I earlier wrote about the National Security Agency (NSA) and their mass collection of phone records (Smith v. Maryland and the NSA Telephone Number Defense). Now I would like to briefly discuss the privacy issues surrounding the NSAs use of the PRISM program. I’ll narrowly focus on emails and this post necessarily hinges on an assumption that the NSA, through the PRISM program, is storing your emails to later search.
My assumptions are as follows: I believe that the NSA is gathering emails to later have access to in case it needs to search through them. This is based on the government’s needle and haystack defense. Ranking member of the House Intelligence Committee Dutch Ruppersberger put forth this defense. He described it as follows: “If you want to find a needle in a haystack, which is a lot of what our intelligence community does, you need the haystack. And the providers who have this information, they keep it only for a certain period of time. So in order for us to be involved and stop these attacks, we need to move right away.” (CNN) I grant that he may have just been referring to the collection of phone numbers dialed, but I suspect that the needle and haystack defense may well be used as justification to defend PRISM.
So I believe it is safe to assume that the government is gathering this data (your emails) in case they are deleted or secreted away so that if they feel the need to later search your emails they will have ready access. This is supported also by the need for the government to build a massive new data storage center that will be able to hold a yottabyte of data.
So that is where I begin my analysis. As always it is helpful to look to a court case that has undertaken a careful analysis of the issues presented to frame this discussion. The court case I will be relying on, and citing to, is United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).
If you remember, as stated in my earlier post, that when a court undertakes to determine whether a violation of the 4th Amendment has taken place they undergo a two pronged analysis. Judge Boggs put it as such:
The Fourth Amendment provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause . . . .” U.S. Const. amend. IV. The fundamental purpose of the Fourth Amendment “is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.” Camara v. Mun. Ct., 387 U.S. 523, 528, 87 S. Ct. 1727, 18 L. Ed. 2d 930 (1967); see Skinner v. Ry. Labor Execs.’ Ass’n, 489 U.S. 602, 613-14, 109 S. Ct. 1402, 103 L. Ed. 2d 639 (1989) (“The [Fourth] Amendment guarantees the privacy, dignity, and security of persons against certain arbitrary and invasive acts by officers of the Government or those acting at their direction.”).
Not all government actions are invasive enough to implicate the Fourth Amendment. “The Fourth Amendment’s protections hinge on the occurrence of a ‘search,’ a legal term of art whose history is riddled with complexity.” Widgren v. Maple Grove Twp., 429F.3d 575, 578 (6th Cir. 2005). A “search” occurs when the government infringes upon “an expectation of privacy that society is prepared to consider reasonable.” United States v. Jacobsen, 466 U.S. 109, 113, 104 S. Ct. 1652, 80 L. Ed. 2d 85 (1984). This standard breaks down into two discrete inquiries: “first, has the [target of the investigation] manifested a subjective expectation of privacy in the object of the challenged search? Second, is society willing to recognize that expectation as reasonable?” California v. Ciraolo, 476 U.S. 207, 211, 106 S. Ct. 1809, 90 L. Ed. 2d 210 (1986) (citing Smith v. Maryland, 442 U.S. 735, 740, 99 S. Ct. 2577, 61 L. Ed. 2d 220 (1979)).
The Court made easy work of the first question concluding that the defendant had a reasonable expectation that his emails would remain private. I think this assumption is axiomatic.
The Court’s next step was to determine whether society is willing to accept this expectation of privacy in email as reasonable. “This question is one of grave import and enduring consequence, given the prominent role that email has assumed in modern communication.” Warshak, at 284. The Court then went further to give just a few of the numerous examples of how important email has become to our lives:
Since the advent of email, the telephone call and the letter have waned in importance, and an explosion of Internet-based communication has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away. Lovers exchange sweet nothings, and businessmen swap ambitious plans, all with the click of a mouse button. Commerce has also taken hold in email. Online purchases are often documented in email accounts, and email is frequently used to remind patients and clients of imminent appointments. In short, “account” is an apt word for the conglomeration of stored messages that comprises an email account, as it provides an account of its owner’s life. By obtaining access to someone’s email, government agents gain the ability to peer deeply into his activities. Much hinges, therefore, on whether the government is permitted to request that a commercial ISP turn over the contents of a subscriber’s emails without triggering the machinery of the Fourth Amendment.
The Court went on to hold that based on the similarities between emails and traditional forms of communications that common sense dictates that it should receive the same 4th amendment protections. The Court further pointed out that the mere fact that a third-party intermediator could access the emails does not obviate the expectation of privacy. They pointed out that telephone company operators have the ability to listen in on a phone call and the government still needs a warrant to listen to your calls.
They also point out that a hotel guest has a reasonable expectation of privacy in their hotel rooms despite the fact that a maid can enter the room to clean. However, the Court made sure to be clear that there are circumstances under which an agreement with your ISP may render your expectation of privacy null and void.
Again, however, we are unwilling to hold that a subscriber agreement will never be broad enough to snuff out a reasonable expectation of privacy. As the panel noted in Warshak I, if the ISP expresses an intention to “audit, inspect, and monitor” its subscriber’s emails, that might be enough to render an expectation of privacy unreasonable. See490 F.3d at 472-73 (quoting United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000)). But where, as here, there is no such statement, the ISP’s “control over the [emails] and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy.” Id. at 473.
The Court then went on to hold that the expectation of privacy in your emails is one that society is willing to accept as reasonable.
This case shows that there is at least one Court of Appeals in the United States that views emails as analogous to traditional mail. The question that remains is whether the terms of service used by the companies like Google in their GMail service obliterate the expectation of privacy. Here is a link to Google’s privacy policies.
This was briefly discussed by Judge Garaufis in IN THE MATTER OF AN APPLICATION OF THE UNITED STATES OF AMERICA FOR AN ORDER AUTHORIZING THE RELEASE OF HISTORICAL CELL-SITE INFORMATION 809 F.Supp. 2d. 113 (E.D.N.Y. 2011). Judge Garaufis posed the question in Footnote 6 this way: “For example, would the third-party doctrine remove the reasonable expectation of privacy over the contents of emails sent on Gmail, or similar email providers, that use computers to access and analyze the contents of email communications in order to display advertisements?”
The question that remains unanswered is whether the secret law created by the FISA court has dealt with this issue. More specifically, has the FISA court looked at GMail’s terms of service and made a decision that you do not have a reasonable expectation of privacy in your GMail because of the invasive nature of Google’s use of your emails. Unfortunately, with no access to the secret court decisions people cannot adjust their behavior accordingly. Thus the nefarious nature of secret law and secret courts move onward.
I also have to note that the secret courts may have determined that the storage of the emails does not constitute a search until the government physically looks at the content of the emails in some way. Of course a post based on secret law would not provide much insight without being informed of the contents of secret law.
*You may be wondering why this post does not discuss the Stored Communications Act 18 USC § 2703. I believe that this post was long enough as is and the Stored Communications Act will still be around in the future to feature in its very own post.