An Inbox Is Not a Glove Compartment 316
Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)
Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?
Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."
It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:
"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."
This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")
But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)
This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.
Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:
1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."
This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.
2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.
3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)
As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?
The mail to email analogy is almost perfect (Score:1, Interesting)
The mail to email analogy is almost perfect, which now frightens me. What does this judge know about the US Postal system that he isn't saying?
Makes me glad I run my own mail server (Score:4, Interesting)
If the government wants access to my inbox they'll need to talk to me since I'm the admin of my mail server.
Not Just E-Mail. Anything in the "cloud" (Score:4, Interesting)
As James Fallows asks in The Atlantic Are we naked in the cloud? [theatlantic.com]
The answer he supplies is "yes" you have given up custody.
Re:Caveat Lector (Score:3, Interesting)
Re:Decision Formalizes What Already Happens (Score:3, Interesting)
"The problem with unwritten rules is that no one knows where to go to erase them."
Wait a minute, laws are erased?
Re:Makes me glad I run my own mail server (Score:3, Interesting)
And are you also your own ISP or does your email pass through someone else's routers? Hope you don't mind them recording packets and saving every DNS lookup and every website you visit as part of the "ordinary course of doing business".
Well you could always give them information overload. Make a bot in Ruby that is constantly going to random websites, sending random emails to random addresses and just constantly doing things online. Have the bot run all day and the information the ISP stores of you will become meaningless gibberish because the vast majority of it will be random from your bot.
Re:One flaw (Score:3, Interesting)
The big problem here is that chances are the NSA is directly tapping all the backbone fiber in the Internet already, and they are building giant new data centers in Utah and Texas to store Yettabytes of data which is 1,000,000,000,000,000GB. Chances are the NSA is already and will certainly be in the future recording every email, IM, URL GET and POST and phone call flowing through every fiber they manage to tap and they will probably tap them all in this country, in all their allied countries like the UK and Australia, all the ones crossing the oceans, and of course have listened to all the RF bouncing around the planet for decades. They started tapping Soviet undersea copper cables decades ago using submarines so if somehow a telecomm wont let them tap their cables they will probably just do it anyway.
As nearly as I can tell Joe Nacchio, the CEO of Qwest, is the only exec that said no when the Bush administration told the telecoms to let the NSA taps their backbones. They responded with a dubious insider stock trading case against him and threw him in Federal prison to show what happens to people who don't "cooperate". The beauty of American law is just about everyone has cheated on their taxes, traded on an insider stock tip, used illegal drugs, or done something else the government can use against you to force compliance and obedience.
Once they have total surveillance I kind of doubt the government will even need to go to an ISP or a warrant to get access to your inbox. Its really messy for them to have to go to an ISP because telling the sysadmin who the target is risks compromising the "investigation". It is much cleaner and simpler for them to just record EVERYTHING at the backbone so they can data mine it at will, and can hop in the way back machine to see in detail what someone did years ago without relying on an ISP to retain anything.
Re:Makes me glad I run my own mail server (Score:2, Interesting)
Did you set up your mail server such that it can be viewed by people other than yourself?
Mine's in colocation, rather than being a virtual server, but there's a ton that I've done to lock it down... there's volume encryption on the drive. There's a BIOS password to prevent the settings from being viewed/changed. CDROM and booting from USB are disabled, as are all of the unused SATA ports (the mobo doesn't have any PATA ports). And it's a standard *nix setup with a very secure root password.... it's a passphrase, written in a foreign language with a non-latin alphabet, transcribing keystrokes from where they would be on that language's standard input keyboard to a QWERTY keyboard, and it's a non-grammatical sentence. Special characters, mixed-case alphanumberic, completely random to an English speaker, and 34 characters long. Only one user has ssh access, and that user also has a very secure password, in the same vein as the root's password, but using a different non-latin language.
In other words, even if they did try to execute a search warrant on my colocated system, they wouldn't be able to do anything with it without asking me for the password. Can't you set up your mail server to be the same?
Re:Decision Formalizes What Already Happens (Score:3, Interesting)
> Not to mention, of course, that for most of us, running an email server on our home computer would violate our ISP's terms of
> service. Jumping from a "home" account at $30/month to a "commercial" account at $130/month is a big hit for most of us.
You can put a physical machine in colo for half that. You can go even less if you get a hosted virtual machine, potentially allowing you to even shop around jurisdictionally, even internationally. (companies do it, why shouldn't you?)
Clearly the solution is email offering ISPs that put right into their customer agreement that customer information will only be divulged as authorized by the customer or in compliance with an official court order. It seems to me that is the standard of customer privacy that people should be demanding from their ISPs, in writing, with truly motivational levels of monetary penalty for their violation.
-Steve