The Fourth Circuit’s recent decision in United States v. Lowers crystalizes two key Trust & Safety issues for providers. Lowers primarily holds that even when a user agrees to terms of service that permit a provider to scan user-stored content, the Fourth Amendment still applies as to government access of that content.
The opinion also includes an important footnote for Trust & Safety teams clarifying that federal reporting obligations for child sexual abuse material (CSAM) should be read broadly. The footnote should help shut down a more recent effort to narrow providers’ reporting discretion in child safety matters.
Provider Access Via Terms of Service ≠ Government Access
Lowers arose from a familiar set of facts. Google identified suspected CSAM through hash matching and made a report to the National Center for Missing and Exploited Children (NCMEC), which eventually led to a criminal prosecution. The defendant argued that law enforcement violated the Fourth Amendment by opening files from his Google Drive without a warrant and moved to suppress.
On that issue, the Fourth Circuit largely agreed. It rejected the argument that Google’s terms, which advised users that Google may scan their stored content to detect abuse or illegal activity, eliminated any reasonable expectation of privacy. Rather, the court held, while those terms may diminish a user’s privacy expectations, they don’t eliminate those expectations altogether, particularly as to law enforcement access.
Terms of service commonly reserve broad rights for providers to monitor, scan, or review user content for safety and enforcement purposes. But Lowers means providers can’t rely on their terms of service when producing content to law enforcement. Instead, the government still must obtain the necessary legal process—usually a warrant.
Accordingly, the Court held, the government’s warrantless opening of the files was an unlawful search. The defendant’s conviction was still affirmed, but only because the evidence was later discovered through intervening steps too attenuated from the unlawful search to justify suppression. (The Fourth Circuit’s holding aligns it with the Second and Ninth Circuits and against the Fifth and Sixth, which have reached the opposite conclusion.)
Federal reporting laws apply broadly
Lowers opinion also contains a footnote that cuts off an argument that had begun to be tested in litigation.
Federal law requires providers to report “apparent” violations of child exploitation laws to NCMEC when they obtain “actual knowledge” of them. 18 U.S.C. § 2258A(a)(2)(A). Congress paired this reporting obligation with broad immunity that protects providers from liability for reports except in extreme cases such as intentional misconduct or actual malice. 18 U.S.C. § 2258B(a), (b). The laws’ straightforward structure reflects Congress’ clear intent that providers broadly escalate suspected CSAM to NCMEC, without holding back potentially important tips due to the risk of liability for getting close calls wrong.
For a long time, that basic point did not seem controversial. Providers understood that “apparent” meant they didn’t need to conclusively determine age before reporting, and NCMEC and law enforcement understood that providers’ reports were bases for further investigation.
More recently, though, some litigants have tried to recast “apparent” as meaning only obvious, undeniable, or unmistakable CSAM. This interpretation is hard to square with the statutory scheme. Providers operate at scale and inevitably must decide whether to report images that are age-difficult or otherwise uncertain. If immunity only extends to reports of “obvious” CSAM, it undercuts Congress’ intent to increase the flow of information to NCMEC and law enforcement. See United States v. Richardson, 607 F.3d 357, 367 (4th Cir. 2010). That framework depends on protecting good-faith reports, including mistaken ones.
The Fourth Circuit addressed that issue directly in Footnote 3. The court explained that because Section 2258A is meant to cast a wide net, “apparent” includes not only clear depictions of CSAM, but also depictions that may or may not actually be CSAM but appear to be. That is the right reading of the statute, and it is helpful to see it stated so plainly in a published appellate opinion. Even successful defenses against claims based on the narrower reading would cost time and expense that contravene Congress’ intent in establishing broad immunity.
Takeaways
Lowers provides more clarity on providers’ Trust & Safety rights and responsibilities—both of which ultimately prioritize user safety.
Its principal holding confirms that terms of service reserving broad provider access rights don’t carry over to law enforcement. Lowers represents another reason that providers must make sure law enforcement provides correct legal process, before producing any user content. And its footnote reinforces that providers should broadly report suspected CSAM to NCMEC, even where the exact age of a depicted victim is not obvious. But providers should also be mindful of the circuit split. The Fourth Circuit’s conclusions are now in tension with the Fifth and Sixth Circuits. Until the Supreme Court resolves the conflict, outcomes for providers involved in CSAM investigations may turn on where the case is brought.