April 19, 2014

Email Protected by 4th Amendment, Court Says

The Sixth Circuit Court of Appeals ruled yesterday, in Warshak v. U.S., that people have a reasonable expectation of privacy in their email, so that the government needs a search warrant or similar process to access it. The Court’s decision was swayed by amicus briefs submitted by EFF and a group of law professors.

When Alice sends an email to Bob, the email will be stored, for a while at least, on an email server run by Bob’s email provider. Depending on how Bob uses email, the message may sit on the server just until Bob’s computer picks up mail (which happens every few minutes when Bob is online), or Bob may store his long-term email archive on the server. Either way the server, which is typically run by Bob’s ISP, will have a copy of the email and will have the ability to access its contents.

The key question in Warshak was whether, notwithstanding the ISP’s ability to read his mail, Bob still has a reasonable expectation of privacy in the email. This matters because certain Fourth Amendment protections apply where there is a reasonable expectation of privacy. The government had used a certain kind of order authorized by the Stored Communications Act to compel Warshak’s ISP to turn over Warshak’s email without notifying Warshak. Warshak argued that that was improper and the government should have been required to get a search warrant.

The key to the Court’s ruling is an analogy, offered by the amici, between email and phone calls. The phone company has the ability to listen to your calls, but courts ruled long ago that there is a reasonable expectation of privacy in the content of phone calls, so that the government cannot eavesdrop on the content of calls without a warrant. The Court accepted that email is like a phone call, for privacy purposes at least, and the ruling essentially followed from this analogy.

This is not a general ruling that warrants are required to access electronic records held by third parties. The Court’s reasoning depended on the particular attributes of email, and even on the way these particular ISPs handled email. If the ISP’s employees regularly looked at customer email in the ordinary course of business, or if there was a written agreement giving the ISP broad latitude to look at email, the Court might have found differently. Warshak had a reasonable expectation of privacy in his email, but you might not. (Randy Picker has an interesting commentary on Warshak in relation to online records held by third parties.)

Interestingly, the Court drew a line between inspection of email by computer programs, such as virus or spam checkers, and inspection by a person. The Court found that automated analysis of email did not erode the reasonable expectation of privacy, but routine manual inspection of email would erode it.

Pragmatically, a ruling like this is only possible because email has become a routine part of life for so many people. The analogy to phone calls, and the unquestioned assumption that people value the privacy of email, are both easy for judges who have gotten used to the idea of email. Ten years ago this could not have happened. Ten years from now it will seem obvious.

Orin Kerr, who is expert in this area of the law, thinks this ruling is at higher than usual risk of being invalidated on appeal. That may be the case. But it seems to me that the long-term trend is toward treating email like phone calls, because that is how people think of it. The government may win this battle on appeal, but they’re likely to lose this point in the long run.

Comments

  1. Randy Picker says:

    I discuss this as an example of the issues associated with regulating the cloud–the data that we store remotely. See http://uchicagolaw.typepad.com/faculty/2007/06/regulating_the_.html

    [I updated the main post to point to this. -- Ed]

  2. Ned Ulbricht says:

    IIUC, broad, popular use of end-to-end encryption for email—prototypically PGP—has been held back primarily by user interface issues. The various UIs have proven too difficult for most people to use, given their perception of the risk to their privacy.

    I’m not familiar with any study that’s separated the human-computer interaction (HCI) problems into a) difficulties with encryption/decryption; and b) difficulties with the PGP/GPG “web of trust”. I think that boundary is worth a closer look.

    Because, on the whole, imho, no matter what ordinary users perceive subjectively as a reasonable expectation of privacy in email, the only reasonable objective assurance of privacy must be based on end-to-end encryption.

    Elsewhere, in the context of this case (Warshak), I read a commenter’s query whether there was a market for email that does not store intermediate copies. To me, that indicated a fundamental misunderstanding of a “store-and-forward” messaging system—the commenter was probably a lawyer. While the internet email transport makes no guarantees of reliability, nevertheless it’s designed to achieve mostly reliable operation: The receiving SMTP server SHOULD write the incoming message to persistent storage before it indicates receipt of the message to the sending SMTP.

    A hop-by-hop, store-and-forward messaging system really needs an end-to-end encryption layer over it.

    Of course, my comment here has sorta side-stepped the issue of privacy in messages sent over an asynchronous service after receipt by the final destination. And that does seem to be one of the issues the court considered in this case, albeit without really separating the analysis from privacy during transport.

  3. paul says:

    It’s not just the user interfaces that have made encryption rare. There’s still a certain amount of hangover from the crypto wars that discourages vendors from building it in as a matter of course, and there are also still some serious issues of key-distribution infrastructure. (We know how to do that with reasonable safety and efficiency in limited cases, but not nearly for the whole world of email senders as it exists now.)

  4. Jon says:

    So basically all the ISPs that bury the phrase “no expectation of privacy” into their TOS don’t have to follow the ruling. Great, I think most of them have it in there somewhere.

  5. Alex says:

    Maybe not. If it’s a discussion of the ISP handing over the emails, the phone company analogy is probably extensible. You have almost as little choice in ISP in most areas as you have in phone service providers. And those phone companies can’t slip in a “we can listen to you” provision into your agreement. Now, with non-ISP email providers, the story could be a bit different–there’s far more choice and detailed privacy policies, and consumers could use a service that promises more privacy over one that promises less. But it’s still dangerous territory to think that you’re covered legally by whatever you slip into the EULA/ToS that no one reads.

  6. Ned Ulbricht says:

    IMAP and various webmail services have taught that users desire the capability to store messages in the “network cloud”. As a simple user-visible network service, a remote file store for use by a single user is conceptually quite distinguishable from a remote, world-writable file appending service (hint: think basic abstract email service).

    In practice, though, once a message has been appended to a user’s inbox, it seems pretty much just as convenient to leave it there for subsequent retrievals. And, even if the message is written to another store, and deleted from the world-writable inbox, it seems convenient to carry out those operations solely on the server.

    Yet, a remote file store for use by a single user doesn’t have the difficult key distribution problems.

    If we were just going to hand-wave a design in air, then given the cost of bandwidth today, it might seem reasonable to accept a message from the email system at any user-controlled endpoint, then (re-)encrypt it before delivering it to a remote storage service. But, especially with webmail services today, users don’t actually have a convenient interface to a secure message storage service. And, it seems hard to think of an incentive for most ISPs to provide one.

  7. Joe says:

    I’m wondering if this test could be applied to SMS text messages in that the wireless carriers (or the law) should not be able to monitor the contents of a text message.

  8. MathFox says:

    Joe, if you read the legal argument, you can replace email with SMS text messages and the argument fits. Wireless carriers don’t routinely read SMS messages, so you have a reasonable expectation of privacy.
    Note that phone companies have the technical capabilities to listen in on your conversations and may do so accidentally during maintenance activities. The technician listening in is expected to respect your privacy and should not disclose the content of any overheard conversation.

  9. nandaisthegirl@yahoo.com.br says:
  10. Spudz says:

    Why has the average IQ of the readership of this blog apparently imploded?