Statement by William C. Snyder on SCOTUS Carpenter vs. US Decision


The Supreme Court’s Carpenter vs. US decision today will have far-reaching impacts, because it extends constitutional protections to cell site location information and not just to the actual content or words and sounds of a cellphone call or text message. The government now needs a warrant issued by a judge in order to obtain long-term, detailed records of the location of a cell phone.

The ruling also is significant because the Court reasons that constitutional protections against unreasonable searches and seizures must change as technology advances, surely a sign that more change will come. Furthermore, the Court struck down Congress’s protections for cell site location information. That is, the FBI fully complied with the Stored Communications Act and obtained federal court orders requiring Sprint and another carrier to turn over the geolocation information. Those orders are less difficult for police to obtain than are search warrants. Now, more stringent search warrants are required.

Nevertheless, the Court affirmed that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties … even if the information is revealed on the assumption that it will be used only for a limited purpose.”

The so-called “Third Party Records Doctrine” survives; the Court found that it does not apply to long-term “encyclopedic” geographic information generated by cell phones. Striking down this doctrine would have had enormous implications for government investigations, both for law enforcement and intelligence agencies.

The Court not only did not go that far, but it reaffirmed the basic principle that the Constitution does not protect evidence a person voluntarily provides to someone else.

These matters are complex. The justices wrote 119 pages to explain their reasoning. Also, the decision was 5-4, decided by just one vote. Today’s decision is, in the words of the Court, “a narrow one.” It is a step toward extending Constitutional protections in the cyber age, but only a step. It points a direction, but the Court is proceeding one step at a time.

Professor William C. Snyder


Very Initial Thoughts on the White House Cybersecurity Order

By William C. Snyder

Actual Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Initial thoughts, observations, and questions on the White House Cybersecurity Order …

  • Once again, the NIST Framework for Improving Critical Infrastructure Cybersecurity is key.
  • Each agency has 90 days to provide a risk management report to the secretary of the Department of Homeland Security (DHS) and the Director of the Office of Management and Budget (OMB).
  • DHS, OMB, Commerce, General Services, and White House staff then have 60 days to submit to the president a plan to protect the “executive branch enterprise.” Is that coordination or an ability to designate who is in charge?
  • For any national security system, the SecDEF and Director of National Intelligence (DNI) replace DHS and OMB.
  • An even larger group has 180 days to provide a report on protecting critical infrastructure. That group includes the secretary of DHS, secretary of Defense, the Attorney General, the DNI, the Director of the FBI, “the heads of appropriate sector-specific agencies,” … “and all other appropriate agency heads.”
  • The order calls for “market transparency of cybersecurity risk management practices by critical infrastructure entities,” presumably so people can vote with their feet. But, much critical infrastructure is either held/run by regulated monopolies or in the public sector. So, consumer choice is minimal and demand will not be elastic based upon transparency of poor cybersecurity practices. This directive may simply amount to public shaming as the enforcement mechanism.
  • A different large group of public agencies is to promote resilience against botnets and the like.
  • The departments of Energy and Homeland Security and DNI office have 90 days to report on securing the electric grid.
  • For the nation in general, “it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.” Note that one side of the balance is only “disruption, fraud, and theft.” There is no mention there of preventing terrorist communications or contraband such as child pornography.
  • A report on deterring adversaries is required within 90 days.
  • A section entitled “International Cooperation” also calls for reports, but it gives no indication of whether the Administration still supports “multi-stakeholderism” or will shift to “multilateralism.”
  • For better or worse, the order does not address investigative abilities and criminal enforcement.
  • The order takes a defense posture and does not promote—yet—offensive cybersecurity.

On Tort Liability for “Buggy” Software

By William C. Snyder

(Re-published from Crossroads: Cybersecurity Law & Policy | Nov. 13, 2016) Effectively there is no liability for manufacturers of “buggy” software. This is not, however, due to a special exemption in the law enacted to ban software liability. There is a special exemption to liability enacted by Congress for interactive computer services, and sometimes that overlaps with software.

“Geer and Schneier (and others) are right that there should be liability for vulnerable software, but strict product liability would stifle innovation.”

Generally, however, the reason you can’t sue software creators for bugs is that Congress has not enacted or created such liability, not that it has banned such liability. In the routine case, the software creator makes the end user agree through a licensing agreement not to hold the creator liable. The end user must go along with that agreement, or else they can’t use the software (such as the Windows or Apple operating systems). Congress has never limited such licensing agreements for software as it (or some state legislatures) has for regular products liability.

The exemption that does exist is called “Section 230 Immunity.” Basically, it is immunity for Internet service providers (ISPs), website hosting services, and websites. Section 230 of the Communications Decency Act of 1996 states:

  • (c) Protection for “Good Samaritan” blocking and screening of offensive material
    • (1) Treatment of publisher or speaker—No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.
    • (2) Civil liability—No provider or user of an interactive computer service shall be held liable on account of—
      • (A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or
      • (B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

* * *

  • (f) Definitions As used in this section:
    • (1) Internet—The term “Internet” means the international computer network of both Federal and non-Federal interoperable packet switched data networks.
    • (2) Interactive computer service—The term “interactive computer service” means any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.
    • (3) Information content provider—The term “information content provider” means any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.
    • (4) Access software provider—The term “access software provider” means a provider of software (including client or server software), or enabling tools that do any one or more of the following:
      • (A) filter, screen, allow, or disallow content;
      • (B) pick, choose, analyze, or digest content; or
      • (C) transmit, receive, display, forward, cache, search, subset, organize, reorganize, or translate content.

In short, “Section 230 of the Communications Decency Act grants interactive online services of all types, including blogs, forums, and listservs, broad immunity from tort liability so long as the information at issue is provided by a third party.” That immunity extends to liability for delivering malware (viruses, etc.) over the Internet. It does not cover liability for writing and selling or licensing buggy software.[1]

The reasons that you can’t sue over buggy software are mostly 1) it is nearly impossible to prove the elements of tort liability under either the common law or the Uniform Commercial Code, as explained in this article; and 2) Congress has never enacted (and the courts have never discovered on their own) strict liability for software defects. (“Strict liability” is legal responsibility for damages or injury even if the person found strictly liable was not at fault or negligent.)

Thus, in almost all cases, you waived suits for liability in the license for the software. Here is the license for Windows:

Last updated July 2016


* * *


Microsoft warrants that properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. This limited warranty does not cover problems that you cause, that arise when you fail to follow instructions, or that are caused by events beyond Microsoft’s reasonable control. The limited warranty starts when the first user acquires the software, and lasts for one year. Any supplements, updates, or replacement software that you may receive from Microsoft during that year are also covered, but only for the remainder of that one-year period or for 30 days, whichever is longer. Transferring the software will not extend the limited warranty.

Microsoft gives no other express warranties, guarantees, or conditions. Microsoft excludes all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement. If your local law does not allow the exclusion of implied warranties, then any implied warranties, guarantees, or conditions last only during the term of the limited warranty and are limited as much as your local law allows. If your local law requires a longer limited warranty term, despite this agreement, then that longer term will apply, but you can recover only the remedies this agreement allows.

If Microsoft breaches its limited warranty, it will, at its election, either: (i) repair or replace the software at no charge, or (ii) accept return of the software (or at its election the Microsoft branded device on which the software was preinstalled) for a refund of the amount paid, if any. These are your only remedies for breach of warranty. This limited warranty gives you specific legal rights, and you may also have other rights which vary from state to state or country to country.

Except for any repair, replacement, or refund Microsoft may provide, you may not recover under this limited warranty, under any other part of this agreement, or under any theory, any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages. The damage exclusions and remedy limitations in this agreement apply even if repair, replacement or a refund does not fully compensate you for any losses, if Microsoft knew or should have known about the possibility of the damages, or if the remedy fails of its essential purpose. Some states and countries do not allow the exclusion or limitation of incidental, consequential, or other damages, so those limitations or exclusions may not apply to you. If your local law allows you to recover damages from Microsoft even though this agreement does not, you cannot recover more than you paid for the software (or up to $50 USD if you acquired the software for no charge).

[emphasis in original]

If you don’t agree to that—or a provision like it in very nearly every software license—then you can’t use the software. What choice do you have? Only one: you could go to open source software. But, as Bruce Schneier explains, by its very nature (it is written like a Wikipedia) there is no one to sue for bugs in open source software.

Thus, Dan Geer reportedly said at a Black Hat USA conference: “Today the relevant legal concept is ‘product liability,’ and the fundamental formula is ‘If you make money selling something, then you better do it well, or you will be held responsible for the trouble it causes.’ For better or poorer, the only two products not covered by product liability today are religion and software, and software should not escape for much longer.”

He then advocated for extending liability for vulnerable software: “The software houses will yell bloody murder the minute legislation like this is introduced,” said Geer, “and any pundit and lobbyist they can afford will spew their dire predictions that ‘This law will mean the end of computing as we know it!’ To which our considered answer will be, ‘Yes, please! That was exactly the idea.’”

In short, there is a special exemption for interactive computer services. There is, usually, practical immunity for people who license or sell buggy software to you. Congress could extend tort liability to the makers and sellers of buggy software.

My opinion is this: Geer and Schneier (and others) are right that there should be liability for vulnerable software, but strict product liability would stifle innovation. Some kind of middle ground such as liability for gross negligence only is appropriate. Also, I believe that Syracuse University iSchool Professor Lee McKnight is correct in saying that, “this issue [is more likely] to be addressed in the incoming administration than one more beholden to Silicon Valley’s sloppy business practices as usual.”

[1] See Software Manufacturer Denied Section 230 Immunity – Hardin v. PDX, 2014 WL 2768863 (Cal. App. Ct. June 19, 2014).


Updated—Apple’s Odd First Amendment Argument

By William Snyder

(Re-published from I have been saying that there is no constitutional issue in the case of “In The Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203”—the so-called “Apple v. FBI” litigation—because the government has a warrant to search the telephone and the owner of the phone (San Bernardino County, CA) consents to the search.  I stand corrected.  There is no Fourth Amendment issue in the case.

“The United States is a nation of laws—not corporations.”

Apple is predicting that it will raise a First Amendment claim when it files its pleading in court.  The Los Angeles Times reports: “‘They [the US Department of Justice] are seeking a court order to compel Apple to write new software, to compel speech,’ [Apple attorney] Boutrous said in a brief interview with The Times.”

Boutrous said courts have recognized that the writing of computer code is a form of expressive activity, speech that is protected by the First Amendment. If the argument is that computer code is speech, and because the First Amendment prohibits the government from compelling speech, then therefore the government may not compel Apple to provide this code/speech—then Apple is making a very odd argument.

Of course the government can compel speech. It does so every day. Every subpoena—a writ ordering a person to attend court and testify—compels speech. True, sometimes the Fifth Amendment right against self-incrimination overrides a subpoena, but that has nothing to do with the First Amendment. But surely writing words and numbers on a piece of paper to convey information is speech? Yet try refusing to fill out your tax return on the grounds that the First Amendment forbids the government to compel speech. You’ll end up having your assets seized and going to jail, much the same fate as Apple executives will face if they refuse to comply with the federal court order at the end of the adversarial process.

So far Apple has not failed to comply with a court order in this case.  The order compelling Apple to assist in the search specifically invites Apple to challenge its legality as unduly burdensome within a certain time frame. Apple is still within that (extended) period. When we reach the end of the litigation, however, Apple must comply with the resulting court order, if any.  The United States is a nation of laws—not corporations—and the idea that the law does not apply in cyberspace was buried in the 1990s.

Professor Bill Snyder’s updated statement for Feb. 26, 2016:

Despite the rhetoric, so far Apple has not told the Court that it will refuse to assist in the search of the San Bernardino killer’s iPhone.  The order compelling Apple to assist in the search specifically invites Apple to challenge its legality as unduly burdensome, which Apple did on Thursday, Feb. 26, 2016. Apple is asking the Court to vacate its order.

If the Court does not change its mind, Apple must comply.  If Apple fails to comply with a federal court order at the end of this adversarial process, it can and no doubt will be held in contempt, fined, its assets seized, and its corporate officers jailed. We have a government of laws, not corporations, and the idea that the law does not apply in cyberspace was buried in the 1990s.

There is no Fourth Amendment search and seizure issue, because a neutral and detached magistrate issued a search warrant for the phone and because the owner consents to the search.  Apple does not argue otherwise in its motion filed on Thursday.  Rather, it argues that there is a First Amendment free speech issue.  Essentially, Apple argues that software code is speech, the First Amendment restricts the government from compelling speech, and therefore the Constitution prohibits the Court from compelling Apple to provide code/speech to access the data on the phone.  This is a bizarre argument.  The government can and does compel speech every day.  Every subpoena ever issued for testimony or documents compels speech.  Every tax form compels citizens to answer questions—to speak.

For more updates and to read the source documents for this controversy, visit:



Justice Shifts to Cyber from Terrorists with Reorganization

By William C. Snyder

“The US Justice Department is shifting the focus of its national security prosecution team to deal with cyber instead of spies,” writes Lawfare.  “U.S. national security prosecutors shift focus from spies to cyber,” proclaims Reuters.  “DOJ heightens focus on state-backed cyber crime” is The Hill’s headline.  All are reacting to a press release from the U.S. Department of Justice dated Tuesday, October 21, 2014.

The release states that my former colleague and friend Luke Dembosky has been named Deputy Assistant Attorney General of Justice’s National Security Division (NSD) to “manage NSD’s newly created portfolio covering protection of national assets, including efforts to combat economic espionage, proliferation, and cyber-based national security threats;” the “Anti-Terrorism and Advisory Council (ATAC) Coordinator program will be re-designated as the National Security Coordinator/ATAC program, to better reflect its ongoing work on the full range of national security threats, including combating economic espionage and counterproliferation;” and other “strategic changes within the … (NSD) designed to put additional focus on the protection of national assets from the threat of state-sponsored economic espionage and proliferation, including through cyberspace.”

[Full disclosure: this author was a federal prosecutor assigned to an ATAC and a JTTF. The ATACs are groups of federal, state and local law enforcement agencies headed by the local U.S. Attorneys around the country. They were created by Attorney General Ashcroft shortly after 9/11/01 in order to address issues of terrorism.]

From Reuters: “The revamp… also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States.”  This reflects my long advocacy of combining computer engineers with lawyers and policy makers, something I try to do in interdisciplinary classes every day.

John P. Carlin, the Assistant Attorney General for National Security who announced these changes, used a cyber term to explain them: “We need to develop the capability and bandwidth to deal with what we can see as an evolving threat,” reports Reuters.  The same article also quotes a former Justice prosecutor stating: “This is not just a reshuffling of the deck” …




David House, DHS, & the 4th Amendment Border Search Exception


By William C. Snyder

As a supplement to yesterday’s post about David House and the controversy over the treatment of Fourth Amendment rights at the border, here’s a little summary of how constitutional law addresses electronic devices and the warrant requirement at U.S. borders.

The Supreme Court has held that border searches are not subject to warrant provisions of the Fourth Amendment and are “reasonable” within the meaning of that amendment “simply by virtue of the fact that they occur at the border.”  U.S. v. Cotterman, 709 F.3d 952, 960 (9th Cir. 2013) (quoting U.S. v. Ramsey, 431 U.S. 606, 616 (1977)).  This exception has been termed the “Border Search Exception” to the Fourth Amendment.

The broad contours of the scope of searches at our international borders are rooted in ‘the long-standing right of the sovereign to protect itself by stopping and examining persons and property crossing into this country.’ Id.

In other words, the government’s interest in thwarting illegal activities at the border is often found to outweigh an individual’s privacy interests.

But, what about searches or seizures of electronic devices?

Laptop computers, iPads and the like are simultaneously offices and personal diaries.  They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails.  This type of material implicates the Fourth Amendment’s specific guarantee of people’s right to be secure in their ‘papers.’ Cotterman, 709 F.3d at 964.

The Supreme Court has placed some limits on the Border Search Exception, holding that certain types of searches may require at least a reasonable suspicion of criminal activity. “Highly intrusive” searches at a border, for example, require “some level of suspicion,” and searches that are “so destructive,” “particularly offensive,” or overly intrusive require particularized suspicion. Id. at 963 (citing U.S. v. Flores-Montano, 541 U.S. 149, 152 (2004)).

However, “the Supreme Court [has not yet] addressed whether a border search of electronic devices that store personal information constitutes a non-routine ‘highly intrusive search’ which would require some level of suspicion.” House v. Napolitano et al., No. 1:11-cv-10852, WL 1038816 at *10 (D. Mass., Mar. 28, 2012).

To complicate things even further, we are now seeing searches of electronic devices that go beyond the scope of cursory viewing of documents, photographs, and other files stored on the device’s hard drive. “Forensic investigations” of electronic devices are being conducted, which could include, for example, unlocking password-protected files, restoring deleted material, or retrieving images viewed on websites.

Should these more intrusive forensic border searches be subjected to the same Fourth Amendment exception, such that they will be deemed reasonable simply by virtue of the fact that they occur at an international border? …


At This Point Legally, US Would Be Wrong to Attack Syria

By William C. Snyder

(From All nations have the right to use military force in self-defense, but Syria has not attacked the United States. If we, the U.S., are to use force against another nation in order to enforce international law rather than in self-defense, then as members of the United Nations we must wait for authorization by the Security Council. In the U.N. Charter, we agreed to ‘refrain in … international relations from the threat or use of force against … any state’ except for ‘self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has’ acted.

“It might not be immoral for the U.S. to kill those responsible for the chemical weapons attack, but it would be a violation of international law.”

It makes no sense to enforce one international treaty (the chemical weapons ban) by breaking another (the U.N. Charter). I hope that the U.N. Security Council authorizes the use of force against and the prosecution of those who used chemical weapons in Syria, but absent that or an armed attack by Syria on the U.S. or our treaty allies, we would be wrong to use military force against Syria.

If, however, a nation with whom we have a defense treaty — including but not limited to all members of NATO plus Israel — were to be attacked by Syria, then we must defend ourselves collectively with any and all force necessary at a time and place and in a manner of our choosing. The same would be true, of course, if the United States were attacked by Syria. The Syrian military should view an attack upon U.S. Navy destroyers in the Mediterranean as tantamount to suicide.

There might be some more extreme circumstances in which the United States would have a lawful duty to protect the people of Syria from their own government. Whatever might be the contours of the legal duty to protect is not yet clear, but it has not been triggered by events as of Sept. 2 …


Call Database Legal Rationale to be Released Today: LA Times

By William C. Snyder

The Los Angeles Times reports this morning, 7/31/13, that the Obama Administration has declassified the order of the Foreign Intelligence Surveillance Court which authorized the collection of call data records or “metadata” on a large scale. Times reporter Ken Dilanian writes:

The now-declassified order is expected to be made public Wednesday when Deputy Atty. Gen. James Cole, NSA Deputy Director John Inglis and other officials are to appear before the Senate Judiciary Committee.

This order is expected to show the reasoning for determining that “records concerned are sought for an authorized investigation conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities,” the standard required by Section 1861 of the Foreign Intelligence Surveillance Act (FISA), as codified, sometimes erroneously referred to as Section 215 of the USA PATRIOT Act or “the Library Provision.”  That “in accordance with subsection (a)(2)” language in the preceding sentence requires that:

“(2) An investigation conducted under this section shall—

“(A) be conducted under guidelines approved by the Attorney General under Executive Order 12333 (or a successor order); and

“(B) not be conducted of a United States person solely upon the basis of activities protected by the first amendment to the Constitution of the United States …


First Instead of Fourth Amendment Challenge to NSA Data Collection

By William C. Snyder

An e-mail from the Electronic Frontier Foundation (EFF) received yesterday—July 16, 2013—supports my analysis of constitutional challenges to the collection of metadata from companies such as Verizon.

In an earlier post, I responded to a friend’s Facebook post which argued: “The 4th and 5th Amendments to the Constitution of my country, Article 12 of the Universal Declaration of Human Rights, and numerous statutes and treaties forbid such systems of massive, pervasive surveillance.”

On Facebook and on this blog at “Wrong, Mr. Snowden, Just Wrong,” I explained that international law simply does not criminalize espionage or military surveillance by nation states. Here, again, on Crossroads at “Fourth Amendment Does Not (Yet) Apply to NSA’s Telephone Call Database (Metadata)” we discussed the Fourth Amendment.  On Facebook, I stated that I couldn’t see a due process or other Fifth Amendment violation, adding:

But, the very limited success that has been made in challenging orders for production of third party records has been accomplished with FIRST Amendment arguments—that such surveillance chills speech or association.

Sure enough, yesterday the EFF wrote:

EFF just filed First Unitarian Church v. NSA, a new lawsuit opposing the illegal mass surveillance programs of the National Security Agency (NSA). We’re representing a broad group of American organizations—political associations, churches, and groups of ordinary folks—to draw much needed attention to the First Amendment violations caused by the unprecedented collection and searching of telephone records. (emphasis added) …


Fourth Amendment Does Not (Yet) Apply to NSA’s Telephone Call Database

By William C. Snyder

We may wish to make surveillance like that revealed by the Verizon court order (leaked by Mr. Snowden) for phone call metadata illegal. But it is not now. It is specifically authorized by a statute, and it was ordered by judges appointed pursuant to Article III of the Constitution.

Moreover, the Supreme Court has repeatedly and consistently held that production of records about you in the hands of third parties does not implicate your constitutional rights. You have no Fourth Amendment protections regarding those records (unless you meet the Katz test.) Smith and Miller (both Supreme Court cases) said that phone company records and bank records do not meet that test from Katz (i.e., you do not have a reasonable expectation of privacy.)

The ACLU keeps saying that “Section 215 of the Patriot Act is unconstitutional.” What they are really saying is that they believe that a correct interpretation of the Constitution would be to overrule well-settled Supreme Court precedent and find that people do have a reasonable expectation of privacy (both subjectively and one that society finds to be reasonable: Katz) in third party records about them. The gist of the argument is that the amount of data shared today is so different quantitatively that there is also a qualitative difference. Everything about the average person is shared with a third party now, but make no mistake, any applicability of the Fourth Amendment to third party records would be an extreme break with settled precedent …


For a related post (Wrong, Mr. Snowden, Just Wrong), click here.