D.

Joshua Christensen The Electronic Communications Privation of Privacy Act The Fourth Amendment states that [t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable search and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.1 When the Bill of Rights was ratified in 1791, it was impossible to send information to someone electronically, store documents in a virtual cloud, or even talk via telephone. As technology has advanced, it has occasionally been difficult to know exactly how to apply the Fourth Amendment. Rules regarding Fourth Amendment protection of electronic communications, specifically email correspondence, are particularly confusing. While the Fourth Amendment grants protection to documents stored on a personal computers hard drive, email inboxes are generally stored remotely on a thirdpartys server. Despite the efforts of Congress to define Fourth Amendment protection of new communication mediums through the Electronic Communications Privacy Act (ECPA); email and other documents may or may not receive protection depending on the jurisdiction, the status of delivery, and the location of that emails or documents storage. This is largely due to inadequacies in the ECPA which was passed in 1986, when email was primarily a means of communicating information2 rather than storing

U.S. Const. amend. IV. emphasis added. Leahy, Lee Introduce Legislation to Update Electronic Communications Privacy Act, Patrick Leahy United States Senator for Vermont, http://www.leahy.senate.gov/press/leahy-lee-introduce-legislation-toupdate-electronic-communications-privacy-act (last modified Mar. 19, 2013).
1 2

information, and before it was generally available for public use. Last month Senators Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) introduced The Electronic Communications Privacy Act Amendments Act of 2013 (Amendments).3 If passed, these Amendments will better define online privacy, especially as it relates to emails and documents stored with a third party. The Electronic Communications Privacy Act In 1986 the ECPA was passed as an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which protected communications that could be overheard aurally,4 and which were sent via wire through a common carrier.5 The ECPA was meant to amend a nearly 20-year-old bill, which was viewed as hopelessly out of date [because] [i]t ha[d] not kept pace with the development of communications and computer technology nor with the changes in the structure of the telecommunications industry.6 Likewise, the world was much different in 1986 than it is today. When the ECPA was approved by the senate, very few individuals owned cell phones, even less used email and the word cloud almost always meant a visible mass of particles of condensed vapor suspended in the atmosphere of a planet.7 A lot has changed in the last 30 years, but surprisingly the ECPA has remained almost completely unchanged.

3 4 5 6 7

Id. United States v. New York Telephone Company, 434 U.S. 159, 167 (1977). 18 U.S.C. 2510 (16) (D). S. Rep. No. 541, S. REP. 99-541, 2, 1986 U.S.C.C.A.N. 3555, 3556. "cloud." Merriam-Webster Online Dictionary. 2013. http://www.merriam-webster.com (2 Jan. 2004).

The ECPA is divided into two titles. Title I consists of the Wiretap Act, which protects interception and disclosure of wire, oral, or electronic communications,8 which are still in the process of being transmitted; this title can be found in 18 U.S.C. 2510-2522. Title II consists of the Stored Communications Act (SCA), which protects against unlawful access to stored communications9, and can be found in 18 U.S.C. 2701-2712. Each of the titles operate in the same basic way: generally prohibiting unauthorized access to communications and other personal information, but permitting specified exemptions, one of which provides the government with the ability to obtain direct access or to compel a third party to turn over information.10 Due to the strong Fourth Amendment protections given to emails that are still in transit (granted by the Wiretap Act), as well as the protection of files stored on an individuals personal computer,11 most of the attention here will focus on the SCA which regulates email and documents stored with a third-party. The SCA provides some protection to both the content of a stored communication, as well as subscriber (non-content) information of that stored communication. Beyond the distinction of content and non-content information, however, the SCA becomes a little more difficult to understand. The SCA regulates emails and other documents stored with two primary types of online service providers; electronic communication service providers (ECS) and remote computing

8 9

18 U.S.C. 2511. 18 U.S.C. 2701, emphasis added. 10 Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications: A Critical Perspective of the Electronic Communications Privacy Act, 72 Geo. Wash. L. Rev. 1557, 1566 (2004). 11 See Kyllo v. United States, 533 U.S. 27 (2001).

service providers (RCS). The SCA defines an ECS as any service which provides to users thereof the ability to send or receive wire or electronic communications, 12 and an RCS as the provision to the public of computer storage or processing services by means of an electronic communication system.13 In short, an ECS provides a service that supports communications by others, while an RCS provides a service that supports communications to its systems that either store and/or process information on the senders behalf.14 The statute refers to ECS and RCS providers as being completely different, and affords them different levels of protections; even though this model of electronic mail and Internet activity is generations behind current practice and technology.15 The distinction between an ECS and RCS is very important according to the SCA. The SCA states that the contents of a communication that have been in storage by an ECS for one hundred and eighty days or less cannot be compelled to be disclosed by a government entity without a warrant.16 However, the same email that continues to be stored by that same ECS for longer than one hundred and eighty days can be compelled to be disclosed by a government entity without giving notice to the subscriber of that service with a warrant; or by giving notice to that subscriber but with only a subpoena or a court order instead of a warrant.17 However, if the contents of

18 U.S.C. 2510 (15). 18 U.S.C. 2711 (2). 14 Mulligan, 72 Geo. Wash. L. Rev. at 1567. 15 Robert Gellman, Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, at 12 (Feb. 23, 2009). 16 18 U.S.C.A. 2703(a)-(b). 17 Id.
12 13

that electronic communication are held by an RCS, rather than an ECS, those contents can be compelled to be disclosed by a government entity with only a subpoena or a court order, even if they are less than one hundred and eighty days old.18 It is not always clear whether or not an email or a document will be found to be held by an ECS or an RCS, or both. The Ninth Circuit has held that a service provider cannot be both an ECS and an RCS.19 However, other courts have held that a provider may be deemed to provide both an ECS and an RCS to the same customer,20 and that it is more important to ask whether the particular communication is being provided with an ECS or an RCS service. A great practical example of the confusing nature of this law can be found in an illustration published in an article from the 2004 George Washington Law Review: [E]mail that has been received by a service such as Yahoo! but has yet to be opened by its intended recipient would clearly be in electronic storage and Yahoo! would be a provider of ECS for that email. For another email addressed to the same subscriber but already opened by the intended recipient, it is unclear whether Yahoo! would be an ECS or, as the Department of Justice asserts, an RCS provider, or whether it would fall outside of the SCA all together. While the message is no longer in storage incident to transmission, it may still be considered as maintained for backup protection, as one circuit court recently held, and therefore still considered to be in electronic storage. On the other hand, because the message is no longer on its way to its final destination it may be, as the DOJ contends, that the message should be considered to now be held in storage for the recipient by an RCS. Given that when Congress was drafting the SCA, email had to be actively moved into storage if it was to be maintained longer than a few months, it may be that an email retained on the server of an electronic communication service provider simply falls outside the scope of the SCA. Finally, consider the initial email being held but not opened for 180 days. Under the SCA it is now available to law enforcement under the lower standards governing access to electronic communications held by an RCS.21
18 19 20 21

Id. See Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 902 (9th Cir. 2008). See Flagg v. City of Detroit, 252 F.R.D. 346, 362 (E.D. Mich. 2008). Mulligan, 72 Geo. Wash. L. Rev. at 1569.

These distinctions seem to be so arbitrary and outdated that they likely do not conform to anyones practical expectations of privacy. Expectations of Privacy As I am writing this paper I am realizing that this document is being synced with my Microsoft SkyDrive account. In fact, the document cannot even be found on my local computer as it is being completely saved to the cloud. Because this paper is being

stored and processed by Microsoft, it would likely be considered to be stored by an RCS

service. This means that a government agency could gain access to this document without a warrant. Because I did not intend this document to be read by the public (at least while I was still drafting it), and my intention when uploading it to the SkyDrive was mainly document protection, the ease of access that the government would have to this document lies well outside my reasonable expectation of privacy. While my expectation of privacy might differ from the general publics expectation of privacy, I believe that most people would be shocked at how different privacy laws pertaining to information stored by a third-party are, as compared to similar laws relating to information stored on a personal computers hard drive. As a practical matter it would also be helpful to look at the General Petraeus scandal, and the emails which eventually lead to his resignation.22 The facts of that scandal generally

22

The emails that eventually led to General Petreaus resignation were stored in the drafts folder of a third-party email service provider. Because these emails had already been opened and were being searched in Florida, no warrant would have been needed to search these emails. It is unclear whether the authorities in this case actually did use a warrant or only a subpoena.

imply that even the director of the CIA had his expectations of privacy violated.23 Why is this expectation of privacy important? In Katz v. United States, Charles Katz had been convicted with transmitting wagering information by telephone from Los Angles to Miami and Boston in violation of a federal statute.24 In prosecuting this case the Government was permitted to introduce evidence of [Katz]s end of telephone conversations, overhead by FBI agents who had attached an electronic listening and recording device to the outside of the public telephone boot from which he had placed his calls.25 The Court held that [w]herever a man may be, he is entitled to know that he will remain free from unreasonable searches and seizures,26 indicating that the Fourth Amendment protects people, not places.27 It is well known that Justice Harlans concurrence in that case has set precedence for almost all Supreme Court privacy cases. Justice Harlan wrote that an enclosed telephone booth is an area where, like a home, and unlike a field, a person has a constitutionally protected reasonable expectation of privacy [and] that electronic as well as physical intrusion into a place that is in this sense private may constitute a violation of the Fourth Amendment.28 He explained that there is a two-part test that can be used to analyze the expectation of privacy. First, the person must

23

It is obvious that Petreaus intended to keep these communications private as they were never actually sent but only stored in the drafts folder of his inbox. It appears that even the director of the CIA had his expectations of privacy violated. 24 Katz v. United States, 389 U.S. 347, 348 (1967). 25 Id. 26 Id. 27 Id. 28 Id.

have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as reasonable.29 Justice Harlan went on to explain that a persons home might be a private place, but anything he exposes to the plain view of outsiders30 would not demonstrate that the person attempted to keep those things private. Alternatively, he explained, conversations in the open would not be protected against being overheard so any expectation that those conversations to remain private would be unreasonable.31 Applying this analysis to the facts of the Katz case, Justice Brennan explained that the reasonable expectation of privacy turned on the fact that although a phone booth is a public place at times; upon closing the door behind him, Katz reasonably believed that his conversation would not be overheard. The Internet is in general a very public place. A message that is posted in an online forum can be read by the world. A photo that is publish on pinterest or instagram might be viewed by tens of thousands. However, every email inbox is protected by a password. The Microsoft SkyDrive account where this document is saved is likewise password protected, as is almost every other cloud computing service. If the public intended for their emails to be read or overheard by the public, passwords would be not be necessary. These passwords can be compared to closing the door on a phone booth. Not all courts, however, have agreed that email deserves this reasonable expectation of privacy. For example, a court of appeals in the Eleventh Circuit has

29 30 31

Id. Id. Id.

stated that voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information.32 A court of appeals in the Second Circuit likewise held that a person cannot enjoy an expectation of privacy in transmissions over the Internet or email that have already arrived at the recipient.33 However, these cases focus on the privacy rights of those emails being forfeited because the disclosure of the emails to the Government was done by the recipient of those emails; not by a third-party. [T]he courts in Lifshitz and Rehnberg did not determine the level of protection afforded to email that travels through or is stored with a third-party ISP.34 The Department of Justice as well as many courts would grant third-party ISPs a third-party exemption and treat them as though they were the recipients of the email. These third-party exemptions are not unique to electronic communications. The cases from which the Department of Justice and many courts have pulled this third-party exemption doctrine; United States v. Miller35 and Couch v. United States;36 were decided well before e-mail was invented. I believe that email communication stored with a third-party ISP can and should be distinguished from these cases; third-party exceptions should not be granted in order to retrieve communications stored with third-party ISPs.

Rehberg v. Paulk, 598 F.3d 1268, 1282 opinion vacated and superseded on reh'g, 611 F.3d 828 (11th Cir. 2010) aff'd, 132 S. Ct. 1497, 182 L. Ed. 2d 593 (U.S. 2012). 33 United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004). 34 Spencer S. Cady, Reconciling Privacy with Progress: Fourth Amendment Protection of Email Stored with and Sent Through A Third-Party Internet Service Provider, 61 Drake L. Rev. 225, 241 (2012). 35 U. S. v. Miller, 425 U.S. 435 (1976). 36 Couch v. United States, 409 U.S. 322 (1973)
32

Third-Party Exemptions In United States v. Miller, Miller made a motion to suppress microfilms of checks, deposit slips, and other records relating to his accounts at two banks37 which had been subpoenaed. Miller charged that this was a violation of his Fourth Amendment privacy rights. The Court held that Miller did not have a right of privacy because these were business records of the banks, not [his] private papers.38 Likewise in Couch v. United States, the IRS summoned documents given to Couchs Accountant for use in preparing his taxes. In that case the Court held that no Fourth Amendment claim can prevail where, as in this case, there exists no legitimate expectation of privacy 39 especially where a lot of this information would eventually be disclosed to the government, under the discretion of the accountant. I believe that email stored with an ECS or RCS should be distinguished from the businesses (the banks in Miller and the accountant in Couch), and no third-party exemption should be given to third-party ISPs. In these cases, the businesses did not merely act as conduits or storage facilities for the records; they acted upon the records independently.40 That is, the banks were using the financial information in Miller, and the accountant was using the information he was given in order to prepare a tax return. That makes these third-parties more analogous to the recipient of an email, rather than a service that transmits or stores the email or document. This line of reasoning was

37 38 39 40

Miller, 425 U.S. at 435. Id. Couch, 409 U.S. at 619. Mulligan, 72 Geo. Wash. L. Rev. at 1579.

10

recently used in the monumental Sixth Circuit case United States v. Warshak41 which, despite the holdings of the above mentioned cases, held that emails held by third-party ISPs are protected by the Fourth Amendment. Additionally, Justice Sotomayors recent concurrence in U.S. v. Jones indicates that at least some justices are reconsidering the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.42 43 United States v. Warshak In U.S. v. Warshak, Steven Warshak (Warshak) owned and operated Berkley Premium Natraceuticals, Inc. (Berkley). Berkley was involved in some questionable advertising and sales practices. In order to compile evidence against Berkley, the government formally requested that NuVox Warshaks Internet Service Provider prospectively preserve the contents of any emails to or from Warshaks email account without Warshaks knowledge.44 A few months later, the government obtained a subpoena and compelled NuVox to turn over the emails that it had begun preserving the previous year.45 Later that year, the government served NuVox with an ex parte court order that required NuVox to surrender any additional email messages in

41 42

United States v. Warshak, 631 F.3d 266 (6th Cir. 2010) United States v. Jones, 132 S. Ct. 945, 957 (2012). 43 Justice Sotomayor goes on to note that the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties is ill suited to the digital age due to the amount of information that people disclose to third parties on a daily basis. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers.I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. U.S. v. Jones, 132 S. Ct. at 957. 44 Id. at 283 (6th Cir. 2010) 45 Id.

11

Warshaks account. In all, the government compelled NuVox to reveal the contents of approximately 27,000 emails.46 Warshak was not notified of this activity for more than a year. Warshak claimed that his Fourth Amendment Rights had been violated. The court in Warshak analyzed this Fourth Amendment claim under the Katz test (discussed supra). Under the subjective prong of the test (which asks whether or not there was a reasonable expectation of privacy), the court found that Warshak plainly manifested an expectation that his emails would be shielded from outside scrutiny because his entire business and personal life was contained within the emails seized.47 Under the second prong of the test (which asks whether or not society will recognize that expectation as being reasonable), the court first looked at the vital role email plays in many peoples lives. It then noted two very important points. First, the very fact that information is being passed through a communications network is a paramount Fourth Amendment consideration. Second, the Fourth Amendment must keep pace with the inexorable march of technological progress or its guarantees will wither and perish.48 The court went on to analyze the facts of Warshak under the second prong of the Katz test, noting that in Katz government agents had affixed an electronic listening device to the exterior of a public phone booth, and had used the device to intercept and record several phone conversations notwithstanding the fact that the telephone company had the capacity to monitor and record the calls.49 The court then noted that letters being processed by the U.S. Postal Service receive similar

46 47 48 49

Id. Id. at 284. Id. at 285. Id.

12

protection (and are similar to emails in the type of information contained therein), it noted that [w]hile a letter is in the mail, the police may not intercept it and examine its contents unless they first obtain a warrant based on probable cause [even though] any [mail carrier] could tear open the thin paper envelopes that separate the private words from the world outside [because] trusting a letter to an intermediary does not necessarily defeat a reasonable expectation that the letter will remain private. 50 The court distinguished this case from Miller because in Miller, the records involved were business records, not confidential communications, and that in Miller the information was conveyed to the bank so that the bank could put the information to use in the ordinary course of business,51 while the communications held by NuVox were received by NuVox as an intermediary, not [as] the intended recipient of the emails.52 Finally, the court held that Warshak did enjoy a reasonable expectation of privacy in the contents of emails that are stored with, or sent through, a commercial ISP, and that [t]he government may not compel a commercial ISP to turn over the contents of a subscribers emails without first obtaining a warrant based on probable cause.53 It went on to hold that any part of the SCA that allows the government to seize emails from an ISP without a warrant is an unconstitutional violation of the Fourth Amendment.54

50 51 52 53 54

Id. Id. at 288. Id. Id. Id.

13

As much of a victory as Warshak was for advocates of online privacy, it is still only binding authority in Kentucky, Michigan, Ohio, and Tennessee (the Sixth Circuit). Prior to Warshak, no other court had declared that the SCA was unconstitutional. Since Warshak very few courts have had the opportunity to accept or reject the Warshak reasoning. Based on some if its previous holdings, it would not be hard to imagine the Ninth Circuit adopting the holding from Warshak if a similar case were to arise there. (see Theofel v. Farey Jones, where the court went far enough to say that the department of justice has too narrow a definition of electronic storage under the SCA, and that previously accessed emails can still be considered to be held in electronic storage, which would mean that once an email is opened it would be considered held by an ECS, not an RCS55 as the Department of Justice contends56; see also Konop v. Hawaiian Airlines, Inc., where the Night Circuit said that the SCA was difficult to interpret because the ECPA was written prior to the advent of the Internet and World Wide Web making the existing statutory framework ill-suited to address modern forms of communication.57 That same court went on to note that until Congress brings the laws in line with modern technology, protection of the Internet and websites will remain a confusing and uncertain area of the law).58 A Missouri Court of Appeals recently cited Warshak and applied its email rule to text messages, holding that retrieving text messages from the third-party carrier with only a subpoena violated an

55 56 57 58

Theofel v. Farey-Jones, 359 F.3d 1066, 1070 (9th Cir. 2004). http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf, pp. 125. Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002). Id.

14

expectation of privacy.59 Under the same analysis as email, a cellular service provider should be treated the same as an ECS until a text message is read, at which point it might be treated as an RCS. However, due to the confusing nature of the SCA nobody is quite sure if that is how they will be treated. Because of this level of confusion, it is necessary that the ECPA be amended. Electronic Communications Privacy Act Amendments Act of 2013 As discussed above, courts have been unable to agree on how to apply the Electronic Communication Privacy Act to modern forms of communication. The Sixth Circuit has held that at least part of the SCA is unconstitutional because it violates Fourth Amendment privacy rights. Many individuals, non-profit organizations, and companies have advocated that the bill be amended. Digital Due Process, a diverse coalition of privacy advocates, major companies and think tanks60 (including both the ACLU and Google) stands at center stage in the fight to amend this bill. Prior to the introduction of the Amendment, the Department of Justice was opposed to any modification to the ECPA that would require a warrant for all emails, regardless of their age, because (according to Associate Deputy Attorney General James A. Baker) it was worried that this type of rule would unnecessarily hinder the governments ability to effectively and efficiently enforce the criminal law and protect national security.61

State v. Clampitt, 364 S.W.3d 605, 611 (Mo. Ct. App. 2012), reh'g and/or transfer denied (Feb. 28, 2012), transfer denied (May 29, 2012). 60 http://digitaldueprocess.org/index.cfm?objectid=DF652CE0-2552-11DF-B455000C296BA163 61 Baker, James A. Statement to the Senate, Committee on Judiciary. The Electronic Communications Privacy Act: Government Perspectives on Protecting Privacy in the Digital Age, Hearing, April 6, 2011. Available at: http://www.judiciary.senate.gov/pdf/11-4-6%20Baker%20Testimony.pdf; Accessed: 4/5/2013.
59

15

However, on the day that the Amendments were proposed, the Department of Justice made a statement to the House Committee on the Judiciary that indicates that it has changed its opinion. On that day, Elana Tyrangiel, the Acting Assistant Attorney General for the Office of Legal Policy stated that there is no principled basis to treat email less than 180 days old differently than email more than 180 days old. Similarly, it makes sense that the statute not accord lesser protection to opened emails than it gives to emails that are unopened.62 While she went on to make a number of recommendations for an update to the ECPA, it appears that even the Department of Justice now agrees that a search warrant should be necessary to compel a third-party to turn over stored communications in a criminal investigation. This is the portion of the SCA that the Sixth Circuit declared unconstitutional, and is the portion that is impacted most by the proposed Amendments. If ratified, the Amendments would change the existing law to remove the legal distinction of an ECS and an RCS. The updated bill would simply state: (a) Contents of Wire or Electronic Communications. A governmental entity may require the disclosure by a provider of electronic communications service of remote computing service of the contents of a wire or electronic communication that is in electronic storage with otherwise stored, held, or maintained by the provider only if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued by using State warrant procedures) that is issued by a court of competent jurisdiction directing the disclosure.63

Tyrangiel, Elana. Statement to the House, Committee on the Judiciary. The Electronic Communications Privacy Act (ECPA). Hearing. March 19, 2013. Available at: http://judiciary.house.gov/hearings/113th/03192013_2/Tyrangiel%2003192013.pdf; Accessed: 4/5/2013. 63 The Electronic Communications Privacy Act Amendments Act of 2013, S. 607 (proposed March 19, 2013) (to be codified at 18 U.S.C. 2701). Available at: http://www.leahy.senate.gov/download/ecpa-bill2013.
62

16

These Amendments would do a lot to clarify the confusing points surrounding the SCA. First, there would be no distinction between an ECS and an RCS. This means that whether or not an electronic communication is in storage prior to or after its opening, it would be treated the same. These Amendments would also require that a warrant be served in any situation where the government is attempting to compel disclosure by a third-party service provider of any content information from any electronic communication, thereby treating them the same as other mediums of document storage and communication. These Amendments would give clarity to law enforcement agents that are attempting to retrieve documents from a third party service provider. As the current law stands, the state of delivery and jurisdiction of the court might cause different rules to apply; which might lead some evidence being excluded from a case. Nobody is benefited when law enforcement agents cannot do their job due to uncertainties related to the law. As the Supreme Court has noted, clarity in the Fourth Amendment context benefits the public and law enforcement alike.64

Burr, J. Beckwith. The Electronic Communications Privacy Act of 1986: Principles for Reform. http://digitaldueprocess.org/files/DDP_Burr_Memo.pdf (referring to Arizona v. Roberson, 486 U.S. 675, 681-682 (1988); and Oliver v. U.S., 466 U.S. 170, 181-182 (1984).
64

17