How Much Protection from Search and Seizure Does Your Email Have?

Does the government need a search warrant, requiring a showing of probable cause, in order to read your email—as it would if it wanted to read a physical letter?

Not if the email has been “in electronic storage” for more than 180 days, under the 1986 Stored Communications Act (18 U.S.C. Section 2703). The Stored Communications Act (SCA) is Title II of the Electronic Communications Privacy Act (ECPA).  In contrast, that same Act states that a warrant is required for disclosures of emails that have been stored for 180 days or less.

A Recent Battle Over Email Through Webmail

How to apply the SCA to emails stored by webmail providers was the central issue in a court battle pitting several tech company heavyweights and privacy advocates against the U.S. Department of Justice.  In December of 2009, the DOJ requested and received an order from a magistrate judge that Yahoo turn over emails in specified accounts stored for less than 181 days—without a search warrant.  The DOJ’s rationale? The emails had already been read by the recipient, and thus did not count as being in “electronic storage” within the meaning of the SCA.

Yahoo refused to comply with the magistrate judge’s order. The DOJ filed a motion to compel the production of the emails in March (PDF). Yahoo’s response brief (PDF) contested the DOJ’s interpretation of “storage” and accused the DOJ of trying to overturn years of precedent in an effort to gut Fourth Amendment protections for emails.

Yahoo was not alone in its battle. Google and a coalition of digital privacy groups came to its defense, filing an amicus brief (PDF) arguing that the Fourth Amendment protects email just as much as private conversations and written papers, and supporting Yahoo’s interpretation of “electronic storage” within the meaning of the SCA.

The Government Backs Off… For Now

The fight was just coming to a head when it ended abruptly. The DOJ withdrew its motion to compel the production of the emails (PDF)—without, however, backing down from its interpretation of the law. This means that the argument may not be truly over, but may simply have been postponed. Although Yahoo briefly expressed its pleasure over the new development, the digital privacy groups (for instance, the Electronic Frontier Foundation) are less pleased because the withdrawal delayed resolution of a contentious issue. Adding to their consternation: they thought they were going to win.  Precedent indicates that the resolution the DOJ’s withdrawal delayed may have been favorable to email users and companies like Yahoo, and less than favorable to the DOJ. Although Yahoo won this short-term victory, the government’s withdrawal means that Yahoo and Google and their users will likely face similar issues very soon.

“Electronic Storage” and Cloud Computing

Yahoo, in its response to the DOJ’s motion to compel, relied on the 2003 9th Circuit case Theofel v. Farey-Jones (PDF) which plainly stated that opened emails fell within the SCA’s definition of “electronic storage.” For the purposes of SCA § 2701(a)(1), a communication is in “electronic storage” if it is stored temporarily and incidentally to transmission or if it is stored “for purposes of backup protection” (SCA § 2510(17)). In Theofel, the 9th Circuit did not decide the question of whether opened emails were stored incidentally to transmission, but held that regardless of that issue, opened emails were stored for purposes of backup protection. Accordingly they are in “electronic storage” within the plain meaning of the SCA. Yahoo argued that not only are the opened emails stored for purposes of backup protection, but that the court should also consider them to be stored incidentally to transmission. Relying on the plain meaning of the SCA provisions, Yahoo argued that whether an email was opened or not was irrelevant to its classification as “electronic storage” and consequent protection under the SCA.

The DOJ, by contrast, argued that Theofel was an erroneous decision and that the 9th Circuit was disregarding the structure and legislative history of the SCA. In particular, the DOJ argued that the protection for backup storage only applied to copies made by a service provider in case of system failure. Since opened email does not fall into this category, it is not in “electronic storage” for the purposes of the SCA, but instead falls into the category of communications held by a “remote computing service”—in this case, Yahoo.  The SCA, passed in the days before common use of webmail, does not have warrant requirements for such communications (see section 2703(a), regarding communications in “electronic storage,” compared with section 2073(b), discussing communications held by a “remote computing service”).

The SCA’s distinction between “electronic storage” and storage by a “remote computing service” suggests that much of the information stored by web users will have very little statutory privacy protection in the era of cloud computing, as more and more personal data is stored remotely. That is probably why the amici brief by Google and various digital privacy groups, in addition to supporting Yahoo’s interpretation of the SCA, also argued that the emails were protected under the Fourth Amendment—regardless of whether the SCA’s protections extend to them or not.

Fourth Amendment and Email

Citing a line of cases beginning with Katz v. United States, a Supreme Court decision from 1967 holding that governmental eavesdropping on phone conversations is a Fourth Amendment violation, the amici brief argued that email users have a “reasonable expectation of privacy” (a prerequisite to Fourth Amendment claims) for the contents of emails stored with a webmail provider. The argument was supported by analogy to conversations in person and over the phone (which are intangible, yet constitutionally protected), sealed postal mail (private for Fourth Amendment purposes even though carried by a third party) and the contents of hotel rooms (private even though the room is owned by a third party).

Possible Future Developments

Despite all these fine-tuned legal arguments, all of these parties will have to wait for a final conclusion on whether opening an email makes it less protected and whether email is as constitutionally protected as a phone conversation. However, Google and the digital privacy organizations behind the amici brief—along with Microsoft, AT&T, AOL, Loopt, and others—have joined forces to advocate federal laws that would render moot all of this analysis by changing the SCA so that police will need a search warrant to access emails even if they are stored “in the cloud.” Describing the issue as one of “digital due process,” the coalition argues that the 1986 attitude to “remote computing services” has become obsolete and that privacy protections need updating in the current era.

The fact that most of this diverse coalition banded together to support Yahoo’s case so quickly after it was announced (it was announced on March 30th and the amici brief was filed on April 13th) suggests that the coalition may have regarded the Yahoo case as the initial test run for its legal strategy. The DOJ’s withdrawal can be taken as a sign of uncertainty in its position, or at least unwillingness to argue it unless strictly necessary. However, the DOJ’s lack of any concession on this issue shows that it has by no means given up the possibility of pursuing this battle in later cases, which means that we will likely see giants like Google, Microsoft, and AT&T clash with the federal government over email privacy in the future.

One thought on “How Much Protection from Search and Seizure Does Your Email Have?

  1. Pingback: Email privacy & cloud services – U.S.

Leave a Reply