For much of human history, we have been able to conduct our private lives separately from our public ones. Upstanding, productive citizens during the day, we were free to be seditious, depressed or kinky by night. However, the computers we use in our homes during those private hours create and preserve evidence of our interests, relationships and beliefs, blurring the line between private and public.
Congress and the courts have responded by giving privacy protection to the contents of communications, including phone calls and e-mail messages, but denying strong protection to transactional information like phone numbers dialed and websites visited. Two recent Fourth Amendment cases illustrate that we need to understand that internet-use records are more like mind readers than phone bills if we are to retain any privacy in our communications.
In 1986, out of a concern that privacy protections were not keeping up with new modes of communication, Congress passed the Electronic Communications Privacy Act, or ECPA, which criminalized the interception and unauthorized access of electronic communications.
Congress also gave individuals the right to sue anyone who discloses customer information to a governmental entity without proper legal justification. However, Congress gave much stronger protections to the contents of phone calls and e-mail messages than to transactional information like telephone numbers dialed or IP addresses visited.
The history and growth of the internet reveals gaping privacy holes in this dichotomy. In one of my cases, which will go to hearing later this month, a police officer allegedly told the defendant's internet service provider that a life-and-death emergency required immediate disclosure of my client's internet-usage records.
The ISP gave the police the information, thereby subverting the statutory rule that law enforcement must use some kind of legal process before collecting internet-use records. Because these kinds of transactional records are less protected than content, my client may be left with no legal recourse against the police officer.
ECPA doesn't provide for the exclusion of illegally obtained transactional evidence, and our client has no money to sue the officer, who probably has no money to pay if a judgment went against him.
As technology develops and internet usage becomes more widespread, privacy gaps in ECPA rear their ugly heads, so citizens are asking courts to protect internet information under the Fourth Amendment. So far, the courts are doing a mixed job of it.
In mid-June, the 6th U.S. Circuit Court of Appeals decided Warshak v. United States (pdf). (I was a signatory on a law professors' amicus brief in support of plaintiff Warshak). Agents investigating Warshak for fraud obtained court authorization to seize his e-mail, but did not have probable cause to believe that Warshak was engaged in a crime, as the Fourth Amendment generally requires.
Warshak sued, alleging that he had a reasonable expectation of privacy in his e-mail messages, and thus a probable-cause warrant is required, and that no court order based on lesser evidence would do. Over vigorous objection by the government, both the trial court and the 6th Circuit agreed with Warshak.
At the heart of the case was the question of whether e-mail users have a reasonable expectation of privacy in their messages, even though those messages are transmitted and stored by ISPs. The "reasonable expectation of privacy" triggers Fourth Amendment protection.
The 6th Circuit held that we do have a constitutional privacy interest in our e-mail messages, particularly in the absence of user agreements that indicate that the ISP will monitor or audit us. This expectation is reasonable even though the ISP has the technological capability of collecting the message for the government, and even though the message was sent to a third party who could have voluntarily disclosed it to officers.
The court analogized the e-mail message to a telephone call or a letter, both of which are transmitted by third parties, both of which are intended for another person and both of which are protected by the Fourth Amendment.
While the opinion may yet be reviewed by the full 6th Circuit, the essence of the ruling, that the content of communications deserves constitutional protection regardless of the technological vagaries of its transmission, is clearly sound.
In contrast, last week the 9th U.S. Circuit Court of Appeals decided United States v. Forrester (.pdf), a case that argued unsuccessfully for constitutional protection for to/from addresses of e-mail messages and the IP addresses of the websites that the defendant visited.
The 9th Circuit analogized the facts in Forrester to Smith v. Maryland, a case that denied Fourth Amendment protection for dialed telephone numbers.
Yet, to/from addresses -- and particularly IP addresses -- are vastly more revealing than phone numbers, which, at the time of Smith, only told what business or residence was called, not who answered or what was discussed.
An IP address tells you what content I viewed on a web page, which could include books I shopped for, information I researched, articles I read -- all of which are windows into my interests, preferences, sympathies or mere curiosities.
IP addresses tell far more about what I'm thinking than telephone numbers do, and the 9th Circuit is wrong to give them cursory constitutional protection. This is especially true because there's a seductive but mistaken temptation to think that law enforcement can predict my future behavior from what I read. A research scientist may look for bomb-making information, a news junkie may read jihadist websites. Future bad behavior cannot be inferred from nontraditional thinking.
The 9th Circuit opinion may also be reheard by the full court, and if so, the judges will need a more accurate understanding of the nature of IP addresses and the wealth of information and insight they reveal about a person's innermost thought processes.
The 9th Circuit should also view IP address seizures in light of new federal proposals to require ISPs to store customers' search histories and retain other transactional data. In combination, the two will create a digital mind reader that can trace every internet user's thoughts and interests, and take away the security of knowing that your thoughts are your own.
- - -
Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.
