title:

The Fourth Amendment applies to cyberspace, for now

By: Scott Bradner

Everybody says that 'email is not secure." The people that have been saying this for years got a whole new reason to worry last year -- secret government monitoring. In mid June a US Appeals Court told the government where to get off, at least when dealing with people in the Southern District of Ohio.

Security folk have been telling people not to assume that email is secure since about the time that email was invented. The three most common worries are misaddressing, forwarding and storage. It is all too easy to misaddress email, either sending private mail to a mailing list or sending mail to the wrong person (auto complete of email addresses in email clients has made the latter problem much worse). There is no way to ensure that email you send to a particular person is not forwarded on. (Don't put anything in email about a person that you do not want that person to see.) Finally, email can be stored on laptops and other portable devices, which can get stolen or lost and the stored information compromised.

There generally has not been all that much worry about someone monitoring your email as it flows from you to the recipient. Exception to the lack of monitoring are where email is scanned for malware or, as is the case in some corporations, scanned for bad (in different senses of "bad") words or phrases. Some companies also routinely archive all email. But these types of monitoring and archiving do not generally involve people looking at each message as it goes past.

An area of possible worry has been dishonest employees with access to the email service itself. They could, in theory, look at the email when it's stored in the user's mailbox. One high-profile case where this happed was the Councilman one. (See The fools gold ring of safety - http://www.sobco.com/nww/2005/bradner-2005-08-22.html) Last year, in an investigation of a Steven Warshak, the US Government decided that due process was inconvenient and compelled Warshak's ISPs to turn over copies of his email without going through the process of getting a search warrant and told the ISP to not let Warshak know what had happened. The government used a novel interpretation of the 20-year old Stored Communications Act (SCA). (http://www.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_121.html)

When he belatedly found out about the government's action, Warshak sued asking for a preliminary injunction blocking the government from doing the same thing to him again and also blocking the government from using the SCA in the same way to get copies of the email of anyone else in the Southern District of Ohio (where the case was heard). The district court granted an injunction and extended it to all ISPs in regard to District residents, not just those ISPs located in the District.

The government appealed using all sorts of questionable arguments. The Sixth U.S. Court of Appeals unanimously upheld the district court (with a minor but potentially important tweak). (See the opinion http://www.ca6.uscourts.gov/opinions.pdf/07a0225p-06.pdf.) Basically the Appeals court ruled that, since people do have a reasonable expectation that email is private, the government cannot get copies of email. There are three types of exceptions: (1) the government obtains a warrant to access the email, (2) the government provides notice to a user that gives the user time to object, or (3) the government can show that the ISP, as a normal part of its business, has people look at the user's email user and this is known by the user thus the user does not expect that their email is private at that ISP.

It seems strange that the government even tried to avoid proper constitutional process when trying to access someone's email but, as the opinion notes "the needs of law enforcement stand in constant tension with the Constitution's protections of the individual against certain exercises of official power." While the outcome of this chapter is quite good, the story is not yet over - there are the people outside of the Southern District of Ohio to be protected.

disclaimer: Folk at Harvard started observing this tension more than century before the U.S. Constitution was adopted but have not offered an opinion on this specific case (that I know of) -- thus the above is mine not Harvard's.