The Fourth Amendment doesn't protect Email as much as You might think

The Fourth Amendment doesn't protect Email as much as You might think

Summary: The good news is that the courts have ruled that email is email is protected from searches without warrants. The bad news is that your email is still open to being looked at by bosses, management, and snoopy email and network administrators.

SHARE:
TOPICS: Collaboration
50

If you're concerned with email privacy, at first glance, the Sixth Circuit Court of Appeals ruling that the Constitution forbids the U.S. Federal Government from grabbing stored email without a warrant (PDF Link) sounds like great news. And, it is. It's just not as great as you might think.

What happened in the case was that the government forced an ISP to reveal 27,000 emails without securing a warrant or giving notice to the customer, Steven Warshak. The Sixth Circuit Court held that the seizure violated Warshak's Fourth Amendment rights because they were allowed to so because of the Stored Communications Act. Ironically, that act was meant to prohibit ISPs and other electronic communication providers from sharing mail or messages without their senders or receivers' permission.

To quote from the Court's decision

Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection ... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.

"The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call -- unless they get a warrant, that is. ... It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement.

The Electronic Frontier Foundation called the Warshak v. United States decision a "landmark decision." And, so it is. But, just because the police can't demand your email without a warrant means that you think for one second that your email is really private. It's not.

As an attorney friend of mine explained it, "It's very important in the sense that it's surprising that it has taken this long for a federal Circuit court to expressly extend 4th amendment protection to emails searched or seized without a warrant. It also highlights that the complex federal statutory scheme (note that the Stored Communications Act, which is a very problematic statute lately, was a main factor in this case) contains large areas of overlap, potential conflicts and, in general, have created an environment where numerous bodies of law need be consulted to determine legality."

He also pointed out that "Many states have either already extended similar protection to email under state constitutions or statutes, or would be expected to in the face of a similar challenge on the state level."

That said, if the U.S. does decide to appeal this case to the Supreme Court of the United States (SCOTUS), my legal eagle buddy thinks that "Given the makeup of the current court though, if this decision is appealed to the SCOTUS I'd expect it to be upheld. Of course, I also think that She's a Loo will come in first at the Belmont Stakes, so this should be taken with a large grain of salt. But I can readily see a firm majority of the court, based upon other decisions in this area, readily reaching the decision that the 4th Amendment does reach email."

Page 2: [Practically Private Email] »

Practically Private Email

Still, As Richi Jennings, an independent analyst who covers email told me, "Folks who assume that it's impossible for an admin to read their email, P.T. Barnum was right--there is a sucker born every minute. Think about it: if the system needs access to your email, the admin does too. I know of no widely-used in-house corporate email system that prevents admins from doing this."

In addition, Federal Regulations on Civil Procedures (FRCP), as my attorney friend explained it, "doesn't require that email be archived ... But on a practical level one should act as if every email is in fact stored somewhere and able to be delivered because everyone does, to a greater or lesser degree, store older emails." So, in short, you, as a private individual should assume that all your corporate, school, or organization email is being stored. And, yes, that includes the ones from your old girl-friends that you deleted last week.

You should also keep in mind, as my lawyer said that, "To implicate the 4th amendment there needs to be 'state action' or someone operating under the color of law at the behest of a governmental body. Public schools are state actors for purposes of the 4th amendment. However, your private school/company is still covered by many state and federal statutes and regulations detailing what information and under what circumstances it may be used. In general, however, they are free to examine email sent across their systems for legitimate purposes (i.e., not merely to exclusively learn what someone is doing in their private life)." That, of course, doesn't mean that they won't peek over your virtual shoulder anyway.

Jennings added that "Cloud providers, such as Google Apps will typically restrict database access to a limited number of trusted individuals. But as a recent Google employee was fired for snooping on email, this strategy isn't foolproof either."

Jennings concluded, "People can counter this by using end-to-end encryption (e.g., Pretty Good Privacy (PGP), Voltage, but they're a pain to use. Encryption doesn't protect against traffic analysis, either. The government might at least be interested in who's emailing who, even if it doesn't know what you're saying."

Don't think that this matters? Don't think it can happen to you? Think again. According to the security vendor Cyber-Ark's fourth annual "Trust, Security and Passwords" (PDF Link) survey, 67 percent of IT staffers admitted that they accessed confidential information, such as email, without a job-related need.

Want to be really safe with your email? Or, as safe as you can be, anyway? Use PGP or Voltage email encryption and either run an email server of your own-I do-or get access to your own private email box from companies such as MailStreet, Intermedia, or nsMail.

Topic: Collaboration

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

50 comments
Log in or register to join the discussion
  • Just have to be careful with email

    they could read every work email I've written in the last decade and find nothing of any interest.
    Anything 'interesting', or what might be interesting if misconstrued, does not go in any electronic communication.
    HollywoodDog
    • is that any differnt then regular mail?

      Sure it's illegal for someone to walk up and take your mail an read it, but it doesn't stop people from doing it, just don't get caught doing it.
      John Zern
      • and when it happen

        @John Zern
        They should should receive root canal treatment with a baseball bat ..... messy ......

        Its always the same never trust you employer never ever .... treat him for what he is a enemy . always .

        SO always have your intelligent cell phone on vibrate and answer email during break .
        Quebec-french
      • Employer is not an enemy

        @John Zern ... after all, it keeps me in car payments and drink.

        But the moment you become any sort of liability, or the moment they think you might become so, they'll get rid of you.

        One way to become a potential liability is to be unguarded in your use of email.
        HollywoodDog
      • Yes, it is A LOT DIFFERENT ...

        @John Zern ... because it would be a felony for postal working to open a letter and read it. That is a strong disincentive.

        It is not illegal for an ISP admin to read your e-mail. It is merely unethical. It is not even unethical for an employer to read e-mail you send using the employer's computers or e-mail system.
        M Wagner
  • I'm almost more suprised...

    The biggest piece that actually caught me off guard...

    "67 percent of IT staffers admitted that they accessed confidential information, such as email, without a job-related need"

    All I can say is HOLY @#$%. What happened to ethics in our industry? Sorry...but if you're a guy that has the keys to the kingdom...its part of your duty to not go snooping.
    samalie
    • RE: The Fourth Amendment doesn't protect Email as much as You might think

      @samalie Maybe 67% of the IT staffers aren't as overworked as 100% claim to be and have time to burn. Sad about that other 33%.
      ;)
      Bill4
    • RE: The Fourth Amendment doesn't protect Email as much as You might think

      @samalie You and me both. That's an insanely large percentage. And, mind you, those are the people who will admit to doing it on a survey. Yack!
      sjvn@...
    • RE: The Fourth Amendment doesn't protect Email as much as You might think

      @samalie

      Agreed. Personally, I would NEVER access confidential information without a goddamned good reason, like I thought because of circumstances or had evidence that someone was doing something illegal.
      Lerianis10
    • RE: The Fourth Amendment doesn't protect Email as much as You might think

      @samalie

      i would be interested in knowing how that question(s) was phrased.

      actively looking just to look is different than looking for something specific and work related and getting distracted by a phrase that matched the search, was not actually related, but piqued curiosity none the less
      erik.soderquist
    • Snooping is a natural human tendency

      @samalie
      Which means an admin is fighting his or her human nature every minute of every day. And funny thing about ethics, they don't apply in conditions that drop down to the first, and occasionally second, levels of Maslow's needs.

      Humans, like all apes, are curious critters. And humans, more than any other ape species, are intensely social animals. Snooping is how the social game is played.

      The ways to prevent, or limit, that snooping by those with the keys to the kingdom, have been written time and again, ad nauseum. They require resources to manage them; and managers the world over are skinflints when it comes to providing the resources necessary. the U.S. military, the Army, and Pvt Manning's superiors in specific failed in that exact manner. Yes, Manning wasn't an admin, just a user with too much access, and too little supervision, human or electronic. Manning allegedly took the diplomatic messages; but it could just as easily have been health records, mental health records, pay records, employment, or e-mail.
      Dr_Zinj
    • Accessing 'confidential' information ...

      @samalie ... is not just about reading e-mail. As asked, such an infraction might be as harmless as looking up a fellow employee's age, or middle name, or salary, or telephone number so 67% doesn't strike me as surprising in the least.
      M Wagner
  • RE: The Fourth Amendment doesn't protect Email as much as You might think

    Wow, it still amazes me how many people still don't have a clue about the Constitution. It protects people from GOVERNMENT abuses, not from each other.
    aep528
    • Exactly right! The 4th amendment is pertinent to government snooping

      and therefore, the argument presented in the article above was irrelevant in regards to that 4th amendment.

      However, there is an expected right of privacy in anything you do which is not done completely out in the open.

      Furthermore, when your privacy is invaded by a private party, be it a company or an individual, that party could turn into a whistleblower, and government could then get involved if the material in your emails is of interest to government. Thus, there should be protections against all snooping, because, anything you say can be held against you, even if government wasn't the direct party involved in snooping against you.
      adornoe
    • RE: The Fourth Amendment doesn't protect Email as much as You might think

      @aep528

      W R O N G! The Constitution protects people from PRIVATE and BUSINESS abuses as well. The rights enumerated in the Constitution are not just rights that government has to not violate, but ALL people and ALL BUSINESSES as well.

      It's just that in the past 20 years or so, people have been getting too damned milquetoast and not demanding that private people and corporations respect their rights.
      Lerianis10
      • RE: The Fourth Amendment doesn't protect Email as much as You might think

        @Lerianis10 ... Mmm, a corporation is considered a "person" in the US; the words are often interchangeable.
        twayner
      • RE: The Fourth Amendment doesn't protect Email as much as You might think

        @Lerianis10
        Not sure I agree with you there. Most of the bill of rights/Constitution have no relevance to real people (the Constitutional definition of "Real Person") or businesses.

        1) Freedom of speech/press ... you still get fired, and a newspaper doesn't have to print what you send them in an editorial. Establish a church? The government can't, but people can.
        2) Right to bear arms? Right to refuse to have them on campus or on an airplane.
        3) Quartering of troops? Eh... ok. but it's not likely this has a non-government application
        4) discussed above.
        The Bill of Rights protects the citizen from the government. Laws protect the citizen from private and business abuses.
        crythias
      • Sorry ...

        @Lerianis10 ... but you are mistaken:

        Amendment IV

        "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

        This is about government initiated "search and seizure" and requires a search warrant.

        Unfortunately, the Bush Administration violated the IV Amendment when he applied the Partiot Act and the the Senate did the same when they barred the public from suing private corporations which did not DEMAND a search warrant before granting government access to public communications.
        M Wagner
    • Fourth amendment comes in to play

      @aep528 ... when the government wants to use email as criminal evidence against you. They're going to argue that because email is stored on servers outside your immediate control, then there is no reasonable expectation of privacy, so the emails shouldn't be suppressed.

      It's not particularly likely that you get in trouble for writing emails you shouldn't. But it could lead to further evidence elsewhere.
      HollywoodDog
  • And then there was...

    The Patriot Act<br><br><a href="h-t-t-p://en.wikipedia.org/wiki/USA_PATRIOT_Act" target="_blank" rel="nofollow">http://en.wikipedia.org/wiki/USA_PATRIOT_Act</a>
    Dietrich T. Schmitz, ~ Your Linux Advocate