Tag: e mail

E-Mail Privacy Laws Don’t Actually Protect Modern E-mail, Court Rules

In case further proof were needed that we’re long overdue for an update of our digital privacy laws, the South Carolina Supreme Court has just ruled that e-mails stored remotely by a provider like Yahoo! or Gmail are not communications in “electronic storage” for the purposes of the Stored Communications Act, and therefore not entitled to the heightened protections of that statute.

There are, fortunately, other statutes barring unauthorized access to people’s accounts, and one appellate court has ruled that e-mail is at least sometimes protected from government intrusion by the Fourth Amendment, independently of what any statute says. But given the variety of different types of electronic communication services that exist in 2012, nobody should feel too confident that the courts will be prepared to generalize that logic. It is depressingly easy, for example, to imagine a court ruling that users of a service like Gmail, whose letters will be scanned by Google’s computers to automatically deliver tailored advertisements, have therefore waived the “reasonable expectation of privacy” that confers Fourth Amendment protection. Indeed, the Justice Department has consistently opposed proposals to clearly require a warrant for scrutinizing electronic communications, arguing that it should often be able to snoop through citizens’ digital correspondence based on a mere subpoena or a showing of “relevance” to a court.

The critical passage at issue in this case—which involves private rather than governmental snooping—is the definition of “electronic storage,” which covers “temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” as well as “any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.” The justices all agreed that the e-mails were not in “temporary, intermediate” storage because the legitimate recipient had already read them. They also agreed—though for a variety of reasons—that the e-mails were not in “backup” storage.

Some took this view on the grounds that storage “by an electronic communication service for the purposes of backup protection” encompasses only separate backups created by the  provider for their own purposes, and not copies merely left remotely stored in the user’s inbox. This strikes me as a somewhat artificial distinction: why do the providers create backups? Well, to ensure that they can make the data available to the end user in the event of a crash. The copy is kept for the user’s ultimate benefit either way. One apparent consequence of this view is that it would make a big difference if read e-mails were automatically “deleted” and moved to a “backup” folder, even though this would be an essentially cosmetic alteration to the interface.

Others argued that a “backup” presumed the existence of another, primary copy and noted there was no evidence the user had “downloaded” and retained copies of the e-mails in question. This view rests on a simple technical confusion. If you have read your Gmail on your home computer or mobile device, then of course a copy of that e-mail has been downloaded to your device—otherwise you couldn’t be reading it. This is obscured by the way we usually talk: we say we’re reading something “on Google’s website”—as though we’ve somehow traveled on the Web to visit another location where we’re viewing the information. But this is, of course, just a figure of speech: what you’re actually reading is a copy of the data from the remote server, now residing on your own device. Moreover, it can’t be necessary for the user to retain that copy, since that would rather defeat the purpose of making a “backup,” which is to guarantee that you still have access to your data after it has been deleted from your main device! The only time you actually need a backup is when you don’t still retain a copy of the data elsewhere.

Still, this isn’t really the court’s fault. Whether or not this interpretation makes sense, it at least arguably does reflect what Congress intended when the Stored Communications Act was passed back in 1986, when there was no such thing as Webmail, when storage space was expensive, and when everyone assumed e-mail would generally vanish from the user’s remote inbox upon download. The real problem is that we’ve got electronic privacy laws that date to 1986, and as a result makes all sorts of distinctions that are nonsensical in the modern context of routine cloud storage. Legislation to drag the statute into the 21st century has been introduced, but alas, there’s little indication Congress is in much of a rush to get it passed.

Internet Privacy Law Needs an Upgrade

Imagine for a moment that all your computing devices had to run on code that had been written in 1986. Your smartphone is, alas, entirely out of luck, but your laptop or desktop computer might be able to get online using a dial-up modem. But you’d better be happy with a command-line interface to services like e-mail, Usenet, and Telnet, because the only “Web browsers” anyone’s heard of in 1986 are entomologists. Cloud computing? Location based services? Social networking? No can do, though you can still get into a raging debate about the relative merits of Macs and PCs.

When it comes to federal privacy law, alas, we are running on code written in 1986: The Elecronic Communications Privacy Act, a statute that’s not only ludicrously out of date, but so notoriously convoluted and unclear that even legal experts routinely lament the “mess” of electronic privacy law. Scholar Orin Kerr has called it “famously complex, if not entirely impenetrable.” Part of the problem, to be sure, lies with the courts.  It is scandalous that in 2010, we don’t even have a definitive ruling on whether or when the Fourth Amendment requires the government to get a search warrant to read e-mails stored on a server. But the ECPA statute, meant to fill the gap left by the courts, reads like the rules of James T. Kirk’s fictional card game Fizzbin.

Suppose the police want to read your e-mail. To come into your home and look through your computer, of course, they’d need a full Fourth Amendment search warrant based on probable cause. If they want to intercept the e-mail in transit, they have to go still further and meet the “super-warrant” standards of the Wiretap Act. Once it lands on your Internet Service Provider’s server, a regular search warrant is once again the standard—assuming your ISP is providing access “to the public.” If it’s a more closed network like your work account, your employer is permitted to voluntarily hand it over. But if you read the e-mail, or leave it on the server for more than 180 days, then suddenly your ISP has become a “remote computing service” provider rather than an “electronic communications service provider” vis a vis that e-mail. So instead of a probable cause warrant, police can get a 2703(d) order based on “specific and articulable facts” showing the information is “relevant and material” to an investigation—a much lower standard—provided they notify you. Except they can ask a judge to delay notification if they think that would impede the investigation. Oh, unless your ISP is in the Ninth Circuit, where opened e-mails still get the higher level of protection until they’ve “expired in the normal course,” whatever that means.

That’s for e-mail contents.  But maybe they don’t actually need to read your e-mail; maybe they just want some “metadata”—the equivalent of scanning the envelopes of physical letters—to see if your online activity is suspicious enough to warrant a closer look.  Well, then they can get what’s called a pen/trap order based on a mere certification to a judge of “relevance” to capture that information in realtime, but without having to provide any of those “specific and articulable facts.” Unless it’s information that would reveal your location—maybe because you’re e-mailing from your smartphone—in which case, well, the law doesn’t really say, but the Justice Department thinks a pen/trap order plus one of those 2703(d) orders will do, unless it’s really specific location information, at which point they get a warrant. If they want to get those records after the fact, it’s one of those 2703(d) orders—again, unless a non-public provider like your school or employer wants to volunteer them. Oh, unless it’s a counterterror investigation, and the FBI thinks your records might be “relevant” somehow, in which case they can get them with a National Security letter, without getting a judge involved at all.

Dizzy yet? Well, a movement launched today with the aim of dragging our electronic privacy law, kicking and screaming, into the 21st century: The Digital Due Process Coalition.  They’re pushing for a streamlined law that provides clear and consistent protection for sensitive information—the kind of common sense rules you’d have thought would already be in place.  If the government wants to read the contents of your letters, they should need a search warrant—regardless of the phase of the moon when an e-mail is acquired. If they want to track your location, they should need a warrant. And all that “metadata” can be pretty revealing in the digital age—maybe some stricter oversight is in order before they start vacuuming up all our IP logs.

Reforms like these are way overdue. You wouldn’t trust your most sensitive data to software code that hadn’t gone a few years without a security patch. Why would you trust it to legal code that hasn’t had a major patch in over two decades?