As technology continues to evolve, the courts are being asked to apply existing laws to the new technology. In some cases, the answer is fairly straightforward, but in other cases it is more complicated and can yield varying outcomes based on how each court understands the technology and the legislators’ intent in passing the law. The presentation addressed cases over the past year in three main areas: (1) “unauthorized access” under the Computer Fraud and Abuse Act (CFAA), (2) encryption, and (3) searches and seizures generally.
In the case of Nosal II1 the Ninth Circuit dealt with whether a company can use the CFAA to pursue criminal charges against employees or ex-employees who use their authorized access to misappropriate trade secrets in violation of company policy. The court in Nosal I2 narrowed the application of the “hacking statute” to require “circumvention of a technological access barrier” rather than the mere violation of the company’s terms of service in dismissing Nosal’s use of his own password to take trade secrets. Somewhat surprisingly it held in Nosal II that asking another person to use that person’s password to do the same thing was a circumvention of a technological access barrier, because Nosal’s own password had been revoked.
The Ninth Circuit reach an equally curious decision in Vachani3. In that case a company offered to integrate all of a user’s social media accounts into a single experience. It did so by getting the user’s consent, account name and password, so that it could scrape each social media account’s site. Facebook was not pleased with this arrangement and issues a cease and desist order and blocked the offending company’s IP address. The company merely obtained a different IP address and continued its business, reasoning that it had the consent of the user. The court held obtaining a new IP address was a circumvention of a technological barrier, even though doing so was trivial, inexpensive and not itself a “hack.”
The courts remain split on whether a court can force a person to divulge the contents of an encrypted device. Some courts seem to have taken the position that requiring a person to “say” his password poses Fifth Amendment problems, but requiring him to “produce” a decrypted device may not. The theory seems to be that saying one’s password, if it actually decrypts the device, constitutes testimony that the device is that person’s, which may be self-incriminating. Producing a decrypted device (especially if the act of production is not usable) is seen as coming within the “foregone conclusion” doctrine. The analogy is to forcing one to reveal a combination to a wall safe (where the combination only exists in one’s mind) versus forcing one to surrender a physical key to a strongbox. Whether it is a foregone conclusion that the government would be able to obtain the contents of a device using a modern encryption algorithm and a reasonably long password (especially if the device is programmed to wipe the contents after a number of unsuccessful attempts) is itself somewhat questionable however. In Stahl4, the court rejected the distinction and held the defendant must “say” his password.
The presentation addressed a large number of search cases spanning a wide set of circumstances. Highlighting only a few, one court held a police request that a carrier ping a phone to help them geolocate him may or may not have been a search, but in any event it was justified by exigent circumstances under the facts of Caraballo.5 Another court is still addressing whether Best Buy’s Geek Squad was acting as a government agent when it found child porn in the unallocated space of a dentist’s computer at a time that several Geek Squad members were acting as paid informants for the FBI.6 And the courts went both ways in deciding whether a provider of cloud email services abroad could be made to comply with a Stored Communications Act “warrant” where the data was stored abroad. In the Microsoft7 case, the Second Circuit held Congress’s use of the term “warrant” made such unenforceable extraterritorially.
But in a similar case against Google8, a different court held Google could be required to produce emails from abroad. The distinction may have been based on how the two companies stored the emails. Arguably, in the Microsoft case, the United States could use a Mutual Legal Assistance Treaty to obtain the emails through the Irish courts because Microsoft stored the emails in the closest data center to the user and they were retrievable within Ireland. But Google stored the emails in many countries and even individual emails could be divided up between countries, making it impossible for anyone but a Google representative in the United States to pull the emails all together. The practical impossibility in the latter case would still not overcome the extraterritorial warrant enforcement issue, but to address that the court held collecting emails from abroad did not constitute a seizure. The latter holding seems ripe for appeal, though the issue of whether email is “territorial” is itself still being debated.
In sum, laws written with one or more technologies in mind may not have a long shelf life as technologies continue to change or merge. Some technologies are also creating practical problems for law enforcement and intelligence agencies, such as the concerns about “going dark” or being unable to access cloud data that may be scattered amongst a large number of foreign countries. These and other problems will continue to vex the courts, while increasingly forcing attorneys to stay abreast of the legal implications of the latest technological breakthroughs.
1 United States v. Nosal, Nos. 14-10037, 14-10275 (9th Cir., July 5, 2016).
2 United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).
3 Facebook v. Vachani, No. 13-17154, (9th Cir., Jul 12, 2016).
4 State v. Stahl, (No. 2D14-4283, 2d.D. Fla. Ct. App., Dec. 7, 2016).
5 United States v. Caraballo, No. 12-3839-cr (2nd Cir. 2016).
6 United States v. Rettenmaier.
7 Microsoft v. United States, No. 14-2985 (2d Cir., 2017).
8 In re Search Warrant No. 16-0960-M-01 to Google (E.D. Penn., 3 Feb 2017).