For a law passed at least seven years before these statistics, the SCA was remarkably foresighted. But like the Supreme Court in Smith v. Maryland, there was no way for Congress to predict how computing and communications technology would evolve. The current issues with the SCA revolve around the law’s outdated terminology, the insufficient protection against law enforcement data and metadata collection, and the law’s basis in 1980s computing and communications processes, which modern technology has long surpassed. While there has been effort to reform the SCA as well as ECPA generally,54 the law and the process of law enforcement requests for data and metadata remain largely the same as they were in 1986.55 The principal portions of the SCA lie in 18 U.S.C. §§ 2702 and 2703. Section 2702 governs a corporation’s ability to voluntarily disclose data and metadata to law enforcement agencies, other government entities, or third parties.56 Section 2703 provides the rules for compelled disclosure of data and metadata, including the 180-day rule, disclosure of subscriber information, and the requirements of a court order for disclosure.57 Within the context of the SCA, the term “government entities” mentioned in § 2702 means only the U.S. government, not any foreign government or law enforcement agency.58

has served its purpose: Congress intended it as a stopgap measure designed to impose statutory protections until Fourth Amendment precedents became established.”).
51. See id. at 1214, 1217.
52. THOM FILE, U.S. CENSUS BUREAU, COMPUTER AND INTERNET USE IN THE UNITED STATES 2 (2013).
53. Internet Use Over Time, PEW RESEARCH CENTER, http://www.pewinternet.org/data-trend/internet-use/internet-use-over-time/ (last visited Sept. 26, 2016).
54. See generally Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015) (proposed ECPA reform currently in the Senate Judiciary Committee); Electronic Communications Privacy Act Amendments Act of 2015, H.R. 283, 114th Cong. (2015) (House of Representatives equivalent to S. 356).
55. Compare 18 U.S.C. §§ 2701–04 (2015), with 18 U.S.C. §§ 2701–04 (1988).
56. 18 U.S.C. § 2702 (2015).
57. Id. § 2703.
58. Id. §§ 2702(c)(6), 2711(4); Greg Nojeim, MLAT Reform Proposal: Protecting Metadata, LAWFARE (Dec. 10, 2015, 2:43PM), https://www.lawfareblog.com/mlat-reform-proposal-protecting-metadata.

C. The Current Law Enforcement Request Process

When American law enforcement seeks access to data or metadata, the process is fairly straightforward. For example, if the FBI needs data stored in California, they need only comport with the SCA by obtaining a warrant, subpoena, or court order for the request, and the corporation storing the data is obligated to give access. The same is true for metadata access, except for certain subscriber information.59 When state or local law enforcement requests access to data, they are also bound by any state law equivalent of the SCA.60 Currently, only five states have these types of laws.61 The process of how American law enforcement agencies request information stored in a foreign country is currently being litigated.62 In Microsoft Ireland, a magistrate judge in New York issued a warrant for data and metadata stored by Microsoft.63 While Microsoft produced the relevant data and metadata stored on its American servers,64 they, like many corporations, store a significant portion of their information abroad.65 In this particular case, the majority of the data and metadata was stored in Ireland,66 so Microsoft refused to give access, arguing that the SCA does not apply extraterritorially.67 A number of corporations, even direct competitors, filed amicus briefs in support of Microsoft, arguing that

59. See supra Part III(B).
60. See Kim Zetter, California Now Has the Nation’s Best Digital Privacy Law, WIRED (Oct. 8, 2015, 9:58PM), http://www.wired.com/2015/10/california-now-nations-best-digital-privacy-law/ (explaining California’s ECPA and its jurisdiction).
61. Id.
62. In re Warrant to Search a Certain E-mail Account Controlled & Maintained by Microsoft Corp., 15 F. Supp. 3d 466, 467–68 (S.D.N.Y. 2014), appeal docketed sub nom. Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) [hereinafter Microsoft Ireland].
63. Id.
64. Id. at 468.
65. See Pablo Valerio, US Firms Looking to Europe For Data Protection, NETWORK COMPUTING (May 26, 2016, 6:30 AM), http://www.networkcomputing.com/cloud-infrastructure/us-firms-looking-europe-data-protection/129277031; Orin S. Kerr, What Legal Protections Apply to E-mail Stored Outside the U.S.?, WASH. POST: VOLOKH CONSPIRACY (July 7, 2014), https://www.washingtonpost.com/news/volokh-conspiracy/wp/2014/07/07/what-legal-protections-apply-to-e-mail-stored-outside-the-u-s/ (“Why is the data outside the U.S.? Well, it turns out that Microsoft has designed its network so that it often maintains the e-mails of individuals who signed up for accounts using foreign country codes on servers in Ireland instead of in the U.S.”).
66. Microsoft Ireland, 15 F. Supp. 3d at 467–68 (“[B]ased on the “country code” that the customer enters at registration, Microsoft may migrate the account to the datacenter in Dublin.”).
67. Id. at 470 (“Federal courts are without authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.”).

allowing law enforcement access to this data and metadata would infringe on foreign sovereignty.68 The Second Circuit Court of Appeals decided the case on July 14, 2016.69 Judge Carney, writing for the court, reversed the district court’s decision, stating that Congress did not intend for the SCA’s warrant provisions to apply extraterritorially.70 Although Microsoft seems to have won this battle, the case will inevitably go to the U.S. Supreme Court. If Microsoft prevails in the Supreme Court, then law enforcement will be required to request access for the information directly from the Irish government, through the Mutual Legal Assistance Treaty (MLAT) between the U.S. and Ireland.71 If the government wins the case, then the process for requesting foreign data and metadata from an American corporation will be functionally equivalent to if the data were stored in U.S. servers.72 Regardless of the outcome, Microsoft Ireland will present serious problems for data and metadata security as well as for law enforcement, and will directly affect how foreign data and metadata requests can be reformed.73 When a foreign government or law enforcement agency requests cloud-stored data or metadata from an American corporation, they may compel production through the MLAT process.74 This process requires the foreign agency to transmit a request for the data or metadata to the Department of Justice, which is then fed to the appropriate U.S. Attorney’s office.75 The U.S. Attorney’s office then obtains a warrant from a magistrate or district court judge, and the FBI executes it.76 Throughout the process, each agency must comport with

68. Kerr, supra note 65; see, e.g., Brief in Support of Appellant Microsoft, Inc. by Apple Inc. as Amicus Curiae at 3, Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (No. 14-2985).
69. Microsoft Corp. v. United States, 829 F.3d 197 (2nd Cir. 2016).
70. Id. at 222.
71. See Brief for the United States of America at 48, 52–53, Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (No. 14-2985) (noting the consequences of a Microsoft victory).
72. See id. at 44, 53.
73. For more on this idea, see generally Jennifer Daskal, The Un-Territoriality of Data, 125 YALE L.J. 326 (2015) (discussing search and seizure of electronic data in different territories).
74. T. Markus Funk, Mutual Legal Assistance Treaties and Letters Rogatory: A Guide for Judges, FEDERAL JUDICIAL CENTER 5 (2014), www.fjc.gov/public/pdf.nsf/lookup/mlat-lr-guide-funk-fjc-2014.pdf/$file/mlat-lr-guide-funk-fjc-2014.pdf. For metadata, if voluntary disclosure is denied, a foreign government or law enforcement agency may use the MLAT process to obtain the information.
75. See Kate Westmoreland, Process for Obtaining User Data from California Under a Mutual Legal Assistance Treaty (MLAT), http://cyberlaw.stanford.edu/files/blogs/MLAT%20flowchart%20-%2012.19.14.pdf (last visited Feb. 25, 2017).
76. Id.

ECPA and SCA requirements.77 The entire MLAT process usually takes around 10 months, but can last much longer.78 In all instances, the SCA acts as a blocking statute.79 It prevents corporations from voluntarily complying with law enforcement data requests, regardless of whether the requesting agency is American or foreign.80 For metadata, the SCA is decidedly more ambiguous. Absent an emergency or other exception, corporations are barred from voluntarily disclosing metadata to a “government entity,”81 but there is no limit on voluntary disclosure to other parties, including foreign governments or foreign law enforcement agencies.82 If a corporation voluntarily discloses metadata to a foreign government or law enforcement agency, the U.S. government may never know that a metadata request was made.83 Only when a corporation refuses to voluntarily disclose metadata are foreign and domestic requests for metadata treated equally.84 However, corporations are generally incentivized to voluntarily disclose what a requesting agency seeks.85 If a corporation volunteers metadata to a foreign government or law enforcement agency, they have no duty to notify the customer or subscriber which the metadata describes,86 and they can also avoid the hassle of the MLAT process.87 Generally, corporate metadata disclosure practices vary wildly.88 Currently, the United States is putting its trust in corporations to determine if, and

77. Id.
78. CLARKE ET AL., supra note 2, at 227.
79. See Andrew K. Woods, Against Data Exceptionalism, 68 STAN. L. REV. 729, 731, 772–73, 780–81 (2016) (noting the purpose of the SCA).
80. See 18 U.S.C. § 2702 (2015). The SCA also provides for some exceptions, such as allowing voluntary disclosure of stored communications to governments without a warrant in the case of certain emergencies. Id. § 2702(b)(8) (stating that a provider may supply the contents of communications “to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”).
81. 18 U.S.C. § 2702(c)(4), (c)(6).
82. Nojeim, supra note 58 (“Although ECPA bars U.S. service providers from voluntarily disclosing metadata to ‘governmental entities’, the Act defines governmental entity to include only U.S. federal, state and local government agencies. This definition does not include foreign governments. Therefore, U.S. communication service providers are permitted to voluntarily disclose user metadata—be it of a U.S. or non-U.S. person—to other governments.” (citations omitted)).
83. Id.
84. Id.
85. Id.
86. See id.; 18 U.S.C. §§ 2702(a)(3), 2711.
87. Nojeim, supra note 58.
88. Id.

specifically which, metadata can be divulged to foreign governments and law enforcement agencies.89 Many technology giants have recognized the problems inherent in this process, and have refused to disclose both data and metadata without a warrant, subpoena, or court order.90 Corporations have also begun to notify their users about government and law enforcement information requests.91 However, a user attempting to protect his or her personal privacy must search through pages of terms and conditions for each service they use in order to not only find a corporate metadata disclosure procedure, but to know which service offers the most protection.92 It is possible, perhaps even likely, that the average user has no knowledge of the disclosure practices for the companies s/he uses.

IV. WHAT TYPE OF TREATMENT SHOULD DATA AND METADATA BE AFFORDED UNDER THE LAW?

While general ECPA and SCA reforms are supported by corporations,93 academics,94 members of Congress,95 and even the White House,96 the issue of metadata is largely ignored. Reform efforts may seem to simply endorse the metadata status quo, but they are ignoring a growing problem: with current technology, metadata can be even more revealing than data.97 This article argues

89. See id. 90. Nate Cardozo et al., Who Has Your Back?: Protecting Your Data from Government Requests, ELEC. FRONTIER FOUND. 18 (May 15, 2014), https://www.eff.org/files/2014/05/15/who-has-your-back-2014-govt-data-requests.pdf; see Zack Whittaker, What Google Does When a Government Requests Your Data, ZDNET (Jan. 28, 2013), http://www.zdnet.com/article/what-google-does-when-a-government-requests-your-data/. 91. Cardozo et al., supra note 90, at 18. 92. An investment company, Skandia, performed a study which found that the average length of terms of service for a website is 2514 words, that the average person would need 76 days to read the terms of service for the websites he or she uses, and that only 7% of Britons read terms and conditions for said products or services. Ross McGuinness, Terms and conditions may apply. . . Does anybody read internet T&Cs?, METRO (July 1, 2014, 6:00 AM), http://metro.co.uk/2014/07/01/terms-and-conditions-may-apply-does-anybody-read-internet-tcs-4781976/. 93. Mark Jaycox, Seventy Public Interest Organizations and Companies Urge Congress to Update Email Privacy Law, ELEC. FRONTIER FOUND. (Jan. 23, 2015), https://www.eff.org/deeplinks/2015/01/more-x-public-interest-organizations-and-companies-urge-congress-update-email. 94. E.g., Woods, supra note 79, at 751, 778–80. 95. E.g., H.R. 1852, 113th Cong. (2013). 96. Press Release, White House, Fact Sheet: Big Data and Privacy Working Group Review (May 1, 2014), https://obamawhitehouse.archives.gov/the-press-office/2014/05/01/fact-sheet-big-data-and-privacy-working-group-review. 97. Jane Mayer, What’s the Matter with Metadata?, NEW YORKER (June 6, 2013), http://www.newyorker.com/news/news-desk/whats-the-matter-with-metadata (“It’s much

that under the law, data and metadata should be treated equally, combined, and called electronic communication information. With the rise of even more complex surveillance and communications technology, the distinction between data and metadata has become increasingly unclear, and may no longer be an “appropriate [measure] for the degree of intrusion that [metadata] makes into individuals’ private lives and associations.”98 Considering the revealing nature of metadata, the simplest solution to the issue of disclosures and user privacy is to treat all electronic communication information equally under the law.

From a judicial perspective, equal treatment of data and metadata is preferable to the current law. Combining data and metadata as electronic communication information would (1) make the SCA simpler and easier to enforce, (2) help to increase judicial efficiency in prosecuting cybercrimes,99 and (3) resolve judicial uncertainty about how this information differs from data under the Fourth Amendment.100

From a legislative perspective, this treatment would resolve many current problems and prevent future issues with privacy legislation. Equitable treatment would prevent corporations from varying their metadata disclosure practices and allow Congress to uniformly ensure user privacy without subjecting ignorant users to different standards and rules of disclosure.101 Looking at current ECPA and SCA reform efforts, treating data and metadata equally would streamline this reform and prevent metadata issues from being overlooked.102 By legislating both data and metadata together, Congress could eliminate many current loopholes for corporations and law enforcement agencies while preventing future loopholes as well. For example, a law enforcement agency is required to give notice to a user for a data request if the request was made by an administrative

more intrusive than content. . . If you can track that [metadata], you know exactly what is happening—you don’t need the content.” (quoting Susan Landau, author of “Surveillance or Security?”)). 98. International Principles on the Application of Human Rights to Communications Surveillance, NECESSARY & PROPORTIONATE (2014), https://en.necessaryandproportionate.org/files/2016/03/04/en_principles_2014.pdf. 99. See Cameron S. D. Brown, Investigating and Prosecuting Cyber Crime: Forensic Dependencies and Barriers to Justice, 9 INT’L J. CYBER CRIMINOLOGY 55, 94 (2015) (“The enactment of clear and transparent legislation would likewise reduce scope for technical objections to the admissibility of electronic evidence.”). 100. See Schlabach, supra note 38, at 680–81 (explaining issues with Orin Kerr’s mosaic theory of the 4th Amendment with regard to metadata and privacy). 101. See Cardozo et al., supra note 90 for an example of different corporate practices of data and metadata disclosure. 102. See supra Parts III(C), IV.

subpoena or court order.103 However, notice is never required for a metadata request,104 despite what the information can reveal about a user and regardless of how the request is made.

Legislating equal standards for data and metadata disclosure would also help the third-party doctrine adapt to the modern era. Given the exponentially larger amount of metadata created today in comparison to the time of Smith v. Maryland, experts have called for a broad reexamination of the third-party doctrine.105 Giving particular consideration to the information that metadata can reveal about a user, it makes little sense to apply the third-party doctrine to disclosure laws. In United States v. Warshak, the Sixth Circuit Court of Appeals held that a subscriber has a reasonable expectation of privacy in his or her email communications.106 In essence, the court held that the warrant requirement applies to all user data held by third parties, regardless of the 180-day rule.107 However, the warrant requirement in Warshak has not yet been extended to metadata, and the third-party doctrine still applies.108 Yet, in U.S. v. Jones, Justice Sotomayor expressed the view, in a concurring opinion, that the third-party doctrine should not apply to data and metadata disclosure to law enforcement.109 She called for a new perspective on the third-party doctrine because the current approach is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”110 In addition, other federal courts have noted the increasing tension between the third-party doctrine and modern electronic communication disclosure procedures.111 By treating data and metadata equally, the third-party doctrine issue would be resolved, and metadata disclosures could be held to the same Warshak standard.
This would ensure that these pieces of information, which can reveal so much about the personal lives of American citizens, require a showing of probable cause to obtain.

103. 18 U.S.C. § 2703(b)(1)(B) (2015). 104. Id. §§ 2702(a)(3), (c)(3), 2703(c). 105. See Fred H. Cate, Comments to the White House 60-Day Cybersecurity Review, CENTER FOR APPLIED CYBERSECURITY RESEARCH (Mar. 27, 2009), https://obamawhitehouse.archives.gov/files/documents/cyber/Center%20for%20Applied%20Cybersecurity%20Research%20-%20Cybersecurity%20Comments.Cate.pdf (calling into question the use of the third-party doctrine in today’s world). 106. United States v. Warshak, 631 F.3d 266, 274 (6th Cir. 2010). 107. See id. at 288; 18 U.S.C. § 2703. 108. EXEC. OFFICE OF THE PRESIDENT, BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES 33 (2014). 109. United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayor, J., concurring). 110. Id. (While Justice Sotomayor expressed this view, she made it clear that this opinion would not be considered in deciding Jones). 111. United States v. Graham, 796 F.3d 332, 360 (4th Cir. 2015).

This standard would also resolve differences between domestic and foreign metadata requests. Currently, corporations are free to voluntarily disclose metadata to foreign law enforcement agencies and governments, but are barred from doing the same domestically.112 While this gives corporations the freedom to prevent countries with poor human rights records from accessing user metadata, it also allows them to compromise user privacy at their own discretion and unbeknownst to their customers. In addition, corporations can voluntarily disclose this metadata to “any person other than a governmental entity.”113 Simply put, a corporation can share its users’ metadata with anyone in the world, so long as they are not a part of the American government.114 In 1979, this entailed sharing of land-line telephone records.115 In the modern era, these disclosures represent a much larger problem concerning the personal information of billions worldwide, including users who are not suspected of any crime. Increasing the standards by which metadata is accessed would protect users’ privacy interests by eliminating these loopholes which allow corporations to freely disclose personal information.

Equal treatment of data and metadata solves many problems, but it also creates issues of a different nature. Combining data and metadata into electronic communication information, under the current law, would decrease efficiency of law enforcement access and cause the process to be even more prolonged. For even simple requests, domestic law enforcement agencies would be required to produce a warrant, or at the very least, an administrative subpoena or court order, which would require notification of the party. Phone data and metadata requests alone totaled over 1.3 million in 2011.116 In combination with email and other communications data and metadata, requiring this process for all electronic communication information would complicate law enforcement investigatory procedure.

The SCA in its current form requires, upon a simple request from a law enforcement agency, disclosure of the name, address, and local and long distance telephone connection records of a corporation’s users, among other pieces of information.117 While the ability to obtain subscriber information is an essential

112. See supra Part III(B). 113. 18 U.S.C. § 2702(c)(6) (2015). 114. Id. “Government entity” is defined as “a department or agency of the United States . . . .” 18 U.S.C. § 2711(4). 115. Schlabach, supra note 38, at 692. 116. Press Release, Mass. Sen. Ed Markey, For Second Year in a Row, Markey Investigation Reveals More Than One Million Requests By Law Enforcement for Americans Mobile Phone Data (Dec. 9, 2013), http://www.markey.senate.gov/news/press-releases/for-second-year-in-a-row-markey-investigation-reveals-more-than-one-million-requests-by-law-enforcement-for-americans-mobile-phone-data. 117. 18 U.S.C. § 2703(c)(2). For a full list of the metadata subject to this rule, see supra text accompanying note 49.

aspect of the criminal investigative process, the subscriber information listed above is designed for 1986 technology.118 In the modern era, a user can subscribe to an electronic communications provider without an address, phone number, or credit card. As technology changes and advances, so must the meaning of subscriber information. Amending these portions of the law to comply with equal treatment of data and metadata would provide a remedy to this inefficiency, allowing certain subscriber information to be gathered with a formal request, providing law enforcement with the information necessary to determine if a warrant will be required. By amending and streamlining the process by which requests are made, law enforcement investigatory efficiency can be increased, while simultaneously protecting against unjustified metadata disclosures.

Many of the changes this article proposes have been done before, in forming state privacy laws. The ECPA equivalent law in California treats data and metadata equally, using the same terminology: electronic communication information.119 A warrant is required to compel disclosure of both types of information, subject to other listed exceptions.120 California’s statute protects the privacy of users, while clearly outlining rules of access for law enforcement. The statute received critical acclaim and praise for its ability to modernize privacy rules given current technology.121 This law provides a model example of federalism, where states act as laboratories for democracy.122 The U.S. government can look to this statute as an experiment in privacy law and use the statute’s language to implement similar provisions on the federal level. By reforming these specific provisions of the SCA, and treating all electronic communication information equally, users’ metadata could be afforded adequate protection under the law, and law enforcement investigative efficiency could be improved.
By allowing subscriber information to be disclosed with a formal request, law enforcement agencies could precisely determine whether further

118. See 18 U.S.C. § 2703(c)(2). 119. CAL. PENAL CODE §§ 1546(d), 1546.1(b) (Deering 2016). 120. Id. § 1546.1(a). Section 1546.1(c) lists exceptions to when “a government entity may access electronic device information by means of physical interaction or electronic communication with the device” such as (1) when a warrant is issued; (2) when there’s specific consent from the information’s authorized possessor or owner; (3) if the device containing the sought information is taken from an inmate; (4) in an emergency situation; or (5) if the device is believed to be lost, stolen, or abandoned. Id. § 1546.1(c). 121. See, e.g., Zetter, supra note 60; G.S. Hans, A Major Win for Privacy: California ECPA Signed into Law, CTR. FOR DEMOCRACY AND TECH. (Oct. 9, 2015), https://cdt.org/blog/a-major-win-for-privacy-california-ecpa-signed-into-law/ (praising the California law for modernizing protections for data and metadata). 122. As Justice Brandeis wrote, “[i]t is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory.” New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).

information will be necessary, instead of requesting “cell phone tower dumps,”123 which can inadvertently compromise the privacy of users uninvolved with the investigation.124 Further, this would allow foreign governments to request this information without going through the MLAT process. So, in the event of an uncooperative corporation, the foreign law enforcement agency could still request this subscriber information, saving time and effort for both the agency and the American entities involved in the MLAT process.

V. THE PRIVACY IMPLICATIONS OF ELECTRONIC COMMUNICATION INFORMATION REQUESTS

The efforts to reform the ECPA and the SCA have been concerned mostly with efficiency of law enforcement access.125 The ECPA is a statute designed to protect data and metadata from unjustified law enforcement access,126 and when reforming it, we must weigh the needs of law enforcement against a right to personal privacy.127 However, by improving the efficiency of law enforcement access to electronic communication information, personal privacy can be protected at the same time. Without a proper and efficient framework in place for law enforcement access to user data and metadata, states and foreign governments may continue policies that erode personal privacy interests.

123. Press Release, Mass. Sen. Ed Markey, For Second Year in a Row, Markey Investigation Reveals More Than One Million Requests By Law Enforcement for Americans Mobile Phone Data (Dec. 9, 2013), http://www.markey.senate.gov/news/press-releases/for-second-year-in-a-row-markey-investigation-reveals-more-than-one-million-requests-by-law-enforcement-for-americans-mobile-phone-data (highlighting the current use of “cell phone tower dumps”). 124. Katie Haas, Cell Tower Dumps: Another Surveillance Technique, Another Set of Unanswered Questions, AM. CIV. LIBERTIES UNION BLOG (Mar. 27, 2014, 11:58 AM), https://www.aclu.org/blog/cell-tower-dumps-another-surveillance-technique-another-set-unanswered-questions (explaining what a cell phone tower dump is, as well as how inadvertent users are involved). 125. Andrew K. Woods, Procedural Options for Improving Cross-Border Requests for Data, LAWFARE BLOG (Oct. 13, 2015, 7:58 AM), https://www.lawfareblog.com/procedural-options-improving-cross-border-requests-data (in the context of Woods’ proposal, “improving” requests for data centers around ease of access for foreign law enforcement, with seemingly little regard to protecting personal privacy interests). 126. S. Rep. No. 99-541, as reprinted in 1986 U.S.C.C.A.N. 3555 (1986) (the need for the ECPA is to protect communications stored by third parties, “in light of dramatic changes in new computer and telecommunications technologies.”). 127. The purpose of the 4th Amendment is to “safeguard the privacy and security of individuals against arbitrary invasions by governmental officials.” Camara v. Mun. Ct. of City and Cty. of S.F., 387 U.S. 523, 528 (1967).

Allowing electronic communication information to be efficiently accessed across borders decreases the need for forced data localization.128 Forced data localization measures include “rules preventing information from being sent outside the country, rules requiring prior consent of the data subject before information is transmitted across national borders, [and] rules requiring copies of information to be stored domestically.”129 Countries that cannot access data and metadata stored abroad may turn to these measures to force ease of access for law enforcement. But forced data localization poses a much larger threat to personal privacy than the privacy risks inherent in the current level of law enforcement access.130 Forced data localization increases threats of cybercriminal hacking131 and does nothing to prevent foreign surveillance.132 One estimate suggests that roughly half of Americans had their data compromised in 2015, a number which will only increase if data and metadata are stored in only one place.133

Like forced data localization, governments may require companies to undertake other measures to ensure that data and metadata can be easily accessed. When a company implements end-to-end encryption on all of its communication information, there is no way of complying with a law enforcement request for metadata.134 If companies are incentivized to encrypt their communication information, governments will be equally incentivized to either prevent them from doing so or to shut the company down entirely.135 If electronic communication information can be justly and efficiently accessed, then the risks inherent in encryption decrease.

Without an adequate framework for accessing electronic communication information, governments are also incentivized to rely on extra-legal means of

128. See Woods, supra note 79, at 59–60. 129. Anupam Chander & Uyen P. Le, Data Nationalism, 64 EMORY L.J. 677, 680 (2015) (addressing the potential negative consequences of data localization). 130. Id. at 713, 718–19. 131. See id. at 718–20. 132. Id. at 714–18. 133. Jose Pagliery, Half of American Adults Hacked This Year, CNN MONEY (May 28, 2014, 9:25 AM), http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/. 134. Cade Metz, Forget Apple vs. The FBI: WhatsApp Just Switched On Encryption for a Billion People, WIRED (Apr. 5, 2016, 11:00 AM), http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/ (“With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service.”). 135. Id. (“Just recently, a Brazilian court had ordered a temporary shutdown of WhatsApp in the country after the company failed to turn over messages to the government that had been sent across a part of the service that was already encrypted.”).

access. Foreign governments and law enforcement agencies often threaten and coerce corporations into complying with data and metadata requests.136 While these companies are circumventing American law, which governs these corporations’ data and metadata disclosure rules, there is little consequence for these actions.137 Foreign governments and law enforcement agencies will also utilize covert surveillance to access data and metadata.138 Under the current framework of data and metadata requests, these problems and series of unsavory solutions will continue to plague the internet.139

Although reforming the ECPA and the SCA with the goal of increasing law enforcement efficiency seems counterintuitive, it will also protect user privacy, albeit in an unorthodox way. While the wariest of users and privacy advocates would prefer absolute anonymity and protection from surveillance or law enforcement access, a properly reformed ECPA would certainly be preferable to the current alternatives. In the long term, allowing governments and law enforcement agencies lawful, efficient, and justified access to electronic communication information can increase personal privacy on the internet by giving clear and simple rules for when and how this information is disclosed.

VI. A REALISTIC SOLUTION TO THE ISSUE OF ELECTRONIC COMMUNICATION INFORMATION

A. Current Reform Proposals In Congress

Given the outdated nature of the ECPA and the SCA, and the lack of protection from unjustified metadata disclosures, it should come as no surprise that this article is one of many arguing for broad reform.140 However, in reforming these laws, rules regarding metadata must be given adequate

136. See Song Jung-a, South Korean Police Raid Google Offices, FIN. TIMES (Aug. 10, 2010), http://www.ft.com/intl/cms/s/2/b8d7bb26-a46c-11df-abf7-00144feabdc0.html; Brazilian Police Detain Local Google President, BBC NEWS (Sept. 27, 2012), http://www.bbc.com/news/world-latin-america-19737364. 137. See Andrew K. Woods, Why Does Microsoft Want a Global Convention on Government Access to Data?, JUST SECURITY (Feb. 19, 2014, 9:45 AM), https://www.justsecurity.org/7246/microsoft-global-convention-government-access-data/ for an explanation of the coercive influence exerted by foreign law enforcement. These pressures may outweigh concerns about potential liability. 138. See Chander & Le, supra note 129, at 716 (explaining governments would rather share information about their citizens with foreign governments than allow foreign surveillance of their citizens). 139. See id. at 681 (arguing that increased foreign surveillance and data localization “would dramatically alter this fundamental architecture of the Internet.”). 140. See supra Part IV.

consideration. Further, the reforms must balance domestic law enforcement access with Fourth Amendment protections, and the investigatory interests of foreign entities. There have been dozens of proposals for reforming these laws, and many are pending in Congress.141 However, these proposals either seek to codify Warshak,142 or respond to the Microsoft Ireland case.143 While these potential changes address important points, none go far enough to address the key problems, especially concerning metadata in the ECPA or the SCA.

In the Senate, the ECPA Amendments Act of 2015 and its House equivalent, the Email Privacy Act, both require warrants for a law enforcement data request.144 They also eliminate the required disclosure of certain pieces of subscriber information and metadata.145 While corporations would no longer be required to disclose some metadata upon request, warrantless law enforcement access would hinge on an administrative subpoena or a court order,146 neither of which requires a finding of probable cause.147 Further, these acts continue to use the confusing distinction between content and non-content which exists within the current statute.148

The LEADS Act performs a similar function to the two former bills. It will require a warrant for content disclosure, but does nothing to amend requests for

141. See, e.g., Greg Nojeim, MLAT Reform Proposal: Protecting Metadata, LAWFARE (Dec. 10, 2015, 2:43 PM), https://www.lawfareblog.com/mlat-reform-proposal-protecting-metadata. 142. Recall in Warshak the court essentially held that the warrant requirement applies to all user data held by third parties, regardless of the 180-day rule. See supra notes 106–111 and accompanying text. The ECPA Amendments Act of 2015, and its House equivalent, the Email Privacy Act, will reform ECPA and the SCA to require a warrant for a data request. Email Privacy Act, H.R. 699, 114th Cong. (2015); Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015). 143. The LEADS Act will require a warrant for data requests, as well as reform the MLAT process, by establishing online tracking of requests, and implementing transparency requirements. See Law Enforcement Access to Data Stored Abroad (LEADS) Act, S. 512, 114th Cong. (2015). 144. Compare Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015), with Email Privacy Act, H.R. 699, 114th Cong. (2015). 145. Compare Email Privacy Act, H.R. 699, 114th Cong. (2015), with Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015). 146. Email Privacy Act, H.R. 699, 114th Cong. (2015); Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015). 147. See CHARLES DOYLE, supra note 48, at 2–3, 8; 18 U.S.C. § 2703(d) (2015) for the evidentiary standards required to obtain an ECPA court order. 148. Email Privacy Act, H.R. 699, 114th Cong. (2015); Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015); 18 U.S.C. § 2702.

metadata.149 The act makes meaningful steps for MLAT reform, but without drastic changes, the process will continue to be slow and inefficient. If the MLAT process is not streamlined, the LEADS Act’s transparency measures will do little to inform users of foreign governments’ inevitable extra-legal efforts to access data and metadata.

As this article has shown, large amounts of metadata can provide insights into people’s personal lives and can be just as, if not more, revealing than communications content itself. Both proposals in Congress fail to meaningfully address metadata and continue to allow the unsupervised disclosure of metadata to any non-government entity.150 By doing so, reform efforts continue to ignore a growing threat while compromising personal privacy.

B. New Proposed Amendments to the SCA and the MLAT Process

The ECPA and the SCA are outdated, and fail to adequately protect against sweeping requests for metadata. Fortunately, the fix is relatively simple. The law can be properly changed with only a few significant amendments and can provide a solution to problems with metadata and increase the efficiency of law enforcement access, while protecting personal privacy interests. The first, and most significant, change would be to amend 18 U.S.C. § 2703. The text of the proposed amendment to § 2703 is shown below:

The Amended Statute—18 U.S.C. § 2703:

(a) Electronic Communication Information—A governmental entity may require the disclosure by a service provider of electronic communication information only under the following circumstances—

(1) pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a state court, issued using state warrant procedures) by a court of competent jurisdiction, except as described under subsection (b); or

(2) pursuant to a subpoena issued pursuant to existing federal law, provided that the information is not sought for the purpose of investigating or prosecuting a criminal offense, and compelling the production of or access to the information via the subpoena is not otherwise prohibited by federal law.

149. Compare Law Enforcement Access to Data Stored Abroad Act, S. 512, 114th Cong. (2015), with 18 U.S.C. § 2703(c). 150. Compare Email Privacy Act, H.R. 699, 114th Cong. (2015), and Electronic Communications Privacy Act Amendments Act of 2015, S. 356, 114th Cong. (2015), with 18 U.S.C. § 2702(a)(3).

(b) Subscriber Information—A provider of electronic communication information shall disclose to a governmental entity the—

(1) name;

(2) address;

(3) local and long distance telephone connection records, or records of session times and durations;

(4) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address, or email address;

(5) similar contact information provided to the subscriber to establish or maintain an online account;

of a subscriber to an electronic communication service, only when the governmental entity submits a formal written request relevant to a law enforcement investigation, when the provider has the consent of the subscriber or customer of such disclosure, or by the process outlined under subsection (a).151

This proposal changes several parts of § 2703. First, data and metadata are treated equally, and disclosure of either requires a warrant in the case of a criminal investigation. This amendment gives adequate user protection for metadata, by requiring a warrant for information sought as part of a criminal investigation. This is done by removing the distinction between data and metadata, in favor of electronic communication information, which encompasses the contents of a communication and records like location, time of creation, and IP addresses of the sender and recipient. This language is adapted from California’s recently-passed amendment to the state’s Electronic Communications Privacy Act.152

151. This amended statute would replace sections (a) through (c) of the original § 2703. Section (d) would be deleted through the codification of Warshak. Sections (e) through (g) would remain unchanged. 152. See CAL. PENAL CODE § 1546(d) (Deering 2016) (defining electronic communication information as “any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the

In addition, the proposed amendment to § 2703 allows for non-warrant disclosure of certain pieces of subscriber information upon request from law enforcement. This subscriber information is different from the original statute and includes an email address, and any similar contact information used to establish or maintain an online account with a service provider.153 By requiring that the request be relevant to a law enforcement investigation, law enforcement agencies are blocked from making cell phone tower dumps, or other sweeping requests for metadata. However, these required requests are simple, and increase the ability of law enforcement to quickly determine whether to seek a warrant by changing what pieces of information the law considers to be subscriber information.154 Lastly, this amendment eliminates the 180-day rule, which created lower evidentiary requirements to compel disclosure of content stored for less than 180 days.155 This change, proposed in the ECPA Amendments Act of 2015 and the Email Privacy Act,156 helps to comport the law with modern email technology and codifies Warshak. In 1986, unopened emails (the emails which the 180-day rule targets) were stored on a remote server, then deleted after opening, often without a backup.157 Emails that were older than 180 days were subject to a lower standard because they had been considered abandoned by the user and would only be stored on a third-party server.158 Today’s email technology is quite different. The majority of email services,159 like Gmail and Outlook, store email content and metadata on remote servers and the content is only deleted, if at all,

communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.”).
153. Compare supra Part VI, with 18 U.S.C. § 2703(c)(2).
154. See generally supra Part IV.
155. See 18 U.S.C. § 2703 (noting the difference in treatment at the 180-day mark).
156. Electronic Communications Privacy Act Amendments Act, S. 356, 114th Cong. (2015); Email Privacy Act, H.R. 699, 114th Cong. (2015).
157. Melissa Medina, The Stored Communications Act: An Old Statute for Modern Times, 63 AM. U. L. REV. 267, 271–72 (2013).
158. Schlabach, supra note 38, at 694 (“Thus, opened e-mails generally were not stored on the third-party server, and unopened e-mails stored for longer than 180 days were arguably abandoned because the user had failed to check her e-mail for six months (and likely never would).”).
159. See Alyson Shontell, Gmail Now Has More Than 1 Billion Monthly Active Users, Along with 6 Other Google Products, BUS. INSIDER (Feb. 1, 2016, 5:12 PM), http://www.businessinsider.com/gmail-has-1-billion-monthly-active-users-2016-2 (noting that Gmail’s email service boasts over 1 billion active users worldwide); Microsoft by the Numbers, MICROSOFT, http://news.microsoft.com/bythenumbers/ (last visited Jan. 5, 2017) (noting that Microsoft’s Outlook has more than 400 million active users worldwide).

when the user deletes the email.160 Eliminating the 180-day rule allows the ECPA and the SCA to adapt to the modern age of email where emails remain in the hands of third parties after a user opens them. A second major change to the SCA would amend § 2702, which regulates voluntary disclosures of data and metadata. Professor Andrew Woods, in his article Against Data Exceptionalism, proposes a suggestion for reforming this statute.161 Woods, a prominent cybersecurity scholar, proposes amendments to the ECPA and the SCA at the end of his article, addressing territorial notions of jurisdiction with regard to data.162 Specifically, Woods proposes amendments to § 2702 by allowing corporations to voluntarily disclose data to foreign governments when “(1) the data belongs to a non-U.S. citizen, (2) it is being requested in connection with a law enforcement or counterterrorism operation in which the state has a legitimate interest, and (3) an independent third party (judge, magistrate, commission, etc.) has approved the request, (4) in reasonable accordance with shared standards of due process and human rights.”163 This proposal uses international standards to govern data requests from foreign law enforcement agencies while still allowing for U.S. oversight, ensuring an acceptable level of due process.164 Woods’ proposal could easily be adjusted to comport with the arguments advanced in this article by requiring the same four-step system for both data and metadata voluntary disclosures.
Woods also proposes broad changes to the MLAT process to increase efficiency of foreign law enforcement data and metadata requests when a company refuses to volunteer the information.165 He uses similar ideas proposed in the LEADS Act, arguing that the MLAT process should be standardized and made electronic.166 His proposal differs from the LEADS Act in that Woods allows a corporation to voluntarily disclose electronic communication information, which would decrease the overall number of requests within the MLAT system, ergo decreasing strain on the entities involved in the MLAT process.167 When used in conjunction with the standardization proposals in the LEADS Act, the process is greatly streamlined. Woods, like the LEADS Act, also supports

160. Medina, supra note 157, at 272–73.
161. Woods, supra note 79, at 55–56. Although Woods does not specifically mention § 2702 by name in his proposal, his suggestions reference the voluntary disclosure rules outlined in § 2702. In addition, Woods uses “data” in his article to refer to data and metadata together. Id. at 5 n. 12.
162. Id. at 65.
163. Id. at 57.
164. Id. at 59.
165. Id. at 62–63.
166. Id.
167. See id.

increased transparency efforts to allow corporations to distinguish between requests from domestic and foreign law enforcement agencies.168 By improving the MLAT process in this manner and allowing corporations to voluntarily disclose communication data, foreign governments would be disincentivized from resorting to less favorable methods of obtaining the information they seek. Woods’ comprehensive proposal fits well with the framework proposed in this article, by increasing efficiency of law enforcement access while protecting the privacy of foreign users. Aligning Woods’ proposal with the arguments advanced in this article, data and metadata would be treated equally, and voluntarily disclosed to foreign law enforcement agencies under the supervision of the U.S. government. The first step in this process is to implement transparency procedures for what information, data or metadata, corporations are voluntarily disclosing. It is a mistake to put the burden on corporations to develop procedures for voluntary disclosure of information, nor is it right to assume that future corporations will be as rights-focused as today’s.169 By implementing government supervision for all voluntary disclosures instead of only those regarding data, these issues are resolved. Further, any request would be subject to a showing that the electronic communication information in question is part of a criminal or counterterrorism investigation. By doing so, the privacy rights of users are protected against unnecessary and unjustified disclosures, and law enforcement agencies will continue to have access to necessary metadata for criminal investigations.
Although amending specific language of § 2702 is contingent on a court determination of the ECPA and the SCA’s scope,170 these proposed changes suggest a realistic method of improving law enforcement access to electronic communication information while protecting user privacy, providing transparency to the process, and allowing government supervision of voluntary disclosures.

VII. CONCLUSION

The ECPA and the SCA are clearly outdated and in need of reform. The laws are complicated, ambiguous, and provide little protection in the modern era. By implementing this article’s proposals, the law would be adapted to modern technology and would accomplish the statute’s original goal of ensuring user privacy against unjustified law enforcement investigative processes. The implications of metadata privacy laws have a broad scope. Since 1986, the use of, and technology behind, metadata has become more widespread and

168. See id.
169. See Daskal, supra note 4.
170. Woods, supra note 79, at 61 (noting that “[b]efore [§ 2702] is revised, however, courts will have to resolve disputes regarding ECPA’s reach.”).

advanced than anyone could have predicted. It is not impossible, or even unlikely, that twenty years from today, the use of metadata will become even more pervasive and more connected to users. In a world where computer brain implants,171 radio frequency identification implants,172 and other advanced computing technology are not an increasing probability but an inevitability, access to the metadata associated with this technology is a real issue that needs to be addressed. With the wide publication of the Microsoft Ireland case, the ECPA and SCA amendments are more supported than ever. The reforms proposed by this article are feasible, simple, and effective.

171. See Kristen V. Brown, DARPA is Testing Implanting Chips in Soldiers’ Brains, FUSION (Sept. 28, 2015, 1:19 PM), http://fusion.net/story/204316/darpa-is-implanting-chips-in-soldiers-brains/ (last updated Sept 28, 2015 3:19 PM) (“When DARPA launched its RAM (Restoring Active Memory) program last year, it projected it would be about four years until researchers were implanting permanent chips in humans.”).
172. See Laura K. Donahue, The Dawn of Social Intelligence (SOCINT), 63 DRAKE L. REV. 1061, 1072 (2015) (identifying radio frequency identification chips as an increasing source of social information and metadata).