Internet Service Providers' Access to e-Mail Content Is Not an Invasion of Privacy

By Jonathan Bick
December 27, 2011

e-Mail and privacy are cornerstones of online commerce that successful e-commerce firms spend significant capital to operate properly, efficiently and legally.

e-Commerce counsel should bear in mind, however, that the e-mail-content protection that some parties may enjoy against government and private access does not extend to certain entities that process e-mail.

Thus, an Internet service provider (ISP) can legally search the e-mail that it processes. ISPs may lawfully search the content of users' e-mails for many purposes, including:

  • Assisting law enforcement;
  • Ensuring compliance with the ISP's terms-of-use agreement; and
  • Protecting the ISP from legal difficulties.

These purposes are but a few, and such activities do not currently constitute an invasion of an e-mail user's privacy.

An ISP may process (and, hence, read) e-mails containing medical, legal and other information that the sender may desire to keep confidential. The Internet's protocol of passing e-mails through many computers, each of which copies (but does not necessarily delete) those e-mails, may result in access to confidential information by third parties simply because the Internet, when used as a communication system, is not designed to protect content privacy.

The Hinge: Expectation

The Fourth Circuit in United States v. Richardson, 607 F.3d 357 (2010) (in child pornography case, AOL did not act as agent or instrument of government when it detected illegal images attached to defendant's e-mail transmissions through its internal security scanning programs, which it reported pursuant to federal statute to National Center for Missing and Exploited Children) found that the question of whether someone has a reasonable expectation of privacy in the content of his or her e-mail can be complex and difficult to answer. However, this is not based on whether people actually expect their e-mail content to remain private, but on the fact that e-mail's role in society hasn't yet become crystal clear.

But due to an increasing understanding of the Internet, and the greater use and enforcement of terms-of-use agreements that specifically state that ISPs are allowed to read the e-mail they process, the current reasoning is that Internet users have no reasonable expectation of privacy for their e-mail. Without an expectation of privacy, courts will not find such a right to such privacy.

Open to Third Parties

e-Mail users who understand that Internet protocol allows access by unauthorized third parties, then, abandon their expectation of e-mail privacy, per se. These e-mail users know that Internet protocol requires use of the “store-and-forward” model. They understand that typically, e-mails are sent to several intermediaries, including two ISPs (one for the sender and one for the recipient). These circumstances being present means that knowledgeable e-mail users have no expectation of e-mail privacy; hence, their privacy cannot be violated by ISP access in the due course of processing their e-mail.

Legal Bases for Access

Court rulings and contract law are the legal bases for divesting all other Internet users of their expectation of e-mail privacy. For instance, such cases as United States v. Vaghari, 653 F.Supp.2d 537 (2009), and Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (2008), contain detailed descriptions of Internet e-mail protocol. These and other cases have uniformly held that the e-mail headers specifically, and e-mail generally, do not enjoy Fourth Amendment protection when in the possession of a third party, such as an ISP.

Additionally, in order to reduce an ISP's secondary liability, most ISP terms-of-use agreements explicitly require e-mail users to abandon their expectation of e-mail privacy. Such agreements directly state that the ISP may access a user's e-mail for a host of reasons.

It should be noted, however, that not all e-mail may be accessed by an ISP. For example, normally, if an e-mail exists solely in the sender's or recipient's computer, an ISP cannot physically (or lawfully) access it, and governmental access is limited by the Fourth Amendment. However, if a copy of an e-mail is stored on an ISP's computer, then it is accessible legally and physically by the ISP and, possibly, by the government.

An e-mail sent using a post office protocol (POP) program is generally saved on the sender's and on the recipient's computer. Once the POP program has been executed, it is unusual for an ISP to have access to the e-mail that it processed. However, e-mail systems such as Gmail use an interactive message access protocol (IMAP) program that saves the e-mail on the ISP's computer. Such e-mail is accessible legally and physically by the ISP, even after the completion of the IMAP process.

IMAP ISPs are currently free to access that e-mail on their own and turn it over to law enforcement. Privacy laws and the Fourth Amendment limitation are not applicable because the ISP is an authorized third party.

It is generally accepted that the extent to which law enforcement can obtain e-mail content is strictly circumscribed, but due to the ISP agreement and the lack of an expectation of privacy, ISP access and use of e-mail content is virtually unlimited. Additionally, ISPs can restrict speech via e-mail processing with near impunity.

CDA Applications, Private Actors

In addition to contract and expectation-related immunities, ISPs in the United States enjoy freedom from liability for the actions of third parties who use their networks because they are treated as telecommunication providers by the Communications Decency Act of 1996 (CDA), 47 U.S.C. § 230. Also, as found by the court in United States v. Forrester, 495 F.3d 1041 (2007), ISPs are private actors that are not subject to constitutional restrictions.

An ISP may even lawfully block an e-mail transmission based on reading its content. Just as other private Internet facilitators, including PayPal, Amazon, MasterCard and Visa, dropped their services to Wikileaks, an ISP may choose to whom it wishes to provide service. Computer programs, sometimes called “Net Nannies,” make it possible to search the content of each e-mail sent over a network and to prevent its transmission without a noticeable change in service level.

Security Concerns

It should be noted that ISPs need the ability to read the e-mail content they process in order to manage and secure their networks. In particular, ISPs need the ability to determine how much data there is to be transferred, where it's coming from, where it's going and whether any viruses, worms, bots or other malware are contained in the e-mail they process.

An ISP without the capability to search the content of the e-mail it processes could not inhibit spam or divert it to users' spam folders, nor could it detect and limit child pornography or comply with certain law enforcement requests. Without e-mail search capability, ISPs also could not, for example, find and report potential national security threats or criminal conduct, such as “violent jihad” or “money laundering.”

Conclusion

Technology also provides an alternative to existing so-called naked e-mails. While an ISP can efficiently read e-mails, the same is not true for reading attachments or encrypted e-mails. Searching e-mail attachments and encrypted e-mails is time-consuming and costly.

Additionally, e-mail users can have a reasonable expectation that an attachment or encrypted e-mail will be private.

Thus, privacy difficulties may be overcome by companies and other concerned parties using relatively simple existing technological solutions, a tack that could lead e-commerce companies and others down a path of safety instead of one fraught with problems and costs.
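As an added illustration (not part of the original article), the Python sketch below takes a constructed message and lists the store-and-forward hosts that held a copy, as described under "Open to Third Parties," and then shows which parts a processing intermediary can read and which are sealed by encryption. All host names, addresses and message content are assumptions made up for the example; only the standard library is used.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: every host, address and body line is made up.
RAW = """\
Received: from mx.recipient-isp.example (mx.recipient-isp.example [203.0.113.20])
\tby store.recipient-isp.example with ESMTP id C3; Tue, 27 Dec 2011 10:00:09 -0500
Received: from out.sender-isp.example (out.sender-isp.example [198.51.100.7])
\tby mx.recipient-isp.example with ESMTP id B2; Tue, 27 Dec 2011 10:00:05 -0500
Received: from laptop.local (client.example [192.0.2.44])
\tby out.sender-isp.example with ESMTPSA id A1; Tue, 27 Dec 2011 10:00:01 -0500
From: alice@sender-isp.example
To: bob@recipient-isp.example
Subject: Lab results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your test came back negative.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.pgp"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def hops(msg):
    """Hosts that accepted (and so held a copy of) the message, oldest first."""
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+(\S+)", value)
        if m:  # each relay prepends its own Received line, so reverse = time order
            stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
            out.append((m.group(1), stamp))
    return out

def visible_to_intermediary(msg):
    """What a host processing the message can read: headers always, bodies unless sealed."""
    view = {"headers": {k: msg[k] for k in ("From", "To", "Subject")}, "parts": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True).decode("ascii", "replace").strip()
        sealed = "-----BEGIN PGP MESSAGE-----" in body  # OpenPGP ASCII armor marker
        view["parts"].append({"type": part.get_content_type(),
                              "filename": part.get_filename(),
                              "readable": None if sealed else body})
    return view

MSG = message_from_string(RAW)
```

Calling `hops(MSG)` and `visible_to_intermediary(MSG)` shows three hosts holding a copy, with the headers and the plain-text body readable at each of them while the encrypted attachment is not.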


Jonathan Bick is of counsel at Brach Eichler in Roseland, NJ. He is also an adjunct professor at Pace and Rutgers law schools, and the author of 101 Things You Need to Know About Internet Law (Random House 2000). He can be reached at [email protected].
