A stunningly bad decision came down from the 11th Circuit Court of Appeals that threatens the right to privacy in email. I want to alert everyone to the confused logic of this decision and point out, once again, that availability of online data provides an irresistible temptation for abuse.
Background (according to court documents): Charles Rehberg sent some faxes to the management of Phoebe Putney Memorial Hospital, criticizing some (possibly shady) recent decisions taken by the board. As a favor to the hospital, the District Attorney of Dougherty County, Kenneth Hodges, investigated Rehberg’s actions. Hodges convened a grand jury and indicted Rehberg on charges of assault, burglary, and six counts of “harassing phone calls.” It later became clear that there was no evidence to support the phantom assault and burglary charges; for example, there was no police record or investigation of either crime, and these were dismissed. Then Hodges indicted Rehberg two more times on charges that were also dismissed.
But wait, it gets better. During all this, Hodges subpoenaed Rehberg’s phone and email records. Maybe, just maybe, Hodges (who is now running for Georgia Attorney General) was looking to further embarrass or harass Rehberg.
So now Rehberg, cleared from these charges (as well as the Lindbergh kidnapping and the sinking of the Maine) is suing Hodges and his underlings, for violating Rehberg’s constitutional rights.
On March 11, the Court of Appeals decided that Rehberg's claims could not succeed because of the "third party doctrine" which essentially means that you have no privacy right to information you have turned over to a third party. It is this doctrine that allows your phone records to be seized, because you have voluntarily exposed the dialed numbers to the phone company. See Smith v. Maryland, 442 U.S. 735, 740
(1979). The Rehberg court concluded that “Rehberg’s voluntary delivery of emails to third parties constituted a relinquishment of the right to privacy to that information,” and therefore there is no “Fourth Amendment violation for the subpoenas for his Internet records.”
To understand how scary this decision is, let’s have a quick review of how the expectation of privacy works. Smith and California v. Ciraolo, 476 U.S. 207, 211 (1986), lay out a two-part test for the "constitutionally protected reasonable expectation of privacy . . . . [F]irst, has the individual manifested a subjective expectation of privacy in the object of the challenged search? Second, is society willing to recognize that expectation as reasonable?” Id. at 211 (quoting Katz v. United States, 389 U.S. 347, 360 (1967) (Harlan, J., concurring)). The argument in Smith is that the caller has no subjective expectation of privacy in the numbers he has dialed because he has transmitted those numbers to a third party. Similarly, the sender of an email may be said to have no "legitimate expectation of privacy in an email that ha[s] already reached its recipient.” Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001). A quick example might help make this clear:
Imagine that Adam sends a letter to Bobby. When Adam sends the letter, his expectation of privacy is intact. When Bobby receives the letter, Adam’s legitimate expectation of privacy is extinguished (unless the letter was clearly marked confidential) and Bobby’s privacy right attaches. If the government illegally seizes that letter after its receipt, it is Bobby’s privacy right that has been violated.
Now, who can spot the problem with the Court of Appeals’ argument that Rehberg had no privacy right to his email? That’s right, Rehberg’s email would not only include email he had sent, but also the email he had received. So indeed, Rehberg did have a privacy interest that covered the mail in his inbox. (Note: Though case law generally affords email the same protections as the telephone, the privacy in email is statutory: 18 U.S.C. §2701-2711, Title II of the Electronic Communications Privacy Act (ECPA).)
The court may be arguing that Rehberg had no privacy interest in any of the information in his email because Rehberg's ISP had a copy of that information. Indeed, the court cited United States v. Perrine, 518 F.3d 1196, 1204-05 (10th Cir. 2008), for the proposition that “[e]very federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment’s privacy expectation."
But here, the court is confusing subscriber information with content. Rehberg provided the routing information for the email to his ISP (To: X@gmail.com), in much the same way a letter-sender provides an address on the outside of an envelope. I understand the argument that there is no legitimate privacy interest in this routing information. However, the content of the email, just like the content of the letter, has not been turned over. The ISP has no right to the content of that correspondence; it just serves as the middle man/storage medium. (Similarly, you still have a privacy interest in the briefcase you leave in a hotel room; a custodial third party does not extinguish your rights).
Courts seem to have misunderstood what a “record” of email contains. A phone record simply contains the phone number called, and the time and duration of the call. An email “record” contains the entire email. Surely, the content of that email is private (that is, Rehberg did not turn over the entirety of the email’s contents to the ISP when his computer requested the email be sent to another computer). Allowing the seizure of emails is more akin to wiretapping (which reaches a call's content) than to acquiring phone records.
There is also a strong policy reason to recognize the privacy interest in emails. When Rehberg sends an email message, his ISP makes a copy of the entire message. Email messages commonly contain or nest the contents of prior emails. If anything, the privacy interest in email should be higher than the ordinary mail, because this nesting is automatic and implicates the privacy of the entire conversation. The "third party doctrine" makes very little sense in the digital context because conversation nesting, forced copying, and storage are the norm. I shudder to think that any information I store in the cloud (often with many stated guarantees of privacy) is suddenly fair game for government seizure.
I can only hope that the Appeals Court revisits this decision en banc and undoes this unfortunate confusion of subscriber information with content and the digital with the physical.
(Andrew Moshirnia is a second-year law student at Harvard Law School and a CMLP blogger. He is still fighting charges that he was the man on the grassy knoll.)