EFF wins 4th Amendment email victory (and megayachts)

The "wow" starts with Wednesday's IT Blogwatch: in which the Electronic Frontier Foundation wins against warrentless U.S. email snooping. Not to mention Silicon Valley's weakness for floating palaces...

EFF board chairman, Brad Templeton writes:

In a tremendous victory for privacy rights, the US 6th district court has restored the power of 4th amendment protection to emails stored on a remote host like an ISP or Webmail, striking down sections of the Stored Communications Act which have been routinely used to grab emails without a warrant.

The court agreed with an amicus brief filed by EFF attorney Kevin Bankston that people did have a reasonable expectation of privacy on their emails even when not stored on their home systems. This decision will make life far easier for users, and for operators of hosted email services like Google's Gmail.

Luke O'Brien has more:

A federal appeals court on Monday issued a landmark decision (.pdf) that holds that e-mail has similar constitutional privacy protections as telephone communications, meaning that federal investigators who search and seize emails without obtaining probable cause warrants will now have to do so.


The ruling by the Sixth U.S. Circuit Court of Appeals in Ohio upheld a lower court ruling that placed a temporary injunction on e-mail searches in a fraud investigation against Steven Warshak, who runs a supplements company best known for a male enhancement product called Enzyte ... The case boiled down to a Fourth Amendment argument, in which Warshak contended that the government overstepped its constitutional reach.


Under the 1986 federal Stored Communications Act (SCA), the government has regularly obtained e-mail from third parties without getting warrants and without letting targets of an investigation know (ergo, no opportunity to contest) ... There have been no previous constitutional challenges of the SCA, likely because ISPs don't want to cause trouble and targets of investigations don't know that their e-mail is being read.

Nate Anderson adds:

The feds secured a court order under the Stored Communications Act (SCA) that allowed them to access Warshak's stored online e-mail. A court order does not require the full "probable cause" level of evidence demanded by a subpoena, but it does involve some judicial oversight ... Warshak argued that gaining access to his e-mail without 1) a warrant or 2) a court order with notification was a violation of the Fourth Amendment.


The court also responded positively to the idea that e-mails should be given the same privacy protection as phone calls.

Susan Crawford explains:

My perplexed cyberlaw students will be very relieved to read this.


Email messages, unlike transactions disclosed to a bank, are the kinds of things that we expect are and will remain private ... the mere involvement of an intermediary doesn't destroy this expectation of privacy ... [It's] a question that is central to law enforcement, and we can expect that this decision will be challenged in a hundred ways. We depend so much on intermediaries, and the Sixth Circuit decision stands firmly on ground the government won't like.


In an era in which telephone companies routinely cooperate with law enforcement without asking for legal process, in which law enforcement routinely claims that every request for information it makes has something to do with terrorism or espionage, and in which my students routinely say they have no reasonable expectation of privacy (in anything), it's a fine moment.  The courts are making clear that they still have a role to play.

The Fourth Amendment can't be overwritten by either broad language in a cooperative provider's terms of service or by the hopeful interpretation of a statute -- here, the Stored Communications Act -- by the Executive Branch.

Ed Felten has an interesting angle:

the Court drew a line between inspection of email by computer programs, such as virus or spam checkers, versus inspection by a person. The Court found that automated analysis of email did not erode the reasonable expectation of privacy, but routine manual inspection of email would erode it.

Pragmatically, a ruling like this is only possible because email has become a routine part of life for so many people. The analogy to phone calls, and the unquestioned assumption that people value the privacy of email, are both easy for judges who have gotten used to the idea of email. Ten years ago this could not have happened. Ten years from now it will seem obvious.

Orin Kerr is astonished:

If it stands on the books, it will revolutionize the way that Fourth Amendment challenges are brought; it will constitutionalize an area of law long thought to be statutory, invalidating some statutes along the way; and it will create the rather surprising result that Fourth Amendment protections are actually significantly stronger online than in the physical world.

With that said, the caveat "if it remains on the books" is very important here. Whether the panel's view of the Fourth Amendment is right or wrong, Judge Martin had to reach out to decide as much as he did. In so doing, he had to make some procedural moves that strike me as pretty obviously wrong. If the Sixth Circuit en banc corrects the procedural errors, all of the panel's substantive Fourth Amendment holdings will go away.

Randy Picker muses thuswise:

We are now moving towards a cloud organization for data. Some content may be stored locally on your machine, while other content—content that you in some powerful sense think belongs to you—will be stored remotely. Where actually? You won’t have a clue ... This is another step on what will be a path of increasing interest and difficulty: how will we regulate the cloud? Piecemeal, I suspect, and Warshak represents one piece.


The critical issue in the case is the expectation of privacy that is appropriate for e-mail. This takes us back to the question of computer organization and the emerging cloud. Presumably, I have my greatest expectation of privacy for e-mails stored locally on my home machine. Yes those e-mails were transmitted over the wires briefly, but just like telephone calls, I don’t lose my expectation of privacy merely because I am using the public phone network.


Regulation always lags technology and then catches up in fits and starts. Warshak makes clear that we will decide cases as we always have, one by one based on the closest available past practice. In doing that, short of legislation, we will decide how we are going to regulate the cloud.

Buffer overflow:

Around the Net Around Computerworld Previously in IT Blogwatch

And finally... Megayachts: Silicon Valley's weakness

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.
Shop Tech Products at Amazon