Summary
- E-discovery is expensive, time-consuming, and subject to gamesmanship,
- It often yields little relevant information in comparison with the costs.
- Early and open discussions regarding e-discovery matters will help you address client concerns.
It used to start with a knock on the door. Agents would appear at a target’s home or office, warrant in hand, to search through closets, desk drawers, and filing cabinets for papers and handwritten notes. But today, even seizing and searching a target’s home computer, which has the effect of putting the target on notice that he or she is in the crosshairs, have become less of a priority.
Instead, investigators access brontobytes of emails, photos, text messages, voicemails, calendar appointments, and other private data files stored in the electronic clouds that Apple, Amazon, Google, and others like them maintain.
As more companies use free email services like Gmail for their corporate email and free products like Google Drive and Google Sheets for online collaboration among their corporate employees, their trade secrets and other proprietary corporate data will end up in the hands of law enforcement.
Yesterday’s battle over law enforcement’s ability to seize electronically stored information (ESI) controlled by a third party was whether a federal search warrant under the Stored Communications Act, 18 U.S.C. § 2703, compelled a company to produce email stored on a server outside the United States. Congress mooted that battle by passing the CLOUD Act, codifying new language in section 2703 that clarifies that federal warrants for ESI compel the production of data stored outside the U.S.
Today’s battle stems from the practices of companies like Google that, in addition to email and storage services, also provide a myriad of other cloud products to consumers, which result in significant other personal data being in Google’s possession. To complicate matters, customers access those cloud services by subscribing with the use of a unique ID and a password that is typically, although not exclusively, the user’s email address.
While the user may consciously choose to store certain files or types of data with these services, that is not always the case. There may be a treasure trove of data automatically generated by these services via applications on mobile devices and computers. Examples include the GPS locator feature on iPhoto, a Google user’s search history, or an Amazon customer’s online shopping preferences.
Taken together, data from these apps can contain most of a person’s entire electronic footprint—from restaurants visited to freeways driven, from photos snapped to voice messages logged. That’s a staggering amount of information available for use against either the subscriber or someone else whom the data incriminates, whether that person was in the crosshairs before the search or not. See United States v. Ganias, 824 F.3d 199, 217 (2d Cir. 2016) (noting that the seizure of a computer hard drive “can give the government possession of a vast trove of personal information about the person to whom the drive belongs, much of which may be entirely irrelevant to the criminal investigation that led to the seizure”).
As the various types of ESI expand, the potential for law enforcement to take advantage increases. Indeed, one such questionable practice is law enforcement’s reliance on search warrants directed to companies like Google for ESI from multiple different Google products when the warrant application addresses probable cause to search only the defendant’s Google electronic mail system, Gmail.
In those search warrant applications, law enforcement personnel often provide no other link between the Gmail account and the other Google products or services besides the fact that the defendant used an @gmail.com email address to register for the other Google services. That trompe l’oeil may yield a warrant that directs Google to turn over all of a subscriber’s ESI, even though law enforcement had probable cause, and therefore a legal basis, to seize only a limited subset of that information—that is, just the emails in the user’s Gmail account.
To compound law enforcement’s advantage, federal law allows the government to obtain a court order delaying notification to the subscriber that the subscriber’s data have been seized. That puts the subscriber in the position of litigating the propriety of the search, not at the time it’s taking place, but rather after some incriminating evidence has been found. The subscriber, asking a court to suppress that incriminating evidence after it has been seized, is perceived as “the guilty guy trying to get off on a technicality.” See 18 U.S.C. § 2705.
Current case law provides little guidance on navigating the Fourth Amendment issues that arise under these circumstances.
Google offers at least 50 separate products that store user data, including some extremely popular and almost universally available mobile and desktop apps such as Google Drive, Chrome, Google Photos, Google Play Music, Google Maps, G Suite Marketplace, Google My Business, YouTube, Hangouts, and of course Gmail. Indeed, as a result of the recent global pandemic, more and more companies are participating in, and recording, corporate business meetings taking place over Google Meet sessions. For many of these products, the basic versions are free; others are paid.
Users must register for Google products by establishing a Google account with a unique identifier that is always an email address (although it is not necessarily always an @gmail.com address). For many users, the creation of a Google account happens automatically when they decide to start using Gmail and create a Gmail account. In that case, the username chosen when creating the Gmail account becomes the permanent Gmail address for that account and is also used as the unique ID for the Google account that houses the email product. Google subscribers automatically have access to certain products like Calendar, YouTube, Contacts, Photos, Maps, and Google Drive, easily accessed from within Gmail by clicking on a visible nine-dot box in the upper right corner of the email interface.
These arrangements can be likened to apartment buildings, each with a unique street address (the username), and each building containing several different rooms in which the different Google products are located and in which the data for that product are stored. The Google ID is the user, or “landlord,” key: Together with a password, it not only unlocks the front door of the building; it also serves as a master key to unlock individual apartments in the building. Some Google customers’ apartment buildings may have only one apartment containing Gmail ESI. Other customers’ buildings may have apartments for YouTube, Docs, and Maps, but no Gmail.
While items from the Gmail “apartment” can be moved within the “building,” that generally requires affirmative action by the user/landlord. For example, when a user receives a photo attached to a message in her Gmail account inbox, she has the option to rely on Gmail’s free unlimited storage and simply leave the photo in Gmail. Alternatively, she can download it to a folder on her local computer or click on an option labeled “Add to My Drive,” which moves the photo to the user’s Google Drive for easier access to the file. Google users also can save to Google Drive other files such as word-processing documents and other file types attached to Gmail. They can also upload photos and other documents from their computers or mobile devices directly to Google Drive, with no Gmail account interface.
Anecdotal evidence suggests that law enforcement agencies are aggressively obtaining warrants to search products like Google Drive and other “apartments” in a Google landlord’s “building” based on affidavits that, at most, articulate probable cause to search only for Gmail.
One high-profile example involved the investigation into the death of musician and artist Prince in April 2016 from a drug overdose. The Carver County, Minnesota, sheriff served a warrant on Google that sought all data maintained by Google pertaining to a particular Gmail account that Prince used to communicate with his inner circle. The affidavit in support of the warrant was focused entirely on the probability that those Gmail communications contained evidence about who may have provided Prince with the fentanyl that caused his untimely death.
There was no discussion whatsoever in the affidavit about Prince’s use of any other Google products aside from Gmail. Nevertheless, the scope of the warrant served on Google went well beyond those emails to demand “[a]ll records, files and contents of Gmail, Google Docs, Google Drive, Google calendar, location history, Google Chrome Sync, Google Services, Google Maps engine, Google Hangouts, Google Photos, Google+, Google profile, web history and plus one.” The investigation was closed without charges, so the scope of the Carver County warrant was not litigated.
In another case, an individual was being investigated for a violation of the Kansas Offender Registry Act, which required him to register all of his online identities. Law enforcement suspected that the individual had not disclosed a Facebook account he controlled. While it was undisputed that law enforcement had probable cause to obtain the Facebook account’s subscriber information, it sought and obtained a search warrant for the entire contents of the Facebook account, including contacts, photos, communications, internet protocol logs, and friends list. United States v. Irving, 347 F. Supp. 3d 615 (D. Kan. 2018). Clearly, law enforcement wanted to gather not only evidence that the individual had violated the act but also evidence of his associations, either to identify additional victims and therefore additional crimes or to identify additional offenders. In that case, the suppression motion was granted.
In a case in which a subscriber was suspected of being part of a prostitution ring, authorities executed a search warrant on Facebook to disclose to the government virtually every type of data that could be located in a Facebook account, including every private instant message the subscriber had ever sent or received, every IP address from which she had ever logged in, every photograph she had ever uploaded or been “tagged” in, every private or public group she had ever been a member of, every search on the website she had ever conducted, every purchase she had ever made through “Facebook Marketplace,” and her entire contact list. United States v. Blake, 868 F.3d 960 (11th Cir. 2017). The trial court denied the suppression motion. On appeal, the circuit court held that the search violated the defendant’s Fourth Amendment rights but that the good-faith exception applied.
Those cases follow an earlier trend. Law enforcement had probable cause to seize email within a particular date range but procured warrants ordering the production of email over a much broader time frame. Such instances of overreach—both inadvertent and intentional—will grow as the use of electronic search warrants continues to explode.
In 2019, Google was served with roughly 21,000 search warrants. Google produced at least some data in response to about 87 percent of those requests. That was up from 2018, when Google responded to about 85 percent of roughly 15,600 search warrant requests. And Google is just one among the many tech giants that store extensive troves of customer data.
The trend is as dangerous as it is obvious: find probable cause to support the seizure of particularized contents of a suspect’s digital data, yet generate a warrant calling for seizure broader in scope, whether in terms of time frame, data repository, or “apartment.”
Generalized warrants purporting to justify overbroad searches are not what the framers of the Fourth Amendment had in mind. Under the Fourth Amendment, before conducting a search for evidence of criminal wrongdoing, law enforcement agencies generally must obtain a judicial warrant. In Riley v. California, 134 S. Ct. 2473 (2014), that rule was extended to searches of cell phones, the impact of which could affect other electronic devices such as laptops and tablets, with the same heightened privacy interests that the Supreme Court held to exist in cell phones. The Supreme Court has also held that GPS tracking by law enforcement constitutes a Fourth Amendment search. As Chief Justice Roberts recognized in Riley, “cell phones, with increasing frequency, are . . . taking advantage of ‘cloud computing,’” and it thus “makes little difference” from a privacy standpoint whether information found on a cell phone is stored on the phone itself or in the cloud. 134 S. Ct. at 2491.
Under the Stored Communications Act, the government may require an electronic communication service provider to disclose contents of an electronic communication that has been held in electronic storage for 180 days or less only pursuant to a judicially authorized search warrant. 18 U.S.C. § 2703(a). For electronic communications held for more than 180 days, the government may require a “provider of remote computing service” to disclose the requested electronic communications without notice to the subscriber or customer, if the government obtains a warrant pursuant to the Federal Rules of Criminal Procedure. See 18 U.S.C. § 2703(b)(1)(A).
The Sixth Circuit held that provision unconstitutional in United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010). Since then, the Department of Justice’s policy has been to seek a warrant when trying to obtain emails that have been stored for longer than 180 days. Unlike executing a traditional premises search warrant, executing a § 2703 warrant does not require law enforcement personnel to be present for the initial gathering of communications—instead, the service provider may turn over copies of the described items from its servers.
Search warrants must be based on probable cause. In addition, search warrants must particularly describe both the place to be searched and the person or things to be seized. The search warrant’s description must be specific enough to allow the person conducting the search to reasonably identify the things the warrant authorizes to be seized. These requirements, that warrants be based on probable cause and describe with particularity the things to be seized, constitute the specificity requirement, which encompasses two key aspects: particularity and breadth. Particularity is the requirement that a search warrant must clearly state what is sought. Overbreadth deals with the requirement that the scope of a search warrant must be limited by the probable cause that forms the basis for the warrant.
Warrant provisions that attempt to justify the seizure of all records of a particular class typically fail the specificity requirement and, therefore, violate the Fourth Amendment. That principle applies to both hard-copy records and electronic records. In fact, as they relate to the seizure of electronic evidence, “all records” seizure provisions have been described by many courts as the electronic age’s version of general warrants. Generally, “all records” searches can be enforced only if there is probable cause to seize all the records in a class or there is literally no more specificity that the warrant could reasonably provide.
In the cases described above, there typically was probable cause to seize certain ESI in the service provider’s repository, but the question was the appropriate scope of materials to seize. In the Prince case, law enforcement’s argument was that it had probable cause to seize his communications, but that raises the question of why Prince’s calendar or location history was seized. In Irving, while there was probable cause to seize subscriber information, what basis was there to seize the remainder?
In Blake, perhaps there was probable cause to examine the subscriber’s email communications within a limited period, but what basis was there to seize records of her purchases from Facebook Marketplace? In a slightly different but related case, probable cause existed to examine the call logs, text messages, and contacts, but not to search the photographs on the phone. United States v. Morton, 984 F.3d 421 (5th Cir. 2021). The police needed separate probable cause to believe each of those other repositories contained evidence of criminality. At the very least, they needed some additional information connecting the other services to the defendant’s alleged criminal activity.
A common theme runs through these cases—expeditiousness. In each, the police could have engaged in a two-step process: obtain the material for which there was probable cause and then develop probable cause to seize the additional material by, among other things, reviewing the ESI seized in the first stage. If, for example, the police had obtained ESI from the defendant’s Gmail account and reviewed the metadata to determine that the target had moved some incriminating documents from a Gmail account to a Google Drive account, regardless of whether it was done on a one-off basis or because an automatic transfer rule had been set up, that could have provided a basis to seek a new warrant to search the defendant’s Google Drive.
Because there was no such evidence, searching in that overbroad manner permitted law enforcement to access a greater scope of ESI than was justified. The judge’s reasoning that all of the products in the Google account were linked using a common username and that the target could have moved incriminating data from Gmail to Google Drive was an unsatisfactory basis to deny the suppression motion.
Future challenges to warrants like these should focus on the lack of any evidence that a defendant transferred information from one product to another, including evidence that a defendant rarely or never accessed certain services. Advocates also should take the time to educate judges about the relevance and interplay between Google accounts, the use of Gmail addresses as user IDs, Gmail account contents, Google Drive, and the other products in Google’s suite.
Practitioners also should focus on the warrant’s temporal limits to ensure that limits justified by the probable cause determination dictate the temporal scope of the permissible seizure. For example, if the government had probable cause to believe that a Gmail account had evidence of the crime over a one-week period, that would not justify a seizure of three years’ worth.
Advocates should consider potential challenges when the repositories or search locations identified in the warrant are less specific, more numerous, or broader than those set forth in the underlying application. In United States v. Russian, 848 F.3d 1239 (10th Cir. 2017), the defendant challenged law enforcement’s seizure of photos and texts from cell phones recovered at the time of arrest. The post–arrest warrant application in that case sought “[t]ext messages, phone numbers, phone calls sent and received, any data contained within the phone or on any removable media device within the phone and Images contributing to the possession or sale of any illegal drug and drug paraphernalia.” The warrant that was issued allowed for the seizure of “cellphones that could be used to facilitate the commission of the crimes,” but the warrant failed to authorize the search of cell phones already in law enforcement custody or the seizure of any cell phone data.
The Russian court found that the warrant was insufficiently particular because it merely authorized a search of the defendant’s residence and seizure of any cell phones found inside. It did not identify either of the phones that were already in law enforcement’s custody, and it did not specify the type of material law enforcement personnel were authorized to seize, such as text messages, photos, or call logs. Id. at 1245. In reaching that conclusion, the Tenth Circuit built off previous case law that limited the search of electronic devices in general:
We have thus drawn a “recognizable line” in considering how much particularity is required for computer searches. On the one hand, we have invalidated warrants authorizing computer searches “where we could discern no limiting principle: where, for example, the warrant permitted a search of ‘“any and all” information, data, devices, programs, and other materials,’” or “all computer and non-computer equipment and written materials in [a defendant’s] house.” On the other hand, we have stated, “warrants may pass the particularity test if they limit their scope either ‘to evidence of specific federal crimes or to specific types of material.’”
Id. (internal citations omitted).
The Tenth Circuit’s approach can translate to cloud repositories.
In United States v. Leon, 468 U.S. 897, 922 (1984), the Supreme Court held that evidence obtained pursuant to an invalid warrant will remain admissible if the officer executing the search acted in objectively reasonable reliance on the validity of the warrant. The government bears the burden of proving that reliance was objectively reasonable. Evidence so obtained is not admissible if the warrant is clearly facially deficient. If the search warrant failed to particularize the place to be searched or things to be seized to such a degree that the executing officer could not have reasonably presumed the warrant to be valid, the evidence should be suppressed. Id. at 923. In Russian, for example, the court held that the officer’s reliance on the insufficiently particular warrant was reasonable under the circumstances, and the court therefore upheld the district court’s refusal to suppress the seized evidence. 848 F.3d, at 1246.
The key question is whether a reasonable and well-trained officer would have known that his or her affidavit failed to adequately establish probable cause for the records he or she was seeking. As a practical matter, that means that even when a defendant is successful in convincing the court that the incriminating fruits of the search should be suppressed because the search violated the Fourth Amendment, law enforcement gets a second opportunity to save the search results by establishing that while the search was not proper, law enforcement acted in a good-faith belief that the search was proper.
In Blake, the Eleventh Circuit saved a conviction by finding that Leon good-faith applied. In Morton, however, the Fifth Circuit found that the facts that led to the reasonable conclusion that the defendant was a consumer of drugs did not support a reasonable conclusion that the defendant was also a drug dealer. The court thus held that the search was not protected by the good-faith exception.
One would expect that litigating good faith should get easier as law enforcement and the courts become familiar with the operation and content of various Google products, and as law enforcement agencies continue to serve tens of thousands of search warrants on custodians like Google each year. It seems unlikely, for example, that anyone could objectively lump the content of Gmail together with Google’s YouTube.
To demonstrate that an officer’s reliance on an overbroad Google warrant is unreasonable, it may help to establish the agent’s prior experience and familiarity with similar warrants, personal use of these various products, prior training, and experience with the technology. The more the agent understands the different “apartments” located within Google, the more unreasonable an overbroad warrant will seem.
Counsel also should consider whether the government may have violated any court-imposed limits on the ESI search and seizure to such an extent that the Google warrant became unconstitutionally general or was executed in an unreasonable manner.
This issue arises more often when law enforcement personnel execute a search in which they seize a computer or server and take it back to the office for some limited time to review the contents pursuant to a specified protocol, like searching for certain keywords. The issue can also arise in the context of section 2703 warrants to companies like Google, however, because those companies have taken the position that they will not perform keyword searches in response to law enforcement demands to seize, for example, all emails that evidence copyright infringement. Thus, law enforcement may seek a warrant that directs Google to produce an admittedly overinclusive set of documents, with the understanding that law enforcement will review the broader set of documents to find those that evidence the copyright infringement and then return or discard the remainder.
There are a number of practical problems with law enforcement reviewing the voluminous amounts of data returned from electronic search warrants, including the overinclusion of nonresponsive materials among the responsive materials. Over a decade ago, Rule 41 of the Federal Rules of Criminal Procedure was amended to recognize the unique nature of these digital productions and make it easier for law enforcement to locate and segregate responsive data.
The amended rule authorizes “a later review of the media or information” obtained pursuant to the warrant, which effectively creates a two-step process by which agents first collect the broader set of data from the storage location and then review that set for material that is “consistent with the warrant.” Rule 41 does not address the timing or method for the subsequent review of ESI, so the conduct of the second step has largely been left to the discretion of law enforcement officials within the contours of the Fourth Amendment’s reasonableness requirement.
Depending on the jurisdiction, a magistrate judge granting the warrant may have imposed restrictions on the scope, duration, or method of the search’s execution that may be relevant to a suppression motion. If the order imposed any time limits on completion, mandated return or deletion of nonresponsive materials, or listed specific search protocols that were not followed, suppression may succeed if the defendant was prejudiced or if the government acted with reckless disregard for those procedures. See United States v. Christie, 717 F.3d 1156, 1166–67 (10th Cir. 2013) (discussing that the Fourth Amendment particularity requirement may or may not require limitations ex ante, but noting that “even if courts do not specify particular search protocols up front in the warrant application process, they retain the flexibility to assess the reasonableness of the search protocols the government actually employed in its search after the fact, when the case comes to court, and in light of the totality of the circumstances”).
As technology rapidly evolves, it has become increasingly difficult to apply Fourth Amendment requirements to search warrants for electronic data. This is particularly true when the data are controlled by third parties, stored in the cloud, and uploaded to the cloud at times even without the user’s knowledge.
Existing case law governing the propriety of search warrants for an individual’s electronic data is lacking. The door to governmental abuse and overreach is wide open. Practitioners should challenge the propriety of such government searches whenever possible.
While case law specific to searches of Google’s products may be absent, the legal arguments used to challenge issues pervasive in more traditional government searches can and should be made to challenge suspect governmental searches of Google user data. Still, the age-old adage is more true than ever: Do not save, or passively allow to be saved, anything for which you don’t want a record.