Richmond Journal of Law and Technology

The first exclusively online law review.

Category: Article (Page 2 of 7)

Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence

BMS Publication Version PDFpdf_icon

Cite as: Stacey Blaustein et al., Digital Direction for the Analog AttorneyData Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow, 22 Rich. J.L. & Tech. 10 (2016),

 Stacey Blaustein,* Melinda L. McLellan,** and James A. Sherer***


I.  Introduction

 [1]       Over the past twenty years, the near-constant use of sophisticated technological tools has become an essential and indispensable aspect of the practice of law. The time and cost efficiencies generated by these resources are obvious, and have been for years.[1] And because clients expect their counsel to take full advantage,[2] savvy attorneys understand that they must keep up with ever-evolving legal technologies to stay competitive in a crowded marketplace.[3]

[2]       With increased globalization and exponential growth in the creation, collection, use, and retention of electronic data, the challenges to all lawyers—especially those who may not have tech backgrounds or a natural aptitude for the mechanics of these innovations—are multiplying with breathtaking speed.[4] Nevertheless, many attorneys are either blissfully unaware of the power and potential danger associated with the tools they now find themselves using on a daily basis, or they are willfully avoiding a confrontation with reality. For lawyers, technological know-how is no longer a “nice to have” bonus; it now poses an ethical obligation. Where competent client representation demands a minimum level of tech proficiency, however, many lawyers come up short with respect to this fundamental component of their professional responsibilities.[5]

[3]       What types of privacy and data security threats do various technologies pose to attorneys, their firms, their clients, and the legal profession in general? What rules and regulations govern how attorneys may make use of technology in their practice, and how might clients seek to impose restrictions around such use when it comes to their corporate data? Must attorneys gain mastery over the intricate mechanics of the technological resources they employ, or is basic knowledge sufficient? How can we weigh the potential risks and rewards of cutting-edge, emerging digital products and electronic resources about which clients—and indeed, even the lawyers themselves—may understand very little? These are just a few of the questions that arise when we consider the issue of technological competence in the legal profession and corresponding ethical requirements.

[4]       To begin to answer these questions, we look to the applicable Model Rules issued by the American Bar Association (“ABA”), various state-level professional ethics rules that incorporate the Model Rules, associated ethics opinions and guidance issued by the states, state and federal court decisions, and guidelines issued by sector-specific agencies and organizations.[6] Our focus in this investigation concerning lawyerly “technological competence” will be on privacy and data security risks and safeguards, e-Discovery-related challenges, and the potential perils of various uses of social media in the legal sphere.

 II.  The Threat Landscape: Law Firms as Prime Targets

[5]       In recent years, the volume and severity of attacks on electronically-stored data, and the information systems and networks that house that data, have increased exponentially. The modern-day “threat environment” is “highly sophisticated,” and “massive data breaches are occurring with alarming frequency.”[7] For attorneys, such perils implicate multiple ethical and professional responsibilities with respect to how they handle data, including the duty to protect the confidentiality of client information and the obligation to provide “competent” representation.

[6]       Unfortunately, law firms can provide a proverbial back door for hackers seeking access to a company’s data, as attorneys often are custodians of a veritable “treasure trove” of valuable client information “that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”[8] Some hackers even focus their efforts primarily on law firms, especially those firms collecting vast amounts of data from corporate clients in the course of E-Discovery or corporate due diligence.[9] Corporate secrets, business strategies, and intellectual property all may be found in a law firm’s collection of its clients’ data.[10] In some cases, the interceptors may be looking for competitive information relevant to merger negotiations, or trying to suss out evidence of as-yet unannounced deals for insider trading purposes.[11]

[7]       A 2015 report estimated that 80% of the biggest 100 law firms have experienced some sort of data security incident.[12] And as is the case with so many companies that suffer a breach, law firms that have been hacked may not know about it for a considerable period of time. Moreover, unlike other industry sectors subject to various reporting requirements, law firms generally do not have a statutory obligation to publicly report cybercrimes that do not involve personally identifiable information.[13] Lack of obligations notwithstanding, a recent report indicated that “[t]he legal industry reported more “cyber threats” threats in January [2016] than nearly any other sector,” topped only by the retail industry and financial services.[14]

[8]       Although these reported “threats” might not necessarily result in data compromises, the fact that the legal industry frequently is among the most targeted for data theft should concern attorneys.[15] Anecdotal evidence of actual and attempted interference with law firms’ data security systems abounds as well. In 2014, a report indicated that communications between lawyers from the law firm of Mayer Brown and officials with the Indonesian government were intercepted by an Australian intelligence agency that had ties with the U.S. National Security Agency (“NSA”).[16] And the managing partner of the Washington-area offices of Hogan Lovells LLP recently noted that her firm “constantly intercept[s] attacks.”[17]

[9]       The message to law firms seems clear: first, if “you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim.”[18] Second, “[f]irms have to make sure they are not a weak link…which at its most basic level means their standards for protecting data need to be at least equivalent to those of the companies they represent.”[19]

[10]     It seems inevitable that client expectations and demands with regard to their legal service providers’ security will continue to evolve and expand. One commentator recently predicted that in the future “clients across the board will demand firms demonstrate they’re prepared for all shapes and sizes of cybersecurity breaches,”[20] while another prophesized that “in the name of risk management and data leakage prevention, a large financial industry corporation will challenge their outside counsel’s [Bring Your Own Device] program.”[21] Indeed, according to a 2014 report in the New York Times:

Banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets for their own use of sale to others….Some financial institutions are asking law firms to fill out lengthy 60 page questionnaires detailing the [law firm’s] cybersecurity measures, while others are demanding on-site inspections….Other companies are asking law firms to stop putting files on portable thumb drives, to stop emailing non-secure iPad or working on computers linked to a share network in countries like China and Russia.[22]

[11]     In short, lawyers, law firms, and other legal services providers cannot afford to be complacent when it comes to cybersecurity.

A.  Lawyering in the Cloud

[12]     Firm adoption of cloud services is on the rise, especially among boutiques and solo practitioners that previously lacked the resources to compete effectively with larger law firms when it came to technology and data storage.[23] At first, the added value of cloud services created a perception that “nirvana had arrived” in terms of leveling the playing field for smaller firms.[24] Notwithstanding the apparent advantages of the cloud, attorneys were quick to identify concerns associated with the technology and its supporting practices, including “increased sensitivity to cyber-threats and data security.”[25] Some commentators opted for a cautious and conservative approach, noting that the “legal profession has developed many safeguards to protect client confidences,” and that the use of cloud hosting, among other practices, fell on a continuum where, as “an individual attorney gives up direct control of his or her client’s information, he or she takes calculated risks with the security of that information.”[26]

[13]     There is hope for attorneys drawn to the advantages of cloud services, but vigilance and diligence is required. As noted in tech law guidance from March 2014, “[u]sing the cloud to hold data is fine, so long as you understand the security precautions.”[27] Security concerns have put a damper on adoption rates and the development of attorney-specific cloud services lags behind other industries. This reluctance is unsurprising given the slow rate of technological advancements within the profession generally,[28] and a deserved reputation that the tendency of firms is “to be technology followers, not leaders.”[29] That said, lawyers do seem to be embracing the cloud to some extent,[30] with the majority utilizing cloud solutions in some capacity,[31] even if implementation is mostly through “sporadic action and adoption among firms and law departments.”[32]

[14]     With respect to professional obligations, this type of implementation may not require specific technological expertise on the part of the attorneys. New York State Bar Association Opinion 1020, which addressed ethical implications of the “use of cloud storage for purposes of a transaction,” determined that compliant usage “depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”[33]

[15]     Further, New Jersey Opinion 701 addresses the reality that it is

[N]ot necessarily the case that safeguards against unauthorized disclosure are inherently stronger when a law firm uses its own staff to maintain a server. Providing security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry, and it is certainly possible that an independent [Internet Service Provider] may more efficiently and effectively implement such security precautions.[34]

[16]     Opinion 701 does include an additional caveat, that

[W]hen client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer’s obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it.[35]

 B.  E-Discovery Tools

 [17]     To begin with, federal judges are unconvinced that many of the attorneys appearing before them understand how to make proper use of the technologies and related strategies associated with E-Discovery. A recent report, “Federal Judges Survey on E-Discovery Best Practices & Trends,”[36] compiled some of the judges’ concerns, noting first “the typical attorney…does not have the legal and technical expertise to offer effective advice to clients on e-discovery.”[37] Some of the judges’ comments were quite blunt, with one noting that “[s]ome attorneys are highly competent; but most appear to have significant gaps in their understanding of e-discovery principles.”[38]

[18]     Legal ethical rules and related opinions and scholarship provide guidance for what attorney E-Discovery competence should look like. At least one author has made the connection between professional responsibility and technological savoir-faire, noting that:

There is growing recognition across the country that the practice of law requires some degree of competence in technology. In the forum of litigation, competence in technology necessarily equates with competence in e-discovery. It is only a matter of time before ethics bodies across the nation call for competence in e-discovery.[39]

[19]     The opinions of courts and bar associations may carry the most weight, but a number of influential professional and industry groups also have offered useful commentary on technological competence. For example, competence is

…highlighted in the very first rule of legal ethics, according to the American Bar Association[’s] Rule 1.1 of the ABA Model Rules of Professional Conduct,” which “specifically recognized the need for technological competence through a significant change in August 2012 that formally notified all lawyers (and specifically those in jurisdictions following the Model Rules) that competency includes current knowledge of the impact of e-Discovery and technology on litigation.[40]

[20]     This guidance predated and perhaps presaged a number of state and federal reactions to technology and the impact of these developments on the practice of law, especially within the realm of E-Discovery. Delaware amended its Lawyers’ Rules of Professional Conduct as they related to technology in 2013;[41] North Carolina[42] and Pennsylvania[43] did the same shortly thereafter.

[21]     California’s relatively recent Formal Opinion No. 2015-193 (the “California Opinion”) addresses a number of issues associated with attorney ethical duties vis-à-vis E-Discovery. Although advisory in nature, the California Opinion states “attorneys have a duty to maintain the skills necessary to integrate legal rules and procedures with ‘ever-changing technology.’”[44] That reads broadly, but the California Opinion has been interpreted to indicate that, because E-Discovery arises “in almost every litigation matter, attorneys should have at least a baseline understanding of it.”[45] Specifically, the California Opinion begins with the premise that E-Discovery requires an initial assessment of its inclusion at the beginning of a matter.[46] If E-Discovery will be a component of a matter,

[T]he duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.[47]

[22]     Other commentators have noted that the California Opinion focuses on “nine (9) core competency issues” which would offer “solid guidelines for attorneys…to maintain competency and protect client confidentiality in the era of eDiscovery.”[48] One author notes that one of these core competency issues and its related directive, that of performing data searches, stretches across the entirety of the E-Discovery process “occurring at each of these steps, from preservation and collection to review and redaction.”[49]

[23]     Soon after the California Opinion was decided, Magistrate Judge Mitchell Dembin issued a Southern District of California decision that addressed “counsels’ ethical obligations and expected competency” in HM Electronics, Inc. v. R.F. Technologies, Inc.[50] The HM Electronics case focused both on specific steps the attorneys should have taken (such as implementing a legal hold and doing the legwork necessary to certify discovery responses as true) as well as behavior actively detrimental to the case (instructing client personnel to destroy relevant documents).[51] Of note in Judge Dembin’s excoriation of the misbehaving attorneys is his statement that “a judge must impose sanctions for a violation of the Rule that was without substantial justification.”[52] One article suggests that part of the problem may be simply that “counsel and clients alike…fail to take seriously judges’ expectations for how they conduct themselves throughout the discovery process.”[53]

[24]     New York attorneys followed the California Opinion with interest, first noting that it merely presented “the standard tasks one should engage in and competently execute to properly collect and produce responsive ESI [Electronically Stored Information] to the opposing party.”[54] A 2009 S.D.N.Y. opinion had chastised attorneys who would otherwise disclaim experience, warning that it was “time that the Bar—even those lawyers who did not come of age in the computer era” understood E-Discovery technologies and their application.[55] A recent article indicated that there is “an ample basis to discern a framework for ethical obligations, derived from ethics rules, court rules, and sanctions decisions in the e-discovery context” based in part on the history of New York courts as “leaders in the advancement of e-discovery law.”[56]

[25]     But such a “framework for ethical obligations” might not even be necessary where competence is the ethical rule at issue. Competence “requires that lawyers have the legal knowledge, skill, thoroughness, and preparation to conduct the representation, or associate with a lawyer who has such skills”[57] and that supervision is appropriate to ensure that the work of others “is completed in a competent manner.”[58] The issue of supervision came up in another advisory opinion, Ethics Opinion 362 of the District of Columbia Bar, which indicated that retaining an e-Discovery vendor that provided all of the E-Discovery services was both impermissible (as the unauthorized practice of law on the part of the vendor) as well as a circumstance where the attorney engaging such a vendor was not absolved from understanding and supervising the work performed, no matter how technical.[59]

 1. Metadata in Electronic Files

[26]     A very basic threat to client confidentiality (as well as the secrecy of counsel’s strategy) is the existence of metadata embedded in electronic files exchanged between the parties or produced as evidence. Most frequently this threat exists in the form of automatically created information about a file, including changes made to the file, that can be recovered and viewed by a third party if not removed (or “scrubbed”) prior to disclosing the file. This “application metadata” can include information about the document itself, the author, comments and prior edits, and may also detail when the document was created, viewed, modified, saved or printed.[60] In addition to the fact that access to metadata can provide opposing parties with everything from revealing insights to damning evidence, there’s also a “real danger” that “application metadata may be inaccurate.”[61]

[27]     Further, disputes related to metadata regularly arise in the E-Discovery context. Indeed, one of the “biggest challenges in electronic discovery” concerns “[u]nderstanding when metadata is relevant and needs to be preserved and produced.”[62] To cite just one example, the concurring opinion in State v. Ratcliff noted that judges must determine whether submitted evidence contained more than the information visible on the face of the document, or whether metadata was included as well, where the distinction “is critical, both on an ethical and adjudicative basis.”[63]

[28]     Accordingly, understanding and managing metadata has become a baseline requirement for technological competence when dealing with client data and attorney work product. Numerous products exist to help save lawyers from themselves when it comes to accidental disclosure of metadata, including software applications that may be integrated into email programs to prevent documents from being sent outside the network without first passing through a scrubbing filter. And the e-filing portal in many jurisdictions “contains a warning reminder that it is the responsibility of the e-filer to strip metadata from the electronic file before submitting it through the portal.”[64] Reliance on these tools, however, may not suffice for long as the sophistication and complexity of issues related to the creation and manipulation of metadata continue to evolve.

III. Overview of U.S. Data Privacy and
Information Security Law

 [29]     The sectoral approach to privacy and data security law in the United States often is described as “a patchwork quilt” comprised of numerous state and federal laws and regulations that apply variously to certain types of data, certain industries, the application of particular technologies, or some combination of those elements. These laws may be enforced by a variety of regulators, with state Attorneys General and the Federal Trade Commission often leading the way.[65] Plaintiffs’ lawyers also are prominent actors in this space, bringing an ever-increasing number of class action and other civil suits alleging violations of privacy rights, data protection laws, and information security standards.

[30]     Although there are no federal or state privacy statutes specifically applicable solely to lawyers, numerous data protection laws and regulations may apply to attorneys in their role as service provider to their clients or in other contexts. The obligations associated with these laws often implicitly or explicitly demand that lawyers handling client data (1) have a thorough understanding of the potential privacy and security risks to that data; (2) assess and determine how best to secure the data and prevent unauthorized access to the data; and (3) supervise anyone acting on their behalf with respect to the data to ensure the data is appropriately protected at all times.

[31]     Below we describe a few of the privacy and data security laws that tend to come up frequently for lawyers and impose requirements on their handling of client data that may involve technological competence. This discussion is by no means exhaustive, as technology touches upon virtually every aspect of data protection regulation and information security counseling by attorneys in the field. To provide just a few examples, advising companies on restrictions applicable to cross-border data transfers, data localization requirements, cybersecurity standards and information sharing obligations, and regulatory action around the use of biometrics and geolocation technologies are just a few examples of areas where a lawyer must have an understanding of the underlying technology to effectively assist clients.

 A.  HIPAA – Business Associate Agreements

[32]     The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), is the most significant health privacy law in the United States, imposing numerous obligations on “covered entities” and “business associates” of those “covered entities” to protect the privacy and security of “protected health information” (“PHI”).[66] As required by HIPAA, the Department of Health and Human Services (“HHS”) issued two key sets of regulations to implement the statute: the Privacy Rule[67] and the Security Rule.[68]

[33]     Although attorneys and law firms are not themselves considered covered entities directly subject to HIPAA’s requirements,[69] when attorneys obtain PHI from covered entity clients in the course of a representation, the law firm may be subject to certain HIPAA Privacy Rule requirements[70] in its role as a business associate.[71] The Privacy Rule and the Security Rule apply to a covered entity’s interactions with third parties (e.g., service providers) that handle PHI on the covered entity’s behalf.[72] The covered entity’s relationships with these “business associates” are governed by obligatory contracts known as business associate agreements (“BAAs”) that must contain specific terms.[73] With respect to technological competence specifically, for example, the BAA requires the business associate to implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the BAA, and states that the business associate must ensure that any agents/subcontractors that receive PHI from the business associate also protect the PHI in the same manner. And attorneys who “hold HIPAA data or [other PII] may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments”[74] to ABA Rule 1.6, discussed further below.

B.  GLBA Safeguards Rule Requirements

[34]     Pursuant to the Gramm-Leach-Bliley Act (“GLBA”), the primary federal financial privacy law in the United States, various federal agencies promulgated rules and regulations addressing privacy and data security issues.[75] For example, the Safeguards Rule requires financial institutions to protect security of personally identifiable financial information by maintaining reasonable administrative, technical, and physical safeguards for customer information.[76] To comply with the Safeguards Rule, a financial institution must develop, implement, and maintain a comprehensive information security program, and that program must address the financial institution’s oversight of service providers that have access to customers’ nonpublic personal information (“NPI”).[77]

[35]     Again, although a law firm is not a financial institution directly subject to the GLBA, when it acts as counsel to a financial institution, GLBA requirements may apply to its handling of NPI received from that client. To the extent a financial institution’s law firm will have access to such NPI in the course of the representation, the financial institution-client must take reasonable steps to ensure the law firm has the ability to safeguard such data prior to disclosing it to the firm, and require the firm to contractually agree (in writing) to safeguard the NPI. Assuming such data will be stored electronically (a safe assumption in virtually all cases), it is incumbent on the law firm to understand the potential data security risks and how to prevent unauthorized access, use, transfer, or other processing of their clients’ NPI.

 C.  State Data Security Laws

[36]     At the state level, there are numerous laws and regulations regarding the protection of personal information (and other types of data) that apply to all entities that maintain such data, including lawyers, law firms, and other legal service providers.

[37]     A number of states, such as California, Connecticut, Maryland, Nevada, Oregon, and Texas, have enacted laws that require companies to implement information security measures to protect personal information of residents of the state that the business collects and maintains.[78] These laws of general application are relevant to attorneys and law firms with respect to the personal information they maintain—both client data and data relating to their employees. Typically, these laws are not overly prescriptive and include obligations to implement and maintain reasonable security policies and procedures to safeguard personal information from unauthorized access, use, modification, disclosure, or destruction (though most do not offer a definition or description of what is meant by “reasonable” security). Some laws, such as California’s, impose a requirement to contractually obligate non-affiliated third parties that receive personal information from the business to maintain reasonable security procedures with respect to that data.[79]

[38]     Massachusetts was the first state to enact regulations that directed businesses to develop and implement comprehensive, written information security programs (“WISPs”) to protect the personal information of Massachusetts residents.[80] These regulations apply to all private entities (including law firms) that maintain personal information of Massachusetts residents, including those that do not operate in Massachusetts; they also list a number of minimum standards for the information security program.[81] The Massachusetts regulations are relatively prescriptive as compared to other similar state laws of this nature, and they include numerous specific technical requirements.

[39]     These requirements apply to law firms directly, but they also apply to law firms as service providers to businesses that maintain personal information of Massachusetts residents. A compliant WISP must address the vetting of service providers, and the contract must include provisions obligating the service provider to protect the data.[82]

IV.  Applicable Ethical Rules and Guidance

[40]     The myth of the Luddite[83] or caveman[84] lawyer persists, even if this type of anachronism is, in fact, an ethical violation waiting to happen.[85] But even attorneys who “only touch a computer under duress, and take comfort in paper files and legal research from actual books”[86] must deal with technology.[87] The adequate practice—or perhaps simply “the practice” of law does not exist without technology, and there is no longer a place for lawyers who simply “hope to get to retirement before they need to fully incorporate technology into their lives.”[88]

[41]     “Really?” goes the refrain. “Why can’t I just practice the way I always have, without [insert mangled, vaguely-recognizable technology portmanteau] getting in the way?”

[42]     Well, for one thing, to the extent attorneys rely on the protections of privilege to serve their clients, said attorneys must understand how the confidentiality of their communications and work product may be compromised by the technology they use. Technologies introduce complexity that, in turn, may affect privilege—especially when “many lawyers don’t understand electronic information or have failed to take necessary precautions to protect it.”[89] But how much understanding, exactly, may be required to competently represent clients in matters concerning E-Discovery, or data security, or even privacy? At many organizations, “[p]rivacy issues get handled by anyone who wants to do them” because the subject matter area is understaffed or ignored.[90] The key technological issues relevant to E-Discovery versus data privacy may be somewhat different, but the “solutions” companies find are eerily similar: the practitioners that are actually doing the work are often those who have been delegated the work, whose “expertise” is somewhat home-grown and may, in fact, not really represent true technological competence at all.[91]

[43]     What, then, are the requirements for expertise? Perhaps a pragmatic approach is best. Certainly, practitioners who use technology—again, likely all of them—must take some well-defined, initial steps toward acquiring the appropriate skill set. This might be as straightforward as the lawyer familiarizing herself with the relevant technologies at issue. Although it may sound a bit too easy, “just being well-versed enough to understand the issues is a big plus.”[92] That being said, “those considering a career in cybersecurity or privacy will need to spend time developing some level of technical expertise.”[93] In short, the answer is “it depends” and “no one really knows – yet.” In this relatively new space, actual decisions and definitive standards for “technological competence” are thin on the ground. Below we will examine some of the relevant rules and guidelines to consider.

 A.  Recent Guidelines in the Ethics Rules

[44]     Most attorneys do not have specialized training focused on a particular technological field. Certainly the vast majority do not hold themselves out as experts in cybersecurity, cloud-based storage, social media, biometrics, or any of a variety of related disciplines. However, even in the absence of expertise, there are some basic ethical rules that provide a framework for determining a practitioner’s professional duties and obligations with regard to technology—specifically, rules pertaining to competent client representation, adequate supervision, confidentiality, and communications.[94]

1.  Competent Client Representation (Model Rule 1.1)

[45]     As discussed briefly above, almost four years ago, the America Bar Association formally approved a change to the Model Rules of Professional Conduct to establish a clear understanding that lawyers have a duty to be competent not only in the law and its practice, but also with respect to technology. Detailed below, the passage of this rule contemplated changes in technology and eschewed specifics. Rather than a paint-by-numbers approach, ABA Model Rule 1.1 puts the responsibility on attorneys to understand their own—and their clients’—needs, and how new technologies impact their particular practice.

[46]     ABA Model Rule 1.1 states that:

A lawyer shall provide competent representation to a client. Competent representation requires legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.[95]

[47]     ABA Model Rule 1.1 was amended in 2012 by Codified Comment 8 as follows:

To maintain the requisite knowledge and skills, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.[96]

[48]     Some note that Rule 1.1 “does not actually impose any new obligations on lawyers;”[97] neither does it require perfection.[98] Instead it “simply reiterates the obvious, particularly for seasoned eDiscovery lawyers, that in order for lawyers to adequately practice, they need to understand the means by which they zealously advocate for their clients.”[99] One article noted, in fact, that Comment 8 was evidence of “the ABA’s desire to nudge lawyers into the 21st century when it comes to technology.”[100] It did, however, caution that it was “a very gentle nudge.”[101]

 [49]     Nudge or not, that message has resonated across the United States. In the four years since that amendment was approved and adopted by the ABA, twenty-one states since have adopted the ethical duty of technological competence for lawyers.[102] As for many of the states that have not formally adopted the change to their Model Rules of Professional Conduct, those may still explicitly or implicitly acknowledge this emerging duty to be competent in technology, having a basic understanding of technologies their clients use, and a duty to keep abreast of such changes including a required awareness of regulatory requirements and privacy laws.[103]

2.  Supervision (Model Rules 5.1 and 5.3)

[50]     ABA Model Rule 5.1 also bears on a lawyer’s duties regarding technology insofar as duties aided or supported by technology are performed by someone other than the attorney. This responsibility extends to immediate as well as remote support staff, with ABA Model Rule 5.1 requiring that “[l]awyers must also supervise the work of others to ensure it is completed in a competent manner.”[104] This attempt at establishing “the principle of supervisory responsibility without introducing a vicarious liability concept”[105] has led to considerations regarding inexperience generally,[106] but the implications for technological applications should be clear—an associate or other paralegal professional is much more likely to use technology to support legal work[107] than she is to make a representation before a court or like body.

[51]     ABA Model Rule 5.3 also sets forth responsibilities of partners and supervising attorneys to non-lawyer assistants. This set of ethical considerations further reinforces the responsibilities attorneys have to apply sufficient care in their practice when outsourcing supporting legal work to inexperienced non-professionals, and to ensure that confidentiality is maintained with outsourcing staff.[108] This is not just a matter of supervising specific tasks. It also contemplates knowing which tasks are appropriate for delegation, both within the firm and to third-party vendors. For example, if a delegate of the attorney uses technology to begin an engagement, it’s possible that such an arrangement could be viewed as “establish[ing] the attorney-client relationship,” which may be prohibited under ABA Model Rule 5.5.[109]

3.  Duty of Confidentiality (Model Rule 1.6)

[52]     ABA Model Rule 1.6 states that it is critical that lawyers do not reveal confidential or privileged client information.[110] When information was kept in an attorney’s head, or perhaps committed to a sheet of paper, historical precedent on how to comply with this duty may have been helpful. In the “world of tomorrow,”[111] looking to the past for answers makes little sense, especially in those instances where the attorney is unclear as to how information is stored, accessed, maintained, or utilized.

[53]     Model Rule 1.6 also considers a duty of confidentiality that resides at the core of every attorney’s role and serves as one of the attorney’s most important ethical responsibilities. Model Rule 1.6 generally defines the duty of confidentiality as follows: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted [elsewhere].”[112]

[54]     This rule is broad. It encompasses any client information, confidential or privileged, shared or accessible to the attorney and is not limited to just confidential communications. Further, it may only be relinquished under the most onerous of circumstances.[113] A lawyer shall not, therefore, reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted elsewhere in the rules.

[55]     In 2000, the Advisory Committee looked into its crystal ball and considered ESI on various platforms, in different repositories, in various forms. It then added Comment 18 to Rule 1.6, requiring reasonable precautions to safeguard and preserve confidential information. Comment 18 states that, “[A] lawyer [must] act competently to safeguard information relating to the representation of a client against … inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”[114] Indeed, “[p]artners and supervising attorneys are required to take reasonable actions to ensure that those under their supervision comply with these requirements.”[115]

[56]     In addition to the ABA’s commentary, state and local professional organizations have issued guidance as well. In establishing a specific roadmap for lawyers to attain the skills necessary to meet their ethical obligations with respect to relevant technology in the practice of law, and returning to the California Bar’s Formal Opinion 2015-193, there is a sort of checklist that may assist lawyers in meeting their ethical obligations to develop and maintain core E-Discovery competence in the following areas:[116]

  • Initially assessing E-Discovery needs and issues, if any;
  • Implementing or causing (the client) to implement appropriate ESI preservation procedures, (“such as circulating litigation holds or suspending auto-delete programs”);[117]
  • Analyzing and understanding the client’s ESI systems and storage;
  • Advising the client on available options for collection and preservation of ESI;
  • Identifying custodians of potentially relevant ESI;
  • Engaging in competent and meaningful meet and confers with opposing counsel concerning an E-Discovery plan;
  • Performing data searches;
  • Collecting responsive ESI in a manner that preserves the integrity of the ESI; and
  • Producing responsive, non-privileged ESI in a recognized and appropriate manner.

[57]     But this technological competence inherent in the Duty of Competence represents only one third of the ethical duties that govern an attorney’s interaction with technology. This ESI and litigation skills checklist does not address “the scope of an attorney’s duty of competence relating to obtaining an opposing party’s ESI;”[118] nor does it consider the skills required of non-litigation attorneys, which must be inferred from the rule.

[58]     In addition, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179 states that “[a]n attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representations does not subject confidential client information to an undue risk of unauthorized disclosure.”[119]

[59]     In reference to the duty of confidentiality, the New York County Lawyer’s Association’s Committee on Professional Ethics examined shared computer services amongst practitioners in Opinion 733, noting that an “attorney must diligently preserve the client’s confidences, whether reduced to digital format, paper, or otherwise. The same considerations would also apply to electronic mail and websites to the extent they would be used as vehicles for communications with the attorney’s clients.”[120] The New York State Bar’s Committee on Professional Ethics Opinion 842 further stated that, when “a lawyer is on notice that the [client’s] information…is of ‘an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer’s control,…the lawyer must select a more secure means of communication than unencrypted Internet e-mail.’”[121] 

4.  Communications (Model Rule 1.4)

[60]     ABA Model Rule 1.4 on Communications also applies to the attorney’s use of technology and requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology.[122]

[61]     In construing all of these Model Rules and comments, it is clear that attorneys who are not tech-must (1) understand their limitations; (2) obtain appropriate assistance; (3) be aware of the areas in which technology knowledge is essential; and (4) evolve to competently handle those challenges; or (5) retain the requisite expert assistance. This list applies equally to data security issues, such as being aware of the risks associated with cloud storage, cybersecurity threats, and other sources of potential harm to client data, and can easily be extended to include awareness and understanding with respect to domestic and foreign data privacy issues.

[62]     The ethical obligations to safeguard information require reasonable security, not absolute security. Accordingly, under such rules and related guidance from the Proposal from the ABA Commission on Ethics 20/20,[123] the factors to be considered in determining the reasonableness of the lawyers’ efforts with respect to security include:

(1) The sensitivity of the information;

(2) The likelihood of disclosure if additional safeguards are not employed;

(3) The cost of employing additional safeguards;

(4) The difficulty of implementing the safeguards; and

(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent the client.[124]

As New Jersey Ethics Opinion 701 states, “[r]easonable care however does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible.”[125]

B.  Ethics and Social Media

[63]     When considering their ethical duties with respect to technology, lawyers today must confront a host of challenges that would have been almost unimaginable even ten years ago. The rise and proliferation of social media as a daily part of most people’s personal and professional lives has created one such challenge.[126] Numerous courts have addressed—and continue to address—attorney duties with respect to social media in the context of spoliation motions when social media evidence has been lost, destroyed, or obfuscated due to negligence, or in accordance with attorney advice.[127] In addition, given the novelty and complexity of the issues, and in the interest of consistency, state bar associations have begun to address issues associated with attorney use of, counseling on, and preservation of social media.

[64]     The Association of the Bar of the City of New York’s Committee on Professional and Judicial Ethics, in Formal Opinion 2010-2, provided some helpful guidelines on attorney access to social media, stating that “[a] lawyer may not use deception to access information from a social networking webpage,” either directly or through an agent.[128] While focused on behaviors that attorneys and their agents should not undertake when developing a case, the opinion does note that the “potential availability of helpful evidence on these internet-based sources makes them an attractive new weapon in a lawyer’s arsenal of formal and informal discovery devices,” and also offers up “the Court of Appeals’ oft-cited policy in favor of informal discovery.”[129] Simply put, the duty is twofold: an attorney must both be aware of social media and know how to use social media to provide effective representation.

 2.  State Bar Association Guidance

[65]     State bar associations are becoming increasingly involved in providing guidance on social media and its implications for the practice of law. For example, in 2014, the New York and Pennsylvania State Bar Associations and the Florida Professional Ethics Committee issued guidance on social media usage by attorneys and addressed the obligations of attorneys to understand how various platforms work, what information will be available to whom, the ethical implications of advising clients to alter or change social media accounts, and the value of ensuring adequate preservation of social media evidence.

i.  New York

[66]     The Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association provide specific guidance for the use of social media by attorneys.[130] Guideline 4, relating to the review and use of evidence from social media, is divided into four subparts, all of which provide specific and pertinent guidance to attorneys:

  • Guideline No. 4.A: Viewing a Public Portion of a Social Media Website, provides that “[a] lawyer may view the public portion of a person’s social media profile or public posts even if such person is represented by another lawyer. However, the lawyer must be aware that certain social media networks may send an automatic message to the person whose account is being viewed which identifies the person viewing the account as well as other information about such person.”[131]
  • Guideline No. 4.B: Contacting an Unrepresented Party to View a Restricted Portion of a Social Media Website, provides that “[a] lawyer may request permission to view the restricted portion of an unrepresented person’s social media website or profile. However, the lawyer must use her full name and an accurate profile, and she may not create a different or false profile to mask her identity. If the person asks for additional information from the lawyer in response to the request that seeks permission to view her social media profile, the lawyer must accurately provide the information requested by the person or withdraw her request.”[132]
  • Guideline No. C: Viewing A Represented Party’s Restricted Social Media Website, provides that “[a] lawyer shall not contact a represented person to seek to review the restricted portion of the person’s social media profile unless an express authorization has been furnished by such person.”[133]
  • Guideline No. 4.D: Lawyer’s Use of Agents to Contact a Represented Party, “as it relates to viewing a person’s social media account,” provides that “[a] lawyer shall not order or direct an agent to engage in specific conduct, or with knowledge of the specific conduct by such person, ratify it, where such conduct if engaged in by the lawyer would violate any ethics rules.”[134]

ii.  Florida

[67]     In Advisory Opinion 14-1, the Florida Bar Association’s Professional Ethics Committee confirmed that an attorney could advise a client to increase privacy settings (as so to conceal from public eye) and remove information relevant to the foreseeable proceedings from social media as long as an appropriate record was maintained—the data preserved—and no rules or substantive laws regarding preservation and/or spoliation of evidence were broken.[135]

iii. Pennsylvania

[68]     In 2014, the Pennsylvania Bar Association issued a Formal Opinion that included detailed guidance regarding an attorney’s ethical obligations with respect to the use of social media. Among other guidelines, the Opinion specifically stated that:

  • Attorneys may advise clients about the content of their Social networking websites, including the removal or addition of information;
  • Attorneys may connect with clients and former clients;
  • Attorneys may not contact a represented person through social networking websites;
  • Although attorneys may contact an unrepresented person through social networking websites, they may not use a pretextual basis for viewing otherwise private information on social networking websites; and
  • Attorneys may use information on social networking websites in a dispute.[136]

3.  ABA Model Rule 3.4

[69]     Finally, although ABA Model Rule 3.4 on Fairness to Opposing Party and Counsel does not directly address social media, the principles behind the rule apply in the social media context. The Rule provides that an attorney shall not “unlawfully obstruct another party’s access to evidence or unlawfully alter, destroy or conceal a document or other material having potential evidentiary value” nor shall the attorney “counsel or assist another person” to undertake such actions.[137]

C.  Guidance on Duties Related to Cybersecurity

[70]     As we discussed above in Section II, attorneys face a complex threat landscape when it comes to security concerns related to the protection of their clients’ data.[138] Although the scope of an attorney’s ethical obligations in this regard remains somewhat unclear, there are several sources of guidance relevant to how lawyers are expected to manage cybersecurity risks.

[71]     One such source that squarely addresses the issue is the Resolution issued by the ABA’s Cybersecurity Legal Task Force. The Resolution contains a detailed Report explaining the ABA’s position regarding the growing problem of intrusions into computer networks utilized by lawyers and law firms, and urges lawyers and law firms to review and comply with the provisions relating to the safeguarding of confidential client information.[139] As the ABA noted in its Report, defending the confidentiality of the lawyer-client relationship and preservation of privilege in communications and attorney work product are fundamental to public confidence in the legal system.[140] Attorneys are directed to (1) keep clients reasonably informed as set forth in the Model Rules of Professional Conduct, as amended in August 2012 and adopted in the jurisdictions applicable to their practice; and (2) comply with other applicable state, federal, and court rules pertaining to data privacy and cybersecurity.[141] The ABA further urges the respect and preservation of the attorney client relationship during the pendency of any actions in which a government entity aims to deter, prevent, or punish unauthorized, illegal intrusions into computer systems and networks used by lawyers and law firms.

[72]     The comment to ABA Model Rule 5.7 states, perhaps somewhat axiomatically, that when “[a] lawyer performs law-related services or controls an organization that does so, there exists the potential for ethical problems.”[142] This, combined with Model Rule 1.6’s requirement for attorneys to safeguard and protect client information, suggests further potential duties associated with cybersecurity.[143] As one author notes

Fulfillment of a law firm’s duty to maintain client confidences in today’s world of cyberattacks requires much more than legal knowledge and legal skills. It requires sophisticated computer knowledge and skills far beyond legal practice. That is why cybersecurity experts should be used to assist in any law firm’s client’s data protection efforts.[144]

Indeed, “[t]raining in security, including cybersecurity should be a part of every lawyer’s education. It is especially important for lawyers who do electronic discovery”.[145]

[73]     On a related subject, in Formal Opinion 2015-3, the New York City Bar Association issued guidance indicating that lawyers do not violate their ethical duties by reporting suspected cybercrime to law enforcement.[146] If an attorney has performed “reasonable diligence” to determine whether a prospective client is actually attempting fraud, the opinion says, then the attorney is free to report.[147] The Opinion continued, highlighting the lack of duty associated with individuals who are not actually clients, stating that an

attorney who discovers that is he the target of an Internet-based trust account scam does not have a duty of confidentiality to the individual attempting to defraud him, and is free to report the individual to law enforcement authorities, because that person does not qualify as a prospective or actual client of the attorney.[148]

V.  Conclusion

[74]     It goes without saying that we live (and work) in interesting times. Cloud technology offers convenience, flexibility, cost savings—and a host of potential security issues that existing “hard-copy world” rules aren’t fit to address. The details of top-secret corporate transactions are now hashed out on collaborative virtual platforms that may be vulnerable to damage, destruction, or unauthorized access. And the increasing ubiquity of social media makes it ever more likely that lawyers and clients alike may post information without appreciating the potential legal ramifications. New technologies have the capacity to enrich our personal lives and enhance our professional lives, but they also create complex and novel challenges for lawyers already subject to a web of ethical duties concerning competence and confidentiality.

[75]     Given the speed with which this dynamic area is changing, the issues raised in this piece may well feel dated within months of publication as the next new product or service revolutionizes another fundamental aspect of human interaction and connectivity. Nevertheless, in this article we have outlined some of the many challenges facing attorneys operating in a threat-laden high-tech landscape, taken a look at the ways in which existing and emerging ethical rules and guidelines may apply to the practice of law in the digital age, and opened a door to further conversation about all of these issues as they continue to evolve.



* Stacey Blaustein is a Senior Attorney – Corporate Litigation with the IBM Corporation.

** Melinda L. McLellan is Counsel in the New York office of Baker & Hostetler LLP.

*** James Sherer is Counsel in the New York office of Baker & Hostetler LLP.


[1] See Roger V. Skalbeck, Computing Efficiencies, Computing Proficiencies and Advanced Legal Technologies, Virginia State Bar – Research Recourses (Oct. 2001),, archived at

[2] See Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014),, archived at

[3] See, e.g., Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM),, archived at; see also Allison O. Van Laningham, Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation, FDCC Q. 327(Summer 2007),, archived at

[4] See Frank Strong, Beautiful Minds: 41 Legal Industry Predictions for 2016, LexisNexis LawBlog (Dec. 17, 2015),, archived at

[5] To further complicate matters, for attorneys and law firms practicing in the financial technology area such as payment, online lending, bitcoin and other virtual currencies, these lawyers need to be competent in “fintech”, financial technology, another outgrowth of the expertise in technology requirement. See Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM),, archived at

[6] See infra Part III (explaining that agencies such as the FDA have issued guidance in their arena- Postmarket Management of Cybersecurity in Medical Devices).

[7] Report to the House of Delegates, ABA Cybersecurity Legal Task Force Section of Sci. & Tech. Law 1,, archived at

[8] Ellen Rosen, Most Big Firms Have Had Some Hacking: Business of Law, Bloomberg (Mar. 11, 2015, 12:01 AM),, archived at

[9] See Melissa Maleske, A Soft Target for Hacks, Law Firms Must Step Up Data Security, Law360 (Sep. 23, 2015, 10:09 PM),, archived at

[10] See id.

[11] See Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg Businessweek (Mar. 19, 2015, 2:56 PM),, archived at

[12] See Rosen, supra note 8.

[13] Id.

[14] Mark Wolski, Report: Legal Industry Was Heavily Targeted with Cyber Threats in January, Bloomberg BNA (Mar. 9, 2016),, archived at

[15] See id.

[16] James Risen & Laura Poitras, Spying by N.S.A. Ally Entangled U.S. Law Firm, N.Y. Times, Feb. 15, 2014,, archived at

[17] See Rosen, supra note 8.

[18] See Hansen, supra note 11.

[19] Blake Edwards, Verizon GC: Law Firms Prime Targets for Hackers, Bloomberg BNA (Feb. 4, 2016),, archived at

[20] Strong, supra note 4.

[21] Id.

[22] Matthew Goldstein, Law Firms Are Pressed on Security for Data, N.Y. Times (Mar. 26, 2014),, archived at

[23] See N.Y. City Bar Comm. on Small Law Firms, The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations 2 (Nov. 2013),, archived at

[24] Id.

[25] Strong, supra note 4.

[26] Patrick Mohan & Steve Krause, Up in the Cloud: Ethical Issues that Arise in the Age of Cloud Computing, 8 ABI Ethics Comm. News L. 1 (Feb. 2011),, archived at

[27] Sharon D. Nelson & John W. Simek, Why Do Lawyers Resist Ethical Rules Requiring Competence with Technology?, Slaw (Mar. 27, 2015),, archived at

[28] Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014), archived at

[29] Leslie Pappas, The Security Concerns Holding Up One Firm’s Cloud Usage, Bloomberg BNA (Jan. 22, 2016),, archived at

[30] See Casey C. Sullivan, Is It Time for a Law Firm Cloud Computing Security Standard?, FindLaw (Feb. 18, 2016),, archived at

[31] See Jonathan R. Tung, Survey: Law Departments Are Warming Up to the Cloud, FindLaw (Feb. 18, 2016),, available at

[32] Strong, supra note 4.

[33] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1020 (Sept. 12, 2014),, archived at

[34] N.J. Advisory Comm. on Prof’l Ethics, Op. 701 (2006),, archived at

[35] Id.

[37] Aebra Coe, Judges Lack Faith in Attys’ E-Discovery Skills, Survey Says, Law360 (Jan. 28, 2016),, archived at

[38] Id.

[39] Bob Ambrogi, California Considers Ethical Duty to Be Competent in E-Discovery, Catalyst Blog (Feb. 27, 2015),, archived at

[40] Karin S. Jenson, Coleman W. Watson & James A. Sherer, Ethics, Technology, and Attorney Competence, The Advanced eDiscovery Inst. (Nov. 2014),, archived at

[41] See Order Amending Rules 1.0, 1.1, 1.4, 1.6, 1.17, 1.18, 4.4, 5.3, 5.5, 7.1, 7.2, and 7.3 of the Delaware Lawyers’ Rules of Professional Conduct, Del. R. Prof’l Conduct (2013),

[42] See N.C. State. Bar Rules of Prof’l Responsibility & Conduct R. 1.1 (2014),, archived at

[43] See Notice of Proposed Rulemaking, 43 Pa. Bull. 1997 (Apr. 13, 2013),, archived at

[44] Bob Ambrogi, California Finalizes Ethics Opinion Requiring Competence in E-Discovery, Catalyst Blog (Aug. 6, 2015),, archived at

[45] Id.

[46] See id.

[47] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193 (2015),, archived at

[48] Adam Kuhn, The California eDiscovery Ethics Opinion: 9 Steps to Competency, Recommind Blog (Aug. 11, 2015),, archived at

[49] Id.

[50] H. Christopher Boehning & Daniel J. Toal, E-Discovery Competence of Counsel Criticized in Sanctions Decision, New York Law Journal (Oct. 6, 2015),, archived at

[51] See generally HM Elecs., Inc. v. R.F. Techs., Inc., 2015 U.S. Dist. LEXIS 104100 (S.D. Cal. Aug. 7, 2015) (arguing the invalidity of the steps that the defendants took in order to certify discovery as true).

[52] Boehning & Toal, supra n. 50.

[53] Id.

[54] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: Core Competencies for New York Lawyers, New York Law Journal (Nov. 2, 2015),, archived at

[55] William A. Gross Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 256 F.R.D. 134, 136 (S.D.N.Y. 2009).

[56] See Ettari & Hertz-Bunzl, supra n. 54.

[57] See Ettari & Hertz-Bunzl, supra n. 54 (citing New York Rules of Professional Conduct (N.Y. Rule) 1.1.5).

[58] See Ettari & Hertz-Bunzl, supra n. 54 (citing N.Y. Rule 5.1(c)).

[59] See generally D.C. Comm. on Legal Ethics, Formal Op. 362 (2012),, archived at (discussing the permissibility of non-lawyer ownership of discovery service vendors).

[60] See generally The Sedona Conference Working Group, Best Practices Recommendations & Principles for Addressing Electronic Document Production, The Sedona Principles: Second Edition, June 2007, at 60, 61, archived at (explaining the composition and functionality of metadata).

[61] Id. at 4.

[62] Id.

[63] State v. Ratcliff, 849 N.W.2d 183, 196 (N.D. 2014).

[64] See Christian Dodd, Metadata 101 for Lawyers: A 2-Minute Primer, Law360 (Oct. 15, 2015, 4:30 PM),, archived at

[65] See Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 587 (2014).

[66]See Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§1320d to 1320d-8 (2007) [hereinafter HIPAA].

[67] See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164).

[68] See Security Standards, 68 Fed. Reg. 8333, 8334 (Feb. 20, 2003) (codified at 45 C.F.R. pts. 160, 162, 164).

[69] The health plan within an organization, such as a law firm’s employee health plan, may itself be a “covered entity” for HIPAA compliance purposes, but a firm generally is not, itself, a covered entity. See, e.g., HIPAA, supra note 66.

[70] See John V. Arnold, PRIVACY: What Lawyers Must Do to Comply with HIPAA, 50 Tenn. B.J. 16, 17 (Mar. 2014).

[71] See Lisa J. Acevedo et. al., New HIPAA Liability for Lawyers, 30 GPSolo, no. 4, 2013,, archived at

[72] See Standards for Privacy of Individually Identifiable Health Information, supra note 67; see Security Standards, supra note 68.

[73] Both the Privacy Rule and the Security Rule dictate certain terms that must be included in a BAA.

[74] See Nelson & Simek, supra note 27.

[75] See 15 U.S.C. §§ 6801–6809 (2012).

[76] See 16 C.F.R. §§ 314.2, 314.3(b).

[77] See 16 C.F.R. § 314.4(a-c).

[78] See, e.g., Cal. Civ. Code § 1798.81.5 (Deering 2009); Conn. Gen. Stat. § 42-471 (2010); Md. Code Ann., Com. Law §§ 14-3501 to 14-3503 (LexisNexis 2009); Nev. Rev. Stat. § 603A.210 (2009); Or. Rev. Stat. § 646A.622 (2009); Tex. Bus. & Com. Code Ann. §§ 72.001–72.051 (West 2009).

[79] See Cal. Civ. Code § 1798.81.5 (Deering 2009).

[80] See 201 Mass. Code Regs. 17.01–17.05 (2008).

[81] See id.

[82] See id.

[83] See Debra Cassens Weiss, Lawyers Have Duty to Stay Current on Technology’s Risks and Benefits, New Model Ethics Comment Says, ABA Journal Law News (Aug. 6, 2012, 7:46 PM), archived at

[84] See Unfrozen Caveman Lawyer, Saturday Night Live Transcripts,, archived at (“Sometimes when I get a message on my fax machine, I wonder: ‘Did little demons get inside and type it?’ I don’t know! My primitive mind can’t grasp these concepts.”) (last visited Apr. 5, 2016).

[85] See Megan Zavieh, Luddite Lawyers Are Ethical Violations Waiting to Happen, (last updated July 10, 2015),, archived at

[86] Lois D. Mermelstein, Ethics Update: Lawyers Must Keep Up with Technology Too, American Bar Association – Business Law Today, Business Law Today (Mar. 2013),, archived at

[87] See Blair Janis, How Technology Is Changing the Practice Of Law, GP Solo,, archived at (last visited Apr. 5, 2016).

[88] Kevin O’Keefe, We Need Laws Requiring Lawyers to Stay Abreast of Technology? LEXBLOG: Ethics & Blogging Law (Mar. 28, 2015),, archived at

[89] Attorney-client Privilege: Technological Changes Bring Changing Responsibilities for Attorneys and Legal Departments, Corporate Law Advisory,, archived at (last visited Apr. 5, 2016).

[90] Daniel Solove, Starting a Privacy Law Career, LinkedIn Pulse (Aug. 27, 2013),, archived at

[91] See Peter Geraghty & Sue Michmerhuizen, Think Twice Before You Call Yourself an Expert, Your ABA (Mar. 2013),, archived at .

[92] Solove, supra note 90.

[93] Alysa Pfeiffer-Austin, Four Practical Tips to Succeed in the Cybersecurity and Privacy Law Market, ABA Security Law (Dec. 9, 2015),, archived at

[94] See David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012),, archived at

[95] Model Rules of Prof’l Conduct R. 1.1 (2014).

[96] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[97] Jenson, Watson & Sherer, supra note 40, at 2.

[98] See James Podgers, You Don’t Need Perfect Tech Knowhow for Ethics’ Sake—But a Reasonable Grasp Is Essential, ABA Journal (Aug. 9, 2014),–but_a_reasonable_grasp, archived at

[99] Jenson, Watson & Sherer, supra note 40, at 2.

[100] Kelly H. Twigger, Symposium, Ethics in Technology and eDiscovery – Stuff You Know, but Aren’t Thinking About, Ark. L. Rev. (Oct. 16, 2014),, archived at

[101] Id.

[102] These states are: Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, Nebraska, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, Utah, Virginia, West Virginia, and Wyoming. See Robert Ambrogi, 20 States Have Adopted Ethical Duty of Technological Competence, Law Sites (Mar. 16, 2015),, archived at (last updated Dec. 23, 2015) (listing 20 states not including Nebraska); see also Basic Technology Competence for Lawyers, Event Details, Nebraska Bar Assoc. (Apr. 6, 2016),, archived at (“[T]he need to be aware of and have a working knowledge of technology…is ethically required of all lawyers.”).

[103] Ann M. Murphy, Is It Safe? The Need for State Ethical Rules to Keep Pace with Technological Advances, 81 Fordham L. Rev. 1651, 1659, 1665–66 (2013),, archived at

[104] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: What Every Lawyer Needs to Know, LegaltechNews (Nov. 10, 2015),, archived at (referring to Model Rule of Prof’l Conduct 5.1).

[105] American Bar Association, A Legislative History: the Development of the ABA Model Rules of Professional Conduct, 1982-2005 560 (2006).

[106] Jeffrey P. Reilly, Rule 5.1 of the Rules of Professional Conduct: What Must Corporate General Counsel Do? Association of Corporate Counsel, Baltimore Chapter FOCUS 2Q12 5–6 (2012),, archived at

[107] See Jennifer Ellis, What Technology Does a Modern US Lawyer Generally Use in Practice?, Quora (Mar. 22, 2014),, archived at

[108] See Model Rules of Prof’l Conduct R. 5.3.

[109] Frances P. Kao, No, a Paralegal Is Not a Lawyer, ABA Bus. Law Today, (Jan./Feb. 2007),, archived at

[110] See Model Rules of Prof’l Conduct R. 1.6.

[111] See Jon Snyder, 1939’s ‘World of Tomorrow’ Shaped Our Today, Wired (Apr. 29, 2010, 8:00 PM),, archived at

[112] Model Rules of Prof’l Conduct R. 1.6.

[113] See Saul Jay Singer, Speaking of Ethics: When Tarasoff Meets Rule 1.6, Washington Lawyer (May 2011),, archived at

[114] Model Rules of Prof’l Conduct R. 1.6 cmt. 18.

[115] David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012),, archived at

[116] See State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op. 2015-193] (discussing what an attorney’s ethical duties are in the handling of discovery of electronically stored information).

[117] Ettari & Hertz-Bunzl, supra note 104.

[118] Cal. Ethics Op. 2015-193, supra note 116, at fn. 7.

[119] State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2010-179, 7 (2010) (discussing whether an attorney violates the duties of confidentiality and competence she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties).

[120] N.Y. Cnty. Lawyers’ Ass’n Comm. on Prof’l Ethics, Formal Op. 733, 7 (2004) (discussing non-exclusive referrals and sharing of office space, computers, telephone lines, office expenses, and advertising with non-legal professionals).

[121] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 842 (2010) (discussing using an outside online storage provider to store client’s confidential information).

[122] Model Rules of Prof’l Conduct R. 1.4 (1983); see also 204 Pa. Code § 81.4 (1988),, archived at (incorporating ABA Model Rule 1.4 into Pennsylvania’s Model Rule 1.4).

[123]See ABA Comm. on Ethics 20/20, Introduction and Overview (Feb. 2013),, archived at

[124] Model Rules of Prof’l Conduct R. 1.6(c) cmt. 18 (1983).

[125] Opinion 701 also highlights, if inadvertently, the challenges attorneys face when trying to modify existing practices to fit new technologies. As part of the inquiry underpinning Opinion 701’s guidance, the opinion notes that “nothing in the RPCs prevents a lawyer from archiving a client’s file through use of an electronic medium such as PDF files or similar formats.” This note is nearly laughable when read in the context of current practice, as it suggests that attorneys were (or are?) concerned about whether PDF files are appropriate for retaining paper documents. N.J. Advisory Comm. on Prof’l Ethics, Formal Op. 701 (2006),, archived at

[126] See Brian M. Karpf, Florida’s Take on Telling Clients to Scrub Social Media Pages, Law 360 (Sept. 15, 2015, 4:33 PM),, archived at

[127] See id.

[128] N.Y.C. Bar Ass’n Comm. on Prof’l. Ethics, Formal Op. 2010-2 (2010),, archived at (discussing lawyers’ obtainment of information from social networking websites).

[129] Id.

[130] Mark A. Berman, Ignatius A. Grande & James M. Wicks, Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association, The New York State Bar Association (June 9, 2015),, archived at

[131] Id.

[132] Id.

[133] Id.

[134] Id.

[135] See Fla. State Bar Comm. on Prof’l Ethics, Proposed Op. 14-1 (2015),$FILE/14-01%20PAO.pdf?OpenElement, archived at

[136] Pa. Bar Ass’n. Comm. on Ethics, Formal Op. 2014-300, 2 (2014),, archived at

[137] Model Rules of Prof’l Conduct R. 3.4 (1983).

[138] See supra Part II.

[139] See ABA Cybersecurity Legal Task Force, Resolution 118, 2 (August 2013),, archived at

[140] See id. at 4.

[141] See id. at 16.

[142] Model Rules of Prof’l Conduct R. 5.7, cmt. 1 (1983).

[143] See Model Rules of Prof’l Conduct R. 1.6.

[144] Ralph C. Losey, The Importance of Cybersecurity in eDiscovery, E-Discovery Law Today (May 9, 2014), archived at

[145] Ralph C. Losey, The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part Two, e-Discovery Team (May 18, 2014),, archived at

[146] N.Y.C. Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 2015-3, 4–5 (2015),, archived at

[147] Id. at 1.

[148] Id. at 6 (emphasis added).

A Litigator's Guide to the Internet of Things

Peyton Publication Version PDFpdf_icon 


Cite as: Antigone Peyton, A Litigator’s Guide to the Internet of Things, 22 Rich. J.L. & Tech. 9 (2016), 

Antigone Peyton, Esq.*I

I. Introduction

[1]       Maybe you’ve heard about the Internet of Things (IoT). It’s the network of physical objects (or “things”) that connect to the Internet and each other and have the ability to collect and exchange data. It includes a variety of devices with sensors, vehicles, buildings, and other items that contain electronics, software, and sensors. Some IoT objects have “embedded intelligence,” which allows them to detect and react to changes in their physical state.[1] Though there is no specific definition of IoT, the concept focuses on how computers, sensors, and objects interact with each other and collect information relating to their surroundings.[2]

[2]       In 2009, the number of “things” connected to the Internet surpassed the number of people worldwide.[3] That was just the beginning of the IoT movement.[4] In fact, some industry experts estimate that there will be up to 50 billion connected devices by 2020.[5] The LinkedIn “Internet of Things Community” is 12,000 members strong, and it’s growing every day.[6] Lawyers need to understand how this explosive growth in the IoT market is going to change their practice in the courtroom.

[3]       From a litigator’s perspective, there are benefits and risks associated with IoT evidence. These connected objects, combined with big data analytics, can make cases simultaneously clearer and more complicated. The IoT movement also challenges litigators to roll up their sleeves and think creatively about how all these connected objects can tell a story. The key evidence that blows the case wide open may be right in front of your face, flying through the interweb, waiting patiently in a client’s smart phone app, or sitting on their fitness device.

[4]       For instance, and as this paper explores, IoT information can be used to track suspects’ movements at the time a crime occurred and provide evidence of an alibi. It can be used to attack the credibility of witness testimony and show how a vehicle was (or wasn’t) functioning properly when an accident occurred. As with all evidence we might use in the courtroom, lawyers, juries, and judges need to understand how IoT data should be interpreted and its limitations.

[5]       Lawyers also need to talk with clients about the smart objects they interact with and which objects might have information that is potentially relevant to litigation. The data those objects collect might reflect a client’s physical injury and diminished capacity, indicate the physiological response to a sexual harassment incident, or provide evidence of a former employee’s unauthorized access to company systems to steal data. Consider the narrative that can be created once you obtain the right IoT data from a client or opponent. You can’t consider the options, however, until you ask the right questions.

[6]       It’s time to hone your technical competence and start thinking about how IoT will forever change the way you prepare and try your case! This is the litigator’s guide to the Internet of Things.

II. The Internet of What?

[7]       The basic premise behind IoT is that everyday objects can be turned into “smart” devices that operate better, are more efficient, and communicate with their people masters and other objects. These objects are programmed to communicate via apps, text messages, browsers, and other tools. They tend to communicate using embedded sensors and wired and wireless communication protocols and systems, including Wi-Fi, Bluetooth, and a variety of specialized IoT protocols.[7]

[8]       Imagine a refrigerator that tells you when you need more milk,[8] or a home thermostat that can be adjusted remotely using an app on your mobile device and learns your behavior patterns relating to your home climate.[9] Or a networked house that connects power outlets to sounds systems, TVs, smoke detectors, security cameras, coffee pots, and the home owner through a software app.[10] These homes already exist,[11] and more are coming online everyday.

[9]       This increased connectivity includes objects outside the home. Workers and service professionals are connecting remotely and communicating with their company’s business equipment and office systems via mobile devices.[12] Consumers are buying networked cars,[13] and walking around with wearable fitness and health technologies strapped to their arms and embedded in their clothes that track their vitals and activity levels.[14] Bikers are using apps and devices to track their workouts and film their surroundings.[15] Google Glass wearers are creating and recording information as they travel and they are communicating with the Internet using voice commands.[16] All of these connected technologies create interesting information about their users and have some level of situational awareness.

III. The Connected State 

A. Connected Toys

[10]     There are a surprising number of everyday objects found in homes that are recording information and transmitting it offsite. One creepy example of the IoT revolution is Mattel’s talking Barbie.[17] Mattel’s connected Barbie can talk with your child through an embedded microphone and a Wi-Fi connection that’s engaged when you hold down a button on her belt.[18] When someone talks to “Hello Barbie,” the conversation is recorded and sent to a server back at the company that makes the voice recognition technology powering Barbie.[19] There, speech recognition software (think of a Barbie version of Siri) interprets the child’s statements and sends back a pre-programmed response.[20] That’s right, the doll talks back to the child. Mattel’s partner, ToyTalk, stores all of the children’s conversations and the conversations of others who interact with the doll.[21]

[11]     Whether ToyTalk is controlling the object or its behaviors or listening to the people or other objects that its products interact with, these activities are important to lawyers investigating potential sources of relevant evidence in the litigation context. Perhaps a lawyer might send a subpoena to ToyTalk seeking the audio records from its client’s Hello Barbie doll for use in a domestic abuse case. And Hello Barbie is not an outlier—there are a number of connected toys popping up on store shelves. It’s rarely, if ever, explained to the consumer where the conversations these toys record and transmit are being stored, how that information is being used by the manufacturer or a partner company, and how it might be collected for use in litigation.

[12]     Some enterprising companies, including several rent-to-own companies that ran into a bit of trouble with the FTC, put spyware (called Detective Mode) on their rental laptops that would turn on the built-in-cameras if the customer failed to make timely payments.[22] The spyware could also track the user’s location, disable the computers, and add a fake software registration popup window that would take a user’s registration information and transmit it back to the rental store, who would use it to track the renters to collect money.[23] Detective Mode also gathers data about whoever is using the computer, and transmits it to the software manufacturer every two minutes, who then sends the data to the rent-to-own store.[24] Since the software collected private data including user names and passwords for e-mail accounts, social media websites, financial institutions, Social Security numbers, medical records, private e-mails, bank and credit card statements, along with webcam pictures of children, partially undressed individuals, and intimate activities at home, the FTC put a stop to the practice.[25] While these rental laptops are not considered an IoT object, similar spyware can be loaded on any object with a chip that includes a camera and access to the Internet and used to collect massively sensitive information.

B. Wearable IoT Devices 

[13]     Wearable IoT devices include a wide range of medical devices and health and fitness products, including casual wearable fitness devices (like the Apple watch) and connected pacemakers and insulin pumps.[26] Wearable fitness devices, including smart watches and smart clothes, now monitor geolocation as well as heart rate, pulse, calorie consumption, sleep patterns, and other biological data.[27] Most wearable devices monitor very sensitive personal and health data. The devices constantly store data that users unconsciously create while going about their day. Wearables also transmit that data to the manufacturer and other entities for analysis and to share the information with the user so they can track their health and fitness over time.[28] Without a doubt, this data can be used in a court of law.

[14]     The information wearable fitness and health devices collect can be highly relevant in determining, for example, where an individual was at a particular time and whether they have been “disabled” or injured as a result of a particular accident. A personal injury lawyer might be interested in the data collected from their client’s wearable fitness device. For instance, the data obtained from a Fitbit device[29] has been used as evidence of an individual’s diminished physical activity resulting from a work-related injury in a Canadian personal injury case.[30] The plaintiff used her Fitbit data to show that her post-injury activity levels were lower than the baseline for someone of the same age and profession to prove she deserved compensation for the injury.[31] With the help of a startup analytic company that aggregates Fitbit data and prepares analytical reports, her lawyers contrasted her personal data with the general population’s health and wellness data (from other Fitbit devices) to make their case.[32]

[15]     Prosecutors and defense counsel seeking incriminating or exculpatory evidence can also use wearable device data. In a case alleging rape in Pennsylvania, the Fitbit data contradicted the statements of the alleged victim by showing that at the time of the crime, she was awake and walking around, even though she claimed she was attacked while asleep.[33] She now faces misdemeanor charges because the Fitbit data contradicted her story.[34]

[16]     Some wearables, like Google Glass, transmit location information, take photos and videos, and perform web searches. Imagine if a person who witnesses a crime while wearing this device took pictures of the perpetrator and the scene after the crime occurred.[35] Unlike surveillance technology, humans tend to look at something interesting or important. Technology like Google Glass might help them record valuable eye-witness evidence. The device may contain evidence like photos and geolocation information, along with time stamps, that police may use to investigate and prosecute crimes and civil litigants may use to pursue their cases.

[17]     However, there are downsides to a person’s voluntary collection of sensitive health information using a wearable device. Insurers and employers seeking to deny injury and disability claims can just as easily use wearable devices to support their own litigation claims and positions. It is generally seen as illegal for employers and insurers to force people to use the wearable devices.[36] But if individuals decide to collect this information on their own, device manufacturers or companies that store or report wearable device data might receive a subpoena for it, assuming the consumers don’t have it.

[18]     The fact that wearable device data may have evidentiary value should come as no surprise, given the fact that evidence from other self-tracking devices has already been used in court. Courts already use data from GPS devices and biking apps in cases involving bike accidents.[37] Police routinely use surveillance technology like Automatic License Plate Readers (ALPR) mounted on police cars, or on objects like road signs and bridges, to photograph thousands of plates per minute and track motorist movements.[38] Private companies also collect license plate photos and geotagged images and sell that data to law enforcement, insurers, and financial institutions.[39] They consider this analogous to taking photographs in public and disseminating the information, an activity protected by the First Amendment.[40] This is one part of a larger trend toward surveillance of private citizens’ activities. While this type of surveillance usually occurs without consent, wearable tracking is voluntary.

[19]     One issue raised by wearable evidence involves the reliability of the data and the analyses performed on it. The software that analyzes wearable data interprets the wearer’s daily activities and compares that data to predetermined baselines and standards set by the manufacturer. For example, Fitbit monitors sleep patterns, decides how many hours a user sleeps, and determines the quality and efficiency of that sleep.[41] The wearer is compared to the “average” sleeper (as determined by the manufacturer’s algorithm).[42] That information might be useful for an employer defending itself against a worker’s compensation claim, particularly if the sleep analysis reveals that the worker was considered “sleep deprived” by the data analysis at the time of the accident. So regardless of her personal optimal sleep duration or the outside forces that might have impacted her sleep the night before the accident occurred, she would be categorized and measured against a population baseline.

[20]     Other wearable devices collect different data, function differently, and use different algorithms and standards to analyze data and report trends and health information in comparison to the general population.[43] All of this means that before wearable evidence is used in a case, you need to understand what it means and the limitations inherent in the analysis of that data. This information should be clearly explained to the fact finder by someone who knows the IoT device that collected the data and the analytic method or methods it uses to interpret that data. Perhaps the IoT revolution will give rise to a whole new class of “experts” who interpret wearables data and the analytics engines in a courtroom setting.

C. Connected Cars

[21]     Another category of IoT technology relates to connected transportation. Today, many cars have sophisticated software that connect the user to many remotely managed features including real-time navigation, mapped points-of-interest, dash-based Internet search, streaming music, and mobile device app connectivity.[44] IoT implicates a wide variety of technologies involved with running and monitoring connected cars, including connected control systems, Event Data Recorders (EDRs), and other vehicle telematics.[45] Vehicle control software may use proximity sensors to identify collision risks and automatically engage the brake, survey blind spots and report objects, and park a vehicle without driver assistance. Automakers are turning vehicles into smartphones using connection technology that controls the entertainment and navigation systems, enables phone calls, and provides a Wi-Fi hotspot. Further, a number of well-know tech companies are currently testing driverless cars and intend to offer self-driving cars in the near future.[46] These cars will be connected to the Internet and they will transmit all kinds of data relating to the vehicle and its passengers’ activities.

[22]     Particularly in light of the Volkswagen emissions scandal,[47] the connected control systems on vehicles are of great interest to the public and regulatory bodies. Additionally, an insurance carrier might seek records reflecting the information an auto manufacturer collects through a connection with an in-dash entertainment system and the data relating to car speed and breaking that resides in the vehicle control system. Was the driver checking her email while driving 70 miles an hour before she rear-ended another car? And a class action lawyer might find the data housed on EDRs useful in a class action lawsuit relating to certain safety issues involving the physical components of vehicles or the software that runs them.

[23]     Some vehicles have safety features that include automated calls in case of emergencies, and in at least one reported incident, a hit and run accident was foiled when the fleeing driver’s car called the police after impact.[48] The car synced to the driver’s phone using Bluetooth, and because the emergency call feature was enabled, it gave police the vehicle’s GPS location and opened the line so the driver could talk with the police.[49] The owner told the police that her car was not in an accident when connected, but the dents in the front of her car and her airbags told a different story when the police showed up at her house later.[50]

[24]     At least one rental car agency is already putting cameras in navigational devices installed in its fleet of cars, and the user cannot disable the camera.[51] While the agency reports that these cameras are not currently optional, they are clearly moving towards the day when customers (and the entire interior of a car) will be visible to their representatives if a service call is made using the navigational device.[52]

IV. e-Discovery of IoT Information

[25]     Lawyers and clients should prepare for IoT-related e-discovery issues. IoT objects will present many challenges in the e-Discovery context. There are limitations on wearable devices and other IoT objects and the information they collect, however, the technology is becoming more sophisticated, accessible, and shareable every day. And when information is shared among multiple objects—a watch, a smartphone and a cloud computing system—the preservation issues are complex. Also, some IoT data is ephemeral and never really stored for future use or access. The Federal Rules of Civil Procedure provide some flexible guidance for dealing with this technical revolution, and counsel against “a limiting or precise definition of electronically stored information.”[53] Yet companies that store data from IoT devices will need to develop processes for preserving, collecting, and producing it when the duty arises—whether it’s the consumer’s duty or their own.

[26]     The legal regimes that govern the capture, processing, use, and ownership of object data are important when determining whether we—or our clients—have a duty to protect data generated from IoT activities (keep it secure and confidential) or preserve and produce it in a litigation. Often, consumers will expect that their wearable device data is “off limits” and they are surprised to learn that it can be used in certain types of cases. The sooner litigators identify the important IoT data clients and their customers generate and the objects they interact with everyday, the better off everyone will be when evaluating the legal risks and obligations to secure and produce that information.

[27]     Additionally, as IoT finds its way into the courtroom, judges will be asked to analyze the complex possession, custody, and control issues encountered in the IoT context. These questions may involve an analysis of the relative cost and burden associated with owner focused or manufacturer focused production options. For example, if an owner must jailbreak her device and hire an expensive expert to collect data off her wearable device, but the manufacturer can export her data with relative ease, courts should consider such practical realities when deciding their relative obligations. Moreover, access controls, privacy restrictions, and contractual obligations play a role in determining the appropriate process for engaging in e-discovery of IoT data.

[28]     One of the practical problems relating to collection of IoT information is that device manufacturers each collect data in their own way. And the analytic platforms that collect and aggregate IoT data do the same thing. Raw data residing on IoT objects may not be preserved or collected without undertaking significant efforts at a significant cost. The manufacturers don’t build these objects with the purpose of making it easy to collect information from them directly. This makes it particularly difficult to develop standard processes for preserving, collecting, reviewing, and producing information from a wide variety of IoT objects using their APIs or built in data reporting and download features. It also makes it hard to aggregate data from different devices and standardize it to obtain big data metrics using data collected from all wearable devices of a particular class. Given these issues, the cost associated with using this type of data could be prohibitive, given the relatively lower value of a case and the damages at stake. This is a prime area in which companies and e-discovery vendors can innovate and create a strong market for flexible services and solutions involving IoT device data.

[29]     Undoubtedly, more lawsuits involving IoT data are coming, as more lawyers and litigants realize that the data is discoverable, relevant, and useful as evidence that can support their case. Litigators and clients should understand how IoT objects work, what information they collect, where it is stored, how long it is stored, and who is obliged to keep it safe. Only after we understand how the system works, can we make strategic decisions about legal risks, e-discovery options and obligations, and appropriate use of IoT data in court. It will be interesting to see how the market responds to the challenges that will arise when parties start engaging in IoT discovery.

V. IoT Object As Witness 

[30]     As wearables and other IoT objects find their way into the courtroom, litigators must figure out how we will use IoT information as “witness” evidence. Did we ever imagine that the objects gathering information about us could be used against us? Will judges and juries treat it like forensic evidence, and give it the same weight and credibility as scientific analysis or the results reported by an expert witness? Not unlike scientific researchers or forensic experts, wearable technologies collect data, interpret it, and reflect it in reports that provide information about the user activity and experience.

[31]     It will be particularly interesting to see what happens when a witness’s sensory experiences (sight, sound, taste, etc.) clash with the “experience” reported by their wearable device and how the fact finder reconciles these competing stories. For example, if a biker testifies that they were traveling down a hill towards an intersection at about 15 miles per hour, but their wearable device or Strava[54] app reports the speed down the slope at 25 (due to a complicated three-dimensional GPS reading and reporting algorithms), which “witness” will the jury credit more? Both systems for reporting experiences are fallible and fraught with errors. But if litigators prioritize IoT data-driven evidence over eyewitness statements or expert analysis, then we must ensure that the algorithms used to analyze IoT data are understood and their imperfections are disclosed. As one commentator noted, if we think of devices as partial witnesses, we must understand that they carry biases and have a worldview, based on their relationship with their environment.[55]

[32]     There is a significant risk that IoT object information, for instance, the Fitbit data and its sleep analysis,[56] would carry more evidentiary weight than the owner’s own experience and view of her sleep patterns or alertness at the time an injury occurred. As with forensics results, there is a significant risk that judges and jurors will conclude that device data doesn’t lie or have an imperfect memory. Yet there is an interpretive activity lurking behind the scene. When wearable object data is collected and interpreted by analytics companies using proprietary algorithms, counsel, judges and juries will need to understand what’s happening under the hood, whether the results reported are reliable, and what evidentiary weight they should be given. The interpretive tools used to report IoT data are often highly subjective or an imperfect fit for a number of users because of their crude analysis methods or the individual’s health status and biology. This is but one area where possibilities are far ahead of the law on witness-style testimony from things connected the Internet.

[33]     Only time will tell whether this type of IoT information is seen as objective and unbiased evidence in the courtroom. If we can’t demonstrate that IoT evidence meets the requirements for introduction of scientific or forensic evidence, then it may be excluded.[57] If introduced, it may be given too much weight in light of its significant limitations. A balanced approach is needed.

[34]     Courts will also have to figure out how the Fifth Amendment protects the right against self-incrimination when the incriminating evidence involves user data created by an IoT object. And the Sixth Amendment provides the Constitutional right to confront a witness that will provide evidence against the accused in a criminal prosecution.[58] How would a witness confront her wearable device or the companies that think they know the best way to interpret the data it collects? This raises fundamental philosophical questions regarding the witness who must be available for “confrontation.” Is it you, your device, the manufacturer, the service provider that collects and analyzes your data, or the company that provides the algorithms used to interpret it? The case law is going to be messy and inconsistent as courts start considering the obstacles presented by use of IoT evidence in the courtroom and sorting the Constitutional issues out.

[35]     Additionally, as more IoT objects are used in litigations, people’s relationships with their wearables are likely to change. How will they react after learning that the connected IoT objects they interact with can be used as an involuntary informant? Perhaps the day is coming when eyewitness testimony will become almost irrelevant and will be replaced by the information our objects provide about our location, health, conscious state, and activities at any given time. But while IoT can reveal truths, those truths must be understood in context, in all their fallible or limited glory.

VI. Litigating in an IoT World

[36]     Some have called IoT a third major revolution—one built on the industrial revolution and the Internet revolution.[59] Lawyers and their clients are becoming more reliant on IoT to manage, monitor, and control their objects, interact, and work on the substantive aspects of their job. Regardless of the source, the information that IoT objects collect and share provide litigators rich new evidence stores that should be explored to find interesting information that impacts their case.

[37]     A tech-savvy lawyer knows how to get the right evidence in the right format from her client or opponent. The fact that IoT raises a number of novel and interesting legal issues and practical complexities means that tech-savvy lawyers, with a good grasp of the basic issues, will be well positioned to provide thoughtful and constructive advice. This guidebook provides some basic information regarding IoT technologies, legal issues, and practical concerns that should be considered. But it needs to be applied to the real world, for each client and case, and in the context of each connected collection of objects, companies, and people. The IoT movement is your opportunity to continue your self-education journey, and learn more about the implications of IoT on lawyering in the Information Age.



* Antigone Peyton is the founder and CEO of Cloudigy Law PLLC, an intellectual property and technology law firm located in McLean, Virginia. Antigone is an unabashed technophile focused on intellectual property litigation and cutting-edge legal and emerging technology issues, particularly those involving social media, patents, trademarks, copyrights, and trade secrets. Antigone is a frequent speaker and writer covering technological competence, IP, social media, and e-Discovery issues. You can find her on Twitter (@antigonepeyton) or on SnapChat (assuming you know what it is and how to use it).

[1] See Embedded Intelligence – Connecting Billions of Smart Sensors Into the Internet of Things, ARM Holdings,, archived at (last visited Mar. 23, 2016).

[2] The “things” or “objects” in the IoT generally do not include desktop or laptop computers, smartphones, and tablets.

[3] See Dave Evans, Cisco Internet Bus. Solutions Grp., The Internet of Things: How the Next Evolution of the Internet Is Changing Everything 3 (2011),, archived at

[4] See Accenture, The Internet of Things: The Future of Consumer Adoption (2014),, archived at

[5] See Evans, supra note 3, at 3. IDC’s Digital Universe study reports that by 2020, there will be 200 to 300 billion connected IoT objects. See The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, EMC2 (Apr. 2014),, archived at; see also Data Set to Grow 10-fold By 2020 As Internet of Things Takes Off, (Apr. 9, 2014, 1:00 PM),, archived at

[6] See Internet of Things Community, LinkedIn,, archived at (last visited Mar. 23, 2016).

[7] Current IoT products are communicating through a variety of communication platforms and standards, including new home automation standards produced by Google (Brillo/Weave) and Apple (HomeKit) that connect each company’s devices in a proprietary communication network.

[8] See Michael Gowan, LG Smart Fridge Spots Spoiled Food, Orders Groceries,,, archived at (last updated Jan. 4, 2013, 12:46 PM) (explaining how LG’s smart refrigerator connects to the Internet, allowing users to remotely access the refrigerator content list, keep track of their grocery list, and identify out-of-date products stored in it).

[9] See Bernard Marr, Google’s Nest: Big Data And The Internet of Things In The Connected Home, Forbes (Aug. 5, 2015, 10:52 AM),, archived at (discussing the Nest thermostat and the usage data uploaded from individual devices via the Internet, which allows Nest to understand energy usage trends across community microcosms and around the world).

[10] See, e.g., A Smart Home Solution That Lives in the Cloud, Comcast,, archived at (last visited Mar. 23, 2016) (describing the Xfinity Home technology, which allows users to monitor and control security cameras, smoke detectors, thermostats, lights, and motion sensors through web browsers or Internet connected devices); see also Marr, supra note 9 (discussing how Google is building infrastructure for smart homes of the future that are fully networked by its own devices).

[11] See Daniel H. Wilson, Smart House: Your So-Called Sci-Fi Life, Popular Mechanics (Sept. 30, 2009),, archived at

[12] See Angela Moscaritolo, Your Printer Can Now Order Ink for You, Thanks to Amazon, (Jan. 19, 2016, 11:35 AM),,2817,2498102,00.asp, archived at

[13] See Brendan O’Brien, The Cloud-Connected Car Drives IoT Monetization, TechCrunch (Oct. 20, 2015),, archived at

[14] See James Stables, Best Fitness Trackers 2016: Jawbone, Misfit, Fitbit, Garmin and More, Wareable (Mar. 7, 2016),, archived at

[15] See Elisha Hartwig, 5 Apps to Map Your Bike Route, Mashable (Sept. 11, 2013),, archived at

[16] See Matt Swider, Google Glass Review, TechRadar (Feb. 20, 2015),, archived at

[17] See Lee Moran, Mattel Unveils Talking Hello Barbie Doll, Which Will Have Conversations with Kids, N.Y. Daily News,, archived at (last updated Feb. 18, 2015, 8:18 AM).

[18] See James Vlahos, Barbie Wants to Get to Know Your Child, N.Y. Times Mag. (Sept. 16, 2015),, archived at

[19] See Ashlee Kieler, Mattel Unveils Hello Barbie, a Doll That Can Hold a Conversation, Consumerist (Feb. 17, 2015),, archived at

[20] See id.

[21] Mattel and ToyTalk responded to these concerns by confirming that the recorded conversations will not be used to advertise or market products to children, further nothing that parental consent is required to set up a Hello Barbie account. Also, interestingly, parents can listen to their child’s recorded conversations and delete all recorded conversations. Additionally, ToyTalk states that it will only use the recordings to improve its speech recognition technology. See Privacy Policy, ToyTalk,, archived at (last updated Jan. 11, 2016). Mattel does seem to obtain data that it can use to market other products, and it does so with a parent’s consent when they use Mattel’s websites and apps. See Mattel Online Privacy Statement and Children’s Privacy Statement, Mattel,, archived at (last updated Apr. 9, 2014).

[22] See Press Release, Fed. Trade Comm., FTC Halts Computer Spying (Sept. 25, 2012),, archived at; see also David Kravets, Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says, Wired (Sept. 25, 2012, 6:11 PM),, archived at

[23] See Kravets, supra note 22.

[24] See Complaint at 3–4, FTC v. Designerware, LLC., Kelly, & Koller (2012),, archived at

[25] See id.; see also Kravets, supra note 22.

[26] See Accenture, supra note 4, at 3–4 (noting some reports indicate that over 28% of consumers will own wearable IoT technology by the end of 2016).

[27] See, e.g., Fitbit App, Fitbit,, archived at (last visited Mar. 23, 2016).

[28] See Murray Grigo-McMahon, My Data, Your Data, Our Data, Qlik (July 6, 2015),, archived at

[29] Fitbit is an extremely popular wearable fitness tracker.

[30] See Kate Crawford, When Fitbit is the Expert Witness, The Atlantic (Nov. 19, 2014),, archived at

[31] See id.

[32] See id.

[33] See Brett Hambright, Woman Staged ‘Rape’ Scene with Knife, Vodka, Called 9-1-1, Police Say, Lancaster Online (June 19, 2015, 2:57 PM),–/article_9295bdbe-167c-11e5-b6eb-07d1288cc937.html, archived at

[34] See Kashmir Hill, Fitbit Data Just Undermined a Woman’s Rape Claim, Fusion (June 29, 2015),, archived at

[35] See Kashmir Hill, Google Glass Will Be Incredible for the Courtroom, Forbes (Mar. 15, 2013, 5:02 PM),, archived at

[36] See Adam Satariano, Wear This Device So the Boss Knows You’re Losing Weight, Bloomberg (Aug. 21, 2014, 1:26 PM),, archived at

[37] See Patrick Brady, Prosecution Rest in LA Road Rage Rase. Defense Will Call Witnesses Monday, VeloNews (last updated Nov. 3, 2009, 7:00 PM),, archived at

[38] See Conor Friedersdorf, An Unprecedented Threat to Privacy, The Atlantic (Jan. 27, 2016),, archived at (discussing how one private company has taken approximately 2.2 billion license-plate photos to date, and each month it captures and permanently stores nearly 80 million more geotagged images).

[39] See id.

[40] See David Sirota, Companies Test Their First Amendment Right to Track you, Or. Live,, archived at (last updated Mar. 8, 2014, 7:10 AM).

[41] See What Should I Know About Sleep Tracking?, Fitbit,, archived at (last updated Mar. 7, 2016).

[42] See id.

[43] The wearable fitness device market includes Nike Fuelband, Fitbit, Withings Pulse, and Jawbone Up, among others. A number of companies have also developed fitness apps that interact with these wearable devices and collect the user data they create. Fitbit lists over 30 apps that are compatible with the Fitbit device. See Compatible Apps, Fitbit,, archived at (last visited Mar. 25, 2016).

[44] See, e.g., Cisco Connected Transportation,, archived at (last visited March 25, 2016).

[45] An EDR is “a device or function in a vehicle that records the vehicle’s dynamic time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event . . . intended for retrieval after the crash event.” 49 C.F.R. § 563.5 (2015). Telematics refers to data collection transmission, and processing technologies for use in vehicles.

[46] See Alice Truong, Tesla Just Transformed the Model S into a Nearly Driverless Car, Quartz (Oct. 14, 2015),, archived at; Cadie Thompson, There’s One Big Difference Between Google and Tesla’s Self-driving Car Technology, Tech Insider (Dec. 5, 2015, 12:00 PM),, archived at; Feann Torr, Next-gen Audi A8 Drives Better Than You, Motoring (Oct. 22, 2014),, archived at; Tom Risen, Report: Uber, Lyft Poised to Win on Driverless Cars, U.S. News & World Rep. (Nov. 13, 2015, 4:05 PM),, archived at

[47] See Russell Hotten, Volkswagen: The Scandal Explained, BBC News (Dec. 10, 2015),, archived at

[48] See Kashmir Hill, Florida Woman’s Car Calls Police After She Flees the Scene of an Accident, Fusion (Dec. 7 2015, 11:46 AM),, archived at

[49] See id.

[50] See id.

[51] See Kashmir Hill, Hertz Puts Cameras in Its Rental Cars, Says It Has No Plans to Use Them, Fusion (Mar. 13, 2015, 1:46 PM),, archived at

[52] See id.

[53] Fed. R. Civ. Pro. 34, advisory committee’s note on 2006 amendments.

[54] Strava is a running and cycling GPS tracker. See generally Strava,, archived at (last visited Mar. 21, 2016).

[55] See Crawford, supra note 30.

[56] See What Should I Know About Sleep Tracking?, supra note 41.

[57] See Fed. R. Evid. 702.

[58] See U.S. Const. amend. VI.

[59] See Harish Nivas, How Internet of Things is the Next Big Industrial Revolution, IOTWorm (Jan. 23, 2016),, archived at

"Connected" Discovery: What the Ubiquity of Digital Evidence Means for Lawyers and Litigation

Gottehrer Publication Version PDFpdf_icon 


Cite as: Gail Gottehrer, “Connected” Discovery: What the Ubiquity of Digital Evidence Means for Lawyers and Litigation, 22 Rich. J.L. & Tech. 8 (2016),

Gail Gottehrer

I. Introduction

[1]       More than ten years ago, the Zubulake case[1] raised awareness of the importance of digital evidence in litigation. At that time, for many lawyers, the discovery process consisted of collecting paper documents, manually reviewing those paper documents, and responding to document requests by producing paper documents. Digital evidence existed, but was more limited in scope and volume than it is today. Back then it was often overlooked or not recognized as a potential source of valuable evidence to be obtained in discovery.

[2]       In the post-Zubulake era, the ways in which companies and individuals create and maintain information have changed dramatically. Many types of documents that were traditionally created on paper and stored in hard-copy now never exist on paper. Instead, they are created on computers or other digital devices and stored in e-mail archives, on backup tapes, or in the cloud. Business and personal communications that once took place via letters and faxes are now transmitted through e-mails and text messages. Microsoft Excel files replaced handwritten accounting ledgers. Medical records are routinely created and stored electronically, making the paper medical file a thing of the past. Carbon copy secretarial message books with tear-away message slips are replaced by programs that transcribe voicemail messages and deliver them to the recipient by e-mail. Designs are created and maintained in CAD files rather than drawn on paper. Many businesses advertise primarily, if not exclusively, on social media and the Internet and little, if at all, through paper mailings. Employees traded in paper calendars and address books for electronic schedulers, using programs and applications that reside on their computers and mobile phones.

[3]       The prevalence of digital information, and the corresponding decline in the use of paper for the creation and storage of information, profoundly affected litigation, including discovery and trials. The “documents” and information that are requested and produced in discovery are overwhelmingly electronic documents and data. Electronically created and stored information is being used in depositions, to support motions, and at hearings and trials. Given the ways in which technology transforms how people communicate and do business, the “smoking gun” in a case—to the extent one exists—is more likely to be an e-mail, text message or social media post than a tangible document. Knowing how potential sources of digital evidence are created and stored, how to obtain that data in discovery, and how to maximize the value of that information during depositions and at trial are now critical components of the practice of law.

[4]       Digital evidence is so significant in discovery and litigation that it should be acknowledged as being much more than a subset of discovery, often referred to as “e-Discovery.” Existing and emerging technologies provide digital evidence that can shape the outcome of a case or investigation. Digital evidence from a wide range of technologies finds its way into civil and criminal litigation in the United States and other countries, with dramatic results. Digital evidence is poised to take on an even greater role in litigation as the Internet of Things continues to grow,[2] autonomous vehicles become commonplace,[3] industrial business operations incorporate drones,[4] and blockchain revolutionizes banking.[5]

[5]       This article discusses some of the reported cases in which digital evidence was the subject of motion practice, was introduced at trial, and was a determining factor in a case. It is not an exhaustive look at all the cases that have been affected by digital evidence, or all the kinds of technology that generate data relevant to legal proceedings. A review of the cases in this article, however, is sufficient to dispel any doubt about the importance of digital evidence and to confirm the magnitude of its impact on the practice of law. 

II. Connected Devices

A. Telematics Devices

 [6]       Telematics devices are wireless devices, typically installed in personal vehicles or fleet vehicles. They collect data on how the vehicle is being operated, if the vehicle crashes or an airbag is deployed, and when maintenance is needed.[6] These devices transmit that data from the vehicle to an entity, such as an insurance company or a fleet owner, in real time.[7]

[7]       Telematics data led to the criminal conviction of a driver in the United Kingdom who was involved in a hit and run accident that resulted in the death of a pedestrian in 2014.[8] Police experts analyzed data from the telematics device Omar Tariq was driving at the time of the accident, which showed that he was speeding—driving more than 20 miles over the posted speed limit.[9] Confronted with that evidence, Tariq pled guilty to causing a death by dangerous driving and was sentenced to more than three years in prison.[10]

[8]       In the United States, data from a Progressive Insurance telematics device helped a Cleveland, Ohio father persuade a jury that he was not guilty of murder.[11] Michael Beard was accused of suffocating his infant daughter on May 8, 2011 at 4:45 a.m., after he finished his shift working as a nursing aide.[12] Counsel introduced data from the Snapshot telematics device in his car at trial, and showed that Beard had turned the car off in front of the child’s house “at 4:44 a.m. and turned it back on three minutes later.”[13] After deliberating for an hour, the jury found that Beard was not guilty of the crime.[14]

[9]       Important leads in another criminal matter came from data from the UConnect telematics system in a stolen Jeep Renegade.[15] That evidence, in combination with footage from a Nest home security camera in the Jeep owner’s house, led to an arrest and assisted police in identifying the other thieves.[16] When a group of teenagers broke into the house of a Baltimore man, their faces were caught on the Nest camera in the house, which led to the arrest of one of the thieves.[17] He refused to identify his accomplices, who also stole the homeowner’s Jeep.[18] When the homeowner got his Jeep back, he noticed three new device names on the Jeep’s UConnect system paired device list.[19] The homeowner matched one of the device names to an Instagram account of a teenager who appeared to match one of the individuals seen on the Nest footage.[20] The homeowner also noticed that one of the names on the Instagram account’s contacts matched one of the phones on the list on the UConnect System.[21] This digital evidence gave Baltimore police several leads in the case.[22]

[10]     On the civil side, data from a telematics device enabled a driver in the United Kingdom to successfully challenge a speeding charge by contradicting the evidence that allegedly supported it.[23] Police charged Neil Herron with driving 10 miles over the posted speed limit.[24] Herron insisted that he had not been speeding.[25] At the time of the alleged speeding incident, Herron had been conducting a trial of a telematics device in his car.[26] The data from that device enabled Herron to prove that the car had been traveling far below the speed limit, as he had claimed.[27]

B. GPS Navigation Systems

[11]     Data from a GPS device[28] introduced in a criminal non-jury trial led to the conviction of a New Jersey man for second degree murder for intentionally running over a twelve year old girl.[29] Prosecutors alleged that George Ford killed the girl to prevent her from reporting what had happened to her when he was alone with her in the hours before her death.[30] Ford contended that he had hit the girl by accident after showing her horses he had in a pasture near Binghamton.[31] The critical evidence came from a GPS device that Ford’s estranged wife placed in his vehicle when she suspected he was having an affair.[32] When she provided the GPS device to the police, the data from the device showed that Ford had not been at the pasture and had spent the hours before the girl’s death behind an abandoned farmhouse half a mile from where she was killed.[33]

[12]     Similarly, in State v. Jackson, data from a GPS device installed by police proved to be key evidence leading to the conviction of defendant William Jackson for the murder of his daughter.[34] Jackson told police that his daughter had been kidnapped on her way to school.[35] After a search of Jackson’s house and truck failed to yield any evidence, police obtained a warrant and put a GPS tracking device in his truck.[36] Data from the GPS device led police to a storage unit, an empty grave near a logging road and a new grave where the girl was buried.[37] Based largely on the GPS data connecting Jackson to the body and its burial and reburial sites, the court convicted Jackson of murder and sentenced him to fifty-five years in prison.[38] The conviction was affirmed by the Washington Supreme Court.[39]

[13]     Ironically, in the case of a Wisconsin man, the evidence used to convict him of stalking his former girlfriend was the data from the GPS device he himself had used to commit the crime.[40] Paul Seidler previously installed a GPS tracking device on his ex-girlfriend’s car that tracked the car’s location and reported it to him by cellphone or computer through the Internet.[41] Seidler used the data to follow his ex-girlfriend.[42] Prosecutors used the data to support their case against him, describing the GPS device as “the best witness.”[43]

[14]     GPS data is also used as evidence in civil cases, such as the wrongful termination action brought by a cable company employee against his former employer, Pacific Bell Telephone Company.[44] Pacific Bell terminated Blake Smith’s employment after an investigation into the theft of his work truck led the company to conclude that Smith had failed to safeguard company property and that he had lied during the investigation into the theft.[45] Smith claimed he parked the truck, took the keys out of the ignition, and locked the truck.[46] A significant factor in Pacific Bell’s determination that Smith was lying was the data obtained from the GPS technology in the truck, which revealed that the truck was idling when it was stolen.[47] In an affidavit filed in support of its motion for summary judgment, Pacific Bell explained that the GPS technology in its trucks generates a report in a Microsoft Excel spreadsheet that records various data, including the time and location of every vehicle, each time the ignition is turned on or off, the time and location of the vehicle every seven seconds, and the time and location of the vehicle every one mile it is driven.[48] The Court ultimately granted Pacific Bell’s motion for summary judgment.[49]

C. Wearables[50]

 [15]     Digital evidence from wearable fitness trackers will play a role in a pending criminal case in Pennsylvania and a pending civil case in Canada. In West Chester, Pennsylvania, police arrested defendant Jeannine Risley when data from her Fitbit showed she lied to police when she reported she was assaulted.[51] Risley told the police officers responding to her 911 call that she was sleeping until around midnight, when she awoke to find a man on top of her.[52] She alleged that the man assaulted and raped her.[53] An examination of data from the Fitbit she wore that night, however, contradicted her claims.[54] The Fitbit data showed that Risley was awake and walking around at the time she claimed she was sleeping and ultimately assaulted.[55] Risley now faces trial on three misdemeanor counts including knowingly filing a false police report.[56]

[16]     On the civil side, a Canadian law firm is planning to use Fitbit data as evidence in a personal injury case to prove the effect that a car accident had on their client.[57] The accident victim, injured years before Fitbits were available, was a personal trainer and led an active lifestyle before the accident.[58] To support the plaintiff’s claim that her activity level is impaired by the accident, her lawyers intend to run data from the Fitbit she currently wears through an analytics platform which uses publicly available research to compare a person’s activity data with that of the general population.[59] Her lawyers expect the data to show that their client’s activity levels are now below average for a woman of her age and profession, as a result of the injuries she sustained in the accident.[60]

D. Dashboard Cameras and Red Light Traffic Cameras 

[17]     Data from dashboard video cameras and government operated traffic cameras is effective in both civil and criminal cases. Evidence from an onboard video camera, in addition to cell phone records, led to an Alabama jury awarding nearly $1.3 million to a driver who was severely injured in a crash caused by a truck driver who was distracted by a work-related phone call at the time of the accident.[61] At trial, the jury saw video footage from a camera that was in the school bus with which Michael Duey collided.[62] Additional digital evidence from cell phone records from the truck driver Gregory Moore, whose negligence caused the collision, showed Moore was on a business call at the time of the accident.[63] Based on this data, the jury found Moore and his employer liable for the damages incurred by Duey.[64]

[18]     In a criminal case in California, the court convicted Carmen Goldsmith of failing to stop at a red light in an intersection, based on photos and video generated by a red light traffic camera system.[65] At trial, a police investigator testified that this computer based digital camera system records events that occur in an intersection after the traffic light turns red, and stores the information on the hard disc of a computer at the scene.[66] Technicians retrieve the data during the day via an Internet connection.[67] The system records and produces three photos and a twelve-second video.[68] The photos show the vehicle approaching the intersection before the violation, then the vehicle within the intersection turning right or going through the intersection, and finally the vehicle’s license plate.[69] The system puts a data bar on all three photos showing the date, time, location and amount of time the traffic light was red at the time of the photo.[70] In this case, the video shows the vehicle approaching the intersection and moving through it.[71] The Appellate Division of the Superior Court, the Court of Appeals, and the California Supreme Court all affirmed Goldsmith’s conviction. In response to Goldsmith’s claim that the camera evidence was not adequately authenticated, the Supreme Court explained that it frequently approved the “substantive use of photographs as essentially a ‘silent witness’ to the content of the photographs,” because to “hold otherwise would illogically limit the use of a device whose memory is without question more accurate and reliable than that of a human witness.”[72]

E. Event Data Recorders

[19]     Data from event data recorders, also known as black boxes, proves to be important evidence in criminal cases. In Commonwealth v. Zimmerman, the Massachusetts Appellate Court held that the trial judge properly admitted evidence taken from the event data recorder (EDR[73]) in the defendant’s car, which contributed to her conviction for motor vehicle homicide.[74] Michelle Zimmerman lost control of her SUV and it spun, sliding off the road, hitting a tree, and resulting in the death of the passenger in the front seat of her vehicle.[75] At the time of the accident, road conditions were poor, with both rain and snow.[76] The police accident investigator found there was probable cause to believe that “evidence of this crime would be found in the EDR.”[77] While Zimmerman claimed she was driving between 20 and 30 miles per hour, the data from the EDR in her vehicle showed that five seconds before the accident, she was driving at 58 miles per hour.[78] Zimmerman was charged with and convicted of operating her vehicle at a rate of speed that was not reasonable or prudent and criminally negligent operation of a vehicle.[79]

[20]     In Matos v. State, the Florida District Court of Appeal affirmed the conviction of Edwin Matos on two counts of vehicular manslaughter where the key issue in the case–the speed at which Matos had been driving–was established by the prosecution through data from an EDR.[80] Matos collided with another vehicle, killing two teenage girls.[81] Data from the EDR in Matos’s car showed he was driving at a 114 miles per hour (in a 30 mile per hour zone) four seconds before the crash, and 103 miles per hour within one second after the crash.[82] The defense’s expert estimated the car’s speed at only 56.91 miles per hour.[83] Data from the EDR helped the court to convict Matos.[84]

[21]     Similarly, in People v. Hopkins, data from the air bag module in the defendant’s car helped prosecutors establish “a prima facie case of depraved indifference murder” and defeat the defendant’s motion to dismiss the indictment.[85] The air bag module data showed that at the time of impact, the defendant’s vehicle was going between 65 and 70 miles per hour; that five seconds before impact, the defendant’s car was travelling at 104 miles per hour; and that three to four seconds before impact, the vehicle was going 106 miles per hour.[86] The posted speed limit in the area was 30 miles per hour.[87] The data further showed that the defendant did not apply the brakes until two and a half to three second before he crashed into the line of cars stopped at a red light.[88]

F. E-Z Pass Transponders

[22]     The E-Z Pass system, implemented in toll plazas in sixteen states, collects data used by both prosecutors and defendants in states like New Jersey. In S.S.S. v. M.A.G., a New Jersey appellate court reversed the lower court’s entry of a final restraining order in a domestic violence case and remanded the case for a new trial due to the improper exclusion of E-Z Pass evidence.[89] In this case, a woman alleged her former boyfriend picked her up at her school at Rutgers-Newark at 9 A.M., assaulted her at a Jersey City motel at 9:30 A.M., and returned her to her school at 10 A.M.[90] The defendant denied this and claimed that nothing had happened.[91] In addition to a letter from his employer stating he had been at work from 8:35 A.M. until 5 P.M., he also offered data from E-Z Pass transponder records, showing that he crossed the Bayonne Bridge in to Brooklyn at 8:16 A.M. that day.[92] The defendant argued that he could not have crossed the bridge into Brooklyn at 8:16 A.M., gotten to work at 8:35 A.M., and been in Newark at 9 A.M.[93] The appellate court found that in this he-said-she-said dispute, where no witnesses could be called or exhibits introduced, the E-Z Pass transponder evidence was critical to the defense and its exclusion on hearsay grounds was improper.[94]

[23]     In State v. McGuire, the prosecutor introduced E-Z Pass transponder data against Melanie McGuire, a New Jersey woman accused of killing her husband, cutting up his body, and disposing of it in suitcases in Virginia.[95] The prosecution introduced the evidence to support the allegation that she traveled from her home to Atlantic City in order to create false evidence showing that her husband was still alive and in the Atlantic City area.[96] McGuire had called E-Z Pass customer service trying to get them to remove two forty-five cent charges showing her traveling near Atlantic City, which she claimed were incorrect.[97] The prosecution also introduced E-Z Pass evidence from the vehicles of McGuire and her parents.[98] This data, in combination with the state’s case, suggested that on May 3, McGuire picked up her kids from day care, dropped them off with her parents, and then returned to her house to get the suitcases containing her husband’s body and travel to Delaware and Virginia to dump them.[99]

III. Social Networking Sites

[24]     Not only does the widespread use of social networking sites create new ways for individuals and businesses to communicate, but it also creates a treasure trove of relevant data for civil and criminal litigation. For example, in Reid v. Ingerman Smith LLP, Reid sued her employer and Mary Anne Sadowski for damages resulting from alleged sexual harassment by Sadowski.[100] Defendants sought production of postings and photographs from private portions of Reid’s Facebook account, arguing that since postings and photographs on the public portions of her account contradicted her claims in the lawsuit, the private portions may also contain relevant information.[101] After reviewing the public postings, the Court found them to be probative evidence of Reid’s mental and emotional state, and concluded that her private postings may also contain relevant information that reflected her emotional state.[102] The Court also found that postings by third parties about Reid’s social activities were discoverable, as they could be relevant to her claims of emotional distress and loss of enjoyment of life, and could reveal the names of potential witnesses in the case.[103] Reid was ordered to produce social media postings and photographs that “reveal[ed], refer[ed], or relate[d] to any emotion, feeling or mental state… [and] relate[d] to events that could be reasonably expected to produce a significant emotion, feeling or mental state,” including posts made by third parties that contain their observations of Reid and Reid’s responses to those posts.[104]

[25]     Similarly, in Romano v. Steelcase, Inc., the court required the plaintiff to provide the defendant with access to her Facebook and MySpace pages and accounts, as they were deemed to contain information relevant to her damages claims and to the extent of her alleged injury, including her claim for loss of enjoyment of life.[105] The plaintiff alleged that she was permanently injured as a result of the accident and could not participate in certain activities due to her injuries.[106] The defendant argued that information on the public pages of plaintiff’s Facebook and MySpace pages showed her to have an active lifestyle, and that one account contained a photo of the plaintiff smiling outside her home–even though she claimed that she was bedridden and confined to her house as a result of her injuries.[107] The contradictions between the information on the public portions of these social media sites and plaintiff’s claims in her lawsuit led the Court to find it was reasonably likely that the private portions of those sites may contain additional information relating to her activities and enjoyment of life, which were relevant and material to the defense of the case.[108]

[26]     In Held v. Ferrellgas, Inc., a recent employment discrimination and retaliation case, the Court found that data from the online job search engines that the plaintiff had used were relevant and had to be produced.[109] Defendants argued that any job searches conducted during the course of plaintiff’s employment related to his commitment to his job, his perspective on the working environment at the company, and any emotional distress he allegedly suffered.[110] Searches conducted after his employment ended, defendants contended, related to plaintiff’s alleged emotional distress, actual damages and attempts to mitigate his alleged damages.[111] The court ultimately agreed with the defendants.[112]

[27]     Being equally probative in criminal matters, postings and communications on Facebook played a role in the conviction of several men on terrorism conspiracy charges in U.S. v. Hassan.[113] The prosecution used the defendants’ Facebook postings and communications to demonstrate their violent tendencies and commitment to terrorism.[114] At trial, the prosecution’s evidence included messages posted by one defendant on Facebook promoting his radical Jihadist beliefs; another defendant’s postings on Facebook and other social media sites that demonstrated his belief in violent jihad and his willingness to further violent causes; and information showing that the second defendant had asked someone to delete the postings that related to his violent ideology.[115] The defendants were convicted of conspiracy to provide material support to terrorists and other charges.[116] Their convictions were affirmed by the Fourth Circuit Court of Appeals.[117]

IV. Text Messages and Tweets 

[28]     Digital evidence played a central role in the criminal trial of Dharun Ravi, a Rutgers college student charged with witness tampering, invasion of privacy, and bias intimidation arising from his activation of a webcam to watch his roommate’s date with a man in their dorm room.[118] The evidence of Ravi’s witness tampering included a series of text messages he sent to fellow Rutgers student Molly Wei while police interviewed her.[119] Those texts showed that Ravi tried to influence what Wei told the police about their spying on his roommate.[120] In one text message, Ravi wrote: “Did you tell them we did it on purpose? What did you tell them when they asked why we turned it on? I said we were just messing around with the camera.”[121] After the trial, where Ravi was convicted of witness tampering, one juror stated that Ravi’s texts convinced her that he had tampered with a witness.[122]

[29]     Texts and tweets were also important evidence introduced at trial in connection with the invasion of privacy and bias intimidation charges.[123] In a Tweet from Ravi to another student, he wrote: “Roommate asked for the room. I went to Molly’s room and turned on my webcam I saw him making out with a dude. Yay.”[124] In another Tweet, Ravi invited others to view video of his roommate during another date with the same man, saying “[a]nyone with iChat I dare you to video chat me between hours of 9:30 and 12. Yes it’s happening again.”[125] In an attempt to persuade the jury that he was not biased against gay people, Ravi’s attorney introduced a text Ravi sent to his roommate where Ravi wrote “I’ve known you were gay and I have no problem with it. In fact one of my closest friends is gay and I have a very open relationship.”[126] The jury found Ravi guilty on those charges as well.[127]

V. Blogs and Chat Rooms 

[30]     Litigants also rely on blog entries and chat room transcripts to support their claims in civil cases. Portions of a blog were among the evidence a father used to support his motion for a new trial in a divorce case, after a Louisiana trial court awarded domiciliary custody of his minor son to his ex-wife.[128] The father unsuccessfully relied on pages of his ex-wife’s blog to argue that she may have had a relationship with another man during the couple’s separation, despite having denied that she was in a relationship during the trial.[129] He further argued that his ex-wife’s blog entries showed she spent an excessive amount of time on the Internet rather than taking care of her child, and that she hated his parents because she accused them of cyberstalking her by reading her blogs.[130] The trial judge stated that while the Internet statements were evidence that could have been used to impeach the ex-wife’s credibility during the divorce proceeding, the statements occurred after the trial and were not made under oath, and therefore, did not provide the basis for a new trial.[131] The Court also noted that, more generally, it was not clear that the statements would be evidence that was important to the case.[132] The appellate court affirmed the trial court’s order.[133]

[31]     Conversely, other courts have found chat room transcripts to be relevant evidence. In Glazer v. Fireman’s Fund Insurance Company, the plaintiff was ordered to produce copies of all her chats from LivePerson, a website offering online advice and professional consulting services, including sessions with online psychics.[134] Glazer chatted with the online psychics on numerous occasions, and e-mailed portions of some of those online chats to her work e-mail account.[135] When she sued Fireman’s Fund for allegedly retaliating against her after “she complained about discrimination against non-African Americans and [ultimately terminating] her because of her religion,” Fireman’s Fund reviewed the excerpts of the chats and sought to obtain the transcripts of all chats in discovery.[136] Based on a review of the excerpts, the Court agreed with Fireman’s Fund that all the chats appeared to be relevant to one or more issues in the case—such as Glazer’s work performance, her relationships with her co-workers, her opinions about how she was treated during her employment at the company, her emotional state before, during, and after her employment, the steps she took to mitigate her damages, and her personal beliefs about African Americans—and allowed them to be discoverable.[137]

VI. E-mails

[32]     While there is a myriad of other digital evidence sought in building cases, perhaps the most frequently sought and used form of digital evidence is e-mail. In Arroyo v. Volvo Group North America, LLC, a military service discrimination and disability discrimination case, e-mail evidence led to the reversal of an order granting summary judgment to Volvo.[138] The Court found that e-mails sent between Volvo employees could lead a reasonable jury to conclude that Volvo had anti-military animus against Arroyo, and discriminated against her because she had post-traumatic stress disorder.[139] The Seventh Circuit Court of Appeals found that the District Court underestimated the “strength of the emails as support for Arroyo’s case.”[140]

[33]     In those e-mails, Volvo supervisors expressed frustration with Arroyo’s taking time off from work for military service, writing “are we required to give her the day before and day after for travel?” and “I find myself with a dilemma if I were to discipline a person for taking too much time off for military reserve duty․ I certainly give her credit for serving our country but of course I am also responsible for our business needs.”[141] During Arroyo’s deployment to Iraq, her supervisor sent an e-mail to Volvo’s head of labor relations complaining that Arroyo had contacted him only once since she deployed, stating that for scheduling purposes, “it would be beneficial for us to know her status.”[142] Responding to that concern, the head of labor relations wrote in another e-mail that “[u]nfortunately, there isn’t a lot we can do. Per the law we have to wait for her. Sorry it isn’t what you wanted to hear.”[143]

[34]     Internal e-mails from Volvo personnel also provided support for Arroyo’s disability discrimination claim.[144] One such e-mail showed that Volvo considered disciplining Arroyo for being absent while she was hospitalized for her post-traumatic stress disorder, even though she previously advised Volvo of her disabling condition.[145] In another e-mail, one of Arroyo’s supervisors joked about her absence, writing that there were “several rumors for [Arroyo’s] not being here,” including that “[s]he’s on vacation in Hawaii.”[146] In yet another e-mail, a Volvo employee opined that Arroyo was “really becoming a pain with all this.”[147] 

VII. Conclusion 

[35]     Digital evidence has disrupted discovery, civil and criminal litigation, and the practice of law. Advances in technology radically changed the way in which information is created, transmitted, preserved, and accessed–as well as the way in which potential litigants communicate. Technological innovation altered the types of claims that are litigated, the way in which they are litigated, and the kinds of evidence that must be used to support and undercut those claims.

[36]     There is no turning back. The days of document production consisting primarily of paper and of hard-copy trial exhibits sitting on easels in front of juries are behind us. When asked to find information about an opposing party, the initial inclination of lawyers who have recently graduated from law school and entered the practice of law will be to check social media to obtain information about that party. To investigate the allegations in a complaint, these lawyers’ first instinct will be to search the e-mails on the client’s office computer and their messages on cell phones and tablets. All lawyers must acknowledge that digital evidence plays an important role in litigation. Those who fail to understand the relevance of technology and digital evidence to the practice of law do so at their—and their clients’—peril.

[37]     The cases discussed in this Article illustrate why lawyers need to stay abreast of changes in technology and be knowledgeable about sources of data they create.[148] To competently and effectively represent their clients, lawyers need to know which digital evidence may be relevant in a particular case, what they should request from the opposing party in discovery, the proper way in which to craft those requests, how to confirm that what they received is what they requested, how to use digital evidence in depositions, as well as how to authenticate digital evidence at trial and overcome potential objections to its admissibility.

[38]     As the widespread adoption of new technology continues, and more companies, industries, and governmental entities recognize the transformative power of big data and analytics, the volume of data that will be relevant in litigation will increase exponentially. The frequency with which digital evidence will be used in litigation, in government investigations and administrative proceedings, and at civil and criminal trials will soar. It will become clear to lawyers and clients that gaining competence, if not expertise, in the use of digital evidence is not a necessary evil, but a way to enhance the litigation strategy for a case and to increase the likelihood of a successful resolution. The ubiquity of digital evidence means that litigation and data are inextricably intertwined and that mastering “connected” discovery and maximizing the value of digital evidence are critical skills for today’s lawyers.



[1] See Zubulake v. UBS Warburg, 220 F.R.D. 212, 214 (S.D.N.Y. 2003) (stating “Electronic evidence only complicates matters. As documents are increasingly maintained electronically, it has become easier to delete or tamper with evidence (both intentionally and inadvertently) and more difficult for litigants to craft policies that ensure all relevant documents are preserved. This opinion addresses both the scope of a litigant’s duty to preserve electronic documents and the consequences of a failure to preserve documents that fall within the scope of that duty.”).

[2] See Internet of Things: Privacy and Security in a Connected World Fed. Trade Comm’n i (2015),, archived at

[3] See The Driverless Cars Are Coming Sooner than You Think, Classifiedleaks, (Oct. 27, 2015, 8:04 AM),, archived at; see also Catherine Clifford, There Will Be 20 Million Self-Driving Cars on the Road by 2025, Entrepreneur (Dec. 2, 2015),, archived at

[4] See Tim Devaney, Eight Industries that Want to Fly Drones, The Hill (Oct. 25, 2014, 2:43 PM),, archived at; see also Megan Crouse, Which Industry Uses Drones Most? Manufacturing (July 31, 2014, 9:57 AM),, archived at; Sally French, Drone Delivery Is Already Here — And It Works, MarketWatch (Dec. 15, 2015, 7:32 AM),, archived at

[5] See Jack Bowling & Steve Quinlivan, Bitcoin Blockchain Technology to Revolutionize Financial Services, StarTribune (Jan. 10, 2016, 2:00 PM),, archived at; see also Dion Hinchcliffe, How Blockchain Is Likely to Transform IT and Business, ZDNet (July 31, 2015),, archived at

[6] See What is Telematics, Fleetmatics,, archived at (last visited Mar. 18, 2016); see also Brian Hughes, Why Telematics (Think: Driverless Cars) Is the Future, Entrepreneur (Dec. 18, 2015),, archived at

[7] See Telematics, Gartner,, archived at (last visited Mar. 18, 2016).

[8] See Telematics Data Helps Jail Courtesy Car Driver for Hit and Run Collision, FleetNews (Jan. 26, 2016),, archived at

[9] See id.

[10] See id.

[11]See Donna J. Miller, With Help from Snapshot Insurance Device, Parma Heights Man Is Cleared of Murdering His 7-Month-Old Daughter, (July 2, 2013, 3:30 PM),, archived at

[12] See id.

[13] See id.

[14] See id.

[15] UConnect is a multimedia infotainment system in Chrysler vehicles that integrates with smartphones, has navigation functionality and gives drivers access to physical controls that adjust features from climate control to music preferences. See Lindsay Martell, What Is Chrysler UConnect?, Autotrader (Oct. 2013),, archived at

[16] See Sean Gallagher, Opsec Fail: Baltimore Teen Car Thieves Paired Phones with Jeep UConnect, arstechnica (Feb. 11, 2016, 11:44 AM),, archived at

[17] See id.

[18] See id.

[19] See id.

[20] See id.

[21] See Gallagher, supra note 16.

[22] See id.

[23] See Telematics Successfully Used to Overturn Speeding Prosecution, FleetNews (Feb. 10, 2015),, archived at

[24] See id.

[25] See id.

[26] See id.

[27] See Driver Wins Speeding Case Through Telematics, The Driving Instructor Leicester (Oct. 5, 2015),, archived at; see also supra note 23.

[28] See What Is GPS?, Garmin,, archived at (stating Global Positioning System (GPS) devices use a “satellite-based navigation system made up of a network of [twenty-four] satellites placed into orbit by the U.S. Department of Defense,” and made available for private use. The satellites transmit signal information to GPS receivers that use the data to determine a vehicle’s location and display it on an electronic map on the device) (last visited Feb. 23, 2016).

[29] See People v. Ford, 935 N.Y.S. 2d 368, 368–69 (NY App. Div. 2011); see also Carly Rothman, N.Y. Judge Convicts Piscataway Man of Killing Baby Sitter, (Feb. 19, 2009, 7:08 PM),, archived at

[30] See id.

[31] See id.

[32] See id.

[33] See id.

[34] See State v. Jackson, 46 P.3d 257, 260 (Wash. Ct. App. 2002); see also David A. Schumann, Tracking Evidence with GPS Technology, Wisconsin Lawyer (May 2004),, archived at

[35] See id.

[36] See id.

[37] See id.

[38] See id.

[39] See Schumann, supra note 34.

[40] See id.

[41] See id.

[42] See id.

[43] Id.

[44] See Smith v. Pac. Bell Tel. Co., 649 F.Supp.2d 1073, 1076 (E.D. Ca. 2009).

[45] See id. at 1079–80.

[46] See id. at 1078.

[47] See id. at 1079–80.

[48] See id. at 1078.

[49] See Smith v. Pac. Bell Tel. Co., 649 F.Supp.2d 1073, 1101–02 (E.D. Ca. 2009).

[50] Wearable devices contain smart sensors and wirelessly connect to smartphones through a web connection. These devices collect and track data about the person who wears them, such as activity level, heart rate, calories burned and sleep patterns. They can also be used to make payments at stores and to alert the wearer about incoming calls and e-mails. Popular types of wearables include fitness trackers, smartwatches, smart glasses, smart clothing and smart jewelry. See Dan Sung, What Is Wearable Tech? Everything You Need to Know Explained, Wareable (Aug. 3, 2015),, archived at; see also The Wear, Why and How, The Economist (Mar. 14, 2015),, archived at Experts have predicted that by 2019, 173.4 million wearable devices will have been shipped worldwide. See Fueled by Growing Demand for Smart Wearables, IDC Forecasts Worldwide Wearable Shipments to Reach 173.4 Million by 2019, IDC (Sep. 14, 2015),, archived at; see also Dinah Wisenberg Brin, As Wearables Become More Popular, What Is HR’s Responsibility?, Society for Human Resource Management (Feb. 16, 2016),,%202016&MID=01516098&LN=Gottehrer&spMailingID=24737172&spUserID=ODM1OTI3NDQzOTgS1&spJobID=742677018&spReportId=NzQyNjc3MDE4S0#sthash.kFaSjKe3.dpuf, archived at

[51] A Fitbit is a fitness tracker that allows the wearer to monitor things such as the number of steps taken, distance covered and calories burned. Some versions include an altimeter, which keeps track of the amount of stairs climbed and some include sleep tracking. The Fitbit syncs to the wearer’s Fitbit account through a computer or mobile device and enables the wearer to view the activity data collected by the wearable device. See Robert J. Nelson, Everything You Need to Know About Fitbit, iMore (Jun. 12, 2014, 8:24 AM),, archived at; see also Brett Hambright, Woman Staged ‘Rape’ Scene with Knife, Vodka, Called 9-1-1, Police Say, (Jun. 19, 2015),–/article_9295bdbe-167c-11e5-b6eb-07d1288cc937.html, archived at

[52] See Hambright, supra note 51.

[53] See id. 

[54] See id.

[55] See id.

[56] See id.

[57] See Parmy Olson, Fitbit Data Now Being Used in the Courtroom, Forbes (Nov. 16, 2014, 4:10PM),, archived at

[58] See id. 

[59] See id.

[60] See id. 

[61] See Video: Distracted Driving Lawsuit Draws $1.3M Award, Automotive Fleet (Feb. 8, 2016),, archived at

[62] See id.

[63] See id.

[64] See id.

[65] See People v. Goldsmith, 203 Cal. App. 4th 1515, 1518 (Cal. App. 2d Dist. 2012).

[66] See People v. Goldsmith, 59 Cal. 4th 258, 264 (Cal. 2014).

[67] See id.

[68] See id.

[69] See id. at 264-65.

[70] See id. at 265.

[71] See People v. Goldsmith, 59 Cal. 4th 258, 265 (2014).

[72] Id. at 267.

[73] An Event Data Recorder (EDR), also known as a “black box,” is a device that is built into a vehicle’s airbag control module and records certain information from a vehicle immediately before and/or during most crashes. The data from the event data recorder’s memory can be downloaded to provide information about what happened to the vehicle, the deployment of airbags and seat belt tensioners, as well as data about the engine speed and vehicle speed prior to the crash. See Event Data Recorders, Insurance Institute for Highway Safety (Apr. 2015),, archived at (last visited Feb. 18 2016).

[74] See Commonwealth v. Zimmerman, 873 N.E.2d 1215, 1218 (2007).

[75] See id. at 1217.

[76] See id.

[77] See id.

[78] See id. at 1216, 1219.

[79] See Commonwealth v. Zimmerman, 873 N.E.2d 1215, 1217 (2007).

[80] See Matos v. State, 899 So. 2d 403, 405 (Fla. Dist. Ct. App. 2005).

[81] See id. at 405.

[82] See id.

[83] See id.

 [84] See id.

 [85] People v. Hopkins, No. 2004-0338, 2004 N.Y. Misc. LEXIS 2902, at *17.

[86] See id. at *9.

[87] See id.

[88] See id.

[89] See S.S.S. v. M.A.G., No. A-1623-09T2, 2010 N.J. Super. Unpub. LEXIS 2479, at *1 (N.J. Super. Ct. App. Div. 2010). 

[90] See id. at *3. 

[91] See id. at *4.

[92] See id.

[93] See id. at *4–5.

[94] See S.S.S., 2010 N.J. Super. Unpub. LEXIS 2479, at *8–10.

[95] See State v. McGuire, 16 A.3d 411, 419, 426 (N.J. Super. Ct. App. Div. 2011).

[96] See id. at 426.

[97] See id.

[98] See id. at 427.

[99] See id.

[100] See Reid v. Ingerman Smith LLP, No. CV-2012-0307(ILG)(MDG), 2012 U.S. Dist. LEXIS 182439, at *1 (E.D.N.Y. Dec. 27, 2012).

[101] See id. at *3.

[102] See id. at *3–4.

[103] See id. at *7.

[104] See id. at *7, 9. Using the same relevance analysis, another court similarly required the plaintiff in a race discrimination action to produce her online social media communications, including “profiles, postings, messages, status updates, wall comments, causes joined, groups joined, activity streams, applications, blog entries, photographs, or media clips, as well as third-party communications that put the plaintiff’s communications in context.” See Robinson v. Jones Lang LaSalle Americas, Inc., No. 3:12-cv-00127-PK, 2012 U.S. Dist. LEXIS 123883, at *5–6 (D. Or. Aug. 29, 2012); see also Bass v. Miss Porter’s School, No. 3:08cv1807(JBA), 2009 U.S. Dist. LEXIS 99916, at *1, *3–4 (D. Conn. Oct. 27, 2009) (finding that the defendant was entitled to receive information from the Facebook account of the plaintiff, relating to her allegation that she was teased and taunted on Facebook and through text messages, because “Facebook usage depicts a snapshot of the user’s relationships and state of mind at the time of the content’s posting” and was therefore relevant to issues of liability and damages in the case)

[105] See Romano v. Steelcase, Inc., 907 N.Y.S.2d 650, 651 (2010).

[106] See id. at 653.

[107] See id. at 654.

[108] See id.

[109] See Held v. Ferrellgas, Inc., No. 10-2393-EFM, 2011 U.S. Dist. LEXIS 120980, at *1 (D. Kan. Aug. 31, 2011).

[110] See id., at *2.

[111]See id.

[112] See id., at *3. 

[113] See United States v. Hassan, 742 F.3d 104, 117 (4th Cir. 2014).

[114] See id.

[115] See id. at 147.

[116] See id. at 141.

[117] See id. at 151. 

[118] See Collen Curry, Rutgers Trial: Dharun Ravi Sent Texts to Witness During Police Investigation, abc NEWS (Feb. 27, 2012),, archived at

[119] See id. 

[120] See id.

[121] Id.

[122] See David M. Halbfinger & Beth Kormanik, Rutgers Case Jurors Call Digital Evidence Crucial, N.Y. Times (Mar. 16, 2010),, archived at

[123] See id.

[124] Jamil Smith, ‘I Saw Him Making Out with a Dude. Yay.,MSNBC (Sept. 30, 2010, 12:10 PM),, archived at

[125] Tyler Clementi: Rutgers Suicide, CBSNEWS,, archived at (last visited Feb. 25, 2016).

[126] Amy Davidson, The Tyler Clementi Verdict, The New Yorker (Mar. 16, 2012),, archived at

[127] See id. 

[128] See Steinebach v. Steinebach, 957 So.2d 291, 299 (Ct. of App. La. 2007).

[129] See id.

[130] See id.

[131] See id.

[132] See id. at 300.

[133] See Steinebach, 957 So.2d at 300.

[134] See Glazer v. Fireman’s Fund Ins. Co., No. 11 Civ. 4374 (PGG) (FM), 2012 U.S. Dist. LEXIS 51658, at *1–4 (S.D.N.Y Apr. 4, 2012).

[135] See id. at *2.

[136] See id. at *1–2.

[137] See id. at *2–3. Instant messages (“IMs”) have been introduced at trial and have been found to be sufficient evidence to support a verdict. See, e.g., State v. Voorheis, 844 A.2d 794, 796–97 (2004) (text of instant messages between defendant and mother of minor girl that contained graphic and sexually explicit language offered substantial evidence that defendant had attempted to promote a lewd performance by a child and to incite another to commit a felony and supported his conviction on both charges).

[138] See Arroyo v. Volvo Group North America, LLC, 805 F.3d 278, 280–81, 287, 288 (7th Cir. 2015).

[139] See id. at 285, 287.

[140] Id. at 285.

[141] Id. at 281–82.

[142] Id. at 282.

[143] Arroyo v. Volvo Group North America, LLC, 805 F.3d at 282.

[144] See id. at 287.

[145] See id.

[146] Id. at 283.

[147] Id.

[148] See Model Rules of Prof’l Conduct R. 1.1, Cmt. 8 (2015) (“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”) (“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology….”); see also Robert Ambrogi, 20 States Have Adopted Ethical Duty of Technology Competence, LawSites (Mar. 16, 2015),, archived at (stating that as of October 2015, twenty states have recognized that lawyers have a duty to be technologically competent).

Preservation: Competently Navigating Between All and Nothing

Preservation: Competently Navigating Between All and Nothing pdf_icon 

Cite as: Lauren Wheeling Waller, Preservation: Competently Navigating Between All and Nothing, 22 Rich. J.L. & Tech. 7 (2016),

Lauren Wheeling Waller*

I. Introduction

 [1]       Merriam-Webster defines “competent” as “having requisite or adequate ability or qualities.”[1] All professions require competence to be successful—from chefs, to tailors, to NFL quarterbacks. Without the adequate ability to poach an egg, alter suits, or read defenses, they lose patrons, customers, or—in the case of a quarterback—games and fans. Lawyers are no different. Without competence, they may not be successful. However, lawyers are different than the NFL quarterback in that they have an explicit duty of competence to their clients. The Model Rules of Professional Conduct provide “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”[2] The comments to the Model Rules make it clear that competency also requires that lawyers “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .”[3] With this sentence, attorneys can no longer simply put up their hands and say, “it’s e-mail and text messages, I don’t know how nor do I want to handle that.”

[2]       Additionally, some State Bars implementing their own Rules of Professional Conduct have decided that attorney competence applies to handling electronically stored information (“ESI”), and at a minimum, that attorneys be able to carry out the following:

  • [I]nitially assess e-[D]iscovery needs and issues, if any;
  • [I]mplement/cause to implement appropriate ESI preservation procedures;
  • [A]nalyze and understand a client’s ESI systems and storage;
  • [A]dvise the client on available options for collection and preservation of ESI;
  • [I]dentify custodians of potentially relevant ESI;
  • [E]ngage in competent and meaningful meet and confer with opposing counsel concerning an e-[D]iscovery plan;
  • [P]erform data searches;
  • [C]ollect responsive ESI in a manner that preserves the integrity of that ESI; and
  • [P]roduce responsive non-privileged ESI in a recognized and appropriate manner.[4]

[3]       Attorneys now need to have an understanding of the components of the Electronic Discovery Reference Model[5] and the tools available to assist in each part of that process. If they do not have the requisite understanding, they need to associate with someone who does.[6]

[4]       Preservation of ESI is implicated in at least five of the competencies specifically listed in a California Rules of Professional Conduct’s Formal Opinion,[7] but preservation for some lawyers can be a scary concept. Why? For one, data never sleeps.[8] Every minute of the day, people generate data in the form of e-mails, Instagrams, Tweets, and Snapchats.[9] If you compare the data generated in 2012 to that created in 2015, not only has the amount of data increased, but also the type of data created has increased with the proliferation of new applications that create data.[10] Identifying the type of data that needs to be preserved and how it needs to be preserved can be complicated because of this ever-changing data landscape.

[5]       Additionally, preservation provokes fear in the heart of many attorneys, because failing to preserve potentially relevant evidence can have significant adverse consequences for not only the client in the lawsuit but also for the attorneys involved.[11] Attorneys, however, now have more guidance regarding the imposition of sanctions in Federal Court, as the Federal Rules of Civil Procedure were amended to clarify when a court can impose sanctions for the failure to appropriately preserve evidence, including when evidence is intentionally destroyed.[12]

[6]       Even with the amendments to the Rules, the following questions still exist for every piece of litigation:

  • When does the duty to preserve arise?
  • What must be preserved for the potential or current litigation?
  • What steps can I take to competently preserve potentially relevant information?

[7]       Is the answer to the above questions that every piece of data in your client’s possession must be preserved? No. Is the answer to preserve only e-mails a specific custodian sends to counsel on his or her own accord, without any further discussion with counsel? No. While there is no “one size fits all” answer to preservation, this article intends to guide practitioners through the preservation rubric outlined in the cases of “e-Discovery Canon,”[13] as well as recent case law and the 2015 amendments to the Federal Rules of Civil Procedure. This article also outlines questions practitioners should ask their clients and themselves in order to competently identify and preserve ESI.

II. The Duty to Preserve

[8]       The first question that a lawyer must answer is whether the duty to preserve has been triggered. Common law creates the duty to preserve evidence, and litigants owe this duty to the court, not just the opposing party.[14] Some commentators argue that the duty to preserve may be the most important duty a litigant has, in that failing to meet this duty can deprive the court of the ability to properly assess the claims of the parties before it.[15] This duty “arises not only during litigation but also extends to that period before the litigation when a party reasonably should know that the evidence may be relevant to the anticipated litigation.”[16] In the context of litigation for plaintiffs, the duty arises before the lawsuit is filed, and for defendants when the lawsuit is served, at the very latest.[17]

[9]       To be clear, though, whether a party is filing or has filed a lawsuit is not the test—it is the reasonable anticipation of litigation, in whatever form that takes. Recently, in Clear-View Technologies, Inc. v. Rasnic Magistrate Judge Paul S. Grewal (no stranger to preservation and e-Discovery issues[18]) found that a text message sent to a defendant over two years before suit was filed and eight months before any preservation notice was sent to the defendant triggered the duty to preserve.[19] Magistrate Judge Grewal stated that Plaintiff’s then-CEO “made clear in text messages to [defendants] that he was prepared to sue them for trying to interfere with” a potential business investment.[20] In his opinion, Judge Grewal noted that while the then-CEO later sent text messages apologizing for his previous texts, at no time did he take back his threat of litigation.[21] In the context of non-lawsuit triggers, courts have also found that a presentation regarding potential patent infringement claims,[22] ultimatums made to a CEO to “comply with [an] injunction” or face a lawsuit,[23] and of course, requests in writing that an individual or entity preserve evidence that may be relevant to a dispute trigger the duty to preserve.[24]

[10]     Accordingly, practitioners should not depend on the arrival of a complaint to trigger a client’s duty to preserve. While service of pleadings certainly can and does trigger the duty to preserve, once apprised of a potential dispute, practitioners should ask their clients not only about the facts of the potential dispute, but also how they communicated with the individuals involved with the potentially adverse party—in-person, telephone, e-mail, text messages, and/or any other medium of communication. As a practical matter, these queries will be easier the more you know about your client’s business and data landscape.[25] While a slip-and-fall, a failure to make a specified delivery under the terms of a contract, or a malfunction of a piece of equipment causing injury will remain clear triggers for the duty to preserve, practitioners should not overlook the wide variety of ways individuals now communicate with one another when analyzing whether and when the duty to preserve was triggered.

III. The Scope of Preservation

[11]     The duty to preserve evidence includes “an obligation to identify, locate, and maintain[] information that is relevant to specific, predictable, and identifiable litigation.[26] The duty pertains, however, only to relevant documents.[27] Relevant documents include:

[A]ny documents or tangible things . . . made by individuals “likely to have discoverable information that the disclosing party may use to support its claims or defenses.” The duty also includes documents prepared for those individuals to the extent those documents can be readily identified (e.g., from the “to” field in e-mails). The duty also extends to information that is relevant to the claims or defenses of any party, or which is “relevant to the subject matter involved in the action.” Thus, the duty to preserve extends to those employees likely to have relevant information—the “key players” in the case.[28]

The cases are clear on one point: once the duty to preserve is triggered, not every piece of data belonging to an organization must be preserved, just as every piece of paper belonging to an organization is not required to be preserved.[29] The cases outlined below demonstrate as much.

[13]     In Blue Sky Travel & Tours, LLC v. Al Tayyar, the Fourth Circuit vacated and remanded the district court’s decision to impose severe sanctions on the defendant for failing to preserve certain invoices requested by the plaintiff.[30] In this breach of contract action, the plaintiff’s damages included a claim for lost profits, and in an effort to prove those lost profit claims, the plaintiff requested that the defendant produce certain invoices.[31] When the defendant did not provide the invoices, the plaintiff moved to compel their production.[32] The court granted the motion, but the defendant still did not produce the invoices because the documents were not retained.[33] The plaintiff then moved for sanctions, and the magistrate recommended the court grant the motion and provide an adverse inference instruction.[34] The problem with this recommendation and ruling, though, was that the magistrate judge ruled that the defendant had a duty to hold “all” documents, stating:

[W]hen this litigation started, the defendants were required by law to preserve. Any document retention policy you had had to be stopped. . . . [o]nce you are put on notice that there is litigation pending, or once litigation starts, you are required . . . to stop [your] normal document retention policies and to preserve [ALL] documents because you don’t know what may or may not be relevant.[35]

[14]     The Fourth Circuit vacated and remanded the magistrate’s decision because the lower court used the incorrect standard for the duty to preserve.[36] The Fourth Circuit noted that a party may be sanctioned for spoliation if the party “(1) had a duty to preserve material evidence, . . . (2) willfully engaged in conduct resulting in the loss or destruction of that evidence, [and] (3) at a time when the party knew, or should have known, that the evidence was or could be relevant to the litigation.”[37] The Fourth Circuit reiterated that a party is not required to preserve all of its documents, only documents that the party knew or should have known were or could be relevant to the parties’ dispute.[38]

[15]     In Wandering Dago, Inc. v. N.Y. State Office of Gen. Servs., the court had to decide whether officials in one governmental agency and their attorney could be sanctioned for the destruction of e-mails, according to the terms of an e-mail retention policy, belonging to another governmental agency.[39] More to the point, the court had to determine whether a preservation obligation for one governmental agency involved in a specific litigation automatically applies to every other governmental agency not involved in the litigation.[40] The court said no, as the defendant agencies in the litigation had no control over the other governmental agencies’ e-mails.[41] Therefore, the defendant agencies had no obligation to preserve the other non-party agencies’ e-mails.[42] The court noted that to require a governmental agency in litigation to preserve and produce documents belonging to another governmental agency not a party to the litigation would “subject all [ ] agencies, the legislature, the judiciary, quasi-state agencies, and possibly public authorities to disclosure scrutiny, notwithstanding their relative remoteness to the case.”[43] The court found that “state agencies for most purposes are separate and distinct organs and should not be viewed in the aggregate.”[44] Moreover, the court noted that requiring each governmental agency “and thousands of officials to institute a litigation hold every time a party contemplates or even commences litigation against another agency would paralyze the State.”[45]

[16]     In AMC Technology, LLC v. Cisco Systems, Inc., Magistrate Judge Grewal distinguished between documents parties are obligated to preserve and those that they are not obligated to preserve and that can be destroyed as part of a routine retention policy.[46] Pursuant to Cisco’s document retention policy, Cisco reformatted departed employees’ laptops and deleted e-mail archives thirty days after an employee’s departure.[47] After one employee’s departure, and the deletion of his data, AMC requested his custodial data.[48] When Cisco did not provide the data because it had been destroyed according to its retention policy, AMC moved for spoliation sanctions.[49]

[17]     Judge Grewal held that sanctions were not warranted because Cisco was under no obligation to preserve his data at the time it was destroyed.[50] Judge Grewal underscored that the “scope of this duty is confined to what is reasonably foreseeable to be relevant to this action. Requiring a litigant to preserve all documents, regardless of their relevance, would cripple parties who are often involved in litigation . . . .”[51] In its analysis, the court also noted that the disposal of the employee’s documents “appears to have been routine—Cisco followed established company procedure, which deletes company emails and information within thirty days.”[52]

[18]     These cases provide a framework for identifying the scope of preservation. While each case turns on its own unique facts, these cases demonstrate that preserving everything is not the requirement of the duty to preserve, as such a requirement would create inefficiencies for business and government entities attempting to carry out their daily functions. Moreover, they show that only those documents that are reasonably foreseeable to be relevant to the action at the time the duty is triggered must be preserved. Obviously, what is relevant can change during the course of an investigation. As a result, practitioners should continue to monitor what has been preserved and the pertinent issues in the litigation to continue to observe their preservation obligations.

A. Identifying What Must Be Preserved

[19]     So the next question is: how do you identify and preserve documents that are potentially relevant to the parties’ dispute? Understanding who created and possesses potentially relevant ESI—and how that ESI is stored—is the first step to competently complying with the duty to preserve. Not taking these steps can lead to the destruction of potentially relevant information, and adverse consequences for that destruction. Brown v. Tellermate Holdings Ltd. outlines the failings of practitioners in executing their duty to identify and preserve potentially relevant ESI, and thus provides a good description of what practitioners need to do to competently comply with their preservation obligations.

[20]     In Brown v. Tellermate Holdings Ltd., the court found that Tellermate’s counsel “failed to uncover even the most basic information about an electronically-stored database of information” and that “as a direct result of that failure, took no steps to preserve the integrity of the information in that database.”[53] In this age discrimination case, the plaintiffs requested reports from both of their accounts in, a web-based application that allows businesses to track sales activities, as well as a number of other employees’ reports.[54] While at Tellermate, the plaintiff employees knew that Tellermate acquired licenses for their sales team to use and encouraged its employees to use it.[55] During discovery, Tellermate contended that it could not produce the reports because, among other things, Tellermate could not “print out accurate historical records from . . .”[56] Counsel for Tellermate represented to the court that “Tellermate [did] not possess or control data maintained in the database and [was] not at liberty to produce it in discovery,” as well as that no one from Tellermate “has access to [the] ESI of . . . .”[57] However, in direct contradiction from its attorneys’ representations to the court, Tellermate’s representative testified that “any Tellermate employee with a login name and a password could access . . . historical information . . . at any time.”[58]

[21]     Additionally, after the plaintiffs’ departure, Tellermate changed the user names to the their accounts and took no action to preserve the information in the plaintiffs’ accounts, as the data in their accounts could be changed or deleted by administrators at the company.[59] For the above actions, the court admonished Tellermate’s counsel, stating “all of this information was clearly known to at least some Tellermate employees since Tellermate began using; had the right questions been asked of the right people, counsel would have known it as well.”[60]

[22]     The court also found that “counsel apparently never identified the persons having responsibility for information, which would have included those Tellermate employees (named by the [plaintiffs] in their document request) whose accounts were being requested, or the persons designated by Tellermate as its administrators.”[61] In short, the court found that “counsel had an affirmative obligation to speak to the key players at Tellermate so that counsel and client could identify, preserve, and search the sources of discoverable information.”[62]

[23]     To competently preserve ESI, practitioners must determine the individuals who may have knowledge or information about the different issues involved in the dispute, then determine what potentially relevant documents and data those individuals have in their possession, custody, or control.[63] Simultaneously, practitioners should speak with their client’s information technology personnel, who can explain the company’s system-wide back up procedures, any “auto-delete” functions, and gain a general overview of where and how data resides throughout the company (e.g., e-mail servers, file share servers, VM systems, databases, etc.).[64] These steps allow a practitioner to ask the right questions of the right people in order to determine where potentially relevant information resides.

[24]     Additionally, asking the right questions of the right people can also inform your decision as counsel as to what is reasonably accessible and therefore reasonably can be preserved. For example, if you learn from information technology personnel that the company’s disaster recovery systems are truly disaster recovery systems rather than a form of long-term storage, it may be worth mentioning at a Fed. R. Civ. P. 26(f) conference or meeting that, because these systems are for disaster recovery only, they are not reasonably accessible and will not be preserved.[65]

[25]     Moreover, discussing the data landscape with key custodians and information technology personnel provides valuable information about the various data sources and the amount it may cost to preserve those data sources, which can provide insight into whether producing from that data source is proportional to the needs of the case.[66] For example, in You v. Japan the court allowed defendant Sankei, a newspaper publisher, to modify a piece of a preservation order because of the undue burden it was placing on its business.[67] The preservation order required each party to take affirmative steps to preserve evidence related to the action by ceasing “any document destruction programs and any ongoing erasures of e-mails, voicemails, and other electronically recorded materials.”[68] Sankei took steps to comply with the order, including retaining versions of articles that it placed in a proprietary application used for laying out each edition of the newspaper.[69] The application typically retained these versions for 90 days.[70] Sankei stated that requiring that application to retain the article versions for greater than 90 days “could slow down the system or cause it to crash.”[71] Sankei also stated that installing a new storage system could take up to eight months and would cost $18 million.[72] Accordingly, Sankei filed a motion for relief from the preservation order and proposed an alternative method to preserve the documents in the proprietary application.[73] The Court, noting plaintiffs’ objections, granted Sankei’s proposal and included a modification proposed by the plaintiffs.[74] Without asking the right questions of the right people, Sankei may not have been able to seek an alternative that would allow it to continue functioning as a business and maintain its preservation obligations.

B. The Litigation Hold

[26]     While the litigation hold or legal hold notice should now be part of every practitioner’s litigation checklist, it is still an integral part of competently complying with the duty to preserve. As the court in Zubulake V stated, “[o]nce a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”[75]

[27]     A litigation hold informs custodians and information technology personnel about the lawsuit and their preservation obligations to preserve potentially relevant information relating to the lawsuit.[76] However, implementing the litigation hold does not end a party’s preservation obligations—“[c]ounsel [also] must oversee compliance with the litigation hold.”[77]

[28]     Apple Inc. v. Samsung Electronics Co., Ltd. demonstrates the potential consequences of failing to monitor compliance with a litigation hold. There, Magistrate Judge Grewal analyzed “whether Samsung took adequate steps to avoid spoliation after it should have reasonably anticipated” litigation.[78] In this case, a Samsung entity/defendant failed to disable the “auto-delete” function of its e-mail system after the duty to preserve was triggered.[79] Judge Grewal noted that it is “generally recognized that when a company or organization has a document retention policy, it is ‘obligated to suspend’ that policy and ‘implement a “litigation hold” to ensure the preservation of relevant documents’ after the preservation duty has been triggered.”[80] Samsung issued a litigation hold notice requesting employees to “preserve any and all [] documents that may be relevant to the issues in the potential litigation . . . until [the potential litigation] is fully resolved.”[81] However, while the litigation hold notice provided categories of documents that should be retained, Samsung took no steps to evaluate what its employees were doing to comply with the litigation hold notice, especially in light of the continued use of the auto-delete function.[82] While under the legal hold, Samsung never checked to see whether a single custodian was in compliance with the given directives.[83]

[29]     Practitioners and clients should consistently monitor employee and information technology compliance with their legal hold directives. The longer a legal hold is in place and the more time that goes by opens companies up to something that can be described as “Litigation Hold Fatigue,” resulting in less enthusiastic preservation practices.[84] Additionally, as noted above, issues in a litigation change, which can change what needs to be preserved. Follow-up reminders and revisions to litigation holds not only assist in complying with preservation obligations, but they can also assist in defining the scope of preservation.

IV. What Can We Learn From Failing to Preserve

[30]     Cases outlining complete failures to preserve are instructive to practitioners as a template for “Preservation Do Nots.” In Altercare, Inc. v. Clark, the Ohio Court of Appeals was required to determine whether the trial court abused its discretion in dismissing Altercare’s case against its former employee, Clark, for failing to preserve the former employee’s computer after the obligation to preserve arose.[85] After being told not to return to Altercare for work, Clark’s attorney sent Altercare a letter stating that it had breached Clark’s employment contract, and requesting that Altercare preserve evidence relevant to the dispute.[86] The preservation notice portion of the letter provided a non-exhaustive list of data covered by Altercare’s obligation, as well as ways that Altercare could comply with its obligation.[87] Once suit was filed, Clark requested in discovery all ESI relating to Clark and/or Clark’s employment with Altercare.[88]

[31]     The trial court attempted to determine what Altercare did to preserve Clark’s ESI on numerous occasions.[89] The court found that, at one point, Altercare returned a different hard drive to Clark than belonged to the work computer she sent the company for preservation.[90] The trial court held that Altercare did not preserve Clark’s work computer, failing to either “[pull] it out of service or [make] a copy or clone of its hard drive at the time Ms. Clark put [Altercare] on notice” of its obligation to preserve.[91] Because the trial court found that Altercare’s conduct in failing to preserve Clark’s work computer showed “such extreme carelessness and indifference,” the trial court dismissed Altercare’s complaint.[92] The Court of Appeals affirmed the trial court’s ruling, finding that Altercare “took no action whatsoever” to preserve Clark’s computer, either when she was terminated—even though it was reasonably foreseeable that litigation with Clark was probable—or after receiving the preservation notice from Clark’s attorney.[93] Notably, the Court of Appeals also recognized that the trial court “found that there was no evidence that Clark’s computer was lost as a result of a routine, good faith operation,” [94] such as a retention schedule.

[32]     Similarly, in Alter v. Rocky Point Sch. Dist., in ruling on the Plaintiff’s motion to compel and for sanctions in a workplace discrimination claim, the court found that defendants had failed to satisfy their duty to preserve relevant evidence.[95] The court based its ruling on the following facts:

  • Defendants failed to issue a timely litigation hold, instead waiting more than two years after Plaintiff filed a Notice of Claim;[96]
  • Defendants “failed to discuss the litigation hold with key players” in the lawsuit;[97]
  • Defendants failed to inform key custodians regarding their obligation to preserve relevant evidence “on whatever devices contained the information, [including] [personal] laptops, cellphones or any personal digital devices capable of ESI storage.”[98]

[33]     In Clear-View Techs., discussed above, the defendants took “no reasonable steps to preserve relevant evidence” and, in fact, “affirmatively destroyed it,” after the text message that triggered the preservation obligation was sent and, in some cases, after the preservation letter was received and after suit was filed.[99]

[34]     In each of these cases, the party responding to destruction allegations failed to take reasonable steps to preserve potentially relevant evidence—no litigation holds issued, no custodian interviews performed or even simple questions asked, and in a workplace discrimination suit, the terminated employee’s workstation was not preserved—and was then punished in some manner by the court. As these cases demonstrate, it is this failure to competently preserve potentially relevant evidence that places clients and their attorneys on rocky ground with the court.

[35]     Prior to the 2015 amendment of Rule 37(e), the sanctions imposed by courts because of the destruction of evidence, whether through negligence or bad faith, created inconsistencies in the sanctions imposed throughout the federal circuits.[100] In one circuit, a party could receive an adverse inference instruction from the grossly negligent deletion of an employee’s ESI,[101] while in another, an adverse inference instruction was appropriate only where there was a finding of bad faith in the destruction of the evidence.[102] Amended Rule 37(e) no longer allows courts to punish parties through an adverse inference instruction in the wake of destroyed evidence if they can show they took reasonable steps to preserve evidence.[103]

[36]     So what does this mean for practitioners? In the words of algebra teaches everywhere, litigants must “show their work.” Litigants should document the processes by which and steps they took to preserve potentially relevant evidence. The following steps, while not all-inclusive, and when they were taken should be well-documented by practitioners:

  • Issue a litigation hold that outlines the potential forms of ESI (e-mail, text messages, word documents, databases, etc.) and the potential sources of ESI (e-mail mailbox, smart phone, workstation, network servers, social media accounts, etc.) available to custodians;[104]
  • Identify and interview key players and custodians regarding their ESI forms and sources;
  • Interview information technology personnel regarding forms and sources of ESI available to employees and other personnel at the company, as well as the back-up and disaster recovery systems in place;
  • Document which devices were identified as having potentially relevant evidence and how each device was preserved for each custodian;
  • Document how specific information on servers and other company sources was identified and preserved;
  • Monitor legal hold compliance and refresh litigation hold notice as issues in the litigation evolve and new custodians are identified and new employees hired;
  • Disable and document the disabling of “auto-delete” functions for systems containing such functions;
  • Evaluate software offerings available to assist with the implementation of a legal hold;[105]
  • Analyze records management or retention policies for those categories of documents under a litigation hold to ensure routine destruction as to those documents has stopped.

[37]     Practitioners should document what was done and when it was done to demonstrate to the court how they took reasonable steps to preserve ESI. Taking the time to identify whose data and what sources and forms of data need to be preserved, and then “showing your work” by documenting those preservation steps and the considerations necessary to make those choices, demonstrates competence and may save you from headaches and discord later.

* Lauren Wheeling Waller is a partner at Williams Mullen and chairs the firm’s e-Discovery and Information Governance Practice Group. She is an experienced litigator and provides guidance in crafting defensible and uniform approaches to records management and retention, litigation hold implementation, as well as managing complex e-Discovery projects in commercial litigation and investigations. She has written and spoken frequently on electronic discovery topics and is a member Working Group I on Electronic Document Retention and Production of The Sedona Conference.



[1] Competent, Merriam-Webster,, archived at (last visited Feb. 25, 2016).

[2] Model Rules of Prof’l Conduct R. 1.1 (2014).

[3] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[4] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op.] (emphasis added) (internal citations omitted).

[5] See EDRM Stages, EDRM,, archived at (last visited Feb. 25, 2016).

[6] See Cal. Ethics Op., supra note 4, at 3; see also HM Electronics, Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *24 (S.D. Cal. Aug. 7, 2015) (holding that an “attorney’s duty to supervise the work of consultants, vendors, and subordinate attorneys is non-delegable. ‘An attorney must maintain overall responsibility for the work . . .,’ and, must do so by remaining regularly engaged in the . . . work.”) (internal citations omitted) (emphasis in original).

[7] See Cal. Ethics Op., supra note 4, at 3–4. (“[I]nitially assess e-[D]iscovery needs and issues, if any; [I]mplement/cause to implement appropriate ESI preservation procedures; [A]nalyze and understand a client’s ESI systems and storage; [A]dvise the client on available options for collection and preservation of ESI; [I]dentify custodians of potentially relevant ESI; [C]ollect responsive ESI in a manner that preserves the integrity of ESI”).

[8] See generally Data Never Sleeps 3.0, DOMO,, archived at (last visited Feb. 11, 2016). 

[9] See id.

[10] Compare id., with Data Never Sleeps 2.0, DOMO,, archived at (last visited Feb. 11, 2016), and Data Never Sleeps, DOMO,, archived at (last visited Feb. 11, 2016) (noting that applications such as Snapchat and Tinder were not identified in 2012 but generated vast amounts of data in 2015).

[11] See Victor Stanley, Inc. v. Creative Pipe, Inc., 269 F.R.D. 497, 538–41 (D. Md. 2010) (recommending sanctions including permanent injunction and attorneys’ fees); Malibu Media, LLC v. Tashiro, No. 1:13-cv-00205-WTL-MJD, 2015 U.S. Dist. LEXIS 64281, at *104 (S.D. Ind. May 18, 2015) (granting motion for sanctions for default judgment); HM Elecs., Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *31–35 (S.D. Cal. Aug. 7, 2015) (recommending adverse inference instruction, as well as other sanctions). As these cases indicate, EDRM preservation tends to be the area where attorneys and clients make the most mistakes.

[12] See Fed. R. Civ. P. 37(e) (allowing for sanctions only when information is lost and cannot be replaced, and the court finds that another party is prejudiced from the loss or that the party acted with the intent to deprive the other party of information).

[13] See Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 461 (S.D.N.Y. 2010) [hereinafter Pension Comm.], abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012); Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 607 (S.D. Tex. 2010); Victor Stanley, Inc., 269 F.R.D. at 499–500; Zubulake v. UBS Warburg LLC (Zubulake V), 229 F.R.D. 422, 424 (S.D.N.Y. 2004), Zubulake v. UBS Warburg LLC (Zubulake IV), 220 F.R.D. 212, 214 (S.D.N.Y. 2003).

[14] See Victor Stanley, Inc., 269 F.R.D. at 525 (noting “the duty to preserve evidence relevant to litigation of a claim is a duty owed to the court.”) (emphasis in original).

[15] See Monica McCarroll, Discovery and the Duty of Competence, 26 Regent U. L. Rev. 81, 91 (2013).

[16] Silvestri v. Gen. Motors Corp., 271 F.3d 583, 591 (4th Cir. 2001).

[17] See Pension Comm., 685 F. Supp. 2d at 466.

[18] See generally Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1132 (N.D. Cal. 2012).

[19] See Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *3. The text message stated, in part, “[D]on’t call my shareholders with your b.s. That is [tortious] economic interference. I will not accept this. . . . [K]eep it up and you’ll find [yourself] in court[.] Call Clyde again and I sue. Mark my words.” Id at *3–4 (alteration in original).

[20] Id. at *3.

[21] See id. at *21.

[22] See Apple Inc., 881 F. Supp. 2d at 1145 (noting that the presentation from Apple provided Samsung with “more than just a vague hint” that litigation “was at least foreseeable, if not ‘on the horizon.’”).

[23] In re Napster, Inc. Copyright Litig., 462 F. Supp. 2d 1060, 1069 (N.D. Cal. 2006).

[24] See, e.g., Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 2.

[25] While discussed only in the context of preservation below, information about a client’s data landscape prior to litigation should be part of an overall information governance effort. See Information Governance Reference Model (IGRM), EDRM,, archived at (last visited Mar. 18, 2016) [hereinafter IGRM].

[26] Apple Inc., 881 F. Supp. 2d at 1137; The Sedona Conference, The Sedona Conference Commentary on Legal Holds: the Trigger & the Process 1 (Conor R. Crowley et al. eds., 2007),, archived at (download required).

[27] See Pension Comm., 685 F. Supp. 2d 456, 466 (S.D.N.Y. 2010), abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012).

[28] Zubulake IV, 220 F.R.D. at 217–18. While this case was decided under the pre-2015 amendment scope of discovery, it remains a seminal case in defining the scope of the duty to preserve.

[29] See id. at 217 (noting that the duty to preserve does not require litigants to preserve “every shred of paper, every e-mail or electronic document, and every backup tape[.]”).

[30] See Blue Sky Travel & Tours, LLC v. Al Tayyar, 606 Fed. Appx. 689, 690 (4th Cir. 2015).

[31] See id. at 691.

[32] See id.

[33] See id. at 692.

[34] See id. at 692–93.

[35] Blue Sky Travel & Tours, LLC, 606 Fed. Appx. at 692.

[36] See id. at 690.

[37] Id. at 697–98.

[38] See id.

[39] See Wandering Dago Inc. v. N.Y. State Office of Gen. Servs., No. 1:13-CV-1053 (MAD/RFT), 2015 U.S. Dist. LEXIS 69375, at *1 (N.D.N.Y. May 29, 2015).

[40] See id. at *1–2.

[41] See id. at *22 (“Defendants correctly assert that they have no control over [Defendants’] emails. . . .”).

[42] See id.

[43] Id. at *23 (quoting N.Y. v. Amtrak, 233 F.R.D. 259, 266 (N.D.N.Y. 2006).

[44] Wandering Dago Inc., 2015 U.S. Dist. LEXIS 69375, at *24.

[45] Id. at *24–25.

[46] See AMC Tech., LLC v. Cisco Sys. Inc., No. 11-cv-3403 P, 2013 U.S. Dist. LEXIS 101372, at *4 (N.D. Cal. July 15, 2013).

[47] See id. at *4.

[48] See id. at *5–7.

[49] See id.

[50] See id. at *10.

[51] AMC Tech., LLC, 2013 U.S. Dist. LEXIS 101372, at *9.

[52] Id. at *11.

[53] Brown v. Tellermate Holdings, Ltd., No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123, at *6 (S.D. Ohio July 1, 2014).

[54] See id. at *7, *10.

[55] See id. at *8.

[56] Id. at *11.

[57] Id. at *13.

[58] Brown, 2014 U.S. Dist. LEXIS 90123, at *14.

[59] See id.

[60] Id. at *19 (emphasis added).

[61] Id. at *52–53.

[62] Id. at *56.

[63] See Zubulake V, 229 F.R.D. 422, 432 (S.D.N.Y. 2004); see also McCarroll, supra note 15, at 94–95.

[64] See Zubulake V, 229 F.R.D. at 432.

[65] See Zubulake IV, 220 F.R.D. 218. Amended Rule 26(f) now puts issues of preservation at the forefront of a 26(f) conference. See Fed. R. Civ. P. 26(f)(3)(C) (“A discovery plan must state the parties’ views and proposals on: . . . any issues about disclosure, discovery, or preservation of electronically stored information, including the form or forms in which it should be produced . . . .”) (emphasis added); see also Fed. R. Civ. P. 37(e), advisory committee’s note on 2015 amendments (“A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms.”).

[66] Fed. R. Civ. P. 26(b)(1) (“Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense” and proportional to the needs of the case).

[67] See Hee Nam You v. Japan, No. C 15-03257 WHA, 2015 U.S. Dist. LEXIS 123877, at *2–5 (N.D. Cal. Sept. 16, 2015).

[68] Id. at *2.

[69] See id. at *2–3.

[70] See id. at *3.

[71] Id.

[72] See Hee Nam You, 2015 U.S. Dist. LEXIS 123877, at *3.

 [73] See id.

[74] See id. at *4–5.

[75] Zubulake V, 229 F.R.D. at 431 (quoting Zubulake IV, 220 F.R.D. at 218).

[76] See id. at 439.

[77] Id. at 432.

[78] Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1134 (N.D. Cal. 2012).

[79] See id. In his opinion, Judge Grewal again reiterated that the duty to preserve includes identifying, locating, and maintaining information that is relevant to the litigation. See id. at 1137.

[80] Id. at 1137 (internal citations omitted).

[81] Id. at 1142–43.

[82] See id. at 1145.

[83] See Apple Inc., 881 F. Supp. 2d at 1147.

[84] See generally Legal Hold Software, Exterro,, archived at (last visited Feb. 20, 2016) (“Help custodians understand the importance of pending obligations, fight ‘notice fatigue’ by those on multiple legal holds, and promote consistent compliance.”).

[85] See Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 12.

[86] See id. at ¶ 2.

[87] See id. (“Altercare can most easily comply with its obligation by making mirror-image bit stream back-up copy of computers and storage media (such as hard disk drive[s], floppy disks, CDs, DVDs, back-up tapes, or any other electronic data), which will inexpensively preserve relevant electronic and digital evidence on searchable CD-ROMs or DVD.”).

[88] See id. at ¶ 3.

[89] See id. at ¶¶ 3–10.

[90] See Altercare, 2013-Ohio-2785, at ¶ 6.

[91] Id. at ¶ 10.

[92] Id.

[93] Id. at ¶¶ 2, 16.

[94] Id. at ¶ 16.

[95] See Alter v. Rocky Point Sch. Dist., No. 13-1100 (JS) (AKT), 2014 U.S. Dist. LEXIS 141020, at *3 (E.D.N.Y. Sept. 30, 2014).

[96] See id. at *28.

[97] Id. at *23.

[98] Id. *22­–24, *26, *28.

[99] Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *21–23 (noting that defendants “failed to implement a hold policy,” “deleted thousands of relevant emails, [and] discarded several phones, laptops, [and] iPads…”).

[100] Compare Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 108 (2nd Cir. 2002) (“The sanction of an adverse inference may be appropriate in some cases involving the negligent destruction of evidence because each party should bear the risk of its own negligence.”), with United States v. Artero, 121 F.3d 1256, 1259 (9th Cir. 1997) (noting that a “district judge did not abuse his discretion by refusing to give an adverse inference instruction, because the appellant showed neither bad faith imputable to the federal government nor prejudice from the loss and destruction of the evidence.”) (citing United States v. Jennell, 749 F.2d 1302, 1308–09 (9th Cir. 1984)).

[101] See Sekisui Am. Corp. v. Hart, 945 F. Supp. 2d 494, 504 (S.D.N.Y. 2013).

[102] See Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 614 (S.D. Tex. 2010).

[103] See Fed. R. Civ. P. 37(e) advisory committee’s note on 2015 amendments (“The rule only applies if the information was lost because the party failed to take reasonable steps to preserve the information.”).

[104] See generally D.O.H. v. Lake Cent. Sch. Corp., No. 2:11-cv-430, 2015 U.S. Dist. LEXIS 20259, at *23–25 (N.D. Ind. Feb. 20, 2015) (discussing where custodians identify social media as a potential source of potentially relevant information, practitioners should take steps to ensure that they understand how to preserve data from a social media site or engage a third-party vendor that does understand both how the site works and how to preserve the data contained in the site.).

[105] See generally Jie Zhang & Garth Landers, Magic Quadrant for E-Discovery Software, Gartner (May 18, 2015),, archived at (evaluating over twenty e-Discovery software vendors).

Addressing Employee Use of Personal Clouds

Favro Publication Versionpdf_icon

Cite as: Philip Favro, Addressing Employee Use of Personal Clouds, 22 Rich. J.L. & Tech. 6 (2016),

Philip Favro*



[1]       Cloud computing is one of the most useful innovations in the digital age.[1] While much of the attention on recent advances has focused on smartphones, tablet computers, and wearable technology, the cloud is perhaps unrivaled in its utility for organizations.[2] From simplified data storage to innovative software platforms, enterprise-grade cloud solutions provide cost-effective alternatives to acquiring expensive computer hardware and software.[3] Enterprise clouds also offer a collaborative work environment for a mobile and widespread work force, enabling businesses to maximize worker productivity.[4]

[2]       Organizations are not alone in reaping the benefits of cloud computing. Individuals have likewise discovered the value that cloud providers offer in their personal lives.[5] With increased storage for digital photos, music, and other files, personal cloud providers help users avoid losing personal data when a computer hard drive inevitably fails.[6] Furthermore, the transfer functionality afforded by personal clouds enables users to seamlessly move data between computers, smartphones, and other mobile devices.[7]

[3]       With such utility at their fingertips, it should come as no surprise that individuals use personal clouds to facilitate work responsibilities.[8] Personal cloud providers like Dropbox, Box, and Google Drive can obviate clunky network storage options and simplify data sharing and teamwork among colleagues.[9] While employees of many organizations could benefit from such functionality, it is particularly advantageous to workers whose employers lag behind the technology curve.[10]

[4]       These and other features seem to make personal clouds an ideal tool for advancing business objectives within the corporate environment.[11] Appearances, however, can be deceiving. That is exactly the case with employee use of personal cloud applications in the workplace.[12] From information retention and information security to litigation readiness and cybersecurity, personal cloud use among employees implicates a range of troubles for organizations.[13] Indeed, the very aspects that make personal clouds so attractive–cheap and unlimited storage, simplified transfers, and increased collaboration–pose serious threats to the enterprise.[14]

[5]       Nevertheless, companies in many instances have taken few, if any, actionable steps to address the proliferation of personal cloud use among their employees.[15] Worse, some organizations have implemented “bring your own cloud” (BYOC) policies that officially sanction employee use of consumer-grade cloud applications in the workplace without sufficient corporate oversight.[16] A BYOC policy that lacks proper measures to ensure compliance may very well result in a disastrous outcome for the enterprise.[17]

[6]       In this article, I address these issues by surveying recent court cases that exemplify the information governance and litigation challenges arising from personal cloud use in the business enterprise. In particular, I discuss the problems with BYOC practices that expressly or implicitly enable employee use of personal clouds. I also spotlight some of the troubles that stealth use of personal clouds creates for organizations. I conclude by suggesting some practices that can help organizations ameliorate these problems.


[7]       Employers are often directly responsible for the difficulties that have resulted from employee use of cloud applications.[18] That employers are at fault does not stem from this being a new trend. Indeed, personal cloud providers have been around since the 2000s,[19] with courts examining the troubles associated with cloud computing beginning in 2011.[20]Organizations previously overlooked the risks of this trend by authorizing their executives or employees to use personal cloud applications in the corporate ecosystem.[21] In addition, they ignored the hazards associated with the stealth use of personal clouds.[22] This Part examines cases that address these aspects of employee use of consumer clouds.

 A. Corporate Approved BYOC Accounts

[8]       In many instances, organizations have openly welcomed the use of personal clouds by their employees.[23] Whether by policy or by practice, corporate IT departments have approved personal cloud use by expressly enabling its functionality.[24] Nevertheless, that is often the extent of corporate oversight.[25] Beyond requiring an employee to sign a perfunctory non-disclosure agreement, little follow up effort is taken to prevent employees from transferring confidential information from company servers to a personal cloud.[26]

[9]       Such corporate inaction can be challenging for cybersecurity initiatives, retention schedules, and preservation requirements in litigation. However, it can be especially problematic when an employee leaves the company with proprietary materials and begins working for an industry competitor.[27] The Selectica v. Novatus[28] and PrimePay v. Barnes[29] decisions are particularly instructive on the need for organizations to abandon their laissez-faire attitude toward employee use of approved BYOC accounts.

  1. Selectica v. Novatus

[10]     In Selectica, plaintiff (Selectica) filed suit against defendant (Novatus), claiming Novatus misappropriated various trade secrets.[30] In particular, Selectica alleged that four of its former sales personnel violated their respective non-disclosure agreements by sharing confidential pricing information with Novatus, their new employer.[31] Those agreements provided that the employees would maintain the confidentiality of Selectica’s proprietary information and return all such materials to the company upon termination of their employment.[32]

[11]     Despite those agreements, one of the employees (Holt) offered to share Selectica’s pricing information to a member of Novatus’ senior management team after joining Novatus.[33] Holt still had access to that information along with other data belonging to Selectica because he maintained it with Box, a cloud storage provider.[34] The Box account was not a stealth cloud drive concealed from Selectica.[35]

[12]     Instead, Selectica expressly recommended and authorized Holt to store that data under a BYOC arrangement with Box: “While employed by Selectica, [Holt] had a company laptop computer which, on Selectica’s recommendation, was configured so that it automatically synced to his personal cloud storage account at This meant that when Holt saved a file to the laptop, the system pushed a copy to his Box account.”[36] Despite having enabled the BYOC arrangement with Holt, Selectica apparently neglected to disable the Box account or remove any proprietary materials upon Holt’s departure.[37] As a result, Holt had full access to the pricing information when he joined Novatus.[38]

[13]     Selectica demonstrates the folly of a lax approach to personal cloud use within the enterprise. While Selectica enabled the Box account for backup purposes, it took no action to protect Selectica’s interest in the corporate information stored in that account. For example, Selectica did not obtain Holt’s login credentials to the Box account.[39] Nor does it appear that Selectica monitored Holt’s use of the account while employed with the company.[40] Selectica did not disable the Box account when Holt left the company.[41] Furthermore, Selectica took no action to confirm that Holt had either returned or destroyed all proprietary company information before going to work for Novatus.[42]

[14]     Any one of these steps—and certainly a combination of them—would likely have prevented the disclosure of Selectica’s product pricing information to an industry competitor.[43] Selectica exemplifies the need for corporate oversight of approved BYOC accounts if organizations are to prevent their trade secrets from falling into the hands of competitors.

  1. PrimePay v. Barnes

[15]     Another exemplary decision on these issues is PrimePay v. Barnes.[44] Like Selectica, PrimePay involves claims of trade secret misappropriation.[45] In PrimePay, the plaintiff (PrimePay) sued one of its former executives (Barnes) that established a competing business entity.[46] PrimePay moved for a preliminary injunction against the operation of Barnes’ business, arguing that Barnes took several categories of confidential PrimePay information and stored it with cloud service provider Dropbox, along with other locations.[47] According to PrimePay, Barnes accessed the Dropbox-stored data to allegedly help start his competing company. He then allegedly destroyed those materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”[48]

[16]     In response to these arguments, Barnes asserted that he never absconded with PrimePay’s proprietary data.[49] Instead, Barnes explained that any PrimePay data in his Dropbox account was from work that he previously performed while at PrimePay.[50] According to Barnes, that data was mostly deleted at the time he left the company.[51] As for the origin of the Dropbox account, it was created far in advance of Barnes’ departure from the company.[52] Its purpose was not to steal proprietary data, Barnes argued, but to allow him to complete work for PrimePay when he was away from the office.[53] Nor was this a stealth account; it was a company-approved BYOC:

Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.[54]

[17]     Given that Barnes’ Dropbox account was a company-approved BYOC account, and in light of other evidence suggesting Barnes did not access the Dropbox files or other proprietary PrimePay information after leaving his position with the company, the court did not find evidence of trade secret misappropriation.[55] While the court ordered the destruction of PrimePay’s remaining confidential information stored on the Dropbox, it refused to issue a preliminary injunction against the operation of Barnes’ competing enterprise.[56]

[18]     PrimePay reinforces the lesson from Selectica that a laissez-faire approach to personal clouds may lead to corporate disasters. Because PrimePay did not monitor or disable the Dropbox account, Barnes apparently left the company with a massive trove of proprietary company data. Even though the court accepted Barnes’ explanation that he accessed little, if any, of that data after he left the company, PrimePay’s evidence suggested otherwise.[57] While PrimePay may never know how much of its information was used to start Barnes’ competing enterprise, it is reasonably certain that a more robust compliance program would have quarantined the proprietary data before Barnes left the company.[58] This may have obviated the legal expenses and opportunity costs of the litigation. Like Selectica, PrimePay ultimately teaches that organizations should police approved BYOC environments to better safeguard proprietary corporate information.

 B.  Stealth Use of Personal Clouds

[19]     Beyond the problem of a poorly monitored BYOC ecosystem stands the equally troubling scenario of stealth use of personal clouds.[59] Such a scenario involves employees using their personal cloud accounts in connection with their work duties without express company approval.[60] While some employees do so in good faith to facilitate their work, others clandestinely use their cloud accounts to sabotage the organization or to gain a competitive advantage over their former employers after leaving the company.[61] A number of decisions demonstrate the problems with stealth—or “shadow”—use of personal clouds across the spectrum of corporate employees.[62]

  1. Operations-Level Employee

[20]     Operations-level employees are often at the heart of stealth use of personal clouds. For example, in Toyota Industrial Equipment Manufacturing v. Land, a managerial level employee (Land) used Google Drive and other personal cloud applications to steal hundreds of critical documents from his employer (Toyota) before going to work for an industry competitor.[63] Those documents included technical specifications reflecting the proprietary design of certain industrial equipment, along with related pricing and financial information.[64] While authorized to use that data during his employment, Land stored and kept shadow copies of these materials on his Google Drive account so they could be accessible after he left Toyota.[65]

[21]     To facilitate the removal of Toyota’s proprietary information, Land downloaded “GoogleDriveSync.exe” on his work computer.[66] Similar to the corporate-enabled Box account in Selectica, the GoogleDriveSync.exe program enabled Land to simultaneously save documents on his personal Google Drive account that he saved to his company-issued computer.[67] On the eve of his departure from Toyota, Land placed approximately 800 “files and folders” on Google Drive.[68] These actions—Land removing and then retaining Toyota’s proprietary information after his departure from the company in violation of his non-disclosure agreement—resulted in an injunction preventing Land from working for Toyota’s competitor.[69]

[22]     Another case involving stealth cloud use by an operations-level employee is RLI Insurance Company v. Banks.[70] In RLI, the employee (Banks) used a Norwegian cloud provider (Jottacloud)[71] to upload “757 customer claim files and other files containing proprietary information” belonging to her employer (RLI).[72] Banks initially tried to upload the files to her Dropbox account, but RLI’s corporate network denied access to Dropbox.[73] RLI had employed a web filtering software blocking employees from accessing more commonly used cloud providers, such as Dropbox.[74] Undeterred, Banks researched “Dropbox alternatives” that could evade RLI’s filtering protocol, opened a Jottacloud account, and used that service to remove proprietary RLI data in violation of her employment agreement.[75] RLI eventually discovered Banks’ malfeasance, but only after offering her a severance package subsequent to her dismissal from the company.[76]

  1. Company Executives

[23]     Operations-level employees are not alone in their furtive use of personal clouds. Company executives can also be guilty of such conduct. Given the nature of access that executives often have to critical information, such conduct can be particularly problematic. The Frisco Medical Center v. Bledsoe[77] and De Simone v. VSL Pharmaceuticals[78] cases are instructive in this particular scenario.

[24]     In Frisco Medical, the chief operating officer (Bledsoe) for a Texas hospital (Frisco) used Dropbox to obtain several classes of proprietary and patient information before leaving Frisco for a new position elsewhere.[79] More specifically, Bledsoe installed Dropbox on her work computer after she accepted her new position but before she resigned from Frisco.[80] With Dropbox enabled, Bledsoe then transferred “Frisco’s confidential and proprietary information, trade secrets, peer review materials, and statutorily protected patient health information to her personal” cloud account in violation of her employment agreements.[81]

[25]     Frisco did not suspect that Bledsoe surreptitiously removed proprietary information from its computer network until she revealed in an exit interview that “she knew where too many bodies were buried.”[82] It was only then that Frisco began investigating Bledsoe’s computer usage, discovered her use of Dropbox, and determined the extent of the information she had taken from the hospital.[83]

[26]     In contrast to Frisco Medical, De Simone v. VSL Pharmaceuticals involved a chief executive officer (De Simone) who used Dropbox to deprive his company (VSL) of corporate records.[84] De Simone, who served as VSL’s chief executive for more than a decade, became embroiled in a dispute with investors over who rightfully owned VSL’s intellectual property related to the probiotic drug sold by the company.[85] In connection with that dispute, De Simone transferred VSL’s corporate records to his personal Dropbox account.[86] He then wiped the corporate network in order to eliminate any trace of the records and rejected shareholder requests to access the information.[87] After resigning his position as VSL’s CEO a few months later, De Simone began working for a competitive enterprise that manufactured and sold a generic version of VSL’s probiotic drug, taking the corporate records with him.[88]

  1. Analysis of Cloud Jurisprudence

[27]     The cases discussed so far generally involve harm to employers that likely could have been obviated had the organizations taken safeguards to prevent or detect stealth use of personal clouds.[89] Instead, like Selectica, the employers in Toyota Industrial, RLI, and Frisco Medical relied on non-disclosure and other employment agreements to protect their sensitive and proprietary information.[90]

[28]     On the one hand, those agreements successfully enabled the aggrieved parties to obtain injunctions, summary judgment orders, and damages against the cloud-wielding tortfeasors.[91] But at what cost? The employers incurred legal fees and costs for the investigations and court actions they undertook to address the theft of corporate information by their former employees. In addition to those expenses, the organizations sustained substantial opportunity costs. Personnel were likely redirected from business operations to ameliorate the harm caused by the loss of proprietary data. Moreover, industry competitors may have become acquainted with strategic plans, pricing information, design specifications, financial performance, and other proprietary data. All of this may have provided their competitors with an advantage in subsequent business dealings.[92]

[29]     Simply put, the non-disclosure and employment agreements did nothing to stop the perpetrating employees from misappropriating company trade secrets.[93] Beyond the agreements, the only employer that apparently took anything close to a preventative step was RLI, which used a blocking program to prevent personal cloud use.[94] However, even that step proved inadequate as the employee easily circumvented the software filter by using a previously unknown cloud application.[95]

[30]     Just as in Prime Pay, none of the employers appears to have established a process to detect the possible use of personal cloud applications. This is evident from De Simone, as the company did not know that its chief executive used Dropbox to steal its corporate records.[96] That no such process was in place in RLI is confirmed by the company’s initial offering of severance pay to Banks.[97] The Frisco employer only began its search of Bledsoe’s computer activity after she carelessly suggested she knew where the “bodies were buried.”[98] In Toyota Industrial, no efforts were made either to examine Land’s computer activity or to verify his next work destination after he tendered his resignation.[99] Indeed, Toyota allowed Land to work for another two weeks at the company before his termination date.[100]

[31]     With employees now regularly using consumer clouds in connection with their work responsibilities, organizations must be prepared to counteract their potential negative effects. As set forth in Part III, companies should develop proactive measures to address employee use of cloud applications and to mitigate any resulting harm.


[32]     Despite the complexities that personal clouds now present for many organizations, they are not insurmountable. Enterprises can generally manage potential problems through a proactive, common sense approach to information governance. In this Part, I discuss some of the key aspects of an information governance program that can help address the challenges associated with employee use of personal cloud applications.

[33]     A prefatory step that organizations can take in this regard is to create a data map identifying the locations—both on and off the corporate network—where their information resides.[101] While a data map is useful for both information retention and litigation purposes, it is essential for controlling ingress and egress to proprietary information—precisely the data endangered by personal cloud applications.[102] If a company cannot identify the precise areas where it has stored its trade secrets and other sensitive materials, it becomes difficult to establish that it used “reasonable steps” to safeguard that information.[103] In contrast, a current and accurate data map better enables organizations to reasonably account for proprietary records, along with other indispensable business information.[104] Once the data map is in place, organizations can then proceed to develop policies that reasonably ensure the protection of corporate data.[105]

[34]     Those policies should include actionable protocols that address employee use of personal cloud applications.[106] Those protocols should clearly delineate whether personal clouds are permitted and if so, what constitutes an authorized BYOC account.[107] Whether an enterprise chooses to ban the use of personal clouds or to adopt a BYOC-friendly environment, the policy should include audit and enforcement mechanisms to gauge policy observance.[108] At a minimum, those mechanisms ought to include the right to monitor, access, and disable employee use of personal clouds.[109] Related mechanisms will also be required for those organizations that proscribe BYOC use since employees will likely circumvent such a policy.[110] For example, blocking programs like the one used in RLI, while not foolproof, are a practicable first step to preventing some personal cloud use.[111]

[35]     In a BYOC ecosystem, applicable protocols should additionally describe what company data can or cannot be transferred to the cloud.[112] Organizations should also require the disclosure of user login credentials for approved cloud applications to ensure appropriate policy compliance.[113] Upon an employee’s termination, approved BYOC accounts should either be disabled or the company should verify that company data previously maintained in the account has been either returned or destroyed.[114]

[36]     In like manner, non-BYOC organizations should consider examining terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds.[115] However, such a step may not be practicable for many organizations that lack the resources for a thorough review of every employee device. If a comprehensive sweep is cost prohibitive, organizations should consider conducting a review of those employees whose possible disclosure of corporate information carries the greatest risk to the enterprise.[116] The extent to which a company carries out this step likely depends on the role of the terminated employees, their position in the company, and the nature of the information to which they were privy.[117] Despite the expense of this procedure, such a step would likely have obviated much of the litigation that ensued in Selectica, Novatus, Toyota Industrial, RLI, and Frisco Medical.


[37]     The challenges with personal cloud applications need not be an intractable problem. Following industry best practices like those suggested in Part III should help organizations address many of the troubles associated with approved BYOC accounts. They should also mitigate the harm created by stealth cloud use that may go undetected. While certainly not an elixir, adopting these practices should help companies avoid many of the worst problems associated with personal cloud use in the enterprise.




*Consultant, Discovery and Information Governance, Driven, Inc.; J.D., Santa Clara University School of Law, 1999; B.A., Political Science, Brigham Young University, 1994.


[1] See Joe McKendrick, 5 Benefits of Cloud Computing You Aren’t Likely to See in a Sales Brochure, Forbes (July 21, 2013, 9:04 PM),, archived at

 [2] See Edwin Schouten, 5 Cloud Business Benefits, Wired (Oct. 5, 2012),, archived at

 [3] See Jim Lynch, What Are the Benefits and Drawbacks of Cloud Computing?, TechSoup (Feb. 6, 2015),, archived at

[4] See id.

[5] See Nicholas Lee, Is Your Corporate Data Appearing on Personal Clouds?, CloudTweaks (Sept. 9, 2015),, archived at

[6] See Zack Christenson, Benefits of Cloud Computing, American Consumer Institute (Sept. 30, 2013),, archived at

[7] See Bill Kleyman, What Personal Cloud Means for Consumers and Enterprises, Data Center Knowledge (Sept. 10, 2013),, archived at

[8] See Louis Columbus, How Enterprises Are Capitalizing on the Consumerization of IT, Forbes (Mar. 24, 2014, 06:43 AM),, archived at (“79% [of surveyed enterprises] report that file sharing and collaboration tools including Box, Egnyte, Google Apps, Microsoft Office 365, GroupLogic, ShareFile and others are pervasively used today. 49% are with IT approval and 30% are not.”).

[9] See Andrew Froehlich, The Buck Stops at BYOC, InformationWeek (Jan. 29, 2014, 12:00 PM),, archived at (“Employees are comfortable using services such as DropBox, Google Apps, and Carbonite at home. Because of that comfort level, they naturally want to use those same tools in their business life.”); Intermarine, L.L.C. v. Spliethoff Bevrachtingskantoor, B.V., No. 15-mc-80211-MEJ, 2015 U.S. Dist. LEXIS 112689, at *2 (N.D. Cal. Aug. 20, 2015) (“Dropbox provides a document storage and sharing service through which users can collectively save, share, and edit documents stored ‘in the cloud.’”).

[10] See Froehlich, supra note 9.

[11] See id. (“Lack of IT management and control will quickly put an end to BYOC, even though it has the potential to provide real benefits.”).

[12] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *22–24, *29 (E.D. Tex. Nov. 30, 2015) (discussing defendants’ extensive use of Dropbox to remove vast amounts of proprietary information belonging to plaintiff).

[13] See Susan Miller, New Risk on the Block: Bring Your Own Cloud, GCN (May 23, 2013), archived at

[14] See Robert L. Mitchell, IT’s New Concern: The Personal Cloud, ComputerWorld (May 20, 2013, 7:00 AM),–the-personal-cloud.html, archived at

[15] See discussion infra Part II.

[16] See Froehlich, supra note 9.

[17] See id. (“BYOC presents a nightmare scenario because data can be copied, duplicated, and ultimately lost or stolen via the various cloud services.”).

[18] See Columbus, supra note 8.

[19] See Victoria Barret, Dropbox: The Inside Story of Tech’s Hottest Startup, Forbes (Oct. 18, 2011, 8:30 AM),, archived at; Jonathan Strickland, How Cloud Storage Works, (Apr. 30, 2008),, archived at (Web-based e-mail providers like Yahoo! and Hotmail have been providing their users with a quasi-cloud computing environment through e-mail since the 1990s).

[20] See, e.g., Animators at Law, Inc. v. Capital Legal Solutions, L.L.C., 786 F. Supp. 2d 1114, 1117–18 (E.D. Va. 2011) (explaining that plaintiff’s former employees accessed company files stored in a company Dropbox account through login credentials that plaintiff failed to disable after the employees left the company).

[21] See Columbus, supra note 8.

[22] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *2, *4–7 (D. Mass. May 14, 2014) (enjoining defendant from using proprietary information that he had taken from his prior employer and which he stored both during and after his employment on Google Drive).

[23] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460, at *2 (M.D. Fla. Mar. 12, 2015).

[24] See Columbus, supra note 8.

[25] See Froehlich, supra note 9.

[26] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7–9 (observing that defendants’ former employer began investigating the possibility that defendants took proprietary company data in violation of their non-disclosure agreements only after one of the defendants mentioned that “she knew where too many bodies were buried.”).

[27] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *5–6, *9 (S.D. Ind. July 21, 2014) (explaining that defendant uploaded confidential information from his former employer to his Google Drive account before going to work for an industry competitor).

[28] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460 (M.D. Fla. Mar. 12, 2015).

[29] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[30] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *4.

[31] See id. at *2.

[32] See id. at *1.

[33] See id. at *3.

[34] See id.

[35] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2–3.

[36] Id. at *2 (emphasis added).

[37] See id. at *2.

[38] See id. at *2–3.

[39] See id. at *17.

[40] See Selectica, Inc., 2015 U.S. Dist LEXIS 30460, at *2–3.

[41] See id.

[42] See id.

[43] See Tom Nolle, Bring Your Own Cloud: The Movement Companies Can’t and Shouldn’t Stop, TechTarget (Apr. 8, 2014),, archived at

[44] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[45] See id. at *2.

[46] See id. at *4–5.

[47] See id. at *2, *9–11.

[48] Id. at *8–9.

[49] See PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *3.

[50] See id. at *11–13.

[51] See id. at *12.

[52] See id. at *11.

[53] See id.

[54] PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *11.

[55] See id. at *64, 66.

[56] See id. at *106–08.

[57] See id. at *34–36, *100–01.

[58] See Lee, supra note 5.

[59] See Danny Palmer, CIOs Worried Cloud Computing and Shadow IT Creating Security Risks, Computing (July 27, 2015),, archived at

[60] See Thoran Rodrigues, Cloud Computing and the Dangers of Shadow IT, TechRepublic (Aug. 16, 2013, 12:48 PM),, archived at

[61] See, e.g., Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3–4, *8–9 (E.D. Tex. Nov. 30, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *10, *13–14 (S.D. Ind. July 21, 2014).

[62] See Rodrigues, supra note 60.

[63] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *3–7.

[64] See id. at *5.

[65] See id. at *5–7.

[66] See id. at *6–8.

[67] See id. at *6–7.

[68] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *8.

[69] See id. at *15–16, *22.

[70] See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, (N.D. Ga. Jan. 27, 2015).

[71] See id at *2; see generally Jottacloud,, archived at (last visited Mar. 17, 2016) (“Jottacloud is a cloud storage service for individuals and companies that lets you backup, synchronize, store and share files from all your devices. The uploaded data is protected by one of the worlds [sic] strongest privacy laws, with all your data stored in Norway.”).

[72] RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *2.

[73] See id.

[74] See id. at *1–2.

[75] Id. at *2.

[76] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT) (“Not aware of Defendant’s misappropriation of RLI’s Customer Claim Files and Proprietary Information, RLI offered Defendant a severance package upon her termination. Defendant had not yet accepted the offer of a severance package when RLI discovered the misappropriation. Based on Defendant’s misconduct, RLI revoked its offer of severance to Defendant by letter to Defendant.”).

[77] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915 (E.D. Tex. Nov. 30, 2015).

[78] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *2 (D. Md. Sept. 23, 2015).

[79] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *8.

[80] See id. at *12.

[81] Id. at *11.

[82] Id. at *7.

[83] See id. at *7–9.

[84] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[85] See id. at *1–2.

[86] See id. at *48–49.

[87] See id. at *18.

[88] See id. at *2.

[89] See discussion infra Part III.

[90] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3 (E.D. Tex. Nov. 30, 2015); RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2, *6 (N.D. Ga. Jan. 27, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *4–6 (S.D. Ind. July 21, 2014).

[91] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *40–41 (granting Frisco summary judgment against Bledsoe on its trade secret claims); Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *21–22 (enjoining Land from working for his new employer).

[92] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *2 (stating that beyond the problems with industry competitors, such unauthorized disclosures could violate regulatory schemes such as the Health Insurance Portability and Accountability Act, or HIPAA).

[93] See David S. Levine, School Boy’s Tricks: Reasonable Cybersecurity and the Panic of Law Creation, 72 Wash. & Lee L. Rev. 323, 334–35 (2015) (observing that many companies prefer to litigate rather than protect their trade secrets).

[94] See RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[95] See id. at *2.

[96] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[97] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT).

[98] Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7 (E.D. Tex. Nov. 30, 2015).

[99] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *6 (S.D. Ind. July 21, 2014).

[100] See id.

[101] See David Wetmore & Scott Clary, To Map or Not to Map: Strategies for Classifying Sources of ESI, Information Management (2009),, archived at

[102] See R. Mark Halligan, Protecting U.S. Trade Secret Assets in the 21st Century, 6 Landslide, No. 1, Sept.–Oct. 2013, at 4,, archived at (urging companies to adopt “mapping” approaches to better safeguard trade secrets); see also Sterling Miller, Ten Things: Trade Secrets and Protecting Your Company, Corporate Law Advisory (Apr. 27, 2015),, archived at [hereinafter Miller] (“You need an inventory of all of the company’s trade secrets . . . [a]n inventory helps you identify what steps are needed to keep those specific items confidential and protected and be clear with the business what items are not considered trade secrets . . .”).

[103] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *10, *12–13 (D. Mass. May 14, 2014) (finding the employer used “reasonable means to protect its trade secrets” despite contradictory evidence suggesting an employee openly used a personal Google Drive account to access and store confidential company information).

[104] See Halligan, supra note 102, at 4.

[105] See, e.g., Philip J. Favro, Getting Serious: Why Companies Must Adopt Information Governance Measures to Prepare for the Upcoming Changes to the Federal Rules of Civil Procedure, 20 Rich. J.L. & Tech. 5, 25–35 (2014),, archived at (explaining that a comprehensive information governance plan would take various factors into consideration. They would likely include the length of pertinent retention periods, the ability to preserve data for legal matters, applicable data protection laws, cybersecurity initiatives, and use policies for smartphones and other mobile devices).

[106] See Philip Favro, Do You Know Your BYOCs?, Legal Tech. News (July 13, 2015),, archived at

[107] See Miller, supra note 102.

[108] See Sophie Vanhegan, Legal Guidance: Protecting Company Information in the Cloud-Era, HRZone (Apr. 23, 2013),, archived at

[109] See id. (observing that corporate policies must “allow company monitoring of employees’ IT activity and work email accounts . . .”).

[110] See id. (“Employers may also wish to consider . . . implementing IT measures to prohibit uploading of documents onto web-based applications.”); see also RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2 (N.D. Ga. Jan. 27, 2015).

[111] See, e.g., RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[112] See Vanhegan, supra note 108 (explaining that policies addressing personal cloud usage should “expressly prohibit the removal of company documents and information outside the company’s systems.”).

[113] See Esther Schindler, Protecting Corporate Data…When an Employee Leaves, Druva Blog (Oct. 13, 2014),, archived at

[114] See Rachel Holdgrafer, Fix Insider Threat with Data Loss Prevention, Cloud Security Alliance (Dec. 10, 2015),, archived at

[115] See Miller, supra note 102 (“Departing employees constitute one of your biggest risks for trade-secret theft.”).

[116] See id.

 [117] See id.; see also Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *5 (E.D. Tex. Nov. 30, 2015).

Sweeten the Deal: Transfer of Federal Spectrum Through Overlay Licenses

Skorup Publication Version PDFpdf_icon

Cite as: Brent Skorup, Sweeten the Deal: Transfer of Federal Spectrum Through Overlay Licenses, 22 Rich. J.L. & Tech. 5 (2016),

Brent Skorup*

I. Introduction

[1]       The explosion in consumer demand for wireless services that began in the 1990s caught policymakers off guard. Demand for wireless services has only accelerated, as new cellular wireless technologies—such as broadband Internet via 3G and 4G LTE—permit services such as web browsing, video streaming, the Internet of Things, and gaming, necessitating a steady influx of spectrum as an input. However, the traditional Federal Communications Commission (FCC) and National Telecommunications and Information Administration (NTIA) spectrum assignment processes, to nonfederal and federal users respectively, strained to accommodate new demands and cutting-edge services. In traditional assignment, still widely used today, the rights to free use of certain frequencies are awarded by the FCC and NTIA to deserving users.[1] Figuring out who is deserving of frequencies in the absence of the price system, however, is a time-consuming and politicized process. Rent-seeking and economic waste at the FCC became too obvious to ignore in the 1990s, so regulators today increasingly rely on market allocation of nonfederal spectrum through spectrum auctions.[2]

[2]       The new challenge is transferring spectrum from inefficient legacy operators to bandwidth-hungry entrants. Almost no “greenfield” spectrum is left—commercial and government users occupy nearly all valuable spectrum—so policymakers are scouring existing wireless systems for surplus spectrum that can be auctioned. In the past 25 years, various incumbent users, including television broadcasters,[3] public safety agencies,[4] aeronautical systems,[5] and utility companies,[6] have seen their spectrum transferred to new licensees and repurposed for consumer uses such as mobile broadband. Not only are inefficient commercial technologies locked in because of decades of top-down spectrum assignment, but also the growing consensus among experts is that spectrum assigned to federal agencies is lightly used and would be better redeployed for consumer use.[7]

[3]       Slow repurposing of federal spectrum is a hidden public policy crisis with tremendous economic costs. Delayed reassignment of spectrum to efficient use is costly to society,[8] so streamlining the process of quickly transferring swaths of spectrum between users is a policy goal that would yield significant economic benefits. Economists estimate that spectrum in the hands of inefficient incumbents represents hundreds of billions of dollars of lost consumer surplus annually.[9] Delayed deployment of new wireless services results chiefly because few incumbents offer to relinquish their valuable spectrum. Incumbents generally have two undesirable options: either (a) relocate to another band and purchase new, more efficient equipment or (b) mothball operations completely.

[4]       The spectrum shortage is not a market failure; rather, it is a regulatory failure that prevents spectrum from being quickly transferred to its highest-valued uses. First, although some commercial users pay market rates for spectrum through auctions and secondary markets, federal agencies do not pay market rates.[10] The negligible annual fee agencies pay for their frequencies means spectrum is undervalued and agencies have little incentive to economize. Second, because federal agencies cannot sell or transfer their spectrum to commercial users, the resources are locked into inefficient federal systems.[11]

[5]       To paraphrase FCC Commissioner Jessica Rosenworcel, federal agencies need “carrots and sticks” for efficient use.[12] In the next five to ten years, particularly with the hardest-to-reclaim spectrum (such as that of the Department of Defense), a “carrot” may be required. One “carrot” proposal would encourage efficient trades by giving agencies greater rights to the spectrum they possess—a system of transferable spectrum licenses[13]—so that agencies can trade and sell spectrum to commercial users and retain some of the proceeds.

 [6]       Commissioner Rosenworcel proposed that to affect these transactions and to channel spectrum to its highest-valued uses, the FCC and NTIA could auction off “overlay” licenses to commercial users.[14] Overlay licenses here mean flexible-use licenses to use a particular band occupied by another licensee. Overlay licenses grant auction winners (1) primary rights to any unused spectrum in the band, (2) secondary rights to spectrum in the band that is being used by an incumbent, and (3) exclusive rights to bargain with existing users occupying portions of the band.[15] These licenses can be accompanied by a deadline for incumbent users to move out of the band.[16] Before that deadline, overlay licensees must protect existing users in the band, but they also reap rewards (such as faster deployment of 4G LTE services) if they can convince the incumbents to move or repack to another band.

[7]       Purchasing an overlay license is akin to purchasing a city block of real property that has a few tenants with unexpired leases. The existing tenants have a superior possessory right to occupy the property, but they may willingly abandon the property for a high-enough cash payment or trade. The benefit of overlay licenses is that they create residual claimants and encourage voluntary settlements between the incumbent user or users—in this case, a federal agency—and the overlay auction winner. The FCC previously executed successful overlay auctions on the nonfederal side, and Rosenworcel called such auctions an “elegant solution” for a band encumbered by federal users.[17]

[8]       There are several policy alternatives for repurposing federal spectrum. A White House–commissioned study focuses on the deficiencies of these proposals, but largely avoids comparative institutional analysis.[18] For example, the study notes the overlay auction process can be “extremely slow and cumbersome.”[19] The analysis cannot end there, however. The important questions to be answered include (1) are overlays slow and cumbersome compared to the available alternatives and (2) which process is more likely to improve social welfare?

[9]       Economist Ronald Coase pointed out that a policy should (as much as possible) be compared with other real-world policy alternatives and their economic effects.[20] Here, as in many debates, all available policy choices are costly. Regulators must consider how their rules influence relocation decisions relative to other real-world alternatives. In this paper, I make the case that private ordering through overlay auctions performs admirably when compared to the regulation-intensive spectrum-sharing regime recommended in the President’s Council of Advisors on Science and Technology (PCAST) report.[21] By examining how overlay auctions and sharing techniques have worked in practice, regulators have a better understanding of the costs and benefits associated with spectrum policy decisions.[22]

II. Background

[10]     Command-and-control spectrum allocation methods prevailed at the FCC and NTIA for decades, drawing comparisons to the former Soviet Union’s State Planning Committee, known as Gosplan, “which allocated scarce resources by administrative fiat among factories and other producers in the Soviet economy.”[23] Economists such as Ronald Coase pointed out during this era that spectrum has many attributes of real property, and that it might be more efficiently used by private users who (1) internalize the benefits and costs of deploying the input and (2) can sell it to parties who value it more.[24] Market-based spectrum reform—if not always practiced—essentially won the day both on the commercial side and at the FCC since the early 1990s. Auctions are held for spectrum, secondary markets permit license transfers to profit-maximizing firms, and the FCC generally avoids prescribing which wireless services must be provided. Therefore, scholars are increasingly focused on injecting market reform into the reordering of federal spectrum,[25] which the NTIA assigns to agencies through command and control.

[11]     The 3,200 MHz segment of spectrum spanning 300 MHz to 3,500 MHz is in high demand for both government and commercial users. This range of frequencies, or similar approximations to it, represents the so-called “beachfront spectrum” because it has optimal propagation characteristics for many popular wireless services.[26] Lower frequencies in this range permit transmissions over long distances, whereas higher frequencies transmit shorter distances, but have a higher capacity for transmitting things like web data and streaming video. National mobile broadband carriers—the primary purchasers of available spectrum—such as Sprint and AT&T Mobility take a diversified approach. They acquire both low and high bands so that they can provide both good regional coverage (via low bands) and localized high capacity (via high bands).

[12]     NTIA manages federal spectrum, and it estimated in 2012 that federal operations use about 40 percent of the in-demand spectrum.[27] Of the 3,200 MHz of beachfront spectrum, NTIA is currently analyzing close to 1,000 MHz to either share with or transfer to commercial users.[28] To that end, in late 2014, the FCC auctioned off federal spectrum in the AWS-3 auction.[29] The biggest bidders included AT&T Mobility, Verizon Wireless, Dish Network, and T-Mobile.[30] The 50 MHz band of paired spectrum (25 MHz of federal spectrum was paired with another nonfederal 25 MHz block) raised over $40 billion.[31] Several empirical studies show that the annual consumer surplus derived from wireless broadband approximates the auction value of the underlying spectrum.[32] Therefore, the $40 billion paired block of AWS-3 spectrum (when deployed) will provide about $40 billion worth of consumer surplus annually.

[13]     Federal agencies are market participants for many indispensable inputs but not, anomalously, for spectrum. Agencies compete with private firms for supply of most inputs, such as labor, real estate, electricity, automotive fleets, and office supplies. Spectrum, however, is given to federal agencies very cheaply, and underused or excess spectrum cannot be sold to commercial operators.[33] Agency spectrum is removed from market processes, and agencies have little economic incentive to use or manage spectrum efficiently.[34] With little sense of the opportunity costs of the spectrum they use, agencies are largely exempt from economic pressures to use more efficient radios, outsource wireless services to commercial operators, or substitute wireless communications with wired communications.

[14]     Market mechanisms for repurposing federal spectrum are currently unavailable, so members of Congress and the executive branch rely mostly on scrutiny from government audits and congressional hearings, which have limited effectiveness.[35] Policymakers understand the urgency, but the Obama administration’s June 2013 memorandum to federal agencies, like the PCAST report that informed the memorandum, does little about the underlying problem.[36] On the issue of efficient use of federal spectrum, the memorandum merely directs agencies to determine what spectrum could potentially be made available for sharing or clearing and requests that agencies “use the minimum spectrum reasonably necessary to most effectively meet mission requirements.”[37]

[15]     These sorts of requests have been around for decades. The problem is not that a president has not asked for efficient use forcefully enough; rather, the problem is that federal agencies face few economic tradeoffs.[38] Agencies have acceded—slowly—to congressional mandates to clear spectrum for auction. However, agencies are increasingly resistant to relocating their operations.[39] For this reason, the White House is contemplating several spectrum-clearing and spectrum-sharing methods, though no alternative has emerged as the consensus.[40]

III. Rival Approaches

[16]     Repurposing federal spectrum is a pressing economic problem that has received increasing attention. Several solutions have been proposed. A 2014 study commissioned by the White House found, every federal spectrum-repurposing proposal, including overlays, faces implementation challenges.[41] Comparisons between policies are therefore necessary for informed policymaking. Below, the PCAST dynamic sharing proposal is analyzed and compared to recent overlay auctions and the clearing of federal users.

A.    PCAST’s Dynamic Sharing Proposal

[17]     The political difficulties in transferring a valuable resource from one group (federal agencies) to another (commercial wireless operators and consumer device makers) guided the PCAST recommendation to do away with traditional clearing and auctioning procedures such as overlays.[42] Instead, PCAST recommended simply changing the nature of the obligations of spectrum users—a do-no-harm standard—and relying on the future advancement of technologies that enable dynamic spectrum sharing.[43] With dynamic sharing, commercial devices such as smartphones, tablets, and small cells detect and avoid—possibly in real time—interference with federal systems, such as radar and video surveillance, that use the same frequencies at the same time in the same geographic area. The benefit is that dynamic sharing eliminates the need to clear resistant federal users.

[18]     The PCAST recommendations are modeled on the FCC’s TV white spaces proceeding.[44] That permitted unlicensed devices and cognitive radios in the unused “white spaces” that comprise about 240 MHz of the 294 MHz allocated to television broadcasters.[45] Like federal users, television broadcasters are legacy users that, generally speaking, cannot sell their spectrum to mobile carriers.[46] After a 2002 staff recommendation for this type of spectrum sharing, the FCC issued a 2008 order allocating spectrum for white space devices’ use. The first device was approved in 2012.[47] White space devices must protect incumbent broadcasters but can transmit and receive signals in geographic areas and on frequencies that do not contain television broadcasters.

[19]     The device specifications formulated by the FCC have strict power limits and are quite complex because of interference concerns.[48] White space-sharing techniques rely on accurate geolocation information; yet those crucial databases of registered devices contain hundreds of errors.[49] Seven years after the 2008 order, white space–sharing technology has been used only marginally. As of this writing, only about 600 devices are in use,[50] providing data services (e.g., connecting municipal water-monitoring systems) and Wi-Fi-like Internet access (at a handful of libraries and schools).[51]

            B. Auction of Overlay Licenses

[20]     An alternative proposal for spectrum reform (resembling Commissioner Rosenworcel’s proposal) is to auction overlay licenses which permit the commercial use of spectrum currently encumbered by federal users.[52] These licenses are called overlays because they geographically surround an existing spectrum assignment. Overlays have enabled the relocation and clearing of state government systems and public safety systems from a few hundred MHz of spectrum. Overlays have not been used for federal spectrum because agencies cannot directly receive consideration from commercial users.[53]

[21]     Overlay licenses grant auction winners (1) primary rights to any unused spectrum in the band, (2) secondary rights to spectrum in the band that is being used by an incumbent, and (3) exclusive rights to bargain directly with existing users occupying portions of the band. In the case of auctioning spectrum occupied by federal users, the winning overlay licensee is required to protect the incumbent federal users but can negotiate directly with them. Overlay licensees might induce incumbents to use more efficient devices (thereby freeing up spectrum for new uses), to tolerate certain amounts of interference, to move to a different band entirely, or to cease operations altogether.[54]

[22]     The policy innovation lies in combining transferable federal spectrum rights with the overlay auction framework. These rights would give agencies the ability to bargain with potential suitors and to be directly compensated for vacating or otherwise reducing their use of a band. Federal agencies are not profit-maximizing firms, but they do face budget constraints, and tradeoffs are more transparent when agencies are faced with priced assets. If permitted, agencies might improve their input mix by selling unused assets and reinvesting the revenue. For instance (as described later) several agencies have transferable real property rights. That is, they have the authority to lease and sell federal real estate and buildings to private developers and to retain some of the proceeds.[55] Transferable spectrum rights make agencies residual claimants in a similar fashion. Overlay auctions give regulators a process to induce spectrum incumbents to sell their underused assets quickly.

[23]     Although the compensation should be negotiated, successful overlay auctions have featured a command-and-control element. As explained infra, it is likely necessary for federal incumbents to have a deadline to vacate their bands.[56]

                        1. Case Study of the PCS Auction

[24]     Overlays have been used a few times to repurpose encumbered nonfederal spectrum, including the major auctions like the PCS auction and AWS-1 auction.[57] Congress first authorized the FCC to conduct spectrum auctions in 1993 to avoid wasteful command-and-control prescriptions and to permit more spectrum for the nascent cellular phone industry.[58] With that authority, the FCC used overlay auctions for the new Broadband Personal Communications Service (PCS), a type of cellular phone technology, in the mid-1990s.[59] The FCC auctioned 120 MHz of encumbered beachfront spectrum, and cellular phone companies were the major bidders. Incumbent users were mostly public utilities, railroads, and local governments operating thousands of microwave communication links, but they also included state public safety operations such as firefighters, police, and other emergency responders.[60] The auction and clearing proposals faced resistance and, echoing today’s objections from federal agencies, public safety incumbents warned that the FCC’s auction would disrupt their communications reliability and could “have a devastating effect on . . . millions of inhabitants” relying on their services.[61] Nevertheless, the auctions for this encumbered spectrum commenced in 1995.[62] The auction winners could deploy services where there were no incumbents and had secondary rights to the spectrum where incumbents operated.

[25]     To relocate those incumbents and to free up spectrum for PCS, the FCC mandated that the PCS license winners pay the incumbents’ relocation costs. But the FCC also did something novel: it gave the incumbent users transferable spectrum rights. That is, the FCC permitted the incumbent users to bargain with the overlay auction winners and, in exchange for an additional payment or in-kind benefit, move before a relocation deadline.[63]

 [26]     The FCC gave non–public safety users a two-year voluntary negotiation period during which they were not required to negotiate with the PCS overlay winners.[64] This period was followed by a one-year mandatory negotiation period during which the PCS licensee and the incumbent were required to bargain in good faith.[65] After that deadline—three years from commencement—PCS licensees could force the incumbent to move, while compensating it for relocation costs. Public safety users had a three-year voluntary negotiation period followed by a two-year mandatory negotiation period.[66]

[27]     This PCS auction grossed $7.7 billion in bids.[67] There are no public records of the payments made for early relocation, but good-faith negotiations were reportedly the norm.[68] By January 1998, over half of the microwave links had been moved out of the band,[69] and the spectrum was deployed for cellular service. Most incumbent microwave links were upgraded to work on new frequencies, but about 10% shifted to wired connections or ceased operation.[70] Today PCS spectrum supplies about 20% of all licensed spectrum used for mobile broadband and is a major part of each national carrier’s spectrum holdings.[71] Looking back, the concerns about widespread public safety communications disruption never materialized.

2. Case Study of AWS-1

[28]     The 2006 Advanced Wireless Services (AWS-1) auction was an auction of 90 MHz of paired (45 MHz) spectrum that contained nonfederal and federal users.[72] The nonfederal spectrum was auctioned off via overlay licenses; the federal spectrum wasn’t. Post auction, 12 federal agencies in the 1.7 GHz band[73] relocated to other bands and several nonfederal users in the 2.1 GHz band relocated. The nonfederal users included various state and commercial microwave systems, as well as Broadband Radio Service systems—which provided services like two-way broadband and public safety communications.[74]

[29]     The federal users had a clearing deadline with no direct compensation from winning bidders. However, federal users received some indirect compensation. AWS-1 was the first band auctioned under the 2004 Commercial Spectrum Enhancement Act, a law giving federal agencies a limited share of pooled auction proceeds—compensation for their relocation costs.[75] The 45 MHz occupied by nonfederal users, on the other hand, was assigned via an overlay license. The FCC permitted the nonfederal incumbents—much like the incumbents in the PCS bands—to enter into private cost-sharing agreements with the new AWS licensees.[76] Despite the encumbrances, the 1.7 GHz band grossed almost $7 billion.[77] Like the agreements between overlay licensees and incumbents in the PCS auction, the post-auction cost-sharing agreements relocating the nonfederal incumbents in the 2.1 GHz band are unavailable.

[30]     The federal users did not have overlay licensees to bargain with and merely faced relocation deadlines. NTIA tracked the relocation costs of federal systems in the 1.7 GHz band so that agencies could be reimbursed through the relocation fund created by the Commercial Spectrum Enhancement Act.[78] The Government Accountability Office (GAO) estimated that the encumbered 1.7 GHz band grossed almost $7 billion.[79] Relocation costs of federal users totaled around $1.5 billion[80] ($1 billion less than a Congressional Budget Office estimate but exceeding NTIA’s original estimates by about 50 percent),[81] for net revenue of $5.5 billion.

[31]     Once the auction was completed, even though little financial incentive was provided beyond the benefit of upgraded wireless systems, the clearing of agencies happened fairly rapidly. Presumably, overlay licensees paying agencies to relocate would be even more effective. By December 2008, two years after the auction, dozens of federal wireless systems had been moved from the 1.7 GHz band, and licensees had deployed mobile broadband in some cities.[82] Four agencies—the Department of the Treasury, the Department of Homeland Security, the US Postal Service, and the Department of Housing and Urban Development—had vacated the band completely.[83] By late 2010, four years after the completion of the auction, seven agencies representing 81% of eligible systems had been relocated.[84] By 2011, 95% of systems were relocated,[85] and by 2012, six years after the auction, NTIA reported that all seven agencies had ceased operations in the band.[86]

[32]     Representatives from the wireless industry expressed publicly that they were satisfied with the relocation process, but some systems and agencies were more difficult.[87] Representatives from MetroPCS, the fourth-biggest bidder in the auction, with licenses mostly in the West and the Northeast, stated that the relocation process “worked relatively well.”[88] Carriers’ discussions with agencies about information like channel bandwidth, antenna power, and height for each system to be relocated expedited the process.[89] Steve Sharkey, T-Mobile’s chief of engineering and technology policy, said that these technical discussions with federal users “resulted in T-Mobile being able to deploy services years earlier than originally anticipated.”[90]

[33]     Clearing federal agencies and allowing nonfederal incumbents to bargain with the overlay licensees allowed productive use of much of the encumbered AWS-1 bands within a few years. T-Mobile was the top bidder, paying over $4 billion for AWS-1 licenses covering nearly the entire United States,[91] and illustrating the efficacy of overlays and clearing. A mere two years after the auction, T-Mobile—after the clearing of federal users and negotiating with nonfederal incumbents—launched 3G service in 27 markets covering over 100 million people.[92] This included the lucrative San Francisco[93] and New York City[94] markets. By 2010, it completed most of its nationwide mobile broadband network using AWS-1 spectrum. Auction winners like MetroPCS and Leap Wireless covered millions more after clearing their AWS-1 spectrum.[95] Today that 90 MHz of AWS-1 spectrum, now cleared of incumbents, supplies about 15% of licensed mobile broadband spectrum and is used by more than 200 million Americans through technologies such as 4G LTE.[96]

IV. Comparison of Dynamic Sharing and Overlay Auctions

[34]     Decades of assigning spectrum to agencies for free has locked valuable frequencies into inefficient wireless uses. Choosing the superior set of policies for repurposing federal spectrum in a timely manner means capturing tens of billions of dollars annually—from consumer welfare gains, industry investment, and jobs—that would otherwise evaporate.[97] The experiences described suggest that clearing and relocating federal systems through a system of overlay auctions yield greater economic benefit than do dynamic sharing proposals like the one contemplated by PCAST.

[35]     Direct comparison of unlicensed dynamic sharing with overlays is difficult because, as mentioned, dynamic sharing technologies do not have widespread deployment. This is a red flag given the substantial costs for every year that implementation is delayed. NTIA has proposed the use of dynamic sharing strategies since at least 1991.[98] But to date these technologies have permitted very little sharing between commercial and government users.[99] The PCAST authors are aware of some of these difficulties and therefore predict that its proposed overhaul of policy would take “perhaps two to three decades.”[100]

[36]     That prediction is a best-case scenario. It would likely take much longer to implement a widespread complex sharing regime. Even if it becomes technically feasible to share spectrum across a wide band of frequencies in real time, the regulatory process either halts or substantially delays inter-organization sharing.[101] The unlicensed sharing approach shifts the tasks of devising certifications and regulating spectrum-sharing etiquette from market actors to regulators.[102] Nearly all wireless operators, including government agencies and commercial licensees, vigorously resist sharing spectrum with other users and technologies. There have been costly episodes of agencies and licensees fiercely objecting to even minute possibilities of interference to their own wireless operations.[103]

[37]     The multitude of federal systems with vastly different performance characteristics—radar, satellite communications, air-to-ground communications, video surveillance, unmanned aircraft systems, to name a few—means that the complex challenges for consumer device makers are multiplied. No amount of engineering ingenuity can tell regulators what the “correct” probability of harmful radio interference is. In sharing disputes, the incumbents invariably commission technical analyses that highlight remote, worst-case interference scenarios. The entrants respond with their own studies showing “typical” scenarios in which their systems pose little interference threat to existing users. Regulators are caught in the middle of a tug-of-war of competing technical papers and have no propensity to make a decision that optimizes wireless output between the systems. Even after a decision is made to allow shared use, a federal system technology upgrade or a change in federal supplier could simply restart the process anew (at best) or stymie necessary and life-saving agency upgrades (at worst).

[38]     Incumbents present delays and resistance toward any scheme. However, overlays and clearing have an established history of delivering spectrum to private markets, where millions of subscribers can use it productively in a few years’ time. It is too early to say, as the PCAST report intimates, that clearing federal users is impractical.[104] As the PCS and AWS-1 examples show, much of the spectrum cleared by overlay auctions and clearing deadlines is typically redeployed commercially in under five years.[105]

[39]     By giving agencies greater rights to their spectrum and a mechanism—overlay auctions—that allows the agencies to transfer those rights and to retain revenues, federal spectrum could be repurposed for consumer uses. Overlay auctions have been completed before and represent an off-the-shelf technique that FCC staff members have experience implementing.[106] Overlays present great flexibility in auction design because licenses can be nationwide, regional, or can cover narrow geographic locations. Importantly, overlays rationalize band usage by creating residual claimants who internalize the gain from spectrum investments.[107] When an overlay licensee moves an agency to another band or medium, its spectrum is more valuable. It is this increase in value that gives the parties room to negotiate.

[40]     After 25 years of forecasts that dynamic sharing is right around the corner, dynamic sharing is still largely in the research and development stage.[108] Dynamic sharing depends on complex cognitive radios or central database look-up functions that may never be deployed en masse. Despite access to some 240 MHz of prime spectrum, only 600 or so unlicensed devices in the market use TV white spaces, utilizing a crude sharing technology.[109] I am not aware of any reliable estimates, but the total investment in the white space ecosystem seven years after its 2008 allocation likely totals only a few million dollars and attracts only a few thousand users.

[41]     In contrast, clearing incumbents with overlays in similar swaths of spectrum leads to investment and consumer welfare gains orders of magnitude larger, sometimes within months of auction. Hazlett et al. estimated in 2004 that the repurposing of 120 MHz of spectrum for PCS induced over $45 billion of network investment in the five-year period following the auction, from 1994 to 1998.[110] The 220 MHz of spectrum freed by the combined broadband PCS and AWS-1 auctions supplies about one-third of spectrum holdings of mobile carriers,[111] an essential input for an industry that in 2014 had revenues of nearly $188 billion and capital investment of $32 billion.[112]

[42]     Dynamic sharing technology simply will not enable similar economic benefits in the next several years. Given the tremendous opportunity costs of inaction in the interim, waiting for dynamic technology to be widespread is a speculative and costly option relative to clearing alternatives.[113]

V. Final Notes

A. Response to the Counter that Federal Agencies May Not Respond to Financial Incentives

[43]     Some scholars argue that giving agencies self-funding ability through transferable spectrum rights would be ineffective.[114] They counter that any gain in revenue from spectrum sales would be viewed by Congress as a windfall and would be offset in subsequent rounds of appropriations, thereby diminishing the incentive of agencies to sell their spectrum.[115]

[44]     The logic is sensible, but existing evidence appears to undermine that theory. Admittedly, the literature on agency self-funding is limited,[116] and literature on the incentive effects from agency self-funding through asset sales is even scarcer. Therefore, predictions about how Congress and agencies will respond to the vestment of additional spectrum rights are largely conjectural. However, existing programs indicate that agencies (1) do not generally believe they will be penalized in the appropriations process for perceived windfalls from asset sales and (2) can be incentivized to relinquish property if they can pocket some of the gains.

[45]     The examples where agencies self-fund indicate that agencies favor such arrangements, provided that they have significant control over distributing the revenue.[117] For instance, GAO analysis of financial regulatory agencies that self-fund through examination fees and the like indicates that self-funded agencies generally prefer self-funding to funding through the appropriations process.[118]

[46]     More to the point, in responding to the notion that Congress will penalize agencies for monetary windfalls provided by asset sales, Dorothy Robyn—who was in an excellent position to view such dynamics while at the General Services Administration and the Department of Defense—concluded in her influential spectrum policy paper, “[t]hat has emphatically not been my experience.”[119] Robyn points out that it was the agencies themselves that lobbied Congress for agency retention of revenue from land sales during a round of painful military base closures.[120] These sales can occasionally be quite large. The Navy, for instance, sold two Marine Corps bases for $850 million[121]—likely substantial enough to receive congressional notice—but there is no evidence the Navy saw decreased appropriations as a result.

[47]     Further, Congress authorizes the secretaries of the military departments to lease underused real property and personal property that the department controls in exchange for cash and in-kind consideration.[122] The military has used that authority to enter into complex leases, called enhanced use leases, which might grant, for example, a 50-year lease of military land to a private developer.[123] A 2011 GAO report noted that there were 17 enhanced use leases in place, with in-kind consideration valued at hundreds of millions of dollars, and dozens more were either under review or in negotiation.[124] On the basis of agency use of these programs, Robyn concluded “the ability to retain the proceeds from the disposal of property is a key motivator for federal agencies.”[125]

[48]     There are risks, such as improper incentives and decreased accountability to Congress and to the president, when agencies self-fund.[126] Self-funding programs should be monitored and perhaps have mandatory sunsets, but there is some real-world evidence that allowing agencies to retain some proceeds of asset sales motivates the types of behaviors intended—namely, disposition of underused public assets into private markets, where the assets can be used more productively.

B. Need for Mandatory Clearing Deadlines for Federal Users after an Overlay Auction

[49]     One lesson from the PCS overlay auction, identified by Cramton, Kwerel, and Williams, was that relocating state government systems was significantly slowed when the agencies were permitted to stay indefinitely.[127] Such delays led the scholars to conclude that, in fact, government agencies may need weaker rights to stay than do nongovernment incumbents “because they [government users] may be too likely to stay when they should terminate or relocate.”[128]

 [50]     Absent a deadline, economically efficient improvements tend to be underproduced or substantially delayed because incumbents have an incentive to reject the bidder’s offers indefinitely.[129] Incumbents know that their consent is required and that they can extract a portion of the producer surplus in excess of their opportunity costs—the so-called holdout problem.[130] This problem is likely exacerbated when public agencies are involved. Further, for an appreciating asset like spectrum, hoarding may be a lucrative strategy.[131]

[51]     The benefit of a deadline to move wireless systems is that negotiations focus on the relocation costs (with a premium paid for speedy relocation) and not on the value to the entrant of clearing the spectrum.[132] Incumbent users thus have an incentive to settle early.[133] In the broadband PCS and AWS-1 auctions involving federal and nonfederal incumbents, deadlines helped make relocations largely successful in encouraging positive-sum settlements.[134]

C. Role of Political Entrepreneurship in Spectrum Reallocation

[52]     Overlay licenses of encumbered federal spectrum would represent uncertain investments with substantial risk discounting, so economic modeling is challenging. Information about many defense and law enforcement systems is difficult to acquire and stymies bargaining between commercial bidders and agencies. Hence, knowledgeable former federal officials will likely need to use their expertise to make deals possible between agencies and commercial bidders.

[53]     Such political entrepreneurship has a storied history in spectrum allocation. In the 1980s and 1990s a former wireless regulator at the FCC, acquired wireless licenses held by taxi and pizza delivery dispatchers.[135] The FCC agreed to waive rules regarding the licenses, and the purchaser aggregated the new, flexible licenses that enabled cellular phone technology.[136] His actions increased the economic value of those fragmented licenses and led to the creation of Nextel, which was one of the nation’s largest mobile phone companies when it was acquired by Sprint.[137]

[54]     Since 2000, following the financial failures of several satellite communications operators, the FCC has waived rules requiring satellite communications in certain bands so that the same spectrum can be used instead for ground-based cellular mobile broadband. In the mid-2000s, though they were less successful at navigating the regulatory issues than was O’Brien, financier Phil Falcone and his business partners acquired spectrum licensed to satellite communications firms SkyTerra and Inmarsat. They devoted billions of dollars to developing a new wireless network.[138] The company, LightSquared, petitioned the government for waivers, and the FCC agreed to loosen its rules to permit traditional mobile phone service in that spectrum.[139] Likewise, in 2011 Dish Network acquired 40 MHz of satellite spectrum through a fire sale purchase of two bankrupt satellite communications companies.[140] The FCC again waived most of its satellite rules and permitted traditional mobile broadband services.

[55]     Finally, most relevantly, in the AWS-1 auction, T-Mobile hired defense experts, including a former general and former director of the Defense Information Systems agency, to assist in negotiating with federal agency heads.[141] Successful political entrepreneurship requires institutional knowledge of federal systems and of the idiosyncratic personalities and hierarchies that may otherwise confound successful transactions.[142] Political entrepreneurship is difficult to identify and to model formally, but it will likely play an important role if agencies are vested with spectrum rights that they can transfer for payment.

VI. Conclusion

[56]     Overlay auctions are one of several tools policymakers should consider for repurposing federal spectrum. There are several plans for approaching the problem of inefficient government use, but all, to various degrees, are time consuming and costly. If overlays and clearing deadlines are time consuming because relocations typically take two to six years, what does that imply for PCAST-style unlicensed dynamic sharing that take decades to fully implement? No other reform proposal has enabled widespread consumer use and economic investment as rapidly as have overlay auctions combined with clearing deadlines. Federal agencies lack some of the incentives that private firms have to use resources efficiently. Nevertheless, when spectrum users have the ability to sell their rights and overlay auctions are used, experience suggests that spectrum can be repurposed from legacy government systems to high-value commercial uses within a few years.


* The author is a research fellow at the Mercatus Center at George Mason University. He has an economics degree from Wheaton College and a law degree from the George Mason University School of Law. He extends thanks to Ted Bolema and two anonymous reviewers for helpful comments on earlier drafts, and special thanks to Thomas Hazlett, whose conversation precipitated this article.


[1] See 47 U.S.C. § 309(a) (2012) (the FCC “shall determine, in the case of each application filed with it . . . whether the public interest, convenience, and necessity will be served by the granting of such application.”); see also Nat’l Telecomms. & Info. Admin., U.S. Dep’t of Commerce, Manual of Regulations and Procedures for Federal Radio Frequency Management 8.1.1 (May 2013, rev. 2014),, archived at (describing NTIA’s spectrum assignment procedures).

[2] See Thomas W. Hazlett, Assigning Property Rights to Radio Spectrum Users: Why Did FCC License Auctions Take 67 Years?, 41 J.L. & Econ. 529, 532–33 (1998).

[3] See Robert M. Rast, The Dawn of Digital TV, IEEE Spectrum (Oct. 3, 2005, 4:18 AM),, archived at (describing the clearing of analog broadcast television systems to allow for the 700 MHz auction).

[4] See infra Part B(1) (describing the PCS auction).

[5] See Gregory L. Rosston, Increasing the Efficiency of Spectrum Allocation, 45 Rev. Indus. Org. 221, 231 (2014).

[6] See infra Part B(1) (describing the PCS auction).

[7] President Barack Obama concurs with this assessment. In June 2010, he issued a memorandum directing the NTIA to identify federal spectrum that can be made available for wireless broadband by 2020. See Unleashing the Wireless Broadband Revolution, 3 C.F.R. 348, 348–49 (2011); see also Thomas M. Lenard, Lawrence J. White & James L. Riso, Increasing Spectrum for Broadband: What Are the Options? 23 (Tech. Pol’y Inst.. Working Paper, 2010),, archived at (“There appears to be a widespread consensus that spectrum in government hands is likely not being used efficiently . . . .”); Jeffrey A. Eisenach, Spectrum Reallocation and the National Broadband Plan, 64 Fed. Comm. L.J. 87, 130 (2011); Harvey J. Levin, The Radio Spectrum Resource, 11 J.L. & Econ. 433, 434 (1968) (“Most other users (like those in public safety and local or federal government radio) are not directly constrained in their use of spectrum by pressures in any ‘markets’ for their end products or services.”); Kenneth R. Carter & J. Scott Marcus, Improving the Effectiveness and Efficiency of Spectrum Use by the Public Sector: Lessons from Europe (Sept. 27, 2009),, archived at (“To a significant degree, these [efficiency] improvements have not worked their way into spectrum use by public sector users, including the military, emergency services, or aeronautical or maritime transport.”); James Losey & Sascha Meinrath, Free the Radio Spectrum, IEEE Spectrum (June 28, 2010, 7:59 PM),, archived at (stating that “the 270 000 [assignments] held by government agencies . . . are woefully underutilized.”).

[8] See Coleman Bazelon & Giulia McHenry, LocustPoint Networks, Staying on Track: Realizing the Benefits from the FCC’s Incentive Auction Without Delay ii (2015),;ECFSSESSION=Kk3QJpkhFvcQwklx1G3Rz6tF8p3LBhxBWph1ZmjDp4nkr60XTZRG!156529071!809722108?id=60001031918, archived at (estimating that the social costs of delaying the “Incentive Auction” of TV bands two or three years could approach $200 billion).

[9] See, e.g., Harold Furchtgott-Roth, Hudson Inst., Granting Licensed Spectrum Flexibility: How to Spur Economic Growth and Innovation in America 6 (2012),–spectrumflexibility–dec12.pdf, archived at; see also Thomas W. Hazlett & Roberto E. Muñoz, A Welfare Analysis of Spectrum Allocation Policies, 40 RAND J. of Econ. 424, 425 (2009).

[10] Agencies pay only a small, annual fee for their spectrum—$122 for each frequency assignment. See U.S. Gov’t Accountability Office, GAO-13-7, Spectrum Management: Incentives, Opportunities, and Testing Needed to Enhance Spectrum Sharing 11 n.14 (2012),, archived at

[11] The Miscellaneous Receipts Act requires “an official or agent of the Government receiving money for the Government from any source” to “deposit the money in the Treasury as soon as practicable without deduction for any charge or claim.” 31 U.S.C. § 3302(b) (2012). Thus, under current law, any payment to agencies would have to be submitted to the Treasury rather than be retained by the agency receiving the payment for relocation purposes. Once revenue is submitted to the Treasury, it may only be disbursed pursuant to a specific congressional directive. See Commerce Spectrum Mgmt. Advisory Comm., Recommendations for Improving the Process for Identifying Spectrum for Future Reallocation or Sharing 25 n.55 (2008),, archived at

[12] One meritorious “stick” proposal is to charge agencies approximately the opportunity cost of their spectrum, much like the United Kingdom does. Long-term spectrum fees should be budgeted for as an operating expense so that agencies can sensibly weigh the tradeoffs between acquiring spectrum and other inputs that further their agency mission. This proposal resembles a “GSA for spectrum.” See Lenard, White, & Riso, supra note 7, at 26; see also Brent Skorup, Reclaiming Federal Spectrum: Proposals and Recommendations, 15 Colum. Sci. & Tech. L. Rev. 90, 110–12 (2013). For a thoughtful analysis on the merits of this proposal, see generally Dorothy Robyn, Econ. Studies at Brookings, Buildings and Bandwidth: Lessons for Spectrum Policy from Federal Property Management 2 (2014),, archived at

[13] My thanks are extended to an anonymous reviewer for suggesting this term.

[14] Comm’r Jessica Rosenworcel, Remarks at CTIA 2013–The Mobile Marketplace 4 (May 22, 2013),, archived at (“So I propose we auction 2155–2180 MHz along with an additional right . . . the exclusive right to negotiate with federal incumbents [in the 1755–1780 MHz band].”).

[15] See Brent Skorup, Getting Away From GOSPLAN, 36 Reg. 14, 18 (Winter 2013–2014),, archived at

[16] See id. at 18.

[17] Rosenworcel, supra note 14, at 4.

[18] See Karen D. Gordon et al., IDA Sci. & Tech. Policy Inst., A Review of Approaches to Sharing or Relinquishing Agency-Assigned Spectrum 2 (2014),, archived at

[19] Id. at 54.

[20] See Ronald H. Coase, The Problem of Social Cost, 3 J.L. & Econ. 1, 43 (1960) (“A better approach would seem to be to start our analysis with a situation approximating that which actually exists, to examine the effects of a proposed policy change and to attempt to decide whether the new situation would be, in total, better or worse than the original one.”).

[21] See President’s Council of Advisors on Sci. & Tech., Exec. Office of the President, Realizing the Full Potential of Government-Held Spectrum to Spur Economic Growth ix (July 2012) [hereinafter PCAST],, archived at

[22] See Thomas W. Hazlett, Efficient Spectrum Reallocation with Hold-Ups and Without Nirvana 31 (George Mason Univ. Law & Econ. Research Paper Series, No. 14-16),, archived at

[23] See Skorup, supra note 15, at 14.

[24] See, e.g., Yochai Benkler, Some Economics of Wireless Communications, 16 Harv. J.L. & Tech. 25, 29–30 (2002) (citing the property rights and auctions framework as “the standard economists’ view”); Thomas W. Hazlett, The Wireless Craze, the Unlimited Bandwidth Myth, the Spectrum Auction Faux Pas, and the Punchline to Ronald Coase’s “Big Joke”: An Essay on Airwave Allocation Policy, 14 Harv. J.L. & Tech. 335, 532 (2001); Eli Noam, Spectrum Auctions: Yesterday’s Heresy, Today’s Orthodoxy, Tomorrow’s Anachronism, Taking the Next Step to Open Access Spectrum, 41 J.L. & Econ. 765, 766 (1998).

[25] See, e.g., Eisenach, supra note 7, at 89; Lenard, White & Riso, supra note 7, at i.

[26] See PCAST, supra note 21, at 141–42.

[27] NTIA defined “high-value spectrum” as “spanning 225 MHz to 3,700 MHz.” Mark . Goldstein, Dir. Phys. Infrastructure Issues, Testimony before the H. Comm. on Energy & Commerce, Subcomm. on Commc’n & Tech., Spectrum Management: Federal Government’s Use of Spectrum and Preliminary Information on Spectrum Sharing 3 (Sept. 13, 2012) (transcript on file with U.S. Gov’t Accountability Office) [hereinafter Goldstein Testimony],, archived at

[28] See Penny Pritzker & Lawrence E. Strickling, U.S. Dep’t of Commerce, Fifth Interim Progress Report on the Ten-Year Plan and Timetable 6, table B-1 (2015),, archived at

[29] See id. at 3.

[30] See Phil Goldstein, AWS-3 Auction Results: AT&T Leads with $18.2B, Verizon at $10.4B, Dish at $10B and T-Mobile at $1.8B, FierceWireless (Jan. 30, 2015),, archived at

[31] The paired spectrum grossed $42.5 billion, and the unpaired 15 MHz of federal spectrum grossed $2.43 billion. See George S. Ford & Lawrence J. Spiwak, Auction 97 and the Value of Spectrum, Phoenix Center 1, 2 (Feb. 4, 2015),, archived at

[32] See Bazelon & McHenry, supra note 8, at 9.

[33] Agencies pay only a small, annual fee for their spectrum—$122 for each frequency assignment. Goldstein Testimony, supra note 27, at 12 & n.13.

[34] PCAST concluded that, “[f]ederal users currently have no incentives to improve the efficiency with which they use their own spectrum allocation.” PCAST, supra note 21, at ix. Some of the inefficiency is undoubtedly to be expected. Any large organization has bureaucratic friction, and federal agencies—particularly defense agencies—are especially risk averse. A lack of transparency regarding federal uses of spectrum and the fragmented authority over federal spectrum management certainly contributed to the government failure. Transparency in spectrum use is generally unrewarded and is therefore undersupplied. See Harold Feld & Gregory Rose, Breaking the Logjam: Some Modest Proposals for Enhancing Transparency, Efficiency and Innovation in Public Spectrum Management 6 (2010),, archived at The fragmentation of authority over federal spectrum may unfortunately be intractable. A 1994 effort to consolidate Department of Defense spectrum management lasted only a year because the chiefs of Army, Navy, Air Force, and intelligence organizations all wanted to retain their own spectrum management office. U.S. Gov’t Accountability Office, GAO-NSIAD-97-131, Defense Communications: Federal Frequency Spectrum Sale Could Impair Military Operations 15 (June 1997),, archived at

[35] The slow relocation of government systems leads to verbal haranguing of federal administrators and to visible frustration. See Carl Franzen, Congress blasts military and national telecom agency for not sharing wireless spectrum faster, Verge (June 27, 2013),, archived at (“Do you [NTIA and Department of Defense administrators] sit down and talk to each other? Why wouldn’t the two of you sit down and talk about it. Why am I even having to ask this question again?”) (quoting Rep. Eshoo).

[36] See Presidential Memorandum on Expanding America’s Leadership in Wireless Innovation (June 14, 2013), 78 Fed. Reg. 37,431 (June 20, 2013),, archived at

[37] Id. at 37,433.

[38] See Federal Management of Radio Spectrum: Hearing Before the Subcomm. on Telecomm. & Fin. of the H. Comm. on Commerce, 104th Cong. 10 (1995) (statement of James L. Gattuso, Vice President, Citizens for a Sound Economy).

[39] See PCAST, supra note 21, at 9 (discussing the increasing difficulties of relocating incumbent federal systems).

[40] See Gordon et al., supra note 18, at 61.

[41] See id. at 13 (noting the significant challenges implementing, for example, spectrum use fees).

[42] See PCAST, supra note 21, at 1 (“Clearing and reallocation of Federal spectrum for exclusive use is not a sustainable basis for spectrum policy.”).

[43] See id. at 11 (“T]he key to the new architecture is to create very wide bands and implement dynamic, real-time, spectrum sharing.”).

[44] See id. at 24 (“We envisage that access to large Federal bands authorized for shared use can be coordinated primarily by registering and communicating with a management database, similar in concept to the White Space Databases certified by the FCC to provide permission to transmit in the TV Bands.”).

[45] See Thomas W. Hazlett & Evan T. Leo, The Case for Liberal Spectrum Licenses: A Technical and Economic Perspective, 26 Berkeley Tech. L.J. 1037, 1049 n.50 (2011) (explaining the strict rules for unlicensed devices mean much of the available frequencies cannot be exploited).

[46] See PCAST, supra note 21, at 16.

[47] See id. at 11–13.

[48] See Evaluation of the Performance of Prototype TV-Band White Space Devices Phase II, Office of Engineering & Tech., FCC/OET 08-TR-1005, iv (Oct. 14, 2008), document/view; jsessionid=7qp3P1VbdnpcVyFWySl2N52n318pmkvNznfvhcyWdnPhqGTpyhzP!1471562840!-321460796?id=6520183093, archived at

[49] See Robert McDowell, The FCC Should Fight for Our Right to TV White Space, Wired (Apr. 17, 2015),, archived at; see also Mike Dano, FCC promises to clean up error-ridden TV white space databases, FierceWireless (Mar. 20, 2015), fcc-promises-clean-error-ridden-tv-white-space-databases/2015-03-20, archived at

[50] See McDowell, supra note 49.

[51] See Lyndsey Gilpin, White Space broadband: 10 communities doing big projects, TechRepublic (Mar. 19, 2014),, archived at

[52] See Richard M. Nunno, Cong. Research Serv., SPR 97-218, Radiofrequency Spectrum Management 23 (1998) (A wireless industry association opposed this proposal in the AWS-3 auction, but the crux of its opposition was that the federal users were not required to relocate by a certain date).

[53] See Comments of 4G Americas in the Matter of Amendment of the Commission’s Rules with Regard to Commercial Operations in the 1695-1710 MHz, 1755-1780 MHz, and 2155-2180 MHz Bands 8, GN Docket. No. 13-185 (2013),, archived at

[54] Theoretically, overlay licensees could also bargain with incumbents to share spectrum by the millisecond or by the hour, but it is unlikely, at present, that the economics of spectrum sharing permit such agreements in practice.

[55] See U.S. Gov’t Accountability Office, GAO-11-574, Defense Infrastructure: The Enhanced Use Lease Program Requires Management Attention 1–2 (2011),, archived at

[56] See Peter Cramton, Evan Kwerel & John Williams, Efficient Relocation of Spectrum Incumbents, 41 J.L. & Econ. 647, 649 (1998) (Overlays, then, may not be appropriate for bands where shutdown deadlines are especially unpredictable or long term).

[57] See id. at 661.

[58] See id. at 660.

[59] See Nunno, supra note 52, at 13 (“Overlay licenses were auctioned in the PCS auctions since there were already incumbent licensees . . . using that spectrum.” The auctioned spectrums were 1850–1910 MHz and 1930–1990 MHz. Id.

[60] See Cramton et al., supra note 56, at 660, 668.

[61] Reply Comments of the Los Angeles County Sheriff’s Dept., In the Matter of Redevelopment of Spectrum to Encourage Innovation in the Use of New Telecommunications Technologies, ET Docket No. 92-9 (July 6, 1994), at 2,, archived at

[62] See Cramton et al., supra note 56, at 660–61 (FCC rulemaking for the auction commenced in 1993, and the PCS auctions were carried out in 1995, 1996, and 1997).

[63] See id. at 668–69 (“[T]here have been reports of incumbents demanding premiums of several times actual relocation costs to relocate before the involuntary relocation period.”).

[64] See id. at 663, 666 (noting that in 1997, this voluntary period was shortened to one year).

[65] See id. at 665–66.

[66] See Cramton et al., supra note 56, at 665–66 (noting these negotiation periods and conditions were occasionally fine-tuned by the FCC.).

[67] Evan R. Kwerel & Gregory L. Rosston, An Insiders’ View of FCC Spectrum Auctions, 17 J. Reg. Econ. 253, 275 (2000).

[68] See Cramton et al., supra note 56, at 668.

[69] See id.

[70] See id.

[71] See Federal Commc’n Commission, Seventeenth Report, in Matter of Annual Report and Analysis of Competitive Market Conditions with Respect to Mobile Wireless, Including Commercial Mobile Services 50, WT Docket No. 13-135 (2014),, archived at (estimating there is about 580 MHz of spectrum used for mobile broadband and 120 MHz (PCS spectrum) out of 580 MHz is a little over 20%.).

[72] See Rosston, supra note 5, at 235–36 (“The Commission adopted procedures by which new AWS licensees may relocate incumbent [nonfederal] BRS and fixed microwave service operations in a manner similar to that developed for clearing the PCS band.”); see also Hazlett & Leo, supra note 45, at 1072.

[73] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Second Annual Progress Report 2 (Mar. 2009),, archived at (listing those agencies: Department of Agriculture, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Housing and Urban Development, the Department of the Interior, the Department of Justice, the Department of Transportation, the Department of the Treasury, the National Aeronautics and Space Administration, the Tennessee Valley Authority, and the United States Postal Service).

[74] See FCC, Ninth Report and Order and Order in the Matter of Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands 5, WT Docket No. 02-352 (Apr. 21, 2006),, archived at

[75] See 47 U.S.C. § 928(c) (2012).

[76] See, e.g., 47 C.F.R. §§ 27.1160; 27.1170 (2015).

[77] U.S. Gov’t Accountability Office, GAO-13-472, Spectrum Management: Federal Relocation Costs and Auction Revenues 16 (2013),, archived at

[78] See id. at 15–16.

[79] See id. at 16.

[80] See Howard Buskirk, NTIA Says Cost of Clearing AWS Spectrum Will Be Below $1 Billion, Comm. Daily (Dec. 29, 2005),, archived at (Estimates for relocation costs and for upgrading technologies like outdated analog surveillance systems varied widely before the auction. On the low end, NTIA projected in a report that the cost of 2,240 frequency assignments across 12 agencies would be $936 million. In 2005, the Congressional Budget Office estimated that costs could run as high as $2.5 billion. Agencies included the Department of Defense (mostly the Navy), Department of Energy, Department of Homeland Security, and Federal Aviation Administration. The Forestry Service had 579 assignments and the Department of Energy had 596.).

[81] See GAO, supra note 75, at 11–12; see generally U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Sixth Annual Progress Report 2–3 (Mar. 2013) [hereinafter NTIA Relocation],, archived at (estimating relocation costs set by the NTIA and Dep’t of Commerce).

[82] See NTIA Relocation, supra note 79, at 1.

[83] Id. at 2.

[84] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Fourth Annual Progress Report 2 (Mar. 2011) [hereinafter NTIA Relocation Fourth],, archived at

[85] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Fifth Annual Progress Report 2 (Mar. 2012) [hereinafter NTIA Relocation Fifth],, archived at

[86] See NTIA Relocation Fourth, supra note 82, at 2–3; see also NTIA Relocation Fifth, supra note 85, at B-11 (The types of federal wireless systems varied widely in terms of services and relocation costs. The Department of Housing and Urban Development had only five systems, for instance, that transmitted video and communications. The total relocation costs were around $21,000.); Id. at B-14 (The Department of Justice’s Bureau of Alcohol, Tobacco, Firearms and Explosives likewise had five systems (mostly for video communications), but it had many more components, and the estimated relocation outlays totaled over $48 million); Id. at B-16 (The Drug Enforcement Agency had a single system, identified only as “video surveillance,” that was estimated to take three years and $75 million to relocate.); Id. at B-21 (The U.S. Postal Service also had a single video surveillance system consisting of about 500 devices that took one year and $1.8 million to relocate.).

[87] See Dep’t of Commerce, Comments of T-Mobile in the Matter of Relocation of Federal Systems in the 1710–1755 MHz Frequency Band: Review of the Initial Implementation of the Commercial Spectrum Enhancement Act 1, 5, Docket. No. 0906231085-91085-01 (Aug. 21, 2009),, archived at (supporting the idea that some regions were difficult to clear, T-Mobile representatives noted in 2009 to NTIA that “T-Mobile’s launch of service in the AWS band was delayed by several months, if not longer, in many markets. Indeed, even today—nearly three years after Auction No. 66—there are certain parts of the country such as the southeast w[h]ere no wireless carrier has been given access to AWS frequencies. Such delays jeopardize investment, hinder broadband deployment, and harm consumers”).

[88] Dep’t of Commerce, Comments of MetroPCS, In the Matter of Relocation of Federal Systems of 1710-1755 MHz Frequency Band: Review of the Initial Implementation of the Commercial Spectrum Enhancement Act 2, Docket No. 0906231085-91085-01 (Aug. 21, 2009),, archived at

[89] See Comments of T-Mobile, supra note 87, at 5.

[90] Creating Opportunities Through Improved Government Spectrum Efficiency: Hearing Before the Subcomm. on Comm’n & Tech. of H. Comm. on Energy & Commerce, 112th Cong. 6 (2012) (statement of Steve Sharkey, Director, Chief Engineering & Tech. Policy, T-Mobile USA, Inc.); Howard Buskirk, Spectrum Shortfall Tops Concerns at CTIA, But Signs Growing Carriers Might Embrace Sharing, Comm. Daily (May 11, 2012) (“‘I think we’re at the point of let’s get engineers into a room to figure out and solve the problems,’ [Sharkey] said. ‘Neither side has a complete understanding of the way each other’s systems work and operate.’ During AWS-1 clearance when industry first tried to clear spectrum on the West Coast, the immediate reaction of government users was ‘no way, it’s all redlined out and it’ll be a long time,’ [Sharkey] said. ‘But we gave them more information about how our systems really operate and the power levels that they would expect—it cleared up practically a whole coast almost immediately.’”).

[91] See Press Release, T-Mobile USA, Statement on the Conclusion of Bidding in the FCC Auction of Advanced Wireless Services (Sept. 18, 2006),, archived at

[92] See Global View Partners, Mobile Broadband in the Americas: Momentum Building in the AWS Band 14 (2009),, archived at

[93] See Comments of T-Mobile, supra note 87, at 6.

[94] See Katherine Noyes, T-Mobile’s 3G Network Touches Down in NYC, TechNewsWorld (May 5, 2008),, archived at

[95] See Global View Partners, supra note 92, at 14–15.

[96] See FCC, supra note 69, at 50, 62 (showing that the 90 MHz of cleared AWS-1 spectrum constitutes around 15.5% of the total amount (580.5 MHz) of spectrum).

[97] See Bazelon & McHenry, supra note 8, at 13 (attachment A) (discussing the economic costs of delay in the TV broadcaster incentive auction).

[98] See NTIA, U.S. Spectrum Management Policy: Agenda for the Future 6 (1991),, archived at

[99] See Gerald R. Faulhaber, Commentary on “The Spectrum Opportunity: Sharing as the Solution to the Wireless Crunch,” 8 Int’l J. Comm. 116, 119 (2014).

[100] PCAST, supra note 21, at v, ix.

[101] See Thomas W. Hazlett & Brent Skorup, Tragedy of the Regulatory Commons: LightSquared and the Missing Spectrum Rights, 13 Duke L. & Tech. Rev. 1, 21 (2014).

[102] See Jerry Brito, The Spectrum Commons in Theory and Practice, 2007 Stan. Tech. L. Rev. 1, P36–37, P54 (2007).

[103] See, e.g., Hazlett & Skorup, supra note 99, at 3–4 (discussing the LightSquared-GPS dispute); Examination of the Government’s Spectrum Management Process: Hearing Before the Subcomm. on Telecomm. and the Internet of H. Comm. on Energy and Commerce, 107th Cong. 42–43 (2002),, archived at (Ultrawideband (UWB) users struggled for more than a decade to coordinate with federal users, NTIA, and the FCC to share spectrum: “It took 13 years, including three and one half years of intensive efforts, to gain regulatory approval for UWB.”); Brito, supra note 100, at P64 (describing how satellite incumbents objected to the FCC’s exclusion zone sizes when permitting unlicensed devices).

[104] PCAST Report, supra note 21, at 1.

[105] The PCS auctions took place from 1995 to 1997. See Cramton et al., supra note 56, at 660–61. Sprint was the largest bidders and by the end of 1996 had already deployed PCS operations in several major markets, including Washington, D.C. and San Diego, with planned deployments in several more markets by mid-1997. Press Release, Qualcomm, Sprint PCS Launches Advanced Wireless Service in San Diego (Dec. 27, 1996),, archived at T-Mobile was the largest bidder in the 2006 AWS-1 auction and by the end of 2008 had deployed 3G networks that covered over 100 million Americans by using AWS-1 bands. See Global View Partners, supra note 92.

[106] Overlay auctions include the PCS and AWS-1 auctions described supra, as well as smaller auctions like the BRS auction. See Cramton et al., supra note 56, at 660–61; Rosston, supra note 5, at 235–36.

[107] See Hazlett, supra note 22, at 18 (“Overlay licenses empower private [decision] agents, who internalize substantial gains [from spectrum reassignment] . . .These actors not only have superior information and incentives to those of government administrators . . .but they bring a different tool kit to the task at hand. In particular, private firms can write contracts and access capital markets.”).

[108] See GAO, supra note 77, at 24; Paul Barbagallo, For TV “White Spaces,” the Global Outlook is Hopeful but Cautious, Bloomberg BNA (July 16, 2014),, archived at (noting that “spectrum sensing, is still nascent”).

[109] See McDowell, supra note 47.

[110] Thomas W. Hazlett et al., Report to U.S. Chamber of Commerce, Sending the Right Signals: Promoting Competition through Telecommunications Reform 1, 103 (Sept. 2004),, archived at

[111] FCC, supra note 69, at 50 (estimating that there is about 580 MHz of spectrum used for mobile broadband).

[112] CTIA, Annual Wireless Industry Survey, (2015),, archived at

[113] Regulators in the recent past ignored the huge consumer welfare losses that delay inflicts. See Jerry A. Hausman, Valuing the Effect of Regulation on New Services in Telecommunications, 28 Brookings Papers on Econ. Activity: Microeconomics 1, 24 (1997),, archived at (“It appears that delay in cellular service was the commission’s way to avoid confronting a very difficult decision. Potential losses in consumer welfare did not appear to figure into the FCC’s regulatory approach.”).

[114] See, e.g., Thomas Lenard & Lawrence White, Digital Age Communications Act: Report from the New Spectrum Policy Working Group, Tech. Pol’y Inst. 1, 20 (Mar. 2006),, archived at; Dorothy Robyn, Making Waves: Alternative Paths to Flexible Use Spectrum, Aspen Inst. 1, 36 (2015),, archived at (“[The argument against transferable federal spectrum rights] that has gotten the most traction in the spectrum community—is that the ability to retain the proceeds will not motivate federal agencies to transfer their spectrum because of the nature of the budget process . . . . In anticipation of this zero-sum dynamic, agencies would forego the opportunity to trade spectrum for money.”).

[115] See Robyn, supra note 114, at 42.

[116] See Charles Kruly, Self-Funding and Agency Independence, 81 Geo. Wash. L. Rev. 1733, 1737 (2013).

[117] U.S. Gov’t Accountability Office, GAO-02-864, SEC Operations: Implications of Alternative Funding Structures 11–12 (2002),, archived at

[118] See id. at 12–13 (stating that, if self-funding agencies in fact do receive more punitive scrutiny from Congress, the drawbacks are likely diminished in the case of spectrum sales, where agencies are merely supplementing their budgets. Presumably, Congress is more likely to scrutinize totally self-funded agencies than partially self-funded agencies).

[119] Robyn, supra note 12, at 14.

[120] See id.

[121] See Robyn, supra note 114, at 37.

[122] See 10 U.S.C. § 2667(a) (2012); T. Randolph Beard et al., Market Mechanisms and the Efficient Use and Management of Scarce Spectrum Resources, 66 Fed. Comm. L.J. 263, 291 (2013) (stating that leasing spectrum has been proposed, but the government’s inefficient management of spectrum leads scholars to conclude that it is preferable for agencies to sell spectrum rather than to lease it).

[123] See GAO, supra note 55, at 2, 8 (stating that these leases often include revenue sharing between the private developer and the agency).

[124] See id. at 2.

[125] Robyn, supra note 12, at 14.

[126] See Kruly, supra note 116, at 1737.

[127] See Cramton et al., supra note 56, at 664­–65.

[128] Id. at 665.

[129] See generally Lloyd Cohen, Holdouts and Free Riders, 20 J. Legal Stud. 351 (1991),, archived at

[130] See Glen Whitman, Law & Economics Lecture 2: Externalities, Cal. St. Univ. Northridge,, archived at (last visited Jan. 27, 2016).

[131] See Robyn, supra note 114, at 35.

[132] See Cramton et al., supra note 56, at 649–50.

[133] See id. at 658.

[134] See id. at 649.

[135] See Thomas W. Hazlett, Inching Toward Wireless Capitalism, Wall Street J. Europe (Jan. 12, 2004),, archived at

[136] See id.

[137] See id.

[138] See Daniel Fisher, Lightscrewed, Forbes (Jan. 3, 2012),, archived at

[139] See id.

[140] See FCC, Report and Order and Order of Proposed Modification in the Matter of Service Rules for Advanced Wireless Services in the 2000–2020 MHz and 2180–2200 MHz Bands, WT Docket. No. 12-70, 2, 8 (Dec. 11, 2012),, archived at

[141] T-Mobile Lobbies on Wireless Airwaves (Dec. 12, 2007), Yahoo!,, archived at T-Mobile’s lobbyists included those at the Cohen Group, headed by former Clinton defense secretary William Cohen. Id.

[142] Political entrepreneurship admittedly resembles and likely overlaps with the notorious revolving door phenomenon in politics. It is beyond the purposes of this paper to distinguish between damaging rent-seeking and socially beneficial deal-making. Suffice it to say that in some circumstances former insiders, possessing a depth of knowledge that disinterested outsiders cannot reasonably attain, can effect Pareto improvements in regulated industries. The analysis presented supra suggests that Pareto improvements here are fairly easy to identify—it is likely that most transfers of spectrum from agencies to the private sector result in substantial social welfare gains. See also Bazelon & McHenry, supra note 8, at 9 (citing economics research that suggests the consumer benefits generated by spectrum deployed for wireless broadband are 10 to 20 times the value of the spectrum to producers).


Merger and Acquisition Due Diligence Part II – The Devil in the Details

Regulating Healthcare Robots: Maximizing Opportunities While Minimizing Risks

Can I Call You Back? A Sustained Interaction with Biospecimen Donors to Facilitate Advances in Research

MLAT Jiu-Jiutsu and Tor: Mutual Legal Assistance Treaties in Surveillance

pdf_icon Cortes Publication Version PDF


Cite as: Sarah Cortes, MLAT Jiu-Jitsu and Tor: Mutual Legal Assistance Treaties in Surveillance, 22 Rich. J.L. & Tech. 2 (2015),


Sarah Cortes

I. Introduction: Rise of Surveillance, MLATs, Anonymity, MJATs


[1]       A corrupt Australian Law Enforcement Agency (LEA) wishes to track the communications of a journalist who has published leaked whistleblowing documents from a confidential source, revealing the Australian LEA’s complicity in illegal narcotics activity. The target journalist lives in New York and is a U.S. citizen. She opens her laptop, goes online and fires up Tor Browser.[1] She is communicating with her whistleblowing source in Australia, who faces death if his identity is uncovered. Her communication and network traffic passes through Tor relays in Canada, Finland, and Malaysia before arriving at her source in Australia.[2]

[2]       In what we call an “MLAT cartel attack” against online privacy tools, Australia uses treaty relationships with other countries to facilitate surveillance.[3] The communication service providers (CSPs) under their jurisdiction all implemented automated surveillance through unclear legal means. Once surveillance is automated and normalized, it becomes easier to bypass Fourth Amendment protections,[4] skipping meaningful judicial oversight or a show of probable cause—asking forgiveness rather than permission.

[3]       The corrupt Australia LEA presses the button, targeting the journalist’s network traffic,[5] hoping to find her source. Traffic correlation[6] and timing attacks[7] enable the corrupt Australian LEA to capture the journalist’s outgoing message as it travels through the Tor network—and she discovers the identity of her whistleblower in short order. It is the last time the American journalist hears from her source—who has been silenced.

[4]       Since Edward Snowden recommended the use of the TorBrowser as one of his top tips for whistleblowers and ordinary people to protect their privacy and anonymity online,[8] policymakers are becoming aware of Tor’s role in protecting identity online. For instance, Snowden leaked a document revealing the NSA project “EgotisticalGiraffe”, which had the objective of breaking underlying Tor encryption and privacy protections.[9] In this paper, we document how MLATs can assist in such attacks on Tor.

[5]       The documents released by Snowden reveal far greater levels of U.S. and other government surveillance than previously known,[10] including surveillance outside the US and across multiple country borders.[11] This widespread surveillance includes online data and telecommunications; much of it culled from third-party communication service providers (“CSPs”).[12] With the expansion of surveillance came the expansion of U.S. law legalizing surveillance, such as the U.S. Patriot Act.[13] Some contend that much of this surveillance—often referred to by LEAs as lawful intercept (“LI”)—is actually unlawful.[14]

[6]       These changes in government surveillance have resulted in several undesirable circumstances, including government attempts to apply pressure directly on third-party CSPs operating within their borders.[15] Coincident with the rise of online government surveillance has been a rise in a little-noticed legal tool—the international Mutual Legal Assistance Treaty (MLAT).[16] Governments control the CSPs, which own or operate IT infrastructure over which network traffic passes.[17] MLATs provide vector for government intelligence agencies (GIAs) to facilitate global surveillance—technically and legally—through exploiting this control.

[7]       MLAT expansion facilitates surveillance and erodes civil liberties in three distinct ways. First, specific MLAT provisions explicitly eliminate existing civil liberties. Second, MLATs provide a legal framework for mass cross-border surveillance. Third, MLATs technically facilitate surveillance by controlling CSPs, encouraging technical surveillance automation, and attacking online privacy and anonymity protecting tools. We review recent MLAT circuit court rulings—including United States v. Getto, decided by the Second Circuit on September 30, 2014.[18]


Figure 1. Tor usage over time.[19]


[8]       As a result of expanded government surveillance and other trends, such as the rise of Internet use generally and of marketing-oriented and corporate surveillance—the use of online privacy and anonymity protecting tools have risen.[20] For global privacy, a class of online multi-jurisdictional anonymity/privacy tools (MJATs))—such as virtual private networks (VPNs), proxy servers, and anonymous networks—have emerged.[21] Examples of these MJATs are JonDo,[22] I2P,[23] Freenet,[24] Lantern,[25] UltraSurf,[26] and TorBrowser.[27] Since 2004, TorBrowser usage has jumped to an average of over 2.5 million daily users worldwide, peaking at over six million users on high-usage days.[28]

[9]       MJATs have many uses, and in one way can be thought of as online counter-surveillance tools. In our opening hypothetical, the American journalist and the Australian whistleblower used Tor to evade government surveillance. Many use MJATs simply to evade corporate marketing-driven surveillance.[29] Tor in particular is a source of consternation for the NSA—as revealed by the leaked presentation entitled “Tor stinks.”[30] The NSA finds that Tor “stinks” because the NSA cannot break its privacy and anonymity protecting encryption.[31] Like other MJATs, Tor protects individual online privacy and anonymity against government surveillance like the NSA’s, or the corrupt Australian LEA’s. For this reason, MJATs like Tor are considered high-value targets.[32] The NSA slides portray the typical Tor user as a terrorist, providing them with justification to attack privacy.[33] However, a journalist is just as likely to use anonymity to protect the identity of a whistleblower. Snowden’s slides reveal the effort and expense the GIAs invest in breaking Tor.[34] MLATs can uniquely facilitate breaking high-value targets like MJATs—while providing a legal framework for doing so.

[10]     Government desire to extend surveillance, coupled with (1) a need to provide a legal framework for otherwise unconstitutional acts (including unlawful intercept and surveillance), (2) the need to pressure CSPs into relaying surveillance information, and (3) the pursuit of MJAT attacks, has led government agencies, LEAs, and others to seek to teach the old MLAT dog new tricks. In this category we demonstrate how MLATs extend government control to foreign CSPs in a way that facilitates a series of technical attacks on online privacy tools.


     A. The Expansion of MLATs


[11]     We observe the correlation of MLAT expansion with the rise of the Internet, cybercrime, and the expansion of lawful interception, or government surveillance. We note that secret MLAT treaties possibly further expand MLAT proliferation.[35] We observe that the rise in government surveillance—along with the rise in corporate (or civil) surveillance—has driven the proliferation of increasingly more sophisticated online MJATs. Although LEAs form a significant class of MJAT users,[36] GIAs have created an endless cycle of government efforts to attack MJATs and individuals’ efforts to defend their privacy. MLATs and MJATs are locked in this endless cycle of cyber arms proliferation.

[12]     We then review legal frameworks for intergovernmental legal cooperation, including MLATs: how they work, how many are in force, and which ones are most relevant, as well as frameworks for recognizing and enumerating countries of the world. We demonstrate that recent growth in MLATs has been significantly motivated by a rise in GIA surveillance. We show how the rise of GIA surveillance coincides with the rise of MLATs. We review surveillance and non-surveillance related reasons for the recent increase in MLATs—including a desire to control and compel compliance, anti-bribery enforcement, the ubiquitous war on drugs, and the availability to LEAs of third party corporate surveillance.

     B. MLATs and Civil Liberties

[13]     First, through Internet-era improvements, which eliminate United States constitutional and other legal protections, the power of MLATs has quietly eroded civil liberties in numerous ways. For example, commentators have pointed out defendants cannot use MLATs,[37] and that MLATs expand unchecked online surveillance.[38] MLATs give rise to numerous civil liberties issues—including eliminating the double jeopardy bar, and the death penalty bar.[39] MLATs have expanded in scope to include political crimes, and eliminate the dual criminality requirements.[40] MLAT enforcement has been presented as compulsory, and the executive branch argues that the courts have no discretion in how the terms of the MLAT are carried out.[41] We note that MLAT surveillance and other provisions ignore international law. Stepping back, we review the big picture issues MLATs are increasingly raising in the courts: separation of powers, judicial review, and constitutional supremacy.[42] 

[14]     As MLATs have been enforced—both by the United States in foreign countries and United States MLAT partner countries in the United States—court challenges have proliferated. These cases reflect a growing schism between the executive branch and the courts; with the executive branch asserting that the courts have no role in enforcing constitutional provisions—and some circuit courts have begun to push back. More than thirty years after the Supreme Court decided its last MLAT casewhich predated the Internet[43]—an increasing number of MLAT cases have recently reached circuit courts. For example, in United States v. Getto the Second Circuit affirmed a conviction after the District Court refused to suppress evidence.[44] The First, Second, Ninth, and Eleventh Circuits have issued contradictory rulings regarding MLATs, and numerous MLAT-related constitutional issues seem ripe for more thorough review by the Supreme Court.[45]

     C. MLATs and Legal Frameworks for Global Mass Surveillance

 [15]     Second, by expanding their legal scope, MLATs have begun to form a legal scaffolding for global surveillance.[46] MLATs can accomplish this either directly or indirectly. On the one hand, they expand scope to explicitly include surveillance.[47] On the other, they create Joint Investigative Task Forces (JITs), which provide potential to circumnavigate restraints on domestic surveillance.[48] JITs can facilitate cooperative surveillance by collaborating with other countries. They can also provide a vector for parallel construction, whereby MLATs are the fig leaves covering up otherwise illegal surveillance.[49] JITs can redefine the investigating party, defining one country’s target another country’s target. “Cooperative surveillance” has long been performed as a way around domestic spying laws through the use of mutual surveillance by collaborating governments.[50] Additionally, interlocking MLAT cartels of cooperating country LEAs might be tempted to function as super-cartels through legal mechanisms such as JITs.[51]

     D. MLATs Expand Technical Automation for Global Mass             Surveillance 

[16]     MLATs facilitate technical expansion of global surveillance in a four-step process. In step one, MLATs help governments establish cooperative control over CSPs.[52] In step two, third parties apply pressure to streamline MLAT requests by automating technical standards and capabilities for government surveillance.[53] In step three, with technical surveillance standards and capabilities, and CSP controls in place, governments can use tools such as XKeyscore to analyze cleartext traffic.[54] In step four, by performing timing and traffic correlation technical attacks against anonymizing tools like MJATs, governments can improve their chances of de-anonymizing encrypted traffic.[55]

[17]     In step one, MLATs may play an effective role because governments exert legal control over CSPs, and therefore network traffic. MLATs formalize this control throughout the world, and set a standard for governments exerting control over CSPs. If a country did not exercise control over its CSPs before enterting into a MLAT, as a MLAT signatory, it may now have set an obligation or example, and a standard that, like powerful countries, are expected to do so.

[18]     Next, in the context of established, consolidated CSP control, MLATs facilitate implementing a mechanical surveillance roadmap. Third parties use MLATs to facilitate remote surveillance automation.[56] Third parties such as Google are applying pressure via MLATs on telecommunications and data communications service providers to incorporate technical standards which implement automated CSP surveillance. This is turn relieves third parties of legal liability and ongoing complex legal analysis.[57]

[19]     Further, through enabling MLAT access to surveillance, third parties hope to stave off increasing pressure from governments around the world to locate local servers within each of their boundaries, subject to local government control.[58] In other words, to preserve their own autonomy, third parties promote the automation of remote surveillance and the strengthening of this legal solution. Presented with the options of either refusing to operate in countries that demand they install local, surveillance-enabled servers, or strengthening those countries’ access to surveillance through MLAT-encouraged automation, they choose the latter. However, this results in consequences to citizens living in countries with civil liberties protections, like the United States.

 [20]     Specifically, corporations urge the use of MLATs to implement technical standards for CSP interfaces—like the European Telecommunications Standards Institute (ETSI) standards[59]—to capture traffic. MLAT-sponsored technical standards form the missing link between legal instruments and actual massive data stores of recorded communications data.[60] Interestingly, not only governments use MLATs for this purpose. Third parties like Facebook collaborate with standards bodies and governments to implement LI technical standards, which are roadmaps for rolling out automated surveillance.[61]

[21]     Third parties may collaborate in the technical and legal facilitation of remote Internet-based surveillance for multiple reasons. First, they may seek to reduce and more clearly define the increasing burden of demand for information from LEAs to CSPs. Second, they may want to avoid locating surveillance-enabled servers in foreign countries.[62] Third, they may perceive a need to define the boundaries of legal liability.[63] We analyze a number of documents from third parties, like Google, international business consortiums, and international technical standard setting bodies, like ETSI, to MLATs and government surveillance.

     E. MLATs Enable New Attacks on Online Privacy and Anonymity Tools

[22]     Governments use MLATs to launch attacks and analyze the harvest of information. MLATs work because governments exert legal control over CSPs, as well as network traffic and MJAT traffic.[64] MJATs route traffic all over the world. Once traffic is captured, the third step—analysis of cleartext communications traffic—can begin. For example, NSA XKeyscore surveillance tools appear to fit almost precisely, or “snap in” to work with these standards.[65] Creating paths for network traffic and building circuits that cross jurisdictions can make surveillance by GIAs harder.

 [23]     Beyond analysis of unencrypted data (with traffic captured) MLATs allow governments of multiple jurisdictions to collaborate in a fourth step to surveillance: performing hitherto challenging or impossible attacks on encrypted or anonymous, privacy-protected communications attacks—such as traffic correlation, traffic analysis, and timing attacks—through multiple countries. We examine this ability of GIAs to perform LI, by using MLATs to defeat constitutional protections to online anonymous communication privacy.[66] In this step, sovereigns use MLATs as a kind of Mutual Lawful Interception Treaties.

[24]     MLATs are one of several hostility factors, which governments can display to anonymous network communications. Combined with other measurable hostility factors, MLAT risk to MJATs can be quantified per country By becoming jurisdiction-hostility aware, one can improve anonymity by reducing the risk of surveillance through an approach we call “jurisdictional arbitrage.”[67] The least hostile countries in which jurisdictional arbitraging privacy tools may concentrate on increasing the proxy servers to expand and disseminate them across the best mix of countries to minimize user risk in the maximum jurisdictions.

[25]     Present use of MLATs has become an indicator of legal hostility to freedom in itself. MLATs routinely invalidate the rights of targets. We review measures we have developed to quantify MLAT strength and depth, include “absolute” MLAT hostility and “relative” MLAT hostility. We briefly review other hostility factors. 

[26]     MLATs provide a metric that, in combination with other metrics, provide a valuable measure of GIA surveillance by country and consequently cause risk to anonymous network communications. In the short term, MJATs can reduce risk by modifying their path selection algorithms to take into account country legal hostility. In the long term, public awareness of the threat to individual privacy can lead to MLAT modifications. Using MLAT attacks to extend law to attack jurisdiction arbitraging privacy tools seems inevitably to result in those tools getting smarter.

[27]     We show that traffic may pass through inherently hostile countries with lots of MLATs and large cartels, and apply “absolute” MLAT hostility coefficients to countries. We show the effect when traffic passes through cooperating countries of “relative” MLAT hostility. We review experiments we performed and discuss our methodology. We present the first complete global MLAT map, and discuss new treaties in comparison to accession to existing treaties. We present the results of our experiments and our conclusions: that a high percentage of Tor traffic is at significantly increased risk due to MLATs, and that the risk can be lowered by rerouting and modifying path selection. We further review Internet Service Providers and Internet Exchange Points (IXPs) and their role as potential surveillance points.

[28]     We classify countries according to MLAT and other legal “hostility factors” to Internet freedom in general, and the possibility of deanonymizing MJATs specifically. We develop the first scheme to measure and quantify country-by-country MLAT collaboration, and thus risk, and apply the scheme to create MLAT risk measurements for all countries across the globe. Up to now, researchers have documented a number of technical attacks against MJATs.[68] We now define a new class of attacks, legal attacks, which facilitate the network traffic correlation, traffic timing, and traffic analysis class of attacks. We document a specific new legal attack, the MLAT attack. This allows countries to collaborate and perform a traffic correlation and timing attacks on all cross-jurisdiction MJAT relays or circuits. We show how MJAT traffic risk increases when it passes through countries with high MLAT legal hostility. We present MLATs as one of five surveillance “legal hostility factors” quantified in a related paper.[69] We measure two forms of the MLAT hostility factors: absolute hostility, per country MLAT factor; and collaborative hostility, MLAT “cartels.”[70]

[29]     The expansion of MLATs results in MJATs getting smarter.[71] Reducing MLAT score reduces unlawful intercept as a stop to reducing LI. Our recommendations include short-term changes in technology, such as the location of Tor relay nodes. We also recommend long-term changes, such as changing laws involving MLATs and their treaties.

II. The Quiet Rise of MLATs

[30]     While MLATs themselves are not new, their numbers and scope have significantly increased since the rise of the Internet—the era when the public has become aware of significantly increased online activity in general, as well as cybercrime and surveillance.[72] “In recent decades, the United States has ratified an increasing number of bilateral treaties with other nations to facilitate legal proceedings, known as mutual legal assistance treaties or MLATs.”[73] These proliferating bilateral agreements—such as the EU-US MLAT[74] and the multilateral Budapest Cybercrime Treaty,[75] which were ratified and entered into force in the U.S. in 2010 and 2007, respectively—significantly expand the scope of latitude for LEAs. At the same time, they reduced or eliminated many civil liberties and other privacy protections for individuals.[76]

     A. MLAT Mechanics

          1. Frameworks for Intergovernmental Legal Cooperation

[31]     Since the 20th century, governments have used a number of tools to attempt to obtain cooperation in criminal matters.[77] These tools include:

  • “spontaneous” cooperation[78]
  • ad hoc processes through extra-territorial orders from individual countries[79]
  • relationships for cooperation outside of MLATs, like the U.S. FBI international “24/7 network”[80]
  • national and state statutes[81]
  • letters rogatory[82]
  • MLAT-type requests such as customs agreements, tax agreements, and others[83]
  • bilateral treaties, including extradition, MLAT, and others[84]
  • multilateral treaties, including MLAT and others.[85]

[32]     Each framework has its strengths and weaknesses. Some are per investigation, some are on a best-efforts basis, some are ad hoc, and some are informal. MLATs reflect an effort to create legally binding agreements to obligate and compel countries to cooperate on criminal investigations and related matters such as target extradition.

          2. MLAT History

[33]     MLATs have existed for quite some time. In the modern era, a U.S. MLAT with Kenya contains documents dating from 1931.[86] The United States signed the first non-secret modern MLAT[87] with Switzerland in 1977.[88] At their most basic, MLATs formally require and enable their signatories to cooperate in many aspects of legal assistance, from investigations, to collection of evidence, to extradition of targets or suspects.

[34]     A large and increasing body of case law exists with respect to MLATs. While no case directly holding on issues raised by MLATs has come before the Supreme Court, some such cases bear on MLATs. These include United States v. Verdugo-Urquidez,[89] and United States v. Alvarez-Machain,[90] a pair of related Mexican cases involving narcotics involving the murder of a U.S. Drug Enforcement Agency (DEA) official. Verdugo-Urquidez established that U.S. Fourth Amendment protections do not apply to searches and seizures by U.S. officials of non-resident, non-citizens in a foreign country, such as those requested in MLATs.[91] Alvarez-Machain established that LEAs may operate outside MLATs, and tacitly sanctioned a DEA arrest via illegal abduction.[92]

          3. MLAT Classifications

[35]     There are multiple kinds of MLATs, and their classification may be viewed along multiple vectors—including signatory scope, category of law, law enforcement goal, treaty focus, criminal threat model, phase, and status. There are multiple sub-options within those classifications. The first vector—signatory scope—may be multilateral (global or regional), bilateral, or unilateral. Multilateral MLATs enshrine agreements between more than two countries.[93] Bilateral MLATs enshrine agreements between two countries.[94] Monolateral MLATs may be considered one-way laws, enacted by some countries to enable them to assist foreign MLA in the absence of actual bilateral agreements with other countries.[95] Regional multilateral MLATs may involve only a handful of countries, while global multilateral MLATs may involve almost every country. A country may enter into both a multilateral MLAT with another country, and a bilateral treaty with that country, creating legal overlap. Organizations administering multilateral MLATs include the E.U., the Council of Europe, the U.N., the Organization for Economic Cooperation and Development, the Association of Southeast Asian Nations, and the Organization of American States.[96]

[36]     Naturally, not all MLATs are created equal. Some multilaterals MLATs are not directly enforceable in the member states.[97] Instead, signatories are required to adopt laws or procedures which have the desired effect and are enforceable. For example, in the United Nations Convention Against Illicit Trafficking Narcotic Drugs and Psychotropic Substances, “signatories are required to [implement laws or] procedures which will enable the signatories’ own authorities to ‘identify, seize, and freeze’ proceeds or property derived from illegal drug activities.”[98] For this reason, bilateral treaties are considered significantly stronger than many multilateral treaties.

[37]     A treaty’s category of law may be either civil or criminal, as some MLATs deal with civil law and others with criminal law. We concern ourselves primarily with criminal MLATs or MLAT provisions. The law enforcement goal of treaties may include extradition (or what some call a rendition) or non-extradition mutual legal assistance. Extradition or rendition treaties are often viewed as separate from MLATs, but they are closely related.[99]

[38]     In the fourth category, treaty focus, a treaty may be either simply a general MLAT, or it may have MLA provisions incidental to other treaty foci. Examples include tax agreements, customs agreements, Hague Convention on Child Abduction,[100] and Schengen Acquis Treaty.[101]

[39]     Motivation for a number of MLATs has been linked to campaigns against specific crimes.[102] These MLATs may be narrow, and may overlap with other MLATs. Criminal threats—the fifth MLAT classification vector—may include one or more specific criminal threats. These may include narcotics, anti-bribery, human trafficking, skyjacking, organized crime, terrorism, weapons trafficking (including nuclear weapons), or tax evasion incident to banking secrecy laws.

[40]     MLATs typically take five to ten years to develop between a few principal phases.[103] For this reason, attempts to identify treaties by date can result in greater confusion. We classify MLATs by a sixth vector—phase—to clarify whether and where it may be in force. Phases include drafting, signing, acceptance, approval, ratification, deposit of instrument, accession, and entry into force. These can all happen on different dates, or the same date, depending on the treaty.

[41]     Only in the last of these phases is the MLAT actually in effect, a status often referred to as “treaty in force.”[104] For this and other reasons, such as expiration or a country ceasing to exist, a treaty may have a status of “not in force.”[105] Another issue with MLATs is finding definitive sources and agreeing on a definitive citation. As they are by nature signed by at least two parties, each party may claim to hold the definitive reference. Not to mention each treaty has multiple versions on its long journey from drafting to entry into force.

Cortes image 2 

Figure 4. India, U.S., and U.S. MLAT growth.[106]


          4. MLAT Measurement – The MLAT Database

[42]     In this article, we perform the first comprehensive and global analysis of MLATs. From original sources, we have constructed what is—to our knowledge—the first complete database of all MLATs, providing the first MLAT big picture. Between 1977 and 2013, the number of MLAT relationships between all countries grew from a few to several hundred.[107] During this period, the number of participating countries grew also.[108] Between the U.S., and the U.K. alone treaties grew from 1 to 105.[109]

[43]     MLAT analysis shows that new adversarial models are necessary to take into account global surveillance, and that different governments may pose different, quantifiable risks to civil liberties and anonymous network communications, based on observable factors such as MLATs in force. The database consists of 32 tables and reports. Tables capture links to the original documents, the official source repository for the document, lists of signatory countries, dates, and any other available information. Some tables capture multilateral treaty information, and others capture bilateral treaty information. We summarize the various treaties and treaty sets in a summary table.

 [44]     We use the ISO 3166 standard to identify 191 autonomous governments in the world.[110] A set of scripts loop through various tables to create summaries and reports, including total number of treaties entered into by countries, and which countries have treaty relationships with each other. We then bring to light MLAT cartels, groups of countries that have entered into treaty relationships with each other, whose LEAs may cooperate. We provide for treaty risk weights to experiment with different scoring algorithms.

     B. Motives for MLAT Growth and Expansion

          1. Roots Combatting Money Laundering

[45]     Mark M. Richard—the Deputy Assistant Attorney General of the Criminal Division—testified to the advantages of MLATs over letters rogatory to the House Foreign Affairs Committee in 1987.[111] He stated “an MLAT, either by itself or in conjunction with domestic implementing legislation, can provide a means of overcoming bank and business secrecy laws that have in the past so often frustrated the effective investigation of large-scale narcotics trafficking operations.”[112]

 [46]     In the 1970s, against a backdrop of bank secrecy laws and the emergence of offshore tax havens, the rise of the Internet saw a rise in money laundering crimes, including the two largest categories, narcotics­ and bribery related crimes.[113] This partially drove MLAT expansion after 1977. Complex international cases—notably, one concerning commodities trader Marc Rich, then the largest tax evasion case in U.S. history—drove the U.S. Department of Justice to seek more formal methods to gain international cooperation and legal assistance from other governments.[114] 

[47]     Since then, an increasing number of MLATs have been implemented around the world. Treaty growth is driven by a number of factors, including both government and corporate agendas. The latter include the desire to expand business abroad unfettered by bribery demands and—more recently—legal uncertainties regarding CSP obligations to provide subscriber information to LEAs. Corporate anti­bribery initiatives played a significant motivating role in the expansion of MLATs in recent decades. The poorest countries may be the most frequent targets of enforcement.[115]

[48]     Choi and Davis found that “at the country level we report evidence that the SEC and DOJ impose greater aggregate sanctions for violations in countries with a lower per capita and weaker local anti-bribery institutions.”[116] Further, this skew may not be related to a higher prevalence of guilt by poorer countries, as Choi and Davis go on to conclude: “overall, these findings suggest that factors besides those deemed relevant by U.S. and international law influence enforcement of the FCPA.”[117] For example, the OECD treaties—where Asian countries predominate—reflect an emphasis on reducing the cost of doing business (i.e., the cost of bribes) for wealthy companies leveraging profits in poor countries.[118]

[49]     Sadly, MLATs and other tools failed to recover the estimated $5 billion the Marcoses laundered out of the Philippines—mainly to Swiss banks[119]—or to provide restitution or justice to their victims of domestic terror.[120]

          2. Returning the Favor: Performance Certainty 

[50]     Fed up with years of lacking assistance from other governments in the pursuit of bank secrecy targets like Marc Rich, the U.S. DOJ first negotiated MLATs—like the 1977 one with Switzerland—to have teeth in compelling other governments to cooperate and assist.[121] Thirty years later, their success demonstrated apparent but unintended consequences for Boston College academics. ACLU of Massachusetts summed up in its brief:

[t]he government . . . maintains that the Applicants are not entitled to any judicial review. In the government’s view, the Mutual Legal Assistance Treaty between the U.S. and the U.K. authorizes a foreign power, acting with the Executive’s unreviewable stamp of approval, to compel citizens to produce confidential information for prosecutions abroad.[122]

[51]     Countries also sought to ensure performance certainty with MLATs. For instance, the Eleventh Circuit reversed an order overruling MLAT compliance with a request from Canada regarding a smuggling operation, holding that “MLATs . . . have the desired quality of compulsion as they contractually obligate the two countries to provide to each other evidence and other forms of assistance needed in criminal cases,”[123] both during pre-charge investigation and post-charge prosecution stages.[124] The court also ruled that

despite the apparent versatility of 28 U.S.C. § 1782—titled “[a]ssistance to foreign and international tribunals and to litigants before such tribunals—law enforcement authorities found the statute to be an unattractive option in practice because it provided wide discretion in the district court to refuse the request and did not obligate other nations to return the favor that it grants.”[125]

[52]     Press coverage of the First Circuit missed the point that MLAT treaty compliance is intended by its drafters to be non­discretionary.[126] Those that grasped this argued that the Boston College Trustees should have challenged this point more strenuously, and pursued the request to the court to quash the subpoenas on grounds of academic freedom, among others.[127] We discuss this case in further detail later.[128]

[53]     Regarding MLAT performance certainty, Senator John Kerry—ironically a member since 1990 of the same Senate Foreign Relations Committee that approved MLATs, including Chair from 2009–2013, and now Secretary of State himself—wrote a letter regarding Trustees of Boston College to the then Secretary of State Hillary Clinton.[129] In that letter, he wrote:

Given my deep concern, I spoke to Attorney General Holder about this matter late last year. I fully recognize that the United Kingdom has invoked the provisions of our Mutual Legal Assistance Treaty and that this is clearly a factor that affects our flexibility dealing with such a request. Nonetheless, given the close relationship we have with the United Kingdom and the deep and enduring interest all of us share in seeing a lasting peace in Northern Ireland, I would urge you to work with the British authorities to reconsider the path they have chosen and revoke their request.[130]

No one knew better than Kerry, since he—ironically, as Chair—approved the US-UK-MLAT that voluntarily tied its own hands.[131] It was to Kerry’s committee that Rotenberg had addressed his apparently unheeded 2004 testimony.[132]

[54]     MLATs strictly compel parties targeted for investigation to perform under the MLAT, but do not seem to likewise compel the Attorney General to require enforcing countries to conform to MLAT terms. In Boston College Trustees, the government attempts to argue just that, stating:

[T]his Court affirmed in In re: Request, the US­UK MLAT by express terms precludes a private party from refusing to comply with a request for production of documents on the ground that the requirements of the treaty have not been followed. Thus, even if Price’s death did call into question whether the United States was still required to provide the documents to the UK pursuant to the treaty, which it does not, that would not absolve Boston College of its obligation to provide the documents to the United States and this appeal would remain viable.[133]

[55]     The First Circuit has cited the US­UK MLAT in ruling it allows the US Attorney General to decide to pursue a request despite noncompliance with treaty terms: “Treaty is intended solely for mutual legal assistance between the parties. The provisions of this Treaty shall not give rise to a right on the part of any private person to obtain, suppress, or exclude any evidence, or to impede execution of a request.”[134]

          3. Executive v. Judicial Branches

[56]     There can be little doubt, when reviewing current court cases and government briefs, that our executive branch views MLATs as a general strategy to expand its powers and enable law enforcement aims to supersede constitutional protections when reviewing current court cases and government briefs. Having attempted to remove judicial discretion from the treaties, the government’s position since then has been to convince the judicial branch of its resulting lack of power to enforce constitutional protections. For example, in Boston College Trustees, the Court summarizes the Executive Branch’s position:

The government, for its part, contends that courts do not have discretion under the US–UK MLAT to review for relevance materials subject to a subpoena. It states that only the Attorney General, not the courts, has discretion to decline, delay or narrow a request under the treaty. . . . Pursuant to Article 3 of the US–UK MLAT, it is the Attorney General who decides whether to accede to a request from the UK, to narrow compliance to a certain aspect of said request or to decline to cooperate altogether. The government, however, erroneously concludes that the Attorney General’s exclusive prerogative in initiating proceedings translates into a general bar on judicial oversight of the subpoena enforcement process.[135]

[57]     The court in Commissioner’s Subpoenas also noted “United States courts have consistently ruled that similar provisions in other treaties do not important substantive constitutional or statutory protections into the extradition context.”[136] It concluded:

[p]rior cases involving similar language in other treaties further illustrate that vague and general references to the ‘law of the Requested State’ in treaties must be carefully construed in the context of all the language of the Treaty and cannot simply be read in mechanical fashion as the appellees contend . . . .[137]

The court goes on to cite Elcock v. United States—an extradition treaty case—which, while distinguishable, found:

Had the parties intended that each would apply its own [substantive] law in determining whether the requested extradition would violate double jeopardy principles, they could have clearly stated as much….In the absence of such a provision, a court may not simply rely on the meanings the terms of the treaty have in the context of domestic law.[138]

Additionally, the Second Circuit established that the U.S. government may conduct investigations and obtain evidence outside MLAT provisions.[139]

[58]     The little noticed 2003 Eleventh Circuit case In re Commissioner’s Subpoenas[140] already provided the grounds on which Rotenberg’s prophecy for the Budapest Cybercrime Treaty would come true:[141] that “vague and general references” to legal protections offer scant protection to privacy and other civil liberties in treaties.[142]

[59]     Perhaps noting the ease with which the judicial branch sustained the executive branch’s inclination to deprioritize civil protections, we see that an increasing number of treaties explicitly exclude civil liberties in recent years.[143]

[60]     However, cases are currently working their way through the courts in which they take responsibility for review of MLAT requests, reasserting judicial review and the supremacy of the Constitution.[144] The executive branch continues to fight back on these efforts, through government appeals

          4. Surveillance-Related Motives: Governments

[61]     An examination of treaties—including the EU MLAC,[145] the EU-U.S. MLAT,[146] and the multilateral Budapest Cybercrime Treaty[147]—reveals their emphasis on surveillance, including online and telecommunications. While MLATs have been used to proliferate surveillance mechanically—they have also served to provide a little-observed legal basis for global surveillance by GIAs. 

[62]     Was extending surveillance globally a key motivating factor behind recent MLATs, or a by­product? For the answer to that question, we need look no further than public testimony by its drafters, on which the 2011 Global Fishing decision places so much emphasis.[148] For example, in 2005, Mary Ellen Warlow—the Director of the Office of International Affairs, Criminal Division, U.S. Department of Justice—made a statement before the Senate Committee on Foreign Relations concerning law enforcement treaties.[149] She testified:

 [T]his is the first United States MLAT to include special investigative techniques among permissible types of assistance. Specifically, Article 12 establishes that the Parties may use telecommunications surveillance, undercover investigations, and controlled deliveries, in accordance with their domestic law, in execution of requests for assistance. This provision was included at Germany’s request, to assert the Federal government’s legal authority, through the States, to undertake such actions on behalf of foreign authorities.[150]

Samuel M. Witten—the Deputy Legal Adviser for the U.S. Department Of State—further testified before the Committee on “An Extradition Treaty With Great Britain And Northern Ireland, . . . Israel, . . . Germany, and . . . Japan,”[151] stating:

The proposed U.S.­Germany Mutual Legal Assistance Treaty in Criminal Matters (MLAT) fills a significant gap in our network of MLATs with major European law enforcement partners . . . . The MLAT with Germany is typical of our over 50 MLATs with countries around the world, including most of the countries of Europe. It has several innovations, including provisions on special investigative techniques, such as telecommunications surveillance, undercover investigations, and controlled deliveries. It allows certain uses for evidence or information going beyond the particular criminal investigation or proceeding. . . .[152]

[63]     Broad surveillance provisions are found in every MLAT of this era. For example, Title III of the EU MLAC explicitly and in detail authorizes the use of “Interception of Telecom.”[153] Article 20 is noted for its implications: “[i]nterception of telecommunications without the technical assistance of another Member State.”[154] Surveillance has been automated to the point where Member State assistance in surveillance is no longer operationally necessary.[155]

[64]     By contrast, the Inter­American Convention on Mutual Assistance in Criminal Matters—which has more than 20 signatory states—specifically mentions neither telecommunications interception nor surveillance.[156] The Budapest Cybercrime Treaty contains extensive provisions for surveillance of real time metadata, as well as content.[157] This extends to a requirement that signatories conceal the fact of surveillance: “[e]ach Party shall adopt such legislative and other measures as may be necessary to oblige a service provider to keep confidential the fact of the execution of any power provided for in this article and any information related to it.”[158]

[65]     The EU-U.S. MLAT—into which parties entered negotiations shortly after 9/11, and which entered into force in 2010—provides broad powers that include surveillance.[159] It provides, “[m]utual […] assistance shall be afforded to a national administrative authority,” investigating matters for a criminal prosecution could include requests for surveillance or the interception of communications.[160] Under Article 7, broad requests can be made by “fax or e­mail, with formal confirmation to follow when required by the requested State.”[161]

[66]     Referring to Article 5, Section 3, commented:

EU law enforcement officers in the joint teams from the state where the operation is being conducted will be allowed to circumvent formal requests for mutual assistance by directly requesting surveillance by other national agencies, the interception of telecommunications, search warrants, arrest and detention. No mechanisms for accountability are set out.[162]

          5. Surveillance-Related Motives: Third Parties 

[67]     Third parties play an important role in pushing the expansion of MLATs.[163] Dramatic increases in requests to third parties for otherwise private communications has led to their collaboration in implementing technical standards and capabilities for surveillance. We summarize briefly here.

[68]     Responding to pressure from governments around the world for access to subscribers’ private data and communications, third parties like Facebook have lobbied to implement technical standards facilitating surveillance through MLATs.[164] In this way, MLATs play a quiet role in mandating technological solutions to facilitate government surveillance.

[69]     Through ETSI standards, like ETSI Technical Standard 102 677,[165] third parties have sought to incorporate CSP Lawful Intercept technical design and infrastructure standards and requirements into MLATs, to facilitate remote surveillance automation.[166] It appears from various treaty provisions that this automation has been taken into account, and is assumed. For example, Article 20 of the EU MLAC covers Interception of Telecommunications without the technical assistance of Another Member State.[167]

[70]     MLATs also invoke action immediately upon ratification in another sense: the requirement to implement specific legislation—including international technical standards like ETSI TS 102 677—which details dynamic triggering” for fully automated “lawful” interception (i.e., surveillance).[168] Another interesting standard is ETSI TS 187 005, Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Lawful Interception; Stage 1 and Stage 2 definition.[169]

[71]     Others have documented extensive collaboration by telecommunications and other third parties on purveying information to the U.S. government.[170] However, the collaboration by third parties with foreign GIAs through MLATs has received scant attention. How collaboration with non-U.S.-countries can impact U.S. citizens has also received scant attention.

[72]     In the past, evidence was collected by law enforcement agencies. When one government LEA sought evidence from another jurisdiction, it generally sought it from the other jurisdiction’s LEA. But with the advent of electronic communications, foreign governments are increasingly seeking evidence from foreign third parties—mostly U.S. third parties like Google, Twitter, and Facebook. The increasing demands on third parties for access to subscribers’ personal communications information has effectively compelled third parties like Facebook to exert pressure to expand MLATs, in order to set boundaries for this demand.[171] Hosein and Banisar observed of the then­draft Budapest Cybercrime Treaty that “[its] requirements are extremely expansive in scope, and impose significant burdens on Internet providers, operators, users and equipment manufacturers to collect information, conduct surveillance and provide assistance.”[172]

[73]     The recent increase in corporate transparency reports and takedown demands documents this. In the first six months of 2013, petitioners from almost 100 countries had submitted almost 25,000 takedown requests to Google alone.[173] Transparency reports from Microsoft,[174] Twitter,[175] Facebook,[176] and others report similar trends. The desire by these third parties to set boundaries on these requests is a key driving factor behind the involvement of CSP in MLATs. In becoming so involved, third parties found themselves drawn deeper and deeper into MLAT surveillance collaboration. This resulted in a marriage between not only the global CSPs and U.S. surveillance interests like the NSA, but GIAs of all countries.

[74]     A number of documents reveal the extent of this corporate involvement. By September 2012, the International Chamber of Commerce (ICC)[177] was drafting detailed recommendations for MLATS.[178] By 2010, the ICC was already involved in recommending technical standards for “best practices for lawful intercept requirements,” including “dynamic triggering.”[179] By 2012, it issued detailed recommendations for MLAT modifications.[180] The ICC refers to MLAT terms that enable and facilitate third party collaboration in LI as “benefits for governments, LEAs, and CSPs”, and enumerates:

  • Consistent requirements can also help CSPs respond to LI requests in ways that accelerate access to data for LEAs, including by:

◊ Providing CSPs with clarity on LI requirements, which in turn reduces the real or perceived risk of subsequent legal challenge to a CSP decision to supply data and avoids the need for complex dialogues on legal requirements and processes; and

Allowing CSPs to ensure that they have requisite legal authority to implement existing technical protocols for cross-border LI, such as the proposed European Telecommunications Standards Institute (ETSI) “dynamic triggering” process for mobile wiretaps.[181]

[75]     The ICC acknowledges the risks to privacy, and gives a nod to individual rights, observing: “new processes for transferring personal information can raise tensions with privacy and data protection rights under national and transnational law. Both concerns are extremely important, and can be managed in a responsible manner.”[182] However, few ideas are proposed for effectively protecting those rights.

[76]     In 2010, the ICC recommended member countries adopt internationally consistent technical standards for LI.[183] Later, it noted that adoption and implementation of ETSI DTS 102 677 “could be influential” in ensuring CSPs “have the requisite legal authority to implement existing [and proposed] technical protocols for cross-border LI.”[184] The proposed ETSI DTS 102 677 standard is one of a large set of LI technical standards for CSPs, which detail technically how surveillance works.[185] ETSI TS 187 005 provides further technical detail about how CSPs actually pick up our communications.[186]

[77]     Facebook, Google, and other third parties work through the trade organization ICC to implement international surveillance technology standards.[187] The multi­stakeholder group Global Network Initiative—in which Google and Microsoft, as well as other CSPs, participate—announced in its 2015 public policy agenda: “Data Beyond Borders: Mutual Legal Assistance in the Internet Era,” setting forth a public policy agenda to help further shape MLAT policy.[188]

[78]     A critical concept reflected in these documents is dynamic triggering.[189] ETSI TS 102 677 defines dynamic triggering as “a framework and architecture for achieving dynamic invocation of [Content of Communication (CC)].”[190] In other words, global CSP through ICC are recommending standards to accomplish interception, not just of metadata like time of communications and parties’ names, but of the communications themselves. ETSI TS 102 677 goes on to state that its protocols are intended to be re­usable in any generic service domain and transport network scenario requiring the use of dynamic activation of lawful interception. The framework and architecture in the present document when included within specific service domain standards (e.g. 3GPP IMS) and transport network standards provides a consistent and inter­operable approach to dynamic triggering across multiple technology standards and/or multiple operators. The present document enhances other LI specifications to provide interoperability across different technologies or domains.[191]

[79]     The role of MLATs in this otherwise dry technical standard becomes clear: “[t]he present document assumes the necessary legal frameworks are in place to allow the use of dynamic triggering in both single and multiple operator domains. Any legal issues concerning the use of dynamic triggering are outside the scope of the present document.”[192] In other words, technology can only accomplish so much. Beyond that, countries and individuals must seek a legal framework to justify surveillance.


III. MLATS and Civil Liberties

 [80]     As of 2013, the Supreme Court invalidated 176 laws as unconstitutional.[193] Against this background Google argues that secrecy laws surrounding surveillance themselves are illegal on the ground they violate the First Amendment.[194] One part of the government may abuse its ability to shape and pass laws that provide legal frameworks for agents’ otherwise unlawful behavior. For example, treaties and laws that seek to allow what would otherwise be unlawful (or unconstitutional) intercept in the name of lawful intercept.

[81]     MLAT’s efforts to legalize reductions to civil liberties have also been pointed out by others. In 2004, Mark Rotenberg of EPIC[195] provided testimony to the U.S. Senate, presenting his work and the work of Gus Hosein at Privacy International and others on the Budapest Cybercrime Treaty.[196] Rotenberg addressed four broad areas: that the treaty “[1] lacks adequate safeguards for privacy. . . [2] [has] vague and weak privacy protections. . . [3] [has] insufficient recognition of international human rights obligations. . . [and] [4] lacks a dual-criminality requirement.”[197] He also noted that the work was “drafted in a secret and non-democratic manner,” and “most European countries have failed to ratify” it.[198] Nevertheless, the U.S. did ratify the essentially unchanged treaty three years later—as did many other countries.[199]

[82]     At this hearing, prior to the era of disclosures of mass surveillance, Rotenberg accurately foreshadowed the Snowden disclosures, stating:

We object to the ratification of the Cybercrime Convention because it threatens core legal protections, in the United States Constitution, for persons in the United States. The treaty would create invasive investigative techniques while failing to provide meaningful privacy and civil liberties safeguards, and specifically lacking judicial review and probable cause determinations required under the Fourth Amendment. A significant number of provisions grant sweeping investigative powers of computer search and seizure and government surveillance of voice, e-mail, and data communications in the interests of law enforcement agencies, but are not counterbalanced by accompanying protections of individual rights or limit on government use of these powers.[200]

[83]     Two years earlier, Hosein and Banisar had warned similarly, “vague statements about the need to respect those rights . . . will quickly deteriorate in practice, to the lower common denominator.”[201] Yet dire as the analyses of Rotenberg, Hosein, and Banisar were, the Department of Justice continues to draft MLATs further eroding civil liberties.

     A. Judicial Review and Constitutional Supremacy 

[84]     In an amicus brief to Boston College Trustees, ACLU of Massachusetts (ACLUM) summarizes a key MLAT issue: “If the government has its way, its desired straightjacket on judicial review would apply to investigations and prosecutions by any foreign country party to an MLAT[.]”[202] The doctrine of judicial review and the supremacy of the Constitution enable access to all civil liberties protections and prevent the enforcement of unconstitutional laws. We briefly summarize judicial review here.

[85]     The Constitution does not specifically use the term “judicial review.” The power to declare laws unconstitutional is nevertheless a long-recognized aspect of the powers given to the Judiciary by Article III.[203]

[86]     Essentially, since the Supremacy Clause says “[t]his Constitution” is the “supreme law of the land,” federal statutes are lawful only when they emanate from the Constitution. State constitutions and statutes are valid only if they are consistent with the Constitution.[204] Any law contrary to the Constitution is unlawful. The Supreme Court has final jurisdiction in all cases arising under the Constitution, so it has the final authority to decide whether statutes are lawful—that is, consistent with the Constitution. This is how lawful Intercept (LI) can become Unlawful Intercept (ULI). Judicial review provides fundamental protection of civil liberties, and provides a check and balance of power on the Executive and Legislative, and branches.

[87]     The Executive branch, having invested significant effort in negotiating MLATs, took the opportunity to expand its own powers and enable law enforcement goals to work around constitutional restrictions. It has worked continuously to convince the judicial branch of its lack of latitude to enforce constitutional protections. A review of Senate Foreign Relations Committee hearings regarding the Cayman Islands MLAT ironically reveals that leading conservative—and staunch opponent of the 1964 Civil Rights Act—Senator Jesse Helms as the main opponent of the Executive’s strategy to reduce civil rights under MLATs.[205] He introduced a simple amendment: “To add an understanding that nothing in this treaty requires or authorizes legislation or other action by the United States of America prohibited by the Constitution of the United States.”[206] Helms stated on October 24, 1989:

I have insisted for months and months on end to the State Department that if clarifications such as I am offering today were incorporated into the MLAT’s [sic], there would be no problem for me. But I took an oath right here on the floor, three times, to protect the constitutional rights of the American people. I do not intend to surrender those rights, even inadvertently.[207]

Helms addressed his remarks to none other than his distinguished colleague on the Committee, Senator John Kerry.[208] Kerry opposed Helms’ opposition to ratifying the treaties and the two battled it out for two years.[209] Kerry stated in the same hearing, conceding Helms’s point:

Each of the treaties has an escape clause which permits our chief law enforcement official, the Attorney General, to make a determination, if at any time there is some reason to believe the treaties might be abused, that somehow the criminal justice process might be diverted by virtue of corrupt officials in another country or some other possible barrier to the appropriate use of these treaties, indeed the United States has the right not to provide information, not to cooperate under the treaty, as do other countries, similarly, if they think we are on a fishing expedition. . . . I understand wholeheartedly the interests that motivate the distinguished Senator from North Carolina. He has not sought changes in these treaties because he objects to the concept of cooperating or fighting the war on drugs. He has had legitimate concerns about the interests of the United States and the application of our own Constitution. I think those concerns have been met in the amendments we are poised to accept, and I want to thank the distinguished Senator for his cooperation in helping us to reach this point.[210]

[88]     Helms’ wording was eventually accepted in watered-down form. Curiously, no courts have reviewed Helms’ extensive remarks in 1988­1989 insisting on these protections, Kerry’s objections, or the clear intent of the ultimate adoption of constitutional supremacy. Instead, the courts over the past 30 years have tended to accept the Justice Department’s assertion that performance is mandatory, and judicial review is precluded.

[89]     Recently, however, courts have begun to reassert responsibility for judicial review of MLAT requests, citing separation of powers and the supremacy of the constitution.[211] Cases increasingly reflect this struggle, and seems headed to the Supreme Court for review. The Executive Branch continues to fight back on efforts to assert judicial discretion through government appeals.

[90]     Recent cases winding their way through the courts appear to be starting to slowly confront the fundamental constitutional challenges of MLATs. In 2011, the Ninth Circuit issued a ruling that—while it did not benefit its hapless subject, Arkadi Gontmakher—did first seem to confront the issue of judicial review.[212] That case established that MLATs are subject to judicial discretion, albeit on a very limited basis.[213] This built on a similar Eleventh Circuit holding from 2003, which we review in the Law of the Requested State section.[214]

[91]     Nevertheless, these rulings have been echoed in Trustees of Boston College, Palmat, and others to support the view that the executive branch espouses—that MLATs are subject to little or no judicial review.[215] The ACLU of Massachusetts argued in its amicus brief to Boston College Trustees that “[t]hese cases effectively surrendered judicial review of foreign requests for evidence in criminal cases to the judgment of the executive branch. Nothing in the UK­MLAT requires such a result.”[216] A review of these cases reveals the struggle between the executive and judicial branches ripe for Supreme Court review.

[92]     The Global Fishing decision—increasingly cited and roundly criticized by the ACLU—states

[o]ur conclusion that the parties to the treaty intended to remove the district court’s traditional ‘broad discretion’ does not end the inquiry. The government argues that, upon receiving an MLAT request for assistance from the executive branch, the district court has no choice but to comply with that request.” According to the government, the constitution imposes no limits on what the executive branch may require the courts to do in that situation.[217]

[93]     We disagree. Treaties, like statutes, are subject to constitutional limits, including the separation of powers and the guarantee of due process.[218]

[94]     The court goes on to say “[t]he enforcement of a subpoena is an exercise of judicial power.”[219] It harshly criticizes the government’s position, stating:

According to the government, the executive branch has the authority to exercise that power directly, because the district court is required, by virtue of an MLAT request, to compel the production of requested documents. The government’s position leads to the inescapable and unacceptable conclusion that the executive branch, and not the judicial branch, would exercise judicial power. Alternatively, the government’s position suggests that by ratifying an MLAT, the legislative branch could compel the judicial branch to reach a particular result—issuing orders compelling production and denying motions for protective orders—in particular cases, notwithstanding any concerns—such as violations of individual rights—that a federal court may have. This too would be unacceptable.[220]

[95]     Rulings since Global Fishing have picked up on the Ninth Circuit’s nod to judicial accountability to the constitution, and the executive branch’s opposition. Recently, the First Circuit widened the crack, opened by the Ninth Circuit, in MLATs’ apparently impenetrable armor by asserting its right to judicial review, but declining to exercise it.[221] In 2013, the First Circuit also found that federal courts have the authority to quash MLAT subpoenas, but it declined to do so.[222]

[96]     Between 2000 and 2006, Boston College academics carried out a project to record oral histories relating to armed domestic strife in Ireland in the 1970s between Ireland and the U.K.[223] A condition of the project was that Boston College would guard interviewees’ confidentiality until their death, under what it believed and asserted to be an academic privilege conferred by the First Amendment.[224] Among those oral histories was testimony by former IRA members Brendan Hughes and Doulours Price regarding some alleged murders, including that in 1972 of Jean McConville, a widowed mother of 10 suspected of informing against the IRA.[225]

[97]     In 2011, the U.K. filed a request for the recordings pursuant to its MLAT, which the U.S. Attorney General duly carried out, seeking and receiving in 2012 a subpoena directing Boston College to turn over the recordings.[226] They complied with the first subpoena as it included interviews with Brendan Hughes, a former Irish Republican Army (IRA) member who was by then deceased. However, in a second 2012 subpoena, Boston College was ordered to turn over 85 tapes—including that of the Doulours Price testimony—to Ireland.[227] Boston College appealed. It asserted, among other things, that revealing the contents of the recordings could expose Doulours Price and Boston College academics to acts of violent revenge.[228] In 2013, the First Circuit ruled against Boston College, ordering it to turn over additional recordings, including those of Doulours Price.[229] Thus, the court handed down a ruling against Boston College—a disappointment to First Amendment defenders in general, and those defending academic privilege in particular. The ruling did include a small silver lining for concerned MLAT­watchers. It merely asserted that the doctrine of judicial review did not enable the DOJ to unilaterally force MLAT terms on the judiciary.[230] This came too late to help Doulours Price, as she was found dead in her home in January 2013.

The First Circuit noted that Boston College

further urges this court to decide whether a district court has discretion to quash a subpoena issued pursuant to the US–UK MLAT. . . . The government, for its part, contends that courts do not have discretion under the US–UK MLAT to review for relevance materials subject to a subpoena. It states that only the Attorney General, not the courts, has discretion to decline, delay or narrow a request under the treaty . . . Pursuant to Article 3 of the US–UK MLAT, it is the Attorney General who decides whether to accede to a request from the UK, to narrow compliance to a certain aspect of said request or to decline to cooperate altogether.[231]

[98]     The government, however, erroneously concludes that the Attorney General’s exclusive prerogative in initiating proceedings translates into a general bar on judicial oversight of the subpoena enforcement process. The treaty is silent as to the role of federal courts in the process of enforcing subpoenas issued in furtherance of a request by the U.K. Of course, this silence does not mean that the actions taken by the Executive once the Attorney General decides to comply with a request are totally insulated and beyond the purview of oversight by the courts. In fact, courts play a prominent role in aiding the Executive’s administration of its obligations under the treaty.[232] In Boston College, the First Circuit ruled that the enforcement of subpoenas is an inherent judicial function, which, by virtue of the doctrine of separation of powers, cannot be constitutionally divested from the courts of the United States. Nothing in the text of the US–UK MLAT, or its legislative history, has been cited by the government to lead us to conclude that the courts of the United States have been divested of an inherent judicial role that is basic to our function as judges.[233]

[99]     The Court re­emphasizes this throughout the rest of the decision, noting it has “unequivocally established that courts have inherent judicial power over the enforcement of subpoenas issued in the context of a proceeding pursuant to the US–UK MLAT.”[234] It expresses withering criticism of the government’s position in footnote 5:

On [one] occasion, the government assumed arguendo that the discretion to quash existed and that the court acted properly within it. . . .This is in sharp contrast to what the government had argued unsuccessfully in another case involving an MLAT where it denied such discretion existed.. . . In the appeal before us now, the government has again changed its position…and the guarantee of due process.[235]

[100]   Thus, we see the executive branch continuing to pursue the argument that courts have no discretion over MLAT enforcement, and enforce the unconstitutional MLAT terms, while the judiciary begins to push back. Until the court awoke to the direct challenge to its own rights and authority, it seemed to take a laissez-faire attitude towards protecting the rights of individuals. Further MLAT challenges are likely to come before the courts.

[101]   Following the decision against Boston College, the government was not satisfied to have prevailed over academic freedom. The government petitioned the judge to change his own Boston College Trustees ruling, to eliminate the very sections in which the court ventured its assertion of the separation of powers doctrine: “that federal courts have the authority to quash MLAT subpoenas.”[236]

[102]   “Relevant to this inquiry,” Boston College’s brief responds

Boston College further urges this court to decide whether a district court has discretion to quash a subpoena issued pursuant to the US­UK MLAT. The government, for its part, contends that courts do not have discretion under the US­UK MLAT to review for relevance materials subject to a subpoena. It states that only the Attorney General, not the courts, has discretion to decline, delay or narrow a request under the treaty.[237]

[103]   Boston College summarizes that the ruling accepted Boston College’s argument that federal courts have authority to quash MLAT subpoenas, and . . . expressly rejected the government’s argument that they did not. The government . . . did in fact address the issue, and did so in a contradictory fashion that, in the end, acknowledged federal courts’ authority.[238]

[104]   Boston College laid out its arguments for judicial review of MLATs, stating in “its responsive brief in this appeal, the government acknowledged that it had not appealed from the ruling below that the district court had authority to quash the US­UK MLAT subpoenas, explaining that the government ‘was satisfied with the result reached by the district court.’”[239] Boston College continued that “the government nonetheless asserted in its responsive brief that the district court had no discretion to consider Boston College’s objections to the subpoena under either the US­UK MLAT or 18 U.S.C. § 3512, and that the treaty ‘reserves the authority to take these actions [to decline, delay, or narrow the request] to the Attorney General, not the courts. . . .’”[240] Boston College’s brief quotes the government that “‘[t]o the extent courts retain discretion,’ that discretion should be narrowly exercised.”[241] To support its argument, Boston College continues, “the government cited the same Ninth Circuit decision[Global Fishing], on which Boston College based its argument in the district court for that court’s authority to quash MLAT subpoenas.”[242]

[105]   Boston College outlined its case for judicial review of MLATs, citing additional portions of the government’s previously filed brief to show that the United States took a conflicting position regarding the court’s authority to quash MLAT subpoenas earlier in the litigation than the position taken in the Petition for Rehearing. Boston College quotes that government brief as stating that while this court was ‘not require[d]’ to address [the authority and scope of the federal courts’ discretion in determining the legality of an MLAT subpoena] if it did so, ‘it is the United States’ position that the district court’s discretion is limited to evaluating whether the issuance of a subpoena would offend some constitutional guarantee or violate a recognized federal privilege.[243]

Therefore, Boston College’s brief continued,

[i]t is puzzling that the government now seeks in its Petition for Rehearing a rewriting of this court’s opinion to remove language confirming the authority of federal courts to quash MLAT subpoenas, when recognition of that authority is not substantially different from what the government in its responsive brief said is the ‘United States’ position’ on the issue.[244]

[106]   Boston College wryly observes, “[t]his court’s decision apparently describes the nature of the courts’ authority in more robust terms than the government likes. . . .”[245] Boston College concludes its arguments against expunging reference to judicial review of MLATs from the court’s decision by invoking estoppel:

The briefing history in this appeal shows that the government did have the opportunity to address, and actually did address, the issue of federal courts’ authority to quash MLAT subpoenas. This history further shows that the government in its responsive brief did acknowledge that federal courts have ‘discretion’ – which presupposes authority – to quash MLAT subpoenas. This history requires rejection of the government’s request now that the court rewrite its May 31, 2013 opinion to expunge the court’s decision on this issue.[246]

[107]   Judge Toruella agreed, and long after watchers had assumed the Boston College case was over, he issued another key ruling. He denied the government’s request that the court essentially revise and expunge the portion of its own ruling, holding that MLAT subpoenas are subject to judicial review.[247] Thus, judicial review of MLAT subpoenas received recent support from the First Circuit, despite its overall adverse ruling on other civil liberties in Boston College Trustees. 

[108]   Rulings since Boston College Trustees have picked up this theme. Palmat, out of the Southern District of Florida notes the defendants base their claim in the Fifth and Fourteenth Amendment’s protection of an individual’s interests in avoiding the disclosure of personal matters.[248]

For the reasons set forth below, the Court agrees with Petitioner’s . . . argument . . . [that] the Supreme Court has observed, treaty obligations are ‘subject… to the Constitution’s guarantees of individual rights.. . . .Therefore, the Court has federal question jurisdiction pursuant to 28 U.S.C. § 1331 over a claim that a treaty obligation does not comport with a constitutional guarantee.[249]

     B. The Boomerang Effect: MLAT Collateral Impact

[109]   Naturally, a hidden risk of MLATs involves the way they may boomerang back to harm citizens in countries normally enjoying constitutional protections to their civil liberties. In US v. Trustees of Boston College,[250] commentators appeared to miss this point. Conservatives who had never concerned themselves with the possible fallout of LEA-catering MLATs in the past expressed outrage when the UK enforced its US MLAT in the recent US v. Trustees of Boston College case. In a 2012 press release in New York, the Irish American Republicans (IAR) condemned “in the strongest terms []the actions of President Barack Obama and Attorney General Eric Holder in trying to take private property and invade the private research archives of an American university, and then turn them over to a foreign intelligence service.”[251] It went on to lament, in new-found concern for the rights of the accused: “[t]he actions of the Obama administration are an utter disgrace, and a betrayal of the United States Bill of Rights and American national sovereignty.”[252]

[110]   The IAR statement complained “Attorney General Holder had issued subpoenas to Boston College, directing the university to turn over its extensive research archives on the Irish Troubles to the intelligence services of the United Kingdom, ‘a foreign nation.’”[253] Apparently ignorant of the compulsory nature of the US-UK MLATs,[254] the Obama administration, the statement said, “had chosen to act pursuant to the [MLAT] between the US and UK.”[255] The First Circuit sided with the U.K. The release goes on to berate:

The research archives of an American University are sacred, not to be delivered to foreign despots, by the government of the United States…Nothing could have a more chilling effect upon America’s First Amendment rights to free speech, right to petition and due process, and the western tradition of academic freedom, then this cowardly stunt by the Obama administration to deliver a private American research archive to a foreign power. . . . We call upon the United States Court of Appeals, 1st Circuit, to uphold America’s constitutional rights, and reject the subpoena to Boston College.[256]

[111]   Another example of MLAT consequences unforeseen or unheeded when Congress approved them—as many would characterize Boston College—is this collateral damage to freedoms of US citizens.[257] Global Fishing illustrates this aspect of harm to US citizens from the MLAT’s devil’s bargain.[258] Russia was the actual party seeking action against a U.S. citizen in Global Fishing—it sought data regarding Arkadi Gontmakher, a Seattle businessman and U.S. citizen who was jailed and eventually tried in Russia on charges that he was involved in the illegal harvest and sale of king crab.[259] Gontmakher argued that Russia was on a fishing expedition; in other words, harassing him.[260] His pleading stated that “the Court should enter a protective order relieving Global [Fishing] of any obligation to produce documents for use in the Russian investigation.”[261] They contended that the Russian proceedings are corrupt and illegal in a variety of ways, both in general and with respect to the specific proceedings against Gontmakher.[262] Apparently, there was credence to Gontmakher’s protests, as he was eventually tried and acquitted in Russia, and “a Russian judge has ordered the Russian government to pay 100,000 rubles and apologize to [him].”[263]

[112]   Global Fishing illustrates the lack of standing afforded defendants under many U.S MLATs. However, it also illustrates a kind of banking against the Snowdens of the world—where the U.S may seek a return of the investment of helping Russia pursue its political enemies in return for cooperation in apprehending U.S.’s political enemies. Gonhtmakher, by all indications an innocent victim of Russian extortion, was calculated collateral damage, readily foreseeable when the treaty was drafted. By entering into its MLAT with Russia—stripped of civil liberties, especially in political cases—the U.S. seems to have effectively promised Russia that the U.S. DOJ will not blink at compulsory MLAT enforcement on behalf of Russia, even in Russian political cases against U.S. citizens. In return, we predict the U.S. will expect Russia to one day force Russian citizens/residents to comply with U.S. demands under the MLAT, when a Russian resident/citizen—like Snowden, for example—may be target of a possible U.S. government politically­inspired charge. It would seem that Snowden—now facing a possibly politically­inspired charge by the U.S. government, and possibly the death penalty, although now a Russian resident, two formerly disallowed conditions in MLATs—might fit this bill exactly.

     C. MLATs and the Law of Requested States 

[113]   In 2003, a decision in a Eleventh Circuit case, In re: Commissioner’s Subpoenas—an appeal from the U.S District Court for the Southern District of Florida—laid the groundwork for later erosion of civil liberties protections in MLATs.[264] The court held in reversing an order overruling MLAT compliance with a request from Canada regarding smuggling that “we reject appellee’s argument that the ‘law of the Requested State’ should be read mechanically to incorporate all of the substantive law of the Requested State.”[265] Deferring to the Executive Branch, the court in a single swipe knocked down the application of precedent to any MLAT treaty requests, sacrificing any protections in our own country and states in the service of ensuring cooperation with US investigations and prosecutions in foreign countries. Referring to the Technical Analysis—or testimony regarding executive branch intent—the Court stated “The negotiator’s explanation of [the treaty] . . . does not appear to support the appellees’ reading.”[266]

[114]   The court noted that the treaty Technical Analysis “was prepared by the United States negotiating team, [and] constitutes the formal executive branch representations as to the meaning of this treaty and the obligations to be assumed by the United States under it.”[267] “This official interpretation by the executive branch is entitled to great deference by this court,” the court goes on to state, apparently less concerned with balancing deference to U.S constitutionality. [268] It then goes on to note that “the executive branch states that one purpose of . . . the MLAT, is to “provide[] slightly broader authority than 28 U.S.C. 1782 for U.S. federal courts to use their power to issue subpoenas and other process when Canada needs evidence for use before an administrative agency,”[269] sanctioning further expansion of Executive power, essentially granting it the ability to modify U.S. legislation when applying it in a treaty context.

[115]   Carter­appointed Circuit Judge R. Lanier Anderson III wrote, “we conclude that the magistrate judge erred in construing the MLAT to express a clear and unambiguous intent to make requests under the Treaty subject to the limitations of all other substantive law of the United States[.]” Judge Anderson admitted, however, “undeniably, the magistrate judge’s interpretation finds some support in the treaty text.”[270]

     D. MLATs and the Fifth, Sixth, and Fourteenth Amendments—Due Process is Not Applicable to Defendants

 [116]   In many MLATs (notably U.S. MLATs) legal assistance through MLATs is not explicitly available to defendants.[271] For many years, and as recently as 2015, courts have held that individuals—in other words, defendants—have no right to enforce MLATs.[272] Others have questioned whether this exclusion is legal under the due process provisions of the Fifth, Sixth, and Fourteenth Amendments to the U.S. Constitution. [273]

[117]   United Kingdom v. United States pitted the U.K. against the U.S. because the Crown Protection Service (CPS) “apparently pursuant to its discovery obligations under English law, served Appellants with a disclosure schedule prepared by the CPS and a British police constable after a visit to the offices of the US Secret Service in Miami.”[274] In other words, the U.K. CPS recognized its obligation to assist defendants and attempted to use a MLAT on behalf of defendants. The U.S. denied the claim on the grounds it did not interpret the same MLAT to require the U.S. to recognize any such defendants’ rights.[275]

[118]   Alistair Brown notes that there exists the “apparent determination of some states at least to ensure that individuals cannot invoke treaty provisions. Again, this is most easily demonstrated under reference to MLATs negotiated by the USA.”[276] Brown notes

It is accepted that it is open to the defence to enlist the aid of the court or even of the prosecutor in obtaining evidence under an MLAT but that is only half the story. In an adversarial system, the exclusion of evidence obtained irregularly is, if anything, more important to the defence in practice than obtaining evidence in support of a substantive defence on the merits.[277]

[119]   MLAT partners have a wide variation in their respect for individual rights and freedoms, which may have inspired signatories to abandon their citizens’ own rights and freedoms in the pursuit of law enforcement.[278] Foreign governments’ ability to deprive U.S citizens of their rights through use of MLATs has increased. In its role as enforcer of foreign MLAT requests, the U.S actually acts on behalf of the foreign government in abridging U.S. citizens’ rights.

     E. MLATs and the Fifth Amendment: MLATs Have No Double Jeopardy Bar 

[120]   MLATs have long ignored the rights of individuals to access their provisions. Newer treaties remove protections routinely included in earlier MLATs, and further expand LEA scope. According to U.S Department of Justice documents, there are several benefits to MLATs over other types of treaties or legal tools.

[121]   Brian Pearce, Resident Legal Adviser for the U.S. Embassy in Bangkok, points out in Mutual Legal Assistance, that “extradition treaties: double jeopardy is a bar (e.g., US-Thai Treaty Article 5: “If Requested State has tried fugitive for the same offense, extradition shall not be granted.”)[279] However, for “MLAT treaties: no such exception [exists].”[280] MLATs thus eliminate yet another right afforded under the Fifth Amendment’s Due Process clause. In United States v. Jeong, a South Korean national was convicted in South Korea for paying bribes to American public officials. He was sentenced to time served—58 days plus an approximately $10,500 fine.[281] The U.S. then requested evidence under the U.S.­South Korean MLAT, which has no double jeopardy exclusion.[282] Nevertheless, the U.S. stated it was “not seeking to further prosecute Jeong,” implying it would not put him in double jeopardy for the crime.[283] The defendant traveled to the U.S., believing he might receive assistance collecting money that his firm was owed by the agency he bribed.[284] Upon arrival in the U.S., he was promptly arrested and prosecuted for bribery, wire fraud, and conspiracy.[285] He was sentenced to five years and a $50,000 fine.[286] Apparently, the slap on the wrist imposed by South Korean judicial system did not seem to the DOJ OIA more than law enforcement theater. Jeong appealed on the grounds that the second prosecution violated the double jeopardy exclusion of another, multilateral MLAT.[287] The Fifth Circuit ruled against him, holding that no violation occurred—neither of the bilateral nor the multilateral MLAT—and that double jeopardy does “not attach when separate sovereigns prosecute the same offense.”[288]

[122]   The U.S­South Korean MLAT—like most U.S. MLATs—omits any Fifth Amendment provision prohibiting double jeopardy.[289] Thus, the U.S. prosecuted Jeong twice for the same offense for which he was convicted in Korea, in a maneuver that would be unconstitutional by general Fifth Amendment standards—but perfectly permissible under the MLAT. When applying the MLAT to foreign nationals who admit to bribery—as Jeong did—this looks like a U.S law enforcement triumph for the public. The price is that U.S. citizens may be imprisoned and incarcerated abroad for offenses, for which they have already been tried in the U.S., including those for which they have been acquitted in a U.S. court.

     F. MLATs and Dual Criminality

[123]   Pearce highlights civil liberties rollbacks in other areas. He points out that “[t]here are several benefits to the MLAT process,” noting that they, “often don’t require dual criminality.”[290] Indeed, a review of MLATs reveals that dual criminality requirements have quietly disappeared in recent treaties. For example, Article II, provision 3 of the 2009 US-Canada MLAT states “[a]ssistance shall be provided without regard to whether the conduct under investigation or prosecution in the Requesting State constitutes an offence or may be prosecuted by the Requested State.”[291]

[124]   But bars to Mutual Legal Assistance are now limited to military offenses, interference with investigation in the requested state, and tax offenses (under some treaties). This impact becomes clear when one considers the many countries with U.S. MLATs where anti­gay laws are enforced.[292] Eighteen of these countries have MLATs with the US.[293] By discarding longstanding dual criminality provisions, the many U.S. MLAT partners now have legal standing to pursue homosexuals, including demanding U.S. cooperation in their surveillance, apprehension, and extradition. Many other examples exist of laws in other countries that effectively criminalize otherwise law-abiding U.S. citizens.[294]

[125]   The effects may be difficult to imagine, but include jailing U.S. citizens—or the citizens of U.S. allies—for homosexuality, assisted by MLATs to enlist U.S. LEAs to gather evidence.[295] Further, they could be used to assist countries investigating their own nationals while in the U.S.

[126]   Consider this scenario: your grandfather, a prominent academic in India comes to the U.S. as a visiting professor at Harvard for six months. He attends a rally protesting the election in India, where prominent gay rights activists also speak. India requests MLAT assistance from the U.S. LEAs—including Massachusetts State and the Harvard University police—seeking to prosecute him for the crime of homosexuality. Under the terms of the MLAT—into which the U.S. entered fully aware India has crimes on its books like this—the U.S. would have no choice but to assist in India’s investigation of the professor, including possibly turning over any video of the professor at the rally.

     G. MLATs and Political Offenses

[127]   Initially, Nadelmann reports, exclusions for political offenses were included at Dutch insistence when negotiating that 1983 treaty,[296] much to the indignation of the Americans. “[W]hen obliged to negotiate such treaties with non-democratic governments because of broader concerns such as drug trafficking, U.S. negotiators typically insisted on including the ‘political offense’ exception clause.”[297] However, they saw little need to include the clause in treaties with Western Europeans, particularly in MLATs. But “some European negotiators, including the Dutch, were less convinced that the clause should be excluded; they were influenced by their own perceptions of the conflicts between civil rights activists and law enforcement officials in the American South during the 1960’s, and by cases such as that involving the ‘Chicago 7.’”[298] The American negotiators took umbrage at any suggestion that violations of U.S. laws—or prosecutions of criminal offenses—could be politically motivated or justified; they agreed, however, that insofar as extradition was deemed the most extreme form of international assistance in criminal cases, a political offense exception might be warranted in such treaties. However, they saw no need for its inclusion in the MLAT. When the Dutch insisted, the Americans relented.[299] It is worth noting that the Dutch treaty was second on the U.S. wish list, as Netherlands Antilles was considered to have the most stringent bank secrecy laws in the world, and thus was a primary haven for money launderers.[300]

[128]   Pearce also highlights civil liberties rollbacks in other areas. He points out “Article 3 of US-Thai Treaty[provides]: ‘Extradition shall not be granted’ for political offense[s], military offense[s], or where ‘extradition is requested for political purposes,’” however, “MLATs[] except military offenses, but generally don’t exclude political offenses.”[301] For example, the U.S.-Russia MLAT not only did not exclude political offenses; [302] it appends a note from the U.S. Embassy agreeing it has specifically omitted such during negotiations.[303] By contrast, the 1994 U.S.-U.K. MLAT[304]—used to subpoena the Boston College tapes—excludes assistance that “would be contrary to important public policy” or relating to “an offence of political character.”[305] Interestingly, this MLAT was used to unjustifiably harass U.S. citizen Arkadi Gontmakher, and presumably under which the U.S. would in turn pursue assistance surveilling and prosecuting Edward Snowden.

[129]   Some have asserted that the In re Price case is political.[306] According to the U.S.­U.K. MLAT, Mutual Legal Assistance is only available when the requesting country is “investigating conduct with a view to a criminal prosecution of the conduct, or referral of the conduct to criminal investigation or prosecution authorities, pursuant to its specific administrative or regulatory authority to undertake such investigation.”[307] “Assistance shall not be available for matters in which the administrative authority anticipates that no prosecution or referral, as applicable, will take place,” it states.[308]

[130]   In 2014, the BBC reported that years earlier “187 people had received letters telling them they would not face prosecution for IRA crimes.”[309] It then emerged that untold hundred had received Royal pardons for IRA activities.[310] In other words, it appeared the U.K. government knew all along that it would never prosecute the Jean McConville murder, nor any other Belfast Project­related crimes, and so would never comply with the terms of the MLAT.[311] It then appeared that the real aim of the U.K.’s MLAT might have been solely political: raising the specter of 1972 crimes during an election season which included Sinn Fein leader Gerry Adams.[312] Adams was the one Brendan Hughes and Doulours Price identified as the one who ordered the murder of McConville and others.[313]

     H. MLATs and Death Penalty Bars

[131]   Pearce indicates “[e]xtradition treaties often provide there may be no extradition for offenses which are punishable by death in Requesting State, but not in Requested State (e.g., Article 6).”[314] But for “MLAT Treaties, no such limitation [exists],”[315] eliminating a right afforded under the Eighth Amendment.[316] Nineteen states outlaw the death penalty.[317] But U.S. MLAT drafters, reviewers, and approvers see fit to collaborate to facilitate investigation and prosecution in situations where the penalty in the requesting country will be terminal.

[132]   For instance, “country surveys . . . indicate that apostasy laws are frequently used to charge persons for acts other than conversion. For example, in Mauritania, Saudi Arabia, Jordan, and Yemen, individuals were charged with apostasy for their writings or comments on social media.”[318] Salman Rushdie and others were sought for criminal prosecution (and punishment by death) by the Iranian state for ostensibly criticizing Islam.[319] As another example, in many Islamic countries, laws require women to wear hijab.[320]   Under the terms of this MLAT with Iran,[321] it appears India may have agreed to assist Iran in pursuing women under its jurisdiction, not dressed according to Iran’s tastes.

     I. MLATs and Search, Seizure, and Online Surveillance

[133]   We have reviewed MLATs’ lack of Fifth, Sixth, Eight, and Fourteenth Amendment protections. The section on U.S. DOJ motivation to achieve MLAT performance certainly revolved around search and seizure, an area generally subject to Fourth Amendment protections. In its amicus brief in Boston College Trustees, the ACLUM summed up the issue: “ACLUM is concerned about the government’s position in this case that governments who are parties to Mutual Law Assistance Treaties should have greater rights than United States federal and local law enforcement authorities to subpoena documents without judicial review.”[322] This case reflected public outcry in the U.S.—particularly among Irish-Americans and friends of academic freedom—about the request by the U.K. to seize recordings of oral histories of IRA members.[323] The heart of that outcry concerned public realization and disbelief that MLATs lack Fourth Amendment protections, or that judicial review and relief regarding these protections is unavailable to them.

     J. MLATs and Wiretapping

[134]   The Wiretap Act bases its search and seizure protections in Fourth Amendment judicial review requirements and probable cause determinations.[324] Modern MLATs eliminate these obstacles for LEAs. By eliminating constitutional constraints on search and seizure—including that of personal data and communications under government surveillance—MLATs, when applied to Americans, expose them to an unfamiliar lack of civil liberties.

[135]   In United States v. Rommy, the Second Circuit established that the United States government may conduct investigations (including surveillance) outside MLATs.[325] Pursuant to MLAT requests from the U.S. in 2002, “the Netherlands provided the United States with a transcript of a . . . call intercepted by the Dutch police in which Rommy and an unnamed confederate discussed the limited supplies of ‘Versace t-shirts.’”[326] Rommy contended that the DEA violated the MLAT in effect between the United States and the Netherlands—as well as Dutch domestic law—by employing a confidential informant (DeVries) to gather evidence in the Netherlands after Dutch officials had denied the United States’ MLAT request to conduct an undercover investigation in their country.”[327] The judge held an MLAT procedure is nice but not necessary, and denied the motion to reverse the ultimate conviction on this, and all other grounds.[328]

[136]   In this case, the Dutch courts actually denied the first MLAT request for surveillance of Rommy for lack of probable cause.[329] In similar cases, when the legal shoe is on the U.S. foot, the U.S. Attorney General and U.S. Courts have claimed MLATs preclude such refusals.[330] Not to be deterred, the U.S. conducted its own investigation of Rommy in the Netherlands.[331] On the grounds of evidence thus gathered in disregard of the agreed­upon MLAT procedure, the Netherlands relented upon a second MLAT request from the U.S., and agreed to allow Rommy’s surveillance.[332]

     K. MLATs and FOIAs

[137]   Even the FOIA has not survived MLATs. A report submitted to the Senate by Senator Jesse Helms on the Senate Foreign Relations Committee stated “[m]ost MLATs allow the Central Authorities of the country providing evidence or information under the Treaty to prohibit its use in other investigations, prosecutions, or proceedings without their consent. . . . In this country, the limitation places the MLAT information and evidence initially beyond the reach of a Freedom of Information Act request.”[333]

     L. MLAT and International Law

[138]   Before reviewing surveillance and Fourth Amendment issues, we briefly review contraventions to international law. With respect to international privacy treaties and MLATs, we find a disconnect between MLAT treaty provisions and privacy protections in other treaties. For example, the 1966 U.N. International Covenant on Civil and Political Rights (ICCPR) and the 1953 COE European Convention on Human Rights (ECHR) are two treaties considered to bear on privacy internationally.[334] But their terms—like those of other treaties and laws—have never been applied to MLATs.

[139]   The European Parliament noted in its 2014 report its disapprobation of U.S. stance that non­U.S. citizens may be accorded a sort of second-class status with respect to civil liberties accorded its own citizens, as in MLATs:

[I]n respect of intelligence activities concerning non­US persons under Section 702 of FISA, the Recommendations to the President of the USA recognise the fundamental principle of respect for privacy and human dignity as enshrined in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights . . . whereas we find [the U.S. government] does not recommend granting non­US persons the same rights and protections as US persons.[335]

The report also notes the threat U.S. mass surveillance poses. It states:

these risks [to liberty] do not only originate in criminal activities (against which the EU legislator has adopted a series of instruments) or from possible cyber attacks from governments of countries with a lower democratic record. There is a realization that such risks may also come from law enforcement and intelligence services of democratic countries putting E.U. citizens or companies under conflicts of laws resulting in a lesser legal certainty, with possible violations of rights without proper redress mechanisms.[336]

[140]   With respect to MLATs, the report observes their recognized role in acquiring information:

Calls on the Commission to conduct . . . an in­depth assessment of the existing Mutual Legal Assistance Agreement . . . in order to verify its practical implementation and, in particular, whether the US has made effective use of it for obtaining information or evidence in the EU and whether the Agreement has been circumvented to acquire the information directly in the EU, and to assess the impact on the fundamental rights of individuals; such an assessment should not only refer to US official statements as a sufficient basis for the analysis but also be based on specific EU evaluations.[337]

Finally, specific privacy protections in MLATs are few and far between, and precede the modern era of digital communications. For example, Article 26 of the E.U. MLAC refers to data protection.[338] However, the protections there are vague, especially compared with the provisions for LEAs. In conclusion, U.S. citizens and others seem to have been deprived of a full range of civil liberties through Executive Branch action, through what it maintains is compulsory international treaty reflexivity.


IV. MLATs and Legal Frameworks for Surveillance

[141]   Mutual Legal Assistance is certainly a critical element to a civil society, as is surveillance. Victims and targets of crime will be the first to seek to take advantage of MLAT capabilities, and will demand that law enforcement worldwide spare no effort to investigate, survey, apprehend, and arrest criminals. Certainly MLATs and surveillance have a legitimate role to play as a tool to improve law enforcement—no less, of course, than do privacy­ and anonymity-protecting MJAT tools like Tor Browser, extensively used by law enforcement. Yet laws and legal tools that fail to replicate privacy and other civil protections can cause harm, as well as reduce security. MLATs create legal frameworks that can be used to justify surveillance that is otherwise Unlawful Intercept. We briefly review case law, including very recent cases that have upheld these legal frameworks. We use the term Unlawful Intercept (“ULI”)—meaning unconstitutional surveillance—to contrast with Lawful Intercept (“LI”), itself a synonym for government surveillance.

     A. MLAT Explicit References to Surveillance

[142]   We have reviewed numerous treaties in Section Two that explicitly incorporate reference to telecommunications and data surveillance with weak safeguards, or where drafters testified that this was their intent. As we have seen in In re Commissioner’s Subpoenas—the Canadian smuggling case—not only the explicit treaty provisions, but also their intent forms the legal basis for later review in the courts.[339] We recall Judge Anderson’s words: “The negotiators’ explanation of [the treaty], provided in the Technical Analysis, does not support the appellees’ reading.”[340]

[143]   The U.S. Senate hearing testimony by Mary Ellen Warlow—the Director of the Office Of International Affairs, Criminal Division, U.S. Department of Justice—explains how the desire for legal justification for surveillance motivated not only the U.S., but also Germany in drafting recent MLATs. She said “this is the first United States MLAT to include . . . telecommunications surveillance. . . . This provision was included at Germany’s request, to assert the Federal government’s legal authority, vis-à-vis the States, to undertake such actions on behalf of foreign authorities.”[341] The testimony of Samuel M. Witten—Deputy Legal Adviser for the U.S. Department Of State—further established intent, by saying “[t]he proposed U.S.­Germany Mutual Legal Assistance Treaty in Criminal Matters (MLAT). . . has several innovations, including telecommunications surveillance[.]”[342]

[144]   We have already reviewed detailed surveillance provisions in specific treaties in Section Two. We now review how other MLAT provisions add to the legal basis for surveillance.

     B. Spontaneous Information

[145]   “The US National Security Agency circumvents UK law by offering, rather than being asked for, intelligence from global websites to their British counterparts, according to David Blunkett, who was home secretary at the time of the 9/11 attacks,” according to a 2013 report by the Guardian, which further states “. . .Blunkett highlighted one of the key areas at the heart of investigations into whether Britain’s GCHQ eavesdropping centre has abided by the law.”[343] Exactly what law, however, was not clear. However, an examination of the Budapest Cybercrime Treaty may finally clear up this question. That treaty enshrines in law the idea that countries just help each other out, unsolicited:

A Party may, within the limits of its domestic law and without prior request, forward to another Party information obtained within the framework of its own investigations when it considers that the disclosure of such information might assist the receiving Party in initiating or carrying out investigations or proceedings concerning criminal offences established in accordance with this Convention or might lead to a request for cooperation by that Party under this chapter.[344]

[146]   According to Article 26, the provision appears to be custom-made to fit into the US “international silver platter doctrine,”[345] which courts have been using to uphold what would otherwise amount to violations of the Fourth Amendment. The Budapest Cybercrime Treaty states:

Prior to providing such information, the providing Party may request that it be kept confidential or only used subject to conditions. If the receiving Party cannot comply with such request, it shall notify the providing Party, which shall then determine whether the information should nevertheless be provided. If the receiving Party accepts the information subject to the conditions, it shall be bound by them.[346]

[147]   This provision sounds highly familiar. It is in fact a review of parallel construction,[347] with its imperative to keep the real source of information—unlawful surveillance—a secret. We discuss the Silver Platter Doctrine after a review of JITs.

     C. JITs and Collaborative Surveillance

[148]   The EU MLAC first provided for Joint Investigative Task Forces (JITs) in 2000.[348] JITs bring together members of law enforcement from multiple countries. Article 13, Provision 7 states:

Where the joint investigation team needs investigative measures to be taken in one of the Member States setting up the team, members seconded to the team by that Member State may request their own competent authorities to take those measures. Those measures shall be considered in that Member State under the conditions which would apply if they were requested in a national investigation.[349]

[149]   Thus, for example, if a U.S. LEA is the originating Member State, it can request to set up a JIT in France, with members “seconded” from France, Croatia, Bulgaria, and Jamaica. Thus, a U.S. case can become a French, Croatian, Bulgarian, and Jamaican case. When the U.S. ultimately seeks surveillance data about a U.S. citizen in Jamaica, that would under U.S. law be prohibited domestic surveillance. However, once it forms a JIT with Jamaica, it also becomes a Jamaican case. In seeking surveillance data about a U.S. citizen, Jamaica is free to surveil the U.S. national as a foreign citizen. The JIT then allows Jamaica to share the resulting surveillance with the rest of the JIT members, including the U.S. LEA. E.U. MLAC Provision 9 states:

A member of the joint investigation team may, in accordance with his or her national law and within the limits of his or her competence, provide the team with information available in the Member State which has seconded him or her for the purpose of the criminal investigations conducted by the team.[350]

[150]   JITs come to mind when reflecting on The Guardian’s report from 2013, that reports “[t]he US National Security Agency circumvents UK law by offering, rather than being asked for, intelligence from global websites to their British counterparts, according to David Blunkett.”[351] In this way, MLAT JITs facilitate cooperative surveillance by collaborating governments. In other words, they legalize formerly Unlawful Intercepts.

In Getto I, the court held:

ongoing collaboration between an American law enforcement agency and its foreign counterpart in the course of parallel investigations does not—without American control, direction, or an intent to evade the Constitution—give rise to a relationship between the two entities sufficient to apply the exclusionary rule to evidence obtained abroad by foreign law enforcement.[352]

[152]   The Court also held “the alleged warrantless searches and surveillance do not shock the judicial conscience.”[353] What does shock the conscience is that—considering of the facts of the investigation—the Court could have found an absence of “American control, direction, or an intent to evade the Constitution.”[354]

     D. International Silver Platter Doctrine

[153]   The Silver Platter doctrine fits precisely into the Spontaneous-cooperation clause of the Budapest Cybercrime Treaty and into the JIT provisions of that and most other modern MLATs. In 2014, the Second Circuit issued its second and final ruling in United States v. Getto.[355] There, the court demonstrated its determination to turn a blind eye to the reality of U.S. MLAT influence over foreign LEAs and the example it sets in the world by upholding the admissibility of evidence—specifically, surveillance—legally gathered under MLATs, despite court findings that the evidence was gathered illegally by many other standards.[356] In Getto I, an American citizen appealed his conviction in a case involving surveillance of a “lottery telemarketing scheme operated out of three so-called ‘boiler rooms'” in Israel.[357] The court insisted that Israeli LEAs are not agents of U.S. LEAs.[358] This reasoning is echoed in the decision in United States v. Lee, when U.S. LEA purchased surveillance equipment for a Jamaican LEA, provided their training in its use, and in other ways might have been seen to have “directed” the operation.[359] This might violate U.S. law prohibiting seeking methods “designed to evade constitutional requirements.”[360]

[154]   Not so, found Judge José A. Cabranes of the Second Circuit, the judge in both cases. U.S. LEAs did not “direct” searches and seizures in these cases.[361] In contrast with the finding in Elkins v. United States that ended the domestic silver platter exception to the Fourth Amendment,[362] Cabranes’ rulings appear to demonstrate that over 50 years later—despite it being a different world where crime is internationalized—U.S. judges are not prepared to acknowledge constitutional evasion maneuvers called out years before by their colleagues. The court “reason[ed] that ‘the mere fact that an [MLAT] existed, information was shared and the DEA provided money, training and [surveillance] equipment does not warrant a finding of agency’ between the DEA and Jamaican law enforcement.”[363] The court found “the two nations signed a Memorandum of Understanding (“MOU”) in 2004 to establish a program in which Jamaican law enforcement officers, inter alia, ‘would monitor intercepted phone conversations authorized by Jamaican court orders for purposes of both countries gathering evidence or leads to obtain evidence in narcotics investigations.’”[364]

[155]   In Getto I, the court held that Israeli LEAs are not acting as “agents” of U.S. LEAs, even when the U.S. LEA purchased surveillance equipment for the foreign LEA and, as in United States v. Lee, provided their training in its use, and in other ways directed the investigation.[365] Getto pointed out that “(1) the INP initiated its investigation based on the MLAT request from American law enforcement officials; (2) Israel never sought to prosecute Getto; (3) many other members of the conspiracy, or related conspiracies, were extradited to the United States; and (4) an article in an Israeli newspaper stated that American law enforcement agents watched live surveillance of the Ha’Negev boiler room.”[366] The court found that “the MLAT request, the information-sharing between American law enforcement and the INP, and American receipt of the fruits of the INP’s investigation in Israel – reveals no cooperation ‘designed to evade constitutional requirements.’” ]Thus, it reasoned that the evidence need not be excluded, and upheld Getto’s conviction.[367] The court found that Israeli LEAs are not acting as agents of U.S. LEAs, despite appearances to the contrary.[368] Getto also asserted the Israeli National Police acted as agents under the joint venture doctrine, a doctrine which the Second Circuit does not recognize and explicitly declined to adopt in this case.[369]

     E. JITs and the European Parliament 

[156]   Regarding JITs, the European Parliament reported as a result of its investigation[370] that “the revelations since June 2013 have caused numerous concerns within the EU as to. . .

the degree of cooperation and involvement of certain EU Member States with US surveillance programmes or equivalent programmes at national level as unveiled by the media; the lack of control and effective oversight by the US political authorities and certain EU Member States over their intelligence communities; the possibility of these mass surveillance operations being used for reasons other than national security and the fight against terrorism in the strict sense, for           example economic and industrial espionage or profiling on political grounds; . . . the respective roles and degree of involvement of intelligence agencies and private IT and telecom companies; the increasingly blurred boundaries between law enforcement and intelligence activities, leading to every citizen being treated as a suspect and being subject to surveillance[.][371]

[157]   Reuters first reported the concept of parallel construction in 2013.[372] It is a short step from using JIT cooperative surveillance to using JITs to facilitate legal window dressing for parallel construction.

     F. Value of Measuring MLATs and Lawful Intercept in an Era of Unlawful Intercept

[158]   We now briefly pause to examine the value of LI indicators in an era of covert mass global surveillance. Given revelations that GIAs around the world perform surveillance unconstrained by laws, is there anything to learn from analyzing the indicia of each country’s LI propensity, such as MLATs?

[159]   The nature of government surveillance is covert. By contrast, it would seem MLATs are overt (albeit very low profile) tools, which may legalize otherwise unconstitutional global surveillance cooperation. As so many GIAs seem to be conducting Unlawful Interception, a fatalist and cynic might take the view that that there is no longer any reason to expend effort either negotiating or using MLATs. One might argue if all intelligence is already covertly available to all law enforcement through NSA programs, why bother with MLATs at all? Yet indisputably, MLAT use continues to expand and proliferate.

[160]   There are six good reasons why MLAT analysis and analysis of Lawful Intercept in general is legitimate, despite the fact that un­lawful intercept continues apace globally. First, MLATs indicate a need for legal grounds for surveillance by high­MLAT­initiating countries, like Canada.[373] Second, they are indicators of prevalence of surveillance targets and collaborators in countries where MLATs cluster, like tiny Cook Islands.[374] Third, not all GIAs from the same country share intelligence data. Thus, LI demonstrably expands surveillance and its measure remains relevant regardless of ULI. Fourth, LI may supplement ULI where GIA’s reach is incomplete or unattainable (if such a thing is still possible). Fifth, reliable and significant datasets exist for LI, while few exist for ULI, and the ones that do exist are incomplete and unreliable. So far, no successful attempts to create a trust model based on ULI exist. Sixth, LI country analysis can be viewed as a complement to ULI analysis rather than a substitute.

[161]   In terms of the value of MLATs as general surveillance indicators, MLATs can provide legal cover for surveillance by nations that consider themselves law-abiding.[375] While in rogue nations conducting surveillance, the lack of MLATs may not accurately indicate surveillance activity, this does not detract from the fact that MLATs—in combination with other hostility indicators[376]—can provide an overall indication of countries’ surveillance traffic and collaboration policies.

[162]   Second, analyzing MLATs can shed light on where activity of interest to GIAs may be occurring. For example, the Cook Islands—thousands of miles from anywhere—has approximately 150 treaty relationships.[377] The indicator of activity of interest in this small, ocean­bound nation can indicate something of interest to LI is occurring, whereby it might be logical to conclude the investment of time to establish a legal basis for surveillance has had some justification in the surveillance conducted there.

[163]   Third, parallel construction has laid bare that not all GIAs share intelligence. Thus, the NSA’s “poor step­siblings” (who must follow the rule of law) demonstrate that for many GIAs, LI—facilitated by tools such as MLATs—clearly expand surveillance, and so still matter.[378]

[164]   Fourth, even the most powerful GIA may not have the ability to control online data everywhere in the world, at least not without difficulty. LI provides an additional vector for surveillance beyond where even ULI cannot reach.

[165]   Fifth, ULI data (as we have pointed out) is sparse, incomplete, and lacking in credibility. Clearly the optimal surveillance dataset would track all GIAs the world over and score countries by degree of online government surveillance. However, despite diligent effort reviewing existing sources, we (unsurprisingly) remain unaware of a reliable and complete dataset classifying GIA activity for countries around the world. Thus, comparing countries may be impossible on a practical basis, without analyzing what information legally justified LI data can provide.


V. MLATs and Jurisdictional Arbitrage

[166]   Having now laid the legal groundwork to understand the motivations and effects of modern MLATs and their role in surveillance, we turn to their application in attacks on online privacy and anonymity tools like Tor. Earlier, we defined MJATs as a class of online multi­jurisdictional, anonymity/privacy tools—including virtual private networks (“VPNs”), proxy servers, and anonymous networks—have emerged. Examples include JonDos,[379] I2P,[380] Freenet,[381] Lantern,[382] UltraSurf,[383] TorBrowser.[384] For TorBrowser, we noted usage has jumped since 2004 to an average of over 2.5 million daily users worldwide, peaking as high as six million users on high usage days.[385]

[167]   MJATs have many uses, and in one way can be thought of as online counter­surveillance tools. The hypothetical American journalist and the Australian whistleblower used Tor to evade government surveillance. Many MJATs use them simply to evade corporate marketing­driven surveillance. In In Depth: MJAT Jurisdictional Arbitrage Measurement and Technical Experiments,[386] we review this topic in greater detail, including the mechanics of MJATs, and show how MLATs can be used in their attack. MLATs increase the risk of “breaking” online anonymity tools by allowing countries to collaborate in piecing together encrypted network traffic as it travels through disparate jurisdictions. Anonymity networks such as Tor intentionally route network packets through geographically dispersed checkpoint routers, in order to obfuscate the Internet address and location of the user’s device and their destination website.[387] This increases the likelihood that user traffic will travel across multiple legal and other jurisdictions.

     A. Legal Threats to Global Online Anonymity Networks: ISPs and IXPs

[168]   New adversarial models are necessary to take into account global surveillance and that different governments may pose different, quantifiable risk to anonymous network communications. First, we rank countries by number and nature of intelligence treaties. Second, we bring to light MLAT cartels–groups of cooperating countries. Finally, we demonstrate interlocking cartels can function as super-cartels through legal mechanisms such as JITs. Combined with other measurable hostility factors, we demonstrate a method by which GIA risk per country can be quantified. We show that MLATs are one of several hostility factors or indicators, which governments can display to anonymous network communications.

[169]   Researchers have considered technical attacks against networks, including online anonymity networks. We consider legal attacks against ISPs and IXPs; that is, attacks by governments with legal jurisdiction and control over ISPs and IXPs. In this article, we consider a threat model of local passive adversaries, personified in the form of each of the 191 autonomous governments of the world, based on the ISO 3166 standard. In this model, adversary governments take control in varying degrees of the ability to read online communications traffic flowing over the web as it passes through their own countries, through Internet Service Provider (“ISP”) and Internet Exchange Point (“IXP”) cables and devices located in their country.

[170]   In what jurisdictions do the IXP and ISP lie? In other words, which countries’ governments control parts of the path through which your network traffic flows? Do those countries recognize the same standards for privacy as those in the user’s home country? Are they more or less respectful of individual privacy of online communications, including anonymous online communications? What laws exist in those countries, to protect privacy? And, what actual practices exist, regardless of laws?

     B. MLAT Attacks: MLATs as an Indicator of Hostility to Privacy

[171]   In addition to the matters herein discussed, we build upon the impacts of MLATs in a set of other publications. The use of expanded MLATs has become an indicator of legal hostility to freedom. Countries with a greater number of MLATs indicate their willingness to cooperate in erosion of constitutional freedoms, including intercepting network traffic. In Jurisdictional Arbitrage,[388] we identify and define MLAT hostility indicators and other legal hostility factors, and measure the countries of the world by these factors. We explore the implications for anonymous network communications in a series of experiments. We introduce the global MLAT map, the first of its kind. We present our results and conclusions for online privacy tools and attacks through the law. We have identified five hostility factors that indicate a government’s legally­encoded hostility to privacy of online communications.[389] Entering into treaties such as MLATs that facilitate cross­border law enforcement and surveillance is one factor identified. In this work, we seek to further the legal groundwork validating this hostility factor as a measure of a country’s jurisdictional risk to online privacy. To this end, we have built the first comprehensive repository of MLATs. We have also built the first database of MLAT metadata. We use this database to analyze the growth in MLATs and their global interlocking cartels.

     C. Threat, Advisory, and Attack Models

[172]   Returning to our initial scenario, we recall the corrupt Australian LEA who wished to track the communications of a journalist who has published leaked whistleblowing documents from a confidential source—revealing the Australian LEA’s complicity in illegal narcotics activity. The target journalist lives in New York and is a U.S. citizen. She opens her laptop, goes online and fires up Tor. She communicates with her whistleblowing source in Australia, who faces death if his identity is uncovered—if he is de-anonymized. Her traffic passes through Tor relays in China, Finland, and Malaysia, before proceeding to its final destination, her source’s chat server, also in Australia.

[173]   We now demonstrate the attack model, the previously discussed MLAT cartel attack. Australia has MLATs with China, Finland, Malaysia, and many other countries. The CSPs and IXPs under their jurisdictions have all long since been required to and have implemented ETSI TS 102 677, facilitating dynamic triggering of surveillance.[390] This process has been administratively and technologically streamlined through the new, “improved” MLAT Central Authority provisions.

[174]   As before, the corrupt Australian LEA presses the button, targeting the journalist’s network traffic, hoping to find her source. Through traffic correlation and timing attacks, the Australian LEA is able to capture the journalist’s outgoing message traffic on its way to the first Tor relay in China. Timing and traffic correlation attacks reveal the destination of the Tor middle relay in Finland, and the LEA captures that traffic as well. A second time, the timing and traffic correlation attacks reveal the destination of the Tor exit relay in Malaysia, and the LEA captures that traffic as well. Finally, a third round of timing and traffic correlation attacks reveal the targeted destination: the journalist’s source. The corrupt Australian LEA has just successfully captured the target journalist’s network traffic as it passes through Australia, China, Finland, Malaysia and back to Australia.

[175]   The content of the journalist’s communication is unknown to the corrupt Australian LEA until it leaves the exit relay, as Tor tunnels the traffic with encryption. However, once it leaves the exit relay, the LEA can read the now unencrypted traffic, and see the identity of the target whistleblower.

[176]   Tor tears down and rebuilds new circuits every few minutes to defeat attacks. Theoretically, a new circuit might be built through a non-cartel partner, cutting off the surveillance. However, the main objective has already been gained once a single circuit de-anonymizes the target. Further, certain high-surveillance countries have expanded MLAT cartels, such that the probability of achieving at least 50% full cartel circuits can be high enough to capture significant information.

[177]   This example illustrates the threat model of GIAs collaborating to capture online communications through legal control of IXPs and CSPs outside of their jurisdiction, via MLATs. And, the adversary model, a cartel of collaborating GIAs using MLATs.

[178]   In a refinement of the attack model, which we call the MLAT “buddy” attack, the journalist still works at helping her source to blow whistles. However, her Tor traffic path selection algorithm routes her traffic communications through a country that does not collaborate with the Australian LEAs, Iran. Nevertheless, Iran decides to record and store the traffic on its own, as it has a high surveillance hostility factor. At a future date, Iran can decide to supply the “missing link” of recorded traffic and metadata that, together with information recorded by the cartel, can piece together retroactively the whistleblower’s identity. Thus, absolute hostility to anonymous network traffic, measured in part by MLATs, is relevant, even without factoring in cartel membership.

[179]   In yet another attack model, the same corrupt Australian LEA wishes to surveil traffic form the journalist target to her source whistleblower, the ultimate target. This would be impermissible domestic surveillance, However, by virtue of the traffic being randomly routed outside the U.S. through Tor relays, it may classify it as non-domestic by virtue of its application of Section 215 if FISA. As such, it may apply to its MLAT partners for the traffic.

     D. Defenses Against MLAT attacks

[180]   In Quantifying and Counteracting the Threat of Government Intelligence Agencies Against Tor, we set forth how MJATs, like Tor, can incorporate MLAT metrics into their path selection algorithm. This enables MJATs to avoid countries with high hostility to anonymous network traffic and high collaboration with surveillance cartel partners. Every action to defeat privacy and anonymity, such as expansion of MLATs, produces an equal and opposite reaction, such as improved anonymous networks through path selection modifications to send communications through countries less hostile to anonymous network traffic.


VI. Conclusion, Recommendations, and Future Work

[181]   MLATs have significantly expanded in recent years, in number and in scope, with little public attention. We hope future MLAT research will demonstrate that MLATs have indeed expanded the ability of LEAs to solve crime, as the DOJ would assert. We have demonstrated that MLATs have increased the risk of global surveillance, as well as eroded civil liberties to a new, greater degree than has been identified in the past. They have provided at least part of a framework to legalize mass surveillance. They have facilitated imposing technical specifications for surveillance capabilities on CSPs in MLAT cartel jurisdictions. They provide a vector to measure hostility to privacy and anonymous communications by country. Finally, they have facilitated complex technical attacks against online anonymity- and privacy-protecting tools (MJATs), such as Tor, that facilitate surveillance of domestic targets.

[182]   We recommend reviewing MLATs comprehensively, rather than on an ad hoc, country-by-country basis, including multilateral MLATs. As the negative impact of MLATs on U.S. citizens and civil liberties becomes clear, policymakers should consider modifications that enable law enforcement to attain international cooperation and assistance, while retaining civil liberties protections. In the meantime, online anonymity- and privacy-protecting tools can take country hostility factors such as number of MLATs and other factors into account, as well as MLAT cartels, and implement modified path selection algorithms. Thus, the cat-and mouse game will continue.






[1] See generally Tor Browser, Tor,, archived at (last visited Dec. 2, 2015) (describing and explaining Tor generally, in that it allows you to search the Internet without being tracked).


[2] Tor relays function to “receive traffic on the Tor network and pass it along.” What Is Tor?, Tor Challenge,, archived at (last visited Oct. 4, 2015).


[3] See Bryce Clayton Newell, The Massive Metadata Machine: Liberty, Power, and Mass Surveillance in the U.S. and Europe, 10 ISJLP 481, 483 (2014).

[4] See U.S. Const. amend. IV (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”).


[5] Actually, the IP address of the journalist’s home router, to which her laptop is attached.


[6] See, e.g., Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr & Paul Syverson, Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, at sec. 3 (20th ACM Conference on Computer and Communications Security, Nov. 2013) [hereinafter CCS 2013],, archived at (describing how Tor and traffic correlation attacks can work together).


[7] See, e.g., Rishab Nithyanand, Oleksii Starov, Adva Zair, Phillipa Gill & Michael Schapira, Measuring and Mitigating AS-Level Adversaries Against Tor 1, 14 (Aug. 18, 2015),, archived at (asserting that there are high rates of susceptibility to traffic correlation and timing attacks for Tor users, correlating to potentially high probability of successful capture).


[8] See Brian Fitzgerald, Snowden at SXSW: Encryption Must Be Stronger, Digits: Wall St. J. (Mar. 10, 2014, 11:47 AM),, archived at (citing a Twitter post by an individual attending the conference).


[9] See Peeling Back the Layers of Tor with Egotistical Giraffe, The Guardian (Oct. 4, 2013, 10:49 AM),, archived at; see also James Ball, Bruce Schneier, & Glenn Greenwald, NSA and GCHQ Target Tor Network That Protects Anonymity of Web Users, The Guardian (Oct. 4, 2013, 10:50 AM),­gchq­attack­tor­network­encryption, archived at; Barton Gellman, Craig Timberg, & Steven Rich, Secret NSA Documents Show Campaign Against Tor Encrypted Network, Wash. Post (Oct. 4, 2013),­security/secret­nsa­documents­show­campaign­against­tor­encrypted­net work/2013/10/04/610f08b6­2d05­11e3­8ade­a1f23cda135e_story.html, archived at


[10] See Glenn Greenwald, Ewen MacAskill, & Laura Poitras, Edward Snowden: The Whistleblower Behind the NSA Surveillance Revelations, The Guardian (June 9, 2013, 9:00 AM),­snowden­nsa­whistleblower­surveillance, archived at


[11] See Laura Poitras, Marcel Rosenbach, Michael Sontheimer, & Holger Stark, A Two­Faced Friendship: Turkey Is ‘Partner and Target’ for the NSA, Spiegel Online Int’l (Aug. 31, 2014, 12:00 PM),­show­nsa­and­gchq­spied­on­partner­turkey­a­989011.html, archived at

[12] See id.


[13] See U.S. Patriot Act, Pub. L. No. 107-56, § 201, 115 Stat. 272, 278 (2001); Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 108 Stat. 4279, 4282 (1994).


[14] See Steve Erlanger, Fighting Terrorism, French­Style, N.Y. Times (Mar. 30, 2012),­review/the­french­way­of­fighting­homegrown­terrorism.html, archived at; Scott M. Fulton, EU’s Reading to Cloud Providers: Stop Sheltering Yourself from US Patriot Act, (Dec. 6, 2011),­reding­to­cloud­providers, archived at


[15] See, e.g., Declan McCullagh, FBI Pressures Internet Providers to Install Surveillance Software, CNet (Aug. 2, 2013, 12:26 PM),, archived at; Complaint at paras. 2, 7, 10, 13–14, Jewel v. Nat’l Sec. Agency, No. C 08­04373 (N.D. Cal. Sept. 18, 2008),, archived at Jewel was one of the first to challenge the NSA’s massive domestic data collection program as “un” lawful interception. See NSA Spying on Americans: Jewel v. NSA, Elec. Frontier Found.,, archived at (last visited Oct. 1, 2015). The NSA’s defense has revolved around assertions under the state secrecy privilege. Gov’t Def.’s Reply in Supp. of Mot. to DIsmiss and for Summ. J. at 1, 7, Jewel v. Nat’l Sec. Agency, No. C:08-cv-4373 (N.D. Cal. June 26, 2009),, archived at So far, the courts have declined to dismiss the case based on state secrets. See, e.g., Order at 2, Jewel v. Nat’l Sec. Agency, No. C 08-04373 (N.D. Cal. July 8, 2013),, archived at On March 10, 2014, the court issued a temporary restraining order halting NSA’s destruction of evidence. Order Granting TRO at 1–2, Jewel v. Nat’l Sec. Agency, No. C 08-04373 (N.D. Cal. Mar. 10, 2014),, archived at On June 5, 2014, EFF filed an application for an emergency hearing upon learning that the NSA was continuing to destroy evidence. Plaintiff’s Emergency Appl. to Enforce the Court’s TRO at 1–2, Jewel v. Nat’l Sec. Agency, No. C:08-cv-4373 (N.D. Cal. June 5, 2014),, archived at


[16] For more information, see Sarah Cortes, Dynamic Triggering: MLATs, Third Parties and ETSI TS 102 677 Automated Surveillance (Sept. 30, 2014) (unpublished manuscript) (on file with author) [hereinafter Dynamic Triggering].


[17] Id.


[18] See generally United States v. Getto (Getto II) 586 Fed. App’x 11 (2d Cir. 2014) (finding Getto was guilty of conspiracy to commit wire fraud and mail fraud and affirming his sentence).


[19] TorMetrics—Direct Users by Country, Tor Project,, archived at (last visited Dec. 3, 2015) [hereinafter TorMetrics]; see also Karsten Loesing, Steven J. Murdoch, & Roger Dingledine, A Case Study on Measuring Statistical Data in the Tor Anonymity Network, Financial Cryptography and Data Security 203, 210–11 (Radu Sion et al. eds., Springer Berlin Heidelberg 2010),, archived at


[20] Electronic Privacy Information Center lists 99 such tools, within the following 21 categories: (1) CD/USB Based Operating Systems; (2) Internet Anonymizers, Virtual Private Networks (VPNs), and Proxy Servers; (3) Web Browser Ad­ons; (4) Search Engines; (5) Email Encryption; (6) Alternative Email Accounts; (7) Anonymous Remailers; (8) Disk/File Encryption; (9) Secure Instant Messaging; (10) Disk/File Erasing Programs; (11) Password Vaults; (12) Firewalls; (13) Antivirus; (14) Cookie/Cache/Internet History Cleaners; (15) Mobile Privacy; (16) VoIP/Video Messaging; (17) Social Networking; (18) Meshnet; (19) Alternative Currencies; (20) Publishing; and (21) Temporary Mobile Phones. See EPIC Online Guide to Practical Privacy Tools, Elec. Privacy Info. Ctr.,, archived at (last visited Dec. 3, 2015).


[21] See id.


[22] See JonDo – The IP Changer, JonDonym,, archived at (last visited Dec. 3, 2015) (“You may use JonDonym for anonymous surfing, anonymous e-mail, chats, and other purposes.”).


[23] See What Does I2P Do for You?, Invisible Internet Project,, archived at (last visited Dec. 3, 2015) (“I2P is an anonymous overlay network. . .”.).


[24] See Share, Chat, Browse. Anonymously. On the Free Network., Freenet Project,, archived at (last visited Oct. 4, 2015) (“Share files, chat on forums, browse and publish, anonymously and without fear of blocking or censorship!”).


[25] See Open Internet for Everyone, Lantern,, archived at (last visited Oct. 4, 2015) (“Lantern is a free desktop application that delivers fast, reliable, and secure access to the open Internet.”).


[26] See Ultrasurf,, archived at (last visited Oct. 4, 2015) (“Ultrasurf has now become one of the world’s most popular anti-censorship, pro-privacy software. . .”).


[27] See TorBrowser, supra note 1.


[28] See TorMetrics, supra note 19.


[29] See Ultrasurf, supra note 26.


[30] CT SigDev, Tor Stinks, at 1 (June 2012),, archived at; see also Ball, Schneier, & Greenwald, supra note 9; 42 Years for Snowden Docs Release, Free All Now, Cryptome,, archived at (last updated Aug. 15, 2015).


[31] See CT SigDev, supra note 30, at 2.


[32] See id. at 5.


[33] See id. at 15.


[34] See id. at 23; see also Ball, Schneier, & Greenwald, supra note 9.


[35] See Peter Vinthagen Simpson, Cold War Treaty Confirms Sweden Was Not Neutral, The Local (Dec. 9, 2013),, archived at (regarding revelations following the proliferation of secret treaties); see, e.g., Pete Yost, U.S. Cannot Say How Many Had Communications Watched, Huffington Post (July 28, 2011, 5:19 PM),, archived at (regarding the proliferation of secret legal activity).


[36] See arma, Talking to German Police in Stuttgart, Tor Blog (Mar. 26, 2008),, archived at; arma, Trip Report: Tor Trainings for the Dutch and Belgian Police, Tor Blog (Feb. 5, 2013),, archived at; phobos, A Visit to Iceland, Tor Blog (May 22, 2011), archived at


[37] See Alastair Brown, Towards a Prosecutorial Model for Mutual Assistance in Criminal Matters?, 6 Hume Papers on Pub. Pol’y 50, 52, 56 (1998).


[38] See Hearing on Law Enforcement Treaties: Hearing Before the S. Comm. on Foreign Relations, 108th Cong. 39–41(2004) (statement of Marc Rotenberg, President, Electronic Privacy Information Center) [hereinafter Hearing].


[39] See id. at 40; U.N Office on Drugs & Crime, Manual on Mutual Legal Assistance and Extradition 50–51 (2012),, archived at


[40] See Inter-American Convention Against Terrorism, art. 11, June 3, 2002, S. Treaty Doc. No. 107-18; Hearing, supra note 38, at 40.


[41] Julian Ku & John Yoo, The Supreme Court Misses Its Chance to Limit the Treaty Power, Forbes (June 12, 2014, 4:00 AM),, archived at

[42] See Hearing, supra note 38, at 39.


[43] See United States v. Alvarez­Machain, 504 U.S. 655, 667–70 (1992).


[44] See United States v. Getto (Getto II), 586 Fed. App’x. 11, 13 (2d Cir. 2014).


[45] See, e.g., United States v. Moloney (In re Price), 685 F.3d 1, 3 (1st Cir. 2012); United States v. Global Fishing (In re 840 140th Ave. NE), 634 F.3d 557, 564 (9th Cir. 2010); United States v. Rommy, 506 F.3d 108, 113 (2d Cir. 2007); United States v. Hagege, 437 F.3d 943, 946–47 (9th Cir. 2005); In re Comm’r’s Subpoenas, 325 F.3d 1287, 1289–90 (11th Cir. 2003); Mercator Corp. v. United States (In re Grand Jury Subpoenas), 318 F.3d 379, 381–82 (2d Cir. 2002).


[46] See, e.g., David Whedbee, Comment, The Faint Shadow of the Sixth Amendment: Substantial Imbalance in Evidence-Gathering Capacity Abroad Under the U.S.-P.R.C. Mutual Legal Assistance Agreement in Criminal Matters, 12 Pac. Rim L. & Pol’y J. 561, 561–81 (2003) (arguing that allowing defendants in U.S. criminal proceedings more international access would enhance constitutional protections).


[47] See Nat’l Cyber Investigative Joint Task Force, Fed. Bureau Investigation,, archived at (last visited Dec. 3, 2015).


[48] See id.


[49] See John Shiffman & Kristina Cooke, Exclusive: U.S. Directs Agents to Cover Up Program Used to Investigate Americans, Reuters (Aug. 5, 2013, 3:25 PM),, archived at


[50] See id.


[51] See Peter Vogel, The Cloud Privacy Illusion, E-Com. Times (Aug. 8, 2012, 5:00 AM)

[52] See id.


[53] See Andrew K. Woods, Global Network Initiative, Data Beyond Borders: Mutual Legal Assistance in the Internet Age 16 (Jan. 2015),, archived at


[54] See Frank Siepmann, Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud 93–94 (2014),, archived at


[55] See Jing Deng, Richard Han, & Shivakant Mishra, Countermeasures Against Traffic Analysis Attacks in Wireless Sensor Networks, in First International Conference on Security and Privacy for Emerging Areas in Communications Networks, at secs. 1, 2 (Inst. of Elec. & Elecs. Eng’rs 2005).


[56] See Ctr. for Internet & Soc’y, MLATs and International Cooperation for Law Enforcement Purposes 1–2,, archived at


[57] See id.


[58] See, e.g., Jessica Guynn & David Pierson, Google Blames Chinese Censors for Outage, L.A. Times (Mar. 31, 2010),, archived at (describing the general conflict between Google and China).


[59] See Who Are Our Members, Eur. Telecomm. Standards Inst.,, archived at (last visited Sept. 25, 2015) (“We have over 800 members drawn from 64 countries across 5 continents. This reflects the increasing globalization of the communications market and ETSI’s key role in enabling it.”); What We Are, Eur. Telecomm. Standards Inst.,, archived at (last visited Sept. 25, 2015) (“We are an independent, not-for-profit organization, widely respected for our neutrality and trustworthiness”).


[60] See Dynamic Triggering, supra note 16.


[61] See Shiffman & Cooke, supra note 49.


[62] See Sarah Cortes, In Depth: MJAT Jurisdictional Arbitrage Measurement and Technical Experiments (September 30, 2014) (unpublished manuscript) (on file with author) [hereinafter In Depth].


[63] See id.


[64] See supra Part I.d.


[65] See Glenn Greenwald & Spencer Ackerman, How the NSA is Still Harvesting Your Online Data, The Guardian (June 27, 2013),, archived at


[66] See In Depth, supra note 62.


[67] See id.

[68] See id.


[69] See id.


[70] See id.


[71] See In Depth, supra note ­­62.


[72] See id.


[73] United States v. Global Fishing, Inc. (In re 840 140th Ave. NE) 634 F.3d 557, 563 (9th Cir. 2011).


[74] See Mutual Legal Assistance Agreement, U.S­E.U, art. 5, June 25, 2003, 43 I.L.M 758 [hereinafter EU­US MLAT].


[75] See Council of Europe Convention on Cybercrime, Nov. 23, 2001, 41 I.L.M. 282 [hereinafter Budapest Cybercrime Treaty].


[76] See Amalie M. Weber, The Council of Europe’s Convention on Cybercrime, 18 Berkley Tech. L.J. 425, 438 (2003).


[77] See U.N. Office on Drugs and Crime, Manual on Int’l Cooperation in Criminal Matters Related to Terrorism 1 (2009) [hereinafter See U.N. Manual on Int’l Cooperation].


[78] See id. at 63–65.


[79] See id.


[80] See id., at 19; see also 24/7 Network of Cyber Investigators Graphic, Fed. Bureau of Investigation,, archived at (last visited Sept. 26, 2015).


[81] See U.N. Manual on Int’l Cooperation, supra note 77, at 15–16.


[82] See id. at 79, 114–15.


[83] See id.


[84] See id. at 22.


[85] See id.


[86] See U.N. Office on Drugs and Crime, Compendium of Bilateral, Regional and Int’l Agreements on Extradition and Mutual Legal Assistance in Crim. Matters Kenya 3 (2010).


[87] This is the first non­secret “modern” U.S. MLAT. Of course, we are not aware of earlier secret MLATs that still remain secret. For an example of a formerly secret treaty which is no longer secret, see Gunnar Rensfeldt, NSA “asking for” specific exchanges from FRA – Secret treaty since 1954, (Dec. 8, 2013),, archived at


[88] Treaty between the United States of America and the Swiss Confederation on Mutual Assistance in Criminal Matters, U.S.-Switz., May 25, 1973, 27 U.S.T. 2019, T.I.A.S. 8302 (entered into force Jan. 23, 1977).


[89] See United States v. Verdugo­Urquidez, 494 U.S. 259, 274–75 (1990) (determining Fourth Amendment protections do not apply to searches and seizures by U.S. agents of property owned by a nonresident alien in a foreign country).


[90] See United States v. Alvarez­Machain, 504 U.S. 655, 670 (1992) (holding a defendant’s capture by forcible abduction in another country does not prohibit his trial in the U.S. for violations of U.S. laws, and, that the US is not required to follow an extradition treaty procedure, that is optional).


[91] See Verdugo-Urquidez, 494 U.S. at 275.


[92] See Alvarez-Machain, 504 U.S. at 669–70.


[93] See Definition of Multilateral,,, archived at (last visited Nov. 30, 2015).


[94] See Definition of Bilateral,,, archived at (last visited Nov. 30, 2015).


[95] See Definition of Unilateral,,, archived at (last visited Nov. 30, 2015).


[96] See, e.g., Dep’t of Int’l Law, Inter-American Convention on Mutual Assistance in Criminal Matters Preamble, Org. of Am. States,, archived at (last visited Dec. 3, 2015).


[97] See Thomas F. McInerney III, Note, Towards the Next Phase in International Banking Regulation, 7 DePaul Bus. L.J. 143, 164–65 (1994) (stating “[a]lthough not self-evidently applicable, the Drug Convention may supply some needed assistance in developing a truly multilateral solution to the problem of illicit bank activities. . . Although not directly enforceable in the member states.”).


[98] Id. (quoting United Nations Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances art. 5, Dec. 20, 1988, 28 I.L.M.493).


[99] See Definition of Extradition Treaty, The Free Dictionary,, archived at (last visited Nov. 30, 2015).

[100] See Hague Convention on the Civil Aspects of International Child Abduction, Oct. 25, 1980, T.I.A.S. No. 11670.


[101] Agreement between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders (Schengen Acquis Treaty), June 14, 1985,, archived at

[102] See, e.g., Brian Kindle, MLATS Are Powerful Weapons in Financial Crime Combat, Even for Private Sector, Assoc. of Certified Finc. Crim. Specialists,, archived at (discussing MLATs specific to financial crimes).


[103] See generally Jonah Force Hill, Problematic Alternatives: MLAT Reform for the Digital Age, Harv. Nat’l Sec. L.J. (Jan. 28, 2015 1:05 PM),, archived at

[104] See Definition of Treaties in Force, The Free Dictionary,, archived at (last visited Nov. 30, 2015).


[105] See What is Entry Into Force?, The Euclid Treaty,, archived at (last visited Dec. 3, 2015).


[106] See Sarah Cortes, MLAT Database (unpublished research results) (on file with author).


[107] See id.


[108] See id.


[109] See id.


[110] See Country Codes – ISP 3166, Int’l Org. for Standardization,, archived at (last visited Dec. 3, 2015) (stating “ISO 3166 is the International Standard for country codes and codes for their subdivisions.”). As of October 4, 2015, ISO 3166 recognized 249 “countries.” Online Browsing Platform, Int’l Org. for Standardization, (last visited Oct. 4, 2015); see also ISO 3166-1,,, archived at (last modified Aug. 10, 2015). The U.N. recognizes and maintains a list of sixty-nine Trust and Non­Self­Governing Territories; however, twenty-one of these have no separate country code and are not listed in ISO 3166. See Country Codes – ISP 3166, Int’l Org. for Standardization, codes.htm (last visited Sept. 23, 2015). So, the total number of countries with autonomous or semi­autonomous governments in the world today can be evaluated as 201 countries.


[111] See Worldwide Review of Status of U.S. Extradition Treaties and Mutual Legal Assistance Treaties: Hearing Before the H. Comm. on Foreign Affairs, 100th Cong. 26 (1987) (statement of Mark M. Richard, Deputy Assistant Attorney General, Criminal Division).


[112] Id. at 37.


[113] See History of Anti-Money Laundering Laws, Fin. Crimes Enforcement Network, (last visited Sept. 22, 2015). See also The Critical Connection Between the Internet and Money Laundering, Red Earth Intel, Jan. 1, 2015, 01/the-critical-connection-between-the-internet-and-money-laundering.html; Country Codes – ISP 3166, supra note 110.


[114] See Ethan A. Nadelmann, Cops Across Borders: The Internationalization Of U.S. Criminal Law Enforcement 338 (1993).


[115] See Stephen J. Choi & Kevin E. Davis, Foreign Affairs and Enforcement of the Foreign Corrupt Practices Act 14 (N.Y.U. Sch. of Law Pub. Law & Legal Theory Research Paper Series, Working Paper No. 12-35, Law & Economics Research Paper Series, Working Paper No. 12-15, 2012),, archived at


[116] Id. at i.

[117] Id.

[118] See ADB/OECD Anti-Corruption Initiative For Asia And The Pacific: Mutual Legal Assistance, Extradition And Recovery Of Proceeds Of Corruption In Asia And The Pacific 25 (2007).


[119] See David Chaikin, Tracking the Proceeds of Organised Crime – The Marcos Case, Austl. Inst. of Criminology, Mar. 9–10, 2000 at 4–5.


[120] See Philippines v. Pimentel, 553 U.S. 851, 854 (2008).


[121] See Mutual Assistance in Criminal Matters, U.S.-Switz., May 25, 1973, 27 U.S.T. 2019, T.I.A.S. No. 8302 (entered into force 1977).


[122] Br. for Ed Moloney & Anthony McIntyre as Amici Curiae Supp. Appellants at 6, United States v. Maloney (In re Price), 685 F.3d 1 (1st Cir. 2012) (No. 11­2511) [hereinafter Br. for Ed Maloney].


[123] In re Comm’r’s Subpoenas, 325 F.3d 1287, 1290 (11th Cir. 2003).


[124] See id.


[125] Id.


[126] See United Kingdom v. Trs. of Bos. Coll., 718 F.3d 13, 23 (1st Cir. 2013).


[127] See, e.g., Ed Moloney, Ed Moloney: Boston College and Me, Bos. Coll. Subpoena News (Aug. 11, 2014),; Country Codes – ISP 3166, supra note 110.


[128] See discussion infra Part II.B.3.


[129] Letter from John Kerry, Sen., U.S. Cong., to Hilary Clinton, Sec’y of State, U.S. State Dept. (Jan. 23, 2012).


[130] Id.; see also Ross Kerber, Kerry Reaches out on Northern Ireland “Troubles” Records, REUTERS (Jan. 27, 2012, 5:47 PM),, archived at


[131] See Mutual Legal Assistance Treaty, U.S.­U.K., art. I, Jan. 6, 1994, T.I.A.S. 96-1202 (1995) [hereinafter US­UK MLAT].


[132] See Hearing, supra note 38.


[133] Gov’t’s Opp. to Bos. Coll.’s Mot. to Dismiss its Appeal as Moot, at 9, United States v. Trs. of Bos. Coll., 718 F.3d 13 (1st Cir. 2013) (No. 12-1236) (citing United States v. Moloney (In re Price), 685 F.3d 1, 12–13 (1st Cir. 2012)).


[134] In re Price, 685 F.3d at 11–12; see also US­UK MLAT, supra note 131, at art. I.

[135] United Kingdom v. Trs. of Bos. Coll., 718 F.3d 13, 20–21 (1st Cir. 2013) (internal citations omitted).


[136] In re Comm’r’s Subpoenas, 325 F.3d at 1303 (citing Elcock v. United States, 80 F. Supp. 2d 70, 77 (E.D.N.Y. 2000)).

[137] In re Comm’r’s Subpoenas, 325 F.3d at 1302.

[138] Elcock, 80 F. Supp. 2d at 77. Elcock robbed a bank in Germany with his girlfriend accomplice, concealed over $419,000 in a teddy bear, and mailed it to his sister in the U.S. He was arrested and convicted in New York shortly thereafter, when he arrived to visit his sister, and accepted delivery of the teddy bear. Elcock is also interesting constitutionally, as it permitted extradition in an apparent double jeopardy case (related not to an MLAT, but an extradition treaty), as Germany sought to prosecute him after his U.S. conviction.


[139] United States v. Rommy, 506 F.3d 108, 128–29 (2d Cir. 2007). Dutch national Henk Rommy, also known as the “Cobra,” headed an international drug ring that trafficked in large quantities of controlled substances like “ecstasy”… [Co­conspirators] testified that the pills in question were light blue in color and stamped with the logo of the late Italian fashion designer Gianni Versace…[Romy] had smuggled the drugs in recreational vehicles shipped from Europe . . . into New York. Id at 111; see also Treaty on Mutual Assistance in Criminal Matters, U.S.­Neth., art. 18, § 1, June 12, 1981, 35 U.S.T. 1361 (1981).

[140] See generally In re Comm’r’s Subpoenas, 325 F.3d 1287 (11th Cir. 2003) (holding that a request under a mutual legal assistance treaty is not reviewable by a district court).


[141] See Br. for Ed Moloney supra note 122, at 22. See generally Budapest Cybercrime Treaty, supra note 75.

[142] See Hearing, supra note 38, at 39–41; In re Comm’r’s Subpoenas, 325 F.3d at 1302.


[143] See Trs. of Bos. Coll., 718 F.3d at 20–21.


[144] See, e.g., United States v. Maloney (In re Price), 685 F.3d 1 (1st Cir. 2012).


[145] Convention on Mutual Assistance in Criminal Matters Between the Member States of the European Union (Dec. 2011), 2000 O.J. (C 197) 1 (EU) [hereinafter EU MLAC],, archived at


[146] EU-ES MLAT, supra note 74.


[147] Council of Europe (C.O.E.): Convention on Cybercrime, Nov. 23, 2001, 41 I.L.M. 282.


[148] United States v. Global Fishing, Inc. (In re 840 140th Ave. NE), 634 F.3d 557, 563 (9th Cir. 2011).


[149] Statement of Mary Ellen Warlow, Director, Office of International Affairs, Criminal Division, U.S. Department of Justice: Hearing Concerning Law Enforcement Treaties Before the S. Comm. on Foreign Relations, 109th Cong. (2005),, archived at


[150] Id. at 10.


[151] Testimony by Deputy Legal Adviser, Department of State, to Senate Foreign Relations Committee regarding certain bilateral law enforcement treaties, U.S. Senate: Hearing on an Extradition Treaty with Great Britain and Northern Ireland, an Extradition Protocol with Israel, Mutual Legal Assistance Treaty with Germany, and a Mutual Legal Assistance Treaty with Japan Before the S. Committee on Foreign Relations, 109th Cong. (2005) (statement of Samuel M. Witten, Deputy Legal Adviser, U.S. Dep’t of State),, archived at


[152] Id.


[153] See EU MLAC, supra note 145.


[154] Id. at 13.


[155] See Dynamic Triggering, supra note 16.


[156] See Organization of American States, Inter­American Convention on Mutual Assistance in Criminal Matters, May 23, 1992, O.A.S. No. 75,­55.html, archived at


[157] See Budapest Cybercrime Treaty, supra note 75 at tit. 5, art. 20–21.


[158] Id. at art. 20, section 3.


[159] See EU-US MLAT, supra note 75.


[160] Id. at 16.

[161] Id. at 15.


[162] EU: JHA Council authorises signing of EU­USA agreements on extradition and mutual legal assistance, (June 5, 2003),, archived at


[163] See Dynamic Triggering, supra note 16.


[164] See id.


[165] See generally ETSI DTS 102 677 V0.4.1 (2010­03), Lawful Interception (LI); Dynamic Triggering; Dynamic Triggering of Content of Communication Interception, Work Item: DTS/LI­00058, Elec. Telecomms Standards Inst. (Mar. 2010) (defining the standard), (automatic download) (detailing the technical design and infrastructure standards for communication service providers (CSP) and dynamic triggering across multiple operators) [hereinafter ETSI DTS 102 677].


[166] See Dynamic Triggering, supra note 16.


[167] Convention on Mutual Assistance in Criminal Matters Between the Member States and the European Union, supra note 156, at 13–14.


[168] See ETSI DTS 102 677, supra note 165.


[169] See generally ETSI DTS 187 005 V3.1.1 (2012­06), Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); NGN Lawful Interception; Stage 1 and Stage 2 definition, Electronic Telecomms Standards Inst. (June, 2012) [hereinafter ETSI DTS 187 005],, archived at (defining and specifying, when the network supplying services on behalf of the communication service provider is a next generation network, stage 1 and stage 2 of interception capability and the stage 2 model for lawful interception).


[170] See NSA Spying on Americans, Elec. Frontier Found.,, archived at (last visited Oct. 1, 2015).


[171] See Global Government Surveillance Reform, Reform Gov’t Surveillance,, archived at (last visited Oct. 1, 2015).


[172] David Banisar & Gus Hosein, A Draft Commentary on the Council of Europe Cybercrime Convention (Oct. 2002),, archived at


[173] See Google Transparency Report, Google, (last updated Sept. 23, 2015).

[174] See Microsoft Law Enforcement Requests Report, Microsoft,, archived at (last visited Dec. 3, 2015).


[175] See Removal Requests, Twitter,, archived at (last visited Oct. 1, 2015).


[176] See Global Government Requests Report, January­June 2013, Facebook,, archived at (last visited Oct. 1, 2015).

[177] Investopedia describes the International Chamber of Commerce (ICC) as the “largest, and arguably most diverse, business organization in the world with thousands of member companies representing over 130 countries and a vast array of business interests.” International Chamber of Commerce-ICC, Investopedia, terms/i/international­chamber­of­commerce­icc.asp, archived at (last visited Oct. 1, 2015).


[178] Int’l Chamber of Commerce Comm’m on the Digital Econ., Task Force on Internet and Telecoms, Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross­Border Lawful Intercept Procedures, Doc. No. 373/512 (Dec. 9, 2012),, archived at [hereinafter Pol’y Statement of 2012].


[179] Id. at 2, 5.


[180] Id.


[181] Id. at 5.


[182] Pol’y Statement 2012, supra note 178, at 6.

[183] Int’l Chamber of Com., Comm’n on E-Bus., IT and Telecoms, Task Force on Internet and Telecoms Infrastructure and Serv’s (ITIS), Global Bus. Recommendations and Best Practices for Lawful Intercept Requirements 1, 6–7 (2010),, archived at


[184] Pol’y Statement of 2012, supra note 178, at 5.


[185] ESTI DTS 102 677, supra note 165, at 7.


[186] ETSI DTS 187 005, supra note 169.


[187] Global Network Initiative,,, archived at (last visited Oct. 1, 2015).


[188] Global Network Initiative, Data Beyond Borders: Mutual Legal Assistance in the Internet Era 2 (2015), MLAT Report.pdf, archived at

[189] ETSI DTS 102 677, supra note 165, at 11.


[190] Id. at 7.

[191] Id.


[192] Id.


[193] Cong. Research Serv., No. 108-17, Acts of Congress Held Unconstitutional in Whole or in Part By the Supreme Court of the United States (2004),, archived at

[194] See, e.g., Julianne Pepitone, Google Files First Amendment Court Case Against NSA Surveillance Secrecy, CNN (June 18, 2013),, archived at


[195] EPIC Board & Staff, Elec Privacy Info. Ctr. (last visited Oct. 30, 2015),, archived at


[196] See Ctr. for Tech. and Nat’l Security Pol’y, Crosscutting Issues in Int’l Transformation (Dec. 2009),, archived at


[197] See id.

[198] Id. at 40–41.


[199] Michael A. Vatis, The Council of Europe Convention on Cybercrime at 209-10, reprinted in Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy (2010),, archived at


[200] Hearing, supra note 38, at 39.


[201] Banisar & Hosein, supra note 172, at 3.

[202] Br. for Ed Maloney, supra note 122, at 15.


[203] See generally Marbury v. Madison, 5 U.S. 137 (1803) (holding the court has power of judicial review).


[204] See McCulloch v. Maryland, 17 U.S. 316, 406 (1819).


[205] 135 Cong. Rec. S13,879–93 (daily ed. Oct 24, 1989) (statement of Sen. Helms).


[206] Id.


[207] Id.


[208] Id.

[209] Nadelmann, supra note 114, at 383.


[210] 135 Cong. Rec., supra note 206.


[211] United States v. Global Fishing (In re 840 140th Ave. NE), 634 F.3d 557, 567–68 (9th Cir. 2011).


[212] See id.


[213] See id. at 572.


[214] See In re Comm’r’s Subpoenas, 325 F.3d 1287 (11th Cir. 2003); infra Part III.C.


[215] United States v. Trs. of Bos. Coll., 831 F. Supp. 2d 435 (D. Mass 2011) (recognizing that the Executive’s interpretation of treaties are entitled to great weight); Palmat Int’l, Inc. v. Holder, No. 12-20229, 2013 U.S. Dist. LEXIS 2004, at *9 (S.D. Fla. Feb. 14, 2013).


[216] Br. for Ed Maloney, supra note 122, at 21.

[217] Id.


[218] See id. at 571­­–72 (9th Cir. 2011) (citing Am. Ins. Ass’n v. Garamendi, 539 U.S. 396, 416, n. 9 (2003) (holding that treaties are “[s]ubject to the Constitution’s guarantees of individual rights”); cf. United Kingdom, 870 F.2d at 693 n.8 (holding that in the context of a § 1782 request, that “[t]he district court’s discretion is of course subject to the U.S. Constitution”)).


[219] Id. at 572.


[220] Id.


[221] See In re Price, 685 F.3d at 13.


[222] See United Kingdom v. Trs. of Bos. Coll., 718 F.3d 13, 22 (1st Cir. 2013).


[223] See id. at 16–17.


[224] See id.


[225] See id. at 17–18.


[226] See id. at 18.

[227] See Trs. of Bos. Coll., 718 F.3d at 18.


[228] See id.


[229] See id. at 27–28.


[230] See id. at 21.


[231] Id. at 20­–21.


[232] See 18 U.S.C. § 3512 (2012).


[233] See Trs. of Bos. Coll., 718 F.3d at 23.


[234] Id.

[235] Id. at 21 n.5 (internal citations omitted).


[236] Opp’n of Bos. Coll. to Gov’t’s Pet. for Panel Reh’g at 2, United Kingdom v. Trs. of Bos. Coll. (In re Price), 718 F.3d 13 (1st Cir. 2013),, archived at


[237] See id. at 6.


[238] Id. at 2.


[239] Opp’n of Bos. Coll. to Gov’t’s Pet. for Panel Reh’g, supra note 236, at 6. August 22, 2013 the First Circuit issued an errata sheet in response to the United States’ August 2nd, 2013 Petition for Rehearing. Both parties briefed the issues raised by the United States’ petition, and the court’s errata amendments were incorporated in to the published opinion.


[240] Id. (parentheses and emphasis in original).


[241] Id.


[242] Id.


[243] Id. at 6–7.

[244] Opp’n of Bos. Coll. to Gov’t’s Pet. for Panel Reh’g, supra note 236, at 7.

[245] Id.


[246] Id.


[247] Order Den. Reh’g, United States v. Trs. of Bos. Coll., No. 12-1236 (1st Cir. Sep. 5, 2013),, archived at


[248] Order Granting Resp’t Mot. to Dismiss, at 2–3, Palmat Int’l, Inc. v. Holder, No. 12-20229, 2013 U.S. Dist. LEXIS 2004, at *1 (S.D. Fla. Feb. 14, 2013) (“Palmat is a Florida corporation with its principal place of business in Florida. Wellisch is a foreign investor and Palmat’s majority stockholder. In 2010, Argentina’s Ministry of Foreign Affairs issued several requests to the U.S. Department of Justice for the production of Petitioners’ financial records for bank accounts held in the United States. The requests were made as part of an ongoing criminal investigation stemming from allegations that Palmat, along with other companies, paid bribes to Argentine government officials in connection with the sale of agricultural equipment to the Venezuelan government.”).


[249] See United States v. Moloney, (In re Price), 685 F.3d 1, 15 (1st Cir. 2012) (internal citation omitted) (exercising jurisdiction under 28 U.S.C. § 1331 to review an allegation that the petitioners’ First Amendment rights would be violated based on a subpoena issued pursuant to an MLAT).


[250] See generally United Kingdom v. Trs. of Bos. Coll., 718 F.3d 13 (1st Cir. 2013) (failing to address MLATs).


[251] Press Release, Irish-American Republicans, IrishGOP Condems Obama/Holder MLAT Subpoena of Boston College (Feb. 2, 2012), archived at


[252] Id.


[253] Id.


[254] Mutual Legal Assistance in Criminal Matters Treaty, U.S.­U.K., art. I, ¶ 2, Jan. 6, 1994, S. Treaty Doc. No. 104­2 (1995),, archived at


[255] Press Release, supra note 251.


[256] Id.


[257] Sarah Cortes, Legalizing Domestic Surveillance: The Role of Mutual Legal Assistance Treaties in Deanonymizing TorBrowser Technology (unpublished manuscript) (on file with author).


[258] Id.


[259] See United States v. Global Fishing, Inc. (In re 840 140th Ave. NE), 634 F.3d 557, 561 (9th Cir. 2011).


[260] Id. at 563.


[261] Id. at 565.


[262] Id.


[263] Hal Bemton, Judge: Russia Owes Bellevue Businessman Apology – and Rubles, Seattle Times (Oct. 29, 2012),, archived at


[264] In re Comm’r’s Subpoenas, 325 F.3d at 1290.


[265] Id.


[266] Id. at 1297.


[267] Id. (internal citations omitted).


[268] Id. at 1298.


[269] Id.

[270] Id. at 1294.


[271] See, e.g., Agreement on Mutual Legal Assistance in Criminal Matters, U.S.-China, art. 1, June 19, 2000, T.I.O.S. No. 13102. The Agreement states, “[t]his Agreement is intended solely for mutual legal assistance between the Parties. The provisions of this Treaty shall not give rise to a right on the part of a private party to obtain, suppress or exclude any evidence or to impede the execution of a request.”


[272] See, e.g., United Kingdom v. United States, 238 F.3d 1312, 1317 (2001); In re Lavan, No. MISC-S-11-0019 GEB GGH, 2011 BL 76005, at *2, (E.D. Cal. Mar. 23, 2011).


[273] See David Whedbee, Faint Shadow of the Sixth Amendment: Substantial Imbalance in Evidence­Gathering Capacity Abroad under the U.S.­P.R.C. Mutual Legal Assistance Agreement in Criminal Matters, 12 Pac. Rim L. & Pol’y J. 561, 590 (2003).


[274] United Kingdom v. United States, 238 F.3d 1312, 1315 (2001).


[275] See id.


[276] Brown, supra note 37, at 55.


[277] Id. at 56.


[278] See id. at 55.


[279] Brian Pearce, Mutual Legal Assistance, U.S. Dep’t of Justice, at 21,, archived at


[280] Id.


[281] See United States v. Jeong, 624 F.3d 706, 708–09 (5th Cir. 2010).


[282] See Treaty Between the United States of America and the Republic of Korea on Mutual Legal Assistance in Criminal Matters, U.S.­S. Kor., Nov. 23, 1993, S. Treaty Doc. No. 104­1 (1995).


[283] Jeong, 624 F.3d at 712.


[284] Id. at 707.


[285] Id. at 709.


[286] Id. at 710.


[287] See Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, U.S, Dec. 17, 1997, 105 U.S.T. 43 (ruling that Article 4.3, referring obliquely to double jeopardy, only required consultation, and then only upon request).


[288] Jeong, 624 F.3d at 712.


[289] See id.


[290] See Pearce, supra note 279, at 8.


[291] See Treaty Between the Government of Canada and the Government of the United States of America on Mutual Legal Assistance in Criminal Matters, U.S.-Can., Mar. 18, 1985, Can. T.S. No. 19,, archived at [hereinafter US­Can. MLAT]; see also Treaty Between the Government of the United States and the Government of Ireland on Mutual Legal Assistance in Criminal Matters, U.S.-Ir., Jan. 18, 2001, art. I, para. 3,, archived at [hereinafter US­Ir. MLAT].


[292] See Lucas Paoli Itaborahy & Jingshu Zhu, State­Sponsored Homophobia, A World Survey of Laws: Criminalisation, Protection and Recognition of Same­Sex Love, Int’l Gay Bisexual Trans and Intersex Ass’n (May 2013),, archived at


[293] See id. (listing countries with U.S. MLATs that criminalize homosexuality include Ukraine, Russia, Antigua & Barbuda, Barbados, Belize, Dominica, Grenada, Guyana, Jamaica, St. Kitts & Nevis, St. Lucia, St. Vincent & the Grenadines, Trinidad & Tobago, India, Malaysia, Morocco, Nigeria, and Egypt.).


[294] See David M. Herszenhorn, New Russian Law Assesses Heavy Fines on Protesters, N.Y. Times (June 8, 2012),, archived at


[295] See Kevin Rawlinson, British Man Jailed for Four Months in Morocco ‘for Being Gay’, The Guardian, (Oct. 6, 2014, 7:53 AM),, archived at


[296] Nadelmann, supra note 114, at 351.


[297] Id.


[298] Id. at 352.


[299] Id.


[300] Id. at 349–50.


[301] Pearce, supra note 279, at 20.


[302] Treaty Between the United States of America and the Russian Federation on Mutual Legal Assistance in Criminal Matters, U.S.-Russ., June 17, 1999, S. Treaty Doc. No. 106-22 (2002).


[303] Id. at 12.


[304] Treaty between the United States of America and the United Kingdom of Great Britain and Northern Ireland, U.S.-U.K., Jan. 6, 1994, S. Treaty Doc. No. 104­2 (1996).


[305] Id. at art. III ¶ 1(a), (c).


[306] See Br. for Ed Maloney, supra note 122, at 15.


[307] Essential Texts on International and European Criminal Law 323 (Gert Vermeulen ed., 8th ed. 2012).


[308] 2 Int’l Crim. L.: Multilateral and Bilateral Enforcement Mechanisms 486 (M. Cherif Bassiouni ed., 3rd ed. 2008).


[309] John Downey Case ‘has Implications for Northern Ireland Devolution’, BBC (Feb. 26, 2014),, archived at


[310] See Tom Whitehead, Escaped IRA Terrorists Handed Royal Pardons as Part of Peace Deal, Queen had to Sign Off on Mercy Pardons that Allowed Convicted Killers and Fanatics to Return to Normal Lives, The Telegraph, (Feb. 27, 2014),, archived at; see also Chris Kilpatrick, Stormont Crisis: Spotlight Falls on Pardons Granted by Queen to IRA Men Questions Being Asked Over any Other Deals Cut Behind Closed Doors, Belfast Telegraph (Feb. 27, 2014),, archived at


[311] See Conor Macauley, Boston College Prepared to Return Troubles Tapes, BBC (May 6, 2014),, archived at


[312] See BC Archive Case Appears Politically Motivated, The Irish Echo (Oct. 12, 2011),, archived at


[313] See id.


[314] Pearce, supra note 279, at 22.


[315] Id.


[316] U.S. Const. amend. VIII.


[317] See States With and Without the Death Penalty, Death Penalty Info. Ctr.,, archived at (last visited Dec. 3, 2015).


[318] Id.


[319] Barbara Crossette, Iran Drops Rushdie Death Threat, And Britain Renews Teheran Ties, N.Y. TIMES (Sept. 25, 1998),, archived at


[320] Islamic Penal Code of the Islamic Republic of Iran – Book Five, Chapter Eighteen, Article 638, Iran Human Rights Doc. Ctr. (July 18, 2013),, archived at (explaining that a hijab is a full set of garments for women only, that can cover the entire body, including eyes, face, head, arms, hands, legs, and feet. Some states assert that a hijab is required under Islamic law, while others disagree. The Qu’ran does not explicitly require hijab, but includes an exhortation for women to cover themselves).


[321] Gov’t of India Ministry of Home Affairs: Pol’y Planning Div.,, archived at (last visited Dec. 3, 2015) (stating “India has so far operationalised these Treaties with the following 34 countries […] Iran”).


[322] Br. for Ed Maloney, supra note 122, at 7–8.


[323] United States v. Trs. of Bos. Coll., 831 F. Supp. 2d 435, 455 (D. Mass. 2011).


[324] See, e.g., U.S. Patriot Act of 2001, 115 Stat. 272 (codified as amended in scattered sections of 18 U.S.C. § 1); Communications Assistance for Law Enforcement Act of 1994, 108 Stat. 4279 (codified as amended in scattered sections of 47 U.S.C. § 1001).


[325] See United States v. Rommy, 506 F.3d 108, 140 (2d Cir. 2007).


[326] Id. at 113.

[327] Id. at 128.


[328] Id. at 128–31.


[329] Id. at 113.


[330] See, e.g., United States v. Moloney (In re Price), 685 F.3d 1, 11–14 (1st Cir. 2012) (holding that two subpoenas in an investigation of two academic researchers were not precluded from disclosure under MLAT); see also United States v. Under Seal (In re Grand Jury Subpoena), 646 F.3d 159, 165 (4th Cir. 2011) (finding that MLAT did not give a private right of action to protect subpoenas, regarding documents in discovery between two companies, from government investigation).


[331] See Rommy, 506 F.3d at 113.


[332] Id.


[333] S. Exec. Rep. No. 106­24, at 6 (2000),, archived at


[334] 1953 Council of Europe’s European Convention on Human Rights (ECHR), art. 8,, archived at; 1966 U.N. International Covenant on Civil and Political Rights (ICCPR), art. 17,, archived at


[335] Report on the U.S. NSA Surveillance Programme, Surveillance Bodies in Various Member States and their Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs, at 10 (Feb. 21, 2014),,


[336] Id. at 4.


[337] Id. at 28.


[338] See EU MLAC, supra note 145, at art. 13.


[339] See generally In re Comm’r’s Subpoenas, 325 F.3d 1287 (11th Cir. 2003).

[340] Id. at 1297.


[341] Concerning Law Enforcement Treaties: Hearing on Law Enforcement Treaties Before the S. Comm. on Foreign Relations, 109th Cong. 10, (2005) (statement by Mary Ellen Warlow, Director, Office of Int’l Affairs, Dep’t of Justice),, archived at


[342] On an Extradition Treaty with Great Britain and Northern Ireland, an Extradition Protocol with Israel, a Mutual Legal Assistance Treaty with Germany, and a Mutual Legal Assistance Treaty with Japan: Hearing on Law Enforcement Treaties Before the S. Comm.oOn Foreign Relations, 109th Cong. 10, (2005) (statement by Samuel M. Witten, Deputy Legal Adviser, U.S. Dep’t Of State),, archived at


[343] Nicholas Watt, NSA ‘offers intelligence to British counterparts to skirt UK law’, The Guardian (June 10, 2013),, archived at


[344] Budapest Cybercrime Treaty, supra note 75, at art. 26.


[345] International silver platter doctrine, which holds that allowed evidence seized illegally by agents other than U.S. Federal agents, i.e. foreign law enforcement, may be admitted in U.S. federal court as long as the foreign officials were not acting as agents of federal law enforcement. The court reasons that foreign agents are not deterred by the exclusionary rule, and evidence handed to U.S. federal agents “on a silver platter” may be admitted. This theory was discredited and thrown out after 50 years of misuse in the US courts pertaining to evidence obtained illegally by domestic police, i.e. state and local police. Yet it lives on as a Fourth Amendment exception for foreign police evidence. See Lustig v. United States, 338 U.S. 74, 78–79 (1949) (plurality opinion).


[346] Budapest Cybercrime Treaty, supra note 75.


[347] See Shiffman & Cooke, supra note 49.


[348] See, e.g., EU MLAC, supra note 145, at art. 13; see also Summaries of E.U. legislation – Mutual assistance in criminal matters between Member States, EUR-Lex Europa,, archived at (last updated Dec. 20, 2011). JITs originate in more than one source. We cite the principal sources, without going further into the history. Europol, the European Union Police Alliance website also provides background. General Legal Basis for JITs, Europol,, archived at (“Joint Investigation Teams [are] provided for in Article 13 of the 2000 MLA Convention.”) (last visited Dec. 3. 2015); E.U.­U.S. MLAT, supra note 75, at art. 5. While established in the 2000 Act, JITs did not actually commence until 2005. Thus, the E.U.­U.S. MLAT can also be considered to be the origination point for JITs. Confusingly, this treaty did not enter into force (EIF) until 2010. Its drafting, signing, ratification and entry into force spanned seven years, which is not unusual for treaties. Thus, while its initial draft preceded the actual formation of JITs in 2005, and thus can be considered the origin of JITs, its final EIF followed that of the E.U. MLAC.


[349] EU MLAC, supra note 145, at art. 13, para. 7.


[350] Id. at art. 13, para. 9.


[351] Watt, supra note 343.


[352] United States v. Getto (Getto I), 729 F.3d 221, 224 (2d Cir. 2013).


[353] Id.


[354] Id.


[355] United States v. Getto (Getto II), 586 Fed. App’x 11, 13 (2d Cir. 2014).


[356] Id.


[357] Getto I, 729 F.3d at 225.


[358] Id. at 230–31.


[359] United States v. Lee, 723 F.3d 134, 141 (2d Cir. 2013).


[360] Id. at 140.


[361] Id. at 139.


[362] Id. at 139 n. 3 (distinguishing domestic silver platter with international silver platter doctrine).


[363] Id. at 138.


[364] Lee, 723 F.3d at 137.


[365] Getto I, 729 F.3d at 231.


[366] Id. at 230.


[367] Id. at 234–35.


[368] Id. at 230–32.


[369] Id.


[370] EU Comm. on Civil Liberties, Justice and Home Affairs, European Parliament Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs, art. F (2013),, archived at


[371] Id.


[372] Shawn Musgrave, DEA Teaches Agents to Recreate Evidence Chains to Hide Methods, Muckrock (Feb. 3, 2014),, archived at


[373] See In Depth, supra note 62.


[374] See id.


[375] See id.


[376] See id.


[377] Cook Island Gov’t, Treaty Database: International Treaties,, archived at (last visited Dec. 3, 2015).


[378] Henrich Glaser-Opitz & Ján Labun, Conference Paper, Means of Integrating MLAT and ADS-B in up to Date Surveillance Systems, Int’l Sci. Conference New Trends in Aviation Development 2014,, archived at


[379] See JonDo, supra note 22.


[380] See What Does I2P do for You?, supra note 23.


[381] See Freenet Project, supra note 24.


[382] See Lantern, supra note 25.


[383] See Ultrasurf, supra note 26.


[384] See Tor, supra note 1.


[385] See Tor Metrics, supra note 19.


[386] See In Depth, supra note 62.


[387] Abdelberi Chaabane et al., Privacy in Content-Oriented Networking: Threats and Countermeasures, 43 ACM SIGCOMM Computer Commc’n Rev. 26 (July 2003), at 2–3,, archived at


[388] See In Depth, supra note 62.


[389] See Sarah Cortes, Quantifying and Counteracting the Threat of Government Intelligence Agencies Against Tor (unpublished manuscript) (on file with author).


[390] See ETSI DTS 102 677, supra note 165.


Page 2 of 7

Powered by WordPress & Theme by Anders Norén