No Fourth Amendment Protection in E-Mail Addresses, IP Addresses, Ninth Circuit Holds: Commentators and Congress have long assumed that government surveillance of non-content "header" information like e-mail addresses and IP addresses, typically done by a service provider, do not violate a Fourth Amendment "reasonable expectation of privacy." Today the Ninth Circuit became the first court to hold this directly in United States v. Forrester.

  My major concern with this opinion is that, unless I'm missing something, the opinion does not actually say how the surveillance occurred. The Court states that the government used "a pen register analogue on [the defendant]'s computer" to collect the IP address, to/from e-mail addresses, and total volume transferred. But the reader is left guessing what that means.

  Consider two possibilities. The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. If so, the analogy to Smith v. Maryland is really clear, and the result in Forrester is clearly correct. The second possibility is that the Court meant what it said literally: the government installed a pen register analogue "on [the defendant's] computer," which seems to suggest some kind of surveillance device actually inside the person's machine. If that's right, I tend to think this is a different case. At that point the facts become a lot more like United States v. Karo, the locating device case, where the use of a surveillance device inside the home was held to be a search.

  So which one of these sets of facts occurred? We don't know, as best as I can tell, and without knowing I find it hard to tell if I agree with the decision. More broadly, it will be hard for other courts to know what to make of the precedent: Is the court saying that the government can remotely install a surveillance device on your personal machine so long as the information collected doesn't implicate a reasonable expectation of privacy? Or are they only saying that the provider can collect that information from inside the provider's network on the government's behalf?

  Maybe I'm just missing the part of the opinion that explains this? If so, please let me know in the comment thread. And thanks to Terry Edwards for the link.

Related Posts (on one page):

  1. Amended Opinion in Forrester:
  2. Can the FBI Install Spyware on Your Computer Without A Warrant?:
  3. No Fourth Amendment Protection in E-Mail Addresses, IP Addresses, Ninth Circuit Holds:
Can the FBI Install Spyware on Your Computer Without A Warrant?: Kevin Poulsen has an interesting piece at on a recent criminal case in which the government obtained a search warrant and remotely installed spyware on a target's computer. The program reported back a wealth of information on how the computer was being used, including IP addresses, the MAC address, etc.. No contents of communications were obtained; this would have required a Title III order rather than a traditional search warrant. The warrant affidavit is here.

  Given that the government obtained a probable cause warrant and didn't collect the contents of any communications, it's hard to find a legal problem with what the government did. At the same time, the story does make me wonder if something like this was used in the United States v. Forrester case I blogged about earlier. I never did find out if the Forrester case involved monitoring at the ISP or involved spyware installed on the suspect's personal machine. But if it was the latter, I tend to think a warrant probably was necessary and the court's decision probably was wrong.

  Why might it matter whether the government installed the device at the ISP or on the suspect's machine? It's true that the government ends up with the same information either way. But the Fourth Amendment usually focuses on how information is collected rather than what information is collected. The fact that the government can buy the morning newspaper at a corner store without a warrant doesn't mean that they can break into your home and read your copy without obtaining a warrant first.

  More broadly, I tend to think that the most persuasive rationale for the third-party doctrine underpinning Smith v. Maryland (and thus Forrester) is that the recipient of a communication is a party to the communication that can consent to monitoring. When a communication is received by its intended recipient, that recipient has control over what to do with the information received much like the recipient of a traditional letter. Thus in Smith v. Maryland, the phone company could record Smith's telephone numbers because it was the end recipient of the communication -- the communication about the numbers to be dialed -- from Smith to the phone company.

  Spyware is different. If the government places spyware on a private machine, it is not working with a party to the communication. Rather, it is intercepting the contents of communications between the parties, the user and the ISP. I think it's much harder to apply the third-party doctrine in that setting. You end up having to say that the possibility the government could get the ISP to conduct the monitoring means that the government doesn't have to try. But consent is consent in fact, not a likelihood of consent if the government had tried to obtain it. Given that, I'm dubious that spyware is covered under the rationale of Smith v. Maryland. As a result, I tend to think a warrant is probably needed to install spyware without the ISP's involvement even if non-content information was disclosed (note that a warrant was obtained in the case covered by Wired). It's not an open and shut case, but I think a warrant is probably needed.

  Anyway, sorry if these ideas are hard to follow; I'm working on an article about the third party doctrine and my views are still forming, so some of my comments may seem disjointed. Finally, thanks to Dan Solove for the link.
Amended Opinion in Forrester: Good news for those following United States v. Forrester, the computer pen-register case; the Court very helpfully amended the opinion today to clarify that the surveillance program was installed at the ISP's connection facility rather than on the individual's personal machine. That's very good to know, for reasons I explained here. I think the opinion is clearly correct in light of it.

  I trust some readers are thinking that even if the court's decision is correct as a matter of Fourth Amendment law, the result is still troubling as a matter of policy. Pen register orders are very easy to get, and non-content Internet surveillance can be quite invasive. I think that's basically right, which is why I think the Pen Register statute needs to be amended. As I argued in this article, I think the standard for an Internet pen register order should be a showing of "specific and articulable facts" rather than a mere certification of relevance. In traditional Fourth Amendment terms, Congress should use a Terry stop standard rather than a subpoena standard. That's a question for Congress, not the courts, but I hope the Forrester case helps bring attention to the need for statutory reform.