6th. Circuit holds that Email content is Constitutionally Protected
In the past month, two federal appeals courts have grappled with the Constitutional status of Internet communications. Their rulings have substantial implications for privacy, and raise anew concerns that existing law may not be sufficient to protect Americans’ privacy in the digital age.
In an important case, the federal appeals court for the Sixth Circuit (covering Kentucky, Michigan, Ohio, and Tennessee) ruled on June 18 that email users generally enjoy a constitutionally-protected right of privacy in the content of their email as it sits in storage with a service provider. The court also declared unconstitutional a provision of the Electronic Communications Privacy Act that allows government investigators to use a subpoena or court order issued on less than probable cause to obtain older email without notice to the person whose email is being disclosed.
The rule established by the court is simple: in order to obtain email from a service provider, either a) the government must obtain a search warrant issued under the relatively high standard of probable cause set forth in the Fourth Amendment, or b) if the government wants to use a mere subpoena or a court order issued on less than probable cause, it must provide notice to the person whose communications are being sought, giving that person an opportunity to object.
For Internet users, the ruling is a small but significant victory for privacy. The Justice Department has argued that email, while protected in transit, loses the full protection of the Constitution after it reaches a user’s “inbox” on the computer of a service provider. The 1986 Electronic Communications Privacy Act set up a complicated set of rules according different protection to email depending on how and for how long it is stored. The Sixth Circuit cuts through all of that, bringing email under a single, Constitutionally based rule.
The ruling will likely channel more law enforcement efforts to obtain the contents of older, stored email into the warrant arena — with its higher probable cause standard — especially when government investigators do not want to give notice to the target of their investigation. As a result, sensitive email content information will likely be accessed later in an investigation, when there is sufficiently strong suspicion to establish probable cause. Therefore, the decision may make it less likely that law enforcement will access the email of innocent persons.
From a corporate perspective, the ruling brings some needed simplicity to the rules governing disclosure of stored email. The ruling should be welcome to email providers for another reason: as Internet users remain acutely sensitive to privacy, this case gives them some measure of confidence, marking out one area where online communications enjoy constitutional protection. While the U.S. Justice Department is likely to seek to overturn the decision, the case actually should not have a major impact on law enforcement practices, since under ECPA law enforcement agencies already have to obtain a warrant to get current email.
The premise of the court’s constitutional ruling — that email users reasonably expect that an email is a private communication between sender and recipient — is obviously true, as reflected in the widespread reliance on email for sensitive communications in commerce, government and personal relations. Perhaps the only thing remarkable about the case is that the regular federal courts had never addressed the constitutional issues it raised.
The Justice Department is likely to seek to have the ruling overturned by a larger panel of the Sixth Circuit and, in any case, the Department will not consider itself bound by the ruling outside the Sixth Circuit.
While Warshak dealt with the content of communications, another court recently addressed the question of government access to transactional or signaling or routing data about communications.
On July 6, the federal appeals court for the Ninth Circuit (California, Oregon and Washington) ruled that IP address information and the “to” and “from” lines of email are not constitutionally protected. In essence, the court upheld a provision of ECPA authorizing the government to intercept routing data with a pen register or trap and trace device, which are rubber-stamped by courts on a standard far lower than the probable cause standard specified by the Constitution.
At some level, the Ninth Circuit decision in Forrester makes no new law. It accepts the current dichotomy between content and transactional data and applies it somewhat conservatively, in the sense that it approves pen/trap interception only of e-mail to/from information and IP addresses, not the URL that can show a search query or exactly what was read. (It specifically reserved the question whether the Fourth Amendment would protect URL information.)
However, the court may have been too quick in assuming that an IP address does not convey content. Certainly, if an IP address points to only one website, and if the content on that website is all of one type (all anti-war, or all pornographic), that does reveal something.
Also, while pen/trap decisions from the 1970s assumed that dialed number information does not even indicate whether the call was completed (pen/traps now do), Internet transactional information does show not only that a user “called” an IP address, but it also will show that the IP address responded by sending back the content of the homepage as it existed at that time.
Additionally, it is not clear that the following factual statement in the court’s opinion was entirely accurate: “The only data obtained during the first phase of the investigation were the to/from addresses of [defendant] Alba’s e-mail messages, the IP addresses of the websites that Alba visited and the total volume of information sent to or from his account.” It is likely that the pen/trap process actually acquired a lot more than that and that the government then performed some analysis to extract “to” and “from” data and IP address. For example, “to” and “from” addresses on email do not stick out the way telephone dialing information sticks out: while telephone dialing information in the PSTN is actually carried on a separate channel, “to” and “from” information is buried in digital packets. Analyzing and extracting the “to” and “from” information takes effort, and the court probably should have paid more attention to how the government actually handled the bit stream it was accessing, to make sure that the government was not getting more than was authorized.
More fundamentally, CDT questions the ongoing validity of the proposition that transactional data should be accorded zero Constitutional protection. The telephone cases that originated the transactional data doctrine were based on a pretty artificial judicial conclusion: Back in the 1970s, the Supreme Court said, in essence, “We know that everyone who makes a phone call knows that the phone company uses the dialing information to rout the call, so everyone who makes a call gives up any interest in the privacy of that information.” To the contrary, of course, whom you call and when and how often and whom you email does reveal a lot about your associations and activities and most people do believe it is sensitive and assume it will not be disclosed by the phone company or ISP.
For these reasons, the issues at stake in Forrester merit closer analysis, which may occur on rehearing or in other cases.
At a broader level, both of these cases highlight the disjointed nature of current law as it relates to electronic privacy and the application of Fourth Amendment protections in the digital world. Put simply, the law has not kept pace with the evolution of Internet technology. Judges and lawmakers must address these concerns and consider approaches to revitalize the Fourth Amendment in the face of technological change.