Expectation of Privacy Extended to Email

An anonymous reader writes "In a 6th circuit court decision [PDF] today 4th amendment expectation of privacy rights were extended to email. 'The ruling by the Sixth U.S. Circuit Court of Appeals in Ohio upholds a lower court ruling that placed a temporary injunction on e-mail searches in a fraud investigation against Steven Warshak, who runs a supplements company best known for a male enhancement product called Enzyte. Warshak hawks Enzyte using "Smiling Bob" ads that have gained some notoriety.'"

too bad

[mchale]

I agree wholeheartedly with the court's findings -- people have an expectation of privacy when sending (hardcopy) written correspondence, and it makes sense to extend that privelege to the digital realm as well.

It's just a shame that the right decision comes down on the side of the spammer.

Re:too bad

[mastershake_phd]

It's just a shame that the right decision comes down on the side of the spammer.

Everyone deserves the same rights and treatment under the law.

Re:too bad

[DragonWriter]

Yea so you can go to jail for just having an Ethernet sniffer!

Nothing in the current decision suggests that, since it is about the meaning of the Fourth Amendment and therefore the limits of government power.

It is clear text.

So are much of the the hardcopy material in which you have a reasonable expectation of privacy under the Fourth Amendment. Encryption has never been a Constitutional prerequisite to a reasonable expectation of privacy.

Re:too bad

[TFGeditor]

"Really people should have the same expectation of privacy in an email as they do with a postcard. None at all.
It is clear text."

Except for the fact that you cannot read someone's email as a routine matter of simly handling it, as in a mail carrier. It takes extraordinary effort to access/read someone's email, akin to steaming open an envelope. Ergo, your assertion is wrong.

Re:too bad

[Vancorps]

The difference is that the casual observer can hear two people holding a conversation in a public place. You cannot casually observe email without explicitly trying. That is the big difference, it takes effort to look at email and that is why there is an expectation of privacy.

I've dealt with a few organizations where they've sent credit card info in an email. They are business cards with fraud protection so most people don't worry about it. Of course you must trust the recipient. Ultimately no one things their email will be intercepted in transit because that rarely happens due to the fact that you'd have to have a compromised DNS server to accomplish it or compromise a router in the path. In either circumstance an alternate crime has already been committed and will be dealt with. I'm not sure there has ever been a case of credit card fraud because someone sent and email with credit info and the message was intercepted. It's always the recipient of the information mishandling the data in some way.

Personally I don't care either, what I write in email I freely share with others because I use my corporate account. I'm the only one in the company authorized to go through email so I really don't have to worry, beyond that it just doesn't matter. If you speak ill of someone speak ill of them to their face. I've never been afraid of my emails being public but given that the execs often plan secretive meetings and the future of the company through email I can understand the expectation of privacy. Just because I can go through everyone's email doesn't mean that I do. I require a specific reason and only then will I move forward. I do this even when an exec asks me to pry into email accounts. If they don't have a reason then I don't do it. The company lawyer supports me in it all so I'm pretty safe.

I would agree that sending CC info in email isn't necessary the brightest thing to do but no more so than giving it over the phone to someone which also enjoys an expectation of privacy.

Re:too bad

[Myopic]

Aha, but there you are wrong. If you send a postcard, you have very low expectation of privacy. However, if you put your letter inside an envelope, then you have an expectation that the envelope will only be opened by the intended recipient. Regular email as we mostly know it is like a postcard, but you can put your postcard into an electronic envelope by encrypting it, which would give you a greater expectation of privacy. Sure, a person can still break your encryption, but that person could also just open your envelope. We would recognize these actions as crimes, preserving your privacy.

One difference might be that people sort of think of email more like a letter than a postcard. A court could find that email has protections similar to a letter. As a techie, I would disagree with that, exactly because of what the GP said: it's so easy to sniff around and see emails that it's difficult to say it's a protected medium. I predict in the future a huge legal case where this exactly is the crux -- the question, what is the expectation of privacy in an unencrypted email? I further predict that the result will be similar to a postcard, not a letter.

To be clear, the decision today didn't look at that question, rather the question of whether a warrant is required to search email at all. I see that as so blatantly obvious that I'm shocked the government would even question it. Look, government, hey, you know for 250 years courts have consistently told you that you need a warrant to search just about everything that isn't an emergency, so by now you should be used to it.

Re:too bad

[Chris+Burke]

Regular email is like a snail-mail in an envelope -- it is trivial to read it, but it requires conscious effort to do so. A postcard could fall on the ground text-up and be read by random passers by who just happened to glance at it. Unless there is something serious going wrong, someone else's email is not going to just pop up on your screen. You have to make a conscious effort to read someone else's email, and yes I'm including using a packet sniffer.

Encryption is like shipping your letter in a box with a combination lock on it. That may be a really good idea if the contents of the letter are extremely important, but 100% absolutely NOT required for you to have an expectation of privacy vis a vis the 4th Ammendment.

People keep confusing "expectation of privacy" with "practical feasibility of someone violating their privacy if they want to". They are not the same thing. As a techie you might think it has something to do with how difficult it is to read email, but that's really irrelevent, which is obvious if you look at every other method of communication.

I have an expectation of privacy when conversing in my home, even though just putting your ear to my window would allow you to hear.
I have an expectation of privacy when using a cordless phone, even though especially the old ones were trivial to listen in on.
I have an expectation of privacy when sending a letter, even though a light shone through the envelope can reveal its secrets.

Now, if you are worried about people who don't care about your expectations of privacy or the law, and your data is important, then yes you should be aware of the practical reality and take extra precautions, eg encryption, or a sound-proof booth in your home, or whatever. That is not the same as an expectation of privacy.

Expectation of privacy means you expect you will be granted privacy, not that you expect that nobody can breach your privacy.

Re:too bad

[DerekLyons]

Aha, but there you are wrong. If you send a postcard, you have very low expectation of privacy.

Actually - I have a very high expectation of privacy for that postcard. Why shouldn't I? It's not on public display and at no point in its transit from sender to recipient is it ever in a state where a casual member of the public can gain acess to it to read it.
 
In fact, it takes abnormal conditions (mailbox fails in some manner and the postcard ends up on the ground) or deliberate malfeasance (somone reaches into the mailbox or delivery vehicle) for it to become exposed to a third party. Furthermore, a letter in an envelope has exactly the same privacy failure modes with the trivial requirement of opening the envelople required.
 
 

Regular email as we mostly know it is like a postcard

Precisely - regular email cannot be acessed by a third party absent accident or malfeasance.
 
 

One difference might be that people sort of think of email more like a letter than a postcard. A court could find that email has protections similar to a letter. As a techie, I would disagree with that, exactly because of what the GP said: it's so easy to sniff around and see emails that it's difficult to say it's a protected medium.

This is precisely why your analogy fails - it's easy to sniff around if the person has privileged acess _or_ deliberately utilizes tools to perform the sniffing. Just like a physical letter (or postcard) it takes either a systematic failure or deliberate action to view the contents of an email, it is virtually impossible to do so casually.

Re:Can we extend this

[DragonWriter]

Cos if we can get webmail onto the list, maybe there is a chance we can get slashdot comments done as well.

Unlikely. Slashdot comments are public by design. Webmail is simply an interface to otherwise regular email message, which this covers under the logic they are intended for an identified recipient and provided to other intermediaries on the way for delivery, much like traditional mail.

Re:Does anyone else see this as a bad thing?

[DragonWriter]

I mean, sure... it gives you leverage to make sure your privacy isn't infringed upon by government agencies, but don't you think it could create the expectation that internet communications services are _required_ at all times to encrypt communications, even when the sender might have wanted to use more open and readable formats (and possibly not necessarily agreed to be so open by one of the recipients)?

Did similar past decisions regarding public phones and postal mail compel telecoms and the USPS to encrpyt all telephone transmissions and letters?

Password-protected

[bar-agent]

Even more so, any password-protected account should give an expectation of privacy. The only people seeing those things should be you, and whoever you've got the account with, for their own purposes only and they shouldn't give access to anyone else.

That's the whole point of passwords! I'd say that's a pretty straightforward expectation.

Re:How is email privacy currently violated?

It's impossible, legally and physically, to monitor all email. When the FBI gets a warrant to search email or tap traffic, they have to install a device at the ISP's POP. So no, your domestic email isn't read at all unless they already have a warrant allowing them to read your email. I have no idea if they check all of the email heading overseas; that would be easier legally and electronically, but it's still an incredible amount of data.

Either way, they don't pick people up for one email message. They have to have enough evidence to convict in order to arrest someone for terrorism or supporting terrorism. This is why terrorism cases take so long and rarely finish prosecution; the mountain of evidence required by federal courts is incredible.

So, your test will generate a negative, and you have no control to determine whether or not it's a false negative. Unless they have physical evidence, they're not going to arrest you, and you're not going to know what level of surveilance they're putting on you.

Courts are irresponsible

The court's opinion is blatantly obvious to anyone on Slashdot:

"In considering the factors for a preliminary injunction, the district court reasoned that e-mails held by an ISP were roughly analogous to sealed letters, in which the sender maintains an expectation of privacy. This privacy interest requires that law enforcement officials warrant, based on a showing of probable cause, as a prerequisite to a search of the e-mails."

Yet the courts took 20 years to figure this out. People seem to accept it -- that's just 'the way it works' -- but it's a travesty, and an injustice to 20 years of defendants. The Judiciary is responsible for delivering justice, yet all they deliver is process. If their process doesn't work -- for 20 years -- to hell with justice for all the people that are screwed in the meantime; we'll get it right eventually. They're like the most incompetent, hide-bound business, delivering nothing profitable, committed not to outcomes but to long-established procedures.

If I took 20 years to adjust to some change in IT and deliver on my responsibilities, I'd have been fired 19 years 6 months ago. There is no accountability for the Judiciary -- I suppose that's intended, to preserve its independence -- but what frustrates me most is that the Judiciary takes no responsibility on its own, and that people are blind to it and just accept it, like Windoze users who just accept whatever was given them.

Re:Courts are irresponsible

[Chris+Burke]

Well remember that the courts can only decide issues that are placed before them. If this issue hasn't come up before, then there would have been no chance for them to explicitly state that email also falls under the 4th Ammendment. I'm not sure that's true, but in my memory most of the cases involving email as evidence those emails were obtained through a warrant and thus in those cases at least no 4th Ammendment issue arose to be ruled on.

You could call it a problem with the system that technically it is the Judiciary that decides what the law actually means, but they are only able to make that decision after a conflict has arisen and been brought before the court, and in the meantime you're basically guessing. Yet based on the precedents of postal service and telephone it should be fairly obvious that the 4th Ammendment applies to email. Also based on the fact that law enforcement generally gets warrants to recover email, I'd say they generally assume the 4th applies as well.

So when someone decides the opposite, and the issue comes before the court, the court rules on it and now we have a clear precedent of what before was merely assumed: Email is protected under the 4th Ammendment.

Not too bad!

[FuzzyDaddy]

It's just a shame that the right decision comes down on the side of the spammer.

This is often the case - think of all the free speech cases involving Nazis and white supremicists in this country. It has a good side - it reassures us in the rule of law. If these rights apply to an alleged spammer, then we can be assured that they apply to everyone.

So hold up a beer for this guy, who has accidently helped further all of our rights. And let's hope the police get a proper search warrant and put him away for a good, long time.

Re:Enzyte Why?

[The+Master+Control+P]

For the same reason that I would assume my dead-tree mail to be safe from prying eyes despite travelling in clear-text through a series of mail handling offices and mailmen. My mail is written, then enclosed in a container explicitly stating who is supposed to receive/read it. No one else is supposed to read it, despite the fact that it is usually trivially easy to do. Likewise, email is written and enclosed in an SMTP encapsulation that explicitly delimits who is meant to receive/read it. No one without legitimate access (Which, as with DTF mail, includes the government with a warrant) to the sending or receiving accounts is supposed to read it.

It is, of course, even easier to read e-mail than normal mail. What's important is that the proper regulations be applied to government. Although it's also possible for other people to read your mail, if they act on what's contained (e.g. identity theft) it's already criminal. The government is not so good at policing itself however, hence this ruling.

No legal expectation of privacy

[PurifyYourMind]

I could be wrong, but I think the 4th amendment only covers the specific case of searches and seizures by the government. To construe it as an amendment protecting our privacy in general is wrong.