My last post explained how the recent First Circuit decision in U.S. v. Ackies misconstrued the Tracking Device Statute by an unduly cramped reading of its key defined term, holding that 3117(b)’s tech-neutral definition of ‘tracking device’ excludes cell phones. Here I discuss the other huge error in statutory construction committed by the Ackies court, this time in the opposite direction – an unduly expansive reading of the Stored Communications Act to authorize real time cell phone tracking
BACKGROUND
Recall that Ackies had challenged the jurisdictional basis for two ‘precise location information warrants’ leading to his arrest and conviction for drug trafficking. Specifically, these PLI warrants authorized the acquisition of “specific longitude or other precise location information” for two target phones Ackies used, by “directing AT&T, the service provider for [the target phones], to initiate a signal to determine the location of [the target phones] at such times and intervals as directed by law enforcement for a period of 30 days.”[1]
The asserted legal authority for these PLI warrants’[2] was SCA § 2703(c)(1)(A). Unlike the TDS (as discussed in the previous post), the SCA does not impose significant territorial limits on its legal process. Under its provisions, any “court of competent jurisdiction” could issue such a warrant; since the drug offenses under investigation occurred partly within the District of Maine, its magistrate judges arguably had competent jurisdiction to authorize cellphone tracking in another state.[3]
The 1st Circuit held that the PLI warrants were properly issued under the combined authority of SCA 2703 and Rule 41. Specifically, SCA 2703(c)(1)(A) provides:
A government entity may require a provider of electronic communication service . . . to disclose a record or other information pertaining to a subscriber to or customer of such service only when the governmental entity –
(A) obtains a warrant using the procedures described in the Federal Rules of Criminal Procedure . . . by a court of competent jurisdiction[.]
This holding is not just wrong, but egregiously wrong. It suffers from not one but two fatal errors, as explained below.
PROBLEM #1: RECORDS PRODUCTION VS. ONGOING SURVEILLANCE
As Peter Swire and Orin Kerr, two noted scholars on ECPA, have flatly stated, “Congress never intended the Stored Communications Act to govern ongoing surveillance.”[4] The first tip-off is in the official name Congress gave to this part of ECPA--STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS. See P.L. 99-508, 100 Stat. 1848. This law is designed to regulate government access to existing subscriber records and stored communications (e.g. email, voicemail, text messages) in the hands of third party service providers.
Other parts of ECPA regulate real-time monitoring of crime-related activity, such as wiretapping (Title I of ECPA) and pen registers (Title III). What those schemes have in common are forward-looking mechanisms -- duration periods for installation and use, renewals, automatic sealing -- aimed at regulating ongoing activity, as opposed to a one-time event.[5]
By contrast, the SCA (Title II) has no such provisions. Instead it is a record production mechanism, like an administrative subpoena or a request for production under FRCP Rule 34. A warrant under SCA 2703 authorizes “disclosure” of communications content or non-content records in storage – not interception or monitoring in real time.[6]
Fourth Amendment law recognizes the fundamental difference between ongoing surveillance and a one-time search. In Berger v. New York the Supreme Court imposed heightened standards for this type of snooping, explaining that “authorization of eavesdropping for a two-month period is the equivalent of a series of intrusions, searches, and seizures pursuant to a single showing of probable cause.”[7] In the case of an ordinary search warrant, police are not allowed to return to your home and repeatedly search hour after hour, day after day, week after week, for months on end.
The First Circuit erred by expansively reading SCA 2703(c) ‘disclosure’ as authority to track a cell phone’s movement in real time. This enables law enforcement to do an end-run around the existing tracking device regime approved by Congress. It would be no different than a 2703(a)[8] order purporting to allow the government real-time access to your emails over a 30-day period. Such an order would be rightly condemned as an illegitimate circumvention of the Wiretap Act.[9]
In short, Ackies makes a hash of ECPA’s basic structure. By removing the careful boundaries laid out by the ECPA Congress, the court’s opinion allows the SCA to swamp other carefully crafted statutory regimes for ongoing surveillance.
PROBLEM #2: GPS PINGS ARE NOT PROVIDER RECORDS SUBJECT TO THE SCA
There is an even more fundamental problem with the PLI warrant: the GPS data it seeks is not covered by SCA 2703. Surprisingly, the FBI’s own Domestic Investigation and Operations Guide explains why:
In the ordinary course of providing service to the customer, the provider does not typically use this GPS location data. Accordingly, the data may not constitute a “record or other information” in the provider’s custody within the meaning of 18 U.S.C. 2702 and 2703. Consequently, a FRCP Rule 41 search warrant should be obtained to compel the disclosure of such provider-assisted geo-location data.
FBI, Domestic Investigations and Operations Guide, § 18.6.8.4.2.5.3, at 18-114 (2011).[10]
As the FBI correctly instructed its agents, cell site location data (CSLI) is typically generated and kept by providers in the ordinary course of its business, while more precise GPS data is not. Nothing in 2703 requires, or authorizes the government to demand that a provider create records which would not otherwise exist in the normal course of business.[11] Yet that is exactly what the PLI warrants did here. The requested warrant directed AT&T “to initiate a signal to determine the location of TT1 at such times and intervals as directed by law enforcement for a period of 30 days.”[12] This technique, known as “pinging”, is not something normally done by providers, except in emergency situations.
The First Circuit is not the first appellate court to trip over this key difference between GPS pings and CSLI. Recently, in U.S. v. Wallace, the Fifth Circuit did exactly the same thing. Ultimately in that case, the mistake was recognized and corrected – but not before the court was forced to withdraw not one but two published opinions.[13]
Like Ackies, Wallace had been convicted of drug trafficking based partly on real time GPS data obtained via two “Ping Orders.” In its initial opinion issued May 22, 2017, the court concluded that the GPS location data was acquired by AT&T in the ordinary course of business, and therefore no different than the historical CSLI it had previously held unprotected by the 4th Amendment.[14] In response to Wallace’s rehearing motion, the government not only conceded the panel’s error, but (even more remarkably) apologized for its role in creating the confusion:
The state obtained a court order that required AT&T to collect E911 [GPS] location information for Wallace’s phone. E911 location information is different from cell-site data, in part because cellular-service providers typically do not collect and maintain E911 location information in the ordinary course of business. To the extent that our brief did not adequately draw this distinction, we apologize.[15]
(Emphasis added). The 5th Circuit soon after withdrew its initial opinion and issued another in its place on August 3, deleting the problematic 4th Amendment ruling while still affirming the conviction on good faith grounds.
The two-month interval between the first and second Wallace opinions may have been fateful for Ackies’ case. During that time, the district court filed its decision holding GPS location data to be business records obtainable via the SCA, expressly relying upon the initial Wallace opinion.[16] While the First Circuit did not cite Wallace in its own opinion, the court likewise incorrectly assumed that GPS data are kept in the ordinary course of business like other phone records.[17]
We do not know for certain how the First Circuit would have reacted had this misconception been brought to its attention by the government, as it commendably did at the Fifth Circuit. It’s hard to believe they would have persisted in holding the PLI warrants were valid under the SCA’s broader jurisdictional reach, particularly if they had seen the following instructions to FBI agents in the Guide quoted above:
[A] FRCP Rule 41 search warrant should be obtained to compel the disclosure of such provider-assisted geo-location data. The order should . . . be obtained in the district where the phone is located (as determined by tower data, visual surveillance, or CHS reporting) . . . The return should note “the exact date and time the device was installed and the period during which it was used”---i.e. it should conform to the FRCP Rule 41 tracking device rule (which does not, by its terms, apply but which is analogous). . . .
(Emphasis added). In other words, the FBI was advising exactly what Ackies was advocating: real-time cell phone tracking warrants “should conform” to the FRCP Rule 41 tracking device rule, including the venue limitation of Rule 41(b)(4).
To be clear, I do not accuse the government lawyers handling Ackies’ appeal of misconduct. Perhaps they were unaware of the initial opinion in Wallace (available for only a short time before it was withdrawn and then disappeared from Westlaw and PACER), or the government’s concession on rehearing, or the FBI’s internal guidance to agents. Now that the mistake is apparent, however, candor would seem to require that the government renew its Wallace concession in response to Ackies’ cert petition, and request remand to the First Circuit for reconsideration in light of the corrected record.
CONCLUSION
SCA 2703(c) was intended to provide the means for government to compel disclosure of existing communications and transaction records in the hands of service providers. Nothing in the SCA contemplates a new form of ongoing surveillance in which law enforcement uses co-opted provider facilities to track cell phone users in real-time. There really is no such thing as a PLI warrant under the SCA.
In my next post, I will address the larger significance of the First Circuit’s mistake-ridden analysis, and why--assuming the case is not sent back for reconsideration in light of the Wallace concession as noted above -- the Supreme Court should take the opportunity to clarify the legal regime governing this increasingly common law enforcement tool.
[1] 2017 WL 3184178, *2 (D. Me. July, 26, 2017).
[2] Also known as “ping warrants”, referring to the technique used by the phone company to initiate the signal without alerting the user. The term ‘PLI’ included both GPS and cell site location information. Id. at *8 n.24
[3] 918 F.3d at 200.
[4] 2004 WL 2058257 at *4.
[5] See In re Application for Pen Register and Trap/Trace Device, 396 F.Supp.2d 747, 760-61 (S.D. Tex. 2005). The 2006 amendments to Rule 41 imposed similar duration and renewal requirements for tracking warrants.
[6] For a fuller discussion of these points, see In re Order Authorizing Prospective and Continuous Release of CSLI, 31 F.Supp.3d 889, 894-95 (S.D. Tex. 2014).
[7] 388 U.S. 41, 57 (1967).
[8] SCA 2703(a) deals with disclosure of wire or electronic communications content less than 6 months old.
[9] Ironically, a literal reading of the court’s opinion would give rise to exactly this scenario. The court repeatedly and mysteriously refers to the warrants in question as authorized by SCA 2703(a) (“Contents of wire or electronic communications in electronic storage”) rather than 2703(c) (“Records concerning electronic communications service or remote computing service”). These are not mere typos – the opinion quotes 2703(a) in full. Yet the lower court left no doubt that the PLI warrants were issued under 2703(c)(1)(A). 2017 WL 3184178, *2.
[10] Available at https:// www.documentcloud.org/documents/3416775-DIOG-Redactions-Marked-Redacted..... The FBI has not officially made public the full DIOG, but an unredacted version was obtained by The Intercept and published on its website in 2017.
[11] See In re Application for an Order Authorizing Disclosure of Location-Based Services, 2007 WL 2086663, at *1 (S.D. Tex. 2007).
[12] 2017 WL 3184178 at *2.
[13] The initial Wallace opinion, published in advance sheets at 857 F.3d 685 (5th Cir. 2017), was withheld from the bound volume after it was superseded by a second opinion, see 2017 WL 3304087 (5th Cir. Aug. 3, 2017). That second opinion was itself later withdrawn and superseded by a third opinion on March 20, 2018, which now appears at 885 F.3d 806 (5th Cir. 2018).
[14] That case, In Re Historical Cell Site Data, 724 F.3d 600 (5th Cir. 2013), was one of 5 circuit decisions overruled by Carpenter in June 2018.
[15] Govt Response to Petition for Rehearing En Banc, at i (filed 7/20/2017).
[16] 2017 WL 3184178 at *10 (D. Me. July 26, 2017).
[17] 918 F.3d at 200 (“The government requested precise location information from the “provider of electronic communication service” and this precise location information “pertain[ed] to a subscriber to or customer of such service.”) (quoting 2703). Actually, this raises another interesting issue--Ackies was described as a “user” of the phones, but not an AT&T subscriber or customer. SCA 2703(c) does not mention user records, it only refers to customer or subscriber records. It is an open legal question whether the SCA applies to location records of users (e.g. children or seniors) who are neither subscribers or customers.