Crashing the Third Party: Experts Weigh How Far the Government Can Go in Reading Your Email
Late-night viewers of TV ads knew all about Smilin’ Bob.
Dressed in his everyday business outfit of a crease-proof shirt and drab tie, Smilin’ Bob would prance about the office, entertaining foreign executives or posing as Santa during the company’s holiday party.
And while a cheesy tune played through the commercial’s background, Smilin’ Bob would hail his colleagues with an ear-to-ear grin plastered on his face, his white teeth glistening.
He was popping the nutritional supplement Enzyte, a male sexual enhancer, the commercial said.
Because Enzyte is an herbal product, it did not need approval by the U.S. Food and Drug Administration, which otherwise poses strict regulations for pharmaceuticals. Urologists, however, deflated Enzyte’s braggadocio, insisting that there was no ingredient among the herbs, minerals and vitamins guaranteed to promote virility.
But just tell that to the eager customers who called the advertisement’s 800 number. The company that in 2001 produced Enzyte, Cincinnati-based Berkeley Premium Nutraceuticals, had in three years expanded from a family operation to a business employing 1,500 workers. Berkeley’s annual sales had also grown to $250 million, according to a 2010 opinion by the 6th U.S. Circuit Court of Appeals at Cincinnati.
Whether Enzyte helped its buyers where they wanted it was beside the point. What rankled them was Berkeley’s “auto-ship program,” by which a customer would impart a credit card number and continue to receive the product until the customer opted out. Until the end of 2002, no customer was told about the program. Steadily their credit card fees added up. By 2002 the Better Business Bureau received 1,500 complaints, according to the appellate ruling.
But Berkeley got into more trouble. To continue its bank credit, Berkeley had to maintain a low level of “chargebacks,” disputes that occur when a customer calls the credit card company to contest a charge. To keep the ratio low, Berkeley split its transactions into two or three parts so it looked like there were more transactions than customers making them.
In 2006, a federal grand jury handed down a 112-count indictment on fraud-related charges against Berkeley owner Steven Warshak; his mother, Harriet, who processed the credit card payments; and another of Warshak’s businesses.
Two years later, Warshak was found guilty of 93 counts, sentenced to 25 years and ordered to pay $93,000. Berkeley had to forfeit $500 million. His mother was sentenced to two years.
On appeal, the 6th Circuit sent the case back to the lower court for resentencing. Last September Warshak’s sentence was lowered to 10 years, his mother’s to one day.
Regardless of the outcome for the Warshaks—or for the male enhancement business—the 6th Circuit case, United States v. Warshak, nevertheless marked the first time a federal appeals court extended Fourth Amendment protection to the contemporary world of email correspondence. The court, in an opinion by Judge Danny J. Boggs, held that an individual’s reasonable expectation of privacy, the Fourth Amendment standard since 1967, applied to the content of emails stored in a third-party server.
Warshak claimed that government agents violated his privacy expectations by compelling his Internet service provider, NuVox, to turn over about 27,000 emails without first getting a warrant. The court upheld Warshak but allowed the search based on a separate statutory claim.
Nevertheless, wrote Judge Boggs, “email is the technological scion of tangible mail, and it plays an indispensable part in the information age. … It follows that email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.”
Added Boggs: “If we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment. … The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is. … It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber’s emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.”
“This is a very important opinion,” wrote George Washington University law professor Orin Kerr at the time in the law blog Volokh Conspiracy. “It strikes me as quite persuasive and likely to be an influential decision going forward.”
An expert on criminal procedure, Kerr endorses Boggs’ interpretation of the third-party records doctrine, which says that information loses its Fourth Amendment protection when the individual knowingly reveals it to another. In Warshak, for example, the government claimed that once Warshak filed his emails in NuVox, the ISP could be treated as a third party, capable of revealing information that emails would otherwise protect.
According to Boggs’ ruling, while email content should be protected, its noncontent information—visible addresses, subject descriptions, sending and receiving times—lacks Fourth Amendment coverage. Police, for example, can enter a post office and see a letter’s address, who sent it and how much postage it carries, but an officer may not unseal it and read the contents without a search warrant.
Kerr would extend that scenario to the cyberworld through a Fourth Amendment property he calls “technological neutrality,” which transfers the same privacy protection over the content of letters and phone calls to the procedure that exists in emails.
But Greg Nojeim says it’s time to reassess third-party doctrine in an age when “the advance of technology has made it cheap and easy for law enforcement to gather this information easily.” Without a warrant requirement, whatever privacy existed before is practically abolished in a world where emails fly over different servers at the speed of electrons.
“The friction in the system and the practical anonymity that protected privacy are dissipating,” Nojeim said in his essay for the book Patriots Debate: Contemporary Issues in National Security Law, published this summer by the ABA’s Standing Committee on Law and National Security. The committee invited Kerr and Nojeim to contrast their views.
According to Nojeim, senior counsel at the Center for Democracy & Technology in Washington, D.C., “fishing expeditions used to be expensive.” Technology, on the other hand, makes communication accessible and capable of easy intervention. “Today, we live much of our lives online,” he wrote. This makes more human interaction, reflected in digital footprints, accessible to law enforcement.
Yet, Kerr wrote, there’s a value to the third-party doctrine: It introduces a “sensible balance” of police power against the individual’s privacy expectations.
A former special assistant U.S. attorney for the Eastern District of Virginia, Kerr served as a law clerk to U.S. Supreme Court Justice Anthony M. Kennedy and was special counsel for Supreme Court nominations to U.S. Sen. John Cornyn, R-Texas.
On the law enforcement side, third parties introduce a “substitution effect,” allowing potential criminals to take “open and public portions of crimes and [hide] them from public observation,” Kerr wrote in the 2009 Michigan Law Review article “The Case for the Third-Party Doctrine.”
The doctrine, Kerr continued, “blocks this end-run around the traditional Fourth Amendment balance. It helps ensure that the Fourth Amendment rules that apply to crimes committed using third parties are roughly equivalent to the rules that apply to crimes committed without them.” No wrongdoer can duck behind a closed-door meeting, a sealed letter, a secret phone call or a suspicious email and claim the Fourth Amendment will never reach him.
So long, of course, as law enforcement finds probable cause to gain a warrant and pry the items open. And how do police discover probable cause using third parties?
Kerr first imagines a world without third parties—a “mythical year zero,” he called it in his law review article. For example, no postal service would exist to deliver a letter; the author would have to leave home and carry it to the recipient’s location.
A police officer’s job is simple: Follow the person and see where she goes. “The police would not need a warrant to enter your home,” he wrote in his Patriots Debate essay, “but they would be permitted to watch you in public.” Did the person go to a suspected criminal’s home? Did she carry a package that looked like it might be a bomb? There is no Fourth Amendment protection in public; everything is available for all to see. Probable cause amounts to adding one observation to others.
Enter third parties. This time, the person may email a contact and tell him that a package is waiting at a secret location. Police may discern whether something fishy is going on if they are allowed access to email addresses and other external information—but not to internal content. When police have deduced probable cause from external clues—where the email is going, how often one is sent, for example—to suspect malfeasance, then they may request a warrant to examine the internal information.
“Just as the Fourth Amendment should protect that which technology exposes,” Kerr wrote in his law review article, “so should the Fourth Amendment permit access to that which technology denies.”
Kerr likens the situation to the 1979 U.S. Supreme Court case Smith v. Maryland. Michael Smith robbed Patricia McDonough, who gave police a description of him and his car. Smith threatened McDonough with harassing phone calls. Suspecting Smith, police asked the phone company to install a pen register, a device on his phone line that records dialed numbers but does not overhear conversations.
The court shot down Smith’s bid that police violated his expectation of privacy. “It is too much to believe,” wrote Justice Harry A. Blackmun for the majority, “that telephone subscribers … harbor any general expectation that the numbers they dial will remain secret.”
Kerr also refers to United States v. Forrester, the 2010 case in which the 9th U.S. Circuit Court of Appeals at San Francisco extended Smith to the cyberworld. The court held that the government did not invoke the Fourth Amendment when it had a target’s Internet service provider install a monitoring device that recorded the IP address, to/from email addresses and volume sent from the account.
“When the government obtains the to/from addresses of a person’s emails or the IP addresses of websites visited, it does not find out the contents of the messages or know the particular pages on the website,” the court said. “At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the email to/from addresses and IP addresses—but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed.”
As Kerr emphasizes, the noncontent information should remain open for scrutiny.
Yet people do expect a level of privacy. The Supreme Court established the reasonable expectation standard in 1967’s Katz v. United States. A key concurrence by Justice John Marshall Harlan II said that in “an area where, like a home and unlike a field, a person has a constitutionally protected reasonable expectation of privacy, … electronic as well as physical intrusion into a place that is in this sense private may constitute a violation of the Fourth Amendment; and … that an invasion of a constitutionally protected area by federal authorities is, as the court has long held, presumptively unreasonable in the absence of a search warrant.”
To Kerr, however, the reasonable-expectation-of-privacy doctrine would be better understood through the eyes of consent law. The usual “inquiry focuses on whether the government conduct intruded into constitutionally protected areas,” he wrote in his law review article, “... whereas consent asks whether [the government] did so with permission. … By knowingly disclosing information to a third party, an individual consents to another person having control over it.”
“If you are speaking to someone in a room, then you vol-untarily decided to have other people hear you,” Kerr says in a phone interview. But “when you dial telephone numbers you are asking the phone company to connect your call. You are consenting that the recipient hear it but not the phone company.”
While Kerr accepts a third-party parallel from other areas of Fourth Amendment law, Nojeim, on the other hand, wonders whether, in the contemporary world, we haven’t gone way too far in allowing an invasion of privacy via third-party information.
“For too long,” said Nojeim’s essay, “application of the third-party records doctrine has permitted absurd results.”
A director of the Center for Democracy & Technology’s Project on Freedom, Security & Technology, Nojeim previously was counsel with the American Civil Liberties Union, and at the American-Arab Anti-Discrimination Committee. He also worked at the D.C. office of K&L Gates. He is a former co-chair of the Coordinating Committee on National Security and Civil Liberties of the ABA Section on Individual Rights and Responsibilities, a perch from which he helped draft the ABA’s 2007 policy on the state secrets privilege.
Nojeim points to United States v. Jones, which the Supreme Court decided in January. The government planted a Global Positioning System tracking device on the suspect’s car. The majority held that placing the GPS was a search and required the government to obtain a warrant.
But in a concurrence, Justice Sonia Sotomayor questioned the long-held notion that dispatching information to any third party carries with it the risk that the third party will spill the beans. “This approach,” the justice wrote, “is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”
Sotomayor added that she “doubt[s] that people would accept without complaint the warrantless disclosure to the government of a list of every website they had visited in the last week or month or year.”
The concurrence “reflects important new thinking about third-party records doctrine,” says Nojeim in an interview.
But, says Nojeim, “the big elephant in the room is cloud computing”—the delivery of computer and storage capacity to a wide range of users. A strict application of the third-party records doctrine would mean that a user who stores information there would likely make it available to law enforcement without a warrant, he says.
Nojeim illustrates the concern: “Imagine if you store documents in Google Docs, a remote computing service [offered] by Google, and it’s available to law enforcement without warrant.” The government may then gain access to a vast store of personal information. “We need to start thinking about what kind of records we cover, or exempt, from the warrant requirement,” Nojeim says.
Communications content is not the only sensitive information that implicates the third-party records doctrine. A key case, In re U.S. for Historical Cell-Site Data, has been appealed to the 5th Circuit at New Orleans. A federal district court held last November that disclosing cell phone location records without a warrant would violate the Fourth Amendment. The information would spot where a phone user was when a call was made. Many cell phone service providers record the location of users’ phones any time they are turned on.
Kerr filed an amicus saying the lower court should have waited until after a search order was granted.
According to a 2010 case in the District of Columbia Circuit, “A person who knows all of another’s travels can deduce whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups—and not just one such fact about a person, but all such facts.”
In fact, Nojeim says, information is so easily gained in a digital world that it defies Kerr’s substitution effect. Most “communicants simply cannot meet in order to exchange information. It is not practical to do so,” Nojeim wrote.
“Because technology enables so much more communication, we don’t limit ourselves to just calling our neighbors,” says Nojeim. Now, he adds, we communicate through email with a person thousands of miles away. The notion that there is some substitute for distant communication is unworkable. “Are you supposed to get on a boat?”
That means that there is “no practical alternative to use of the third party to convey the information,” Nojeim wrote. Instead of traveling to show up personally so police can watch, as Kerr might imply, “the alternative when one wants to have a Fourth Amendment-protected communication is not to communicate at all.”
Rather, he continued, we “should be more worried about people substituting less efficient means of communicating—showing up in person—in order to protect the privacy of information about their communications.” There’s no reason to chance the risk of the government peering into emails if the individual is hand-delivering terrorism instructions.
AGREEING ON ANOTHER LOOK
Both Kerr and Nojeim argue for a reassessment of the third-party doctrine. Kerr would tie it more closely to the way that the doctrine affected other technological developments, while Nojeim would expand protection further. “Why,” Nojeim wrote, “ ... stop there?” The “court-authorized expansion of the list of exceptions to the third-party doctrine should also be part of the solution.”
He adds, “Courts are going to become increasingly uneasy with the strict, robotic application of third-party doctrine.”
So many communications are carried through intermediaries, and so much digital information about our activities is collected by third parties, “there’s a very small universe of information protected by the Fourth Amendment if the third-party doctrine is applied to all of it,” Nojeim says.
And, he adds, “so many third parties now hold [personal] information. It didn’t used to be the case that drugstores held records about consumer purchases. Now, with affinity programs, many of them do.”