Ruling Endangers Privacy in Email and IP Addresses
The Ninth Circuit recently held [PDF] in US v. Forrester that the Fourth Amendment does not protect against government surveillance of the to/from addresses of one's email messages, the IP addresses of websites one has visited, and the total volume of information transmitted to or from one's ISP account.
This dangerous decision relies on a faulty analogy. The court accepted the argument that, because it is not a Fourth Amendment search for the government to capture dialed telephone numbers with "pen registers" and "trap and trace devices," the same is true for capturing email addresses (as opposed to subject lines in email headers) and IP addresses. But, as we've pointed out elsewhere, the latter can reveal far more intimate details about Internet activities. Unlike a phone number, an email address can communicate a message (e.g., "VoteBush@aol.com" or "repealPatriot@eff.org") and include constitutionally protected content.
The court appears to grasp this distinction, but, unfortunately, doesn't follow it to the correct conclusion. In a footnote, the court points out that capturing URLs of webpages visited "might be more constitutionally problematic" because "[a] URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's Internet activity. However, an IP address can point to a particular website and can also be used to identify "much more information about the person's Internet activity." For instance, it can be combined with information about the size of a file downloaded from a particular IP to identify a particular page on a website.
On top of this casual, erroneous reasoning, the court oddly says almost nothing about how the surveillance actually occurred. Indeed, at one point the opinion says, "the government applied for and received court permission to install a pen register analogue on [defendant's] computer." Ordinarily, pen register surveillance takes place on the provider's system, not on the target's computer; so this statement, along with the fact that keylogging software was used, raised questions about whether the court approved physical entry or some kind of remote surveillance like the FBI's "Magic Lantern." EFF has confirmed with defense counsel that the surveillance in fact occurred at the provider's system, but these ambiguities only underscore the need for review of the opinion.
Update, 7/25: The court has now amended its opinion to clarify that the surveillance was conducted at the ISP's facilities, not on the defendants' computer. We still think the decision is wrong that the Internet data seized by the government was not protected by the Fourth Amendment, regardless of where the surveillance was conducted, but we're glad the court clarified that it was not endorsing warrantless computer intrusions by the government.