June 18, 2008 | By Jennifer Granick

New Ninth Circuit Case Protects Text Message Privacy From Police and Employers

Today’s Ninth Circuit Court of Appeals opinion in Quon v. Arch Wireless is a victory for the privacy of email and text messages. The holding means that law enforcement needs a probable cause warrant to access stored copies of your electronic messages less than 180 days old, regardless of whether you have already downloaded or read them. It also stops employers from getting the contents of employee emails or text messages from the service provider without employee consent.

In Quon, the City of Ontario Police Department provided its officers with two-way alphanumeric pagers. The officers were informed that it was a violation of City policy to use the pagers for personal matters. The City reserved the right to audit the messages. Employees were also informed that if they exceeded the monthly character limit set by the provider, that they would be responsible for paying the resulting additional charges. Officer Quon used his pager to send both business and personal messages, including messages to the other plaintiffs. He went over his monthly limit. Despite the formal usage policy, Quon was told that the informal policy and practice was that if he paid the overage fees, his messages would not be audited. Quon paid those fees several months in a row. At some point, the Department decided that it wanted to audit officers’ messages. It asked the text provider, defendant Arch Wireless, to deliver the contents of officers’ text messages to it. Because the City was the subscriber on the account, Arch printed out copies of the messages and delivered them to the City. Quon’s personal messages with the other plaintiffs were included in the printouts. Quon and his correspondents sued Arch for violating the Stored Communications Act and the City for violating the Fourth Amendment.

The Ninth Circuit held that Arch violated the SCA when it disclosed the contents of the text messages to the subscriber, the City, without the permission of the users. At issue was whether Arch was an Electronic Communications Service (ECS) holding the messages in “electronic storage”, or a Remote Computing Service (RCS), storing the messages on behalf of the subscriber. Messages held by an ECS receive a lot of privacy protection. An ECS is prohibited from disclosing the contents of communications without either a probable cause warrant obtained by law enforcement or consent from the “addressee or intended recipient”. Messages held by an RCS receive less privacy protection. An RCS is prohibited from disclosing the contents of communications without the consent of the subscriber. Law enforcement does not need a warrant to get messages from an RCS. It can use a mere subpoena or “specific and articulable facts” court order to get message contents from an RCS.

Arch regularly archived messages sent to and from its pagers. If Arch was an ECS holding those messages in “electronic storage”, then it was prohibited from disclosing the messages without consent from Quon, the addressee. If Arch was an RCS, then it may disclose the messages with consent from the subscriber, in this case the City, which they did.

In the past, the Department of Justice and others have argued that once a recipient accesses his messages, whether they be email or texts, the message is no longer in “electronic storage” as the SCA defines it. The message loses the higher protection granted to communications held by an ECS. The Ninth Circuit rejects this view in Quon. It looks to its ruling in Theofel v. Farey-Jones, which held that e-mails stored on an email providers servers for backup protection after delivery to the recipient— were in “electronic storage” under the statute and received ECS protection. In Theofel, the Court stated that “[w]here the underlying message has expired in the normal course, any copy is no longer performing any backup function. An ISP that kept permanent copies of temporary messages could not fairly be described as ‘backing up’ those messages.” We have wondered how to apply the “expired in the normal course” language, and this opinion makes it clear. If the archived message was created as a backup copy of an electronic communication sent through an ECS, that copy continues to receive ECS protection.

This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.

The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.

One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.

Finally and impressively, the Court gave real teeth to the “reasonableness” inquiry under the Fourth Amendment. In this case, the Department’s access was regulated by the Fourth Amendment because it is a government employer. (Note that the first part of the ruling involving privacy rights under the SCA does not depend on whether the employer is public or private.) However, a jury found that the Police Department read the plaintiffs’ messages for the non-disciplinary purpose of learning whether continued overages meant it needed a more extensive service plan from Arch. This was a legitimate, non-law enforcement purpose. Nevertheless, the Court found that there were less intrusive means of learning this than reading employees’ text messages. Because government employers are required to use less intrusive means if feasible, the Department’s actions here violated the Fourth Amendment.

The holding that text messages and email are protected by the Fourth Amendment is an immensely important one which gives the victims of unlawful searches the ability to suppress illegally obtained evidence. It protects the privacy of employees who use a messaging service paid for by their company. It also calls into question the SCA’s disparate treatment of messages younger and older than 180 days, though the opinion does not directly address that issue. Finally, this opinion does not simply defer to a government employer’s judgment about what is reasonable where communications privacy is at stake, but actually requires a more privacy friendly course where feasible.

Professor Orin Kerr also has commentary about this opinion up on The Volokh Conspiracy. To read his thoughts, click here.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

América Latina: Ciberseguridad desde la perspectiva argentina, por @ADC_derechos [PDF] https://eff.org/r.pubs

Nov 24 @ 2:01pm

"I’ve come to see encryption as the natural extension a computer scientist can give a democracy" says @kaepora: https://nadim.computer/2015/1...

Nov 24 @ 11:38am

Pakistan's terrible cybercrime bill will be rushed through Parliament soon. Tell lawmakers just how bad it is: https://act.eff.org/action/st...

Nov 23 @ 10:01pm
JavaScript license information