When the FBI Seizes Your Messages From Big Tech, You May Not Know It for Years

Jay Greene and Drew Harwell / The Washington Post
Ryan Lackey, a Facebook customer who found out years later that the company's Law Enforcement Response Team turned over data to prosecutors years ago and didn't notify him. (photo: Angel Valentin/Washington Post)

Microsoft, Google, Facebook and other tech firms are pressing lawmakers to stop prosecutors from secretly snooping on private accounts

At first, Ryan Lackey thought the email was a scam. It arrived one morning in March, bearing news that Facebook had received an order from the Federal Bureau of Investigation to turn over data from personal accounts Lackey uses to chat with friends and exchange cat photos.

Even weirder, the email said Facebook had been forced to keep this intrusion secret. Six months later, Lackey, a computer security consultant in Puerto Rico, still has no idea what Facebook turned over to an FBI investigation that he believes may have started as early as 2019.

“My online life, at least half of it touches Facebook in some way,” said Lackey, 42.

Every year, Facebook, Google and other technology companies receive hundreds of thousands of orders from law enforcement agencies seeking data people stash online: private messages, photos, search histories, calendar items — a potentially rich trove for criminal investigators. Often, those requests are accompanied by secrecy orders, also known as nondisclosure or gag orders, that require the tech companies to keep their customers in the dark, potentially for years.

Concern about the practice spiked this summer after journalists at The Washington Post and the New York Times learned that the Trump Justice Department had secretly subpoenaed their email account data in an effort to identify the source of classified leaks early in President Donald Trump’s term. Federal prosecutors also targeted Democrats on the House Intelligence Committee, their aides and even family members.

But those requests were just a tiny fraction of the orders prosecutors secure annually to stealthily snoop through the data of ordinary users like Lackey.

In the last six months of 2020, Facebook received 61,262 government requests for user data in the United States, said spokesman Andy Stone. Most — 69 percent — came with secrecy orders. Meanwhile, Microsoft has received between 2,400 and 3,500 secrecy orders from federal law enforcement each year since 2016 — or seven to 10 per day — according to congressional testimony by vice president of customer security and trust Tom Burt.

Google and Apple declined to disclose the number of gag orders they’ve received. But in the first half of 2020, Google said U.S. law enforcement made 39,536 requests for information about 84,662 accounts — with many of the requests targeting multiple accounts. Apple said it received 11,363 requests.

The Trump administration is hardly the first to use gag orders for tech-company searches. Under the 1986 Electronic Communications Privacy Act, federal prosecutors are required to seek digital information from tech companies, not their customers. Since then, prosecutors have routinely used gag orders to prevent the companies from spilling the beans to suspects who might destroy evidence, go into hiding or threaten someone’s life.

But the practice has mushroomed over the past two decades, part of a broader surveillance ramp-up following the Sept. 11, 2001, terrorist attacks, lawyers said. As the orders have proliferated, privacy advocates and the tech companies themselves have become increasingly concerned.

Some tech company officials have accused prosecutors of reflexively requesting gag orders for routine investigations, regardless of whether the cases actually require such secrecy. And an array of company officials and legal experts argue that the practice robs tech company customers of their constitutional protections against unreasonable search and seizure.

“Across all the rest of society, it’s understood that government doesn’t get to take your stuff, doesn’t get to come in and into your house, doesn’t get to break into your file folders or your lock box at the bank without a warrant. And you get to know about that warrant and you get to exercise your legal rights,” Microsoft’s Burt said in an interview. “Someone cannot exercise their Fourth Amendment rights when their data has been taken in secret.”

With lawmakers in both parties considering reining in the practice, the Justice Department is reviewing its policies regarding nondisclosure orders that delay notification of tech company customers, said spokesman Joshua Stueve.

“The Department is committed to properly balancing legitimate needs for confidentiality in criminal investigations with the public’s interest in understanding how investigative authorities are used,” Stueve said in an email, though he declined to specify what changes are under consideration.

The proliferation of gag orders mirrors the explosion of electronic evidence as the world has become more digital, said Ed Kim, a former prosecutor in the United States Attorney’s Office for the Southern District of New York, who is in private practice in New York now.

“That’s led tech companies to get more vigilant,” Kim said.

When prosecutors obtain warrants for physical evidence, they rarely need a gag order. That’s because the person who owns the objects — a weapon used in a crime, for example, or a box of documents — is often present when the evidence is seized. And if the evidence is seized improperly, either because the dragnet is overly broad or because of outright investigative abuses, the target of the search typically has an opportunity to challenge it in court.

It’s different with digital evidence, which is often kept on the servers of tech companies. That evidence can include highly sensitive details about a person’s entire life, including photos, text messages and phone records that could be used to establish their relationships, describe their motives or even place them at the scene of a crime.

But when investigators serve tech companies with subpoenas or search warrants for this information, the target of the investigation has no idea their data is being seized. And if investigators obtain a gag order, the records must be handed over without the person’s knowledge or consent — depriving the person of an opportunity to challenge the seizure in court.

Justice Department officials argue there are legitimate reasons to request secrecy orders, especially during complex investigations targeting drug dealers or crime bosses. They note that secrecy orders require judicial approval, providing a check on their investigative powers.

But the bar is often low for investigators to prove the need for secrecy, said white-collar defense lawyer Robert Mintz, a former deputy chief of the Organized Crime Strike Force Division of the U.S. attorney’s office.

“Judges are in a difficult position of having to gauge the necessity of having subpoenas being secret at the beginning of an investigation,” he said. “Historically, judges have given great deference to prosecutors.”

Over the years, tech companies such as Google have increasingly tried to challenge gag orders that appear to be unnecessary, said Albert Gidari, a former lawyer for Big Tech and telecommunications firms who later served as director of privacy at Stanford Law School’s Center for Internet and Society. Where possible, he said, they also have sought to alert users to the search warrants and share details in so-called “transparency reports.”

But tech company officials said it is often difficult to tell which orders are worth fighting. The orders are often vague — sometimes just email addresses — and the owner of the account isn’t always obvious.

Microsoft provided two secrecy orders to The Post with the names of the customers redacted. Each is only about four paragraphs long and declares that notifying the customer about the existence of the data request could lead to evidence tampering or flight from prosecution.

Neither order offers any support for those claims, or any details to indicate why secrecy is necessary. Microsoft complied with both orders and notified customers of the seizure only after the orders expired.

Microsoft said it generally complies with secrecy orders because it is legally required to do so. At Google, director of law enforcement and information security Richard Salgado said the company will challenge nondisclosure orders if there are “external signals” that the orders lack merit. For example, email addresses can indicate who the subjects or their employers are, providing an avenue for the company to argue against secrecy, said Salgado, a former federal prosecutor.

Google’s decision to challenge the gag order on the Trump Justice Department’s subpoena for email data belonging to four reporters at the New York Times, which uses Google’s mail service, offers a rare example of such a challenge becoming public. Google won, and was able to share details of the subpoena — initially only with a Times lawyer.

Often, however, the orders “are rather generic,” Salgado said, providing too little information for Google to mount a case.

“These nondisclosure orders are issued more routinely than makes sense,” he said.

Consider the case of Lackey. A former Defense Department contractor, Lackey now runs a security consulting business that has handled matters involving cryptocurrency and ransomware. Lackey acknowledges that work could conceivably place him in the crosshairs of law enforcement.

But Lackey says it’s not at all clear why prosecutors would sift through his data on Facebook, where he oversees several groups, including one focused on cat photos.

Was the FBI after basic subscriber information, such as his name and when he created the account? Or did they seize something much more problematic, such as personal photos, private messages or a history of his movements at home and abroad during 15 years of logging into the app? The latter, he said, would be a “severe violation of my expectation of my privacy.”

It’s unclear even when the secrecy order was first issued, though Lackey said clues from legal documents he has since obtained suggest that he was kept in the dark for at least two years before Facebook sent him that March email.

“I’m pretty confident that I’m a fairly boring person. I haven’t done anything that I would consider worthy of the FBI’s time or interest,” Lackey said.

Stueve, the Justice Department spokesman, declined to comment on Lackey’s case, as did Stone, the Facebook spokesman. Stone pointed to Facebook’s transparency report, which notes that it complies with government requests for user information when required by law and that it turns over data “narrowly tailored” to each request.

In an emailed statement, Facebook vice president and deputy general counsel Chris Sonderby said Facebook officials “push back against government overreach and challenge nondisclosure orders in court when necessary.” He added: “Our policy is to notify people who use our platform of requests for their information unless prohibited by law or in exceptional circumstances.”

After receiving the March email, Lackey asked Facebook what information it had handed over and what time frame the request covered. In an emailed response reviewed by The Post, the tech giant wrote that it couldn’t give him “legal advice” and suggested that he “consult with an attorney.”

Lackey said he has been left with “low-level anxiety” and lots of unanswered questions.

“I’m not opposed to helping law enforcement with a legitimate investigation,” he said. “But if it’s a civil liberties violation or a fishing expedition, I don’t want to help them in that.”

As privacy advocates and tech company officials press prosecutors for more transparency, lawmakers on Capitol Hill are beginning to sift through their options for reining in the practice. One idea: Require tech companies to preserve digital files that are the subject of court orders and permit customers to challenge the orders in court before the information is turned over to prosecutors.

Sen. Ron Wyden (D-Ore.) is drafting a measure that would require government investigators to tell the targets of surveillance what data they gather from the tech companies within a reasonable time, much as they already do for more traditional wiretaps and bank-record subpoenas. The measure would cover demands for location records, stored emails, social media photos and other data, said a Wyden aide, who spoke on the condition of anonymity to discuss the internal bill-writing process.

The measure also would require federal courts to publish, for the first time, basic statistics about surveillance and secrecy orders. But it would continue to permit the orders to be issued.

Wyden is hoping the measure will attract bipartisan support. While Democrats have expressed outrage over the Trump administration’s leak investigation, Republicans have accused President Biden and former president Barack Obama of snooping on conservatives.

“The United States of America should not spy on its citizens,” Rep. Jim Jordan (R-Ohio) said during a June hearing on the issue. “This process is in need of reform.”
