Skip

A person...loses a reasonable expectation of privacy in emails...after the email is sent to and received by a third party.
March 15, 2010 5:01 PM   Subscribe

The United States Court of Appeals for the Eleventh Circuit rules that once emails have been received by a third party, no Fourth Amendment protection applies to any copies. In Rehburg v. Paulik, among other claims, Charles Rehburg alleged a violation of his constitutional rights by the improper subpoena of his emails from his ISP. Last week, the Eleventh Circuit ruled against him:

Rehberg’s voluntary delivery of emails to third parties constituted a
voluntary relinquishment of the right to privacy in that information. Rehberg does
not allege Hodges and Paulk illegally searched his home computer for emails, but
alleges Hodges and Paulk subpoenaed the emails directly from the third-party
Internet service provider to which Rehberg transmitted the messages. Lacking a
valid expectation of privacy in that email information, Rehberg fails to state a
Fourth Amendment violation for the subpoenas for his Internet records.


The Volokh Conspiracy's Orin Kerr provides further analysis, and discuss the traditional Fourth Amendment protections due to postal mail. He suggests that this decision, if upheld, would mean that " the government could just go to the ISP of the person sending the e-mail and take all of their outgoing e-mails right off the server."
posted by PMdixon (46 comments total) 6 users marked this as a favorite

 
" the government could just go to the ISP of the person sending the e-mail and take all of their outgoing e-mails right off the server."

Well, they're doing this already. That barn door was left open a few years ago.
posted by Blazecock Pileon at 5:05 PM on March 15, 2010 [3 favorites]


Judge Ted Stevens?
posted by DU at 5:06 PM on March 15, 2010


Hmm yeah, I'm not sure what the change is suppose to be, they've been doing this with so-called "national security letters" for a while.
posted by delmoi at 5:06 PM on March 15, 2010


IANAL or a legal scholar, but as I understand it the difference would basically be that the rubber-stamps of FISA or national security letters would no longer be necessary.
posted by PMdixon at 5:08 PM on March 15, 2010 [2 favorites]


The obvious solution is to encrypt your email using ROT13, then if your emails are read you can sue under the anti-circumvention clause of the DMCA.
posted by mullingitover at 5:13 PM on March 15, 2010 [27 favorites]


.
posted by finite at 5:16 PM on March 15, 2010 [4 favorites]


Does the court know how a computer works?
posted by haltingproblemsolved at 5:29 PM on March 15, 2010


Does the court know how a computer works?

The obvious joke here would involve some combination of the average age of the judges and the geographical area covered by the 11th circuit.
posted by PMdixon at 5:30 PM on March 15, 2010 [1 favorite]


Does the court know how a computer works?

Your friendly FBI agent can intercept your package in transit by subpoenaing FedEx. How is this any different? Because it involves *gasp* computers? And computers mean freedom!!!111!!!

Pro tip: If you don't want your email read by the gubmint then encrypt it before sending.
posted by Talez at 5:52 PM on March 15, 2010


Axiom: Email is an inherently insecure medium of communication.

Theorem: Anyone who assumes any privacy in email is asking to be disappointed.

Corollary: anyone who encrypts their email is asking for the attention of spooks.
posted by unSane at 5:53 PM on March 15, 2010 [7 favorites]


Privacy is dead, long live privacy.

By encrypting your email, even/especially if you think you have "nothing to hide", you help protect everyone's privacy by keeping the sending of encrypted email from being a suspicious act.

By my (not a lawyer) understanding of this decision, if the 3rd parties only ever see ciphertext then the 4th amendment should still apply, so, various means of circumventing crypto software (most likely, by putting malware on one side or the other) should still require a warrant.
posted by finite at 5:53 PM on March 15, 2010 [3 favorites]


If you don't want your email read by the gubmint then encrypt it before sending.

Because nothing is less suspicious to a G-Man that an encrypted e-mail.
posted by Joey Michaels at 5:54 PM on March 15, 2010


Then again, by my understanding of the 4th amendment, this decision is completely absurd, so it is difficult to draw any logical conclusions from it.
posted by finite at 5:54 PM on March 15, 2010


While I agree that email (and for that matter, any other data you put on the internet) is inherently an insecure medium and that you shouldn't expect anything you transmit over the internet to remain private, I also think this is a crap ruling by a crap judge, and that the subpoena of e-mail from ISPs violates the spirit, if not the letter, of the 4th Amendment. Dear FBI agents reading my email: the founding fathers are ashamed of you.
posted by Caduceus at 6:02 PM on March 15, 2010 [4 favorites]


The first thing I thought of when I read this was how CALEA will work with it. If we have no expectation of privacy in email under the 4th Amendment, if you're hooked up to any network with CALEA implemented on it, it sounds like any email you send or receive can be intercepted and read without a warrant. Scary.
posted by immlass at 6:22 PM on March 15, 2010


it sounds like any email you send or receive can be intercepted and read without a warrant. Scary.

This was already the case, albeit after 30 days.
posted by mek at 6:42 PM on March 15, 2010


Your friendly FBI agent can intercept your package in transit by subpoenaing FedEx. How is this any different? Because it involves *gasp* computers? And computers mean freedom!!!111!!!

From Volokh:
The Fourth Amendment ordinarily protects postal mail and packages during delivery. The same rule applies to both government postal mail and private delivery companies like UPS: As soon as the sender drops off the mail in the mailbox, both the sender and recipient enjoy Fourth Amendment protection in the contents of the mail during delivery.

The question privacy-concerned people are asking is how is this any different? It isn't, really, and so there should be protection.
posted by Lemurrhea at 7:00 PM on March 15, 2010 [2 favorites]


mullingitover: "The obvious solution is to encrypt your email using ROT13, then if your emails are read you can sue under the anti-circumvention clause of the DMCA."

Yeah, but does the DMCA apply to The Government? I doubt that it does.
posted by ArgentCorvid at 7:02 PM on March 15, 2010


In the end, the only expectation of privacy will be the courtesy flush.
posted by digitalprimate at 7:03 PM on March 15, 2010


if your emails are read you can sue under the anti-circumvention clause of the DMCA

That might work if the wiretappers didn't have a license to kill those particular rights.

No, really, they do. Title 17, Chapter 12, § 1201 (e):
This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State.
posted by finite at 7:06 PM on March 15, 2010 [1 favorite]


It would be nice if someone made *easy* encrypted email.
posted by mecran01 at 7:18 PM on March 15, 2010 [1 favorite]


It would be nice if someone made *easy* encrypted email.

Agrees 1000%. I have tried and tried...
posted by bz at 7:24 PM on March 15, 2010


11th is mega conservative. What do the other circuits saÿ?
posted by Ironmouth at 7:25 PM on March 15, 2010


Probably the simplest encrypted email setup is to use the Enigmail plugin with the Thunderbird email client. It's not a trivial install, but not too tough, either. Agreed that they should include encryption with the base Thunderbird, and maybe default it on.

I've been using Thunderbird on Win XP for over 2 years without problems. the only "Outlook" thing it's missing is the whole meeting scheduler thing... but they're working on that.
posted by Artful Codger at 7:43 PM on March 15, 2010 [1 favorite]


Unfortunately, google has a huge interest in you not encrypting. Right now they don't do anything to stop you, but it would strongly nerf their ad targeting / sentient panopticon development project. I PGPd for a while, but it was annoying to everyone else. I do use OTR for instant messaging, which takes the nice step of auto-figuring-out if the other person has it.
posted by a robot made out of meat at 8:12 PM on March 15, 2010 [1 favorite]


J(wf!sfbe!Sficfsh(t!fnbjmt!
posted by HP LaserJet P10006 at 8:28 PM on March 15, 2010 [2 favorites]


When the telephone came along, it was exactly because it was ridiculously easy to tap a phone call that special legal protections were set up against having your phone tapped. This time they're taking the opposite conclusion from the same situation.
posted by winston at 8:30 PM on March 15, 2010 [5 favorites]


Probably the simplest encrypted email setup is to use the Enigmail plugin with the Thunderbird email client.

I disagree, not with the spirit of the recommendation but on practical grounds: this would involve a change of mail client for most people (those not already using webmail), who are probably using Outlook. I hate the MS monopoly as much as anyone, but any solution that doesn't involve Outlook is dead before it leaves the starting gate, for all but a very small number of users.

Also, GPG/PGP mail is…well, I'll be blunt: it's a geek thing. There was a time when it seemed like it might get adopted as The Standard Encrypted Email Format, but that time is past; S/MIME won. Yeah, it's ugly and a lot of the original arguments for it, about CAs being superior to the PGP web of trust, turned out to be false, but like Microsoft it's entrenched and not going anywhere. It's what the government and major corporations use, and it's well-integrated with far more clients (without add-ons) than PGP.

The most practical path to secure email, for the Windows/Outlook "average user," is this one. You pays your money and you gets your certificate (make sure to use IE when getting the cert, don't use Firefox or Chrome; yes just this once, use IE), and the whole thing just works if you go through it and follow Microsoft's and Verisign's instructions exactly. (S/MIME support is also built into Apple Mail for OS X, and the process is much the same except you must use Safari instead of IE to get the certificate stored in the system Keychain.)

I've been experimenting with email encryption for over a decade now and it's when you deviate from this path that you run into issues. There are ways to do it without buying a real certificate, but they result in messages that won't verify cleanly on the receiving end. (It's really, really not worth the hassle just to save the twenty bucks; if your correspondents are anything like mine, you'll get all sorts of panicked replies from people wanting to know if you sent them a virus because your signed messages cause warnings to pop up on their machines.) Do it right, with a well-recognized CA, and they'll get a nice little signed-message indicator, no problems.

The perfect is the enemy of the good when it comes to email cryptosystems. I carried a vicious hatred of X.509 and the whole Certificate Authority scheme for years, until I finally gave in because no other system is worth the time to implement, unless you are very active in one of the communities where PGP still sees use (but in that case you're probably already using PGP/GPG). But X.509 is where the world is going as people are slowly catching onto the need for secure email; I have seen more and more emails originating from companies large and small that are signed, and I have actually begun to see conversations get encrypted opportunistically, because both parties happen to have certificates and so the replies just get encrypted. This is how things are supposed to work. It's ten years late, but we're finally getting there.

Microsoft, Outlook, X.509 and S/MIME, Verisign, paying twenty bucks a year for a certificate, they all suck. But it's the best solution out there right now if you want end-to-end encrypted email that will let you communicate with the greatest number of recipients with the least amount of hassle.
posted by Kadin2048 at 9:30 PM on March 15, 2010 [11 favorites]


Now if emails were protected it would be fun to see a case where computers were confiscated as part of a criminal investigation but their contents were inadmissible because the computers an a SMTP server or somesuch.
posted by GuyZero at 9:41 PM on March 15, 2010


I can't think of anything that would create a rush for encrypted mail clients faster than sending out some chain letters to gullible chain letter forwarder types that start with:

Subj: AL QAEDA IS MONITORING EMAILS

I think if Thunderbird and other clients can add in some basic encryption that can be turned on and off with each email, depending on the address book settings and recipient, that would be all it would take to encourage widespread use. On the other hand, running a couple of forums and noticing trends over the years, it seems a whole lot of people are shifting to webmail like Yahoo, Hotmail, and GMail, so I'm not sure how much interest there really is in improving POP mail.
posted by crapmatic at 10:22 PM on March 15, 2010


The easiest way to encrypt an email is to send an encrypted zip or pdf and call your buddy on the phone to tell them the password. Works with any machine that can download and open zip and pdf, so outlook, webmail, whatever. Probably won't work on some smartphones, but I'm not sure they'll handle x.509.

The other way is to make the recipient register on your website to receive all communications over https.

Google should probably offer some kind of free x.509 certificate email where they 'hold on' to the cert for you for search indexing, etc...
posted by BrotherCaine at 1:18 AM on March 16, 2010


Oh, and the 11th circuit blew this decision completely. This is exactly analogous to postal mail. Let's hope SCOTUS reverses.
posted by BrotherCaine at 1:20 AM on March 16, 2010


Let's hope SCOTUS reverses.

Ha!
posted by grouse at 6:19 AM on March 16, 2010


Lacking a valid expectation of privacy in that email information, Rehberg fails to state a Fourth Amendment violation for the subpoenas for his Internet records.

Does this imply that if your email states an expectation of privacy - "this email is intended only for the person designated" - that the situation would be different?
posted by Big_B at 8:25 AM on March 16, 2010


This is exactly analogous to postal mail.

It's still a bit of a question whether it's more like a letter, or more like a postcard.
posted by ROU_Xenophobe at 8:59 AM on March 16, 2010


Probably won't work on some smartphones, but I'm not sure they'll handle x.509

Blackberries do, when integrated with the right BES package / service plan. (So the Blackberry that Joe Schmoe purchases from the AT&T store probably won't do it, but a corporate deployment almost certainly will. And the government ones do.)

S/MIME is very notably absent in the iPhone native mail client. This was surprising to many people (myself included) because the OS X Mail program's S/MIME support is decent. (Not flawless, particularly if you have multiple certificates/identities, but decent.) So it's a bit of a kick in the teeth that they didn't implement it there.

It's under development for Android, although I don't think there's anything out there yet.

Expect to see it as a corporate feature that trickles down to individual consumers, rather than the other way around; encryption isn't a compelling feature to most average users (although it probably should be), but commercial users finally seem to be getting it together. It's no surprise that the Blackberry is the best platform right now for end-to-end encrypted email.

Also, people who use webmail exclusively might want to check out GMail S/MIME for Firefox. It's a Firefox addon that implements S/MIME completely in the browser. (You have to load your certificate into Firefox's keystore for it to work.) It has some rough edges still based on my testing but it's interesting. Keep in mind though that if you use it and then you go to another computer and try to check your email, you won't be able to read any encrypted messages (that being the purpose of encryption). Thus I still prefer thick clients, but if you really like Gmail's web interface it's better than nothing.
posted by Kadin2048 at 9:36 AM on March 16, 2010 [1 favorite]


the subpoena of e-mail from ISPs

The evil point of this is that a subpoena isn't required. Any government agent can simply tell your ISP to show them your email at will. To get a subpoena, they would have to show cause to a judge, something that isn't all that onerous of their motive is worthy. The fact that someone doesn't want to have to do that is the most worrying part of the whole thing, since it opens up law enforcement to all kinds of corruption, including using it for political ends.
posted by Jimmy Havok at 9:41 AM on March 16, 2010 [1 favorite]


It's still kinda sinking in for me. First citizen's united, now this. Way to go, judicial branch, really hitting home runs this year.

So what exactly would the consequence be for an ISP that refuses to cooperate? Without any judicial oversight it seems like this would be begging for abuse. What's to stop a police officer from demanding that his ex-wife's ISP turn over her emails to him? Or for that matter, what about corporate communication that contains trade secrets or other confidential information? Doesn't this mean that e-mail is out for any doctor/patient communication?
posted by mullingitover at 10:45 AM on March 16, 2010 [1 favorite]


Corollary: anyone who encrypts their email is asking for the attention of spooks.

Agreed. Which is why I send the crazy shit I plan on doing in clear text and encrypt things like my shopping lists. I want them dedicating some serious time to bust through 4096 bit encryption only to find out that after my freedom fighters meeting, I'm going to pick up some bananas and milk.
posted by quin at 11:43 AM on March 16, 2010


I read the decision, and I don't think the 4th Amendment ruling is very substantive to the case. The ruling was over prosecutor mis-conduct and absolute immunity and the court was trying very hard for find every little reason to let one of their own off the hook for retaliatory prosecution.
posted by MiltonRandKalman at 12:45 PM on March 16, 2010


Rehberg’s voluntary delivery of emails to third parties

I'm confused as to how an ISP is considered a third party recipient in this scenario. My understanding is that an ISP is considered a neutral carrier of data and that is how they avoid any liability for what passes over their networks. How is it they can be viewed as a neutral carrier when it comes to data that is stored temporarily on their switches or longer on their caching servers but now magically become a recipient when somebody wants to read another person's email? If they are a recipient then how are they not also liable for all that dinosaur porn I keep forwarding? These two views of what an ISP represents seem incompatible to me.
posted by well_balanced at 1:45 PM on March 16, 2010


Metafilter: all that dinosaur porn I keep forwarding
posted by finite at 2:33 PM on March 16, 2010 [1 favorite]


I think the solution for this is to have some quickwitted lawyer set up a service in which he agrees to receive a courtesy copy of all your e-mails.-- Just in case they need to be referenced in a future case. That way you'll have confidential e-mail that is protected and inadmissible since it will be between you and your lawyer.
posted by chinabound at 7:38 PM on March 16, 2010


Do we treat e-mail the same as postal mail? Why/why not?
posted by rubah at 10:35 PM on March 16, 2010


Kadin2048: "Microsoft, Outlook, X.509 and S/MIME, Verisign, paying twenty bucks a year for a certificate, they all suck. But it's the best solution out there right now if you want end-to-end encrypted email that will let you communicate with the greatest number of recipients with the least amount of hassle."

I have to disagree with the main thrust of your post (ease of use/installation). On the basis of this thread, I just tried to get a S/MIME ("digital ID") certificate. About 10 minutes worth of clicking and verifying I am who I say I am and I have a PKCS12 file in my inbox. Thunderbird took maybe 5 clicks to import, and Outlook took another 4. Bonus points: I used Firefox to request the certificate, I found several places to buy such a certificate (though they all cost $19.95), and my Mac-using friend received the message without issue.
posted by fireoyster at 1:43 AM on March 17, 2010


bout 10 minutes worth of clicking and verifying I am who I say I am and I have a PKCS12 file in my inbox

The problem that seems to get people (in my experience) isn't importing the public cert (the one you get emailed) but the private key, which is generated in the browser as part of requesting the certificate. If you requested the certificate in Firefox, then the private key is stored in Firefox's keystore and you have to export it in order to get it into Outlook so you can sign and decrypt messages. But if you do the request in IE, the private key goes directly into the Windows equivalent of a Keychain (I've never paid a lot of attention to exactly how this is implemented), and all you need to do is import the public cert when it arrives. (Which, for me, has never involved anything except saving it to the desktop and then clicking on it.)

There's nothing inherently wrong with using Firefox to perform the cert request, but because it requires an additional export step in order to get the key usable by Outlook, I don't think it's as moron-proof as just using IE for the whole thing. Plus, most of the Microsoft documentation assumes IE, so if I was talking someone through the process it's easy to point them to step-by-step instructions that they can follow.

If you know what you're doing you can perform the request in just about any browser, and you'll probably want to export the key and certificate for backup purposes anyway. (I keep my certs and private keys backed up on a couple of SD cards in a safe-deposit box, rather than an online backup service; cards are also a good way of securely moving them from one computer to another, too.)

But glad to hear you got the certificate set up, regardless of how you did it; the more people using or at least set up to use encrypted email, the better.
posted by Kadin2048 at 9:31 AM on March 17, 2010


« Older Drinkin' beer from a bottle, on a Friday night.   |   The Adventure of the the Sweet Cross-Hatching Newer »


This thread has been archived and is closed to new comments



Post