![[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]](https://www.emptywheel.net/wp-content/uploads/2017/08/NationalSecurityAgency_HQ-FortMeadeMD_Wikimedia-1030x687.jpg)
FISC Rules that [Redacted] Is Not Subject to FISA 702 for One of Its Services
Last week ODNI declassified two FISA Court opinions pertaining to Section 702. The first was a 2022 FISA Court opinion (which dates to sometime after April 2022 orders were signed) written by Presiding Judge Rudolph Contreras. The second is a 2023 per curiam opinion (David Sentelle, Robert Miller, and Stephen Higginson) affirming the original Contreras one.
While the exact details of the appeal are heavily redacted, it’s clear that the opinion pertains to the definition of Electronic Communications Service Provider under the law. As a reminder, under 702, the government can given a US-based ESCP a “directive” ordering not just content, but also technical assistance. In general, such directives apply to both data in motion (so telecoms) and data at rest (so cloud providers).
One thing the opinions make clear is that the service provider provided at least two categories of service. The service provider seemed to only challenge one of those two categories of service and willingly accept directives for another. The FISCR opinion lays out that the definition of ECSP must be applied on a service to service basis.
A reexamination of subparagraphs (A), (B) and (C) confirms that it is the service being rendered-and nothing else about the provider-that is the crux of each definition. For “provider of electronic communication service,” and “provider of remote computing service,” only the specified communication service is statutorily defined. See 50 U.S.C. § 1881 (b )( 4 )(B) (relying on the definition of “electronic communication service” at 18 U .S.C. § 2510(15) to delineate providers of such); 50U.S.C.§1881(b)(4)(C) (relying on the definition of “remote computing service” at 18 U.S.C. § 2711 to delineate providers of such). Although the term “telecommunications carrier” is itself statutorily defined, that definition similarly relies on the definition of “telecommunications services,” except for one exclusion. See 47 U.S.C. § 153( 51) (‘” [T]elecommunications carrier’ means any provider of telecommunications services, except that such term does not include aggregators of telecommunications services . … “); 47 U .S.C. § 153(53) ( defining “telecommunications service”).
[snip]
What matters is the service that is being provided at a particular time (or as to a particular piece of electronic communication at a particular time), rather than … the service provider itself.” (internal quotations omitted)).
The issue, for the second service, seems to pertain to whether the service provider had access to the comms in question — whether in motion or at rest; such a dispute may be a question of encrypted communications to which the provider did not have access.
Contreras’ opinion treats each type of ECSP, data in motion and then data at rest, to determine that for the service in question (but not for others the service provider offers) it is not a an ECSP under Section 702.
Notably, a key part of the first part of Contreras’ analysis (on data in motion) relies on two opinions about cell phones.
see also Garcia v. City of Laredo, 702 F.3d 788, 793 (5th Cir. 2012) (a cell phone “does not provide an electronic communication service just because the device enables use of electronic communication services” ( emphasis in original); Loughnane v. Zukowski, Rogers, Flood & McArdle, No. 19 C 86, 2021 WL 1057278 at *4 (N.D. Ill. Mar. 18, 2021) (“a smartphone … does not provide the end-user the ability to send or receive wire or electronic communications;” it “merely enables the end-user to employ a wire or electronic communication service . . . which in turn provides [that] ability”) (emphasis in original). 15
And a later passages also pertains to personal devices.
Nonetheless, most courts have found that personal devices used to access web-based email services or similar communication platforms are not facilities through which an ECS is provided. 18
Under the second part of his analysis, Contreras focused on whether the service provider had access to communications (again, a discussion that might be consistent with encryption). In that section, there’s this curious discussion of the June 2021 Van Buren decision that limited the application of the Computer Fraud and Abuse Act, which pivoted on authority to access.
Van Buren interpreted a statutory provision that describes the elements of a crime. It is natural for “access” in that context to be confined to (wrongfully) entering a computer system or parts thereof. It would not sensibly extend to the opportunity or ability to enter a system, without actually doing so, just as it would not make sense for a passerby to be liable for trespass because he walked by an open door without going in. But it strikes the Court that, in other, even computer-related contexts, “access” could be used as a noun (as it is in Section 701(b)(4)(D)) to refer to the ability or opportunity to enter: “Frank has access to the database but be has not logged into it yet.”
FISCR likewise invoked the definition of access under Van Buren.
Context reinforces this understanding. See, e.g., Van Buren v. United States, 141 S. Ct. 1648, 1657- 58 (2021) (“When interpreting statutes, courts take note of terms that carry ‘technical meaning[s]. “‘). In Van Buren, the Supreme Court observed that ‘” [ a ]ccess’ is one such term, long can-ying a ‘well established’ meaning in the ‘ computational sense’- a meaning that matters when interpreting a statute about computers.” Id. at 1657 ( citation omitted).
Close to the end of the FISCR opinion, it seems to definitively define ECSP based on this access principle.
If an entity does not provide a communication service through which it has “access to wire or electronic communications either as such communications are transmitted or as such communications are stored;’ 50 U.S.C. § 188l(b)(4)(D), it is not an ECSP as defined by subparagraph (D), [half paragraph]
Then, FISCR notes that 702 is up for reauthorization this year, so if the government doesn’t like this principle, it can go ask Congress to change it.
Some company successfully argued that if they don’t have access to your data, they can’t be compelled to provide US spooks assistance to get to it.
I wonder if this is related to Protonmail? Wasn’t one of Rudy’s email addresses hosted there?
ProtonMail is based in and entirely hosted in Switzerland… 702 applies to US-based service providers.
Where technology sprints, the law lags behind.
As usual, EW, you’ve made me very curious to see where this goes. I feel smarter just for having read it.
I assume this is (or will be) a significant step in the development of the law on this topic. But I’m not quite following, so can you explain briefly (in layman’s terms) the practical significance of this to a user? For example, if I have an iPhone with Verizon, and internet access through my cable subscription with Optimum, what can and cannot each one of them be required to do when Uncle Sam wants to check me out? Thanks.
The first thing that comes to mind is that this sounds like it could apply to Apple and Signal. One scenario might be the government wanting Apple to pull some user’s Signal chats off their phone.
Yeah, a good guess that Apple is involved somehow; Google might be another possibility.
Interesting suggestion. I’m virtually certain FBI has had this ability in the past, but Van Buren might have bolloxed that?
Given the context of a provider that inhabits multiple roles, Apple seems like a good fit. Stuff like Protonmail and Signal that just provide a single heavily encrypted service don’t feel like they’d need the thorough parsing of whether the ECSP designation applies company-wide or is evaluated on a per-activity basis.
But Apple, who will happily hand over iCloud data when ordered, but who will also send an army of lawyers tell you to pound sand if you want help hacking their phones or compromising iMessage encryption, would seem to fit the groove perfectly. Facebook is the other company that came to mind that offers a differentiable mix of cleartext and e2e encrypted services. I guess Google also has some nascent e2e messaging and a phone OS they might not want to be forced to hack.
If Congress did change 702 as the court seems to be inviting, what would practically change given that the service provider still (presumably) wouldn’t have access to the underlying data they’re being obliged to collect? Would this create an affirmative duty to prevent such data from traversing their service?
(Also, minor typo: “per curium” should be “per curiam”.)
OT, but was wondering what specifics were that got Biggs/Gosar/Finchem off the hook for 14th. Judge in AZ considered MTGreene and Hawthorne (which split on 14th3rd), and allowed BGF to use the 14th5th, with standing and civil/injunctive tossed in to spice it up.
Homework here:
https://www.justsecurity.org/wp-content/uploads/2023/04/arizona-court-order-dismissing-case-apr-22-2022.pdf
(challenges filed at bottom of this page)
https://freespeechforpeople.org/arizona-voters-challenge-congressmen-gosar-and-biggs-and-state-rep-finchem-candidate-for-secretary-of-state-under-fourteenth-amendments-insurrectionist-disqualification-clause/
(group urging AG’s to file challenges)
https://freespeechforpeople.org/the-14point3-campaign/
The first link, the Just Security one, contains Judge Coury’s full decision. As is usual with his work, it is detailed and proper. It explains everything.
It is, though, as Coury writes, “involuted.” And that’s on top of being convoluted as well, as in “difficult to follow.”
The simplest way to describe the decision is, imo, “The Fourteenth, unlike other Amendments to the Constitution, doesn’t stand on its own; it requires Congress to creat a law or laws to effect the enforcement of it, and what’s on the books isn’t helpful at all.”
Lol, let’s see, I’m going to listen to you, or Chris Coury, a judge I know and respect. That’s an easy decision. There were multiple grounds delineated, and having been involved in numerous injunction proceedings here, I can tell you the reasoning was quite solid.
I never said it wasn’t.
Since an FISCR opinion is published by quorum, I wonder if the support of the FISC ruling was unanimous amongst the FISCR panel. I do see how the Government’s ask seems to impose a burden on the company, a burden which to their customers would appear to smack of privacy violation. But maybe that’s the cost of doing business over public broadcast spectra.
Minor typo
Electronic Communications Service Provider under the law. As a reminder, under 702, the government can given a US-based ESCP
Should be ECSP.
seems kind of like e.g. apple saying ‘if they store their data on icloud, yeah, we can turn that over. we are the provider of the data storage/remote computing service. but you can’t compel us to make our device get you their gmail data just because they use an iphone to check their gmail — we are not the communications provider, even if they used our device for communications and it is technically capable of capturing or querying (accessing) that data’
i may be misunderstanding though
I think you’ve got it right exactly. I think the intelligence community is still trying to hunt the same white whale they were after back in 2016 with the All Writs Act of getting Apple to create hacked firmware that can be used to unlock iPhones. This time by claiming Apple’s iCloud business opens the door for basically limitless technical demands of any of their products.