Slashdot Mirror

cold fjord writes "Reuters reports, 'A blogger is entitled to the same free speech protections as a traditional journalist and cannot be liable for defamation unless she acted negligently, a federal appeals court ruled on Friday. Crystal Cox lost a defamation trial in 2011 over a blog post she wrote accusing a bankruptcy trustee and Obsidian Finance Group of tax fraud. A lower court judge had found that Obsidian did not have to prove that Cox acted negligently because Cox failed to submit evidence of her status as a journalist. But in the ruling, the 9th U.S. Circuit Court of Appeals in San Francisco said Cox deserved a new trial, regardless of the fact that she is not a traditional reporter. "As the Supreme Court has accurately warned, a First Amendment distinction between the institutional press and other speakers is unworkable."... Eugene Volokh, [a] Law professor who represented Cox, said Obsidian would now have to show that Cox had actual knowledge that her post was false when she published it. ... "In this day and age, with so much important stuff produced by people who are not professionals, it's harder than ever to decide who is a member of the institutional press."' Further details are available at Courthouse News Service."

WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?" Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...

WillgasM writes "Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act, according to a judge's broad ruling (PDF) during a case on Friday involving Craigslist and 3taps. Opponents argue that this creates a slippery slope that many unsuspecting web users may find themselves upon. With your typical connection being assigned an address dynamically, is an IP ban really a 'technological barrier' to be circumvented? How long until we see the first prosecution for unauthorized viewing of a noindex page?" Probably a long time; the judge in the case rejected the slippery slope argument: 'There, and sprinkled throughout its earlier, ostensibly text-based, arguments, 3taps posits outlandish scenarios where, for example, someone is criminally prosecuted for visiting a hypothetical website www.dontvisitme.com after a "friend" — apparently not a very good one — says the site has beautiful pictures but the homepage says that no one is allowed to click on the links to view the pictures. Needless to say, the Court’s decision [regarding 3taps' actions]... does not speak to whether the CFAA would apply to other sets of facts where an unsuspecting individual somehow stumbles on to an unauthorized site.' Willful evasion of blocks for commercial gain, on the other hand ...

theodp writes "If Aaron Swartz downloaded JSTOR documents without paying for them, it would presumably be considered a crime by the USDOJ. But if U.S. Attorney Carmen Ortiz or U.S. Attorney General Eric Holder did the same? Rather than a crime, it would be considered their entitlement, a perk of an elite education that's paid for by their alma maters. Ironically and sadly, that's the kind of inequity Aaron railed against with the Guerilla Open Access Manifesto, a document the DOJ cited as evidence (pdf) that Swartz was a menace to society. On Thursday, Ortiz insisted Swartz — who she now characterizes as 'mentally ill' — received fair and reasonable treatment from the DOJ. But that wasn't good enough for Senator John Cornyn, who on Friday asked Eric Holder to explain the DOJ prosecution of Aaron Swartz." Federal prosecutors have come under heavy criticism for their handling of the Swartz case. Legal scholar Orin Kerr provides counterpoint with two detailed, well-reasoned posts about the case. Kerr says that, as the law stands, the charges against Swartz were "pretty much legit," and that the law itself should be the target of the internet community's angst, rather than the prosecutors. "...blame the system and aim to reform the system; don’t think that this was just two or three prosecutors that were doing something unusual. It wasn’t." James Boyle, co-founder of the Center for the Study of the Public Domain, disagrees with Kerr (partly), arguing that Swartz's renown is simply drawing people together to collectively shine a light on poor legislation and poor prosecutorial practices.

theodp writes "If Aaron Swartz downloaded JSTOR documents without paying for them, it would presumably be considered a crime by the USDOJ. But if U.S. Attorney Carmen Ortiz or U.S. Attorney General Eric Holder did the same? Rather than a crime, it would be considered their entitlement, a perk of an elite education that's paid for by their alma maters. Ironically and sadly, that's the kind of inequity Aaron railed against with the Guerilla Open Access Manifesto, a document the DOJ cited as evidence (pdf) that Swartz was a menace to society. On Thursday, Ortiz insisted Swartz — who she now characterizes as 'mentally ill' — received fair and reasonable treatment from the DOJ. But that wasn't good enough for Senator John Cornyn, who on Friday asked Eric Holder to explain the DOJ prosecution of Aaron Swartz." Federal prosecutors have come under heavy criticism for their handling of the Swartz case. Legal scholar Orin Kerr provides counterpoint with two detailed, well-reasoned posts about the case. Kerr says that, as the law stands, the charges against Swartz were "pretty much legit," and that the law itself should be the target of the internet community's angst, rather than the prosecutors. "...blame the system and aim to reform the system; don’t think that this was just two or three prosecutors that were doing something unusual. It wasn’t." James Boyle, co-founder of the Center for the Study of the Public Domain, disagrees with Kerr (partly), arguing that Swartz's renown is simply drawing people together to collectively shine a light on poor legislation and poor prosecutorial practices.

New submitter Ibhuk writes "I leave my email stored online, as do many modern email users, particularly for services like Gmail with its ever-expanding storage limit. I don't bother downloading every email I receive. According to the South Carolina Supreme Court, this doesn't qualify as electronic storage. This means most email users are not protected by the Stored Communications Act. All your emails are fair game, so be careful what you write. From the article: 'This new decision creates a split with existing case law (Theofel v. Farey-Jones) as decided in a 2004 case decided by the Ninth Circuit Court of Appeals. That decision found that an e-mail message that was received, read, and left on a server (rather than being deleted) did constitute storage "for purposes of backup protection," and therefore was also defined as being kept in "electronic storage." Legal scholars point to this judicial split as yet another reason why the Supreme Court (and/or Congress) should take up the issue of the Stored Communications Act.'"

_Sharp'r_ writes "Judge Flavio Peren of Mato Grosso do Sul state in Brazil has ordered the arrest of the President of Google Brazil, as well as the 24-hour shutdown of Google and Youtube for not removing videos attacking a mayoral candidate. Google is appealing, but has recently also faced ordered fines of $500K/day in Parana and the ordered arrest of another executive in Paraiba in similar cases." Early reports indicated that the judge also ordered the arrest of the Google Brazil President, but the story when this was written is that the police haven't received any such order (and an earlier such order was overuled recently). The video is in violation of their pre-election laws.

An anonymous reader writes "Ars reports on a decision from a district judge in Illinois, who ruled that sniffing traffic on an unencrypted Wi-Fi network is not wiretapping. In the ruling, the judge points out an exception in the Wiretap Act which allows people to 'intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.' He concludes that 'the communications sent on an unencrypted Wi-Fi network are readily available to the general public.' Orin Kerr disagrees with the ruling, saying that the intent of the person setting up the network is important: 'No one suggests that unsecured wireless networks are set up with the goal that everyone on the network would be free to read the private communications of others.'"

An anonymous reader writes "A legal paper (PDF), commissioned by Google and written by Eugene Volokh and Donald Falk, makes the case that search results should be protected under the First Amendment, thereby making regulation of search results illegal. The authors say a search engine 'uses sophisticated computerized algorithms, but those algorithms themselves inherently incorporate the search engine company engineers' judgments about what material users are likely to find responsive to these queries.' Cory Doctorow's reaction: 'I think that the editorial right to exercise judgment is much more widely understood than the sacred infallibility of robotic sorting. I certainly support it more. But I wonder if Google appreciates that it will now have to confront people who are angry about their search rankings by saying, "I'm sorry, we just don't like you very much" instead of "I'm sorry, our equations put you where you belong." And oy, the libel headaches they're going to face.'"

Trepidity writes "In a decision today (PDF), the Ninth Circuit Court of Appeals ruled that the Computer Fraud and Abuse Act 'does not extend to violations of use restrictions,' and therefore violating terms of service and corporate use policies is not a federal crime. Law profesor Orin Kerr cheered the decision, but since three other Courts of Appeals have reached opposite decisions, it might be heading to the Supreme Court."

Trepidity writes "In a decision today (PDF), the Ninth Circuit Court of Appeals ruled that the Computer Fraud and Abuse Act 'does not extend to violations of use restrictions,' and therefore violating terms of service and corporate use policies is not a federal crime. Law profesor Orin Kerr cheered the decision, but since three other Courts of Appeals have reached opposite decisions, it might be heading to the Supreme Court."

An anonymous reader writes "The U.S. 11th Circuit Court of Appeals has found that forcing a suspect to decrypt his hard drive when the government did not already know what it contained would violate his 5th Amendment rights. According to Orin Kerr of the Volohk Conspiracy, 'the court's analysis (PDF) isn't inconsistent with Boucher and Fricosu, the two district court cases on 5th Amendment limits on decryption. In both of those prior cases, the district courts merely held on the facts of the case that the testimony was a foregone conclusion.'"

einhverfr writes "Eugene Volokh has posted an interesting discussion of a bill that has been introduced in Arizona, which would tie public school educator conduct to the FCC standards for decency for radio and television. The bill is essentially a three strikes system, firing teachers if they violate FCC standards three times. While the goal of the bill may seem reasonable, the details strike me as silly."

Freddybear writes "Along with 90 (and still counting) other Internet law and IP law professors, David Post of the Volokh Conspiracy law blog has drafted and signed a letter in opposition to Senator Leahy's 'PROTECT IP Act.' Quoting: 'The Act would allow the government to break the Internet addressing system. It requires Internet service providers, and operators of Internet name servers, to refuse to recognize Internet domains that a court considers "dedicated to infringing activities." But rather than wait until a Web site is actually judged infringing before imposing the equivalent of an Internet death penalty, the Act would allow courts to order any Internet service provider to stop recognizing the site even on a temporary restraining order or preliminary injunction issued the same day the complaint is filed. Courts could issue such an order even if the owner of that domain name was never given notice that a case against it had been filed at all.'"

snsh writes "A US judge has ruled for Amazon.com (PDF) against North Carolina's request to turn over the names of its customers to state tax officials. The ruling was focused on privacy grounds, so the state can still re-request less detailed sales data which does not identify items purchased." Reader arbitraryaardvark adds a link to The Volokh Conspiracy's take on the decision.

Artefacto writes "Last Thursday, the Eleventh Circuit handed down a Fourth Amendment case, Rehberg v. Paulk, that takes a very narrow view of how the Fourth Amendment applies to e-mail. The Eleventh Circuit held that constitutional protection in stored copies of e-mail held by third parties disappears as soon as any copy of the communication is delivered. Under this new decision, if the government wants get your e-mails, the Fourth Amendment lets the government go to your ISP, wait the seconds it normally takes for the e-mail to be delivered, and then run off copies of your messages."

sabt-pestnu sends in an update on our story about South Carolina and subversives. "According to Eugene Volokh, the Raw Story article has got it backwards. Westlaw says that the cited statute dates back to 1951, when a lot of anti-Communist statutes were being enacted nationwide. What brought Raw Story's attention to it may be that South Carolina is once again trying to repeal the archaic law. And in any event, a half-century-old case (Yates vs. United States, 354 U.S. 298 (1957)) took most of the teeth out of such laws."

Trepidity writes "In a case that has been winding its way through the courts for a while now, a Wisconsin prison banned inmates from playing Dungeons & Dragons, using the justification that 'one player is denoted the Dungeon Master... [who] is tasked with giving directions to other players... [which] mimics the organization of a gang.' The prison also cited some sparse evidence that a handful of non-inmate D&D players once committed some crimes that allegedly were related to their D&D playing. On Monday the 7th Circuit Court of Appeals upheld the regulation (PDF) against challenges from inmates. The court appeared skeptical of the ban, sarcastically referring to it as the 'war on D&D,' but upheld it nonetheless as having a 'rational basis.' Law professor Ilya Somin suggests that the court may have had no choice, given how deferential rational-basis review usually is."

bfwebster writes "Orin Kerr, a George Washington University law professor who focuses on legal issues regarding information technology (I own a copy of his book Computer Crime Law) raises an interesting issue about a 2001 Supreme Court decision (Kyllo v. United States) that prohibited police from using a thermal imaging device on a private home without a warrant. (The police were trying to detect excess heat coming from the roof of a garage, as an indication of lamps being used to grow marijuana inside.) The Court made its decision back in 2001 because thermal imaging devices were 'not in general use' and therefore represented a technology that required a warrant. However, Kerr points out that anyone can now buy such thermal imaging devices for $50 to $150 from Amazon, and that they're advertised as a means of detecting thermal leakage from your home. In light of that, Kerr asks, is the Supreme Court's ruling still sound?"

Frequent Slashdot contributor Bennett Haselton writes "A federal judge rules that government can obtain access to a person's inbox contents without any notification to the subscriber. The pros and cons of this are complicated, but the decision hinges on the assertion that ISP customers have lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.' Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' — but then what are the consequences for the rest of the argument?" Read on for the rest of Bennett's analysis.

Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)

Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?

Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."

It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:

"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."

This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")

But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)

This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.

Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:

1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."

This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.

2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.

3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)

As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?

Frequent Slashdot contributor Bennett Haselton writes "A federal judge rules that government can obtain access to a person's inbox contents without any notification to the subscriber. The pros and cons of this are complicated, but the decision hinges on the assertion that ISP customers have lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.' Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' — but then what are the consequences for the rest of the argument?" Read on for the rest of Bennett's analysis.

Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)

Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?

Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."

It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:

"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."

This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")

But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)

This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.

Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:

1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."

This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.

2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.

3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)

As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?

DustyShadow writes "In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies."" Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."

DustyShadow writes "In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies."" Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."

Trepidity writes "About seven weeks after the judge tentatively overturned Lori Drew's guilty verdict for 'cyberbullying' following her online harassment of a teenager that was linked to the teenager's suicide, the case was finally officially dismissed. In a 32-page opinion (PDF), the court avoided a minefield of possible follow-on effects that civil-liberties groups had warned of by holding that merely violating a website's Terms of Service cannot constitute 'unauthorized access' for the purposes of the Computer Fraud and Abuse Act (18 U.S.C. 1030)."

Trepidity writes "About seven weeks after the judge tentatively overturned Lori Drew's guilty verdict for 'cyberbullying' following her online harassment of a teenager that was linked to the teenager's suicide, the case was finally officially dismissed. In a 32-page opinion (PDF), the court avoided a minefield of possible follow-on effects that civil-liberties groups had warned of by holding that merely violating a website's Terms of Service cannot constitute 'unauthorized access' for the purposes of the Computer Fraud and Abuse Act (18 U.S.C. 1030)."

Mike writes "Law prof Eugene Volokh blogs about a US House of Representatives bill proposed by Rep. Linda T. Sanchez and 14 others that could make it a federal felony to use your blog, social media like MySpace and Facebook, or any other Web media 'to cause substantial emotional distress through "severe, repeated, and hostile" speech.' Rep. Sanchez and colleagues want to make it easier to prosecute any objectionable speech through a breathtakingly broad bill that would criminalize a wide range of speech protected by the First Amendment. The bill is called The Megan Meier Cyberbullying Prevention Act, and if passed into law (and if it survives constitutional challenge) it looks almost certain to be misused."

lousyd writes "Volokh has hosted a paper by George Mason University law professor Adam Mossoff on the patent fracas a century and a half ago surrounding the sewing machine. A Stitch in Time: The Rise and Fall of the Sewing Machine Patent Thicket challenges assumptions by courts and scholars today about the alleged efficiency-choking complexities of the modern patent system. Mossoff says that complementary inventions, extensive patent litigation, so-called 'patent trolls,' patent thickets, and privately formed patent pools have long been features of the American patent system reaching back to the antebellum era."

An anonymous reader writes "If you're planning on traveling internationally with a laptop, consider the following: District Court Overturns Magistrate Judge in Fifth Amendment Encryption Case. Laptop searches at the border have been discussed many times previously. This is the case where a man entered the country allegedly carrying pornographic material in an encrypted file on his laptop. He initially cooperated with border agents during the search of the laptop then later decided not to cooperate citing the Fifth Amendment. Last year a magistrate judge ruled that compelling the man to enter his password would violate his Fifth Amendment right against self-incrimination. Now in a narrow ruling, US District Judge William K. Sessions III said the man had waived his right against self-incrimination when he initially cooperated with border agents." sohp notes that "the order is not that he produce the key — just that he provide an unencrypted copy."

bfwebster writes "Orin Kerr over at The Volokh Conspiracy (a great legal blog, BTW) reports on a US District Court ruling issued just last week which finds that doing hash calculations on a hard drive is a form of search and thus subject to 4th Amendment limitations. In this particular case, the US District Court suppressed evidence of child pornography on a hard drive because proper warrants were not obtained before imaging the hard drive and calculating MD5 hash values for the individual files on the drive, some of which ended up matching known MD5 hash values for known child pornography image and video files. More details at Kerr's posting." Update: 10/28 16:23 GMT by T : Headline updated to reflect that this is a Federal District Court located in Pennsylvania, rather than a court of the Commonwealth itself.

bfwebster writes "Orin Kerr over at The Volokh Conspiracy (a great legal blog, BTW) reports on a US District Court ruling issued just last week which finds that doing hash calculations on a hard drive is a form of search and thus subject to 4th Amendment limitations. In this particular case, the US District Court suppressed evidence of child pornography on a hard drive because proper warrants were not obtained before imaging the hard drive and calculating MD5 hash values for the individual files on the drive, some of which ended up matching known MD5 hash values for known child pornography image and video files. More details at Kerr's posting." Update: 10/28 16:23 GMT by T : Headline updated to reflect that this is a Federal District Court located in Pennsylvania, rather than a court of the Commonwealth itself.

physman_wiu writes "We all remember the recent incident of 13-year-old Megan Meier. Now legislation is set to be passed at least in Missouri (and possibly through Congress) that would make cyberbullying illegal. The new legislation (PDF) reads: 'Whoever transmits in interstate or foreign commerce any communication, with the intent to coerce, intimidate, harass, or cause substantial emotional distress to a person, using electronic means to support severe, repeated, and hostile behavior, shall be fined under this title or imprisoned not more than two years, or both.' Now, this seems like a great piece of legislation — until I get put in jail for some kid on WOW calling the Feds on me." Eugene Volokh is not impressed.

mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."

Throtex writes "Orin Kerr, Associate Professor of Law at George Washington University writes at The Volokh Conspiracy that the Department of Justice is having trouble finding abuses of the USA PATRIOT Act. This follows from the fact that what the media originally aired as abuses were merely allegations of abuse at the time. Could it be that there has just been a lot of fuss over nothing?"