Subpoenas: uncovering evidence from third parties in the digital age

As lawyers, we have an ethical duty that requires a basic understanding of issues related to the discovery of electronically stored information. This duty evolves as new technologies develop and become integrated with the practice of law. (California State Bar Formal Opinion No. 2015-193.) This applies when handling subpoenas seeking consumer or employment-related records as well as third-party business records subpoenas relating to electronic data.

Data available from social media and cell phone companies can be obtained using nonparty business records subpoenas. (Code of Civil Procedure Section 2020.410.) Proper procedures must be used when preparing and serving these nonparty business records. (See, e.g., Code of Civil Procedure Sections 2020.410 et seq.)

In addition to the subpoena itself, public utility wireless carriers require notarized written consent to release certain categories of protected records signed by the consumer whose records are the subject of the subpoena. (Public Utilities Code Section 2891; Code of Civil Procedure Section 1985.3(f); 18 U.S. Code Section 2702, subdivisions (b)(3) and (c)(2).) Protected records include personal calling patterns, the subscriber's personal financial information, demographic information, cell tower location data, precise GPS location data, and other stored electronic data related to the subscriber that the phone company may maintain. Email service providers and social media companies also require notarized written consent to release consumer records because this digital information is generally protected by federal law, specifically the Electronics Communications Privacy Act (ECPA) and Stored Communications Act (SCA). (Facebook, Inc. v. Superior Court, 4 Cal.5th 1245, 1282 (2018) (citing Negro v. Superior Court, 230 Cal.App.4th 879, 899 (2014).)

The ECPA generally protects wire, oral, and electronic communications while they are being made, are in transit, and when they are stored on computers. This act applies to email, telephone conversations and other data stored electronically. (18 U.S.C. Sections 2510-2523.) One major exception to the ECPA is that the ECPA does not protect electronic communications made through an electronic communications system that is configured such that the communication is "readily accessible to the general public." (18 U.S.C. Section 2511(2)(g)(i).)

The SCA is a subset of the ECPA, and prohibits "electronic communication services" (e.g., email) and "remote computing services" (e.g., cloud storage) from knowingly divulging to any person the contents of a communication while stored or carried by that service, unless certain exceptions apply. (18 U.S.C. Section 2702.) The SCA's two major exceptions are: (1) the lawful consent exception, and (2) the metadata exception.

Under the lawful consent exception, a service provider is allowed to disclose the contents of a stored communication pursuant to a subpoena accompanied by the lawful consent of (1) the originator of that content, or (2) an intended recipient of such communication, or (3) in the case of a remote computing service (e.g., Dropbox, Google Drive, etc.), the consent of the subscriber. (18 U.S. Code Section 2702(b)(3).) This consent can also be compelled. For example, if in response to a document production request a party refused to produce relevant social media posts, so long as the party could otherwise be compelled to produce those same social media posts, it could be possible to compel that party to provide the required consent to the social media company to disclose those posts. (See Juror Number One v. Superior Court, 206 Cal.App.4th 854 (2012).)

In Facebook Inc. v. Superior Court, 4 Cal.5th 1245 (2018), social media companies challenged improper subpoenas asserting that the SCA prohibited them from divulging the requested communications (i.e., Facebook posts or messages, including deleted content) regardless of whether the communications in question were configured to be public or private. The California Supreme Court held that while the SCA generally prohibits providers from disclosing the content of communications, that prohibition doesn't apply to communications configured to be public because the public setting creates implied consent for such disclosure, and, thus, a provider has no discretion to refuse to disclose the content of public communications. (Id. at 1274.) The Court left unresolved the question of how to treat posts that were subsequently reconfigured to be private or deleted before the relevant subpoena was issued. (Id. at 1289.)

Where, on the other hand, a user configures their social media posts to be inaccessible to the general public and accessible only to their "friends" or particular groups, at least one court has determined that these posts were "configured to be private" for purposes of the SCA. (Ehling v. Monmouth-Ocean Hosp. Serv. Corp. 961 F.Supp.2d 659, 668 (D. N.J. 2013).) In reaching this conclusion, the court observed that decisions "interpreting the SCA confirm that information is protectable as long as the communicator actively restricts the public from accessing the information." (Id. at 667.)

A provider, however, may divulge "non-content information" - or metadata - to any person other than a governmental entity pursuant to a subpoena. (18 U.S.C. Section 2702(c)(6).) Metadata includes, without limitation, logs maintained on a network server, as well as basic subscriber information such as a name and address, phone connection records, records of phone sessions and duration, phone numbers, temporarily assigned network addresses, and means and sources of payment for services. (18 U.S. Code Section 2702(c)(2).) Notably, the definition of metadata can be quite broad. At least one court has held that cell site information, as well as the date, time, and duration of calls, is all non-content information. (Mintz v. Mark Bartelstein & Associations, Inc., 885 F.Supp.2d 987, 999 (C.D. Cal. 2012).) The types of metadata that a third-party service provider may be able to provide are typically listed in the company's privacy policy.

Certain content may not be available from third-party providers via a subpoena because the information is end-to-end encrypted. Notably, this includes the content of iMessages, which are the "blue" Apple-device-to-Apple-device "text messages." In such situations, it may only be possible to obtain the content directly from the sending or receiving party in its decrypted form.

Subpoenas can be powerful tools to uncover the electronic fingerprints left by others in our increasingly digital world.