Can You Subpoena "Big Brother?" Obtaining Information in the Digital Age Can You Subpoena "Big Brother?" Obtaining Information in the Digital Age

Can You Subpoena "Big Brother?" Obtaining Information in the Digital Age

In today’s legal landscape, electronic paper trails left behind by individuals and businesses alike can be leveraged in various legal situations. Typically, parties are required to disclose certain information in response to discovery requests.  However, questions remain as to whether cell phone companies are required to provide telephone/text records and whether email providers are required to provide emails if subpoenaed. Additionally, further questions remain as to whether non-content information, such as IP addresses, location data, and digital timestamps, are required to be disclosed. As such, individuals and corporate entities should be aware of what types of digital information they can obtain in a civil lawsuit, as well as what digital information they are required to disclose themselves if subpoenaed.

Cell Phone Location Information (“CSLI”)

Each time a cell phone call is made, the provider records cell-site location information (“CSLI”) that can be used to trace the caller’s approximate location. This information might be useful, for example, in a lawsuit in which the locations of an individual or the location(s) of where certain communications took place are relevant. In other words, such location information might be critical in a criminal case in which the defendant’s movements could play a vital role. In situations such as the examples provided, as well as other situations in which CSLI may be relevant, the question remains: Who can obtain this type of information? Civil litigants can obtain this type of information with a court order; however, when it comes to the government, federal circuits are split as to whether a warrant is required. If your business is a wireless service provider and you face a demand from the government for CSLI, it is imperative that you understand the state of the law in the relevant jurisdiction.

Internet Protocol (IP) Addresses

A computer’s IP address can be used to identify the location of a network access point used to access certain data (e.g., over the Internet). For example, an IP address can show when a specific computer belonging to a particular individual accessed a website, which could be used as evidence to prove or disprove that that particular individual had knowledge of a certain issue at a certain time. In another example, if a business has been the victim of illegal file sharing, the business may use the IP address to determine where the file accesses originated to identify possible users of illegal file download websites. Similarly, in a criminal case, proof that a defendant’s computer, based on the IP address associated with the defendant’s computer at the time of access, accessed a “black market” website with the intent to sell drugs might be key to the prosecution’s case.

Typically, civil litigants can obtain an IP address from a subpoena to a third party, such as a website host. From there, an online search can be conducted through one of the many public IP address locators online, through which the Internet service provider (ISP) that owns that IP address can be ascertained. Next, the civil litigants can subpoena the ISP for information relating to the customer who used that IP address at that particular date and time. However, it is important to note that many ISPs are cable providers covered by the Cable Privacy Act, 47 U.S.C. § 551, and may not release any personally identifying customer information without a court order. A mobile network carrier or internet provider, on the other hand, can release this information. As for the government, courts universally agree that the government may access this information without a warrant.

These nuanced rules mean that it is important that website owners/hosts and ISPs understand just what they may disclose, may not disclose, and must disclose, as well as under what circumstances disclosure may be required. It is equally important that both businesses and individuals understand these rules so that they can get the information they need from website owners/hosts and ISPs.

Non-Content Information

Civil litigants are generally able to obtain non-content information from cell phone service providers or ISPs through a subpoena. This may include a list of email addresses to whom emails were sent or the phone number that the subscriber is calling, which could prove quite useful in certain types of litigation. For instance, in an insider trading case, the duration of telephone calls may provide circumstantial evidence that substantive conversations occurred between certain individuals, rather than just voicemails. In addition, non-content information, such as telephone numbers called or texted by the suspected malicious insider, or numbers that called or texted that person, can indicate who approached whom with the information, as well as generate leads of potential witnesses or wrongdoers. If the suspected malicious insider claims he or she did not know another individual well or that they rarely spoke, he or she can be impeached with non-content data from the cell phone service provider showing that he or she in fact frequently called and was called by that individual. Juries typically place a high value on documentary evidence, such as from a cell phone service provider, because it cannot be manipulated and comes from a reliable, impartial source. Additionally, timelines based on non-content information can be very powerful demonstratives to a jury, showing when the illegal trades were made in relation to the phone calls or text messages.

Further, non-content information from an ISP can be very persuasive for a jury. For example, in a lawsuit based on anonymous harassing emails, it may be possible to determine who the individual is behind the harassing messages. If the individual was using a Gmail account to send the messages, a litigant can subpoena Google to obtain the times and dates that the Gmail account was being used, as well as the IP address that accessed the Gmail site. It is important to note that this is not exclusive to Gmail; the same process may be followed no matter what email provider the harasser used. Subsequently, a simple online lookup of this IP address will typically reveal the ISP that services that IP address. A litigant armed with the dates, times, and IP address can then subpoena the ISP to obtain information about the subscriber who was assigned that IP address at those particular times. In some cases, the ISP may object that it is covered by the Cable Act and claim that it cannot release this information without a court order. However, such an order is typically easy to obtain, especially in a case such as this, where the defendant is unknown and this is the only way to determine the defendant’s identity.

A business that wishes to obtain this information should consult with a privacy law professional to determine the extent of information that is obtainable and the best way to go about getting it.

The Stored Communications Act (“SCA”)

To clarify under what circumstances both government and private litigants can obtain various types of electronically stored information, Congress enacted the Stored Communications Act (“SCA”) as part of the broader Electronic Communications Privacy Act of 1986 (“EPCA”). The SCA prohibits third parties, including cell phone providers and ISPs, from disclosing certain aspects of the electronic communications that they store, maintain, or carry.  However, the requirements generally differ based on the circumstances.
Under the SCA, a court in a civil matter cannot order an electronic services provider to release the content of a subscriber’s communications without the subscriber’s consent. However, non-content information can be revealed under certain circumstances. Therefore, if a civil litigant wants to obtain the contents of a communication, the best route is to obtain it from the party to the communication (e.g., through a discovery request). However, a subpoena to a third-party electronic services provider is typically sufficient to obtain non-content information. If seeking either content or non-content information, one should first check with a professional to determine whether this information is obtainable directly from the ISP or the wireless service provider. Additionally, if you operate an ISP or wireless service provider, it is imperative to know what types of information must be released.

Generally, the government has broader powers to obtain contents of electronic communications, but circumstances will likely vary based on details such as how long the information was stored and what kind of notice is given. If commanded to produce either content or non-content information by a governmental subpoena or warrant, a business should seek professional legal assistance to determine how much of the requested information the government may legally obtain.

What this means for Businesses

If a private entity wants to obtain content information from a third party, it will typically not be able to do so through a subpoena. However, a court in a civil matter can issue a discovery order compelling a party to the litigation (not the third-party provider) to release this information.

In an illustrative example in which a business suspects a former employee sent trade secret information to his Gmail account before he left the company, Gmail cannot produce the emails themselves nor can it provide subject lines or keywords. However, if the business has sued the employee, then the employee must produce those messages if the employee is responding to discovery requests, because the messages are presumably in the employee’s possession, custody, and control. How about if a business wants to find out who’s been illegally downloading its content? The business can follow the yellow-brick road of subpoenaing the file-sharing website for the individual’s IP address, and then subpoena the ISP for the downloader’s account information. If the ISP is a cable provider, the business will need a court order to allow the provider to release the information.

If you are a wireless service provider or an ISP and are subpoenaed for the electronic information of your customers, it is important to be aware of exactly what is being asked for, who is asking for it, and the controlling law of the jurisdiction. Third parties must also adhere to their own privacy policies about disclosure, so it is important to thoroughly review your most current privacy policy and have a clear understanding of its implications.

Because this area of the law is changing so rapidly, it is imperative that businesses stay abreast of new developments and actively seek appropriate legal counsel in order to determine if and how they are required to respond to a subpoena or how best they can obtain this information in the event they are seeking information themselves.

For more information on securing data, contact Stephen Reynolds, Martha O'Connor or another member of our Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 





View Full Site View Mobile Optimized