Can the Government Compel You To Produce Records That Don’t Exist Yet? - Security Boulevard

Can the Government Compel You To Produce Records That Don’t Exist Yet?

We all know that the government can get a subpoena compelling you to produce records that are in your “possession, custody or control,” provided those records are not privileged, along with a few other constraints. They can also get a search warrant authorizing law enforcement agents to search for or seize these records. Other kinds of court orders can be obtained for things like cell tower records, “trap and trace” records of phone numbers called or received, electronic communications or header information related to those communications.

National security letters and FISA orders provide a secret means to compel the production of some records, even without evidence of a crime. What all of these “compelled production” laws and regulations have in common is that they require the recipient to produce (or authorize the government to seize) documents or records that actually exist. But what happens if the government wants records that don’t exist? Or at least don’t exist right now?

Forbes magazine has filed a lawsuit in Pittsburgh federal court (Forbes Media LLC and Thomas Brewster to Unseal Records, Dkt. No. 2:21-mc-00052, (USDC WD PA))) seeking information from the FBI and others about the practice of using an ancient federal statute to compel entities to notify the government when a document or record they are interested in is created, and then to turn it over to the government at that time.

Forbes wrote about this practice in 2020 in an article explaining how online travel reservations company Sabre received an order from a court compelling them to provide—in real-time—information about when, where and how specific individuals were traveling. The government called this kind of surveillance a “hot watch,” and represented to the court in 2019 that “the government is aware … that other courts … have ordered the “hot watch” or real-time transmission of information related to credit cards” under the authority of what is called the All Writs Act. The application noted that, in other cases, courts have “ordered Sabre to assist in effectuating arrest warrants” and that Sabre complied with such orders in other districts.

What is the All Writs Act?

One of the first acts of the first Congress was to pass the All Writs Act of 1789. Congress had just created the federal courts under the Judiciary Act of 1789, (the Supreme Court was the only court established by the Constitution) and was attempting to define the scope of the courts’ powers. The act, now part of the United States Code, provides simply that “all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” A “writ” is essentially a court order, so if a court has the power to do something, it has the power to issue a writ. An appeal of a judgment is technically a ‘writ of appeal.’” An order to compel a public entity to perform a ministerial act is a ‘writ of mandamus.’”

There are lots of ways to be putting on the writs. The government has used—or attempted to use—the All Writs Act to give it (by court order) the authority to do things that are, shall we say, questionable. For example, when they wanted Apple to redesign the iPhone to deliberately weaken its security so the government could obtain access to the San Bernadino shooter’s phone, they sought a writ compelling the computer giant to do just that. They already had a search warrant to seize and search the phone—they simply didn’t have the ability to do so (well, until they hired an Israeli company that was able to crack the phone). They wanted the private company to be compelled to use their expertise to crack their own security and deliver unencrypted, plain text records of a third-party customer. Not quite a search warrant. Not quite simple “technical assistance” in aid of a wiretap. Since no law expressly granted the court the authority to order Apple to do this, the prosecution turned to the Swiss army knife of writs—the 1789 act.

So, it appears that the government is relying on the authority of the 18th century statute to force companies to notify the government—in real-time—when someone’s credit card is used, when they make travel plans, and potentially a host of other electronic information.

It’s not that there isn’t a reason for the government to want to know this information, and it’s not that a court hasn’t approved it—it’s that the government is conscripting technology companies into being something that they were never meant to be—government surveillance agents. What is worse is that these orders—both in terms of their number, their scope and, of course, their targets—are secret.

That’s what Forbes is trying to prevent.

Wiretap orders are meant to be disclosed after a period of time. Search warrants, similarly, are presumed to be public unless filed under seal, and are only kept sealed for a limited period of time. There’s no similar requirement for an order under the All Writs Act. Not only does this mean that the subject or target of a writ doesn’t know that the government—and the government-supporting company—is tracking them, but society as a whole does not know how companies are being conscripted to act as government agents.

While we certainly don’t want terrorists, individually, to know that we are tracking them, society as a general principle should know how the government wants to track its citizens. We should know if the government is using the All Writs Act to compel real-time production (using facial recognition or otherwise) of video surveillance, or of Google search requests. The Pennsylvania lawsuit by Forbes (and the Reporter’s Committee for Freedom of the Press) seeks more openness and transparency about how the DOJ and others are using the AWA to compel assistance by private companies. We will see how the court reacts.

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 108 posts and counting.See all posts by mark