No Fourth Amendment Protection in E-Mail Addresses, IP Addresses, Ninth Circuit Holds:
Commentators and Congress have long assumed that government surveillance of non-content "header" information like e-mail addresses and IP addresses, typically done by a service provider, does not violate a Fourth Amendment "reasonable expectation of privacy." Today the Ninth Circuit became the first court to hold this directly in United States v. Forrester.
My major concern with this opinion is that, unless I'm missing something, the opinion does not actually say how the surveillance occurred. The Court states that the government used "a pen register analogue on [the defendant]’s computer" to collect the IP address, to/from e-mail addresses, and total volume transferred. But the reader is left guessing what that means.
Consider two possibilities. The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. If so, the analogy to Smith v. Maryland is really clear, and the result in Forrester is clearly correct. The second possibility is that the Court meant what it said literally: the government installed a pen register analogue "on [the defendant's] computer," which seems to suggest some kind of surveillance device actually inside the person's machine. If that's right, I tend to think this is a different case. At that point the facts become a lot more like United States v. Karo, the locating device case, where the use of a surveillance device inside the home was held to be a search.
So which one of these sets of facts occurred? We don't know, as best as I can tell, and without knowing I find it hard to tell if I agree with the decision. More broadly, it will be hard for other courts to know what to make of the precedent: Is the court saying that the government can remotely install a surveillance device on your personal machine so long as the information collected doesn't implicate a reasonable expectation of privacy? Or are they only saying that the provider can collect that information from inside the provider's network on the government's behalf?
Maybe I'm just missing the part of the opinion that explains this? If so, please let me know in the comment thread. And thanks to Terry Edwards for the link.
This spam prevention device "in theory" can gather the same information the government is looking for....
Since Smith v. Maryland indicates the latter is not a search, why should the former be possibly thought of as a search?
Apply same logic to e-mail, since the headers contain sender/recipient information (though they also contain some subject matter information).
I'm also not sure whether I agree with the pen register thing. Normally I'd just flat out disagree - I take a virtual rather than physical view of the 4th Amendment when dealing with electronic privacy - but if there was an ACTUAL physical presence on the person's property - i.e., if they installed a bug - then I'd be a little concerned in any event. Maybe there needs to be a physical AND virtual view - but with a very limited understanding of what physical means?
Shortly afterwards, Congress passed a law prohibiting law enforcement from obtaining this information without a warrant. In other words, Congress seemed to be saying that people do, in fact, assume that the phone numbers they dial are private.
If that is the case, I'm curious why the pen register decision has never been reviewed and overturned. I'm going to assume that the "reasonable expectation of privacy" is a fluid concept that can change over time based on current expectations. As the recent HP case made clear, obtaining somebody's phone records is well beyond the scope of what citizens consider to be normal, polite, and ethical behavior. By this point in time, I see no reason why the court can't finally say "yes, you have a reasonable expectation of privacy in the numbers dialed from your phone." Basically what I'm saying is that even if the pen register case was rightly decided 30 years ago, our expectations of behavior have long since questioned that decision.
And, if that's true, the modern equivalent of phone numbers -- IP addresses, etc. -- should be just as protected.
The Fourth Amendment doesn't work that way. If you want to get into the details of why, this article of mine might help.
Perhaps it's time to rethink the idea that if you entrust information to a 3rd party you have abdicated your privacy w/r/t that information except in some very specific circumstances.
I can't cite this, but in NY, there is supposedly no expectation of privacy in your bank records -- so the police can get them without a warrant. Assuming this is true, doesn't that disturb you? Most people consider their bank records and other financial information to be one of the most private pieces of information they have.
Perhaps it's time to move towards a more sliding scale 4th Amendment jurisprudence that considers more than just a binary yes-it's-private, no-it's-not-private system. The fact is that it's virtually impossible today *not* to entrust certain types of information to others while still living in modern society. Sure, you can keep all your cash under your mattress -- in which case you'll have some privacy in your finances -- but very few people are willing to do that. Perhaps we need to begin considering the context in which people entrust information to others via certain types of business relationships. Phone records, bank records, and ISP records are all the kinds of things which most people would be horrified to find released without their information. The service providers in these cases are "entrusted" with this information in the eyes of most people. (Also, for simplicity, I'm going to limit this suggestion to certain commercial relationships; a secret you tell your best friend shouldn't get protection.)
Would it be a more difficult system than the current yes-no jurisprudence? Absolutely. But it would also more realistically approximate how people view expectations of privacy.
Does it really matter that it's the same kind of information? Perhaps it's more important to consider to what extent the information is disclosed to third parties.
In the early days of the phone system you had to actually tell a human being who you wanted to call before a call could be connected. Obviously a third party at that point knew who you were calling. The line that courts have drawn between phone numbers and call content seems (and IANAL) to have something to do with the fact that the phone company actually does things with the numbers, such as connecting the call, billing, etc and so some phone company employee might reasonably come across this information in the course of doing his or her job.
This seems to get less and less reasonable the more automated things are. Would an employee at an ISP ever come across the IP addresses you've accessed? Not unless they installed a sniffer, in which case they'd see the content as well. Same thing for email. The To and From addresses are stored in the same file as the content. You open it, you see everything.
So the idea that on the Internet third parties are walking around with this addressing information, and so you've no expectation of privacy in regard to it, but they aren't aware of the content of the communications, so you can consider that private, isn't terribly realistic. IMHO either you've got a natural expectation of privacy in regard to all of it or none of it.
On p.8086 (p.16 in PDF), "We therefore hold that the computer surveillance techniques that Alba challenges are not Fourth Amendment searches."
But according to the description on p.8075 (p.5 in PDF), the government installed surveillance software or hardware on Alba's computer.
This was a Fourth Amendment search even under the (pre-Katz!) Silverman standard! If the government hadn't had a court order, I'd have no problem seeing a computer trespass! For the Ninth Circuit to "hold" that these techniques are not Fourth Amendment searches defies credulity.
This Ninth Circuit panel has lost its collective mind. They're smoking crack.
Is installing "a pen register analogue on Alba’s computer" physical intrusion?
Would it make a difference if the pen register analogue was remotely installed on the defendant's computer? (e.g. through some kind of remote exploit or Trojan Horse?)
As sundry movements to amend the Constitution have waxed and waned, I've been arguing that privacy merits status as an essential right. It deserves explicit constitutional protection and is increasingly vulnerable without it. Ordinarily, assumptions about what the Founders might or might not have sufficiently envisioned generally depend on the eye of the beholder. In this case, however, we ourselves only began to understand the powers we're unleashing a mere ten years ago. It seems increasingly clear that the nature and magnitude of potential - revolutionary! -- incursions upon one's person, in everything from medicine to electronics, represent a substantially new threat for which we are poorly provisioned and pose legal questions we are poorly equipped to answer consistently. We will not be able to limp between penumbra and expectation successfully much longer.
Unfortunately, Conservatives, who should be the natural proponents of a privacy amendment, have been hopelessly compromised by their commitment to a pro-life position which is fundamentally and necessarily anti-privacy. Anyone who disagrees should feel free to take up the challenge I'd like to propose to the Conspiracy's legal gurus:
If you could fashion a 28th Amendment, codifying the expectation of privacy, what would it look like?
I suspect the court's terminology of "a pen register analogue" is being used in a broad sense. I submit you can translate it into layman's language as "A surveillance collection technique that is analogous to pen registers of old was used to collect the data".
Also, I am wondering -- to what extent should an ISP be expected to cooperate with investigators in invading the privacy of a customer?
I didn't know this rule was passed. I think it's a good rule nevertheless if the notion of precedent is supposed to mean anything. Does this mean there is no longer any practical difference between published and unpublished opinions?
For example, right now I am within at least three levels of this sort of port and IP address remapping. I have a router about a foot from my laptop here that multiplexes all the ports from the various computers here onto a single IP address. Then, a second router in the basement of the building does the same for the 36 units in the building. And then the ISP sometimes does the same. Probably, more often, the ISP dynamically temporarily allocates an IP address to a user/ computer/ router (in this case, the router in the basement for the 36 units sharing the same DSL connection).
Mention above was made about logical ports. In the case of email, the typically relevant ports are 25 (SMTP) and 110 (POP3). But these are translated and multiplexed by those same firewalls and routers that screwed up the IP addresses, and, indeed, the way that this whole system works is that this translation of logical ports allows routers, etc. to multiplex all the logical ports from multiple IP addresses on a single IP address.
If you want to intercept the incoming mail for someone, the easiest place to do it is at his mail server. His incoming IP address and port are liable to change every time, but his userid (or mailbox name) stays the same. Alternatively, you can tap his email client on his computer. Anything else gets to be pretty messy.
Outgoing mail may be more difficult, depending on the sophistication of the sender. Obviously, again, it can be tapped from his email client, or as noted above, behind the inner firewall/router. If the sender is not overly sophisticated, and is using his mail provider for outgoing mail, then it can be intercepted there again. But that becomes difficult if the sender is like me and runs his own email server, since email servers most often connect directly to destination mail servers via SMTP. Of course, in that case, in order to allow for incoming mail, you need to pass SMTP traffic through the routers and firewalls without network address translation (NAT).
But if the police attached the pen register to the computer itself, or put it on the line w/i the house, how did they manage to do so? I think that I would notice new hardware hanging on the line or on my computer, and I am fairly certain that they couldn't sneak software onto my computer w/o my knowing it. If there are back doors to Windows, etc., I think that we would all like to know about them. And the current generation of spyware and virus removal software seems to do a pretty good job at removing Trojans and the like, as suggested above.
I'd have to say that they are entirely different, because one can access an "incriminating" website accidentally, and APPEAR to spend considerable time on it. But if you dial a phone number accidentally, you aren't going to spend 15 minutes on the phone with the person on the other end of the line.
Imagine that you found yourself clicking on a link to an "incriminating" website by mistake, but while the page was loading, the door-bell rang, and you didn't wind up getting back to the computer for 15 minutes. The prosecutor would be able to say "Kerr spent 15 minutes on this terrorist website which described in detail how to fabricate the bomb used in the terrorist act that he has been accused of", and your defense would be what exactly?
In principle, the government should be able to collect the same kind of "envelope information" from email that they can with snail mail. The problem, of course, is that the devices that collect email information can collect a great deal of other data too...
You're not nearly paranoid enough.
At least one multinational corporation in the IT field performs routine sweeps for keylogging devices attached between the keyboard and the box. It's presumed that neither developers and testers nor administrative and management staff will notice these devices, as they typically are fairly small. This particular corporation does perform classified government work—but I'm talking solely about the computers used for unclassified and non-government work. This sweep requires manpower and costs money—this corporation's security management presumably thinks it's worth paying for.
With software, if you want to be "fairly certain" that there's been no unauthorized installation, then use a live CD, like Ubuntu or Knoppix—from a known source. Alternatively, keep the entire machine off any network and physically secured. Otherwise, you're just fooling yourself about your skills vs. the universe of potential attackers. There are attackers out there whose skills are better than yours—count on it.
At the top of most computer security threat models is the threat called a "major nation state".
Regardless of the aggregation of "internal" addresses via NAT that you speak of, what's hard about monitoring your outgoing IP traffic by inspecting as it arrives from your building's router at the ISP? Yes, the monitor will get the traffic from everyone in the building, but that's only a difference in degree from the fact that even if you had your own, individual connection the monitor would still have to look at every single packet to determine which ones were SMTP or POP3 traffic.
The only hard part is figuring out which dynamic address/port currently belongs to you, but since neither SMTP nor POP3 is encrypted, the solution is left as a fairly simple exercise for the reader...
The visionaries see a not too distant future where you keep your data on a contracted provider who has the resources to guarantee always available access and multiple redundant backup. Think Google. However, if the only way I can keep my papers private is to keep them on my own server in my own home then that is what will happen. At that point we are back to a technical future equivalent to 1960. It just all runs faster.
The 4th needs to be amended to expand 'reasonable searches and seizures' to your papers regardless of location or format.
In the main you are right. However, I would point out that many programs and ISPs provide SMTP that is encrypted via SSL.
The defense to the charge would be whatever it is--There was nothing illegal about what I did; I was researching; there was a technical problem with my computer and I couldn't get out of the site (or didn't mean to go there and then couldn't get out); I went to the bathroom; the government had the device on for, say, three months, and only had one "hit;" the device shows I didn't download anything; I was just browsing, etc.
The admission of evidence captured in this fashion--like evidence obtained in any other manner--does not prove the charge; it's just evidence.
BTW--this case involved Ecstasy manufacturing, not terrorism.
Both sets of information were ruled to be public because both are required by the carrier in question to perform the service contracted, multiple persons associated with the carrier have to be able to access and evaluate that information in order to do their jobs under the contract, and persons not under the direct control of the carrier cannot be reasonably barred from being able to access this information.
That last one is a bit complicated but it basically boils down to the fact that the mail carrier has to be able to read the address of a letter in order to place it in the correct box and a hypothetical bystander could easily read it over his shoulder.
The Ninth Circuit’s ruling in The United States v. Forrester has expanded this view of public access to address data for private communications to include internet connection and e-mail address data as well as phone numbers.
I believe this is a problematic ruling. While TCP/IP address recorders and E-mail header recorders at the Internet Service Provider would obviously fall under an expanded Smith v. Maryland, they are not the only ways of obtaining this information.
It is possible to put “internet pen registers” on a subject’s personal computer. These computer resident pen registers can easily be installed on the target computer directly from the internet by using a specially constructed computer virus or Trojan Horse program. These methods do not require physical access to the computer or physical intrusion to 4th Amendment protected space.
These computer resident pen registers have some unique advantages over ISP resident pen registers; anytime the computer is on they are active and can record connection data no matter which Internet Service Provider the computer is connected to. When the subject’s computer is a laptop, a computer resident pen register can record data no matter where the computer is taken and no matter what legal jurisdiction it is in. A computer resident pen register can also record data when stored documents such as archived emails or saved internet files are accessed. Even more problematic, data collected from stored documents may predate the installation of the resident pen register on the subject’s personal computer.
I don’t think the 9th Circuit has sufficiently evaluated the extra possibilities for intrusion that computer resident pen registers give law enforcement authorities.
(There are exceptions: a page can try to force a periodic reload using Javascript or the 'refresh' meta-tag. Some sites, especially news sites like the New York Times, do this, but it's not that widely used elsewhere in my experience.)
So all you have in the hypo is a burst of traffic followed by 15 minutes of no traffic. That doesn't prove squat.
It's a missed opportunity.
I don't think the 9th Circuit has sufficiently evaluated the extra possibilities for official corruption from authorizing warrantless computer intrusion by law enforcement personnel.
We all know that the severest threats come from people with some form of authorized access.
Face it, your average law enforcement computer technician is just woefully underpaid.... they work hard, and they really deserve to pick up some extra cash, don't you think?
It's a trade-off between the resources expended on counter-measures and the likely attacks. The presumption is that a device can be quickly attached between a keyboard and box by a guest or someone with a limited time unobserved in the area. An attacker with more time (and sufficient resources) will presumably hide the device better.
Likewise, while the sweeps are "routine", there's still a window of vulnerability between sweeps, so there's a deterrent logic in making the counter-measure somewhat known.
For an individual, the risk assessment is probably totally different. Do you have to worry about industrial espionage? State-sanctioned industrial espionage?
My personal most formidable countermeasure against keyboard logger device installation is the absolute certainty of terminal boredom for the spy.
After a pre-set time limit has passed, most servers will auto-close the connection (clients can also do this, but I assume that the connection won't be closed from that end, as the webpage is still open in the user's computer in our hypothetical). Apache (the most used http server) has a 15-second limit, but old versions of IIS (second most used http server) had a 15-minute time limit (I believe the current limit is 120 seconds).
That said, I am not sure that this supports the assertion made by lukasiak (since it makes the amount of time spent on a website indeterminate if small enough, it tends to help the defense, rather than the prosecution, right? Then again, I'm no lawyer).
Link to article
Lafave endorses the author's idea that "privity" analysis (a proposed term combining notions of confidentiality and standing), rather than "privacy" analysis, is what courts should engage in when deciding these cases. This seems to be what techielaw is getting at in his above post. The article also discusses the differences between Smith (involving voluntary disclosure without a subpoena) and Miller (involving compelled disclosure). And the article proposes a four-pronged test that seems to address Orin's concern about collecting otherwise unprotected information by unreasonable means. I'd imagine this area of the law will become more settled over the next decade.