[Infowarrior] - No email privacy rights under Constitution, US gov claims

[Richard Forno]

Original URL: 
http://www.theregister.co.uk/2007/11/04/4th-amendment_email_privacy/
No email privacy rights under Constitution, US gov claims
By Mark Rasch, SecurityFocus
Published Sunday 4th November 2007 12:02 GMT

On October 8, 2007, the United States Court of Appeals for the Sixth Circuit
in Cincinnati granted the government's request for a full-panel hearing in
United States v. Warshak case centering on the right of privacy for stored
electronic communications. At issue is whether the procedure whereby the
government can subpoena stored copies of your email - similar to the way
they could simply subpoena any physical mail sitting on your desk - is
unconstitutionally broad.

This appears to be more than a mere argument in support of the
constitutionality of a Congressional email privacy and access scheme. It
represents what may be the fundamental governmental position on
Constitutional email and electronic privacy - that there isn't any. What is
important in this case is not the ultimate resolution of that narrow issue,
but the position that the United States government is taking on the entire
issue of electronic privacy. That position, if accepted, may mean that the
government can read anybody's email at any time without a warrant.
What is Privacy?

In a seminal case (Katz v. United States in 1963) the US Supreme Court, over
the strenuous objections of the US government, upheld the right of the user
of a payphone to claim a right to privacy in the contents of those
communications. The Court held that the Fourth Amendment right to be secure
in your "persons, house, places and effects" against unreasonable searches
and seizures protected people, not just places. Thus, to determine whether
you had a right against unreasonable seizure - a kind of privacy right - the
court adopted a two-pronged test: did you think what you were doing was
private and is society willing to accept your belief as objectively
reasonable?

The method you use to communicate can effect both your subjective
expectation of privacy and society's willingness to consider that
expectation as "reasonable." Shouting a "private" conversation into a
megaphone at Times Square would neither be subjectively nor objectively
reasonable, if you wanted the conversation to be confidential.
"Broadcasting" the conversation over the radio is likewise unreasonable.

But, what about "broadcasting" it over an unsecured Wi-Fi router, analog
cell phone, or cordless telephone? While certain statutes may make the
interception of such communications unlawful, absent such statutes is there
a Constitutional prohibition on listening in? Put more narrowly, if the cops
listen in on your baby monitor, do they violate your "right to privacy," or
do you give up your right by knowingly putting the monitor in little Timmy's
room in the first place?
Partial Waiver

Do you have a "reasonable expectation of privacy" in the contents of email
you send and receive at work, using a work computer, over a company supplied
network, where the company has a "business use only" policy, and an employee
monitoring policy that states that any communications may be monitored?
Think about it. Indeed, the policy will go further and says "users have no
expectation of privacy." But is this true? Or, is it even a good idea?

Remember Katz? The Constitution only protects reasonable expectations of
privacy. If you have no reasonable expectation of privacy in your email,
then the examination of the contents of your email by anyone for any
purposes is not an invasion of privacy and raises no Fourth Amendment
concerns.

What you really mean in your policy is that your employer (your supervisor,
the IT staff, HR, legal, etc.) may examine the contents of your e-mail for
legitimate reasons and if they choose to, disclose the contents to whatever
third parties they deem reasonable. Fair enough. But, it also means that you
can't read your bosses' email or your co-workers' email, just because you
are curious. Why not? Because they have an "expectation of privacy" in their
email.

Privacy is not like virginity - you either have it or you don't. You can
have privacy rights with respect to some uses by some people and not with
respect to other uses by other people. Right? Well, not according to the
government.
No Constitutional Privacy

In arguing that the government did not necessarily need a wiretap order to
obtain the contents of Mr. Warshak's email from his ISP, the government
argued that the Fourth Amendment did not preclude a mere subpoena because
users of ISPs don't have a reasonable expectation of privacy. The government
argued:

    ... any expectation of privacy can be waived [citing case holding that a
privacy disclaimer on a bulletin board "defeats claims to an objectively
reasonable expectation of privacy."] Many employees are provided with e-mail
and Internet services by their employers. Often, those employees are
required to waive any expectation of privacy in their email each time they
log on to their computers. [Court] orders directed to the email of employees
who have waived any possible expectation of privacy do not violate the
Fourth Amendment.

Now, we are not talking about cases where the employer reads someone's email
and decides to give it to the government, or where the employer consents to
the search by the FBI. Essentially, the Justice Department is arguing that
when you give up your privacy rights in an e-mail policy vis-a-vis your
employer, you waive any Constitutional claim to privacy if the government
decides to just take it - even without the knowledge or consent of the
employer. Once you give up privacy in an email policy, the game is over.
Since the Fourth Amendment only protects legitimate privacy rights, and you
have no privacy in email, theoretically (absent a statute that prohibits it)
the government could constitutionally walk in and just take anyone's files.

Wow.

But then the government goes on: they note "some email accounts are
abandoned, as when an account holder stops paying for the service and the
account is cancelled." There "can be no reasonable expectation of privacy in
such accounts." Oh really? So if I decide not to keep paying Comcast, then
not only to I potentially lose Internet service, but the government can then
read every email I ever wrote or received? Better pay the bill, then. When I
terminate my service, I am terminating my right of use - not "abandoning" my
privacy rights. A few years ago, when an US soldier was killed in Fallujah,
Yahoo had to decide whether his parents could legally access the email in
his account, an account that Yahoo's policy terminated at the soldier's
death. The case was resolved with a consented to court order allowing such
access, but the government's argument would be that when you die your
account terminates and your email is up for grabs. In other words, don't die
with email in your account and don't get any email after you die.

The government again goes on:

    ... hackers may obtain internet services and email accounts using stolen
credit cards. Hackers maintain no reasonable expectation of privacy in such
accounts.

So the privacy of your communications may be determined by the legitimacy of
the method by which you pay for such communications? Bounce a check to the
phone company and the government can listen in to your phone calls? Or buy a
cell phone with a stolen credit card, and the government can read your text
messages?

The most distressing argument the government makes in the Warshak case is
that the government need not follow the Fourth Amendment in reading emails
sent by or through most commercial ISPs. The terms of service (TOS) of many
ISPs permit those ISPs to monitor user activities to prevent fraud, enforce
the TOS, or protect the ISP or others, or to comply with legal process. If
you use an ISP and the ISP may monitor what you do, then you have waived any
and all constitutional privacy rights in any communications or other use of
the ISP. For example, the government notes with respect to Yahoo! (which has
similar TOS):

    Because a customer acknowledges that Yahoo! has unlimited access to her
email, and because she consents to Yahoo! disclosing her email in response
to legal process, compelled disclosure of email from a Yahoo! account does
not violate the Fourth Amendment.

The government relied on a Supreme Court case where a bank customer could
not complain when the government subpoenaed his cancelled checks from the
bank itself and where the Court noted:

    The checks are not confidential communications but negotiable
instruments to be used in commercial transactions. All of the documents
obtained, including financial statements and deposit slips, contain only
information voluntarily conveyed to the banks and exposed to their employees
in the ordinary course of business.

In essence, the government is arguing that the contents of your emails have
been voluntarily conveyed to your ISP and that you therefore have no privacy
rights to it anymore. In a previous proceeding in Warshak, the government
went even further, arguing that automated spam filters, antivirus software,
and other automated processes that examine the contents of your email,
establish that you cannot possibly expect your communications to be private.

What is silly about this is the fact that, at least for the government, the
argument is unnecessary. The Fourth Amendment protects against
"unreasonable" invasions of privacy interests. The government could
effectively argue that, by obtaining a subpoena or other court order for the
records which are relevant to a legitimate investigation, the search or
seizure is reasonable, and therefore comports with the Fourth Amendment. All
subpoenas and demands for documents infringe some privacy interest, and
unless overbroad, they are generally reasonable. The statute which permits
government access to stored communication pursuant to a mere subpoena may
likewise be perfectly reasonable and may withstand constitutional scrutiny.
But that doesn't mean that the Constitution doesn't apply.

No, the government is seeking to eliminate any Constitutional privacy
interest in email. Under this standard, if the FBI walked into your employer
or ISP, and simply took your email (no warrant, no court order, no probable
cause, no nothing), you would have no constitutional argument about the
seizure, because you had abandoned your expectation of privacy. This appears
to be more than a mere argument in support of the constitutionality of a
Congressional email privacy and access scheme. It represents what may be the
fundamental governmental position on Constitutional email and electronic
privacy - that there isn't any.

And that, frankly, scares me.

This article originally appeared in Security Focus
(http://www.securityfocus.com/columnists/456).

Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)

Mark D. Rasch, J.D., is a former head of the Justice Department's computer
crime unit, and specializes in computer crime, computer security, incident
response, forensics and privacy matters as Managing Director of Technology
for FTI Consulting, Inc.