Congress Needs to Make Surveillance Gag Orders Fair and Rare
By Greg Nojeim and Jessie Miller
Congress is considering legislation, the NDO Fairness Act, which would make it more likely that internet users will be notified when the government requests or obtains their digital communications. Because that outcome would enable users to better protect their rights, CDT supports the bill.
Under the Stored Communications Act (SCA), governmental entities routinely seek disclosures of users’ online content from communications service providers without providing notice to users. In addition, governmental entities often secure non-disclosure orders from courts (NDOs) which delay or effectively bar the notice that providers themselves can opt to give. Passed by unanimous voice vote in the House and introduced in the Senate by Senators Patrick Leahy (D-VT) and Mike Lee (R-UT), the NDO Fairness Act, H.R.7072 and S. 4373, would raise the standard the government must meet in order to obtain non-disclosure orders, ensure that such orders have finite time limits, and require governmental entities to give subscribers notice after non-disclosure orders expire. Thus, the bill would make it more likely that users will receive notice from providers who choose to give notice and from governmental entities when they obtain an NDO.
We also believe that additional legislation to require governmental entities to give users notice of surveillance demands even when they have not sought an NDO is critically important.
Current Law on Notice of Disclosure
Two sections of the SCA regulate disclosure notices. First, 18 USC 2703 outlines when government notice is necessary. For non-content disclosures, such as a user’s name, address, connection records, and telephone number, the government is not required to give notice. For content disclosures, the government does not have to give users notice when it obtains a warrant to access the contents of their communications, but does have to provide notice when it uses a subpoena or 2703(d) court order to obtain content. However, in United States v. Warshak, the Sixth Circuit Court of Appeals held that compelling disclosure of content without a warrant violates the Fourth Amendment. Other courts have followed suit, and as a result, warrants are generally used to compel disclosure of content. Consequently, the SCA effectively no longer requires the government to give any notice of any demand for any type of data.
Second, 18 USC 2705 explains when the government can get a delay in meeting its obligation to provide notice, and when it can issue a gag order on a provider. However, since 18 USC 2703 of the SCA can no longer be understood to require government notification in the first place, the provision about delays in government notice has little effect. 18 USC 2705 is nonetheless impactful because it allows the government to prevent providers from giving notice to users when their content is sought. Governmental entities can apply to a court for an order which bans providers from notifying persons about disclosure requests “for such period as the court deems appropriate.”
The result has been indefinite gag orders without expiration dates which bar willing and eager providers from notifying users that their information has been disclosed. Microsoft has revealed that 2,576 of the 5,624 federal requests for its customer data between September 2014 and March 2016 were accompanied by a gag order, and 68% of those requests appeared to contain “indefinite demands for secrecy.” In just the first 6 months of 2021, Meta received 63,657 requests for user data, 70% of which contained non-disclosure orders. These findings confirm that the government is routinely seeking non-disclosure orders, frequently without end dates, heightening the need for new regulation governing notice to users.
Change and Continuity Under the NDO Fairness Act
The NDO Fairness Act first raises the standard that governmental entities must meet in order to secure a non-disclosure order. Under current law, no written court order is needed for non-disclosure orders to be granted, and governmental entities only have to show that “there is reason to believe” provider notification will result in one of five enumerated harms, such as seriously jeopardizing an investigation. Current DOJ policy imposes a slightly higher standard, requiring demonstration of a “factual basis” for non-disclosure orders and placing a renewable one-year cap on the duration of such orders. (1)
The NDO Fairness Act heightens these standards by requiring the government to receive a written determination from a court that notice would be “substantially likely” to cause one of the five enumerated harms, the articulation of which is unchanged. In addition, the government must prove that the order is “narrowly tailored” and that there is “no less restrictive alternative.” The Act would also place limits on the duration of non-disclosure orders, ending the practice of indefinite gags on providers. Section 3 of the bill stipulates that non-disclosure orders can delay notification for no more than 60 days. Governmental entities can request an extension of the non-disclosure order, but only if the government makes a showing in court to receive an additional 60-day delay.
The NDO Fairness Act would also change current law by requiring the government to give users notice upon the expiration of a gag order placed on a provider. The Act dictates that within 72 hours of the expiration of a non-disclosure order, the government must provide notice to the user in two forms, such as by email and first-class mail. These notices must include: (1) a copy of the warrant, subpoena, or court order, (2) information on the nature of the inquiry, (3) a recognition of the delay, (4) the identity of the court issuing the order, (5) the provision under which the delay was authorized, and (6) a copy of the disclosed information upon request.
Passage of this bill would meaningfully bolster user notification by raising the bar for the government to secure non-disclosure orders, by time limiting those orders, and by requiring that the government itself give notice after the finite time-limit on a non-disclosure order has expired. (2)
One final provision of note in the NDO Fairness Act is the introduction of an annual report concerning the use of surveillance under 18 USC 2703. The report is to be prepared by the attorney general, and will include information about the number of users whose data was disclosed and the number of arrests, trials, and convictions in cases where disclosure orders were obtained, among other things. This will help bolster transparency that has thus far been lacking in government requests for disclosure of users’ information.
Likely Impacts of the NDO Fairness Act
If enacted into law, the NDO Fairness Act will increase the likelihood that users will be informed by their communication service providers of surveillance demands affecting their sensitive information. These notices will likely be more timely, and higher standards for non-disclosure orders will decrease their frequency and duration. In addition, the NDO Fairness Act will encourage governmental entities to seek gag orders only when truly necessary, both because of the higher standards and because obtaining such orders creates a burden of notification upon expiration of the order, which would otherwise not exist.
Many electronic communications service providers have demonstrated that they are eager to provide notice to users. For example, Microsoft has played an active role in advocating against non-disclosure orders: it brought a major challenge to NDOs which CDT supported, and it testified before Congress last year in support of legislative reform of non-disclosure orders. Many other major technology companies such as Google, Meta, and Twitter have policies of providing notice in most cases of compelled disclosure. On the other hand, telecommunications providers, which receive hundreds of thousands of disclosure demands annually, generally don’t commit to providing notice. The passage of the NDO Fairness Act can help ensure that the promise of notification policies are realized, and may encourage companies that do not now provide notice to consider changing their policies to give notice in the future.
The Act leaves some unfinished business — imposing requirements on the government to give notice of its disclosure demands when no gag order is obtained — which will need to be addressed in future legislation. Nonetheless, CDT supports the passage of this bill because it will result in more frequent and timely notice of government surveillance demands, which will enable users to better protect their rights.
NOTES
(1) The DOJ’s 2017 policy on gag orders can be found here: https://www.justice.gov/criminal-ccips/page/file/1005791/download, and the May 2022 update to that policy is here: https://www.justice.gov/dag/page/file/1509476/download.
(2) Other amendments the NDO Fairness Act makes to the government notice portions of 18 USC 2705 are largely cosmetic because, as explained above, the government is generally not required to give notice. The Act shortens the duration of the delay in notice that the government can request from 90 to 60 days, and adds a requirement of a written determination by a court that a notice would be “substantially likely” to cause harm. Under current law, the standard for granting delayed notice is lower; courts only have to find that there is “reason to believe” that harm “may” occur. These amendments will not increase the likelihood of government notice of surveillance demands unless Congress imposes new requirements to give notice. They appear to be intended to make the circumstances in which government notice can be delayed parallel those that would pertain to delay of provider notice should the Act become law.
