There’s an important e-mail privacy dispute brewing in Colorado: DOJ and Yahoo are clashing in court on the ground that the Ninth Circuit covered in its very weird opinion in Theofel v. Farey-Jones (2004), on whether the federal privacy law known as the Stored Communications Act allows the government to compel opened e-mail from an ISP with less process than a probable cause warrant. You can find Declan McCullagh’s news report here, and the briefs here.
This is big news, and not just because it was mentioned on the Drudge Report. DOJ and some of the ISPs have been disagreeing about this issue quietly for years. What makes this case unusual is that the two sides have decided to litigate it in open court. Assuming the parties are litigating this for keeps, it should at least work its way up to the Tenth Circuit. Further, the decision might very well create a split or invalidate a federal statute in a way that prompts Supreme Court review. So stay tuned: This is an important case to watch.
My own view on the law here is a bit nuanced. On one hand, I think Theofel was wrong as a matter of statutory construction. The statute does in fact allow it DOJ to compel the opened e-mail with less than a warrant, for reasons explored in this article. On the other hand, I think that it will usually violate the Fourth Amendment to compel e-mail with less than a warrant, so the statute that allows this is unconstitutional, for reasons explored in this article. (The final version of the article, out in a week or two, has a more detailed analysis of the unconstitutionality of this aspect of the statute than did the draft of it.) So I think DOJ is right as a matter of statutory interpretation, but Yahoo is right about the Constitution.
PeteP says:
To draw the distinction between ‘opened’ and ‘unopened’ email is insane. It requires the assumption that when you read your own email, you are consenting to a search of same ( or lower standard for such search ), as opposed to ‘not opening it’.
What if I download it from server, IOW accept delivery, but do not ‘open’ it IE read it ? This is how most email transits. I get 500 – 1000 emails a day ( mainly spam ), I actually open maybe 10 of them. Are those ten now ‘public’, or subject to some lesser standard of privacy because I clicked on them here on my own PC ?
This is equivalent to saying ‘If I get a letter and I DON’T open it, it’s private, but if I open it and read it, it’s now public’
Lunacy.
Then again, look at the other laws our Dear Leaders pass ….. to expect sanity from them would be itself lunacy.
April 14, 2010, 8:18 pmOrin Kerr says:
PeteP:
No, it doesn’t. The statute imagines two different ways you can use third party servers like ISPs: First, you can rely on them to deliver your e-mail, and second, you can rely on them to store your files. DOJ’s theory is that when you open e-mail and leave it on the server, you are no longer using the ISP to deliver your mail but are rather using it to store your mail post-delivery. It so happens that Congress chose a lower standard for the latter, likely reflecting third-party doctrine cases like Couch and Miller.
April 14, 2010, 8:52 pmPeteP says:
Orin – OK, I do see the fine-hair of distinction. It’s the same as saying that your ISP’s disks are ‘open to the public’, like your garbage at the street on pickup day.
I would certainly argue with DOJ that my personal private files on the ISP , password protected, are not ‘open to the public’. In fact, any member of the public accessing them would be in violation of computer law ( unauthorized access of a computer system ). That should suffice to create the presumption of privacy.
Personally, I dont’ use any kind of ‘web mail’ etc – when I DL it, it’s gone from server. However, it almost inevitable ( and beyond my control or knowledge ) that other copies may exist in server-side backups, in-process temp files, logs, etc. Are those now ‘subject to a lower standard of search’ ?
April 14, 2010, 9:08 pmOrin Kerr says:
PeteP,
DOJ isn’t arguing that the files are open to the public. They’re arguing that those are remotely stored files, and that the Fourth Amendment doesn’t protect the files with a warrant requirement under the third party doctrine.
Re back-ups, DOJ’s position is that they are protected by whatever standard applied to the original version when the back-up was made. (The definition of “electronic storage” expressly includes back-ups.)
April 14, 2010, 9:19 pmDNJ says:
Orin,
So you don’t think that it is possible to interpret the statute so as to save it, in accordance with the canon of constitutional avoidance?
April 15, 2010, 6:12 amPintler says:
Under that logic, could Congress authorize warrantless searches of safe deposit boxes? Does the boxholder keeping the second key matter?
(I’m assuming, perhaps incorrectly, that warrants are generally required for safe deposit boxes)
April 15, 2010, 9:25 amSoronel Haetir says:
Another interesting question, say you have someone who does download all their messages and a provider that purposefully does not save messages once delivered. Could the feds compel the provider to change their policy on a single target basis?
April 15, 2010, 10:31 amAnonCommentator says:
The legal scholars who work in this area have my sympathy. In all too many cases, such as the third-party doctrine, the law leads to absurd results — yet the legal scholars have to painstakingly work out the implications of the laws that Congress has passed and the precedents that the courts have established, no matter how ridiculous the end result. Sigh.
April 15, 2010, 9:45 pmmetro11 says:
Prof. Kerr:
Your knowledge of this area is vastly superior to mine, to put it mildly.
But I just wanted to suggest this:
Your distinction (and apparently the law’s distinction) between an unopened e-mail and an opened e-mail is a distinction without much of a difference – from an expectation of privacy standpoint – in my view.
You explain above that the apparently accepted view is that unopened e-mail retains a higher expectation of privacy because the 3rd party ISP is acting as an agent delivering the e-mail. But an opened e-mail has a lower expectation of privacy because the 3rd party ISP is merely acting as an agent to store the (presumably) read e-mail.
I would suggest that this is not how the privacy expectations of e-mail users work.
When you receive an e-mail in your personal e-mail account (Yahoo, Gmail, etc.), before you open it, I agree that you have a high expectation of privacy, i.e., that the government won’t be able to access that e-mail before you do without a warrant.
But the differing analysis once the e-mail is opened has problems.
I don’t think it’s true that one’s privacy expectations change once one clicks on an e-mail. You may say that the function of the 3rd party ISP changes then, but I don’t think that has any connection to the privacy expectation of the user.
Once you click on an e-mail you may or may not actually read it. But whether you read it or not, I don’t think the normal user thinks at all at that point about whether he/she just changed the availability of that e-mail to a government official. Indeed, I think, if asked, the normal user would say that, no, they absolutely did not intend to change the privacy analysis for that clicked-on e-mail.
The user has presumably agreed to a user agreement with the 3rd party ISP. So, apparently, the user is comfortable letting this 3rd party ISP keep both opened and unopened e-mails on the ISP server. I don’t think the user makes any distinction between his right to privacy for those opened and unopened e-mails sitting on the ISP server. The user doesn’t care whether the email is opened or unopened via-a-vis anyone other than the ISP gaining access. Put another way, the user sees the ISP server as a medium of private storage for both opened and unopened e-mails.
Further, I don’t understand why an e-mail on the 3rd party ISP – which has been clicked-on – represents some higher level exigency that would make a warrantless seizure reasonable. In other words, if the scenario is that the e-mail has been clicked-on – but the user has just let it sit there in his/her inbox – why would the government not need a warrant to get it? Where’s the emergency? Again, the e-mail is just sitting there … that’s the point of the whole scenario.
April 16, 2010, 7:53 pmOpened Email, ISPs and Search Warrants: What Does Federal Privacy Law Permit? | Privacy Working Group says:
[...] to recent blog post on the Volokh Conspiracy, the federal government is currently involved in a dispute with Yahoo over [...]
April 20, 2010, 4:04 pm