In my last post, I explained the facts of Warshak v. United States, the Sixth Circuit’s new decision that largely rewrites the law of e-mail privacy. In this post, I want to explain the opinion’s legal rulings.
Two caveats before I begin. First, I’ll mostly (although not entirely) save the commentary for later. The Warshak opinion announces five or six novel and far-reaching propositions of law, and I think it’s important for us to start with an understanding of what those rulings are before we get to whether the court had a solid basis or announcing them. Second, I should emphasize that there may be room for disagreement as to the meaning of some of the passages. The opinion is quite complex and not exactly a model of clarity, and I struggled over some of the passages. Given this, I hope those who disagree with my interpretations will politely explain why in the comment thread.
On to the opinion, starting with procedural issues and then moving on to the Fourth Amendment rulings.
Let’s get the procedural, non-Fourth Amendment matters out of the way first. These parts are less high-profile than the substantive Fourth Amendment issues, but they’re the rulings that let the court get to the Fourth Amendment issues so we need to appreciate them to understand the case. In particular, there are two key procedural rulings:
(1) When a person challenges a statute under the Fourth Amendment, the court has the power to consider all of the possible applications of the challenged statute, determine which ones violate the Fourth Amendment, and then enjoin the ones that would violate the Fourth Amendment while allowing the statute to be used in ways that the court concludes would be constitutional.
According to the court, individuals can bring facial challenges to statutes under the Fourth Amendment “where the statute, on its face, endorses procedures to authorize a search that clearly do not comport with the Fourth Amendment.” However, courts ruling on such facial challenges do not need to uphold or strike down statutes in their entirety. Rather, courts can impose a “narrow” type of facial invalidation in which the court can determine which applications of the statute would be constitutional and which would be unconstitutional. The court can then prohibit only the unconstitutional applications of the statute and permit the rest.
(2) The plaintiff in this case has standing and his claims are ripe to challenge future acts under the SCA, and the balance of factors favors an injunction here.
Warshak has standing to challenge the government’s future conduct because the government has obtained his e-mails twice before and might do so again because the statute permits the government’s action. Although Warshak has been indicted and the case has moved on to a different stage, it is possible that the government might try to get his e-mail again using the same technique it used in 2005. His claims are not excessively hypothetical because it seems likely that future efforts to obtain Warshaks e-mail probably would be pretty similar to the two past ones. Further, the government wants to act in ways that violate the Fourth Amendment, which is contrary to the public interest and favors issuing the injunction.
On to the Fourth Amendment rulings. They are:
(1) The threshold that the Fourth Amendment requires when compelling evidence with a subpoena or similar order depends on who has privacy rights and whether the persons who have privacy rights have been given prior notice of the government’s action.
The court envisions three different categories of privacy protection for orders to compel:
First, when the government is seeking evidence with a subpoena and no third party has a reasonable expectation of privacy in the information, the Fourth Amendment standard is the traditional reasonableness standard.
Second, when the government is seeking evidence with a subpoena and a third party has a reasonable expectation of privacy in the information but is not given prior notice, then the Fourth Amendment requires probable cause.
Third, when the government is seeking evidence with a subpoena and a third party has a reasonable expectation of privacy in the information but is given prior notice allowing them to challenge the subpoena, then the Fourth Amendment standard drops back down to traditional reasonableness. In other words, the Fourth Amendment requires probable cause or notice, but the presence of notice drops the required legal threshold down to reasonableness.
(2) E-mail users always have a reasonable expectation of privacy against the outside world in their e-mail.
The contents of stored e-mail held by an ISP are like the contents of landline telephone calls, sealed letters, or sealed packages. The fact that ISPs have the technical ability to access e-mail doesn’t matter, any more than does the fact that the Post Office has the technical ability to break open your envelopes and read your postal mail. An ISP might access subscriber and non-content information associated with an e-mail, but the ISP has not been granted access to the e-mail’s contents and there is a “societal expectation” that they normally will not access contents.
Notably, however, a user’s reasonable expectation of privacy in e-mail is not the same as a person’s reasonable expectation of privacy in physical spaces. Rather, it is broader, because computer accounts are different from physical spaces. In the physical world, a person’s reasonable expectation of privacy is contingent on his relationship to the place. Thus, Katz had a reasonable expectation of privacy in the phone booth only temporarily when he was making a call; a hotel guest loses his reasonable expectation of privacy after checkout time; and a burglar has no reasonable expectation of privacy in a house he has burglarized. Fourth Amendment rights in physical spaces depend on whether the person has a legitimate relationship with the space sufficient to establish constitutional proection.
According to the court, these concepts do not apply to computer accounts. The court reasons that these Fourth Amendment rules in physical space exist because physical space can be used by multiple people. For example, a hotel guest loses a reasonable expectation of privacy at checkout time because the next guest is coming and soon will be putting his stuff in the room. But e-mail is different: e-mail accounts are not ordinarilty used by multiple people. If you stop paying the bill for your ISP account, you wouldn’t expect some other Internet user to gain access to your account and start looking through your e-mail! As a result, you maintain a reasonable expectation of privacy in your account even if you signed up for the account fraudulently or you decided to abandon the account.
Indeed, even a hacker likely has a reasonable expectation of privacy in the contents of e-mails in an account he has hacked. A thief does not have a reasonable expectation of privacy in the contents of a computer he has stolen. But if a hacker breaks into an account and puts his private information there, the analogy to a stolen physical computer is unhelpful because the hacker didn’t actually “steal” the e-mail account or the server that hosts it.
(3) A clear statement by an ISP in Terms of Service that it regularly accesses e-mail content combined with a) evidence that users are aware of that policy and b) evidence that the ISP utilizes the policy does not eliminate Fourth Amendment protection altogether, but does eliminate a reasonable expectation of privacy “vis a vis the provider,” allowing a lower subpoena standard to be used to compel evidence from the ISP.
According to the court, there are two kinds of reasonable expectations of privacy: those generally and those vis-a-vis ISPs. (Editorial note: This is wrong as a matter of basic Fourth Amendment law; there is no such thing as reasonable expectations of privacy vis a vis different people or entities. But I promised not to talk about the merits here, so I’ll get to that in a future post.) In some circumstances, ISP monitoring can eliminate the user’s reasonable expectation of privacy vis a vis the ISP although not vis a vis the outside world. The key line is between “total access” and “less in-depth screening”; “total access” eliminates the REP with respect to the provider but “less in-depth screening” does not.
The court elaborates on the line and offers the following constitutional test: to establish that a user has waived a reasonable expectation of privacy in e-mail vis a vis the provider, the goverment must show “based on specific facts,” “that the ISP or other int
ermediary clearly established and utilized the right to inspect, monitor, or audit the contents, or otherwise had content revealed to it.” If the government can establish this, then the user’s reasonable expectation of privacy “vis a vis the provider” is waived, and the Fourth Amendment is now satisfied if the subpoena or order to compel is obtained under a reasonableness standard rather than probable cause.
(4) Computer scanning of e-mail for key words, types of images or “similar indicia of wrongdoing” in a way that does not disclose contents to an actual person does not invade any Fourth Amendment rights.
According to the court, such computer-driven screening is like post office screening of packages for evidence of drugs or explosives. Because such screening does not trigger the Fourth Amendment — on a Caballes dog-sniff rationale, I assume — digital screening does not do so either. (Presumably this means that the any NSA monitoring of e-mail for keywords or the use of FBI devices installed at ISPs to scan e-mail and attachments for digital images of child pornography do not implicate the Fourth Amendment. However, the court does not elaborate on this point.)
(5) When e-mail is obtained pursuant to a search warrant, the particularity requirement requires that warrants must “target e-mails that could reasonably be believed to have some connection to its specific investigation.”
When the government has probable cause to believe evidence of crime or contraband is in an e-mail account, it cannot request the entire e-mail account. The warrant has to be selective and only ask for specific documents or categories of documents. (Given that ISP employees execute warrants for e-mail accounts, rather than police officers, I don’t know how this is supposed to work. Perhaps cops need to actually come to the ISP and screen the e-mails onsite or else the police must start outsourcing minimization to the ISP employees? Or can the ISP send the entire contents to the FBI, which will then execute the search on the account based on the particular warrant much as hey would a PC? More on this later, too.) The court suggests that magistrates should consider limiting e-mail warrants based on the date of the e-mail, the “to” and “from” adress, or keywords, but does not impose a requirement of that.
So there you have it. As you can see, the court sure managed to pack in a lot of law into a 20-page opinion. I don’t think I’m exagerrating to say it’s an entirely new regime for e-mail privacy. In my next post, I’ll finally start critiquing the opinion on the merits. I plan to start by critiquing the court’s procedural rulings, some of which struck me as pretty obviously wrong and contrary to fairly clear Supreme Court precedent that the panel opinion didn’t cite. Stay tuned….