December 27, 2024 / by 

 

FISC Rules that [Redacted] Is Not Subject to FISA 702 for One of Its Services

Last week ODNI declassified two FISA Court opinions pertaining to Section 702. The first was a 2022 FISA Court opinion (which dates to sometime after April 2022 orders were signed) written by Presiding Judge Rudolph Contreras. The second is a 2023 per curiam opinion (David Sentelle, Robert Miller, and Stephen Higginson) affirming the original Contreras one.

While the exact details of the appeal are heavily redacted, it’s clear that the opinion pertains to the definition of Electronic Communications Service Provider under the law. As a reminder, under 702, the government can given a US-based ESCP a “directive” ordering not just content, but also technical assistance. In general, such directives apply to both data in motion (so telecoms) and data at rest (so cloud providers).

One thing the opinions make clear is that the service provider provided at least two categories of service. The service provider seemed to only challenge one of those two categories of service and willingly accept directives for another. The FISCR opinion lays out that the definition of ECSP must be applied on a service to service basis.

A reexamination of subparagraphs (A), (B) and (C) confirms that it is the service being rendered-and nothing else about the provider-that is the crux of each definition. For “provider of electronic communication service,” and “provider of remote computing service,” only the specified communication service is statutorily defined. See 50 U.S.C. § 1881 (b )( 4 )(B) (relying on the definition of “electronic communication service” at 18 U .S.C. § 2510(15) to delineate providers of such); 50U.S.C.§1881(b)(4)(C) (relying on the definition of “remote computing service” at 18 U.S.C. § 2711 to delineate providers of such). Although the term “telecommunications carrier” is itself statutorily defined, that definition similarly relies on the definition of “telecommunications services,” except for one exclusion. See 47 U.S.C. § 153( 51) (‘” [T]elecommunications carrier’ means any provider of telecommunications services, except that such term does not include aggregators of telecommunications services . … “); 47 U .S.C. § 153(53) ( defining “telecommunications service”).

[snip]

What matters is the service that is being provided at a particular time (or as to a particular piece of electronic communication at a particular time), rather than … the service provider itself.” (internal quotations omitted)).

The issue, for the second service, seems to pertain to whether the service provider had access to the comms in question — whether in motion or at rest; such a dispute may be a question of encrypted communications to which the provider did not have access.

Contreras’ opinion treats each type of ECSP, data in motion and then data at rest, to determine that for the service in question (but not for others the service provider offers) it is not a an ECSP under Section 702.

Notably, a key part of the first part of Contreras’ analysis (on data in motion) relies on two opinions about cell phones.

see also Garcia v. City of Laredo, 702 F.3d 788, 793 (5th Cir. 2012) (a cell phone “does not provide an electronic communication service just because the device enables use of electronic communication services” ( emphasis in original); Loughnane v. Zukowski, Rogers, Flood & McArdle, No. 19 C 86, 2021 WL 1057278 at *4 (N.D. Ill. Mar. 18, 2021) (“a smartphone … does not provide the end-user the ability to send or receive wire or electronic communications;” it “merely enables the end-user to employ a wire or electronic communication service . . . which in turn provides [that] ability”) (emphasis in original). 15

And a later passages also pertains to personal devices.

Nonetheless, most courts have found that personal devices used to access web-based email services or similar communication platforms are not facilities through which an ECS is provided. 18

Under the second part of his analysis, Contreras focused on whether the service provider had access to communications (again, a discussion that might be consistent with encryption). In that section, there’s this curious discussion of the June 2021 Van Buren decision that limited the application of the Computer Fraud and Abuse Act, which pivoted on authority to access.

Van Buren interpreted a statutory provision that describes the elements of a crime. It is natural for “access” in that context to be confined to (wrongfully) entering a computer system or parts thereof. It would not sensibly extend to the opportunity or ability to enter a system, without actually doing so, just as it would not make sense for a passerby to be liable for trespass because he walked by an open door without going in. But it strikes the Court that, in other, even computer-related contexts, “access” could be used as a noun (as it is in Section 701(b)(4)(D)) to refer to the ability or opportunity to enter: “Frank has access to the database but be has not logged into it yet.”

FISCR likewise invoked the definition of access under Van Buren.

Context reinforces this understanding. See, e.g., Van Buren v. United States, 141 S. Ct. 1648, 1657- 58 (2021) (“When interpreting statutes, courts take note of terms that carry ‘technical meaning[s]. “‘). In Van Buren, the Supreme Court observed that ‘” [ a ]ccess’ is one such term, long can-ying a ‘well established’ meaning in the ‘ computational sense’- a meaning that matters when interpreting a statute about computers.” Id. at 1657 ( citation omitted).

Close to the end of the FISCR opinion, it seems to definitively define ECSP based on this access principle.

If an entity does not provide a communication service through which it has “access to wire or electronic communications either as such communications are transmitted or as such communications are stored;’ 50 U.S.C. § 188l(b)(4)(D), it is not an ECSP as defined by subparagraph (D), [half paragraph]

Then, FISCR notes that 702 is up for reauthorization this year, so if the government doesn’t like this principle, it can go ask Congress to change it.

Some company successfully argued that if they don’t have access to your data, they can’t be compelled to provide US spooks assistance to get to it.

Copyright © 2024 emptywheel. All rights reserved.
Originally Posted @ https://emptywheel.net/fisa/