Cloud computing lets Feds read your email

Last week the Court of Appeals, not satisfied with finding that Warshak's claim was not "ripe" because he couldn't say where or when the government was going to seize his email, went further in a very dangerous manner. The Warshak court said that it had no idea if emails potentially seized by the government without a warrant would be subject to any expectation of privacy by Warshak. The Court noted that ISPs have all kinds of policies and practices regarding the privacy of their customers electronic communications, with some like AOL saying that the ISP "will not read or disclose subscribers' emails to anyone except authorized users," some like Juno saying they "will not intentionally monitor or disclose any private email message" but that it "reserves the right to do so in some cases" and some like Yahoo stating that they shall have the right to pre-screen content, or that content may be provided to the government on request.

The court for example relied on Google's Gmail service, which permits automated review of the contents of email (for advertising purposes), or statements by corporate employers eschewing an expectation of privacy by users of the system. The government urged the court to go even further, arguing that there is no constitutional protection of privacy in email where, for example, the ISP used malware scanners to look for malicious code in email or deep packet inspection of email.

Couple this with prior Supreme Court precedent in Smith v. Maryland, where the government sought to subpoena from a telephone company a subscriber's use data - information such as time of calls, who they called and how long the call lasted. Just as with Warshak, the defendant claimed that the government needed a search warrant, and the government claimed that Smith had no reasonable expectation of privacy in this "non-content" information. The Supreme Court agreed with the government, noting "we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills."

Applying that rationale to email, all (well, most) internet users realize that they must "convey" email content to the ISP, since it is through the ISP's routers that their emails are transferred. All (most) users realize that the ISP has facilities for making permanent records of the contents of their email - storing it - for they see a list of their emails when they log on.

The Smith court went further. It noted that the Court "consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties" and that:

When [Smith] used his phone, [he] voluntarily conveyed numerical information to the telephone company and "exposed" that information to its equipment in the ordinary course of business. In so doing, [he] assumed the risk that the company would reveal to police the numbers he dialed.

Thus, when you "voluntarily" turn stuff over to a third party - a bank, an accountant, the phone company, or presumably an ISP, you run the risk that they can turn it over to the cops, and therefore you have "no expectation of privacy".