Cybersecurity, the ECPA, Carpenter, and Government Transparency

By Stephanie Pell
Friday, July 22, 2022, 8:02 AM

December 2020 and January 2021 saw two successive intrusions—SolarWinds and Microsoft Exchange—that were committed by nation-states and affected both public and private sectors. Two months after these intrusions, Gen. Paul Nakasone, the dual-hatted commander of Cyber Command (CYBERCOM) and director of the National Security Agency (NSA), testified publicly about a “blind spot” preventing the government from detecting these intrusions.

During the question-and-answer session of Nakasone’s testimony, he explained that U.S. adversaries are launching attacks from inside the country using U.S. infrastructure. According to Nakasone, adversaries understand that there is a “blind spot for us not being able to see them.” They are able to “come into the United States and rapidly use an internet service provider, come up and do their activities and take that down before a warrant can be issued, before we can actually have surveillance by a civilian authority here in the United States.”

Nakasone also indicated that there are “legal barriers and disincentives for the private sector to share information with the government,” further frustrating the government’s ability to connect all of the dots because it simply “can’t see all the dots.” He thus explained that there is a need to strengthen information sharing in order to “drive a better partnership between what the public needs and what the private sector can offer.” And, while Nakasone readily acknowledged that there are important privacy protections in the law preventing CYBERCOM and the NSA from directly conducting surveillance inside the United States, he implied that some domestic government agency may need new surveillance or collection authorities to address the blind spot because “the nation needs the ability to be able to see what’s going on within the U.S.”

Notwithstanding the Biden administration’s ongoing efforts to improve the nation’s cybersecurity, Nakasone’s statements continue to demand particular attention since he essentially indicated that U.S. law unduly hamstrings the government’s ability to detect intrusions by sophisticated adversaries operating inside private networks in the United States. But part of the difficulty for Congress and the public to evaluate this claim stems from the government’s lack of transparency with respect to how it interprets its Fourth Amendment obligations and applies its existing surveillance authorities to different technologies and forms of interception or collection.

To date, the administration’s whole-of-nation effort does not include any sort of public request for new or expanded surveillance authorities. Given Nakasone’s testimony, however, it is reasonable to question the extent to which the government’s sight remains impaired and what the parameters of the supposed blind spot might be. Answering these questions is hard to do without greater government transparency about its current collection practices and its interpretation of existing surveillance authorities and Fourth Amendment obligations. Moreover, the government’s lack of transparency actually carries risks, not only that it will fail to gain new authorities it may need but also that it will suffer further restrictions on existing collection or acquisition practices integral to its cybersecurity efforts as a result of future congressional action or court decisions.

The Limited Publicly Known Information About the Government’s Purported “Blind Spot”

To date, Nakasone’s statements are the most detailed public description of the government’s purported blind spot. While they do not provide a great deal of information about the scope of the problem, they suggest that the term “blind spot” represents the government’s inability to see when a foreign adversary may launch a nefarious cyber operation from inside a private U.S. network—that is, an operation that does not appear to emanate from abroad.

While the NSA has broad authority to engage in surveillance and collect information on foreign networks, the Fourth Amendment and various statutes impose requirements and place certain limits on when and how the government can conduct surveillance and collect data on domestic private (nongovernment) networks. In the domestic sphere, the government doesn’t have unfettered access to data; it must obtain court orders and specify the information it seeks to collect. So, if a foreign adversary purchases space on a domestic server—perhaps by using a stolen U.S. credit card number—and then launches a malicious cyber operation from that platform inside the U.S., Nakasone’s statements seem to suggest that the court order requirements imposed by U.S. law challenge the government’s ability to detect and address this activity in a timely fashion. Nakasone also referenced the fact that there are legal barriers and disincentives for the private sector to share information with the government. He did not, however, elaborate on how such barriers contribute to the government’s purported blind spot. He also did not specify what kinds of private-sector data would be necessary to enhance the government’s sight and limit the scope of the blind spot, or the degree to which the government might already be receiving at least some commercial data that provides partial sight into private-sector networks.

In an effort to understand more about both the government’s purported blind spot and the need for greater transparency by the government, it is useful to reflect on the failed efforts to reform the Electronic Communication Privacy Act (ECPA) in 2010 and the subsequent Supreme Court case law addressing law enforcement access to location data.

The Electronic Communication Privacy Act

The ECPA is a statute that provides standards governing when and how law enforcement can compel electronic communications and associated data from certain kinds of communications providers, like phone companies or platforms that have direct relationships with consumers. It also provides rules for when these providers can voluntarily share data with both law enforcement and other non-law enforcement entities. If, for example, law enforcement wants to compel a telephone company to disclose all of the numbers called by a particular phone on a specific date, the ECPA requires that law enforcement issue a subpoena.

The ECPA would not, however, prevent the company from providing or selling this and other noncontent information to non-U.S. governmental entities, like data brokers or even foreign governments. Data brokers can then sell this information to a range of entities, including the U.S. government. Moreover, infrastructure companies that do not provide services to the public, and are thus not subject to the ECPA’s rules, but have access to user data because they are delivering communications on behalf of ECPA-covered entities could in theory also give or sell data to data brokers or the government.

In 2010, the House Judiciary Committee held a series of hearings focused on reforming the ECPA.  (In the interests of full disclosure, at the time, I was on detail from the Department of Justice to the House Judiciary Committee, where I was the majority lead counsel on ECPA reform.) This reform effort began at the urging of the Digital Due Process (DDP) coalition, a joint civil society and industry group, which lobbied for a series of principles that it believed should guide ECPA reform. The overarching message communicated by the DDP was that the ECPA, when it was enacted in 1986, was a “forward-looking statute” that afforded “important privacy protections to subscribers of emerging wireless and Internet technologies.” But, because technology had advanced significantly since 1986, the ECPA’s privacy protections had “been outpaced.”

One major area of focus was law enforcement access to location data. The ECPA, a statute passed well before the advent of smartphones, did not provide clear rules on what legal standards governed law enforcement’s ability to compel either prospective or historical location data generated by cell phones. Was something akin to the Terry-stop reasonable suspicion standard sufficient for law enforcement to compel the data it wanted through a 2703(d) order, or did the ECPA require a higher probable cause standard and thus a warrant? A clear, definitive answer could not be found in either the plain text of the statute or its legislative history. Because location data was becoming increasingly more precise and revelatory—and hence more privacy invasive—the DDP argued that law enforcement should be required to obtain a warrant to compel any amount of historical or prospective location data. Law enforcement argued that requiring a probable cause warrant for all compelled disclosures of location data would unduly inhibit investigations in their early stages when the government might have difficulty building probable cause to get a warrant.

The House Judiciary Committee’s efforts at reforming the ECPA failed to produce any viable legislation to govern law enforcement access to location data. Indeed, the ECPA still has not been amended to address the privacy implications of law enforcement access to location data generated by myriad products and services. The ECPA has thus become progressively irrelevant over time, with respect to governing both law enforcement’s ability to compel the disclosure of location data and providers’ ability to share or sell the data to non-law enforcement entities.

One issue that contributed to this failure was the difficulty Congress faced in acquiring fully accurate information about how the government was interpreting existing statutory authorities or its Fourth Amendment requirements with respect to law enforcement access and collection of location data. To be fair to the government, this was likely an area where its position was evolving because location-based information was becoming increasingly precise, and the technologies and services generating it were growing rapidly. Nevertheless, Congress, when it was legitimately trying to determine how the law was being applied and how it should be amended, should not have had to piece together and interpret statements in what might be outdated law enforcement manuals or wait for the next published magistrate judge opinion in order to understand the Justice Department’s current interpretation of that law. Unfortunately, that is exactly what happened.

The Carpenter Opinion

Into this void, the Supreme Court issued a very pro-privacy opinion with implications for government surveillance far beyond the specific kind of location data at issue in the case. In Carpenter v. U.S., a case involving the FBI’s compelled disclosure of 127 days of historical location data, which it had obtained without a warrant, the Court’s most basic holding was that a warrant was required for at least seven days of location data. But a new set of factors provided in Carpenter to determine if law enforcement acquisition of third-party records is a Fourth Amendment search was nothing short of revolutionary, possibly extending Fourth Amendment protections to other kinds of third-party records well beyond location data—perhaps even to data analytics methods and processes. In explaining the contours of this analysis, Paul Ohm notes that “when the police seek to obtain information about individual behavior contained in a private party’s database,” courts must examine “(1) ‘the deeply revealing nature’ of the information; (2) ‘its depth, breadth, and comprehensive reach’; and (3) ‘the inescapable and automatic nature of its collection’” to determine whether or not a warrant is needed. Applying these factors, law enforcement may now, for example, be required to obtain a warrant to access records contained in large noncontent database sets, even when certain records—like telephone or bank records—did not receive Fourth Amendment protections under prior case law.

While the Court attempted to narrow the opinion by suggesting that it was not considering “other collection techniques involving foreign affairs or national security,” Jim Baker, the former FBI general counsel, does not believe such separation is realistic given that, at least for the FBI, these matters and criminal investigative activities are often intertwined. Accordingly, Carpenter cannot easily be relegated only to the criminal investigative sphere. It will also have implications for national security activities.

The ECPA, Carpenter, and Cybersecurity

When Nakasone made statements about the “vision” challenges presented by U.S. law, he was likely referring, at least in part, to the ways in which the government interprets how the ECPA and Carpenter control government access to relevant data collected inside the U.S. from private networks. The ECPA is likely a mixed bag on this front. On the one hand, it restricts the government from compelling the disclosure of content and noncontent data from certain types of providers without a warrant or other legal process. Moreover, the ECPA does not authorize the government to compel the production of bulk, indiscriminate data or to engage in the general monitoring of private networks to detect future network intrusions. But for one National Security Letter provision, the government’s collection and surveillance authorities in the ECPA—the Wiretap Act, the Pen/Trap Statute, and the Stored Communications Act (SCA)—are all tied to the work of conducting criminal investigations. The government must thus show some nexus or relevance to such investigations. These authorities do not affirmatively allow the government to demand data in bulk or generally monitor private networks for the purpose of watching out for some yet unidentified future nefarious activity.

On the other hand, as previously noted, the Stored Communications Act, which is Title II of the ECPA, doesn’t prevent the government from buying such data in bulk from companies that aren’t regulated by the SCA, even when the data might have originated from an SCA-covered entity. To illustrate this point, there have been a number of news stories about various government agencies purchasing location data from data brokers.

With this background in mind, consider a February 2022 Wall Street Journal story that alleges the U.S. government is “obtaining bulk [commercial] data about network usage ... and has fought disclosure about such activities.” The article further describes these data as “several kinds of internet logs showing the connections between computers, typically collected on networking devices such as switches or routers. They are the rough internet equivalent of logs of phone calls—showing which computers are connecting and when, but not necessarily revealing anything about the content of the transmissions.” Current and former government officials are quoted as saying these data sets “possess enormous intelligence value ... especially as the power of computers to derive insights from massive data sets has grown in recent years. Such network data can help governments and companies detect and counter cyberattacks.”

The accuracy of these claims is, of course, unknown to the public and, even if accurate, it is similarly unknown whether ongoing access to these kinds of data sets is providing the government with at least partial vision into private networks. In other words, it is unclear whether the government’s ability to buy these or other data sets has become an integral part of its ability to address its purported blind spot. But, as reported by Joseph Cox, it is apparently an “open secret in the cybersecurity world” that these data sets are sold to a “range of third parties.” Some lawmakers are, however, seeking to close loopholes in the law that allow the government to buy data from data brokers it would otherwise need a warrant to obtain when compelling the same information from providers like phone companies, social media sites, or other entities that have direct relationships with consumers. With that goal in mind, they’ve introduced a bipartisan bill entitled the Fourth Amendment Is Not For Sale Act.

Carpenter has complicated this issue of just when the government would need a warrant to compel such noncontent data from a third party, whether or not the third-party provider is an ECPA-covered entity. As Jim Baker notes, prior to Carpenter, the government relied on the distinction between communications content and noncontent data in making a determination about whether a probable cause warrant was needed. For the most part, it concluded a warrant was not required when it sought to compel the disclosure of noncontent data from a third party. But Carpenter prevents the government from applying this once-foundational distinction without further analysis. Now the government must consider whether the information it seeks to compel is deeply revealing in nature, comprehensive in reach, and automatically and inescapably collected.

To the extent that the government is purchasing Carpenter-protected noncontent records without obtaining a warrant, whether for criminal investigative, threat detection/intelligence related to cybersecurity, or some other purpose, there are conflicting views on whether the Fourth Amendment would prohibit this activity. While acknowledging that it is a difficult question, Matthew Tokson has argued that “the government must obtain a warrant before purchasing sensitive personal data from a data vendor” because these data are “hardly publicly available or exposed” and, in a number of cases, users don’t “meaningfully consent” to its collection. In contrast, Orin Kerr has argued that “the government can buy business records without a warrant or any cause. The Fourth Amendment does not apply. ... [A] company will have common authority over business records that it has created and controls. That common authority permits third-party consent. When a company voluntarily sells its business records, its consent renders any search of the records reasonable.” But Kerr does not rule out the possibility that, in the future, if buying records became “a substitute for the kind of detailed surveillance Carpenter addressed,” a more “restrictive approach” might be justified.

A Complex, Potentially Fraught Path for the Government

Notwithstanding the efforts taken by the Biden administration to improve the state of the nation’s cybersecurity, questions remain about how the government is addressing its purported blind spot, including the extent to which it is buying data to improve its vision. Perhaps the government has sufficiently mitigated any blind spot through these measures and efforts. Perhaps it has determined that new surveillance or collection authorities aren’t needed. I am not suggesting that they are. But if the government believes that new collection authorities are needed, then a healthier discussion and legislative process could result if the government were more transparent about how it interprets its existing authorities and how Carpenter may complicate the ways in which it compels and collects information. If, over time, the government ultimately determines it cannot have these kinds of discussions openly before the public and consequently decides not to ask for what it needs directly, then it risks putting itself in the position of having to find gaps or loopholes in existing statutory authorities or stretching them to cover technologies or forms of collection that are a far cry from the kind of activities those authorities were drafted to regulate.

In failing to seek or engage in a legislative process that can allow for more nuanced regulation of government surveillance practices—as the ECPA originally did—the government also risks future case law that, for better or worse, has implications for its surveillance practices far beyond the specific technology at issue in a particular case. Jim Baker has rightly noted that Carpenter did not come out of the blue. The writing was on the wall following two other Supreme Court opinions—Jones and Riley—where the Court recognized Fourth Amendment interests when the government attaches a GPS tracking device to a car or searches a phone incident to arrest. In a future case, the Supreme Court could take up the question of whether the Fourth Amendment restricts the government’s ability to buy Carpenter-protected records, potentially limiting government collection practices even further. Over time, if the government fails to engage in some greater degree of transparency about how it interprets and applies its existing surveillance authorities, thus preventing frank, public legislative discussions about surveillance authorities, the U.S. risks significant and unnecessary diminution of national interests in both security and privacy and civil liberties.