2007 UCLA J.L. & Tech. 2
The Third Party Doctrine Redux: Internet Search Records and the Case for a "Crazy Quilt" of Fourth Amendment Protection
J.D. Candidate, Indiana University School of Law–Bloomington, 2008; M.A., Texas Tech University, 2005; B.A., Michigan State University, 2001. Thanks to Professors Fred Cate, Joshua Fairfield, and Susan Brenner, and my colleagues Mark Oram and Aaron Stucky, for comments and encouragement. All errors, as they say, are mine.1. See Dennis Murphy, Murder in the moonlight, MSNBC Interactive, (Sept 8, 2006), at http://www.msnbc.msn.com/id/14738060/.
2. Harriet Ryan, Fla. man convicted of killing his wife during faked mugging, now faces death, Court TV News, (June 26, 2006), at http://www.courttv.com/trials/barber/062406_verdict_ctv.html.
3. Murphy, supra note 1.
4. Ryan, supra note 3.
5. Derek Slater, AOL's Data Valdez Violates Users' Privacy, Electronic Frontier Foundation, (August 07, 2006), at http://www.eff.org/deeplinks/archives/004865.php; see also AOL's Massive Data Leak, Electronic Frontier Foundation, at http://www.eff.org/Privacy/AOL/ (last visited April 15, 2007).
6. Jeremy Kirk, Update: AOL reportedly released search data, InfoWorld, (August 07, 2006), at http://www.infoworld.com/article/06/08/07/HNaolsearchdata_1.html.
7. Michael Barbaro & Tom Zeller Jr., A Face Is Exposed for AOL Searcher No. 4417749, N.Y. Times, August 9, 2006, at A1.
9. 18 U.S.C. §§ 2701-12.
10. Compare 18 U.S.C. § 2515 with 18 U.S.C. § 2707; see generally Monica R. Shah, The Case for a Statutory Suppression Remedy to Regulate Illegal Private Party Searches in Cyberspace, 105 Colum. L. Rev. 250, 272 (2005) (arguing that a statutory exclusionary remedy is warranted for stored communications); see also Orin S. Kerr, Lifting the "Fog" of Internet Surveillance: How a Suppression Remedy Would Change Computer Crime Law, 54 Hastings L.J. 805, 807 (2003) (discussing a suppression remedy for contemporaneous communications); see also McVeigh v. Cohen, 983 F. Supp. 215, 220 (D.D.C. 1998) (reading a suppression remedy into the statute: "While the government makes much of the fact that § 2703 (c)(1)(B) does not provide a cause of action against the government, it is elementary that information obtained improperly can be suppressed where an individual's rights have been violated.").
11. See Kirk, supra note 7.
12. See, e.g., United States v. Hambrick, 55 F. Supp. 2d 504, 509 (D. Va. 1999) (ISP subscriber information, which also typically falls under the Stored Communications Act, was admitted despite a defective subpoena because there was no "reasonable expectation of privacy" in the information).
13. See, e.g., United States v. Maxwell, 45 M.J. 406, 416 (C.A.A.F. 1996) (finding the seizure of electronic files, in this case e-mail, far exceeded the plain language of the warrant).
14. See generally Olmstead v. United States, 277 U.S. 438 (1928); United States v. Miller, 425 U.S. 435 (1976).
15. 18 U.S.C. § 2706.
16. See Kirk, supra note 7.
17. Gonzales v. Google, Inc., 234 F.R.D. 674, 681 (N.D.C.A. 2006) (noting that Internet search records contain sensitive and identifiable information including names, social security numbers, and credit card numbers).
19. Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).
20. U.S. Const. amend. IV.
21. Orin S. Kerr, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 Mich. L. Rev. 801, 807 (2004); Peter P. Swire, Katz is Dead. Long Live Katz, 102 Mich. L. Rev. 904, 905 (2004); see, e.g., Olmstead v.United States, 277 U.S. 438, 438 (1928).
22. Katz, 389 U.S. at 352.
23. Kyllo v. United States, 533 U.S. 27, 33 (2001); Katz, 389 U.S. at 361 (Harlan, J. concurring); see also Robert S. Steere, Keeping "Private E-Mail" Private: A Proposal to Modify the Electronic Communications Privacy Act, 33 Val. U.L. Rev. 231, 241 (1998).
24. See, e.g., Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477, 527 (2006); see also Stephen E. Henderson, Nothing New Under the Sun?: A Technologically Rational Doctrine of Fourth Amendment Search, 56 Mercer L. Rev. 507, 517 (2005).
25. See Solove, supra note 25, at 528; see also Philip H. Marcus, A Fourth Amendment Gag Order – Upholding Third Party Searches at the Expense of First Amendment Freedom of Association Guarantees, 47 U. Pitt. L. Rev. 257, 276 (1985).
26. "Made available" is used loosely here, but this idea will be explored as the knowledge requirement later in this section. United States v. Miller, 425 U.S. 435, 442; see also Marcus, supra note 26, at 276.
27. Smith v. Maryland, 442 U.S. 735, 743-44 (1979).
28. Miller, 425 U.S. at 436.
29. Id. at 437.
30. Id. at 438 ("all of the documents obtained, including financial statements and deposit slips, contain only information voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business" and "the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to government authorities.").
31. Smith, 442 U.S. at 737.
34. Id. at 743. In response to the Court's determination in Smith that there was no constitutional privacy interest in telephone numbers dialed, Congress recognized that there was a privacy interest in that information by enacting the Pen Register Act, 18 USC 3121(a), which provided a procedural hurdle (though a slight one) to law enforcement's installation and collection of information via a pen trap/register.
35. See generally Sam Kamin, The Private is Public: The Relevance of Private Actors in Defining the Fourth Amendment, 46 B.C.L. Rev. 83, 99 (2004); Lewis R. Katz, In Search of a Fourth Amendment for the Twenty-first Century, 65 Ind. L.J. 549, 562 (1990); Randolph S. Sergent, A Fourth Amendment Model for Computer Networks and Data Privacy, 81 Va. L. Rev. 1181, 1187 (1995).
36. Katz, 389 U.S. at 351.
37. See Catherine Crump, Data Retention: Privacy, Anonymity, and Accountability Online, 56 Stan. L. Rev. 191, 203 (2003) (Smith holds "that technological possibility determines what privacy expectations are reasonable."); W. LaFave, Search And Seizure: A Treatise on the Fourth Amendment § 2.7(b), at 507 (2d ed. 1987) ("Indeed, it is enough for the majority in Smith that the telephone company has the capacity to make a record of such relationships, even though the company has the good sense not to offend its subscribers by making or keeping those records for no reason.").
39. Smith, 442 U.S. at 745.
41. Id. ("The fortuity of whether or not the phone company in fact elects to make a quasi-permanent record of a particular number dialed does not, in our view, make any constitutional difference. Regardless of the phone company's election, petitioner voluntarily conveyed to it information that it had facilities for recording and that it was free to record.")
42. See Francisco J. Navarro, United States v. Bach and the Fourth Amendment in Cyberspace, 14 Alb. L.J. Sci. & Tech. 245, 251 (2003).
43. See Orin S. Kerr, Internet Surveillance Law After the USA Patriot Act: The Big Brother That Isn't, 97 Nw. U.L. Rev. 607, 611 (2003); Brian D. Kaiser, Government Access to Transactional Information and Lack of Subscriber Notice, 8 B.U.J. Sci. & Tech. L. 648, 676-678 (2002); Navarro, supra note 43, at 253.
44. See Daniel J. Solove, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264, 1286 (2004) (explaining "ECPA largely tracks the distinction made by the Court in Smith v. Maryland, between what Kerr calls ‘envelope' and ‘content' information. Analogizing to postal mail, Kerr states that ‘the content information is the letter itself, stored safely inside its envelope. The envelope information is the information derived from the outside of the envelope, including the mailing and return addresses, the stamp and postmark, and the size and weight of the envelope when sealed.') (quoting Kerr, supra note 44, at 611-616).
45. See, e.g., United States v. Hambrick, 55 F. Supp. 2d 504, 509 (W.D. Va. 1999).
46. See, e.g., United States v. Maxwell, 45 M.J. 406, 418 (C.A.A.F. 1996).
47. Moreover, the content-qua-content test is impractical: anything worth the attention of law enforcement would invariably be something a court could find to be envelope information under that test because the harm is already done and the defendant is unsympathetic.
48. It is the relationship that is key.
49. Katz, 389 U.S. at 352.
50. Reporters Committee for Freedom of Press v. American Tel. & Tel. Co., 593 F.2d 1030, 1045 (D.C. Cir. 1978) (quoting Miller, 425 U.S. at 442-44).
51. Maxwell, 45 M.J. at 417-18.
52. Id. at 417-418 The Maxwell court explained that as when an individual "seals an envelope and addresses it to another person, the sender can reasonably expect the contents to remain private" so too the sender of e-mail may maintain a reasonable expectation of privacy "until the transmissions are received by another person." Id. at 417-18. Similarly, the maker of a telephone call has a reasonable expectation that police officials will not intercept and listen to the conversation; however, the conversation itself is held with the risk that one of the participants may reveal what is said to others. Id.at 418.
53. Warshak v. United States, No. 1:06-cv-357, 2006 U.S. Dist. LEXIS 50076 (S.D. Ohio July 21, 2006).
54. Id. at *3-4. However, the Court stated that while it was "prepared to reconsider its views upon the presentation of further evidence … it [was] not persuaded -- as an initial matter -- that an individual surrenders his reasonable expectation of privacy in his personal emails once he allows those emails (or electronic copies thereof) to be stored on a subscriber account maintained on the server of a commercial ISP." Id.at *19.
55. Id. at 16 (quoting United States v. Jacobsen, 466 U.S. 109, 117 (1984)).
56. See, e.g., United States v. Jones, 149 F. App'x 954, 960 (11th Cir. 2005); United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004); Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001); Maxwell, 45 M.J. at 418.
57. United States v. Charbonneau, 979 F. Supp. 1177 (S.D. Ohio 1997).
58. Id. at 1185.
59. Commonwealth v. Proetto, 771 A.2d 823 (Pa. Super. Ct. 2001), aff'd 837 A.2d 1163 (Pa. 2003).
60. Id. at 826, 831.
61. See, e.g., Smyth v. Pillsbury Co., 914 F. Supp. 97, 101 (E.D. Pa. 1996) (holding that once employee communicated information to his supervisor over a company e-mail system "any reasonable expectation of privacy was lost"); see also McLaren v. Microsoft Corp., No. 05-97-00824, 1999 WL 339015, at *4 (Tex. App. May 28, 1999) (finding employee had no reasonable expectation of privacy in e-mail messages transmitted over the network that "were at some point accessible by a third-party"); Garrity v. John Hancock Mut. Life Ins. Co., 2002 WL 974676,at *2 (D. Mass. May 7, 2002) (finding that e-mails sent over company intranet system were not private).
62. O'Connor v. Ortega, 480 U.S. 709, 717 (1987).
64. Id. at 713-14
66. Id. at 717, 719.
67. United States v. Long, 64 M.J. 57 (C.A.A.F. 2006).
68. Id. at 64-65.
70. Quon v. Arch Wireless Operating Co., 445 F. Supp. 2d 1116 (C.D. Cal. 2006).
71. Id. at 1148.
72. Id. at 1124.
73. In particular, Lt. Duke made it clear to Quon and other employees that he would not audit their pagers so long as they agreed to pay for any overages. Id.at 1148; see also United States v. Slanina, 283 F.3d 670, 677 (5th Cir. 2002) ("given the absence of a city policy placing Slanina on notice that his computer usage would be monitored and the lack of any indication that other employees had routine access to his computer, we hold that Slanina's expectation of privacy was reasonable" ), vacated on other grounds by 537 U.S. 802 (2002), on appeal after remand 359 F.3d 356 (5th Cir. 2004) (per curium); Leventhal v. Knapek, 266 F.3d 64, 74 (2nd Cir. 2001) (finding that an employee had a reasonable expectation of privacy in "storing personal items in his office computer" despite employer's policy prohibiting personal use of state equipment, because the employer acknowledged that employees "would not violate state policies by keeping a personal checkbook in an office drawer, even though it would take up space there"); Adams v. City of Battle Creek, 250 F.3d 980, 984 (6th Cir. 2001) (finding no diminished expectation of privacy where a pager monitoring policy had not been enforced).
74. Cf. Lopez v. United States, 373 U.S. 427, 449 (1963) (Brennan, J., dissenting) ("The right of privacy would mean little if it were limited to a person's solitary thoughts, and so fostered secretiveness. It must embrace a concept of the liberty of one's communications, and historically it has.")
75. See generally Gonzales v. Google, Inc., 234 F.R.D. 674, 687 (N.D. Cal. 2006) (noting that Internet search records contain identifiable information including names, social security numbers, and credit card numbers, and they often implicate criminal intentions; e.g., "bomb placement white house," or "communist berkeley parade route protest war.")
76. See, e.g., Google Toolbar, at http://toolbar.google.com
77. See, e.g., http://www.google.com/search?hl=en&q=aids, (last visited April 15, 2007). Also, the fact that these are likely only computer recipients, see Kerr, supra note 44, at 609 (discussing computer recipients versus human recipients), heightens the expectation of privacy, a fact wholly ignored by the traditional technological capacity approach of the third party doctrine. See generally Bradley v. Google, Inc., No. C 06-05289, 2006 U.S. Dist. LEXIS 94455 (N.D. Cal. Dec. 22, 2006) (discussing third party advertising through Google); and Google Inc. v. Am. Blind & Wallpaper Factory, Inc., No. C 03-05340,2005 U.S. Dist. LEXIS 6228 (N.D. Cal. Mar. 30, 2005) (same).
78. See, e.g., http://www.google.com/search?hl=en&q=pizza+hut&btnG=Search, (last visited April 15, 2007).
79. United States v. Simons, 206 F.3d 392 (4th Cir. 2000).
80. Id. at 398-99.
82. Muick v. Glenayre Elec., 280 F.3d 741, 743 (7th Cir. 2002).
83. Id. ("But Glenayre had announced that it could inspect the laptops that it furnished for the use of its employees, and this destroyed any reasonable expectation of privacy that Muick might have had and so scotches his claim.")
84. United States v. Ziegler, 474 F.3d 1184, 1186 (9th Cir. 2007) ("A review of Ziegler's ‘search engine cache information' also disclosed that he had searched for ‘things like ‘preteen girls' and ‘underage girls.'")
85. Id. at 1189-90.
86. United States v. Ziegler, 456 F.3d 1138, 1142-43 n.9 (9th Cir. 2006) (quoting United States v. Simons, 206 F.3d 392, 399.
87. Ziegler, 456 F.3d at 1190 ("Furthermore, Ziegler's expectation of privacy in his office was reasonable on the facts of this case. His office was not shared by co-workers, and kept locked.")
88. Ziegler, 474 F.3d at 1189-93. It should be noted that the court then used that workplace policy to find that Frontline had the authority to consent to a government search, thus complying with (and effectively overriding) Ziegler's Fourth Amendment interest.
89. The upshot of these competing constitutional tests is that public employers now have the sole power to cause Internet searches to be excluded as evidence in criminal prosecutions by implementing policies that permit employees to maintain reasonable expectations of privacy in that information; this is not to suggest, however, that they will actually ever do so. See, e.g., Muick, 280 F.3d at 743 (explaining "the abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.")
90. Olmstead, 277 U.S. at 438; Long, 64 M.J. at 57.
91. In truth, it would not have mattered in Barber's case because the government obtained a warrant.
92. Again, this would depend on many operational factors.
93. Consider that the "operational realities" test was articulated in a case involving physical not informational privacy. See O'Connor, 480 U.S. at 709.
94. Kyllo v. United States, 533 U.S. 27, 34 (2001) ("The Katz test -- whether the individual has an expectation of privacy that society is prepared to recognize as reasonable -- has often been criticized as circular, and hence subjective and unpredictable."); see also 1 Wayne R.LaFave, Search and Seizure: A Treatise on the Fourth Amendment § 2.1(d), at 393-394 (3d ed. 1996); Richard A. Posner, The Uncertain Protection of Privacy by the Supreme Court, 1979 Sup. Ct. Rev. 173, 188 (1979).
95. This approach is similar in kind to those adopted by other advocates of relational understandings of Fourth Amendment information privacy. See, e.g., Susan W. Brenner & Leo L. Clarke, Fourth Amendment Protection for Shared Privacy Rights in Stored Transactional Data, 14 J.L. Pol'y 211, 247 (2006); See generally, Mary I. Coombs, Shared Privacy and the Fourth Amendment, or the Rights of Relationships, 75 Cal. L. Rev. 1593 (1987).
96. For an excellent analysis of these cases in a similar vein see Brenner & Clarke, supra note 90.
97. Katz, 389 U.S. at 352.
99. In fact, this would seem to make Katz bad law under Smith. See Crump, supra note 34, at 203. ("One has only to apply the logic of Smith to the scenario in Katz to see that this is the case. Smith holds that there is no Fourth Amendment protection for dialed phone numbers because the average person should be aware that their phone company is technically capable of accessing this information. If this Court had applied this logic in Katz, then surely the content of phone conversations would be similarly unprotected.") (citation omitted.)
100. Brenner & Clarke, supra note 90, at 214.
101. See, e.g., United States v. Covello, 410 F.2d 536, 542 (2d Cir. 1969) ("[T]he keeping of toll records is a necessary part of the ordinary course of the telephone company's business and is necessary in order that the company may substantiate its charges to its customers. Toll records are kept for all telephone subscribers and are not kept just for subscribers being investigated by officers of the law, or ones suspected of criminal proclivities. The subscriber is fully aware that such records will be made . . . and the records of the telephone company so kept in the ordinary course of the company's business are entitled to the same evidentiary treatment as the records of other businesses.") (emphasis added); United States v. Gallo, 123 F.2d 229, 231 (2d Cir. 1941) ("When a person takes up a telephone he . . . . must be deemed to consent to whatever record the business convenience of the company requires.") (emphasis added); see also Hambrick, 55 F. Supp. 2d at 505, aff'd 225 F.3d 656 (4th Cir. 2000), cert. denied, 531 U.S. 1099 (2001) (where the government served a subpoena on MindSpring, an Internet service provider, requesting "any records pertaining to the billing and/or user records documenting the subject using your services.").
102. Miller, 425 U.S. at 443. ("This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.")
103. United States v. White, 401 U.S. 745, 751-52 (1971); Hoffa v. United States, 385 U.S., 293, 302; Lopez v. United States, 373 U.S. 427 (1963).
104. Brenner & Clarke, supra note 90, at 251 ("The reasoning in both Smith and Miller relied on cases such as United States v. Hoffa that dealt with verbal disclosures by one individual to other persons . . . . There is, however, a constitutionally significant factual distinction between Hoffa and Government access to stored digital transaction data. In the former situation, the individual who communicates with another person (i) knows what he has said, (ii) knows that the recipient is not only able, but likely, to evaluate the implications of the information transmitted, and (iii) knows that the recipient may decide, based on that evaluation, to disclose the information to others. The one who shares information with another individual is also likely to appreciate and rely on the limits of human memory and the cognitive constraints sociologists call ‘bounded rationality.' The person who shares information also is likely, as a matter of empirical reality, to have some idea of what other information the recipient can combine with the information transmitted.")(citation omitted).
105. Smith, 442 U.S. at 735.
107. Id. at 745 ("The fortuity of whether or not the phone company in fact elects to make a quasi-permanent record of a particular number dialed does not, in our view, make any constitutional difference. Regardless of the phone company's election, petitioner voluntarily conveyed to it information that it had facilities for recording and that it was free to record.").
108. Electronic Communications Privacy Act of 2000, Digital Privacy Act of 2000 and Notice of Electronic Monitoring Act: Hearing on H.R. 4987, and H.R. 4908 Before the Subcommittee on the Constitution of the Committee on the Judiciary, House of Representatives, 106th Cong. 82 (2000), ("In 1986, in enacting the ECPA's Title II and Title III provisions, the Congress was aware of the foregoing Supreme Court rulings and sought to ‘create' new privacy protection in statute to protect a subscriber's communications addressing and transactional record information."); See generally Lieutenant Colonel LeEllen Coacher, Permitting Systems Protection Monitoring: When the Government Can Look and What It Can See, 46 A.F. L. Rev. 155, 171 (1999) (noting "the ECPA was designed to confer an expectation of privacy to electronic and wire communications, and it generally prohibits the interception or accession of electronic communication.").
109. 18 U.S.C. 2511; 18 U.S.C. 2701. Though, of course, the passage of the Bank Secrecy Act failed to substantiate a similar expectation (in the Court's view) in Miller.
110. Smith, 442 U.S. at 744.
111. O'Connor, 480 U.S. at 709.
112. See generally 18 U.S.C. 1708 (2000) ("Whoever steals ... from or out of any ... mail receptacle ... any letter, postal card, package, bag, or mail ... shall be fined under this title or imprisoned not more than five years, or both.").
113. See, e.g., Warshak, 2006 U.S. Dist. LEXIS at *50076.
114. 18 U.S.C. § 2701.
115. U.S. v. Hambrick, 55 F. Supp. 2d. 504, 508 (W.D. Va. 1999).
116. Id.at 509.
118. Freedman v. Am. Online, Inc., 412 F. Supp. 2d 174 (D. Conn. 2005).
119. Id. at 183 ("Where such dissemination of information to nongovernment entities is not prohibited, there can be no reasonable expectation of privacy in that information.") (quoting Hambrick, 55 F. Supp. at 509).
121. Maxwell, 45 M.J. at 417.
122. Id. at 417 (holding while "implicit promises or contractual guarantees of privacy by commercial entities do not guarantee a constitutional expectation of privacy, we conclude that under the circumstances here appellant possessed a reasonable expectation of privacy, albeit a limited one, in the e-mail messages that he sent and/or received on AOL.").
124. Katz, 389 U.S. at 361 (Harlan, J. concurring).