Russia’s Other Cyber Attack

Russia’s meddling in the 2016 Presidential election obviously has captured plenty of media attention.  Less well known is that, according to a recent U.S. CERT Report, Russia has been “targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” with cyber intrusions.  The CERT Report notes that the initial intrusions proceeded through trusted third-party suppliers with networks that were less secure than those of the infrastructure entities and that the targets were deliberately chosen.

Russia’s manipulation of social media to influence U.S. elections is a deep concern, but the fact that Russia is probing weaknesses in our power, water, air, and other critical networks is even more sobering.  Coincidentally, this week I’m teaching a class on cybersecurity and the international law of war.  Cyberwar is a fuzzy domain that does not map neatly onto the existing international law of war.  Here’s a video lecture of the materials for that class:

Facebook and Terrorism: Cohen v. Facebook and Force v. Facebook

It’s well-known that Facebook, Twitter, YouTube, and other social media platforms are used for propaganda and recruiting purposes by terrorist groups such as ISIL.  A number of Jewish groups filed lawsuits alleging that Facebook should be held civilly liable for facilitating terrorist attacks against Jews.  Two of these cases recently were dismissed by Judge Nicholas Garaufis in the U.S. District Court for the Eastern District of New York.  A copy of Judge Garaufis’ Memorandum and Order is available below.

In Cohen v. Facebook, the plaintiffs asserted negligence and civil conspiracy theories under Israeli and U.S. law.  That case was removed to federal court by Facebook.  In Force v. Facebook, the plaintiffs asserted claims under the federal “Providing Material Support to Terrorists” statute, 18 U.S.C. § 2339A, and the civil remedies provision for terrorist acts, 18 U.S.C. § 2333A, as well as for negligence and other breaches of duty under Israeli law.  Copies of the Cohen and Force Complaints are available below.

Judge Garaufis dismissed the Cohen case for lack of standing because the individual plaintiffs asserted only a threat or fear of possible future harm.  He also dismissed the Force case under the immunity provision of section 230 of the Communications Decency Act, 47 U.S.C. § 230(c)(1).  This provision states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  Id.  

The Second Circuit has established a three-part test for determining whether section 230 immunity applies:  the law “shields conduct if the defendant (1) is a provider or user of an interactive computer service, (2) the claim is based on information provided by another information content provider and (3) the claim would treat [the defendant] as the publisher or speaker of that information.”  FTC v. LeadClick Media, LLC, 838 F.3d 158, 173 (2nd Cir. 2016).

The primary issue in these cases was whether the third element would be satisfied.  Here, the focus is on whether the provider exercises “a publisher’s traditional editorial functions — such as deciding whether to publish, withdraw, postpone, or alter content.”  Id. at 174.  The plaintiffs in the Force case argued that Facebook was not acting as a publisher but rather was providing content-neutral services in support of terrorist activities by Hamas.  The court rejected this argument and found that the section 230 immunity applies to Facebook.  Memorandum and Order, at 17-23.

The plaintiffs in the Force case also raised a creative argument:  section 230 should not apply because the terrorist acts occurred in Israel and there is a presumption against extraterritoriality.  Judge Garaufis also rejected this argument and held that the focus of section 230 is to limit civil liability of internet service providers and that the relevant events relating to such liability involve the location of the speaker.  Since Facebook is a U.S. corporation, Judge Garaufis held that section 230 did not require extraterritorial application in this case even though the terrorist acts happened in Israel.  Memorandum and Order, at 23-27.

Judge Garaufis’ interpretation of section 230, including the question of extraterritoriality raised by this case, seems correct.  Section 230, however, was a legislative solution to Internet publisher liability in a simpler age, before the explosion of social media platforms and their cooptation by terrorists.  There may be good policy arguments today for imposing some legal duties on social media sites to screen for materials that incite violence and terrorism.

 

Cohen and Force Opinion

Cohen v. Facebook.pdf: https://drive.google.com/file/d/0BzS0leqU862xeHRxOEZZdkFJYXc/preview?usp=drivesdk

Cohen Complaint

Cohen v. Facebookcomplaint.pdf: https://drive.google.com/file/d/0BzS0leqU862xWkVUb21jM2dUaDQ/preview?usp=drivesdk

Force Complaint

force v facebook.pdf: https://drive.google.com/file/d/0BzS0leqU862xN28zMFhXa3piUGM/preview?usp=drivesdk

Trump Cybersecurity Executive Order

[Image: President Trump signing an earlier Executive Order. Source: ZDNet]

President Trump signed today a long-awaited Executive Order on Cybersecurity.  I think it is mostly a non-event.  There are some helpful provisions, including a requirement that government agencies implement the NIST Framework.  Otherwise, it requires  a series of executive reports on cybersecurity preparedness, generally within 90 days of the Order.  As others have noted, those reports are likely to show that government cybersecurity is significantly lacking because of outdated infrastructure.  The real test will come when changes must be implemented and government cyber infrastructure moves towards a more centralized cloud-based model.

The text of the Order is below.

Trump-cybersecurity-executive-order.pdf: https://drive.google.com/file/d/0BzS0leqU862xVGNIR3ZWdGI1eDQ/preview?usp=drivesdk

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at *7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. § 2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “‘enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id.

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at *4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “‘records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at *21.  Nevertheless, Judge Lynch felt bound to agree with the court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at *26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶¶ 2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

microsoftcertified.pdf: https://drive.google.com/file/d/0BzS0leqU862xbHlmR2pJa2dra0U/preview?usp=drivesdk

microsftdj.pdf: https://drive.google.com/file/d/0BzS0leqU862xQUs4S3Z6dkg5SEk/preview?usp=drivesdk

Klayman v. Obama Stay Left in Place

On November 9, 2015, Judge Richard Leon issued a preliminary injunction against the NSA bulk data collection program.  On November 10, in a per curiam Order, the D.C. Circuit stayed the preliminary injunction pending the government’s appeal.  Last Friday, November 20, the Circuit denied the plaintiffs’ emergency request for rehearing of the stay order en banc.  In a somewhat unusual move, Circuit Judge Brett Kavanaugh wrote a concurrence to the Order denying the request for hearing en banc.  Judge Kavanaugh states in the concurrence that “the Government’s metadata collection program is entirely consistent with the Fourth Amendment.”  Concurrence at 1.  Judge Kavanaugh states that the bulk data collection program satisfies the “special needs” exception under the Fourth Amendment because it “serves a critically important special need — preventing terrorist attacks on the United States.”  Id. at 2.  According to Judge Kavanaugh, “that critical national security need outweighs the impact on privacy occasioned by the program.”  Id.

In my view, Judge Kavanaugh’s concurrence is troubling.  An emergency petition for en banc review is an extraordinary request that can be denied for many reasons without opining on the merits.  It is difficult to see how Judge Kavanaugh could reach such an easy conclusion about the NSA program in the context of an emergency en banc petition, without full briefing and argument on the merits.  Unfortunately, it seems that the threat of terrorist attacks will remain with us in the foreseeable future.  While the threat is deadly serious, the ordinary rule of law cannot remain suspended in a perpetual state of exception, or else it is a rule of power and not of law.

klaymanappeal.pdf: https://drive.google.com/file/d/0BzS0leqU862xb3dKMUJJT3V3LXM/preview?usp=drivesdk

Klayman v. Obama Preliminary Injunction of NSA Program

Judge Richard Leon in the District of Columbia federal court has again issued a preliminary injunction against the continuation of the NSA bulk telephony metadata collection program.  The bulk collection program is set to expire on November 29, 2015 under the USA FREEDOM Act, so the injunction in this case will not have long-term impact.  Judge Leon’s reasoning, however, could be important to the evaluation of future government data collection programs.  As Judge Leon stated in his November 9, 2015 Memorandum Opinion, this

will not . . . be the last chapter in the ongoing struggle to balance privacy rights and national security interests under our Constitution in an age of evolving technological wizardry.  Although this Court appreciates the zealousness with which the Government seeks to protect the citizens of our Nation, that same Government bears just as great a responsibility to protect the individual liberties of those very citizens.

Mem. Op. at 42.  The first portion of Judge Leon’s Opinion addresses the plaintiffs’ standing to challenge the NSA program.  I will address the standing issue in another post.

On the likelihood of success on the merits, Judge Leon found that the plaintiffs likely will be able to prove that the NSA bulk collection program violates the Fourth Amendment.  According to Judge Leon, plaintiffs “have a very significant expectation of privacy in an aggregated collection of their telephony metadata,” the government’s intrusion on that interest is very broad, and the government has not shown the program has successfully fulfilled the goal of protecting the nation from terrorism.  Mem. Op. at 28-37.  Judge Leon also found that the plaintiffs likely would suffer irreparable harm absent a preliminary injunction and that the public interest favors injunctive relief.  Id. at 37-42.

One notable aspect of Judge Leon’s Opinion is his discussion of expectations of privacy in relation to mobile technology.  He suggests that “Americans’ constant use of cellphones for increasingly diverse and private purposes illustrates the attitude with which people approach this technology as a whole” and that “a person’s expectation of privacy is not radically different when using his or her cellphone to make a call versus to check his or her bank account balance.”  Id. at 29.  Moreover, Judge Leon notes, mobile devices are a necessary part of modern life and therefore entail stronger expectations of privacy than high-security environments that most people enter only occasionally, such as airports.

Another notable aspect of the Opinion is Judge Leon’s often colorful descriptions of the NSA program and the government’s arguments in its favor.  Here is a sampling:  the bulk data collection program “is a sweeping, and truly astounding program that targets millions of Americans arbitrarily and indiscriminately” (Id. at 31); it is “absurd to suggest that the Constitution favors, or even tolerates, such extreme measures!” (Id. at 32 (exclamation point in original)); the government’s evidence in support of the program’s efficacy is “[n]ot exactly confidence inspiring!” (Id. at 35 (exclamation point in original)); “the Government . . . suggests that this Court should defer to [its] judgment . . . Please!” (exclamation point in original); “the Government incredibly argues that the [newly added] plaintiffs’ claim of irreparable harm is necessarily undercut by their more than two-year delay in joining this suit . . . . Come on!” (Id. at 38, n. 22 (exclamation point in original)); the government argues that the Court must “defer to Congress’ ‘determination’ that continuing the Program during the 180-day transition period is the best way to protect the public interest. . . . Not quite!” (Id. at 39 (exclamation point in original)); “Congress, of course, is not permitted to prioritize any policy goal over the Constitution . . . .  Nor am I!” (Id. at 40 (exclamation point in original)); “[t]his Court simply cannot, and will not, allow the Government to trump the Constitution merely because it suits the exigencies of the moment” (Id.).

Earlier today, Judge Leon denied the government’s emergency application for a stay of the preliminary injunction pending appeal, and the government filed an appeal with the D.C. Circuit.

klayman.pdf: https://drive.google.com/file/d/0BzS0leqU862xNm1BRDVyQ2VfTEk/preview?usp=drivesdk