This article is more than 1 year old
US appeals court ruling could 'eliminate internet privacy'
Tech terms of service dissolve Fourth Amendment rights, EFF warns
The US Ninth Circuit Court of Appeals on Wednesday affirmed the 2019 conviction and sentencing of Carsten Igor Rosenow for sexually exploiting children in the Philippines – and, in the process, the court may have blown a huge hole in internet privacy law.
The court appears to have given US government agents its blessing to copy anyone's internet account data without reasonable suspicion of wrongdoing – despite the Fourth Amendment's protection against unreasonable searches and seizures. UC Berkeley School of Law professor Orin Kerr noted the decision with dismay.
"Holy crap: Although it was barely mentioned in the briefing, the CA9 just held in a single sentence, in a precedential opinion, that internet content preservation isn't a seizure," he wrote in a Twitter post. "And TOS [Terms of Service] eliminate all internet privacy."
The case at issue, US v. Rosenow, begins in October, 2014, when online money transfer service Xoom alerted Yahoo! to a number of Yahoo accounts involved in the buying and selling of child sexual abuse material. The convicted felon was formerly chief marketing officer for biotech biz Illumina.
Yahoo! investigated, reported its findings to the National Center for Missing and Exploited Children (NCMEC) and subsequently involved the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).
Law enforcement presented preservation requests to Yahoo! to preserve relevant user account data in October 2014, December 2014, and June 2015. Included therein were three financial transactions involving Rosenow.
Investigations by Yahoo! and law enforcement continued, culminating in the June 21, 2017 arrest of Rosenow at the San Diego airport in conjunction with the execution of federal search warrants for the defendant, his baggage, and residence. The feds seized digital image and video files as evidence. Rosenow in 2020 was sentenced to 25 years in prison for child pornography offenses.
Attorneys representing Rosenow sought to have the evidence obtained from the arrest disallowed by claiming that their client's Fourth Amendment rights had been violated. They argued Rosenow had the right to privacy in his digital data. The government's preservation requests – issued years before – and subpoenas submitted without a warrant, they said, violated Fourth Amendment protection against unreasonable search and seizure.
The appeals' panel rejected the defense arguments and upheld the lower court's conviction and sentencing.
The Ninth Circuit decision [PDF] says the government's data preservation requests did not interfere with the defendants rights because the data was copied and the defendant was not deprived of it – there was no seizure.
So, since the defendant didn't lose access to his data – copying is not seizing – and consented to Terms of Service that dispensed with privacy, the appeals court sees no problem with how the evidence against Rosenow was obtained.
Some folks are having nightmares
Kerr described the decision as the nightmare scenario for jurisprudence – a major issue that gets glossed over during proceedings and gets decided without any legal reasoning or support.
"Literally, that's it," he wrote about the decision's terse dismissal of the Fourth Amendment concerns. "No analysis. No citing anything. No discussion. And just a single sentence. So now, under 9th Circuit law, the government is free to order everyone's entire Internet account copied and held for it – with no cause at all. At any time, for no reason."
Kerr recently explored the way in which internet data preservation orders can skirt Fourth Amendment requirements in an article titled "The Fourth Amendment Limits of Internet Content Preservation" that appeared last year in the St. Louis University Law Journal.
Therein, he describes a hypothetical scenario that's relevant not just to the Rosenow case, but to anyone storing data on with a service provider.
Imagine you are an FBI agent. One day you receive an anonymous tip that a particular person has committed a crime. You go online and search for the person’s name, and your search reveals that, like most American adults, the person has a Facebook account. At this point, you only have an unverified tip. You lack reasonable suspicion, much less probable cause, to believe a crime was committed. And you have no particular reason to think the Facebook account was involved. But imagine federal law gave you the power to preserve and set aside the suspect’s entire Facebook account now – including every private message and every saved photo – just in case you later had the probable cause needed to access it.
The punchline is that this isn't a hypothetical scenario but the way "18 U.S. Code § 2703 - Required disclosure of customer communications or records" actually works. And it happens often: in 2019, over 310,000 Internet accounts were preserved in response to § 2703(f) requests, according to Kerr.
What's at issue here is whether the government can bypass Fourth Amendment obligations by delegating unsupported data preservation demands – effectively a seizure – to the private sector.
"When the government requests preservation and the provider complies, the provider acts as the government’s agent and becomes a state actor," Kerr writes in his paper. "The process of copying and setting aside the contents of an Internet account is a Fourth Amendment seizure because it interferes with a user’s right to control his private communications."
In other words, authorities should have probable cause before they seize your data or direct a third-party to do so in their place, just as they would have to do for seizing parcels sent by mail. But for the Ninth Circuit, and now for the courts within its jurisdiction, that no longer appears to be the case.
The court's reasoning that accepting Terms of Service undoes privacy rights elicited concern from other legal experts.
- 60 countries sign declaration to keep future internet open
- Scraping public data from the web still OK: US court
- Apple iOS privacy clampdown 'did little' to reduce tracking
- Fake it until you make it: Can synthetic data help train your AI model?
In a statement emailed to The Register, Jennifer Lynch, surveillance litigation director for the Electronic Frontier Foundation, said the Ninth Circuit's discussion of Rosenow's Fourth Amendment rights with respect to his ISP's Terms of Service was clearly wrong.
"The Supreme Court and all other courts that have addressed the question have made clear that digital content you store with a third party is protected by the Fourth Amendment. The third parties that store and transmit our content and communications all have terms of service similar to Yahoo’s."
"These take-it-or-leave-it terms that no one reads are designed to protect companies' business interests – they cannot vitiate your Fourth Amendment rights. If they did, cases like Carpenter and US v. Warshak (a 2010 Sixth Circuit case finding the Fourth Amendment protects email) would have no teeth, and that can’t be right."
Lynch said the EFF has raised this issue in several previous court cases and expects to address it before the Ninth Circuit in a case called US v. Bohannon next month in May. ®