Court Upholds Warrantless Internet Snooping

amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.

More specifically

[Shadow+Wrought]

They are allowed to look at the sender information on your e-mails and domain of websites you are looking at. The contents of the e-mails and which pages of a website, ie the URL, are still off limits.

Ninth Circuit

Circuit Courts of Appeals only have jurisdiction over cases arising in their proper Circuit. This decision is not applicable anywhere but the Ninth Circuit.

http://upload.wikimedia.org/wikipedia/commons/thum b/d/df/US_Court_of_Appeals_and_District_Court_map. svg/620px-US_Court_of_Appeals_and_District_Court_m ap.svg.png

Editors, please.

Misleading Summary

[logicnazi]

What the ruling held was that the header information of your email (and web browsing I believe) is subject to exactly the same standards as the information about what phone numbers you dial. Mostly this seems like an appropriate and totally correct extension of offline legal standards to the online world. The only reason that it is more problematic is that an email header includes things like the subject which contains a little bit of the content.

Still all things considered this seems like the correct rule. Subject lines don't contain that much information and if you are concerned you can just use an unrevealing subject. Moreover, we already contemplate the possibility that someone who happens to glance at the recipients screen might notice the title so it really doesn't seem like we have the same expectation of privacy for the title of the message as we do for the body.

Anyway for a better more interesting discussion about this case you can check out Orin Kerr's comments over at the Volokh Conspiracy.

How this mess developed

[Animats]

This mess developed over time.

All this stems from a distinction in wiretap law that goes back to the dial telephone era. Listening to voice requires a warrant, because that info belongs to the parties of the call only. But information used by the telephone company itself to route the call, like dial digits, can be requested from the telephone company. A "pen register" was classically a little electromechanical gadget that recorded dial pulses as dashes on a paper tape. There was no way to extract voice info with a pen register.

Then came Touch-Tone. Now the switching data was in the voice channel. After some court decisions, it was established that listening to the voice channel and extracting tones was OK, if done with "minimal" access to the voice channel.

Over time, this led to the "pen register" exception being extended to content the telco didn't process, including tones sent during a call to third-party services like voice mail, packet headers, E-mail headers, cellular location data, etc. Then came a "lower standard for stored messages", which included SMS messages and E-mail. Then came bulk interception via CALEA. Then the Patriot Act.

Re:Address implies content

[Anonamused+Cow-herd]

Hmm. Turns out the SF gate article is misleading. Disregard the above. http://blog.wired.com/27bstroke6/2007/07/appeals-c ourt-r.html

Re:Address implies content

[Kadin2048]

The GP was wrong in his interpretation of the court's decision.

They actually realized that a log of IP addresses and a log of URLs are two very different things, and convey different levels of information. This was actually mentioned in a footnote (quoting from the Wired article):

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed.

An example is the difference between a log that shows "http://en.wikipedia.org/wiki/Surface-to-air_missi le, http://en.wikipedia.org/wiki/Missile_guidance" and one that shows "http://66.230.200.100". The latter is analogous to the numbers I'd dial into a phone in order to connect me to someone; the former is more indicative of the content of the communication.

Furthermore, just because a resource is "publicly available" doesn't mean that there's "no reasonable expectation of privacy." I expect that my Wikipedia browsing habits are between me, my ISP, and Wikipedia (and anyone else snooping on the line), likewise, although my Google searches are sent via GET URLs, that doesn't mean that they're public. (Particularly given that there's no alternative method, at least that I'm aware of, to use most search engines.) Libraries are public, also, but that doesn't mean that everyone's records are public information.