The Fourth Amendment doesn't protect Email as much as You might think

The good news is that the courts have ruled that email is email is protected from searches without warrants. The bad news is that your email is still open to being looked at by bosses, management, and snoopy email and network administrators.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

If you're concerned with email privacy, at first glance, the Sixth Circuit Court of Appeals ruling that the Constitution forbids the U.S. Federal Government from grabbing stored email without a warrant (PDF Link) sounds like great news. And, it is. It's just not as great as you might think.

What happened in the case was that the government forced an ISP to reveal 27,000 emails without securing a warrant or giving notice to the customer, Steven Warshak. The Sixth Circuit Court held that the seizure violated Warshak's Fourth Amendment rights because they were allowed to so because of the Stored Communications Act. Ironically, that act was meant to prohibit ISPs and other electronic communication providers from sharing mail or messages without their senders or receivers' permission.

To quote from the Court's decision

Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection ... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.

"The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call -- unless they get a warrant, that is. ... It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement.

The Electronic Frontier Foundation called the Warshak v. United States decision a "landmark decision." And, so it is. But, just because the police can't demand your email without a warrant means that you think for one second that your email is really private. It's not.

As an attorney friend of mine explained it, "It's very important in the sense that it's surprising that it has taken this long for a federal Circuit court to expressly extend 4th amendment protection to emails searched or seized without a warrant. It also highlights that the complex federal statutory scheme (note that the Stored Communications Act, which is a very problematic statute lately, was a main factor in this case) contains large areas of overlap, potential conflicts and, in general, have created an environment where numerous bodies of law need be consulted to determine legality."

He also pointed out that "Many states have either already extended similar protection to email under state constitutions or statutes, or would be expected to in the face of a similar challenge on the state level."

That said, if the U.S. does decide to appeal this case to the Supreme Court of the United States (SCOTUS), my legal eagle buddy thinks that "Given the makeup of the current court though, if this decision is appealed to the SCOTUS I'd expect it to be upheld. Of course, I also think that She's a Loo will come in first at the Belmont Stakes, so this should be taken with a large grain of salt. But I can readily see a firm majority of the court, based upon other decisions in this area, readily reaching the decision that the 4th Amendment does reach email."

Page 2: [Practically Private Email] »

Practically Private Email

Still, As Richi Jennings, an independent analyst who covers email told me, "Folks who assume that it's impossible for an admin to read their email, P.T. Barnum was right--there is a sucker born every minute. Think about it: if the system needs access to your email, the admin does too. I know of no widely-used in-house corporate email system that prevents admins from doing this."

In addition, Federal Regulations on Civil Procedures (FRCP), as my attorney friend explained it, "doesn't require that email be archived ... But on a practical level one should act as if every email is in fact stored somewhere and able to be delivered because everyone does, to a greater or lesser degree, store older emails." So, in short, you, as a private individual should assume that all your corporate, school, or organization email is being stored. And, yes, that includes the ones from your old girl-friends that you deleted last week.

You should also keep in mind, as my lawyer said that, "To implicate the 4th amendment there needs to be 'state action' or someone operating under the color of law at the behest of a governmental body. Public schools are state actors for purposes of the 4th amendment. However, your private school/company is still covered by many state and federal statutes and regulations detailing what information and under what circumstances it may be used. In general, however, they are free to examine email sent across their systems for legitimate purposes (i.e., not merely to exclusively learn what someone is doing in their private life)." That, of course, doesn't mean that they won't peek over your virtual shoulder anyway.

Jennings added that "Cloud providers, such as Google Apps will typically restrict database access to a limited number of trusted individuals. But as a recent Google employee was fired for snooping on email, this strategy isn't foolproof either."

Jennings concluded, "People can counter this by using end-to-end encryption (e.g., Pretty Good Privacy (PGP), Voltage, but they're a pain to use. Encryption doesn't protect against traffic analysis, either. The government might at least be interested in who's emailing who, even if it doesn't know what you're saying."

Don't think that this matters? Don't think it can happen to you? Think again. According to the security vendor Cyber-Ark's fourth annual "Trust, Security and Passwords" (PDF Link) survey, 67 percent of IT staffers admitted that they accessed confidential information, such as email, without a job-related need.

Want to be really safe with your email? Or, as safe as you can be, anyway? Use PGP or Voltage email encryption and either run an email server of your own-I do-or get access to your own private email box from companies such as MailStreet, Intermedia, or nsMail.

Editorial standards