The Legal Rulings in Warshak v. United States:
In my last post, I explained the facts of Warshak v. United States, the Sixth Circuit's new decision that largely rewrites the law of e-mail privacy. In this post, I want to explain the opinion's legal rulings.

  Two caveats before I begin. First, I'll mostly (although not entirely) save the commentary for later. The Warshak opinion announces five or six novel and far-reaching propositions of law, and I think it's important for us to start with an understanding of what those rulings are before we get to whether the court had a solid basis or announcing them. Second, I should emphasize that there may be room for disagreement as to the meaning of some of the passages. The opinion is quite complex and not exactly a model of clarity, and I struggled over some of the passages. Given this, I hope those who disagree with my interpretations will politely explain why in the comment thread.

  On to the opinion, starting with procedural issues and then moving on to the Fourth Amendment rulings.

The Procedural Rulings

  Let's get the procedural, non-Fourth Amendment matters out of the way first. These parts are less high-profile than the substantive Fourth Amendment issues, but they're the rulings that let the court get to the Fourth Amendment issues so we need to appreciate them to understand the case. In particular, there are two key procedural rulings:

  (1) When a person challenges a statute under the Fourth Amendment, the court has the power to consider all of the possible applications of the challenged statute, determine which ones violate the Fourth Amendment, and then enjoin the ones that would violate the Fourth Amendment while allowing the statute to be used in ways that the court concludes would be constitutional.

  According to the court, individuals can bring facial challenges to statutes under the Fourth Amendment "where the statute, on its face, endorses procedures to authorize a search that clearly do not comport with the Fourth Amendment." However, courts ruling on such facial challenges do not need to uphold or strike down statutes in their entirety. Rather, courts can impose a "narrow" type of facial invalidation in which the court can determine which applications of the statute would be constitutional and which would be unconstitutional. The court can then prohibit only the unconstitutional applications of the statute and permit the rest.

  (2) The plaintiff in this case has standing and his claims are ripe to challenge future acts under the SCA, and the balance of factors favors an injunction here.

  Warshak has standing to challenge the government's future conduct because the government has obtained his e-mails twice before and might do so again because the statute permits the government's action. Although Warshak has been indicted and the case has moved on to a different stage, it is possible that the government might try to get his e-mail again using the same technique it used in 2005. His claims are not excessively hypothetical because it seems likely that future efforts to obtain Warshaks e-mail probably would be pretty similar to the two past ones. Further, the government wants to act in ways that violate the Fourth Amendment, which is contrary to the public interest and favors issuing the injunction.

The Fourth Amendment Rulings

On to the Fourth Amendment rulings. They are:

  (1) The threshold that the Fourth Amendment requires when compelling evidence with a subpoena or similar order depends on who has privacy rights and whether the persons who have privacy rights have been given prior notice of the government's action.

  The court envisions three different categories of privacy protection for orders to compel:

  First, when the government is seeking evidence with a subpoena and no third party has a reasonable expectation of privacy in the information, the Fourth Amendment standard is the traditional reasonableness standard.

  Second, when the government is seeking evidence with a subpoena and a third party has a reasonable expectation of privacy in the information but is not given prior notice, then the Fourth Amendment requires probable cause.

  Third, when the government is seeking evidence with a subpoena and a third party has a reasonable expectation of privacy in the information but is given prior notice allowing them to challenge the subpoena, then the Fourth Amendment standard drops back down to traditional reasonableness. In other words, the Fourth Amendment requires probable cause or notice, but the presence of notice drops the required legal threshold down to reasonableness.

  (2) E-mail users always have a reasonable expectation of privacy against the outside world in their e-mail.

  The contents of stored e-mail held by an ISP are like the contents of landline telephone calls, sealed letters, or sealed packages. The fact that ISPs have the technical ability to access e-mail doesn't matter, any more than does the fact that the Post Office has the technical ability to break open your envelopes and read your postal mail. An ISP might access subscriber and non-content information associated with an e-mail, but the ISP has not been granted access to the e-mail's contents and there is a "societal expectation" that they normally will not access contents.

  Notably, however, a user's reasonable expectation of privacy in e-mail is not the same as a person's reasonable expectation of privacy in physical spaces. Rather, it is broader, because computer accounts are different from physical spaces. In the physical world, a person's reasonable expectation of privacy is contingent on his relationship to the place. Thus, Katz had a reasonable expectation of privacy in the phone booth only temporarily when he was making a call; a hotel guest loses his reasonable expectation of privacy after checkout time; and a burglar has no reasonable expectation of privacy in a house he has burglarized. Fourth Amendment rights in physical spaces depend on whether the person has a legitimate relationship with the space sufficient to establish constitutional proection.

  According to the court, these concepts do not apply to computer accounts. The court reasons that these Fourth Amendment rules in physical space exist because physical space can be used by multiple people. For example, a hotel guest loses a reasonable expectation of privacy at checkout time because the next guest is coming and soon will be putting his stuff in the room. But e-mail is different: e-mail accounts are not ordinarilty used by multiple people. If you stop paying the bill for your ISP account, you wouldn't expect some other Internet user to gain access to your account and start looking through your e-mail! As a result, you maintain a reasonable expectation of privacy in your account even if you signed up for the account fraudulently or you decided to abandon the account.

  Indeed, even a hacker likely has a reasonable expectation of privacy in the contents of e-mails in an account he has hacked. A thief does not have a reasonable expectation of privacy in the contents of a computer he has stolen. But if a hacker breaks into an account and puts his private information there, the analogy to a stolen physical computer is unhelpful because the hacker didn't actually "steal" the e-mail account or the server that hosts it.

  (3) A clear statement by an ISP in Terms of Service that it regularly accesses e-mail content combined with a) evidence that users are aware of that policy and b) evidence that the ISP utilizes the policy does not eliminate Fourth Amendment protection altogether, but does eliminate a reasonable expectation of privacy "vis a vis the provider," allowing a lower subpoena standard to be used to compel evidence from the ISP.

  According to the court, there are two kinds of reasonable expectations of privacy: those generally and those vis-a-vis ISPs. (Editorial note: This is wrong as a matter of basic Fourth Amendment law; there is no such thing as reasonable expectations of privacy vis a vis different people or entities. But I promised not to talk about the merits here, so I'll get to that in a future post.) In some circumstances, ISP monitoring can eliminate the user's reasonable expectation of privacy vis a vis the ISP although not vis a vis the outside world. The key line is between "total access" and "less in-depth screening"; "total access" eliminates the REP with respect to the provider but "less in-depth screening" does not.

  The court elaborates on the line and offers the following constitutional test: to establish that a user has waived a reasonable expectation of privacy in e-mail vis a vis the provider, the goverment must show "based on specific facts," "that the ISP or other intermediary clearly established and utilized the right to inspect, monitor, or audit the contents, or otherwise had content revealed to it." If the government can establish this, then the user's reasonable expectation of privacy "vis a vis the provider" is waived, and the Fourth Amendment is now satisfied if the subpoena or order to compel is obtained under a reasonableness standard rather than probable cause.

  (4) Computer scanning of e-mail for key words, types of images or "similar indicia of wrongdoing" in a way that does not disclose contents to an actual person does not invade any Fourth Amendment rights.

  According to the court, such computer-driven screening is like post office screening of packages for evidence of drugs or explosives. Because such screening does not trigger the Fourth Amendment — on a Caballes dog-sniff rationale, I assume — digital screening does not do so either. (Presumably this means that the any NSA monitoring of e-mail for keywords or the use of FBI devices installed at ISPs to scan e-mail and attachments for digital images of child pornography do not implicate the Fourth Amendment. However, the court does not elaborate on this point.)

  (5) When e-mail is obtained pursuant to a search warrant, the particularity requirement requires that warrants must "target e-mails that could reasonably be believed to have some connection to its specific investigation."

  When the government has probable cause to believe evidence of crime or contraband is in an e-mail account, it cannot request the entire e-mail account. The warrant has to be selective and only ask for specific documents or categories of documents. (Given that ISP employees execute warrants for e-mail accounts, rather than police officers, I don't know how this is supposed to work. Perhaps cops need to actually come to the ISP and screen the e-mails onsite or else the police must start outsourcing minimization to the ISP employees? Or can the ISP send the entire contents to the FBI, which will then execute the search on the account based on the particular warrant much as hey would a PC? More on this later, too.) The court suggests that magistrates should consider limiting e-mail warrants based on the date of the e-mail, the "to" and "from" adress, or keywords, but does not impose a requirement of that.

* * * *

  So there you have it. As you can see, the court sure managed to pack in a lot of law into a 20-page opinion. I don't think I'm exagerrating to say it's an entirely new regime for e-mail privacy. In my next post, I'll finally start critiquing the opinion on the merits. I plan to start by critiquing the court's procedural rulings, some of which struck me as pretty obviously wrong and contrary to fairly clear Supreme Court precedent that the panel opinion didn't cite. Stay tuned....
YAP (mail):

Indeed, even a hacker likely has a reasonable expectation of privacy in the contents of e-mails in an account he has hacked. ... But if a hacker breaks into an account and puts his private information there, the analogy to a stolen physical computer is unhelpful because the hacker didn't actually "steal" the e-mail account or the server that hosts it.

The way I read the decision, the court is saying that if a hacker paid for an email account with a stolen credit card, he might still have an expectation of privacy, NOT that a hacker could hack someone else's account and thereby gain an expectation of privacy in it. I think they're saying that the fact that the funds were stolen is a crime, but it doesn't automatically cause the thief to lose expectations of privacy in the things he/she used the funds for.
6.21.2007 8:59am

I meant to ask earlier, what about the panel's members made you unsurprised (my word) by the ruling?
6.21.2007 9:27am
Justin (mail):
Looks like my main disagreements with you (assuming that you disagree with all 7 "rulings") will be with substantive "rulings" 2, 3, and 5. The rest range from "I don't really know the substantive law here, but that doesn't seem right" to "I know that isn't right."

Before you do your commentary, since my main disagreements come in (2) and (3), please consider (and explain in your commentary.

for (2), why the distinction you are making matters. My initial response to your pre-criticism commentary is "so?" Email has both the virtual properties of a conversation and a file. A telephone conversation is protected "forever" because its physical property is extinguished as soon as the conversation is extinguished - and even if thats not true (if the NSA had bugged, but not retrieved the bug), the expectation of privacy on any physical remnant ALSO lasts forever, absent some other circumstance. Email also has the virtual properties of a file. If you delete the email, why should we treat this differently than someone putting a file in the burn box? If the burn box happened offsite, we certainly would not well take a statute that says offsite burn boxes must provide access to the police of all files before burning, right? And I'd prefer a normative answer, not a positive one - I know that's not how most courts treat the law.

(3) This is something where I am less actual aware of the facts - how exactly do ISPs differ from, say, AT&T, who surely has the capability of bugging all your calls? And if the difference is legal or contractual, rather than technical or practical,
(a) - Should (normative) the government be able to bug phone calls using the same procedures? If your answer is yes, then we may not be able to find any common ground due to larger differences.
(b) - If someone wanted privacy in their emails, then how would they go about doing that, in a way that makes reading emails not just difficult but legally impossible?
(c) - How does this apply to law firms, who routinely use email to pass on sensitive information?

6.21.2007 9:55am

The court does say that at first, but in the next paragraph they appear to be talking about a hacker's rights in a hacked account (which is a common fact pattern).


Just to be clear. this post is about what the panel held, not whether those holdings comport with any one person's views of sound social policy. I realize that the court's holdings may in fact comport with those notions in your case, and to the extent that is important to you in evaluating the merits of judicial decisions, I understand why you are interested in discussing that. But obviously you and I approach the law very differently, and here I'm actually interested in a different set of questions -- what the court held, and then later, whether the court's decision was decided correctly as a matter of existing precedents.

As for actual ISP practices, I will be getting to that; my understanding is quite different from the panel's, though (although of course whether those differences matter is another question).
6.21.2007 11:01am
Don Miller (mail) (www):
I run email servers for 2 internet domains.

At both sets of servers we run anti-virus and anti-spam software.

Both types of software automatically read and analyze the content of every email that flows through our system. Our users are very aware that we do this, and are grateful for the service.

Because every email is being 'read', by machine, do you think this would be sufficient grounds for the government to argue that email users have no expectation of privacy to email accounts on those systems?

I've been an IT professional for 25 years. I have never felt that email was private. That is what encryption is for. It may be that I am too aware of the technical side of how email works to think that it can be private.
6.21.2007 11:27am
David W. Hess (mail):

(b) - If someone wanted privacy in their emails, then how would they go about doing that, in a way that makes reading emails not just difficult but legally impossible?

They could encrypt the email and there are both open and closed standards for doing so. Usually this leaves the destination and source address among other things available as plain text in the header which is required for successful delivery but with some additional complexity it is possible to mask those as well.
6.21.2007 11:37am

I think there's a distinction between your example and the facts of this case. Indeed, we have an expectation of privacy regarding our snail mail even though some of this mail is now being x-rayed and postal workers are always on the look-out for suspicious mail.
6.21.2007 11:39am
Justin (mail):

Sorry that I misunderstood the purpose of your argument. I agree that this case has a strong likelihood of being overturned, on the procedural grounds alone. My initial interest in your series of posts was quirked by your claims that the substantive argumetns were "troubling" and that it would provide more protection to email and electronic information than to other vessels of private infromation.

Don's post led me to make sure that one of my questions was clarified, as well: Both normatively and positively, can/should a breakable encryption grant a legal grant of privacy? To go into the physical/virtual paradigm again, does it matter if a door is locked, given that locks can easily be broken?
6.21.2007 11:41am
Justin (mail):
David, I understand that. Hopefully, the above clarification will explain the question I was trying to ask.
6.21.2007 11:43am

I wrote an article several years ago on whether encryption should create a reasonable expectation of privacy. A copy of it is here. The abstract:
Does encrypting Internet communications create a reasonable expectation of privacy in their contents, triggering Fourth Amendment protection? At first blush, it seems that the answer must be yes: A reasonable person would surely expect that encrypted communications will remain private. In this paper, Professor Kerr explains why this intuitive answer is entirely wrong: Encrypting communications cannot create a reasonable expectation of privacy. The reason is that the Fourth Amendment regulates access, not understanding: no matter how unlikely it is that the government will successfully decrypt ciphertext, the Fourth Amendment offers no protection if it succeeds. As a result, the government does not need a search warrant to decrypt encrypted communications. This surprising result is consistent with Fourth Amendment caselaw: it matches how courts have resolved cases involving the reassembly of shredded documents, recovery of deleted files, and the translation of foreign languages. The Fourth Amendment may regulate government access to ciphertext, but it does not regulate government efforts to translate ciphertext into plaintext.
6.21.2007 11:47am
Justin (mail):
That's what I thought the answer would be. Thanks, Orin.
6.21.2007 11:53am
Justin (mail):
Orin, having skimmed the article, it appears not to be a positive argument but a normative one (one that I think is intuitively corect given past precedent, but not one that explains how courts actually have addressed the situation). Do you know if in the last 5 years or so, courts have followed your viewpoint or that of Froomkin/Mandleman/Singhal's view?
6.21.2007 11:58am
David W. Hess (mail):
Sorry Justin. I answered the wrong question and was thinking more along the lines of what can be done to make interception and understanding impossible in the sense of being practical. I am not in the position to and would not in any case second guess Professor Kerr's paper which I had completely forgotten about.

If anything, I am more convinced then ever that strong encryption is necessary to maintain privacy and that 4th Amendment protections are not sufficient. This ruling notwithstanding, I have every expectation that the government will continue and expand the monitoring of private communications. If the various authorities did not want to face a flood of strongly encrypted communications, they should have made the legal limits of search and seizure clear and vigorously abided by them such that they were above reproach.
6.21.2007 12:54pm
Justin (mail):

My concern, which isn't particularly relevant to the actual case at bar, is that encryption isn't enough, particular for your average person, against the capacity of the government intent on "breaking in."
6.21.2007 1:17pm
Justin (mail):
Actually, it is relevant in at least one way (and may be in more depending on Orin's arguments), defeating Don Miller's point in the context of the "reasonable expectation of privacy" argument. If an encrypted email is not going to GIVE an otherwise unprotected email a reasonable expectation of privacy, it doesn't seem right that lack of encryption should be evidence AGAINST an otherwise protected email. And FURTHERMORE, if (and I don't know if this if is true) the only practical way to get email access via an ISP that contains Orin's "clear statement," (i.e., its not practical to expect those people who want privacy in their email to simply make sure they use ISPs without said statement), AND (1) as a result people use encryption to create such practical expectations, AND (2) such encryption has no effect on the analysis, then the argument to ascribe any weight to that agreement is weakened - particularly if there is either a legal duty or a reasonable expectation that the ISP utilize or

And in considering that argument, consider this one as well: Would a statute that permits the bugging of everybody's phone without a warrant succeed on the basis that:

1) Since everybody's phone is bugged, the data containing the conversation exists at both points of a conversation and

2) The data used in a criminal trial against party A was obtained from party B's phone, and party A cannot rely on party B's right to privacy (and in any event, party A assumed the risk that disclosure of private information to party B would lead to subsequent public revelation).

If *not*, then there's perhaps some problems in treating ISPs as a third party. In addition (or, depending on the legal analysis, instead)*, there's an unrelated (but more severe) problem with the caselaw describing the rule that one cannot enforce another party's right to privacy.

*It's unclear to me at this point whether an argument (which Orin presumably will make in his next post) that an ISP is a third-party who can disclose information to the government in a way that eviscerates the REP is dependant on the caselaw that is directly called into question by the hypothetical.
6.21.2007 1:32pm

Your guesses about the arguments I will be making aren't very accurate, either in this thread or in some others. While of course it's great to discuss these issues in general, I would appreciate it if you didn't associate them with me based on your expectations of what you think I might say.

6.21.2007 1:40pm
nedu (mail):

I note with some amusement footnote 137 on p.530 (p.29 in PDF) of your paper. You wrote:

137. I am assuming that there are no major advances in the mathematics of factoring prime numbers [...]

From a mathematical standpoint, I venture my humble opinion that there will never, ever, ever be any "major advances in factoring prime numbers." Alas for mathematics!

Turning to the substance of the argument....

A "reasonable expectation of privacy" is factored into a subjective component and an objective component. I'd argue that that factorization is not particularly helpful: Instead, it should be factored into:

o A reasonable interest in privacy.
o Reasonable measures to protect privacy.

A reasonble interest should be viewed "objectively"--that is, society's interest in protecting the privacy of an individual in a particular setting.

Reasonable measures should be seen as an allocation of burdens to various parties--something that judges are quite familiar with in other contexts.

The amici in Warshak made much of society's interest in protecting the privacy of email. I think that's an interest that society should be prepared to protect.

The government made an argument that measures taken by Warshak to protect the privacy of his email were insufficient to trigger the fourth amendment: to wit, he left the email in the possession of a third party.

In the past, I have heard a fair number of email professionals indicate their view that end-to-end encryptation is necessary to protect privacy in email. I happen to share that view.

Perhaps a fourth amendment argument is the wrong place to raise the issue. But, for instances, lawyers who expect that unencrypted email to clients remains private are, imho, taking reckless chances.
6.21.2007 1:44pm
gr101 (mail):

Indeed, even a hacker likely has a reasonable expectation of privacy in the contents of e-mails in an account he has hacked. A thief does not have a reasonable expectation of privacy in the contents of a computer he has stolen. But if a hacker breaks into an account and puts his private information there, the analogy to a stolen physical computer is unhelpful because the hacker didn't actually "steal" the e-mail account or the server that hosts it.

I disagree. Because the legitimate user would come along and read the emails the hacker put in there. Even if the hacker has installed technological blocks to this. It is reasonable to expect that the legitimate user would try to access what he thinks is properly his own files.
6.21.2007 2:15pm

Ack. I can't believe I wrote that! How embarrassing.
6.21.2007 2:23pm
David W. Hess (mail):
My concern . . . is that encryption isn't enough, particular for your average person, against the capacity of the government intent on "breaking in."

My position is the mirror image. :)

I would find encryption completely sufficient to protect my communications while in transit even if I delivered the cyphertext to any interested party. That does not mean I see no role for legal protections but I do not consider them sufficient in of themselves.

I agree that routine email encryption is beyond the ability of most users but that is a limitation of current end user implementations and a lack of demand.

Please forgive me if the following is too far off topic. I am inclined to leave the deep legal analysis to others as I am unqualified for such.

I have always found the legal distinctions between email and a telephone conversation to be meaningless from a technical perspective. In both cases, a recording of the communication exists or can be created as a separate entity in the custody of a third party.

The difference in the details is at most a difference in amount and not a difference in kind. If I replaced all of the RAM and storage used by the hardware involved in the transmission of an email message with mercury delay lines which were once used for data storage, all of the data would be present temporarily as an acoustical wave. If I replaced a circuit switched telephone link with a packet switched network, the phone conversation would exist in RAM somewhere (at least in part at any given time) and apparently according to a recent decision be "a tangible document that can be stored and must be turned over in a lawsuit."

Email generally is present as a whole at any one point in the communications chain where a telephone conversation would not be but again, that distinction is implementation dependant and not inherent to the character of email or the character of a telephone conversation. It is easier to intercept an entire email message but there is nothing in the nature of email that makes this a given. Do I gain legal protection if I send my email message one letter at a time? Do I loose legal protection of my telephone conversation if I digitally record it and send it all in one message?

Oddly enough, back when it was looking like the federal government was going to place severe restrictions on strong cryptography, Ronald L. Rivest (the R in RSA) published a method of transmitting information in such a way that it was confidential yet unencrypted called Chaffing and Winnowing. If applied to email, it would easily have had the effect of replacing a normally easy to intercept email with a stream of gibberish in which only part of the plain text (it had no cyphertext) would be present in transmission at any given time much like a telephone conversation is treated today both in law and practically.
6.21.2007 2:40pm
Bill Sommerfeld (www):
I'd hope that point (4):

"Computer scanning of e-mail for key words, types of images or "similar indicia of wrongdoing" in a way that does not disclose contents to an actual person does not invade any Fourth Amendment rights"

.. also means that similar automated analysis by an ISP's spam defenses would have no impact on a user's legal expectations of privacy.
6.21.2007 3:58pm
Bill Sommerfeld (www):
Orin: You are in good company -- misstatements about the relevance of the difficulty of "factoring primes" to a cryptographic problem are surprisingly common, even by people in the field who should know better.

(For those who have no idea what we're talking about: RSA public key encryption involves choosing two large prime numbers, multiplying them, and then publishing the product; being able to factor the product would enable you to break the encryption. The difficulty of factoring composite numbers which are the product of two large primes is a fundamental part of the strength of the algorithm...)
6.21.2007 6:05pm