Forgot your password?
typodupeerror
Privacy The Courts Communications Government

An Inbox Is Not a Glove Compartment 316

Posted by Soulskill
from the until-gmail-unveils-support-for-glove-storage dept.
Frequent Slashdot contributor Bennett Haselton writes "A federal judge rules that government can obtain access to a person's inbox contents without any notification to the subscriber. The pros and cons of this are complicated, but the decision hinges on the assertion that ISP customers have lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.' Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' — but then what are the consequences for the rest of the argument?" Read on for the rest of Bennett's analysis.

Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)

Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?

Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."

It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:

"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."

This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")

But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)

This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.

Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:

1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."

This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.

2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.

3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)

As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?

This discussion has been archived. No new comments can be posted.

An Inbox Is Not a Glove Compartment

Comments Filter:
  • by fotoguzzi (230256) on Monday November 02, 2009 @10:24AM (#29950490)
    you insensitive clod!
  • by onionman (975962) on Monday November 02, 2009 @10:27AM (#29950522)

    This decision doesn't really change the common practice of law-enforcement agencies does it? Haven't we all already known that the government (and gmail/yahoo/hotmail/your boss etc.) is scanning our email pretty much whenever it wants to?

    • by rolfwind (528248) on Monday November 02, 2009 @10:41AM (#29950698)

      If this stupid decision goes through, it makes all unwarranted searches of email admissible in court. The government tortured in Guantanamo, since we all "know" that is happening, should we all go "Oh well" and then when a court legalizes it say "This decision only frmalizes what already happens, whoopey doo!"

      As an aside, when I give my car to service, the employees of the dealership/repairshop can conceivably search through my glovebox. I guess cars shouldn't need warrants. And when I have a plumber/electrician fix my house, he can snoop, so might as well strike houses from the list of things needing warrants.

      Its pretty evident I have no expectation of privacy on my email, that's why it has no password, and if it did, I give it to everyone, Mr. Idiot Judge.

      • by onionman (975962) on Monday November 02, 2009 @10:50AM (#29950826)

        Well, one of the benefits of formally recognizing what is occurring is that it allows the practice to be formally challenged without the issue of "state secrets" being relevant.

        As the old saying goes, "the problem with unwritten rules is that no one knows where to go to erase them." Here we have formal decision which puts one judge on record as agreeing with the common practice. This decision may now be appealed. The appeals process can allow the judicial branch to decide on the entire practice of warrantless wiretapping without any state secrecy issues being involved! That seems like a good thing to me.

        • by rolfwind (528248) on Monday November 02, 2009 @10:56AM (#29950926)

          Yes, but once erased, they'll keep on spying on email in secret, landing us back to step 1 and this will be the perpetual cycle. The best spot we can hope for is step 1, unfortunately, secret, court unsanctioned spying.

          As reported days ago, the biggest opponent to the three strikes rule in britain were the spooks, because they fear a rise in encryption use. That is what people should start using to defend themselves because the formal set of rules won't help here, but at least the court shouldn't ever sanction and admit it. Even if sucessfully challenged this time, there will come a time in the repeating cycle where it doesn't get erased, doesn't get overturned, and then we're stuck at the worst possible case.

          • Re: (Score:3, Insightful)

            by pugugly (152978)

            I'm okay with that - because sooner or later secret, court unsanctioned spying blows up in their face.

            So yeah, I want this decision overturned, so that when it blows up in their face there are consequences.

            Pug

        • Re: (Score:3, Interesting)

          by MetalPhalanx (1044938)

          "The problem with unwritten rules is that no one knows where to go to erase them."

          Wait a minute, laws are erased?

      • by nedlohs (1335013) on Monday November 02, 2009 @10:55AM (#29950888)

        No. They still need a warrant, it's just that the warrant is shown to the ISP who gives them the email and the actual owner is none the wiser. So it works like a phone tap instead of like a search and seizure in your home.

        Just run your own mail server and now the warrant needs to go to you, so you get notified. Doesn't stop them reading it of course...

        • Just run your own mail server and now the warrant needs to go to you, so you get notified.

          The ISP could still read most mails, as the data transitions via their network in order to reach your server.

      • No, that is not correct. These searches still need to have a warrant issued by a judge. The difference is that they don't need to show the warrant to you, they only need to show it to your ISP. This is a subtle difference but is very important. These searches are already possible with "Silent Warrants", i.e. for telephone wiretaps, where they do not need to tell you ahead of time. So there really isn't that much of a change of what is possible, just a clarification.
      • by MobyDisk (75490)

        , it makes all unwarranted searches of email admissible in court.

        The summary says merely that the person does not need to be notified. Not that a warrant is not required.

        ...without notifying you that a search warrant has been executed

        Big difference between not requiring a warrant, and not requiring notification.

    • Re: (Score:3, Informative)

      The government does have to notify Google/Yahoo/etc., it doesn't just scan all correspondence without warrant. What it does mean, is that it can read your e-mail by issuing a warrant to Google without ever notifying you. Google complies promptly with all warrants issued but is not in the habit of forwarding correspondence to the FBI just for fun.

      The key here is not to treat any information stored on remote servers as belonging to you. Anything on your computer is in your possession but the moment you send i

    • Re: (Score:3, Insightful)

      by Forge (2456)
      This is what comes from deliberately inventing definition for what is really just new technology to perform an old function for which there is well established law.

      In this particular case, Email is still mail. It just travels faster and as photons or electrons rather than as a collection of atoms.

      So all we had to do is transpose the rules which apply to snail mail over to email. I.e. A postman is not allowed to open and read your mail. He just has to pass it on to the destination address. That sam
  • Email is not private. The sooner you stop pretending it should be and do nothing, the more quickly the citizens of this country can have a legitimate conversation about this and other issues of national importance.

    Moral outrage in 3....2....1....

    • by Verdatum (1257828)
      ARRG!!!!
    • Re: (Score:3, Insightful)

      by King_TJ (85913)

      Umm... let me get this straight then? You believe it's an undeniable *fact* that email not only IS not private as it currently stands, but SHOULD not ever be considered private?

      I'd argue that in reality, the expectation of privacy for electronic mail by the general public is no different than the expectation of privacy they have for physical mail. Unfortunately, the implementation most often used today doesn't live up to the expectations people have. (People tend to think that because they can't check t

      • Re:The #1 Lesson (Score:4, Insightful)

        by Zerth (26112) on Monday November 02, 2009 @11:18AM (#29951200)

        The law is effectively saying "Everything's written on the equivalent of postcards that anyone can see as they handle it, anyway - so why should we grant it any legal privacy rights?")

        That's exactly why I don't care. When I send an unencrypted email, my mail server sees it, my router sees it, my ISP can see it, and 10 or 20 other servers between me and the destination mailerserver can probably see it too.

        If someone sends unencrypted mail, I don't feel in the least bit bad when it gets read. If you wouldn't send it on a postcard, you shouldn't email it unencrypted. If whomever you are sending it to can't deal with that, contact them by another method.

        • by whoever57 (658626)

          That's exactly why I don't care. When I send an unencrypted email, my mail server sees it, my router sees it, my ISP can see it, and 10 or 20 other servers between me and the destination mailerserver can probably see it too.

          Perhaps your mail goes unencrypted, but most of my email does not. My email leave my house and travels to my own mailserver in an encrypted form. From my mailserver, if going to gmail, the connection uses SMTP-TLS -- in other words, once again it is encrypted.

          An increasing number o

      • by mpapet (761907)

        Email is the equivalent of postcards.

    • This begs the questions:
        - is a letter private?
        - does this augment the legitimacy of encrypting your e-mail, even if you having nothing to hide?

  • by Iphtashu Fitz (263795) on Monday November 02, 2009 @10:30AM (#29950550)

    If the government wants access to my inbox they'll need to talk to me since I'm the admin of my mail server.

    • by Intron (870560)
      And are you also your own ISP or does your email pass through someone else's routers? Hope you don't mind them recording packets and saving every DNS lookup and every website you visit as part of the "ordinary course of doing business".
      • Re: (Score:3, Interesting)

        by Again (1351325)

        And are you also your own ISP or does your email pass through someone else's routers? Hope you don't mind them recording packets and saving every DNS lookup and every website you visit as part of the "ordinary course of doing business".

        Well you could always give them information overload. Make a bot in Ruby that is constantly going to random websites, sending random emails to random addresses and just constantly doing things online. Have the bot run all day and the information the ISP stores of you will become meaningless gibberish because the vast majority of it will be random from your bot.

        • Re: (Score:3, Insightful)

          Have the bot run all day and the information the ISP stores of you will become meaningless gibberish because the vast majority of it will be random from your bot.

          They'll just assume you're a 4chaner.

      • And are you also your own ISP or does your email pass through someone else's routers? Hope you don't mind them recording packets and saving every DNS lookup and every website you visit as part of the "ordinary course of doing business".

        Except that really - they don't. How many gigabytes of packets headers get routed through their servers every hour,.not to mention the actual payload size? There's no storage medium that exists that they wouldn't fill up too quickly - and as such medium evolves, our transfer needs increase.

        Running your own email server is sufficient protection. While it's reasonable to assume that they might log the web sites you visit (though if you're not using their proxy, much less likely), the content of what you u

        • by amorsen (7485)

          In Denmark all connections are logged (by first and last packet or by first packet + connection statistics). You can't necessarily find out exactly what someone is browsing for, but you can get pretty close.

          Email headers are logged if the email passes through ISP servers (which they all do, because of RBL's).

    • I am the admin my mail server. But my mail server is a virtual server in a datacenter. I lease that space, so presumably as far as notification goes, it is just as much mine as an apartment I may rent or a car I may lease.

      Will the judge see it this way?

      • Re: (Score:2, Interesting)

        Did you set up your mail server such that it can be viewed by people other than yourself?

        Mine's in colocation, rather than being a virtual server, but there's a ton that I've done to lock it down... there's volume encryption on the drive. There's a BIOS password to prevent the settings from being viewed/changed. CDROM and booting from USB are disabled, as are all of the unused SATA ports (the mobo doesn't have any PATA ports). And it's a standard *nix setup with a very secure root password.... it's a passph

    • by vlm (69642)

      If the government wants access to my inbox they'll need to talk to me since I'm the admin of my mail server.

      http://en.wikipedia.org/wiki/National_Security_Letter [wikipedia.org]

      Until recently, if you got an NSL to disclose information about one of your users, that user being yourself, it would have been illegal to disclose to yourself that the jackboots were requesting information about yourself.

    • by Grishnakh (216268)

      Unfortunately, there's some disadvantages to having your own mail server. First, you can't easily have webmail, which is important for many people. Email wouldn't be nearly as useful to me if I could only read it at home after I get home from work, and didn't have access to it from work at all. If you work at home, this might not be an issue for you.

      Even if you could implement webmail on your home mail server (I haven't checked, but maybe there's some open-source webmail programs out there), it won't be

      • http://www.microsoft.com/exchange/owa/ [microsoft.com]

        Outlook web access

        I run a SBS server at home.

      • by vlm (69642)

        First, you can't easily have webmail, which is important for many people.

        apt-get install squirrelmail.

        For me, running mutt via ssh is more accessible/important.

        • by Grishnakh (216268)

          At many companies, like the one I work at, you can't access anything on the internet via ssh. So this isn't a very useful solution.

          (Yeah it sucks, but jobs aren't exactly all that plentiful these days.)

    • Or you can delete it and no one can read it. A place I worked at had that requirement to reduce liabilities during lawsuits. If you own the mail server they can still see it when they give you the warrant. If you use a third party copy or print it off once you get then they have to talk to you to get it again. There are tonnes of ways to circumvent this issue if you feel the need to.
  • One flaw (Score:5, Insightful)

    by Todd Knarr (15451) on Monday November 02, 2009 @10:31AM (#29950558) Homepage

    One flaw in this argument: ISP employees do in fact have access to your e-mail. Hopefully it's only a small number, sysadmins and others with root access, and ISPs usually promise not to use that access except in limited ways without the customer's permission, but that doesn't change whether they have access or not. And the courts are concerned with whether the ISP has access, not whether or not he's promised to use it.

    A good analogy would be ordinary bank records vs. the contents of a safe-deposit box. The first the bank has access to, and the customer has limited expectation of privacy regarding them. The second the bank does not have access to, their key physically can't open the box alone, and the customer has a higher expectation of privacy about the contents. If you want an expectation of privacy in your e-mail, you need to insure that your ISP literally cannot access it's contents. A promise from them that they won't isn't sufficient if they can.

    • Yes, there are some employees who have access to the e-mails, but they are not exposed on a regular basis to the content of those e-mails, unless they're excessively abusing the power they've been trusted with.

    • Re:One flaw (Score:5, Informative)

      by rolfwind (528248) on Monday November 02, 2009 @11:12AM (#29951114)

      A good analogy would be ordinary bank records vs. the contents of a safe-deposit box. The first the bank has access to, and the customer has limited expectation of privacy regarding them. The second the bank does not have access to, their key physically can't open the box alone, and the customer has a higher expectation of privacy about the contents.

      Up until the 1970s, you're bankrecords were, in fact, confidential and the customer had as much expectation to privacy there as with his health records entrusted to his doctor.

      Then this was assaulted by the "Right to Financial Privacy Act" in 1978, which "let federal agents write their own search warrants, but limited the subjects of those warrants to financial institutions."
      http://www.lewrockwell.com/orig6/napolitano2.html [lewrockwell.com] (I don't respect Lew Rockwell so much, but Judge Napolitano seems to know what he is talking about, and this was in a speech of his as well here: http://www.youtube.com/watch?v=t8QwTKKSvR8 [youtube.com])

      I heard various things about Government unwarranted snooping and seizure on safety deposit boxes, but I can't find a credible link about that at the moment.

    • Re:One flaw (Score:5, Insightful)

      by nine-times (778537) <nine.times@gmail.com> on Monday November 02, 2009 @11:20AM (#29951246) Homepage

      My landlord has keys to my apartment. Does that mean I have no expectation of privacy in my own apartment, just because a third party theoretically has access to it? Even if I haven't given permission for my landlord to enter my apartment?

      • by Noexit (107629)

        What about looking at logfiles? If your landlord is doing repairs on your home he can see who's going in and out and what they're carrying. Same thing with looking through the email logs as a normal course of business isn't it?

        And of course, your landlord can enter your apartment with your keys if he has sufficient reason to believe you're knocking holes in the wall or causing some other damage.

        • Yes, there are times when it is legal for the landlord to enter your apartment, but that's my whole point. For as much access as your landlord has, I don't believe it allows police to search your apartment without a warrant.

          Now IANAL and I'm sure there are lots of complications an intricacies involved. Are there cases where a landlord can give police access to your apartment? I bet there are. Can a landlord put cameras in public areas of the building that record my coming to and going from the apartmen

      • by tlhIngan (30335)

        My landlord has keys to my apartment. Does that mean I have no expectation of privacy in my own apartment, just because a third party theoretically has access to it? Even if I haven't given permission for my landlord to enter my apartment?

        Yes, outside of what the law and your agreement provide. You'll probably find that your landlord can enter your apartment (and depending on the legals, may have to provide some notice - 24 hours is common, but maybe not) to inspect. Near the end your agreement, your landlo

    • by mariushm (1022195)

      Yeah, people at the post office and customs can also open your packages on suspicion they contain drugs or other illegal materials and they could in theory read the letter but that doesn't mean they read the text of the letter.
      The same way people at the ISP could read the mail but that doesn't mean they do.

    • Re: (Score:3, Interesting)

      by demachina (71715)

      The big problem here is that chances are the NSA is directly tapping all the backbone fiber in the Internet already, and they are building giant new data centers in Utah and Texas to store Yettabytes of data which is 1,000,000,000,000,000GB. Chances are the NSA is already and will certainly be in the future recording every email, IM, URL GET and POST and phone call flowing through every fiber they manage to tap and they will probably tap them all in this country, in all their allied countries like the UK

    • by http (589131)

      If you want an expectation of privacy in your e-mail, you need to insure that your ISP literally cannot access it's contents. A promise from them that they won't isn't sufficient if they can.

      You need to look up the word 'expectation'. Yes, the courts are concerned with capability, not ordinary course. That's part of the problem, and makes me very glad I'm not in the USA.
      You seem to share this misunderstanding with the judge.* Yes, I have 'access' to some email accounts, but if I looked at them withou

    • by dgatwood (11270)

      Actually, that's not true. The bank does have access to your safe deposit box even without you present. Surely you don't think that they continue to keep your stuff in that box if you fail to pay the rent. How, then, if they don't have access to the box, do they do so? :-)

      So the question is whether notification of the owner is required for a safe deposit box search. I think that the answer is probably "no", in which case it's not that shocking for email to be treated in the same way---not that this trea

  • I'm just happy to see them actually realizing that it should require a warrant.
  • "Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' "

    I disagree. When something starts filling /var/spool/mqueue it's common that customer e-mail get read.

    • by Dr. Evil (3501)

      If I'm reading somebody's email, all I take away from it is.... spam, spam, spam, real email, spam, porn, script-gone-bonkers, script-gone-bonkers, real email.

      I don't actually read the contents. Maybe the sender-recipient pairs, but I won't talk about what I see.

      • by taskiss (94652)

        I do the same, but consider that reading the e-mail. I think a court would too, if it came to that.

    • by Akatosh (80189)

      Also any message that double bounces to postmaster, gets marked as spam (by a human), or breaks webmail, outlook, or a mail server in any way. All of those get investigated. Delivery problems get forwarded with full content attached by customers to isp staff. Customers ask isp staff to rumage through their mail and delete large messages. As a sysadmin I see way more personal email than I ever wanted to (sexting and cams that use email == pine4life).

  • the hinge of the matter is that customer service/tech support *has* to when troubleshooting certain issues. I've worked for several ISPs and it's generally the same procedure. Verify but don't DO anything or leak anything out. Customers SHOULD have a feeling of privacy from other users but not ISP staff. Their email is sitting on OUR servers. Don't like it? Do it yourself. Or don't use email. Which is a better option. Email sucks.

  • Sure they do. (Score:4, Insightful)

    by mindstrm (20013) on Monday November 02, 2009 @10:33AM (#29950608)

    "But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails.""

    It might be a bit far reaching... but come on, system administrators have had access routinely to people's mailbox contents since forever (on most mail systems). Not that we go around snooping on your mail, but we can and do have access to it, if it's plaintext, at any time. If you are sending emails through any provider without encryption and assuming that some staff at that provider are not technically capable of reading and copying your emails, you are delusional.

    This is not like snail-mail, where although you know the postman could open your mail, you also know he'd go to prison for it.

    • That email is inherently insecure. Email is normally plain text, unless you use some form of email encryption or third party secure document service, you should automatically assume anything you put in an email could potentially be known to anyone and everyone. This is a big reason underground channels use encrypted, unlisted IRC channels as a form of comm(among other methods). This does not make the 4th Amendment issues any less, but if you have something worth looking into, be smarter about what you put i

  • By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice.

    This is incorrect - you had a choice to host your own email server (doesn't cost a great deal) on which you could encrypt your data stores. You chose not to and went with a commercial email provider for... cost reasons? If you're not prepared to spend real money protecting/securing your documents and feel it's only worth $FREE$ then you are conveying, pr

    • by timeOday (582209)
      I do run my own mail server and I do appreciate being able to exchange very private email with my wife without anybody being able to snoop. But I will be the first to make two points: 1) running your own mail server is NOT for everybody; you have to run a computer 24/7, you have to tweak the config files from time to time, you have to fight SPAM on your own, you need a domain name - all of this is totally unreasonable for most users, and 2) the extra protection you gain is ONLY for mail sent from users you
  • by wiredog (43288) on Monday November 02, 2009 @10:39AM (#29950680) Journal

    As James Fallows asks in The Atlantic Are we naked in the cloud? [theatlantic.com]

    But the reader's point is less about the ins and outs of this ruling than about the broader legal/privacy implications of storing information "in the cloud." When you're working in Google Docs, as opposed to using a spreadsheet or document that lives on your computer, have you essentially surrendered custody and control of that information? What if you rely on online "cloud" systems -- Carbonite, SugarSync -- to back up or sync your files? Have you given up custody of those files too?

    The answer he supplies is "yes" you have given up custody.

    • "An Inbox Is Not a Glove Compartment"

      Yes, Mr. Stevens, we get that the Internet isn't a big truck.

    • Re: (Score:3, Insightful)

      by cawpin (875453)
      The entire basis for this case is illegitimate. They are saying, since email is handled by a third party, the actual owner doesn't need to be notified. This would widely apply to damned near everything we do nowadays. My money is under the control of a third party, my bank. Does this mean they can get my bank records without notifying me? Does it mean they can search my house without notifying me? After all, I don't actually own it yet, the bank does.
      • Does this mean they can get my bank records without notifying me?

        Yes.

        Does it mean they can search my house without notifying me? After all, I don't actually own it yet, the bank does.

        Wrong, you do own your house. The bank simply has the legal option to seize it if you failure to pay on the loan, it is the secured collateral - how can it be collateral if you don't own it?

      • by Artifakt (700173)

        You're about the third post in this thread to mention homes, and the answers in your case are:
        1. Yes, and it's actually done quite frequently.
        2. Technically yes, although it's been done mostly in some limited cases under laws such as RICO, and 20 states have some protections for some other possible abuses.

        Without sweeping legal reforms, the same bullshit that lets them make this call on e-mail has already let them get your financial information - they just use the same argument that ba

    • Well, not necessarily. A good backup client (I don't know about Carbonite or Sugarsync) should encrypt, with industry-standard algorithms, on the client side before sending it to the server.

      In this case, you retain your data.

    • If you're putting enterprise-critical data in the cloud without encrypting it first, you are a fool.
  • by daid303 (843777) on Monday November 02, 2009 @10:43AM (#29950720)

    Because I use hotmail...

  • > ...the decision hinges on the assertion that ISP customers have lowered
    > privacy interests in e-mail because they 'expose to the ISP's employees in
    > the ordinary course of business the contents of their e-mails.' Fortunately
    > for everybody, this is not true...

    Yes it is. The fact that the employees might be fired for reading the mail does not alter the fact that they have the opportunity to do so. Unencrypted email is no more private than a postcard.

    • by c0d3g33k (102699)
      You're missing the subtle point that opportunity can be trumped by allowable policy. If the standards are that no emails are examined without just cause and only by explicitly authorized personnel, then some level of 'customary' privacy exists, even if one shouldn't expect that the email could never be viewed. By your reasoning nobody should expect not to be clubbed to death while walking down the street because any passerby has the opportunity to do so, since the potential victim isn't wearing armor. Ye
      • by nomadic (141991)
        You're missing the subtle point that opportunity can be trumped by allowable policy.

        No, you're missing the point; the question isn't whether a sysadmin at the ISP can read the e-mail, it's whether the ISP itself has access to the e-mail. The subpoena is being served on the organization; the organization sets its own rules regarding access. It can't tell the court "oh, I can't give you that because the internal rules we arbitrarily made don't allow us."
  • by No Grand Plan (975972) on Monday November 02, 2009 @10:49AM (#29950796)
    ... because pretty soon we're not going to have any rights online.
  • Caveat Lector (Score:5, Insightful)

    by Grond (15515) on Monday November 02, 2009 @10:51AM (#29950832) Homepage

    From the essay: "Now, most of us don't have the expertise to comment on the legal technicalities"

    Mr. Haselton is, as far as I can determine, not an attorney and has no formal legal education. So bear in mind that the above statement applies to the author of this essay as well.

    You know how Slashdot contributors often bemoan poor science journalism written by reporters who obviously don't understand the subject matter? The same danger exists when people like Mr. Haselton, who is a freelance programmer, try to analyze and report on legal issues.

    Again, from the essay: "But in the game of analogies, we're all experts, insofar as we're qualified to comment on...whether our "expectations of privacy" in the two areas are similar."

    The expectation of privacy is a legal term of art. It does not simply refer to the individual's subjective feeling about whether he or she, personally, expects that a given communication, act, etc will or should be private. So, no, we are not all necessarily qualified to comment on the similarity of the expectation of privacy in two areas because there is a second, objective component of the expectation of privacy. The objective component is highly context-dependent, and its contours have been defined over the years by numerous court cases, none of which Mr. Haselton has cited, distinguished, or applied here.

    And this is the glaring issue with Mr. Haselton's essay: he has analyzed the opinion in a vacuum. He does not cite or apply any supporting precedent or statutes, nor does he distinguish the facts of the case from the precedents that the judge cited. This kind of reasoning is not legal reasoning, and it can easily lead to all kinds of errors.

    Note that I have, apart from the meaning of 'expectation of privacy,' refrained from critiquing the substance of Mr. Haselton's argument. It is possible that his argument could well win the day in an appeal; on the other hand, perhaps it is hogwash. I merely want the readers here not to be mislead into thinking that this is a rigorous legal argument or that Mr. Haselton is some kind of expert on the subject matter. Indeed, his lack of citations or argument from precedent would probably get him laughed out of court.

    • Re: (Score:3, Interesting)

      by nomadic (141991)
      Yet he seems to have become slashdot's resident legal columnist. I don't think I've read anything of his that hasn't irritated the hell out of me.
      • Re: (Score:3, Informative)

        by TheRaven64 (641858)

        I don't think I've read anything of his that hasn't irritated the hell out of me

        That's okay, I don't think I've read anything of his...

        You do know that we're not meant to click on the links in the summary, right?

    • by Belial6 (794905)

      Amendment IV The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      One does not need to be a lawyer to understand what this means. It is absolutely clear that email DOES apply to this. The constitution is not a complicated document, and it is not designed to require a modern law degree to understand.

      • > One does not need to be a lawyer to understand what this means. It is absolutely clear that email DOES apply to this.

        I think e-mails clearly qualify as "papers" in the context of the amendment; unfortunately, the constitution is not clear on what happens when your "papers" are being handled or stored by a third party, or when the courts have declared that your "papers" actually belong to that third party.

    • lack of citations or argument from precedent would probably get him laughed out of court

      Since ignoring precedent is itself precedent, it's more appropriate to laugh while going into court.

    • by Kjella (173770)

      I think most cases get simpler if we forget the Internet. If I put some stuff in a bank vault and the police would like to take a look at it, must they serve me or just the bank? I might be wierd, but I actually thought the bank. Yes, the warrant must name me and the scope of the search is naturally limited to my box and not the entire vault, but I didn't think it was necessary to actually serve the suspect with the warrant. My impression was that with a warrant they could just serve it to whoever opened th

  • Wrap that thing in an envelope for Cripe's Sake!

  • - e-mail is like snail mail: it transits through others to get to me. i DO have an expectation that my mail, and my email, is private
    - I park my car on someone else's property daily. This does NOT mean I'm giving my car away, or I don't care what happens to it.
    - In any case, blanket invasion of privacy without even having to go though a judge for each specific instance, or at least each specific individual for a certain time period, is unacceptable. I don't trust judges much more than politicians, but just

  • After indexing it for search and ad-serving purposes, it should then be encrypted on their disks.
    This would circumvent the judge's argument.

    If this sort of encryption is not done, all people and businesses that use software as a service to
    for example write and store their intended-private documents are in legal jeopardy.

    • by RevWaldo (1186281) *
      In terms of using paid-for email with an ISP, could an ISP encrypt a user's server content to the point that they for all practical purposes couldn't decrypt it even if they wanted to, or even if the Feds showed up, search warrants and shotguns in hand?

      Right off the top I can see the fallacy being that e-mail sent from/to the user to/from the outside world has to leave/enter the ISP in a decrypted form, and thus they could be force to sniff for messages from/to the user.
    • by AusIV (950840)
      You'd lose a lot of functionality that way. The only way Gmail could encrypt e-mails in such a way they couldn't produce them later would be to use asymmetric encryption, and only the recipient has the decryption key. That means you'd have to make sure you never lost your key, and you'd have to put it on every computer you wanted to check e-mail from. You'd lose the major benefits of having a web-mail client. You wouldn't be able to search the e-mail, unless Gmail indexed it before encrypting it, in which c
  • Even if the contents of your inbox were revealed during the ordinary course of business, that doesn't mean they aren't private. During the ordinary course of business at the hospital I work in, people's medical information is "revealed" (to staff that have valid need of it). This doesn't mean that those staff members go into the local McDonald's and whisper to their friends: "You see Jim Smith there ordering the Egg McMuffin with extra sausage and bacon? He had a heart attack and a triple bypass just six

  • Thankfully, I run my own mail server *and* I keep it in the glove compartment of my car...
  • Yet another bad ruling that demonstrates that an average judge doesn't have enough technical knowledge to make a good ruling. They all make the same mistake: because they don't understand the tech, they try to force physical-world paradigms already familiar to them onto the digital world, regardless of the fact that its a terrible fit and causes massively incorrect conclusions to be made.

    We can't continue to leave these vitally important infrastructure decisions to have-a-go judges. The damage already cause

    • by cdrguru (88047)

      It isn't just the judge. Complex court cases often involve tens of people in associated areas, including law schools. If it is not possible to take the technical aspects out of a case so that people not trained in the technology can understand it, you are setting up for some sort of "high court of tech" that is excluded from review.

      What is being attempted is to remove the technology from the issues of law so that everyone can review matters. This is the same thing that happens with medical malpractice -

    • by nomadic (141991)
      Yet another bad ruling that demonstrates that an average judge doesn't have enough technical knowledge to make a good ruling. They all make the same mistake: because they don't understand the tech, they try to force physical-world paradigms already familiar to them onto the digital world, regardless of the fact that its a terrible fit and causes massively incorrect conclusions to be made.

      Have you read the ruling? Which specific part do you disagree with?
  • I understand Google is an American company. This is American legislation. I can't take anything from the article which would tell me anything about the access to non-US citizen email. Anyone dare to speculate? I'd say "We're reading everything ..."
    • by nomadic (141991)
      I understand Google is an American company. This is American legislation. I can't take anything from the article which would tell me anything about the access to non-US citizen email. Anyone dare to speculate? I'd say "We're reading everything ..."

      If it's in the US, in a jurisdiction that decides to follow this judge's reasoning, then sure. The citizenship of the mail isn't the point, it's who's storing it.
  • I run my own IMAP server in my own basement. I can go and touch the machine that the mail is actually stored on.

    Does this ruling have any implications for me? It looks to me like it doesn't.

  • It's not an inbox problem. It's a GMail long-term storage problem. It was settled in United States v. Councilman [wikipedia.org] that the Electronic Communications Privacy Act applied to messages in "temporary storage". This decision [volokh.com]

    Also, this was a search with a court-issued search warrant. The question being litigated is whether the service provider has to tell the customer about the warrant.

  • Public Storage (Score:3, Insightful)

    by DeanFox (729620) * <spam,myname&gmail,com> on Monday November 02, 2009 @01:38PM (#29952966)

    So I rent space at a Public Storage facility that only I have the key to for $xx a month. In this 20'x20' storage facility, locker, room, whatever you want to call it are my personal belongings including boxes and boxes of personal financial statements, letters, etc. no different than if I had them at home in the attic had I the space.

    Because I have my belongings stored with a "third party" they do not need a search warrant to search my off site storage facility? I thought they did. If they do, how is this different than me storing bits and bites in a storage facility owned by a third party? Because they're bits and bytes rather than phyiscal boxes of documents?

    How is this different than my apartment? The storage facility labeled APT 2B in building six is owned by a third party. So the apartment where I live can be searched without a warrant? You know... My home is not paid for. Technically it's still owned by the bank, a third party...

    As far as solving all this computer usage eavesdropping and abuse when (in the $@#%@#) are we as programmers going to make encryption ubiquitous. Nothing is on a drive, sent via whatever protocol in the TCP/IP stack, email, P2P that isn't encrypted. Upon OS installation, like the user password we ask for an user/OS passphrase or whatever it takes that nothing and I mean nothing is available in cleartext on the server, in the cloud or traveling over a wire? When? The ASCII standard is what should be made illegal. This is one problem we CAN solve.

    JMHO
    -[d]-
  • by Polo (30659) * on Monday November 02, 2009 @02:11PM (#29953406) Homepage

    Does this mean the IRS will find out about the MILLIONS of dollars people in Nigeria have for me??

    My taxes will go through the roof!!

If money can't buy happiness, I guess you'll just have to rent it.

Working...