Is there a reasonable expectation of privacy in email headers and IP addresses under the Fourth Amendment? No, sayeth the 9th Circuit in US v. Forrester:
The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that the use of a pen register (a device that records numbers dialed from a phone line) does not constitute a search for Fourth Amendment purposes. According to the Court, people do not have a subjective expectation of privacy in numbers that they dial because they “realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed .” . . . . Therefore the use of a pen register is not a Fourth Amendment search. Importantly, the Court distinguished pen registers from more intrusive surveillance techniques on the ground that “pen registers do not acquire the contents of communications” but rather obtain only the addressing information associated with phone calls. . . .
Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.”
Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person’s e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.
I’ve written extensively about the problematic application of Smith v. Maryland to email headers and especially IP addresses. I believe that Smith was wrongly decided, but the 9th Circuit was nevertheless bound to follow it. Accordingly, its holding that there is no reasonable expectation of privacy in email headers seems to fall within the holding of Smith. However, IP addresses present a different case. The holding in the Smith case turned on two rationales: (1) exposure of information to third parties (phone companies) eliminated one’s expectation of privacy; (2) the information was not sensitive since it didn’t involve the content of the communications. This second rationale is important, since it is an attempt to keep Smith logically consistent with Katz v. United States, 389 U.S. 347 (1967), where the Supreme Court held that a reasonable expectation of privacy exists in the contents of phone conversations. However, the contents of phone conversations, similar to the phone numbers dialed (pen register), are also accessible to the phone company. Thus, the first rationale (third party doctrine) would be inconsistent with Katz without the aid of the second rationale.
Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.
The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content. But with IP addresses, the distinction doesn’t work. In Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I wrote:
When applied to IP addresses and URLs, the envelope/content distinction becomes even more fuzzy. An IP address is a unique number that is assigned to each computer connected to the Internet. Each website, therefore, has an IP address. On the surface, a list of IP addresses is simply a list of numbers; but it is actually much more. With a complete listing of IP addresses, the government can learn quite a lot about a person because it can trace how that person surfs the Internet. The government can learn the names of stores at which a person shops, the political organizations a person finds interesting, a person’s sexual fetishes and fantasies, her health concerns, and so on.
[Therefore,] the content/envelope distinction is not always clear. In many circumstances, to adapt Marshall McLuhan, the “envelope” is the “content.” Envelope information can reveal a lot about a person’s private activities, sometimes as much (and even more) than can content information.