ISP Data and Search Warrants

With the nearly universal use of social media across the United States, it is inevitable that, during the course of criminal investigations, an investigator will need access to various social media or email accounts. It is well known and well documented that suspects in criminal cases use social media for a variety of things. Social media platforms like Facebook and Instagram are occasionally the “meeting places” where people will conspire to commit crimes. These sites are also often where criminals will go to boast about the crimes they have committed – even going so far as to post pictures or videos of the crimes being committed. Social media platforms can also be used as the instrument by which crimes like harassment, cyberbullying, stalking and distribution of child pornography are perpetrated.

When any of these instances occur, an investigator needs to gain access to the records of the social media or email account. This can be done by submitting a subpoena for the records, which is frequently challenged in court or subject to extensive delays by the ISP (Internet Service Provider). Investigators can also access this information by the issuance of a search warrant to the ISP for the records, which may contain evidence of the crimes that have allegedly been committed. Some investigators and judges may be reluctant to issue such search warrants because they believe that they do not have the jurisdiction to issue them, since the ISP is geographically located outside of the local or state court’s jurisdiction.

In spite of this geographical difference, local and state courts have been granted the authority to issue search warrants for the records of Facebook (or other social media or email accounts) by the United States Congress. These various laws allow not only for the issuance of search warrants to ISPs physically located outside of the court’s jurisdiction, but also for the issuance of orders to the ISPs to withhold notification to the end user of the existence of any search warrants that may be issued for that specific user’s account history. The following sections of the US Code explain how this was handled:

18 U.S. Code § 2510 and § 2711 give the definitions of who and what are covered by the particular laws (specifically 18 U.S. Code § 2703) that allow the issuance of search warrants. A remote computing service (also called an ISP), which is the recipient of the search warrant, is defined as “the provision to the public of computer storage or processing services by means of an electronic communications system.” This section also defines the courts that have “competent jurisdiction” as “any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that … has jurisdiction over the offense being investigated” [2711(3)(A)(i)].

This means that the 41st Judicial District Court in New Orleans, LA can, in fact, issue a search warrant for the account history and any relevant records for a Facebook account that is “housed” in Menlo Park, CA. In fact, Facebook attempted to fight the issuance of search warrants for user data in 2014, only to be threatened with criminal contempt of court if they failed to comply with the search warrants that were involved in an ongoing criminal investigation (civil matters are a separate issue altogether). As with most things, including tax policy, these laws are based on the very real fact that the ISP is being used within the physical jurisdiction of the issuing court, and therefore also falls under the legal jurisdiction of the same court. Failure to make this distinction would allow criminals to hide their activities “online”, outside of the reach of legitimate law enforcement efforts which are being exercised under proper judicial oversight.

18 U.S. Code § 2705 also grants the courts the right to order ISPs to withhold disclosure of such search warrants from their users for a period of time, usually between 30 and 90 days. There are provisions where, under exceptional circumstances, this notification can be precluded. This also means that either within the body of a search warrant or with the addition of a separate order, the court can order an ISP to delay the notification of a user that their account’s data. This is specifically to prevent a suspect from obstructing an ongoing investigation through the destruction of data, a change in behavior, the intimidation of witnesses or flight from law enforcement.

All of these updates to the US Code mean that suspects cannot hide criminal behavior behind the geographic location of an electronic application. All ISPs that do business or have users in YOUR jurisdiction are subject to duly authorized and approved search warrants, just like a house, store or bank would be. In fact, many ISPs, like Facebook, have set up entire departments that handle records and data requests from law enforcement. Do not let the physical location of an ISP keep you from pursuing your criminal investigations in the direction that the evidence leads.