EINSTEIN and the Fourth Amendment

Overview

There is no doubt that EINSTEIN's monitoring of all communications coming to and from federal agency computers poses significant privacy implications — a concern acknowledged by the Department of Homeland Security (DHS), interest groups, academia, and the general public.^[1] This program affects not only federal employees, but also any private citizen who communicates with them. DHS has developed a set of procedures to address these concerns, such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, growth of this Internet monitoring program may trigger privacy interests protected under the Fourth Amendment.

The Fourth Amendment provides in relevant part: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...." The principal purpose of the Fourth Amendment is to protect the privacy of individuals against invasion from government officials.^[2]. Not all government acts, however, trigger Fourth Amendment protections. For the Fourth Amendment to apply, a court must first inquire whether the governmental act constitutes a search or seizure in the constitutional sense.^[3] To determine if a search has occurred, a court will ask whether the individual had an actual expectation of privacy that society would deem reasonable.^[4] If yes, the court will then ask if the search was reasonable — the core Fourth Amendment requirement.^[5] Except in well-defined instances, a search is not reasonable unless the government obtains a warrant based upon probable cause.^[6] There are, however, exceptions to this rule such as special needs and consent that will be explored below.

There seems to be a consensus in federal courts that Internet users are not entitled to privacy in the non-content, routing information of their Internet communications.^[7] In United States v. Forrester,^[8] the government obtained court permission to install a device similar to a pen register to record the to/from addresses of the defendant's emails, the IP addresses of the sites he visited, and the total volume of data sent to and from his account. The Ninth Circuit Court of Appeals held that these surveillance techniques were indistinguishable from the pen register upheld by the U.S. Supreme Court in Smith v. Maryland. Internet users should be aware, the panel reasoned, that this routing information is provided to the Internet service provider for the purpose of directing the information.^[9]

On the other hand, the cases generally demonstrate that an individual has a legitimate expectation of privacy in the content of a communication. In United States v. Warshak,^[10] the Ninth Circuit ruled that a "subscriber enjoys a reasonable expectation of privacy in the contents of emails that are stored with, or sent or received through, a commercial ISP."^[11] In an earlier case, the Second Circuit opined that Internet users have an expectation of privacy in the content of the e-mail while in transmission.^[12] Although the Supreme Court declined to resolve this issue in City of Ontario v. Quon,^[13] deciding the case on other grounds, it opined in dicta that "cell phones and text message communications are so pervasive that some persons may consider them to be an essential means or necessary instruments for self-expression, even self-identification. That might strengthen the case for an expectation of privacy."^[14]

This content/non-content distinction is as old as Fourth Amendment case law. In the late nineteenth century, the Court explained in Ex parte Jackson^[15] that the outside of a mailed letter — its "outward form and weight" — was not entitled constitutional protection.^[16] However, the government must obtain a warrant before examining the contents of a letter or sealed package.^[17]The Court protected the inside contents of the letter, but held that the outside, non-content material was not entitled to (in modern parlance) a reasonable expectation of privacy. This same rule was carried over to the telephone context. In Katz v. United States, the Court held that the contents of Katz's conversation — the actual words spoken — were protected under the Fourth Amendment.^[18] A decade later the Court completed the other side of the doctrine in Smith v. Maryland, and held that a person has no expectation of privacy in the non-content, routing information of the telephone call — the numbers dialed.^[19]

EINSTEIN 2 not only collects the routing, non-content portions of communications, such as e-mail header information, but also scans and collects the content of the communications, such as the body of e-mails.^[20] Based on the reasoning of the Internet content cases, individuals most likely have a reasonable expectation of privacy in those electronic communications.^[21] The EINSTEIN program requires a Fourth Amendment inquiry into two discrete classes of individuals: (1) federal agency employees who access federal networks while at work; and (2) private persons who either contact a federal agency directly or who communicate via the Internet with a federal employee.^[22] The Fourth Amendment rights of the former primarily rest on cases dealing with privacy in the workplace and consent, while the latter requires a broader look at privacy and electronic communications.

Monitoring communications from federal employees

As work and personal lives can become enmeshed, many employees are accessing not only work e-mail while on the clock, but also personal e-mails. EINSTEIN monitors not only federal executive agency employees' work e-mails or other official Internet activity, but also any information accessed on a federal agency computer including personal e-mails accessed from sites such as Gmail or Hotmail, or other Internet communications such as Facebook and Twitter. This poses several Fourth Amendment issues.

In City of Ontario v. Quon,^[23] the Supreme Court upheld under the Fourth Amendment the city's search of text messages sent on a city-issued pager by a police officer employed by that city.^[24] Before issuing the pagers, the city had announced a usage policy that informed the officers that the city reserved the right to monitor the use of the pager including e-mail and Internet use, with or without notice to the employee.^[25] The Court assumed without deciding that the employee had a reasonable expectation of privacy in the sent text messages, that the review of text messages constituted a search, and that the same rules that apply to a search of an employee's office apply equally to an intrusion into his electronic communications.^[26] Further, the Court declined to decide which Fourth Amendment employment-based test from O'Connor v. Ortega applied — the plurality's "operational realities" test that looked at the specific facts of the employment situation on a case-by-case basis, or Justice Scalia's private employment equivalence test — because the Court decided the case on narrower grounds.^[27]

The Court instead relied on the "special needs" doctrine to the warrant requirement, which holds that in certain limited instances a government employer need not get a warrant to conduct a search. When a government employer conducts a warrantless search for a "non-investigatory, work-related purpose," it does not violate the warrant requirement if it is "justified at its inception and if the measures are reasonably related to the objective of the search and not excessively intrusive in light of the circumstances giving rise to the search."^[28] In the Court's judgment, the city had a "legitimate work-related rationale," and the scope of the search was reasonable and not "excessively intrusive."^[29]

Like the city communication policy in Quon, as a condition of enrolling in EINSTEIN 2, each federal agency is required to enter into an agreement with DHS that certifies that certain log-on banners or computer user agreements are used to ensure employees are aware of and consent to the monitoring, interception, and search of their communications on federal systems.^[30] Applying the "operational realities" test from O’Connor, the Department of Justice's Office of Legal Counsel posits that use of the log-on banners on all federal computers will eliminate any expectation of privacy in communications transmitted over those systems.^[31]

Professor Orin Kerr takes a different approach, treating the terms of service of an Internet service contract — the equivalent to a log-on banner — as consent rather than an outright elimination of a reasonable expectation of privacy.^[32] Under either approach, the conclusion reached is likely the same — the monitoring is in all likelihood reasonable.^[33] However, Quon was limited to searches for a "noninvestigatory work-related purpose."^[34] If EINSTEIN could be construed as overreaching this permissible purpose, say, by scanning e-mails for unlawful activity instead of simply malicious computer activity, a court may find its scope beyond Quon's holding.

Further, Quon insisted that these work-related investigations not be "excessively intrusive."^[35] A reasonable argument could be made that monitoring the content of every employee communication is excessively intrusive.

Additional questions remain. For instance, what is the scope of a non-investigatory, work-related purpose? Does scanning for malicious activity qualify as a work-related purpose? Does United States v. Jones's physical intrusion test apply here where the employee's electronic papers and effects are being scanned?^[36] Because no court has confronted a program like EINSTEIN, answers to these questions are unclear.

Monitoring communications from private persons to federal employees

EINSTEIN not only monitors the computer activity of federal agency employees, but also any communications sent by a private person to a federal employee on his governmental e-mail or personal e-mail. One may argue that these concerns are more serious than in the employment context, on the theory that there is neither a presumption that an individual's privacy rights are diminished nor has the private actor consented to monitoring by clicking on a log-on banner or user agreement that would inform him of the privacy implications of his communication.

Some would argue that the third-party doctrine permits EINSTEIN's monitoring of private parties.^[37] Traditionally, there has been no Fourth Amendment protection for information voluntarily conveyed to a third-party.^[38] It should be noted that in United States v. Jones, Justice Sotomayor opined that it "may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties."^[39] This doctrine dates back to the "secret agent" cases, in which any words uttered to another person, including a government agent or informant, were not covered by the Fourth Amendment.^[40] Because federal employees have agreed to permit governmental monitoring of their communications, the Office of Legal Counsel (OLC) argues they are permitting ex ante surveillance of all their communications, including those from private persons to the federal employee's personal e-mail.^[41]

However, the third-party cases have traditionally applied only to non-content information. In Smith v. Maryland, the Court noted that pen registers only disclose the telephone numbers dialed: "[n]either the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers."^[42] The case rested on the devices "limited capabilities."^[43] The Ninth Circuit borrowed this reasoning in Forrester, where the panel distinguished "mere addressing" in an e-mail such as the to/from line, from "more content-rich information" such as the text in the body of an e-mail.152 And as noted in United States v. Warshak, people still should expect privacy in the content of their telephone calls despite the ability of an operator to listen.153 Further, the Supreme Court has noted that “the broad and unsuspected governmental incursions into conversational privacy which electronic surveillance entails necessitate the application of Fourth Amendment safeguards."154 These cases severely diminish the argument that the third-doctrine permits absolute access to private communications. Instead, it could be reasonable to conclude from these cases that the third-party doctrine would permit access to the routing information of Internet communications, but might not go so far as to allow monitoring of the content of those communications.

Additionally, the OLC contends that under the “secret agent” cases the government can monitor private communications even if the sender is unaware that the recipient is a federal employee or did not anticipate that the communication would be opened on a federal computer.155 The “secret agent” cases generally hold that “when a person communicates to third-party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities.”156 Because these cases do not limit the instances this rule can be applied, it seems reasonable that they can be applied to EINSTEIN.

Alternative to traditional warrant requirement

Assuming both federal employees and those communicating with them have a reasonable expectation of privacy in the contents of their communications, EINSTEIN must be tested under the general reasonableness requirement of the Fourth Amendment. A search is generally unreasonable without a warrant or some individualized suspicion.157 However, under the “special needs exception” cases, the Court has held that when there are special governmental needs, beyond normal law enforcement, the government may need neither a warrant nor any level of individualized suspicion.158 To determine whether the special needs exception applies, the Court balances the individual’s privacy expectations against the governmental interest at stake.159 This rule has been used to support certain police searches at checkpoints such as sobriety roadblocks,160 border searches,161 and checkpoints looking for a witness to a crime.162 However, the Court did not permit a drug interdiction checkpoint when the “primary purpose was to detect evidence of ordinary criminal wrongdoing.”163

Here, an argument could be made that the nature of cybersecurity and the impracticability of obtaining a warrant might justify application of the special needs doctrine to the EINSTEIN program.164 The ostensible primary purpose of the program’s cybersecurity measures is not for ordinary law enforcement needs, but instead to protect the critical infrastructure of the nation. Moreover, the government will need to act quickly if the program is to be feasible.165 It could also be argued, however, that unless the threat required immediate review, a government agency should obtain a warrant based upon probable cause to review personally identifiable information, or, at a minimum, review the communications in a redacted format that includes only the threat information and no personally identifiable information.166 As one commentator noted, it is nearly impossible to predict what is reasonable without knowing the severity of the cybersecurity threat and the exact measures taken to meet it.167

Privacy and civil liberties oversight

In addition to the Fourth Amendment, there may be other mechanisms for protecting the privacy of Internet users. Indeed, the Constitution is only the floor for privacy protections. In many instances, Congress and state legislatures have created privacy protections beyond what is protected under their respective constitutions. These include statutes such as the Electronic Communications Privacy Act168 and the Privacy Act of 1974.169

As to existing privacy protections, EINSTEIN has several privacy safeguards. For example, federal agencies are required to post notices on their websites that computer security information is being collected.170 The computer programs recording network flow records strip down the information so that minimal content information is exposed.171 Further, only the raw computer network traffic that contains malicious activity is viewed by DHS personnel; any “clean” traffic is promptly deleted from the system.172 Information is only collected when it relates to an actual cyber threat.173 Analysts handling the monitored communications are given privacy training on an annual basis.174 These privacy protections are handled internally within DHS.

Jack Goldsmith, former head of the Office of Legal Counsel, has proposed a system of four oversight mechanisms similar to the Foreign Intelligence Surveillance Court175 to ensure the reasonableness of the searches under EINSTEIN: (1) independent ex ante scrutiny to ensure that the governmental procedures stay within their statutory authority; (2) privacy protections such as minimization procedures, also subject to ex ante judicial review; (3) ex post oversight mechanisms, in which the Attorney General and the Director of National Intelligence report to Congress every six months regarding privacy compliance and the inspectors general from each agency also report to Congress on a yearly basis; and (4) a sunset provision requiring Congress to reapprove the regime four years into operation.176

Others have proposed there be some form of independent oversight beyond DHS’s privacy office.177 Additionally, there are proposals that content of communications not be shared with law enforcement officials or used in any non-cyber crime investigation, unless the data was obtained as part of a legitimate cybersecurity threat.178

References

1. See, e.g., Privacy Compliance Review of the EINSTEIN Program. See also The Constitution Project, Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy (2012) (full-text); Jack Goldsmith, The Cyberthreat, Government Network Operations, and the Fourth Amendment (2010) (full-text).
2. Camara v. Municipal Court, 387 U.S. 523, 528 (1967) (full-text).
3. Kyllo v. United States, 533 U.S. 27, 32-33 (2001) (full-text).
4. This formulation for determining whether a search of seizure occurred derives from Justice Harlan’s concurrence in Katz v. United States, 389 U.S. 347, 361 (1967) (full-text) (Harlan, J., concurring).
5. Texas v. Brown, 460 U.S. 730, 739 (1983) (full-text).
6. Mincey v. United States, 437 U.S. 385, 390 (1978) (full-text). Probable cause has been defined as "the facts and circumstances within the officers' knowledge and of which they had reasonably trustworthy information are sufficient in themselves to warrant a man of reasonable caution in the belief that an offense has been or is being committed." Brinegar v. United States, 338 U.S. 160, 175 (1948) (full-text).
7. United States v. Forrester, 512 F.3d 500, 511 (9th Cir. 2007) (full-text) (holding no reasonable expectation of privacy in the to/from line addresses of e-mails and IP addresses of websites visited); United States v. Christie, 624 F.3d 558, 574 (3rd Cir. 2010) (full-text) (holding no reasonable expectation of privacy in IP address); United States v. Perrine, 518 F.3d 1196, 1205 (10th Cir. 2008) (full-text) (holding no reasonable expectation of privacy in Internet subscriber information given to an Internet service provider).
8. 512 F.3d at 510.
9. Forrester, 512 F.3d at 510.
10. 631 F.3d 266 (6th Cir. 2010) (full-text) (internal quotation marks omitted).
11. Id. at 287.
12. United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (full-text).
13. 130 S. Ct. 2619 (2010) (full-text).
14. Id. at 2630.
15. 96 U.S. 727 (1878) (full-text).
16. Id. at 133.

17. “

    The constitutional guaranty of the right of the people to be secure in their papers against unreasonable searches and seizures extends to their papers, thus closed against inspection, wherever they may be. Whilst in the mail, they can only be opened and examined under like warrant, issued upon similar oath or affirmation, particularly describing the thing to be seized, as is required when papers are subjected to search in one's own household. No law of Congress can place in the hands of officials connected with the postal service any authority to invade the secrecy of letters and such sealed packages in the mail; and all regulations adopted as to mail matter of this kind must be in subordination to the great principle embodied in the fourth amendment of the Constitution. Id.

    ”

18. 389 U.S. 347, 359 (1967) (full-text).
19. 442 U.S. 735, 745-46 (1979) (full-text).
20. Privacy Impact Assessment: Initiative Three Exercise, at 5.
21. See Legal Issues Relating to the Testing, Use, and Deployment of an Intrusion-Detection System (EINSTEIN 2.0) to Protect Unclassified Computer Networks in the Executive Branch, 33 Op. O.L.C. 1, 11 (2009) (full-text) [hereinafter Legal Issues Relating to EINSTEIN 2.0].
22. There is also a third category of cases: where a federal employee sends a communication while on the federal network to a private person. Because the principles that apply to communications from a private person to a federal employee are the same as the principles that apply to communications from a federal employee to a private person, these two categories are discussed jointly.
23. 560 U.S. 746 (2010). For an in-depth treatment of Quon, see Public Employees’ Right to Privacy in Their Electronic Communications: City of Ontario v. Quon in the Supreme Court.
24. Id..
25. Id. at 2625.
26. Id. at 2630.
27. Id.
28. Id. at 2631.
29. Id. (internal citations omitted).
30. Legal Issues Relating to EINSTEIN 2.0, at 11.
31. Id. at 32-33.
32. See Orin Kerr, "Applying the Fourth Amendment to the Internet: A General Approach," 62 Stan. L. Rev. 1005, 1031) (2010).
33. The Constitution Project, "Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy" (2012) (full-text).
34. Quon, 560 U.S. 746.
35. Id.
36. Another possible approach is that taken in United States v. Jones, in which the Court held that a physical intrusion into a constitutionally protected area — there, the defendant's car (an effect — coupled with an attempt to obtain information, was a Fourth Amendment search. If a court concluded that an e-mail is a paper (or packet of data, an effect), protected under the Fourth Amendment's catalog of protected areas (persons, houses, papers, and effects), the Jones physical intrusion analysis may call into question whether EINSTEIN's surveillance is constitutionally permissible.
37. Legal Issues Relating to EINSTEIN 2.0, at 35-36 (citing Smith v. Maryland.
38. See, e.g., United States v. Miller, 425 U.S. 435 (1976), holding that financial statements and deposit slips transmitted to a bank were not protected from police inquiry because they had been turned over to a third party); Smith, 442 U.S. 735.
39. United States v. Jones, 565 U.S. at ___ (Sotomayor, J., concurring in the judgment and the opinion).
40. See, e.g., United States v. White, 401 U.S. 745, 750 (1971) (holding that the Fourth Amendment "affords no protection to a wrongdoer's misplaced belief that a person to whom he voluntarily confides his wrongdoing will not reveal it.") (internal quotation marks omitted).
41. Legal Issues Relating to EINSTEIN 2.0, at 36-37.
42. Smith, 442 U.S. at 741 (quoting United States v. New York Tel. Co., 434 U.S. 159, 167 (1977) (full-text)).
43. Id. at 742.

Source

• Cybersecurity: Selected Legal Issues, at 15-23.