Saturday, September 22, 2007

Fourth Amendment privacy: IP addresses & URLs

In United States v. Forrester, 2007 WL 2120271 (9th Circuit 2007), the Ninth Circuit Court of Appeals considered whether a defendant had a Fourth Amendment expectation of privacy in the “to and from addresses” of his email messages, the addresses of the websites he visited and the “total amount of data transmitted to or from” his Internet account. Dennis Alba, a defendant in this case, argued that the government violated his Fourth Amendment right to privacy when it used “computer surveillance” techniques to obtain this information.

As I explained in my previous post, a Fourth Amendment “search” occurs if and only if you had a “reasonable expectation of privacy” in the place or thing searched. If you had such an expectation of privacy, the government must have had either a search warrant or a valid exception to the search warrant that justified the search for it to have been “reasonable.” If they had neither, then the search was “unreasonable,” and violates the Constitution, which means the defendant can have the evidence suppressed.

This is how the opinion describes the surveillance Alba was challenging:
During its investigation of Forrester and Alba's Ecstasy-manufacturing operation, the government employed various computer surveillance techniques to monitor Alba's e-mail and Internet activity. The surveillance began in May 2001 after the government applied for and received court permission to install a pen register analogue known as a `mirror port’ on Alba's account with PacBell Internet. The mirror port was installed at PacBell's connection facility in San Diego, and enabled the government to learn the to/from addresses of Alba's e-mail messages, the IP addresses of the websites that Alba visited and the total volume of information sent to or from his account.
United States v. Forrester, supra.

In ruling on Alba’s motion to suppress, the Ninth Circuit applied the Supreme Court’s ruling in Smith v. Maryland, 442 U.S. 735 (1979). In Smith, the government put a pen register, a device that captures the numbers dialed on a telephone, on Smith’s home phone. They were investigating him for making harassing calls, and used the data collected by the pen register against him in a prosecution for doing so.

Smith argued that the use of the pen register was a “search” because he had a reasonable expectation of privacy in the numbers he dialed from his home phone. The Supreme Court, in an opinion I think was wrongly decided, said he did not. The Court said he assumed the risk (read my prior post) by giving that information to a third party. The Supreme Court said that Smith (a) could not have had a subjective expectation of privacy in that data because he knew he was giving it to the phone company and (b) even if he had such an expectation, it is not one society would accept as objectively reasonable because, the Court said, we all know that if we give information to a third party it is no longer private. It’s the assumption of risk concept I noted in my prior post.

The Forrester court noted that the issue Alba was raising had not been addressed by any other federal court of appeals, so this was an issue of “first impression.” Alba lost, but the court did reserve an issue which may prove interesting in the future.

Let’s begin with why he lost. This is the court’s explanation:
We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. . . . Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.” [Smith, supra]

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person's e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.
United States v. Forrester, supra. (In Katz v. United States, 389 U.S. 247 (1967), the Supreme Court held that we do have a Fourth Amendment expectation of privacy in the content of our phone calls.)

The Forrester court also reserved an issue: whether we have a Fourth Amendment expectation of privacy in the URLs of the pages we access. As the Forrester court explained,
Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (`URL’) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed. See Pen Register Application, 396 F.Supp.2d at 49 (`[I]f the user then enters a search phrase [in the Google search engine], that search phrase would appear in the URL after the first forward slash. This would reveal content. . . .’).

No comments: