PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Privacy of Email Headers

Is there a reasonable expectation of privacy in email headers and IP addresses under the Fourth Amendment? No, sayeth the 9th Circuit in US v. Forrester:

The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that the use of a pen register (a device that records numbers dialed from a phone line) does not constitute a search for Fourth Amendment purposes. According to the Court, people do not have a subjective expectation of privacy in numbers that they dial because they ā€œrealize that they must ā€˜conveyā€™ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed .ā€ . . . . Therefore the use of a pen register is not a Fourth Amendment search. Importantly, the Court distinguished pen registers from more intrusive surveillance techniques on the ground that ā€œpen registers do not acquire the contents of communicationsā€ but rather obtain only the addressing information associated with phone calls. . . .

Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the usersā€™ imputed knowledge that their calls are completed through telephone company switching equipment. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to ā€œvoluntarily turn[ ] over [information] to third parties.ā€

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a personā€™s e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.

Iā€™ve written extensively about the problematic application of Smith v. Maryland to email headers and especially IP addresses. I believe that Smith was wrongly decided, but the 9th Circuit was nevertheless bound to follow it. Accordingly, its holding that there is no reasonable expectation of privacy in email headers seems to fall within the holding of Smith. However, IP addresses present a different case. The holding in the Smith case turned on two rationales: (1) exposure of information to third parties (phone companies) eliminated oneā€™s expectation of privacy; (2) the information was not sensitive since it didnā€™t involve the content of the communications. This second rationale is important, since it is an attempt to keep Smith logically consistent with Katz v. United States, 389 U.S. 347 (1967), where the Supreme Court held that a reasonable expectation of privacy exists in the contents of phone conversations. However, the contents of phone conversations, similar to the phone numbers dialed (pen register), are also accessible to the phone company. Thus, the first rationale (third party doctrine) would be inconsistent with Katz without the aid of the second rationale.

Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.

The envelope/content distinction works fairly well with email ā€” the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content. But with IP addresses, the distinction doesnā€™t work. In Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I wrote:

When applied to IP addresses and URLs, the envelope/content distinction becomes even more fuzzy. An IP address is a unique number that is assigned to each computer connected to the Internet. Each website, therefore, has an IP address. On the surface, a list of IP addresses is simply a list of numbers; but it is actually much more. With a complete listing of IP addresses, the government can learn quite a lot about a person because it can trace how that person surfs the Internet. The government can learn the names of stores at which a person shops, the political organizations a person finds interesting, a personā€™s sexual fetishes and fantasies, her health concerns, and so on.

[Therefore,] the content/envelope distinction is not always clear. In many circumstances, to adapt Marshall McLuhan, the ā€œenvelopeā€ is the ā€œcontent.ā€ Envelope information can reveal a lot about a personā€™s private activities, sometimes as much (and even more) than can content information.

Over at the VC, Orin Kerr points to an interesting ambiguity in the courtā€™s decision. According to the court, the government used ā€œa pen register analogue on [the defendant]ā€™s computer.ā€ Orin writes:

Consider two possibilities. The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. If so, the analogy to Smith v. Maryland is really clear, and the result in Forrester is clearly correct. The second possibility is that the Court meant what it said literally: the government installed a pen register analogue ā€œon [the defendantā€™s] computer,ā€ which seems to suggest some kind of surveillance device actually inside the personā€™s machine. If thatā€™s right, I tend to think this is a different case. At that point the facts become a lot more like United States v. Karo, the locating device case, where the use of a surveillance device inside the home was held to be a search.

In Dahlia v. US, 441 U.S. 238 (1979), the U.S. Supreme Court concluded that a wiretap order was sufficient to justify a covert entry to install electronic bugging devices into a personā€™s home. However, the wiretap order involved in Dahlia was under the Wiretap Act and required even stronger standards than typical Fourth Amendment warrants. The pen register order in Forrester involved a much lower standard, one far below the requirements of a Fourth Amendment search warrant.

Nothing in the courtā€™s opinion suggests that the law enforcement officials actually entered into the defendantā€™s house. But isnā€™t installing the the ā€œpen register analogueā€ into the defendantā€™s computer via electronic means (perhaps as a virus, etc.) the digital equivalent of a trespass into the home?

I also wonder whether the Forrester case is consistent with the Supreme Courtā€™s holding in Kyllo v. US, 533 U.S. 27 (2001). In Kyllo, the Court held that the use of a thermal sensor to detect heat patterns inside a home constituted a Fourth Amendment violation despite the fact that it measured heat emanations coming from the home and was positioned outside the home. The Court held that although there was no physical trespass, the Fourth Amendment was violated:

Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ā€œsearchā€ and is presumptively unreasonable without a warrant. . . .

Moreover, the Court in Kyllo noted that it didnā€™t matter how sensitive and private the information involved was:

The Government also contends that the thermal imaging was constitutional because it did not ā€œdetect private activities occurring in private areas.ā€ . . . The Fourth Amendmentā€™s protection of the home has never been tied to measurement of the quality or quantity of information obtained.

Why wouldnā€™t the pen register analogue used in Forrester be a device to explore the defendantā€™s conduct inside his home? Of course, to apply Kyllo here would also raise doubts about Smith v. Maryland, where the pen register device also captured activities within the home. These difficulties in the Courtā€™s opinions are but further evidence that Smith v. Maryland was wrongly decided. It is inconsistent with so much of Fourth Amendment doctrine, and it leads to tortured attempts to make meaningless distinctions to keep the entire inconsistent doctrinal mess from falling apart.

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
LinkedIn Influencer blog
*
Twitter
*
Newsletter

TeachPrivacy Ad Privacy Training Security Training 01