An Inbox Is Not a Glove Compartment 316
Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)
Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?
Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."
It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:
"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."
This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")
But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)
This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.
Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:
1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."
This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.
2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.
3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)
As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?
Decision Formalizes What Already Happens (Score:4, Insightful)
This decision doesn't really change the common practice of law-enforcement agencies does it? Haven't we all already known that the government (and gmail/yahoo/hotmail/your boss etc.) is scanning our email pretty much whenever it wants to?
One flaw (Score:5, Insightful)
One flaw in this argument: ISP employees do in fact have access to your e-mail. Hopefully it's only a small number, sysadmins and others with root access, and ISPs usually promise not to use that access except in limited ways without the customer's permission, but that doesn't change whether they have access or not. And the courts are concerned with whether the ISP has access, not whether or not he's promised to use it.
A good analogy would be ordinary bank records vs. the contents of a safe-deposit box. The first the bank has access to, and the customer has limited expectation of privacy regarding them. The second the bank does not have access to, their key physically can't open the box alone, and the customer has a higher expectation of privacy about the contents. If you want an expectation of privacy in your e-mail, you need to insure that your ISP literally cannot access it's contents. A promise from them that they won't isn't sufficient if they can.
US Mail is handle by a Third Party too (Score:1, Insightful)
So how is it any different if I give an envelope to a USPS employee? It's no longer under my control, but I expect it to be private. Also the USPS has been know to open a package or two, so does that now mean all mail is no longer private? Like email, I have no choice but to let someone else handle my mail, IF I want it to be delivered.
Well there's really only one solution to all this government stupidity, Encrypt Every Thing Every Time.
Now if we could just make it pretty hassle free, so everyone would encrypt every thing every time, without having to think about it.
Sure they do. (Score:4, Insightful)
"But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails.""
It might be a bit far reaching... but come on, system administrators have had access routinely to people's mailbox contents since forever (on most mail systems). Not that we go around snooping on your mail, but we can and do have access to it, if it's plaintext, at any time. If you are sending emails through any provider without encryption and assuming that some staff at that provider are not technically capable of reading and copying your emails, you are delusional.
This is not like snail-mail, where although you know the postman could open your mail, you also know he'd go to prison for it.
Media Mail (Score:5, Insightful)
So how is it any different if I give an envelope to a USPS employee? It's no longer under my control, but I expect it to be private.
I'm not sure about other types of mail, but media mail can be searched at any time, by any postal employee. The sign at my post office states this to be a fact, but I can't find the specifics on their website to give a link here.
Re:Decision Formalizes What Already Happens (Score:5, Insightful)
If this stupid decision goes through, it makes all unwarranted searches of email admissible in court. The government tortured in Guantanamo, since we all "know" that is happening, should we all go "Oh well" and then when a court legalizes it say "This decision only frmalizes what already happens, whoopey doo!"
As an aside, when I give my car to service, the employees of the dealership/repairshop can conceivably search through my glovebox. I guess cars shouldn't need warrants. And when I have a plumber/electrician fix my house, he can snoop, so might as well strike houses from the list of things needing warrants.
Its pretty evident I have no expectation of privacy on my email, that's why it has no password, and if it did, I give it to everyone, Mr. Idiot Judge.
First they came for your emails . . . (Score:1, Insightful)
"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."
What if we changed the third-party statements to the following:
"[T]he defendants voluntarily conveyed to the healthcare provider and exposed to the healthcare provider's employees in the ordinary course of business the contents of their medical records."
"[T]he defendants voluntarily conveyed to the financial institution and exposed to the financial institution's employees in the ordinary course of business the contents of their finances."
"[T]he defendants voluntarily conveyed to the landlord and exposed to the landlord's employees in the ordinary course of business the contents of their apartments."
/. may need to change the category name... (Score:5, Insightful)
Re:Decision Formalizes What Already Happens (Score:5, Insightful)
Well, one of the benefits of formally recognizing what is occurring is that it allows the practice to be formally challenged without the issue of "state secrets" being relevant.
As the old saying goes, "the problem with unwritten rules is that no one knows where to go to erase them." Here we have formal decision which puts one judge on record as agreeing with the common practice. This decision may now be appealed. The appeals process can allow the judicial branch to decide on the entire practice of warrantless wiretapping without any state secrecy issues being involved! That seems like a good thing to me.
Caveat Lector (Score:5, Insightful)
From the essay: "Now, most of us don't have the expertise to comment on the legal technicalities"
Mr. Haselton is, as far as I can determine, not an attorney and has no formal legal education. So bear in mind that the above statement applies to the author of this essay as well.
You know how Slashdot contributors often bemoan poor science journalism written by reporters who obviously don't understand the subject matter? The same danger exists when people like Mr. Haselton, who is a freelance programmer, try to analyze and report on legal issues.
Again, from the essay: "But in the game of analogies, we're all experts, insofar as we're qualified to comment on...whether our "expectations of privacy" in the two areas are similar."
The expectation of privacy is a legal term of art. It does not simply refer to the individual's subjective feeling about whether he or she, personally, expects that a given communication, act, etc will or should be private. So, no, we are not all necessarily qualified to comment on the similarity of the expectation of privacy in two areas because there is a second, objective component of the expectation of privacy. The objective component is highly context-dependent, and its contours have been defined over the years by numerous court cases, none of which Mr. Haselton has cited, distinguished, or applied here.
And this is the glaring issue with Mr. Haselton's essay: he has analyzed the opinion in a vacuum. He does not cite or apply any supporting precedent or statutes, nor does he distinguish the facts of the case from the precedents that the judge cited. This kind of reasoning is not legal reasoning, and it can easily lead to all kinds of errors.
Note that I have, apart from the meaning of 'expectation of privacy,' refrained from critiquing the substance of Mr. Haselton's argument. It is possible that his argument could well win the day in an appeal; on the other hand, perhaps it is hogwash. I merely want the readers here not to be mislead into thinking that this is a rigorous legal argument or that Mr. Haselton is some kind of expert on the subject matter. Indeed, his lack of citations or argument from precedent would probably get him laughed out of court.
Re:Decision Formalizes What Already Happens (Score:4, Insightful)
Yes, but once erased, they'll keep on spying on email in secret, landing us back to step 1 and this will be the perpetual cycle. The best spot we can hope for is step 1, unfortunately, secret, court unsanctioned spying.
As reported days ago, the biggest opponent to the three strikes rule in britain were the spooks, because they fear a rise in encryption use. That is what people should start using to defend themselves because the formal set of rules won't help here, but at least the court shouldn't ever sanction and admit it. Even if sucessfully challenged this time, there will come a time in the repeating cycle where it doesn't get erased, doesn't get overturned, and then we're stuck at the worst possible case.
Re:The #1 Lesson (Score:3, Insightful)
Umm... let me get this straight then? You believe it's an undeniable *fact* that email not only IS not private as it currently stands, but SHOULD not ever be considered private?
I'd argue that in reality, the expectation of privacy for electronic mail by the general public is no different than the expectation of privacy they have for physical mail. Unfortunately, the implementation most often used today doesn't live up to the expectations people have. (People tend to think that because they can't check their mail without the proper login and password, that means the mail is "secure". They're used to thinking that passwords = security when it comes to computers.)
With the right software and proper configuration, it's possible to encrypt all outgoing email automatically, and ensure it really is private. IMHO, it's too bad the systems administrators didn't foresee the need for this when paid customers (usually using dial-up modems with a local ISP) started signing up and trying this stuff out for the first time. (Perhaps the truth is, many of them rather *liked* the idea that if they so desired, they'd be able to snoop into the emails of any of their users, as desired?)
Now, we're reaching a point where the courts are playing "catch up" with the technology, and they're starting to make legal rulings on this stuff. If it's codified into law that it's ILLEGAL to ensure emails have true privacy, that'd be a shame and a big loss for the userbase as a whole.
I know companies like to claim that because they own the servers and the Internet connections the corporate emails travel over and get stored on, they own the "rights" to all of the employee emails as well. But to me, that's rather like an owner of an apartment complex claiming he/she can legally go through any of the tenants' physical mailboxes at will, because he/she owns the panel of mailboxes in the wall that it all gets put in! (Even in my apartment scenario though, the landlord could possibly get away with opening people's individual mailboxes, if all he/she was doing was counting the number of envelopes a tenant received each day, or was just reading the postcards before putting them back. The fact that most mail is inside an envelope that can't be opened without leaving behind evidence it was opened/tampered with adds another layer of security for the tenant. That's where our current email infrastructure is lacking. The law is effectively saying "Everything's written on the equivalent of postcards that anyone can see as they handle it, anyway - so why should we grant it any legal privacy rights?")
Re: No flaw (Score:1, Insightful)
"One flaw in this argument: ISP employees do in fact have access to your e-mail."
In the same way that a landlord has access to the rented homes (has keys): it does not mean you have any less right to privacy in your (rented) home.
Re:Decision Formalizes What Already Happens (Score:3, Insightful)
In this particular case, Email is still mail. It just travels faster and as photons or electrons rather than as a collection of atoms.
So all we had to do is transpose the rules which apply to snail mail over to email. I.e. A postman is not allowed to open and read your mail. He just has to pass it on to the destination address. That same principle applies to private mail providers (FedEx, DHL etc...).
That is what should have been done. What has actually been done is quite different. The authorities routinely go throgh email in circumstances where they would not have been allowed to go throgh snail mail. They "ask" (read order) ISPs to do things that they dare not ask of FedEx.
Re:The #1 Lesson (Score:4, Insightful)
That's exactly why I don't care. When I send an unencrypted email, my mail server sees it, my router sees it, my ISP can see it, and 10 or 20 other servers between me and the destination mailerserver can probably see it too.
If someone sends unencrypted mail, I don't feel in the least bit bad when it gets read. If you wouldn't send it on a postcard, you shouldn't email it unencrypted. If whomever you are sending it to can't deal with that, contact them by another method.
Re:One flaw (Score:5, Insightful)
My landlord has keys to my apartment. Does that mean I have no expectation of privacy in my own apartment, just because a third party theoretically has access to it? Even if I haven't given permission for my landlord to enter my apartment?
Re:Not Just E-Mail. Anything in the "cloud" (Score:3, Insightful)
Re:Makes me glad I run my own mail server (Score:3, Insightful)
Have the bot run all day and the information the ISP stores of you will become meaningless gibberish because the vast majority of it will be random from your bot.
They'll just assume you're a 4chaner.
Public Storage (Score:3, Insightful)
So I rent space at a Public Storage facility that only I have the key to for $xx a month. In this 20'x20' storage facility, locker, room, whatever you want to call it are my personal belongings including boxes and boxes of personal financial statements, letters, etc. no different than if I had them at home in the attic had I the space.
Because I have my belongings stored with a "third party" they do not need a search warrant to search my off site storage facility? I thought they did. If they do, how is this different than me storing bits and bites in a storage facility owned by a third party? Because they're bits and bytes rather than phyiscal boxes of documents?
How is this different than my apartment? The storage facility labeled APT 2B in building six is owned by a third party. So the apartment where I live can be searched without a warrant? You know... My home is not paid for. Technically it's still owned by the bank, a third party...
As far as solving all this computer usage eavesdropping and abuse when (in the $@#%@#) are we as programmers going to make encryption ubiquitous. Nothing is on a drive, sent via whatever protocol in the TCP/IP stack, email, P2P that isn't encrypted. Upon OS installation, like the user password we ask for an user/OS passphrase or whatever it takes that nothing and I mean nothing is available in cleartext on the server, in the cloud or traveling over a wire? When? The ASCII standard is what should be made illegal. This is one problem we CAN solve.
JMHO
-[d]-
Re:Decision Formalizes What Already Happens (Score:3, Insightful)
I'm okay with that - because sooner or later secret, court unsanctioned spying blows up in their face.
So yeah, I want this decision overturned, so that when it blows up in their face there are consequences.
Pug