Federal Judge Says E-mail Not Protected By 4th Amendment 451
DustyShadow writes "In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies."" Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."
Re:Glove Box in a Leased Car (Score:3, Informative)
While you have the car in your possession, no. But, once you turn it in, yes.
And, that is a bad analogy.
Re:Not the same, in several aspects (Score:3, Informative)
* Develop a mailserver that stores mail in an encrypted folder and requires your key to access.
We have this already, it's called PGP. ECHELON already reads the To:, From: and Subject: lines of all email sent over any significant hops, so you don't really need to secure those.
This is not the same everywhere. (Score:5, Informative)
Recently in the second Circuit, it has been ruled that gmail users do have an expectation of privacy in their e-mail account. http://online.wsj.com/public/resources/documents/Bear1.pdf [wsj.com]. Here the Court ruled that the warrant was too broad since it didn't restrict the inspection of e-mails that were unrelated to the investigation.
In light of both rulings, it may not prevent the government inspection, but could be grounds to suppress. Furthermore, the Stored communications act prohibits a warrant for this type of information unless, "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."
ECPA (Score:5, Informative)
I see that the electronic communication privacy act of 1986 is being ignored once again.
http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
Re:By this logic... (Score:5, Informative)
Actually, they are private because there is a law saying they are private.
Re:Not the same, in several aspects (Score:5, Informative)
Indeed, if you'd like a citation that agrees with you, http://cyberlaw.stanford.edu/packets001954.shtml [stanford.edu] is a good place to start.
Re:ok (Score:5, Informative)
Funny, in the UK we had police smash into almost 7,000 safe-deposit boxes.
More than 500 officers smashed their way into thousands of safety-deposit boxes to retrieve guns, drugs and millions of pounds of criminal assets. At least, that's what was supposed to happen."
It was a warrant-expansion, from one of those "seizure of criminals assests" laws, that were started first in the States. Gone ALL wrong, 'tho'.
"Many of the clientele were families who had fled turmoil, pogroms, coups and wars and long had a cultural preference for locking away money and jewels, building up a vehement distrust for the integrity of traditional banks. Here, stepping down the spiral staircase at the back to the darkened boxes below, they felt reassured that their most important possessions were safe."
Read more: http://www.dailymail.co.uk/home/moslive/article-1222777/The-raid-rocked-Met-Why-gun-drugs-op-6-717-safety-deposit-boxes-cost-taxpayer-fortune.html [dailymail.co.uk]
Bush Appointee (Score:2, Informative)
Not to get all ad hominem or anything, but this judge was apparently nominated by G.W. Bush and is an LDS, according to Wikipedia. We should be expecting these kind of rulings for a long time: Bush got a lot of his guys in before he lost his political capital. Civil rights, schmivil schmights.
Zo
Wrong: E-mail is Protected by Fourth Amendment (Score:2, Informative)
The title of the article is pure sensationalism.
E-mail is still protected by the 4th Amendment.
The ruling was that there is no 'constitutional requirement of notice to the account holder' for items in possession of a third-party.
Re:ok (Score:3, Informative)
Emphasis on the "positive". :-) Medieval? There's a certain pride that the rights and privileges we are losing were established back in the Middle Ages. Hellooo... Magna Carta!
This is nothing new (Score:4, Informative)
We've seen this sort of "logic" before, and often. The general principle is "When a computer becomes involved, all precedent is forgotten, and centuries of hard-learned lessons must be learned all over again." I've forgotten who first pointed this out, but it's a useful thing to remember.
It took many centuries, and many deaths, for the freedoms that most of the "first-world" countries have were encoded in their laws. But over and over, we've found that the courts don't apply those laws to anything that involves a computer. It takes a good list of horror stories about the actions of ISPs and other people in positions of power, plus new laws, to get the older Real World laws applied to anything involving a computer. This is just one example of many.
It's sorta funny that computers, which are the ultimate in relentless, unforgiving, mechanical logic, have an effect on humans that can be characterized as destroying our ability to use logic as simple as saying that everything we knew before still applies when there's a computer in the vicinity.
In most of the First World, it's illegal for a postal or other delivery employee to open a package and make notes on the content. There are good historic reasons for this. It's interesting to read the history of the concept of "common carrier", and understand why it came to be. People did literally die before these rules went into effect, as the result of people opening and reading the contents of messages in transit, and selling the information to interested parties. This history isn't a secret. But when its a computer transferring messages, the carriers are permitted to inspect the contents and sell the information to interested parties. This will eventually lead to laws applying the common-carrier rules to computerized communications. But this will only happen after the same sort of disasters that led to the common-carrier rules for written, printed and analog telephone communications.
The only scheme that's stable over the long term is that "carriers" of messages should not be allowed to use the contents of the messages for any purpose. In exchange for this, the people in power agree to not punish the carriers for the contents of any delivered messages. Anything else will eventually be a disaster for the people in power, when they learn too late that the carriers have made "commercial" use of the contents of messages to/from powerful people.
This isn't a hypothetical scenario; it is exactly what led to the common-carrier laws in the past. Things like this court decision just shorten the time until such disasters occur. And it's all due to our mysterious inability to remember and apply historic precedent when there's a computer involved.
The blog's author has updated his analysis... (Score:4, Informative)
The original author of the blog in the story has revised his analysis thus:
"In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers. I missed this because the reasoning closely resembles the argument for saying that the Fourth Amendment doesn’t apply at all, and I didn’t read the earlier section closely enough. That’s obviously a much narrower position, and I apologize for misunderstanding it the first time in the quick skim I gave it. Sorry about that: The fault is entirely mine."
http://volokh.com/2009/10/29/opinion-on-fourth-amendment-and-e-mail/ [volokh.com]
Re:Not the same, in several aspects (Score:4, Informative)
Yes and the spy sats can see through your roof and read what you are typing on your comp00ter right now!
Seriously, get a grip, they aren't watching you. REALLY, they aren't. If Echelon were reading those, don't you think it would be exactly the thing to obsfucate if you've got something to hide? And thats done with SSL, not PGP.
If you're going to suggest something for encryption, PGP is entirely not it on any number of levels. There are several reasons why only geeks use it, first being its obnoxious to keep your key data up to date, even with the key servers. This is a prime example of why the 'OMG DECENTRALIZEDQ%!@%!@%' crap people go for is retarded. You decentralize it, then add back centralized servers so you can make it usable again, but not usable enough that everyone is on the same page.
S/MIME is far more useful in the general sense of email since there are 3rd party 'trusted' stores for validating certificates AND revoke them.
PGP users are too into the idea of a decentralized web of trust which is fine for geeks who have 4 friends and thats the end of it, for those of us who communicate with others outside of our basement it falls apart. It was a great first implementation of encryption for the masses, but we're past that now, will you geeks please get over it. Its not going to take over the world, the general public isn't going to bother, hell I'm a geek who writes encryption software and I don't deal with PGP.
This story is simply incorrect... (Score:1, Informative)
and the author (Orin Kerr) has apologised.
http://volokh.com/2009/10/29/opinion-on-fourth-amendment-and-e-mail/
The judge's opinion only concerned whether or not the fourth amendment required the owner of an email account to be served NOTICE of a search having taken place, not whether the actual search is covered by the fourth amendment.
Huge difference.
Please fix this someone?
Re:Not the same, in several aspects (Score:3, Informative)
Plus there's no expectation that FedEx would (or should) have access to the *contents* of your mail,
Seeing as I accidentally replied to the wrong post...
Yes, there is. When you get a shipping account from FedEx, you explicitly allow them to open and inspect any package at any time for any reason.
Re:Stop using FedEx (Score:3, Informative)
it is a criminal offence to listen in to private phone calls or record them without the permission of all parties involved.
Not necessarily. In "One Party" states, only 1 party(the recorder) in the conversation must have knowledge of the call being recorded. I've recorded a convo w/ a "2 Party" state business(o-line retailer) who's number was toll free and I was "unaware of their location at that time". Man she was super-pissed when I called out her lies. She threatened to press charges and created quite a stink! Management refunded my monies and then some. I doubt she works for there anymore.
States Requiring One Party Notification
Alabama, Alaska, Arizona, Arkansas, Colorado, District Of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Mississippi, Missouri, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Ohio, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, West Virginia, Wisconsin, Wyoming.
Re:PGP (Score:4, Informative)
What are they going to do, ignore a court order? The point is that they can give the court all of the customer's data but since it's all encrypted there's no harm.
I do remember something (probably on slashdot) about an easy web interface that let you send your password to the server for your data to be unencrypted over there for the session. They warned everyone "Don't use this because if we get a court order to keep logs on you, we'll log your password and hand it over to them."
Re:Stop using FedEx (Score:1, Informative)
When I worked at FedEx, police searched packages all the time. I don't believe they brought warrants in with them. The policy is that packages may be opened for inspection.
No one was arrested for the contents of the package, but one large bundle of cash was seized. They said the owner had only to show up and identify himself to recover it.
Other packages detected by dog were allowed to continue, and surveillance was set up based on that.
Re:PGP (Score:4, Informative)
This was because Hushmail was forced to either allow the Interpol (which has clout in Ireland and other places Hushmail has their servers) to read what the server decrypted via the Javascript client, or likely face shutdown for not cooperating.
There is absolutely nothing Hushmail's developers could have done once the judge in their area handed the search warrent papers. I still highly recommend using the service, not just for E-mail, but a decent place to store some documents offsite.
Re:Not the same, in several aspects (Score:4, Informative)
S/MIME is easiest to use within, or between, large organizations. Large companies can afford to give all their employees s/mime keys. S/MIME scales within an organization in a way that PGP does not. While individuals can get s/mime keys for free from a few places (NOT Thawte any longer), they're a pain to administer.
There's a reason everyone and their dog uses pgp keys, and not s/mime keys. e.g.
http://w2.eff.org/Misc/EFF/?f=pgpkey.eff.txt
http://www.kernel.org/signature.html
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
The trusted 3rd party broker and revoker offered by S/MIME is meaningless for most email communications, because Verisign and other CAs cannot cost-effectively vet individual email senders. PGP acknowledges this difficulty and offers an infrastructure for people to be as paranoid or as trusting as they want to be of others' keys.
Re:Not the same, in several aspects (Score:1, Informative)
You do. A search warrant and probable cause are required to get this content. However, the search warrant is for contents at Google, not at your residence. Therefore, you do not have a right to be notified when the search is conducted.
better read the EULA on those HIPPA forms (Score:1, Informative)
The judge's decision didn't actually turn on whether you "understand" that the contracted company's employees have access to the information but rather on the issue that you agreed in the EULA to allow Google to give your information to law enforcement under nebulously undefined circumstances.
The Fourth Amendment is sort of a specific instance of privacy. Before HIPPA you had no expectation of privacy except with respect to law enforcement where your Fourth Amendment privacy was protected (so-called "doctor-patient privilege"). Post-HIPPA you now do have an expectation of privacy except with respect to law enforcement where most of the EULAs you now sign explicitly tell you that your health care providers will disclose your medical details to law enforcement under nebulously defined circumstances ... as this judge has now recognized.
The problem is not with this judge, the problem is with the really bad terms that've been placed in non-negotiable EULAs. If this guy's lawyers were smart, the moment the prosecutor brought up the EULA as having waived Fourth Amendment rights the defense lawyers should have started arguing that email service EULAs (as a class) are an "unconscionable" contract (and should therefore be ruled unenforceable) precisely because they contain such a momentous waiver of your constitutional rights without due compensation and without any ability to negotiate the contract.
Re:Not the same, in several aspects (Score:4, Informative)
No, there are explicit laws protecting that information through targeted legislation. That's actually part of the argument on why the CAN access your e-mail this way (if it's on a cental 3rd party system).
But, in contrast, they CAN subpeona your medical records, phone records, and more.... They do that every day!!!! This only extends that to e-mail. The difference is, you have no expectation of guaranteed privacy of e-mail as you do with medical records as those are protected by such targeted legislation and regulation, so they can subpeona access to it, and they don't have to provide you protection notice under the 4th amendment (though it does have to pass a judge's scritiny for them to get that subpeona). In other words, It;s not that they could not already get your e-mail through a court order, this just gives them the abiltiy to do so without first having to issue your lawyer notice (you can still fight to have the contents kept from a court case, it;s not public record, you still have rights).