Search warrants and online data: Getting real

An appeals court decision, assuming it survives and is adopted broadly, marks a major turning point in the evolution of Fourth Amendment law in the Digital Age, consultant Larry Downes argues.

Editors' note: This is a guest column. See Larry Downes' bio below.

There was good news yesterday for Internet intermediaries and other cloud-computing service providers. In a highly readable decision (PDF) from Judge Danny Boggs of the Sixth Circuit Court of Appeals, the court held that key provisions of the Stored Communications Act are unconstitutional. The case is U.S. v. Warshak.

Under SCA, law enforcement agents can compel Internet service providers to disclose the contents of private communications they hold on behalf of users. Such communications include, of course, personal and business e-mail, along with other documents, photos, and videos maintained on third-party computers in the rapidly expanding cloud-computing architecture.

While the disclosure of telephone calls and traditional mail ordinarily require a search warrant, SCA gave investigators access to e-mail and other electronic documents without the same level of judicial oversight. SCA orders, for example, do not require a showing of probable cause.

The SCA, a 1986 amendment to the Electronic Communications Privacy Act, has long been viewed as dangerously outdated by the evolution of electronic communications as a principal means of business and personal interaction. SCA applies, for example, to any stored communications that the intermediary has on its systems for more than 180 days.

In 1986, stored information was likely held in transit en route to a user's computer. The expectation may have been that data left for more than 180 days had essentially been abandoned.

Male enhancement yields massive fraud
Yesterday's decision involved the operation of the benignly named Berkeley Premium Nutraceuticals, a company now operating under the name Vianda that started as a family business but which grew to more than $250 million a year in sales, with the introduction of its flagship product, Enzyte. Enzyte, a supplement, promises to magically and dramatically extend the size of a consumer's penis.

Under modern Fourth Amendment analysis, judges focus less on whether an investigator "searched" or "seized" something tangible from the defendant and more on whether the collection of evidence in any form violated an "expectation of privacy."

Perhaps to no one's surprise, the product, its development, marketing, sales, and operations all turned out to be an enormous fraud. The names and existence of two scientists who had supposedly developed the product were made up, as were data in "studies" of the product's efficacy and in customer satisfaction "surveys." Customers were put on automatic-payment plans without their knowledge, and the company played games with credit card transactions to keep from being cut off from merchant banks due to high chargeback volumes.

The Better Business Bureau compiled thousands of complaints--though not, apparently, about the product so much as the auto-shipping plan.

At issue in yesterday's decision was evidence collected by the federal grand jury from an Internet service provider used by Berkeley's principals. Although investigators complied with the SCA, the court held that disclosure of some 27,000 e-mails required a warrant to satisfy the Fourth Amendment. That Amendment protects the "right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures," a response to roving searches by British customs agents before the American Revolution.

Since the investigators had a good-faith basis to believe the SCA was constitutional, criminal convictions for Berkeley's executives will not be overturned. But "to the extent that the SCA purports to permit the government to obtain such e-mails warrantlessly," the decision holds that henceforth, "the SCA is unconstitutional."

A big win for cloud providers--as well as users
The decision, assuming it survives a potential appeal to the U.S. Supreme Court, marks a major turning point in the evolution of Fourth Amendment law in the Digital Age.

Congress and the courts have struggled since the dawn of computers to understand just what kind of protections are appropriate for users of third-party computer services, from time-sharing systems in the 1960s to today's consumer-oriented cloud services, including e-mail, social networking, document and other work space collaboration, and text messages.

Law enforcement agencies have consistently argued that advances in computing make it easier for criminals to hide their activities, necessitating looser standards for criminal investigations to remain effective.

Civil-liberties groups have taken the opposite view, noting that new technologies including infrared cameras, electronic surveillance, and forensic analysis expand the ability of police to intrude on traditionally private and even intimate aspects of the lives of ordinary citizens.

Courts are regularly called upon to balance these two views. Under modern Fourth Amendment analysis, judges focus less on whether an investigator "searched" or "seized" something tangible from the defendant and more on whether the collection of evidence in any form violated an "expectation of privacy."

If that expectation is "reasonable," the Supreme Court has held, then the Fourth Amendment requires a warrant based on probable cause and approved by a judge or other judicial officer.

What constitutes a "reasonable" expectation of privacy, however, necessarily changes over time with the evolution of social norms driven by new technology.

When home telephones were connected via shared, or "party," lines in the 1920s, for example, courts found no reasonable expectation of privacy in the content of those calls. By 1968, however, the Supreme Court held in the seminal Katz case that a user of a phone booth had a reasonable expectation of privacy. The court in that case rejected the use of evidence collected by police who attached a listening device to the outside of the booth.

Today, cell phone calls cannot be intercepted without warrants, but users who conduct their side of the conversation in public places do not enjoy Fourth Amendment protections.

To take another example, trash kept in cans inside a fenced yard of one's home cannot be searched without a warrant, but once the can is placed on the curb, the expectation of privacy disappears. In a case decided last month in Chicago, another circuit court held that trash cans behind a fence can be searched without a warrant during the winter, because a local ordinance prohibits taking cans to the curb and requires residents to provide access to trash collectors.

As these and many other cases suggest, "reasonable" privacy expectations are constantly being re-examined in light of changing conditions and social norms.

Law enforcement agencies have long argued that users who store data with third parties cannot reasonably expect such data to be protected by the Fourth Amendment. The Sixth Circuit disagreed. The judges explicitly rejected the view that since most terms-of-service agreements include provisions that allow an ISP to inspect or audit the user's information, users cannot reasonably expect that their data is private, once stored in the cloud.

The same provisions, the court noted, also apply to telephone service--and did so at the time of the Katz decision. "Given the fundamental similarities between e-mail and traditional forms of communication," the court reasoned, "it would defy common sense to afford e-mails lesser Fourth Amendment protection."

The decision, if upheld and adopted by other circuits, is a win not only for individuals but also for Internet intermediaries. There was never any doubt that data stored locally on a user's home computer could not be searched without a warrant. But if the same information was stored on a remote computer or anywhere in the cloud, the SCA put service providers in the uncomfortable position of having to retain and turn it over to police without a warrant, often without disclosing that fact to the user.

Uncertainty over whether, and under what circumstances, data stored with a third party was entitled to the same Fourth Amendment protections as local data was seen by many leading cloud providers as a serious limitation on the value and usefulness of their service to consumers. Cloud providers, including Google, felt obliged to warn users that e-mails and other data stored for more than 180 days suddenly lost constitutional protections.

With the warrantless provisions of the SCA voided, consumers would no longer forfeit their Fourth Amendment rights simply by moving storage to the more flexible and convenient cloud.

The Electronic Frontier Foundation, along with a wide range of public-interest groups of all political persuasions, have argued for many years that SCA and other provisions of the ECPA are sorely in need of congressional update.

The "Digital Due Process Coalition," as the group calls itself, certainly has a point. The last time such laws were given serious attention, there was no commercial Internet.