This story appeared on Network World at

http://www.networkworld.com/columnists/2007/070207bradner.html

Fourth Amendment applies to cyberspace, for now

By Scott Bradner, Network World, 06/26/07

People concerned about e-mail security got a whole new reason to worry last year with revelations of secret government monitoring. Earlier this month, though, a U.S. Appeals Court told the government where to get off, at least when dealing with people in the Southern District of Ohio.

Security folk have been telling people not to assume that e-mail is secure since about the time that e-mail was invented. The three most common worries are misaddressing, forwarding and storage. It is all too easy to misaddress e-mail, either sending private mail to a mailing list or sending mail to the wrong person (autocomplete of e-mail addresses in e-mail clients has made the latter problem much worse). There is no way to ensure that e-mail you send to a particular person is not forwarded on. (Don't put anything in e-mail about a person that you do not want that person to see.) Finally, e-mail can be stored on laptops and other portable devices, which can get stolen or lost and the stored information compromised.

There generally has not been all that much worry about someone monitoring your e-mail as it flows from you to the recipient. The exception to the lack of monitoring is where e-mail is scanned for malware or, as is the case in some corporations, scanned for bad (in different senses of "bad") words or phrases. Some companies also routinely archive all e-mail. But these types of monitoring and archiving do not generally involve people looking at each message as it goes past.

An area of possible worry has been dishonest employees with access to the e-mail service itself. They could, in theory, look at the messages when they are stored in the user's mailbox. One high-profile case where this happened was the Councilman one (see "The fools gold ring of safety").

Last year, in an investigation of a Steven Warshak, the U.S. government decided that due process was inconvenient and compelled Warshak's ISPs to turn over copies of his e-mail without going through the process of getting a search warrant and told the ISP not to let him know what had happened. The government used a novel interpretation of the 20-year-old Stored Communications Act (SCA).

When Warshak belatedly found out about the government's action, he sued, asking for a preliminary injunction blocking the government from doing the same thing to him again and also blocking the government from using the SCA in the same way to get copies of the e-mail of anyone else in the Southern District of Ohio, where the case was heard. The district court granted an injunction and extended it to all ISPs in regard to residents in that district, not just those ISPs in that district.

The government appealed, using all sorts of questionable arguments. The Sixth U.S. Court of Appeals unanimously upheld the district court, with a minor but potentially important tweak as you can see here. Basically, the appeals court ruled that because people do have a reasonable expectation that e-mail is private, the government cannot get copies of e-mail. There are three types of exceptions: (1) the government obtains a warrant to access the e-mail, (2) the government provides notice to a user that gives the user time to object or (3) the government can show that the ISP, as a normal part of its business, has people look at the user's e-mail and this is known by the user.

It seems strange that the government even tried to avoid proper constitutional process when trying to access someone's e-mail, but, as the opinion notes: "the needs of law enforcement stand in constant tension with the Constitution's protections of the individual against certain exercises of official power."

While the outcome of this chapter is quite good, the story is not yet over: There are the people outside of the Southern District of Ohio to be protected.

Disclaimer: Folk at Harvard started observing this tension more than a century before the U.S. Constitution was adopted but have not offered an opinion on this specific case (that I know of). Thus, the above opinion is mine, not Harvard's.