Susan Freiwald on United States v. Warshak: Sixth Circuit Brings Fourth Amendment Protection to Stored Email, At Last
posted by Danielle Citron
Finally! A Federal Appellate Court has brought the Fourth Amendment to stored email! On December 14th, in United States v. Warshak, the 6th Circuit held that when government agents compel an Internet Service Provider (ISP) to disclose its user’s stored emails, they invade the user’s reasonable expectation of privacy, which constitutes a search under the Fourth Amendment and requires a warrant or an applicable exception.
In a 2007 decision, a panel of the 6th Circuit found a reasonable expectation of privacy (REP) in Warshak’s stored emails when he sought an injunction, but the 6th Circuit, en banc, vacated that decision the next year on ripeness grounds. The case decided three days ago concerned Warshak’s appeal of his criminal conviction of an array of charges related to fraudulent business practices. The trial was long and involved (and much of the decision concerns other issues). As part of the investigation, prosecutors seized 27,000 of Warshak’s private emails, ex parte, and without first getting a warrant. Along with Patricia Bellia, of Notre Dame, I wrote an amicus brief for law professors prior to the 2007 decision, and have written law review articles (with Tricia) on the topic since. Below, I explain the court’s constitutional analysis, discuss why this discussion was so long in coming and share some thoughts about the future.
The court found a subjective expectation of privacy in email because “[given] the often sensitive and highly damning substance of his emails, [the court thought] it highly unlikely that Warshak expected them to be made public.” In finding that “society [was] prepared to recognize that expectation as reasonable” (the objective test), the court first discussed how “[b]y obtaining access to someone’s email, government agents gain the ability to peer deeply into his activities.” The court’s analysis was functional; “an ISP is the functional equivalent of a post office or a telephone company” and it “would defy common sense to afford emails lesser Fourth Amendment protection” than letters and phone calls (citing and quoting my article with Tricia Bellia at this point).
The court’s analysis was also normative, which is the approach I have advocated to REP questions. In the court’s words: “[a]s some forms of communication begin to diminish, the Fourth Amendment must recognize and protect nascent ones that arise.” The court found a REP in email because the modern meaning of the Fourth Amendment requires it, because email “plays an indispensable part in the Information Age.” The court did not determine whether people know or expect or assume privacy in their emails (which could be a tricky exercise in light of technology CEOs’ public proclamations that we “have no privacy”), but rather concluded that “email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.” That approach echoes the Supreme Court’s in Katz v. United States (U.S. 1967), when it found wiretapping telephone calls subject to the Fourth Amendment due to “the vital role that the public telephone has come to play in private communication.” (which the 6th Circuit quoted). As the court recognized, “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish” (citing Kyllo v. United States (U.S. 2001) and an article by Orin Kerr).
The court rejected the government’s arguments, three of which I will discuss. First, the government claimed that an ISP’s terms of service, which provide that it may access users’ emails for some purposes, defeats users’ REPs. Second, the government argued that stored email is not constitutionally protected because it is acquired from a third party (the ISP who stores it) and by permitting third party storage, the user forfeits a REP. And third, the government argued that it can compel disclosure using a subpoena like court-order without establishing probable cause because subpoenas are reviewed merely for reasonableness.
The government argued that if an ISP’s terms of service permit it to access stored emails, those emails must not be subject to a REP. The court held that mere access by the intermediary would be not be sufficient to defeat a REP. The court explained that phone calls are protected against warrantless interception even though the phone company has the capacity to monitor calls, and letters are protected even though the postal service, an intermediary, could easily open and read them. Thus, “the threat or possibility of access is not decisive when it comes to the reasonableness of an expectation of privacy.” Crediting EFF for this argument, the court also noted that an ISP’s retention of a right of access to emails for business purposes does not defeat REPs. Kudos to Kevin Bankston, the high-powered EFF litigator who submitted amicus briefs both in the litigation’s earlier stage and for the case decided on Tuesday. Drawing on EFF’s brief for this and several other parts of the analysis, the court drew analogies to access by landlords to apartments and hotel owners to rooms, neither of which defeat REPs vis-à-vis access by law enforcement agents.
As for when ISP access is sufficiently extensive “to snuff out a“ REP, the court cited the 2007 panel’s reasoning, which indicated that the user’s REP will be retained in most typical situations of mere ISP control and ability to access in limited circumstances. But when “the ISP expresses an intention to ‘audit, inspect, and monitor’ its subscriber’s emails, that might be enough to render an expectation of privacy unreasonable.” Notably, the court here rejects a monolithic expectation of privacy that is defeated whenever the information at issue is seen by anyone. Instead, and appropriately, the court recognizes that our permitting a service provider to look at our email to run its business should not require us to give up the protections of the warrant requirement: the interposition of a neutral magistrate to review the propriety and need for the government to pry into our personal communications.
The court rejected the government’s second claim by noting that unlike the defendant in United States v. Miller (U.S. 1976), from which the so-called “third party rule” is derived, an email user does not convey his email to his ISP to be put “to use ‘in the ordinary course of business.’” Instead, the service provider is a “mere intermediary, not the intended recipient of the emails,” whose access does not defeat the user’s REP. The Court referred to my article with Tricia Bellia here as well, where we argued that unless the ISP is a virtual party (or an actual party) to the user’s emails, then the ISP may not consent to sharing the emails with law enforcement (or be compelled to do so). A user’s consent to ISP access to provide a service does not forfeit a reasonable expectation vis-à-vis law enforcement access. This is an important recognition by the Court, amply supported by case law, and it will surely prove relevant in future cases. If a “third party rule” had applied, then any information available from someone other than the author or addressee would be unprotected (and there would be no privacy online).
Lastly, the court rejected, though without analysis, an odd argument the government has made about “compelled disclosure.” The government has argued that when it obtains a court order under 18 U.S.C. §2703(d) (which employs a “specific and articulable” standard), only reasonableness and not probable cause is required. Of course Congress can’t draft procedural standards that do not pass constitutional muster. As the 6th Circuit recognized with regard to Warshak’s emails, “to the extent the SCA (Stored Communications Act) purports to permit the government to obtain such emails warrantlessly, the SCA is UNCONSTITUTIONAL.” (all caps added). The government may not hide behind an unconstitutional statute to avoid the Fourth Amendment. Although, as mentioned, the government effectively did so here, in that the court denied Warshak’s exclusionary remedy because it found that government agents believed in good faith that the SCA was constitutional.
Why so Long?
It should be hard to believe that this is the FIRST federal appellate case that really analyzes how the Fourth Amendment applies to email. One reason it has taken SO LONG for a case to be brought is that the SCA does not provide a statutory exclusionary remedy. To get evidence excluded, defendants have had to show a constitutional violation, but had no precedent to help them do so. The opinion just decided recognized the revolving door nature of that problem. While it denied an exclusionary remedy to Warshak based on agent’s good faith reliance on an unconstitutional statute, it proclaimed (in a footnote) that “after today’s decision, the good-faith calculus has changed, and a reasonable office may no longer assume that the Constitution permits warrantless searches of private emails.”
We can’t know whether the case will be appealed, and if so, the result on appeal. One sticking point is the government’s use of a preservation order to compel the ISP to save Warshak’s emails for subsequent acquisition. As Kevin Bankston argued in the EFF brief, § 2703(f) orders may be used to have a provider preserve documents in its possession, but using it to command preservation of emails created in the future permits an end-run around the demanding requirements of the Wiretap Act for email interception. The concurring judge (Keith) agreed that the government had conducted “back-door wiretapping” and doubted whether the government’s “actions, if contested directly in court, would withstand the muster of the Fourth Amendment.” (The government also violated the statute by delaying notice to Warshak of the email seizures for well over a year, but the court found that not to be a constitutional violation).
For now, as the decision states “it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment.” The decision’s reasoning could well apply to government demands that an employer turn over employee emails. Consent to monitor email for work purposes should not forfeit a reasonable expectation of privacy vis-à-vis government surveillance.
Cyberprof commentators Paul Ohm and Orin Kerr view this decision as quite persuasive and likely to be influential. Though it comes from a Circuit Court and not the Supreme Court, federal appellate decisions have traditionally set the law for other jurisdictions in cyber law cases, likely because appellate decisions have been so rare (and judges apparently loath to dive into the how the Fourth Amendment interacts with new communications technologies).
Such future cases as arise that are related to stored email will flesh out just what ISP practices will be found to defeat users’ reasonable expectations of privacy. My hope is that courts continue to recognize that when users permit theirs ISP to access their email they do not forfeit privacy rights in those emails vis-à-vis government agents. The protections afforded by the warrant requirement are essential to ensure that the executive branch does not engage in fishing expeditions into our emails and abuse its power and chill our speech. Meanwhile, other reforms are needed such as greater transparency, notice to users, and meaningful remedies. We cannot be expected to protect our privacy if we do not know when it has been invaded. And we should not have to live with an unconstitutional statute for 24 years, as we did with the Stored Communications Act (passed in 1986).
As Kevin Bankston notes on his EFF blog, this result should spur Congress to reform the unconstitutional Stored Communications Act. Kevin and I both belong to the Digital Due Process Coalition (along with Tricia Bellia, Paul Ohm, other cyberprofs and a large number of companies and organizations). The group has been spearheaded by the Center for Democracy and Technology, and has put together principles and language that we have presented to Congress on how to reform the federal surveillance statutes, including bringing the warrant requirement to stored email (as well as other needed reforms).