The Fourth Amendment, Email Headers, and IP Addresses

10 Responses

  1. Orin Kerr says:

    Dan,

    Your theory wouldn’t just raise doubts about Smith v. Maryland; it would require the Supreme Court to overrule it.

    I gather you would also want the Supreme Court to overrule Hoffa, White, Miller, and Couch in addition to Smith v. Maryland? Or just Smith?

    Also, I strongly take issue with your theory that Smith v. Maryland is inconsistent with the rest of Fourth Amendment law. It’s very consistent in result, even though Justice Blackmun’s opinion for the court was terrible. The most obvious rationale is that the phone company was a party to the communication in which Smith sent the numbers dialed; a party to the communication can consent to monitoring.

  2. Orin,

    Smith v. MD is not consistent with the misplaced trust cases (such as Hoffa). Smith pretends to flow logically from the misplaced trust cases, but it doesn’t. The misplaced trust cases (aka, the assumption of risk cases) hold that when one places trust in another and that person voluntarily betrays one’s trust, there’s no Fourth Amendment violation. Smith v. MD and the third party doctrine cases skip the voluntary betrayal step — they assume that when one places trust in another, one automatically loses any reasonable expectation of privacy. But there’s no betrayal of trust in Smith v. MD or US v. Miller or the other third party doctrine cases — the government is forcing the third parties to betray trust. That’s a big step beyond the misplaced trust cases.

    I believe that the third party doctrine cases ought to be overruled. One of the most reasonable assumptions is that a company will honor its contracts (and confidentiality is often an express or implied term in phone service contracts and especially in one’s dealings with one’s bank or financial institution). Moreover, it is tortious for a bank to breach confidentiality. It is thus reasonable for a person to assume that the bank or phone company will not breach trust unless the entity explicitly reserves the right to do so in its policies. Then, I could see a better analogy to the misplaced trust cases if the entity voluntarily decided to provide the government with the information. Otherwise, I find the logic of the third party doctrine cases to be deeply flawed.

    The best test case, in my opinion, is one that would seek to apply the third party doctrine to one’s doctor. Would the Court really conclude that because a person has disclosed sensitive medical information to her doctor that she no longer has an expectation of privacy in that information? I doubt that the Court would go that far, as such a conclusion would strike many as ludicrous, but the logic of the third party doctrine cases would support that result.

  3. Orin Kerr says:

    Dan,

    I wonder, though, why you object to the party-to-the-communication analogy. It seems quite plausible to understand Smith v. Maryland as simply holding that a party to the communication can consent to monitoring: If A talks to B, B can consent for the government to come in and intercept that communication sent by A.

    Isn’t that all that a pen register does in the case of monitoring by the telephone company? The caller is sending a communication to the phone company asking the company to connect the call to a particular number; the phone company is a recipient of that call, so the phone company can let the government record the information or do it for the government.

  4. Orin — But the phone company isn’t voluntarily providing the government with the information — the third party doctrine cases allow the government to subpoena the information or otherwise force the phone company to comply.

    If I talk with you on the phone, that doesn’t eliminate my expectation of privacy even though I’ve exposed the information to you and you’re a party to the conversation. Now, suppose you voluntarily allow the government in to eavesdrop — this is misplaced trust. But if neither you nor I let the government in, our call is protected. Likewise for the phone company or bank — if it doesn’t voluntarily let the government in, I don’t see how you lose a reasonable expectation of privacy.

  5. Orin Kerr says:

    Dan,

    First, I’m not sure that’s right as applied to Smith v. Maryland itself. Didn’t the phone company agree to install the pen register at the government’s request? That’s my off the cuff recollection, at least.

    More broadly, I think you’re missing that you do lose your reasonable expectation of privacy in your phone calls at the end point. This is easiest to see in the case of a letter: If I send you a letter, I have a reasonable expectation of privacy in the letter while it is in transit but not after it arrives. After the information arrives at the destination, my reasonable expectation of privacy is extinguished. The government can subpoena the letter from you after it arrives without implicating my rights at all.

    Can you analogize pen register information to the contents of a letter after the letter has been received? It still leaves open the question of how the government can order a provider to install a device prospectively, but I’ve often thought that this is a broader problem with the pen register statute.

    (This actually gets to some really interesting unresolved issues about what the actual theory is behind Smith, I think.)

  6. Your letter analogy also flows from the faulty rationale of the third party doctrine. I believe that for the purposes of expectations of privacy, there should be no difference between whether the letter is in transit or not. Why should this distinction matter? [We’re talking normatively here, of course, as my claim is that the Court’s doctrine is a logical mess, and the transit/non-transit distinction is just another example of the mess.]

    Suppose we have a conversation on the phone. The government wants to find out what we spoke about. It can do so by intercepting the conversation in transit (wiretapping, protected by the Fourth Amendment). Or it could subpoena you to testify (not protected). I’ve long believed that the distinction between real-time interception and obtaining a communication after the fact is one that doesn’t seem logical to me.

    Suppose that when people spoke on the phone, the contents of the communication happened to be retained by the phone company. Imagine that the telephone technology was akin to email technology or Internet communications technology where a copy of communications is stored after transit. Would this eliminate an expectation of privacy because of post-transit storage?

    I think that the purpose of protecting against wiretapping is not because there’s something uniquely pernicious about surveillance of communications in transit. The purpose, in my opinion, is to protect the communications.

    In other words, the transit/storage distinction makes little sense to me.

    Regarding Smith, I can’t recall whether the phone company voluntarily complied or was compelled. But as I understand the reasoning of the third party doctrine cases, such as Miller, if the third party does not voluntarily comply, the government can force it to do so with a court order or subpoena. The third party doctrine cases say that you don’t have a reasonable expectation of privacy because the third party has the information and could conceivably voluntarily betray your trust. But in cases where the government can force disclosure of the information even where a third party doesn’t want to breach trust, I can’t understand why you lose an expectation of privacy.

    Let’s look at Karo, the beeper case in the home. Suppose that the police tried an end-run around Karo. As I recall Karo, the police installed a beeper into a can of ether that the defendant took into his home. The police then tracked his movements inside his home. The Court said that there was no problem with the police giving the defendant the can of ether, but that they violated his reasonable expectation of privacy by tracking his movements inside his home. Here’s a direct quote: “We conclude that no Fourth Amendment interest of Karo or of any other respondent was infringed by the installation of the beeper. Rather, any impairment of their privacy interests that may have occurred was occasioned by the monitoring of the beeper.”

    Now suppose that instead of tracking his movements in real-time with the beeper, the police used a beeper device tracked by a beeper company that kept records about the person’s movements. The police then subpoenaed the records. This would be an end-run around Karo.

    The problem is that there are increasingly ways that information can be captured not only in transit but after-the-fact via subpoenas to third parties.

  7. Orin Kerr says:

    Dan, you’ve touched on a great question that I’ve been thinking a lot about, actually. I tend to think there’s actually a pretty good reason why the reasonable expectation of privacy should end when the letter arrives at its destination: A contrary rule would create tremendous uncertainty as to whether the government needs a warrant before the government came across writing or speech.

    Imagine I send you a private letter confessing that I committed a terrible crime. You take the letter, read it, and (without telling me) decide to post it on your blog. Does the government need a warrant to read the blog? It would be nutty if the answer would be yes. But if I retain a reasonable expectation of privacy in the letter after it has been received, why should it end just because you decide to post the letter on my blog? I have no control over what you do, and don’t know what you’re doing. So if I have a reasonable expectation of privacy after I have relinquished control over the letter, it’s hard to know what if anything could extinguish that.

    More broadly, most information has been whispered down the lane dozens or even hundreds of times; you can always trace it back to some original source, and it may be that in that original source the sender had an REP in it. If that REP isn’t distinguished at some point along the line, the Fourth Amendment quickly starts to look incredibly weird: the government would need to know about the entire history of all communications they are uncovering before they uncover it to know if someone in its past had a reasonable expectation of privacy in the letter. But normally they wouldn’t know anything about the communication until accessing it, creating a difficult Catch-22.

    That’s the wisdom of the third-party doctrine, I think: It cuts off rights downstream when someone has relinquished their rights to enable a system of clear ex ante rules as to when a reasonable expectation of privacy exists.

  8. Orin,

    You write: “Imagine I send you a private letter confessing that I committed a terrible crime. You take the letter, read it, and (without telling me) decide to post it on your blog. Does the government need a warrant to read the blog? It would be nutty if the answer would be yes. But if I retain a reasonable expectation of privacy in the letter after it has been received, why should it end just because you decide to post the letter on my blog?”

    This is misplaced trust. The doctrine of misplaced trust views us all as assuming some risk that others will betray us. In your hypo, one party to a communication has betrayed trust, and the government is the lucky beneficiary. There’s no reasonable expectation that the party will not betray you, and your expectation of privacy disappears after the party has posted the letter.

    But suppose I give you a document in confidence and make you sign a confidentiality agreement that prohibits you from disclosing the document. Now, if I’m protected by the law of contracts, isn’t it reasonable for me to assume that you’ll keep the document confidential? Would you say that in this case, there’s no reasonable expectation of privacy?

    Suppose you lock your diary in a safe deposit box at a bank. Should the government simply be able to subpoena the key from the bank?

    The third party doctrine cases assume that you lose privacy after you expose information to third parties, so in the safe deposit box one might argue that the diary itself wasn’t communicated or exposed to the bank. But why isn’t this like the letter you sent to another?

    And here’s one final ironic example of the silliness of the transit/non-transit distinction: I send you a letter. To do so, I give the letter to the government (via the post office) and the government delivers it to you. While the letter is in transit and in the government’s possession, the government needs a warrant to obtain its contents. But the second the postal worker delivers the letter to you, the FBI agent can be standing there at the door with a subpoena to obtain the letter. The irony — the government can’t use the subpoena to get the letter while it is in the government’s possession but suddenly can do so when it is in your possession. Does this make any sense?

  9. nedu says:

    “The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content.”

    This is simplistic to the point of being misleadingly wrong.

    If you are sending email from your home to your workplace over your workplace “virtual private network” (VPN), then from the standpoint of the ISP which provides your residential connection, it is all “content”. And it all should be considered private.

    When someone breaks into someone else’s computer or network to obtain information, without authorization, or exceeding authorization, then they’ve crossed a line. They may be government agents, but absent consent or a warrant, they’re acting like black hats.

    A judge’s idiotic opinion doesn’t make it right.

    Failure to adequately distinguish layers and protocols makes the Ninth Circuit’s opinion ludicrous.

  10. nedu says:

    For the record, the government’s account of the installation of the “pen register” differs from the Ninth Circuit’s account.

    In a November 26, 2002 filing, the government explains on p.11 (p.12 in PDF) that the pen register trap/trace device was authorized for defendant “Alba’s Internet Protocol ‘IP’ address (designated in the wiretap pleadings as the ‘Target Acount’).”

    The pen register trap/trace intercept was accomplished through the use of a “mirror port.”

    But this is impossible to square with the Ninth Circuit’s description on p.8075 (p.5 in PDF) of their opinion:

    “The surveillance began in May 2001 after the government applied for and received court permission to install a pen register analogue on Alba’s computer.”

    Installing a device on equipment owned by the defendant’s internet service provider (ISP) is quite distinguishable from installing a device on the defendant’s computer. And, rightly or wrongly, the Ninth Circuit found, and based its decision on, the latter set of facts.

    If this were a question of qualified immunity for the conduct of the government’s agents, then we’d have to look at the facts in a different light. But to evaluate the Ninth Circuit’s reasoning, we need only look at the Ninth Circuit’s statement of how they saw the facts.

    Based on the Ninth Circuit’s description of the facts, their opinion is unreasonable and contrary to the Constitution.