Get a Warrant: Reforming the Electronic Communications Privacy Act in 2016
II. The ECPA: Origins and Constitutionality
III. The All Writs Act and Apple
IV. H.R. 699 and Reforming the ECPA
Encrypted data and user-locked devices present a challenge to federal investigators. In their attempts to access such data and devices in criminal investigations, the FBI and the Department of Justice have obtained warrants and court orders citing existing laws as giving them the authority to access the data. They have also called upon these laws to compel businesses to divulge the encryption keys which secure not only that data but also the data of all the companies’ customers. Recently, the FBI has even demanded Apple create new software which would unlock smart phones for them. The requests for court orders have met with a mixed response from federal judges, who have at times issued the orders and at times denied them. Companies have sometimes complied with these orders and other times challenged them.
The challenges include many legal and business concerns. They range from the ideas of free speech and privacy to the scope of the government’s authority to coerce a business to undermine the data security at the very core of its services. These challenges are not easily dismissed, considering investigators are appealing to laws created long before the modern Internet.
For example, recent court orders involving Apple cited the All Writs Act of 1789. The FBI’s attempt to use this broad law to establish authority over electronic data should come as no surprise considering the resistance Lavabit offered to the FBI’s use of the Pen Register Act. That resistance resulted in contempt of court charges for Lavabit’s owner and the eventual closure of the company (Silver, 2016). The Pen Register Act was created in 1986 as part of the Electronic Communications Privacy Act (ECPA), a decade before the widespread use of email and search engines. Even as amended by the Patriot Act to cover electronic and Internet communications, the ECPA suffers from applying an old way of thinking to new problems. As it currently stands, the ECPA’s constitutionality is questionable for several reasons we will explore.
In April 2016, the House of Representatives took a step to correct this policy by unanimously voting in favor of H.R. 699, the Email Privacy Act. This Act would update the ECPA to require a warrant to access emails and data stored in the cloud. H.R. 699 now awaits a vote from the Senate before going to the President for enactment into law. H.R. 699 potentially solves the questions of constitutionality that arise when federal investigators access stored data without a warrant, and it also sets new boundaries about notifying customers when a service provider has been compelled to disclose the content of customers’ electronic communication.
II. The ECPA: Origins and Constitutionality.
As Title III of the Electronic Communications Privacy Act of 1986 (ECPA), the Pen Register Act was passed by Congress “to provide some protection for consumers’ financial records and to regulate law enforcement’s use of pen registers” following the landmark privacy cases United States v. Miller and Smith v. Maryland (Lipman, 2014, p. 473). The concept of the pen register comes from the era of pre-Internet telephone communication. “A pen register records all the phone numbers dialed from a particular telephone, and a trap and trace device records all numbers that dial a specific phone number” (MacArthur, 2007, p. 448). Both of these devices are now governed by the Pen Register Act (West, p. 55).
But while the Pen Register Act originally applied to numbers dialed to and from a specific phone, it was amended to include modern electronic forms of communication. In 2001, the Patriot Act amended it to cover “dialing, routing, addressing, or signaling information”, including “IP addresses and email addressing information” (Schwartz, 2009, p. 10). This data does not include the content of emails and communications, and the court’s majority opinion in Smith v. Maryland agreed that “pen registers do not acquire the contents of communications” (Lipman, 2014, p. 475).
To access the contents of communication, rather than data about it and its users, government agencies can invoke either the Wiretap Act or Title II of the ECPA, the Stored Communications Act. The Wiretap Act of 1968 was updated by the ECPA (US DOJ, 2016). It covers communications in the process of being transmitted, such as a live phone call. But emails are transmitted quickly and are often not a live communication but an asynchronous one. For emails, transmission is “the time it takes from clicking on the ‘send’ command to the moment the message arrives at the server of the recipient’s ISP” (Schwartz, 2009, p. 11). Therefore, statutory authority to access emails in a criminal investigation often comes from the Stored Communications Act of the ECPA. Law enforcement agencies typically seek “collection of email from ISPs [Internet Service Providers] under the Stored Communications Act,” which generally has “less rigorous” requirements than the Wiretap Act (ibid). The rigorous requirement in question is a warrant.
Accessing emails 180 days old or less requires a warrant. But under the Stored Communications Act, “opened e-mails stored for longer than 180 days can be accessed by a government official with an administrative subpoena, a grand jury subpoena, a trial subpoena, or a court order” (Lipman, 2014, p. 476). Unlike the probable cause requirement for a warrant, court orders merely require an official to show “reasonable grounds to believe that the contents… are relevant and material to an ongoing criminal investigation” (ibid).
Is the 180-day demarcation arbitrary? At least one Justice Department official believes so, having declared to the House Judiciary Committee there is “no principled basis to treat e-mail less than 180 days old differently than e-mail more than 180 days old” (Lee, 2013). Google and Yahoo agree, having stated they “require warrants for the contents of email messages or user documents stored in the cloud” regardless of the Stored Communications Act’s provisions (Lipman, 2014, p. 477). Google has claimed warrantless access to communication content violates the Fourth Amendment, and “at least one Circuit Court has agreed” (ibid.). The Sixth Circuit Court, in its opinion on United States v. Warshak, argued that where the Stored Communications Act allows the government warrantless access to emails, it is “unconstitutional” (6th Circuit, 2010).
The Third Party Exception.
But questions about the ECPA’s constitutionality go even deeper. In their attempts to access electronic communications and data about them without a warrant, federal investigators have often appealed to the “third party exception”. This idea arises from the court’s opinion in Smith v. Maryland that “individuals have no privacy interest in the information they voluntarily reveal to third parties” (Lipman, 2014, p. 475). The court’s ruling has been taken to mean that by voluntarily revealing information to a service provider (the third party) to communicate, users have abandoned a reasonable expectation of privacy about the communication, and such information could therefore be obtained without a warrant.
Justice Marshall’s dissenting opinion in Smith argued to the contrary, calling into question just how “voluntary” the reveal was to the phone company in this case. How else would a person possibly make a phone call? Marshall wrote, “It is idle to speak of ‘assuming’ risks in contexts where, as a practical matter, individuals have no realistic alternative” (ibid, p. 480-481). Marshall’s opinion was echoed in Justice Sotomayor’s concurring opinion in United States v. Jones, where she further argued she could not assume “all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection” (ibid). She quoted Justice Marshall’s dissent in Smith, where he expressed the same sentiments: “Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.”
As if to further call this third party exception into question, Congress created several laws after the Smith v. Maryland case, all of which contained provisions to protect privacy in some way, especially where telecommunications and banking were involved: the Right to Financial Privacy Act, the 1996 Telecommunications Act, the Pen Register Act, and the Stored Communications Act. “Taken as a whole, these statutes enacted by Congress indicate that records released to a third-party have some constitutional privacy value” (MacArthur, 2007, p. 456-457).
Encryption and the ECPA.
The scope of the ECPA was further called into question when the FBI invoked it to demand a company’s SSL keys to unencrypt communications data in United States v. Lavabit. In the course of a criminal investigation, “the Government obtained court orders under both the Pen/Trap Statute… and the Stored Communications Act” (4th Circuit, 2014, p. 4). “Lavabit employed two stages of encryption for its paid subscribers: storage encryption and transport encryption” (ibid, p. 5-6). In other words, Lavabit’s service encrypted both stored emails and emails in the process of transmission, and the encryption covered not just the contents but non-content data about the emails.
When Lavabit contested the original orders, further court orders were issued, with the FBI first demanding unencrypted data and eventually demanding the SSL (Secure Sockets Layer) keys (ibid, p. 9-12). Lavabit used five key-pairs, one for each email protocol it supported, and the Court of Appeals’ decision admits that if even one private key-pair became “anything less than private” it could “affect all of Lavabit’s estimated 400,000-plus email users” (ibid, p. 7-8). The district court was well aware that the keys would “practically enable the Government” to “collect all users’ data” (ibid, p. 17). Lavabit attempted to negotiate these orders with proposals that included limiting the duration of the register’s installation, requesting payments for the unencryption services, and offering to unencrypt certain metadata relevant to the investigation before giving it to the FBI.
But, having had enough of Lavabit’s delays, “the Government obtained a seizure warrant from the District Court under the Stored Communications Act” which demanded all “information necessary to decrypt communications sent to or from (the target’s) Lavabit email account… including encryption and SSL keys” (ibid, p. 13). The warrant is important because it sought to clarify something about the court orders which remained in question; namely, did the Pen/Trap Order provide sufficient authority to compel Lavabit to hand over its encryption keys? “The district court observed that the Pen/Trap Order’s ‘technical assistance’ provision may or may not encompass the keys, but it declined to reach the issue during the show cause hearing” because the search warrant had been issued (ibid, p. 14). “The government agreed that it had sought the seizure warrant to ‘avoid litigating [the] issue’ of whether the Pen/Trap Order reached the encryption keys” despite having contended that it did (ibid, p. 14-15).
Lavabit did eventually hand over the keys, first in the form of an “11-page printout containing largely illegible characters in 4-point type” and then, at the investigators’ insistence, in an “industry-standard electronic format” (ibid, p. 17-18). But the process raises the question of whether or not the Pen Register Act’s provision mandating the company provide technical assistance during the register’s court-ordered installation could be broadly expanded to include handing over encryption keys which could render vulnerable the data for all users of the service. The Court of Appeals declined to reach a clear verdict on this question, finding it immaterial to the question of whether or not Lavabit was in contempt, and further finding that Lavabit had not sufficiently raised this question prior to the appeal.
We are left with a judicially unresolved question about the scope of court orders under the ECPA. Do they contain sufficient authority to do more than simply monitor or access data? Do they also contain authority to compel companies to hand over the encryption keys which are at the very heart of the secure communications service they provide to all their users? The FBI’s obtaining a warrant to get the keys suggests the court orders do not have such authority, and the FBI’s reticence to litigate this point suggests they know this. The case further suggests that a seizure warrant does have this authority. This point will become relevant when we examine the new provisions of H.R. 699 which require warrants.
III. The All Writs Act and Apple.
Encrypted data is not the only security measure frustrating federal law enforcement agencies. Devices locked with user-created passwords or codes also prevent access to the data they hold. Recently, the FBI has attempted to use the All Writs Act of 1789 to force Apple to help them unlock iPhones. Though not a part of the ECPA, the All Writs Act is worth examining briefly, for the public debate over the Apple incidents contributed to the privacy and due process concerns which spurred congressional reformation of the ECPA. It also highlights the tension over accessing data without a warrant, for the “writs” in question are court orders.
The All Writs Act, predating the invention of the phonograph by nearly 100 years, is perhaps an unusual law to invoke in matters of electronic communication. It simply states, “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law” (28 U.S. Code § 1651-Writs). This broad and somewhat vague language allows federal investigators to invoke the Act, but that same language calls its constitutionality and applicability into question.
Demanding New Software.
Pursuant to the FBI’s request in the course of a criminal investigation, Sheri Pym, a United States Magistrate Judge for the Central District of California, ordered Apple to create “a new software bundle” to load onto the suspect’s iPhone (Davidson, 2016). The FBI sought this court order to give it access to a phone “locked by a user-determined, numeric passcode” (US District Court, 2016). Apple has complied with past court orders to help extract information from iPhones; however, the operating system (iOS 9) on this phone was created with no “back door” for bypassing the security measure (Davidson, 2016).
The software ordered would need to be digitally signed by Apple so the phone would recognize it as legitimate software (Yadron, 2016). Articles in the press voiced a fear that if the FBI had software signed by Apple, it could potentially send out software updates to any iPhone on the planet. “For instance, if the FBI were able to intercept the net connection of a target (known as a ‘man in the middle’ attack), with Apple’s private key it could plausibly push an update that looked like a real software release from the company” (Hern, 2016). The FBI demanded that Apple create new software the FBI could load on the phone to gain access and enter passcodes electronically instead of using the touch screen, with a request that it only work on that phone rather than all iPhones (Davidson, 2016). Whether or not this exclusivity was technologically feasible was a matter of debate.
Apple had already provided assistance to the FBI in this case. Apple accessed the phone’s backup in iCloud and provided all its data on the user to the FBI; however, the backups ended six weeks before the crime under investigation took place (Yadron, 2016). Apple’s voluntary assistance ended when the FBI asked for the new software. Apple objected to creating a new means of bypassing its own security protocols for its product. Such a move would undermine the company’s products and services, and this is no small objection. Apple’s business faced a threat much like the one which ultimately destroyed Lavabit and also damaged a Lavabit rival (Hushmail) when it complied with a similar FBI request in 2007 (Rushe, 2014). Court orders which threaten to destroy a business might be defended against as “unreasonable” (ibid).
Questions of Authority.
Does the All Writs Act give courts authority to compel businesses to create such software? If it does, then Apple had a legal obligation to comply, or at least attempt to. But the language of the All Writs Act is vague and open to interpretation. Was the new software “necessary”, “appropriate”, and “agreeable to the usage and principles of law”?
The FBI’s request certainly appeared necessary to the District Court Magistrate, who was convinced by the FBI’s claim that “Apple has the exclusive technical means which would assist the government” (US District Court, 2016). But it turns out to have not been necessary at all. The FBI got what they wanted via an undisclosed third party using an undisclosed method (Selyukh, 2016). Contrary to the FBI’s assertion, Apple clearly held no “exclusive means” to get the data. In fact, the FBI had the technological means to try every possible four-digit code, but it would have taken a long time—possibly thousands of hours (Davidson, 2016). Therefore, the FBI sought something that was not necessary, but merely expedient.
The appropriateness of the FBI’s request remains disputed. In a similar investigation in February 2016, James Orenstein, a United States Magistrate Judge for the Eastern District of New York, rejected a similar Department of Justice request made under the All Writs Act. When the FBI wanted to order Apple to unlock an accused drug dealer’s phone, Judge Orenstein argued that “the All Writs Act (AWA) can’t be used to order a technology company to manipulate its products,” and that the implications of applying the Act in this way would “produce impermissibly absurd results” (Ackerman, February 2016). He argued that issuing the order would be “in such tension of the doctrine of separation of powers” that it would “cast doubt on the AWA’s constitutionality” (ibid). Unconstitutional and absurd do not sound appropriate.
What about agreeableness to usage and principles of law? Frankly, no one knows. The All Writs Act was last used in 1977 to compel a telecommunications company to allow the FBI to install two phone lines to surveil other specific phone lines under investigation (Shahani, 2016). In this action, the telco was not tasked with creating any new hardware or software, so it does not establish a clear principle of law relevant to the Apple order. Instead, executive agencies are asking federal judges to base court orders on a vague statute that establishes no clear limits on the government’s authority to compel action in its investigations.
Taken altogether, these questions cast doubt on the All Writs Act as a source of legal authority in these matters. But for the sake of argument, let us accept the position that companies should be compelled to create new software to circumvent their own security and encryption protocols, and to give that software to federal investigators. Then, we either need to base a request for a court order on some other statute, or we need Congress to create a new statute.
Members of Congress from both parties expressed this viewpoint when the House Judiciary Committee reviewed the Apple order and heard testimonies from both sides (Ackerman, March 2016). The solution is not asking the judiciary to establish legal precedent in the absence of detailed legislation. The solution is asking Congress to define the reasonable limits of personal security and national security at stake. Congress holds the responsibility of establishing a clear legal authority, and the All Writs Act is not it.
IV. H.R. 699 and Reforming the ECPA.
Given the public uproar, corporate resistance, and mixed judicial response in the cases thus far discussed, it makes sense for Congress to establish clearer legislative guidelines. Both the legislature and the general public appear to agree with the American Civil Liberties Union which said, “Online privacy law shouldn’t be older than the Web, and Americans shouldn’t have to choose between technology and privacy” (ACLU, 2016). Or, as Google declares in their Transparency Report, the ECPA “was passed in 1986, before the web as we know it even existed. It has failed to keep pace with how people use the Internet today” (Google, 2016).
Now, Congress has taken action. On April 27, the House of Representatives unanimously voted in favor of H.R. 699, the Email Privacy Act (Skley, 2016). This follows a unanimous agreement by the House Judiciary Committee to advance the bill for a vote (Center, 2016). Enjoying bipartisan support, the bill now moves to the Senate.
Notifying Investigated Parties.
A suit recently filed by Microsoft challenges the existing ECPA in another way that is relevant to this new legislation. Microsoft Corp v. United States Department of Justice, filed in the US District Court, Western District of Washington, made headlines only two weeks before the House voted on H.R. 699. Microsoft seeks the right to notify its customers when federal agencies request access to customer emails and data (McBride, 2016). Microsoft argues, “People do not give up their rights when they move their private information from physical storage to the cloud” (ibid). This argument echoes the increasing public concern about federal agencies’ accessing electronic communications data without the knowledge of the parties under investigation, a practice which arguably contravenes Fourth Amendment rights.
H.R. 699 includes a provision specifically addressing Microsoft’s concern by allowing companies to notify their subscribers “of a receipt of warrant, court order, subpoena”, or other types of requests specified in the bill. It does, however, create an exception in section 2705, the delayed notice provision. The bill permits delaying notification of up to 180 days if it may be “reasonably believed” to potentially result in five conditions: flight from prosecution, witness intimidation, jeopardizing the investigation, destroying or tampering with the device, and threats to a person’s physical safety. This is a significant change for the ECPA, which has allowed not only a ninety-day delay in notification, but “indefinite ninety-day extensions available by court order, as long as notification would seriously jeopardize an investigation or unduly delay a trial” (Lipman, 2014, p. 476).
Stricter Warrant Requirements.
But H.R. 699 goes even further, addressing the concerns raised when agencies use the third party exception to access data without a warrant. H.R. 699 “would require a warrant to obtain the content of emails, online documents, and other private electronic communications,” and “creates no special carve-outs for federal civil agencies” (Center, 2016). This is an important change, because the threshold for granting a warrant under the ECPA is higher than that for a court order, which is in turn higher than a subpoena. Warrants under the ECPA are currently only available for criminal investigations.
This new requirement for a warrant appears in Section 3, “Amendments to Required Disclosure”. With a few exceptions, this section requires governmental agencies to obtain a warrant from a federal or state court before requesting the “contents of wire or electronic communications in electronic storage with or otherwise stored, held, or maintained by” a service provider. H.R. 699 then extends this same requirement where “remote computing services” are concerned.
However, these mandates for a warrant only apply to the contents of the communication. “Subscriber or customer information” may be disclosed by non-warrant means such as “an administrative subpoena authorized by federal or state statute, a grand jury, trial, or civil discovery subpoena”. In these instances where subscriber data is disclosed without disclosing the contents of the communications, H.R. 699 does not require notifying the customer. This subscriber information includes name, address, local and long distance telephone connection records, records of session times and durations, length of service (including start date), types of service used, telephone or instrument number, any temporarily assigned network address, and the means and source of payment for services (including credit card or bank account number).
H.R. 699 also clarifies, in the section “Rule of Construction of Legal Process”, that the government can use any of the non-warrant methods to require the “originator, addressee, or intended recipient” to disclose the contents of a communication. In other words, people sending and receiving the communication can be compelled to disclose the contents, though the service provider cannot (without a warrant, at least). The same applies to persons or entities who provide communications and who own the communications system itself. This seems to admit that if a communicator owns the communication system, that system is not a third party and may be considered differently by investigators. The non-warrant methods also apply to persons or entities when the communication “promotes a product or service” and has “been made readily accessible to the general public”. In other words, advertisements.
Another notable exception involves Congress itself. Congress enjoys the power to compel disclosures in its investigations (the power of inquiry, per Article I of the Constitution). This bill will not restrict that power. Congress, though not law enforcement or other governmental agencies, can still compel the disclosure of the contents of stored communications from persons or entities under investigation by Congress.
And finally, H.R. 699 explicitly states that nothing about this bill limits the provisions of the Wiretap Act and the Foreign Intelligence Surveillance Act of 1978. This potentially leaves a wide-open door for the kinds of secret surveillance activities which have made headlines the past few years, particularly by the National Security Agency (NSA). It was, after all, the Foreign Intelligence Surveillance Court that granted the court order allowing the NSA to obtain Verizon’s call data (Greenwald, 2013).
Overall, the pending Email Privacy Act appears to be an improvement for all parties involved. It clarifies the procedure for the executive branch by drawing a distinct boundary about what can be obtained by court order versus a warrant. This provides a stronger and clearer rule for the judiciary who must both issue the warrants and decide cases where the scope and authority of court orders come into question. And, it is a winning move for the legislature which has proven responsive to the pressure from the general public, the corporate sector, and the other branches to craft more clearly defined and technologically relevant legislation on matters of electronic communication. The ECPA has become increasingly outdated as technology advances, and this update is well overdue.
On the other hand, the Email Privacy Act still allows for a great measure of secrecy in its delayed notification provisions and its unwillingness to address matters that fall under the Foreign Intelligence Surveillance Act. It may also receive criticism for continuing to allow access to metadata merely by court order and not by warrant. It does, however, take a major step in clearing up questions over the legality and constitutionality of accessing metadata versus content.
At the very least, the public will have a firm legal basis for expecting privacy regarding the content of electronic communications and the content of documents stored in the cloud. And, both citizens and their corporate service providers will have a clear expectation about when customers will or will not be notified when agencies request access to their data. While it may not be hailed as a perfect solution by all parties, it achieves its stated goal of improving privacy protections, and it will clear up legal questions which have plagued the judiciary and the executive since the dawn of the Internet.
Ackerman, Spencer, et al. (29 February, 2016). “Apple Case: Judge Rejects FBI Request for Access to Drug Dealer’s iPhone.” The Guardian. Retrieved from https://www.theguardian.com/technology/2016/feb/29/apple-fbi-case-drug-dealer-iphone-jun-feng-san-bernardino
Ackerman, Spencer, et al. (1 March, 2016). “Congress Tells FBI that Forcing Apple to Unlock iPhones is ‘a Fool’s Errand’.” The Guardian. Retrieved from https://www.theguardian.com/technology/2016/mar/01/apple-fbi-congress-hearing-iphone-encryption-san-bernardino
American Civil Liberties Union (ACLU). (2016). “It’s Time for a Privacy Update.” Retrieved from https://www.aclu.org/infographic/its-time-privacy-update?redirect=technology-and-liberty/its-time-privacy-update
Center for Democracy & Technology. (2016, April 13). “ECPA Reform Takes a Leap Forward: Email Privacy Act to Receive a Vote.” Retrieved from https://cdt.org/press/ecpa-reform-takes-a-leap-forward-email-privacy-act-to-receive-a-vote/
Davidson, Amy. (19 February, 2016). “The Dangerous All Writs Act Precedent in the Apple Encryption Case.” The New Yorker. Retrieved from http://www.newyorker.com/news/amy-davidson/a-dangerous-all-writ-precedent-in-the-apple-case
Google. (2016). “Google Transparency Report: User Data Requests.” Retrieved from https://www.google.com/transparencyreport/userdatarequests/legalprocess/#whats_the_difference
Greenwald, Glenn. (2013, June 6). “NSA Collecting Phone Records of Millions of Verizon Customers Daily.” The Guardian. Retrieved from http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order
Hern, Alex. (2016, March 11). “FBI ‘Could Force Apple to Hand over Private Key’.” The Guardian. Retrieved from https://www.theguardian.com/technology/2016/mar/11/fbi-could-force-apple-to-hand-over-private-key
H.R. 699. The Email Privacy Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/699/text
Lee, Timothy B. (16 May, 2013). “Eric Holder Endorses Warrants for E-mail. It’s About Time.” Washington Post. Retrieved from http://www.washingtonpost.com/blogs/wonkblog/wp/2013/05/16/eric-holder-endorses-warrants-for-e-mail-its-about-time/
Lipman, Rebecca. (2014). “The Third Party Exception: Reshaping an Imperfect Doctrine for the Digital Age.” Harvard Law & Policy Review, 8(2): 471-490.
MacArthur, Andrew P. (2007, Spring). “The NSA Phone Call Database: The Problematic Acquisition and Mining of Call Records in the United States, Canada, the United Kingdom, and Australia.” Duke Journal of Comparative & International Law, 17(2): 441-481. Retrieved from http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1086&context=djcil
McBride, Sarah. (2016, April 15). “Microsoft Sues U.S. Government over Data Requests.” Reuters. Retrieved from http://www.reuters.com/article/us-microsoft-privacy-idUSKCN0XB22U
Rushe, Dominic. (2014, February 1). “Lawyers for Lavabit Founder: Judges May Dismiss Civil Liberties Concerns.” The Guardian. Retrieved from https://www.theguardian.com/technology/2014/feb/01/lavabit-ladar-levison-snowden-contempt-court
Schwartz, Paul M. (2009, Sep.). “Keeping Track of Telecommunications Surveillance.” Communications of the ACM, 52(9): 24-26.
Selyukh, Alina. (29 March, 2016). “Apple Vs. the FBI: The Unanswered Questions and Unsettled Issues.” National Public Radio (NPR). Retrieved from http://www.npr.org/sections/alltechconsidered/2016/03/29/472141323/apple-vs-the-fbi-the-unanswered-questions-and-unsettled-issues
Shahani, Aarti. (21 March, 2016). “How a Gambling Case Does, and Doesn’t, Apply to the iPhone Debate.” National Public Radio (NPR). Retrieved from http://www.npr.org/sections/alltechconsidered/2016/03/21/471312150/how-a-gambling-case-does-and-doesnt-apply-to-the-iphone-debate
Silver, Joe. (2016, April 14). “Lavabit Held in Contempt of Court for Printing Crypto Key in Tiny Font [Updated].” ArsTechnica. Retrieved from http://arstechnica.com/tech-policy/2014/04/lavabit-held-in-contempt-of-court-for-printing-crypto-key-in-tiny-font/ Includes a link to an audio excerpt from the contempt appeals hearing at http://coop.ca4.uscourts.gov/OAarchive/mp3/13-4625-20140128.mp3
Skley, Dennis. (2016, April 27). “U.S. House Unanimously Passed Bill Requiring Warrants for E-mail.” ArsTechnica. http://arstechnica.com/tech-policy/2016/04/us-house-unanimously-passed-bill-requiring-warrants-for-e-mail/
United States Code. 18 U.S. Code § 206. Pen Registers and Trap and Trace Devices. Retrieved from https://www.law.cornell.edu/uscode/text/18/part-II/chapter-206
United States Code. 28 U.S.C. § 1651. The All Writs Act. Retrieved from https://www.law.cornell.edu/uscode/text/28/1651#a
United States Department of Justice. Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2510-22. Informational summary of the ECPA retrieved from https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
United States District Court for the Central District of California. (16 February, 2016). ED No. 15-0451M, Government’s Ex Parte Application for Order Compelling Apple Inc. to Assist Agents in Search; Memorandum of Points and Authorities; Declaration of Christopher Pluhar; Exhibit. (The original request for the order in question.) Retrieved from https://www.washingtonpost.com/news/volokh-conspiracy/wp-content/uploads/sites/14/2016/02/AWAApplication.pdf
United States Court of Appeals for the Fourth Circuit. (2014). Appeal 13-4625 in United States v. Lavabit. Judge G. Steven Agee joined by Judge Paul Niemeyer and Judge Roger Gregory. Retrieved from http://pdfserver.amlaw.com/nlj/lavabit-usca4-op.pdf
United States Court of Appeals for the Sixth Circuit. (2010). United States v. Warshak, 631 F.3d 266, 286 (Qtd in Lipman, 2014, p. 477).
West Legal Studies in Business, a Division of Thomson Learning. “Pen Register Act.” Privacy, Slide 55. INT 658 Law of Cyberspace, Course Materials.
Yadron, Danny, et al. (21 February, 2016). “FBI Told San Bernardino County Staff to Tamper with Gunman’s Apple Account.” The Guardian. Retrieved from https://www.theguardian.com/technology/2016/feb/20/san-bernadino-county-fbi-gunman-apple-account