Original URL: http://www.theregister.co.uk/2007/11/04/4th-amendment_email_privacy/

No email privacy rights under Constitution, US gov claims

You pronounce it 'sä-fə-strē'

By Mark Rasch

Posted in Government, 4th November 2007 12:02 GMT

On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government's request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. At issue is whether the procedure whereby the government can subpoena stored copies of your email - similar to the way they could simply subpoena any physical mail sitting on your desk - is unconstitutionally broad.

This appears to be more than a mere argument in support of the constitutionality of a Congressional email privacy and access scheme. It represents what may be the fundamental governmental position on Constitutional email and electronic privacy - that there isn't any. What is important in this case is not the ultimate resolution of that narrow issue, but the position that the United States government is taking on the entire issue of electronic privacy. That position, if accepted, may mean that the government can read anybody's email at any time without a warrant.

What is Privacy?

In a seminal case (Katz v. United States in 1963) the US Supreme Court, over the strenuous objections of the US government, upheld the right of the user of a payphone to claim a right to privacy in the contents of those communications. The Court held that the Fourth Amendment right to be secure in your "persons, house, places and effects" against unreasonable searches and seizures protected people, not just places. Thus, to determine whether you had a right against unreasonable seizure - a kind of privacy right - the court adopted a two-pronged test: did you think what you were doing was private and is society willing to accept your belief as objectively reasonable?

The method you use to communicate can effect both your subjective expectation of privacy and society's willingness to consider that expectation as "reasonable." Shouting a "private" conversation into a megaphone at Times Square would neither be subjectively nor objectively reasonable, if you wanted the conversation to be confidential. "Broadcasting" the conversation over the radio is likewise unreasonable.

But, what about "broadcasting" it over an unsecured Wi-Fi router, analog cell phone, or cordless telephone? While certain statutes may make the interception of such communications unlawful, absent such statutes is there a Constitutional prohibition on listening in? Put more narrowly, if the cops listen in on your baby monitor, do they violate your "right to privacy," or do you give up your right by knowingly putting the monitor in little Timmy's room in the first place?

Partial Waiver

Do you have a "reasonable expectation of privacy" in the contents of email you send and receive at work, using a work computer, over a company supplied network, where the company has a "business use only" policy, and an employee monitoring policy that states that any communications may be monitored? Think about it. Indeed, the policy will go further and says "users have no expectation of privacy." But is this true? Or, is it even a good idea?

Remember Katz? The Constitution only protects reasonable expectations of privacy. If you have no reasonable expectation of privacy in your email, then the examination of the contents of your email by anyone for any purposes is not an invasion of privacy and raises no Fourth Amendment concerns.

What you really mean in your policy is that your employer (your supervisor, the IT staff, HR, legal, etc.) may examine the contents of your e-mail for legitimate reasons and if they choose to, disclose the contents to whatever third parties they deem reasonable. Fair enough. But, it also means that you can't read your bosses' email or your co-workers' email, just because you are curious. Why not? Because they have an "expectation of privacy" in their email.

Privacy is not like virginity - you either have it or you don't. You can have privacy rights with respect to some uses by some people and not with respect to other uses by other people. Right? Well, not according to the government.

No Constitutional Privacy

In arguing that the government did not necessarily need a wiretap order to obtain the contents of Mr. Warshak's email from his ISP, the government argued that the Fourth Amendment did not preclude a mere subpoena because users of ISPs don't have a reasonable expectation of privacy. The government argued:

... any expectation of privacy can be waived [citing case holding that a privacy disclaimer on a bulletin board "defeats claims to an objectively reasonable expectation of privacy."] Many employees are provided with e-mail and Internet services by their employers. Often, those employees are required to waive any expectation of privacy in their email each time they log on to their computers. [Court] orders directed to the email of employees who have waived any possible expectation of privacy do not violate the Fourth Amendment.

Now, we are not talking about cases where the employer reads someone's email and decides to give it to the government, or where the employer consents to the search by the FBI. Essentially, the Justice Department is arguing that when you give up your privacy rights in an e-mail policy vis-a-vis your employer, you waive any Constitutional claim to privacy if the government decides to just take it - even without the knowledge or consent of the employer. Once you give up privacy in an email policy, the game is over. Since the Fourth Amendment only protects legitimate privacy rights, and you have no privacy in email, theoretically (absent a statute that prohibits it) the government could constitutionally walk in and just take anyone's files.

Wow.

But then the government goes on: they note "some email accounts are abandoned, as when an account holder stops paying for the service and the account is cancelled." There "can be no reasonable expectation of privacy in such accounts." Oh really? So if I decide not to keep paying Comcast, then not only to I potentially lose Internet service, but the government can then read every email I ever wrote or received? Better pay the bill, then. When I terminate my service, I am terminating my right of use - not "abandoning" my privacy rights. A few years ago, when an US soldier was killed in Fallujah, Yahoo had to decide whether his parents could legally access the email in his account, an account that Yahoo's policy terminated at the soldier's death. The case was resolved with a consented to court order allowing such access, but the government's argument would be that when you die your account terminates and your email is up for grabs. In other words, don't die with email in your account and don't get any email after you die.

The government again goes on:

... hackers may obtain internet services and email accounts using stolen credit cards. Hackers maintain no reasonable expectation of privacy in such accounts.

So the privacy of your communications may be determined by the legitimacy of the method by which you pay for such communications? Bounce a check to the phone company and the government can listen in to your phone calls? Or buy a cell phone with a stolen credit card, and the government can read your text messages?

The most distressing argument the government makes in the Warshak case is that the government need not follow the Fourth Amendment in reading emails sent by or through most commercial ISPs. The terms of service (TOS) of many ISPs permit those ISPs to monitor user activities to prevent fraud, enforce the TOS, or protect the ISP or others, or to comply with legal process. If you use an ISP and the ISP may monitor what you do, then you have waived any and all constitutional privacy rights in any communications or other use of the ISP. For example, the government notes with respect to Yahoo! (which has similar TOS):

Because a customer acknowledges that Yahoo! has unlimited access to her email, and because she consents to Yahoo! disclosing her email in response to legal process, compelled disclosure of email from a Yahoo! account does not violate the Fourth Amendment.

The government relied on a Supreme Court case where a bank customer could not complain when the government subpoenaed his cancelled checks from the bank itself and where the Court noted:

The checks are not confidential communications but negotiable instruments to be used in commercial transactions. All of the documents obtained, including financial statements and deposit slips, contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.

In essence, the government is arguing that the contents of your emails have been voluntarily conveyed to your ISP and that you therefore have no privacy rights to it anymore. In a previous proceeding in Warshak, the government went even further, arguing that automated spam filters, antivirus software, and other automated processes that examine the contents of your email, establish that you cannot possibly expect your communications to be private.

What is silly about this is the fact that, at least for the government, the argument is unnecessary. The Fourth Amendment protects against "unreasonable" invasions of privacy interests. The government could effectively argue that, by obtaining a subpoena or other court order for the records which are relevant to a legitimate investigation, the search or seizure is reasonable, and therefore comports with the Fourth Amendment. All subpoenas and demands for documents infringe some privacy interest, and unless overbroad, they are generally reasonable. The statute which permits government access to stored communication pursuant to a mere subpoena may likewise be perfectly reasonable and may withstand constitutional scrutiny. But that doesn't mean that the Constitution doesn't apply.

No, the government is seeking to eliminate any Constitutional privacy interest in email. Under this standard, if the FBI walked into your employer or ISP, and simply took your email (no warrant, no court order, no probable cause, no nothing), you would have no constitutional argument about the seizure, because you had abandoned your expectation of privacy. This appears to be more than a mere argument in support of the constitutionality of a Congressional email privacy and access scheme. It represents what may be the fundamental governmental position on Constitutional email and electronic privacy - that there isn't any.

And that, frankly, scares me.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and specializes in computer crime, computer security, incident response, forensics and privacy matters as Managing Director of Technology for FTI Consulting, Inc.