III. Government and Court Access to Private-Sector Information

Law Enforcement and Privacy

Along with civil litigation, a company can face requests to provide personal information in connection with criminal investigations and litigation. Fourth Amendment limits on law enforcement searches - "reasonable expectation of privacy test" developed in context of government wiretaps. Statutes that can apply to criminal investigations, including HIPAA, ECPA, SCA, RFPA. CLOUD Act addresses evidence stored in other countries.

FISA Amendment Act of 2008.

Gave legal authorization to new surveillance practices, especially where one party to the communication is reasonably believed to be outside of the US. It granted immunity to the telephone companies so they wouldn't be liable for records provided to the govt in the wake of 9/11. Required more reporting from govt to Congress and put limits on some of the secrecy around NSLs and other requests for records relating to national security.

NATIONAL SECURITY AND PRIVACY

When the government seeks personal information for national security purposes. Any company can be faced with a request for records under Section 215 of the USA Patriot Act, and many can receive NSLs. Responding to national security requests is complicated because US privacy laws have varying scope and differing definitions for national security exceptions.

Electronic discovery (electronically stored information (ESI)):

a. E-discovery implicates both domestic privacy concerns and issues arising in transborder data flows. i. 3 Major Steps in E-Discovery Process: primarily owned by attorneys but privacy pros often assist 1. Preservation: When an organization receives notice of potential litigation, the first step that should take place is the issuance of a legal hold to individuals and departments that may have electronic or paper records relevant to the dispute. Preservation includes more than not intentionally destroying information. When entity has reason to believe there will be litigation, all automated processes that would destroy relevant information must be suspended. Most often affects IT groups requiring preservation of log entries and ensuring that they are not automatically purged after a certain period of time or after the log reaches a certain size. 2. Collection: of preserved electronic records - timing determined by attorneys - documents on file servers, files stored on individual computers, email messages stored on servers or in the cloud, and records in enterprise systems managed on prem or in the cloud. Must have processes in place to collect this information and will normally use e-discovery mgmt. product to assist with collection and organization of records. 3. Production: records actually presented to the other side - the real heavy lifting begins. Review all collected records and decide which are relevant to the dispute and not protected by legal privileges (e.g., atty-client privilege). Electronic file with all relevant files shared with other side. ii. ESI can be email, word processing documents, databases, web pages, server logs, instant messaging transcripts, voicemail systems, social networking records, thumb drives, or even microSD cards iii. Data Retention: Managing e-discovery and privacy begins with a well-managed data retention program 1. Best practices for email retention (Sedona Conference guidelines): · Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units · The teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice · Interdisciplinary teams should reach consensus as to policies, while looking to industry standards · Technical solutions should meet and parallel the functional requirements of the organization 2. Good Faith Exception: When done in good faith, data that is transitory, not routinely created or maintained for business purposes, and requires additional steps to retrieve and store may be outside the duty to preserve 3. Preservation and litigation hold: even when wiping data is done within the normal course of business, in litigation, there is a duty to act affirmatively to preserve the data. 4. Conflict: when corporate retention policy and discovery obligations conflict, discovery obligations will likely prevail. Courts apply 3-part test: · Retention policy should be reasonable considering the facts · Court may consider similar complaints against the organization · Court may evaluate whether the org instituted the policy in bad faith iv. Transborder data flows 1. Conflict between US obligation to follow discovery rules and, when data is located outside US, more restrictive laws in another country (e.g., GDPR in the EU) 2. Different approaches · Plaintiff, seeking resolution in the U.S., needs to comply · All parties must comply; foreign statutes do not deprive an American court power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute. · Focus is on the nature or type of documents at issue; privacy log describing docs without disclosing contents 3. Conflict can be avoided by: · Hague Convention on the Taking of Evidence: Party seeking to displace F.R.C.P. has burden of (1) demonstrating that it is more appropriate to use the Hague Convention and (2) establishing that the foreign law prohibits the discovery sought · Aerospaciale v. S.D. of Iowa provides factors a US court may use to resolve a conflict between US and foreign law re e-discovery requests: o Importance of the documents or data to the litigation o Specificity of the request o Whether the information originated in the US o Availability of alternative means of security for the info o Extent to which the important interest of the US and the foreign state would be undermined by an adverse ruling. (most important factor)

The USA Freedom Act of 2015:

a. Enacted following Snowden revelations and release of thousands of classified docs to the media that detailed govt programs re: collecting large amounts of info on citizens and non-citizens. i. Reformed US intelligence and surveillance laws and increased transparency of the FISA Court and added new controls to improve oversight of govt surveillance ii. Eliminated Section 215 - bulk collection of call detail records 1. Prohibited blanket "tangible things" production orders - targeted warrants from FISA Court needed to collect phone metadata from telecom companies 2. Required use of specific selector terms such as when requesting records for specific phone number or email address under Patriot Act or for pen register/trap and trace orders issued under FISA iii. Judge must approve FISA orders for ongoing collection of records except where US AG declares emergency iv. Changes to FISA Court 1. Court must obtain independent expert opinions when court believes govt surveillance application presents novel or significant interpretation of the law or in other cases where the court needs technical expertise 2. Allows court to ask SCt to review questions about interpretation of the law 3. Requires that Director of National Intelligence conduct declassification reviews of significant FISA Court orders and disclose those orders to the public when possible v. NSLs must now include specific selection terms and there are stricter requirements on federal agencies about when gag orders can be imposed on NSL recipients. Recipients of NSL allowed to challenge the letter or a gag order contained in the letter in court and more disclosure of information about those letters is allowed. vi. Transparency Reports: govt must issue annual transparency reports that include details on requests made using the National Security Authorities provided by USA Freedom Act vii. Companies permitted to publish aggregate info about FISA orders and NSLs received in given period

Foreign Intelligence Surveillance Act of 1978 (FISA):

a. Establishes standards and procedures for the authorization of electronic surveillance (including video) that collects foreign intelligence, use of pen registers and trap and trace devices (for phone numbers, email addresses, and other addressing and routing information), physical searches, and business records for the purpose of gathering foreign intelligence within the US. FISA orders can be issued when foreign intelligence gathering is significant purpose of investigation. FISA orders are issued based on probable cause that party to be monitored (any person - even US person) is "foreign power" or "agent of a foreign power." FISA orders issue from a special court of 11 federal district court judges, the Foreign Intelligence Surveillance Court (FISC) - holds secret hearings on FISA requests. i. Two ways govt can conduct surveillance under FISA: 1. US Attorney General: approves surveillance for up to 1 year if there is no substantial likelihood of intercepting communications of US persons 2. FISC: approves surveillance that may involve US persons if there is probable cause to believe that person is the agent of a foreign power - must be renewed every 90 or 120 days ii. Wiretaps: DoJ must apply to FISC to obtain warrant authorizing electronic surveillance of foreign agents. For targets that are U.S. persons, FISA requires heightened requirements in some instances. Agents must demonstrate probable cause to believe "target of the surveillance is a foreign power or agent of a foreign power," that "a significant purpose" of surveillance is to obtain "foreign intelligence information," and appropriate "minimization procedures" are in place. 1. No need to demonstrate commission of crime is imminent. 2. Agents of foreign powers include agents of foreign political organizations and groups engaged in international terrorism, as well as agents of foreign nations. 3. President may authorize electronic surveillance to acquire foreign intelligence information for periods of up to 1 year without FISC order where US AG certifies "no substantial likelihood that the surveillance will acquire the contents of any communication to which a U.S. person is a party," provided surveillance directed solely at communications among or between foreign powers, or "acquisition of technical intelligence ... from property or premises under open and exclusive control of foreign power." 4. Due to secrecy of govt surveillance of agents of foreign powers, entities that receive FISA order to produce records generally cannot disclose that fact to the targets of investigation. 5. Companies are allowed to publish statistics about the number of FISA orders and NSLs they receive iii. E-mails and stored records: Where govt accidentally intercepted communications that "under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes, and if both sender and intended recipients are located in US," government is required to destroy those records, "unless AG determines that contents indicate threat of death or serious bodily harm to any person." iv. National Security Letters: category of subpoena that, prior to the Patriot Act, was used narrowly, only for certain financial and communication records of an agent of foreign power and only with approval of FBI headquarters. Patriot Act expanded use of NSLs. 1. Issued by authorized officials, Special Agent in Charge of FBI field office 2. Can be issued w/o judicial involvement but under 2006 amendments recipients can petition federal court to modify or set aside NSL if compliance would be unreasonable or oppressive 3. NSL can seek records relevant to protect against international terrorism or clandestine intelligence activities 4. Patriot Act originally included strict rules against recipient disclosing receipt of an NSL (see below). 2006 amendment to Patriot Act said that recipients are bound by confidentiality only if there's a finding by requesting agency of interference with criminal or counterterrorism investigation or for other listed purposes. Recipients could petition court to modify or end secrecy requirement. Recipients were allowed to disclose request to those necessary to comply with the request and to an attorney for legal assistance. 5. As of 2015, FBI now presumptively terminates NSL secrecy for an individual order when an investigation closes or no more than 3 years after full investigation opened.

Fourth Amendment

a. The 4th Amdt articulates many of the fundamental concepts used by privacy professionals in the U.S. SCOTUS stated that "the overriding function of the 4th Amdt to protect personal privacy and dignity against unwarranted intrusion by the State." Evidence obtained in violation of the 4th Amdt is subject to the "exclusionary rule" - the evidence can be excluded from a criminal trial. Olmstead v. US (1928): SCOTUS held no warrant was required for wiretaps conducted on telephone company wires outside of the suspect's building. 4th Amdt only protects home and other private spaces Katz v. US (1967): SCOTUS overruled Olmstead and held that warrantless wiretaps are unconstitutional searches, because there was a reasonable expectation that communication would be private. Reasonable expectation of privacy test. What a person knowingly exposes to the public, even in his own home or office, is not protected by 4th Amendment. [J. Brandeis] "There is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, the expectation is one that society recognizes as 'reasonable.'"[J. Marshall] [In Public Exception] US v Miller (1976): SCOTUS held that the 4th Amdt does not require a warrant for police to get a person's checking account records or the list of phone numbers a person has called. Information a person puts into hands of a 3rd party not protected by 4th Amdt. [Third Party Doctrine] Companies are permitted to turn over customer and employee records to the government (although statutory and other legal limits may apply). US v Jones (2012): Held that a warrant was needed when the police placed a GPS device on a car and tracked its location for over a month. Decision emphasized that the police had trespassed onto car when physically attached GPS device. Concurring opinions implied Constitutional limit on surveillance of "in public" activities, potential implications for 3rd party doctrine. Riley v California (2014): SCOTUS held that the contents of cell phone cannot be searched by law enforcement w/o a search warrant. Data on cell phone was quantitatively and qualitatively different than information in a physical container. Immense storage capacity of cell phones as well as ability to link to remote storage. Internet searches can reveal a person's interests, and location information can pinpoint individual's movement over time. Carpenter v US (2018): SCOTUS held that law enforcement officers must secure a warrant to access at least certain records held by third parties namely, cell site location information. Recent cases suggest SCOTUS seeking to update 4th Amdt doctrine to adapt to changing technology and may place further limits on 3rd party doctrine as it relates to digital data.

Compelled disclosure of media information:

a. Zurcher v Stanford Daily (1978) - SCOTUS held that valid search warrants "may be used to search any property" where there is probable cause to believe that evidence of a crime will be found. i. Privacy Protection Act of 1980 (PPA): Provides extra layer of protection for members of media and media organizations from government searches or seizures in the course of criminal investigation. 1. Applies to Disseminators of Info to the Public and protects work product and documentary materials from search warrants: Govt officials engaging in criminal investigations not permitted to search or seize media work product or documentary materials possessed by a person "reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication, in or affecting interstate or foreign commerce." 2. Government Agents Seeking Materials from Journalists and News Media organizations must do so by obtaining voluntary cooperation or a subpoena that may be contested in court rather than using search and seizure powers 3. But this does not affect the govt's ability to search for or seize such materials if · there is probable cause to believe that the person possessing the materials has committed or is committing the criminal offense to which the materials relate if the offense is not the receipt, possession, communication, or withholding of such materials or the information contained therein or · there is reason to believe that the immediate seizure of such materials is necessary to prevent the death of, or serious bodily injury to, a human being 4. PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities 5. PPA applies to government officers or employees at all levels of government. Applies only to criminal investigations, not to civil litigation. Several states provide additional protections. 6. Violation can lead to penalties of a minimum of $1,000, actual damages, and attorney's fees. 7. PPA was drafted to respond to police physical searches of traditional newspaper facilities. Going forward, courts may face claims that PPA is significantly broader, because disseminating "a public communication" may apply to blogs, other web publishing, and perhaps even social media.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act):

a. attacks of September 11, 2001 led to important changes to FISA, as part of the Patriot Act passed in the wake of attacks. i. Amended FISA and ECPA - Loosened requirements for surveillance of US persons suspected of terrorist activities ii. Created "roving" wiretaps - allowed investigators to get wiretap order against a person that was valid for any type of communication they engaged in, rather than requiring that the wiretap order specify the communications providers involved iii. Strengthened BSA rules against money laundering and required that banks take steps to make sure that they know who owns the funds stored in their accounts iv. Expanded definition of pen register/trap and trace beyond telephone numbers to include dialing, routing, addressing, or signaling info v. Expanded Use of National Security Letter (NSL) under FISA as investigative tool to secretly demand records from communication services provider - administrative subpoena that can be issued by FBI w/o involvement of a federal judge. Authority to issue NSL shifted from director of FBI to agents in charge of FBI field offices vi. Section 217: Law enforcement officer needs to have court order or some other lawful basis to intercept wire or electronic communications. Owner or operator of computer system can face penalties under ECPA for providing access to law enforcement without following legally mandated procedures. 1. Permits, but does not require, owner or operator of computer system to provide access in defined circumstances. For computer trespassers (i.e., hackers), law enforcement can now perform interceptions if: · The owner or operator of protected computer authorizes interception of computer trespasser's communications on the protected computer · The person acting under color of law is lawfully engaged in an investigation · The person acting under color of law has reasonable grounds to believe that contents of computer trespasser's communications will be relevant to the investigation o The interception does not require communications other than those transmitted vii. Section 215: Provides that federal court order can require production of records or any tangible items (including call detail records, books, other records, papers, documents or other items) related to terrorist investigation 1. Recipients of the order are prohibited from disclosing the existence or contents of the order 2. Disclosure of the order is permitted only to: persons necessary (e.g., employees who gather records) to comply with order and an attorney for purpose of receiving legal advice

The Cybersecurity Information Sharing Act of 2015 (CISA):

a. permits the federal government to share unclassified technical data and information with private sector about how networks have been attacked and how successful defenses against such attacks have been carried out. Specific provisions include: i. Authorizes sharing or receiving "cyberthreat indicators" or "defensive measures" between govt and private sector for a "cybersecurity purpose." ii. Requires redaction of PI not relevant to the threat before sharing. For sharing to qualify for protections under CISA, the company's actions must be done in accordance with certain requirements. For example, a company intending to share a "cyberthreat indicator" must first remove, or implement a "technical capacity" configured to remove, any information that is not directly related to a threat and that the company is aware at the time relates to a specific individual. iii. Sharing information with federal government does not waive privileges, such as attorney-client privilege. Importantly, there is no similar provision for sharing with state and local governments or other companies. iv. Shared information exempt from federal, state and local FOIA laws (i.e., laws "requiring disclosure of information or records)." v. Prohibition on government using shared information to regulate or take enforcement actions against lawful activities. Information shared under CISA "shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any non-Federal entity or any activities taken by a non-Federal entity pursuant to mandatory standards, including activities related to monitoring, operating defensive measures, or sharing cyberthreat indicators." The information may be used, however, to develop or implement new cybersecurity regulations. vi. Allows company to conduct security monitoring of its own info systems. Company is authorized to "monitor" and "operate defensive measures" on its own information system or, with written authorization, another party's system, for cybersecurity purposes. vii. Protection from legal liability for monitoring activities. However, no corresponding liability protection for operating defensive measures.

The Communications Assistance to Law Enforcement Act of 1994 (CALEA)

b. (Digital Telephony Bill): i. Scope: Does not add any new wiretapping authority. Requires telecommunications carriers to assist with implementation of authorized wiretaps. In 2005, FCC issued order that expanded scope of telecom services to providers of broadband internet access and VOIP services when interconnect with traditional phone services ii. Applies to phone companies and other common carriers, VoIP service providers and internet service providers iii. What it does: lays out the duties of defined actors in the telecom industry to cooperate with intercepting communications for law enforcement, and other needs relating to security and public safety. iv. Implemented by FCC

Access to Financial Data:

b. Disclosure to law enforcement prohibited unless statutory requirements met i. Right to Financial Privacy Act of 1978 (RFPA): passed after the Supreme Court held in Miller that 4th Amdt did not apply to checking accounts 1. Applies to disclosures by financial institutions: banks, credit card companies and consumer finance companies requested by federal agencies 2. For financial records of individuals and partnerships of fewer than 5 people. 3. No government authority can access or obtain copies of information contained in financial records of any consumer from a FI unless financial records are reasonably described and meet one of the following conditions: · customer authorization · administrative subpoena or summons (e.g., by a federal agency) · qualified search warrant (a showing of probable cause, specifying person to be seized, place to be searched and evidence being sought and signed by a neutral magistrate) · judicial subpoena or summons · formal written request from authorized gov authority for law enforcement 4. Notice: Agency must provide customer with written notice of government request for records and wait 10 days from service or 14 days from mailing to access the records. Customer has right to object to the disclosure in court. 5. Penalties: actual damages to the customer, punitive damages, and attorney's fees ii. Bank Secrecy Act of 1970 (BSA): "The Currency and Foreign Transaction Reporting Act" 1. Basis of the law: Targeted organized crime groups and others who used large cash transactions 2. What it does: Authorizes Treasury Secretary to issue regulations that impose extensive record-keeping and reporting requirements on FIs 3. Applies to any entities subject to supervision by state or federal bank supervisory authority (banks, securities brokers, casinos, card clubs, etc.) 4. Requirements: FI must keep records and file reports on certain financial transactions: · Currency Transaction Reports (CTR) - institution must report cash transactions totaling more than $10,000 in a single day o Exception: does not include credit secured by real property · Suspicious Activity Report (SAR) - institution must report suspected money laundering activity or attempts to deliberately avoid CTRs. (see below for more) · bank checks, drafts, cashier's checks, money orders, or travelers' checks for $3000 or more in currency o Must collect name, address and SSN of the purchaser; date of purchase; type of instrument, and serial numbers and dollar amounts of the instruments · Exceptions to records and reports requirements: o Funds governed by the Electronic Funds Transfer Act and o Transactions made through automated clearinghouses, ATMs or point of sale systems 5. Record Retention · Only those with "high degree of usefulness" · Must include: o Borrower's name and address o Credit amount o Purpose and date of credit · Such records may be maintained for 5 years · For deposit account records: o Depositor's taxpayer ID o Signature cards o Checks exceeding $100 6. Suspicious Activity Reports (SAR) · FI must file in certain situations. Alerts government to suspicious transactions · Must be filed with the U.S Department of Treasury's Financial Crimes Enforcement Network (Fincen) when: o FI suspects an insider committing crime regardless of dollar amount o entity detects crime involving $5000 and substantial basis for identifying suspect o entity detects crime involving $25,000 (no need for suspect) o entity detects currency transactions aggregating $5000 or more that involve potential money laundering 7. Violations · Civil Penalties including o fines up $25000 or the amount of the transaction (up to $100,000 max) o penalties for negligence ($500/violation). o penalties up to $5000 per day for failure to comply. o Penalties up to $25000 for failure to comply with info sharing requirements of the USA PATRIOT Act. o Penalties up to $1M for failure to comply with due diligence requirements · Fines for negligence, failure to comply with regulations, failure to comply with information sharing requirements, failure to comply with due diligence requirements · Criminal Penalties include up to $100,000 fine and/or 1 year imprisonment and up to $10,000 fine and/or 5 year imprisonment.

Access to Communications

b. From strictest to most permissive, federal law has different rules for (1) telephone monitoring and other tracking of oral communications, (2) privacy of electronic communications, and (3) video surveillance, for which there is little applicable law. Federal law is also generally stricter for real-time interception of a communication than retrieval of a stored record. In each area, states may have statutes that apply stricter rules. Potential state law claims for invasion of privacy or other common-law claims when monitoring is offensive to a reasonable person. i. Wiretaps: federal law generally strict in prohibiting wiretaps of phone calls - requires probable cause and search warrant plus alternative means of getting the evidence have been exhausted. Exceptions: Interception is permitted if the party to the call or if one of the parties has given consent and where companies intercept in the ordinary course of business ii. Electronic Communications Privacy Act (ECPA): passed after SCOTUS held that 4th Amdt did not apply to phone numbers called. Protects wire, oral, and electronic communications while those communications are made, in transit, and stored on computers. The Act applies to email, telephone conversations, and data stored electronically. ECPA included amendments to the Wiretap Act (Omnibus Crime Control and Safe Streets Act), created the Stored Communications Act, and created the Pen Register Act. ECPA prohibits US service providers from disclosing content of communications to law enforcement except through a warrant or an appropriate request through another mechanism. 1. Wiretap Act: concerns interception of electronic and wire communications, which include "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection" - any oral conversation where person has no expectation that 3rd party is listening. Covers communications while made/in transit. · Prohibitions: o wiretapping and electronic eavesdropping, possession of wiretapping or electronic eavesdropping equipment, and use or disclosure of information unlawfully obtained through wiretapping or electronic eavesdropping o intentionally intercepting or attempting to intercept a wire, oral or electronic communication by using any electronic, mechanical or other device - electronic device must be used to perform surveillance; mere eavesdropping with unaided ear not illegal under ECPA o disclosing information so obtained if person has reason to know was obtained illegally through interception of a wire, oral, or electronic communication · Exceptions: o interception authorized by statute for law enforcement purposes o consent of at least one of the parties is given - some states require consent of all parties o individual record's own conversation without violating federal law 2. E-mails and Stored records: Stored Communications Act (SCA): addresses access to stored communications at rest, which primarily means e-mails that are not in transit. · Prohibits unauthorized acquisition, alteration, or blocking of electronic communications while electronically stored in a facility through which electronic communications service is provided · Exceptions for law enforcement access and user consent · Employer cannot access employee's private e-mails unless consent is given (e.g., employment contract that explicitly authorizes employer to access e-mails) · Violations can lead to criminal penalties or a civil lawsuit · State laws may protect emails. Delaware prohibits employers from monitoring or intercepting phone conversation or transmission, email or transmission or internet access or usage w/o prior written notice and daily electronic notice. Connecticut requires employer who engages in electronic monitoring to give prior written notice to all employees and post notice of types of electronic monitoring in conspicuous place. 3. Pen registers (communications metadata): Pen Register Act covers pen registers/trap and trace. Pen registers are surveillance devices that capture phone numbers dialed on outgoing phone calls; trap and trace devices capture numbers identifying incoming calls. Not supposed to reveal content of communications or identify parties to a communication or whether a call was connected - only that one phone dialed another phone. Smith v Maryland: SCOTUS held that a pen register is not a search because "petitioner voluntarily conveyed numerical information to phone company." Court did not distinguish between disclosing numbers to human operator or just automatic equipment used by phone company. Left pen registers completely outside constitutional protection. No reasonable expectation of privacy in the information because telecom company has ready access to it. · Standard for the government to obtain a pen/trap order is much lower than that required for a wiretap - must only be "relevant to an ongoing criminal investigation" · In context of phone calls, pen registers display outgoing number and incoming number. · USA Patriot Act expanded beyond phone numbers to include "dialing, routing, addressing, or signaling information" transmitted to or from a device or process. · Because e-mail subject lines contain content, pen registers in e-mails must include sender and addressee but NOT any part of subject line (per revisions in the USA Patriot Act) · USA Freedom Act prohibits use of pen registers and trap and trace orders for bulk collection and restricts use to circumstances where there are specific selectors, such as email address or phone number · IP addresses and port numbers associated with communication are allowed · Prohibits installation or use of any device (including software) that serves as a pen register or trap and trace 4. CalECPA: No California government entity can search phones and no police officer can search accounts without: · Permission from a judge · Obtaining consent · Showing it is an emergency