URL:
http://www.wired.com/politics/law/commentary/circuitcourt/2007/07/circuitcourt_0718?currentPage=all
Courts Should Shield Web and E-Mail Data From Nosy Cops
07.18.07 | 2:00 AM
For much of human history, we have been able to conduct our private
lives separately from our public ones. Upstanding, productive citizens
during the day, we were free to be seditious, depressed or kinky by
night. However, the computers we use in our homes during those private
hours create and preserve evidence of our interests, relationships and
beliefs, blurring the line between private and public.
Congress and the courts have responded by giving privacy protection to
the contents of communications, including phone calls and e-mail
messages, but denying strong protection to transactional information
like phone numbers dialed and websites visited. Two recent Fourth
Amendment cases illustrate that we need to understand that internet-use
records are more like mind readers than phone bills if we are to retain
any privacy in our communications.
In 1986, out of a concern that privacy protections were not keeping up
with new modes of communication, Congress passed the Electronic
Communications Privacy Act, or ECPA, which criminalized the interception
and unauthorized access of electronic communications.
Congress also gave individuals the right to sue anyone who discloses
customer information to a governmental entity without proper legal
justification. However, Congress gave much stronger protections to the
contents of phone calls and e-mail messages than to transactional
information like telephone numbers dialed or IP addresses visited.
The history and growth of the internet reveals gaping privacy holes in
this dichotomy. In one of my cases, which will go to hearing later this
month, a police officer allegedly told the defendant's internet service
provider that a life-and-death emergency required immediate disclosure
of my client's internet-usage records.
The ISP gave the police the information, thereby subverting the
statutory rule that law enforcement must use some kind of legal process
before collecting internet-use records. Because these kinds of
transactional records are less protected than content, my client may be
left with no legal recourse against the police officer.
ECPA doesn't provide for the exclusion of illegally obtained
transactional evidence, and our client has no money to sue the officer,
who probably has no money to pay if a judgment went against him.
As technology develops and internet usage becomes more widespread,
privacy gaps in ECPA rear their ugly heads, so citizens are asking
courts to protect internet information under the Fourth Amendment. So
far, the courts are doing a mixed job of it.
In mid-June, the 6th U.S. Circuit Court of Appeals decided Warshak v.
United States (pdf). (I was a signatory on a law professors' amicus
brief in support of plaintiff Warshak). Agents investigating Warshak for
fraud obtained court authorization to seize his e-mail, but did not have
probable cause to believe that Warshak was engaged in a crime, as the
Fourth Amendment generally requires.
Warshak sued, alleging that he had a reasonable expectation of privacy
in his e-mail messages, and thus a probable-cause warrant is required,
and that no court order based on lesser evidence would do. Over vigorous
objection by the government, both the trial court and the 6th Circuit
agreed with Warshak.
At the heart of the case was the question of whether e-mail users have a
reasonable expectation of privacy in their messages, even though those
messages are transmitted and stored by ISPs. The "reasonable expectation
of privacy" triggers Fourth Amendment protection.
The 6th Circuit held that we do have a constitutional privacy interest
in our e-mail messages, particularly in the absence of user agreements
that indicate that the ISP will monitor or audit us. This expectation is
reasonable even though the ISP has the technological capability of
collecting the message for the government, and even though the message
was sent to a third party who could have voluntarily disclosed it to
officers.
The court analogized the e-mail message to a telephone call or a letter,
both of which are transmitted by third parties, both of which are
intended for another person and both of which are protected by the
Fourth Amendment.
While the opinion may yet be reviewed by the full 6th Circuit, the
essence of the ruling, that the content of communications deserves
constitutional protection regardless of the technological vagaries of
its transmission, is clearly sound.
In contrast, last week the 9th U.S. Circuit Court of Appeals decided
United States v. Forrester (.pdf), a case that argued unsuccessfully for
constitutional protection for to/from addresses of e-mail messages and
the IP addresses of the websites that the defendant visited.
The 9th Circuit analogized the facts in Forrester to Smith v. Maryland,
a case that denied Fourth Amendment protection for dialed telephone numbers.
Yet, to/from addresses -- and particularly IP addresses -- are vastly
more revealing than phone numbers, which, at the time of Smith, only
told what business or residence was called, not who answered or what was
discussed.
An IP address tells you what content I viewed on a web page, which could
include books I shopped for, information I researched, articles I read
-- all of which are windows into my interests, preferences, sympathies
or mere curiosities.
IP addresses tell far more about what I'm thinking than telephone
numbers do, and the 9th Circuit is wrong to give them cursory
constitutional protection. This is especially true because there's a
seductive but mistaken temptation to think that law enforcement can
predict my future behavior from what I read. A research scientist may
look for bomb-making information, a news junkie may read jihadist
websites. Future bad behavior cannot be inferred from nontraditional
thinking.
The 9th Circuit opinion may also be reheard by the full court, and if
so, the judges will need a more accurate understanding of the nature of
IP addresses and the wealth of information and insight they reveal about
a person's innermost thought processes.
The 9th Circuit should also view IP address seizures in light of new
federal proposals to require ISPs to store customers' search histories
and retain other transactional data. In combination, the two will create
a digital mind reader that can trace every internet user's thoughts and
interests, and take away the security of knowing that your thoughts are
your own.
- - -
Jennifer Granick is executive director of the Stanford Law School Center
for Internet and Society, and teaches the Cyberlaw Clinic.
--
David Solomonoff, President
Internet Society of New York
[EMAIL PROTECTED]
isoc-ny.org
_______________________________________________
Discuss mailing list
[email protected]
http://lists.isoc-ny.org/mailman/listinfo/discuss
