The IT Law Wiki

Overview[]

Under current law, to establish a reasonable expectation of privacy a person must establish two things: that the individual had a subjective expectation of privacy; and that that subjective expectation of privacy is one that society is prepared to recognize as reasonable.[1] If either element is missing, no protected interest is established.

To support this privacy analysis, the Supreme Court has created a hierarchy of privacy interests:

First, expectations of privacy that "society is 'prepared to recognize as legitimate' have, at least in theory, the greatest protection.[2]
Second, diminished expectations of privacy are more easily invaded.[3]
Third, subjective expectations of privacy that society is not prepared to recognize as legitimate have no protection.[4]

No bright line rule indicates whether an expectation of privacy is constitutionally reasonable.[5] For example, the Supreme Court has held that a person has a reasonable expectation of privacy in property located inside a person’s home,[6] in conversations taking place in an enclosed phone booth,[7] and in the contents of opaque containers.[8] In contrast, a person does not have a reasonable expectation of privacy in activities conducted in open fields,[9] in garbage deposited at the outskirts of real property,[10] or in a stranger’s house that the person has entered without the owner’s consent in order to commit a theft.[11]

"Reasonable expectations of privacy arise from 'a source outside of the 4th Amendment, either by reference to concepts of real or personal property law or to understandings that are recognized and permitted by society.'"[12]

Impact of technology on the expectation of privacy[]

Electronic surveillance is dramatically shrinking the locations and activities in which one has a recognized expectation of privacy. Techniques that derive information from an individual's body fluids, body structure, mental habits, voice timbre, eye motions, temperature change, and scores of other non-controllable attributes generate knowledge about past behavior, allow monitoring and measurement of present activities, and may make possible predictions about future performance. We can electronically monitor criminals, or persons awaiting trial, in their homes. We can call up information about one person from a multitude of government or commercial databases, compare and integrate it and, in effect, reveal new information about that person without their knowledge.

While information has immense benefits and capabilities to improve our lives both individually and as a Nation, it also has dangers. Information about a person is potentially a means of influencing and controlling that person. Information challenges traditional sources of authority and institutions built on that authority. Experience, training, and education may be rendered useless by new information. Information can also erode responsibility: what was once considered a sin to be condemned or a crime to be punished may, with fuller knowledge, appear to some as an illness to be treated or a genetic defect to be repaired. This perception can lead to imposingly difficult questions about the limits on social engineering in the context of constitutional values of personal freedom and privacy.

It is for these reasons that information, and the electronic, chemical, biological, and social technologies that generate and give access to it, often affect constitutional relationships that we are accustomed to think of as political, economic, or legal in nature. constitutional relationships deal with power, with limitations on power, and with the balance between them. Directly or indirectly, information often generates that power, informs its limitations, or affects their proper balance.

Online communications[]

Computer users lack a legitimate expectation of privacy in information regarding the to/from addresses for e-mails, the IP addresses of websites visited, the total traffic volume of the user, and other addressing and routing information conveyed for the purpose of transmitting Internet communications to or from a user.[13] E-mail addresses and IP addresses provide addressing and routing information to an Internet service provider (ISP) in the same manner as a telephone number provides switching information to a telephone company.[14] Just as a telephone user has no objectively reasonable expectation of privacy in telephone numbers voluntarily turned over to the phone company to enable switching of a phone call, an Internet user has no such expectation of privacy in routing information submitted to an ISP in order to deliver an Internet communication.[15] That routing information also is akin to the addressing information written on the outside of a first-class letter, which also is not constitutionally protected.[16]

With respect to information regarding the total volume of data received and transmitted by an Internet user, that information is no different from the information produced by a pen register regarding the number of incoming and outgoing calls at a particular phone number; and the Supreme Court has long held that an individual has no legitimate expectation of privacy in such information, which already has been exposed to a telecommunications carrier for the purpose of routing a communication.[17]

With respect to the content of an Internet communication (such as an e-mail), a computer user generally has a legitimate expectation of privacy in that content while it is in transmission over the Internet. To date, the federal courts appear to agree that the sender of an e-mail, like the sender of a letter via first-class mail, has an objectively reasonable expectation of privacy in the content of a message while it is in transmission.[18] In United States v. Maxwell,[19] the court addressed e-mail privacy:

E-mail transmissions are not unlike other forms of modern communication. We can draw parallels from these other mediums. For example, if a sender of first-class mail seals an envelope and addresses it to another person, the sender can reasonably expect the contents to remain private and free from the eyes of the police absent a search warrant founded upon probable cause. However, once the letter is received and opened, the destiny of the letter then lies in the control of the recipient of the letter, not the sender, absent some legal privilege.[20]
Drawing from these parallels, we can say that the transmitter of an e-mail message enjoys a reasonable expectation that police officials will not intercept the transmission without probable cause and a search warrant. However, once the transmissions are received by another person, the transmitter no longer controls its destiny. In a sense, e-mail is like a letter. It is sent and lies sealed in the computer until the recipient opens his or her computer and retrieves the transmission. The sender enjoys a reasonable expectation that the initial transmission will not be intercepted by the police. The fact that an unauthorized "hacker" might intercept an e-mail message does not diminish the legitimate expectation of privacy in any way.[21]
Expectations of privacy in e-mail transmissions depend in large part on the type of e-mail involved and the intended recipient. Messages sent to the public at large in the "chat room" or e-mail that is "forwarded" from correspondent to correspondent lose any semblance of privacy. Once these transmissions are sent out to more and more subscribers, the subsequent expectation of privacy incrementally diminishes. This loss of an expectation of privacy, however, only goes to these specific pieces of mail for which privacy interests were lessened and ultimately abandoned.[22]

Federal courts agree that, again like the sender of a first-class letter, an individual has a "diminished" expectation of privacy in the content of an e-mail that "ha[s] already arrived at the recipient."[23]

Government employees[]

The U.S. Supreme Court has rejected the contention that public employees "can never have a reasonable expectation of privacy in their place of work."[24] "Individuals do not lose Fourth Amendment rights merely because they work for the government instead of a private employer."[25] Nevertheless, there are reasons to doubt that a government employee has a legitimate expectation of privacy in the content of his Internet communications made using government-owned information systems.

Although an individual generally possesses a legitimate expectation of privacy in his own personal computer,[26] it is less clear that a government employee has a legitimate expectation of privacy in Internet communications he makes using a computer that is the property of the U.S. Government, provided by the taxpayers for his use at work.[27] A government employee lacks an ownership or other property interest in the computer he uses at work; and he especially lacks any such interests in the network infrastructure that the Government provides to enable its employees to access the Internet, which, unlike his personal computer, ordinarily is not within his day-to-day control.

As a general matter, however, the Supreme Court has held that there may be circumstances in which a government employee has a legitimate expectation of privacy in the contents of governmental property that the employee uses or controls at work, such as an office or a locked desk drawer.[28] And the Court also has made it clear that property interests are not conclusive regarding the legitimacy of an individual's expectation of privacy.[29]

Instead, whether, in a particular circumstance, a government employee has a legitimate expectation of privacy in his use of governmental property at work is determined by "[t]he operational realities of the workplace" and "by virtue of actual office practices and procedures, or by legitimate regulation."[30]

Use of log-on banners and computer-user agreements[]

Although the U.S. Supreme Court has not addressed the issue, the federal courts of appeals have held that the use of log-on banners or computer-user agreements, can eliminate any legitimate expectation of privacy in the content of Internet communications on an employer's computer system. For example, in United States v. Simons,[31] the computer-use policy at the Foreign Bureau of Information Services ("FBIS"), a division of the Central Intelligence Agency, expressly noted that FBIS would "audit, inspect, and/or monitor" employees' use of the Internet, "including all file transfers, all websites visited, and all e-mail messages, 'as deemed appropriate.'"[32] The Fourth Circuit held that this policy "placed employees on notice that they could not reasonably expect that their Internet activity would be private" and that, "in light of the Internet policy, Simons lacked a legitimate expectation of privacy" in his use of the Internet at work.[33]

Likewise, in United States v. Angevine,[34] the Tenth Circuit held that a professor at a state university had no reasonable expectation of privacy in his Internet use in light of a broadly worded computer-use policy and log-on banner. The computer-use policy stated that the university "reserves the right to view or scan any file or software stored on the computer or passing through the network, and will do so periodically" and has "a right of access to the contents of stored computing information at any time for any purpose which it has a legitimate need to know."[35] The log-on banner provided that "all electronic mail messages . . . contain no right of privacy or confidentiality except where Oklahoma or Federal statutes expressly provide for such status," and that the university may "inspect electronic mail usage by any person at any time without prior notice as deemed necessary to protect business-related concerns . . . to the full extent not expressly prohibited by applicable statutes."[36] The court held that these notices prevent university employees "from reasonably expecting privacy in data downloaded from the Internet onto [u]niversity computers," because users are warned that data "is not confidential either in transit or in storage" and that "network administrators and others were free to view data downloaded from the Internet."[37]

The Eighth Circuit came to the same conclusion in United States v. Thorn.[38] Thorn, a state employee had acknowledged in writing a computer-use policy, which warned that employees "do not have any personal privacy rights regarding their use of [the agency's] information systems and technology. An employee’s use of [the agency’s] information systems and technology indicates that the employee understands and consents to [the agency’s] right to inspect and audit all such use as described in this policy."[39] As a result of this policy, the court held that the state employee "did not have any legitimate expectation of privacy with respect to the use and contents of his [work] computer," because under the agency's policy, employees have "no personal right of privacy with respect to their use of the agency's computers" and provides the state with a "right to access all of the agency's computers."[40]

The decisions of other federal courts that have addressed the issue support the proposition that actual and consistent use of log-on banners or computer-user agreements can eliminate any legitimate expectation of privacy of an employee with respect to his Internet communications using a government-owned information systems.[41]

References[]

  1. See, e.g., Katz v. United States, 389 U.S. 347, 361 (1967) (full-text) (Harlan, J., concurring); California v. Ciraolo, 476 U.S. 207, 214 (1986) (full-text) (stating that "Justice Harlan made it crystal clear that he was resting on the reality that one who enters a telephone booth is entitled to assume that his conversation is not being intercepted"); Smith v. Maryland, 442 U.S. 735, 740 (1979) (full-text) (stating that the Harlan test "embraces two discrete questions").
  2. New Jersey v. T.L.O., 469 U.S. 325, 338 (1985) (full-text) (quoting Hudson v. Palmer, 468 U.S. 517, 526 (1984)).
  3. See id. at 342 n.8 (discussing the individual suspicion requirement when privacy interests are minimal); accord Skinner v. Railway Labor Executives' Ass'n, 489 U.S. 602, 624-25 (1989).
  4. See, e.g., Rakas v. Illinois, 439 U.S. 128, 143 n.12 (1978); United States v. Caymen, 404 F.3d 1196, 1200-01 (9th Cir. 2005) (no reasonable expectation of privacy in the contents of computers the person has stolen or obtained by fraud).
  5. See O’Connor v. Ortega, 480 U.S. 709, 715 (1987).
  6. See Payton v. New York, 445 U.S. 573, 589-90 (1980); in “the relative heat of various rooms in the home” revealed through the use of a thermal imager, see Kyllo v. United States, 533 U.S. 27, 34-35 (2001).
  7. See Katz, 389 U.S. at 352.
  8. See United States v. Ross, 456 U.S. 798, 822-23 (1982).
  9. See Oliver v. United States, 466 U.S. 170, 177 (1984).
  10. See California v. Greenwood, 486 U.S. 35, 40-41 (1988).
  11. See Rakas v. Illinois, 439 U.S. 128, 143 n.12 (1978).
  12. United States v. Jones, 132 S.Ct. 945 (2012).
  13. See Quon v. Arch Wireless Operating Co., 529 F.3d 892, 904-05 (9th Cir. 2008), rev'd on other grounds and remanded, City of Ontario, Cal. v. Quon, 560 U.S. 746 (2010); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008); see also Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (no legitimate expectation of privacy in dialing, routing, addressing, and signaling information transmitted to telephone companies).
  14. Forrester, 512 F.3d at 510.
  15. Id.
  16. Id. at 511 ("E-mail, like physical mail, has an outside address 'visible' to the third-party carriers that transmit it to its intended location.").
  17. Id.
  18. See, e.g., People v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (analogizing expectation of e-mail user in privacy of e-mail to expectation of individuals communicating by regular mail); United States v. Maxwell, 45 M.J. 406, 418 (U.S. Armed Forces Ct. App. 1996) (sender of an e-mail generally “enjoys a reasonable expectation that police officials will not intercept the transmission without probable cause and a search warrant”); see also Quon, 529 F.3d at 905 (“[U]sers do have a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”).
  19. 45 M.J. 406 (U.S. Armed Forces Ct. App. 1996).
  20. Id. at 417.
  21. Id. at 418.
  22. Id. at 418-19.
  23. Lifshitz, 369 F.3d at 190 (internal citations omitted); see Guest v. Leis, 225 F.3d 325, 333 (6th Cir. 2001) (individual does not have a reasonable expectation of privacy "in an e-mail that had already reached its recipient; at this moment, the e-mailer would be analogous to a letter-writer, whose expectation of privacy ordinarily terminates upon delivery of the letter"); Maxwell, 45 M.J. at 417 (once an e-mail, like a letter, "is received and opened, the destiny of the [e-mail] then lies in the control of the recipient . . . , not the sender"); United States v. Jones, 149 Fed. Appx. 954, 959 (11th Cir. 2005) (unpublished) ("We have not addressed previously the existence of a legitimate expectation of privacy in text messages or e-mails. Those circuits that have addressed the question have compared e-mails with letters sent by postal mail. Although letters are protected by the Fourth Amendment, 'if a letter is sent to another, the sender's expectation of privacy ordinarily terminates upon delivery.'") (quoting United States v. King, 55 F.3d 1193, 1195-96 (6th Cir. 1995)).
  24. O'Connor v. Ortega, 480 U.S. 709, 717 (1987) (plurality); id. at 729-31 (Scalia, J., concurring).
  25. Id. at 717 (plurality).
  26. e.g., United States v. Heckenkamp, 482 F.3d 1142, 1146 (9th Cir. 2007); People v. Lifshitz, 369 F.3d at 190.
  27. Cf. Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002) (Posner, J.) (employee "had no right of privacy in the computer that [his private employer] had lent him for use in the workplace"); but cf. United States v. Slanina, 283 F.3d 670, 677 (5th Cir. 2002) (employee had reasonable expectation of privacy in use of city-owned computer where there was no "city policy placing Slanina on notice that his computer usage would be monitored" and there was no "indication that other employees had routine access to his computer"), vacated on other grounds, 537 U.S. 802 (2002).
  28. See O’Connor, 480 U.S. at 716-19 (1987) (plurality) (public employee has a reasonable expectation of privacy in personal items, papers, and effects in office, desk, and file cabinets provided by public employer); see id. at 730-31 (Scalia, J., concurring) (government employee has a legitimate expectation of privacy in the contents of his office).
  29. See Oliver v. United States, 466 U.S. 170, 183 (1984) ("The existence of a property right is but one element in determining whether expectations of privacy are legitimate."); Warden v. Hayden, 387 U.S. 294, 304 (1967) ("The premise that property interests control the right of the Government to search and seize has been discredited."); see also Legality of Television Surveillance in Government Offices, 3 Op. O.L.C. 64, 66-67 (1979) (government ownership of office insufficient to establish employee’s lack of expectation of privacy where "in a practical sense" the employee exercises exclusive use of the office) ("Television Surveillance Opinion"); but cf. United States v. Ziegler, 474 F.3d 1184, 1191 (9th Cir. 2007) (private employee's "workplace computer . . . is quite different from the" property described in O’Connor, because the computer was owned by the company, was controlled jointly by the company and the employee, and was monitored to ensure that employees did not visit pornographic or other inappropriate Web sites).
  30. O’Connor, 480 U.S. at 717 (plurality); see United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) ("[O]ffice practices, procedures, or regulations may reduce legitimate privacy expectations.").
  31. 206 F.3d 392 (4th Cir. 2000).
  32. 206 F.3d at 398 (quoting policy).
  33. Id.
  34. 281 F.3d 1130 (10th Cir. 2002).
  35. Id. at 1133 (quoting policy).
  36. Id. (quoting banner).
  37. Id. at 1134.
  38. 375 F.3d 679 (8th Cir. 2004), vacated on other grounds, 543 U.S. 1112 (2005).
  39. Id. at 682 (quoting policy).
  40. Id. at 683.
  41. See Biby v. Board of Regents, 419 F.3d 845, 850-51 (8th Cir. 2005) (university computer policy warning user "not to expect privacy if the university has a legitimate reason to conduct a search" and that "computer files, including e-mail, can be searched" under certain conditions eliminates any reasonable expectation of privacy the use of the computer network); Muick v. Glenayre Elecs., 280 F.3d 741, 743 (7th Cir. 2002) (employer's announced policy of inspecting work computers "destroyed any reasonable expectation of privacy"); United States v. Monroe, 52 M.J. 326, 330 (C.A.A.F. 1999) (no reasonable expectation of privacy that network administrators would not review e-mail where banner stated that "users logging on to this system consent to monitoring"); see also United States. v. Heckenkamp, 482 F.3d 1142, 1147 (9th Cir. 2007) ("[P]rivacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user.") (citing Angevine, 281 F.3d at 1134, and Simons, 206 F.3d at 398); cf. Slanina, 283 F.3d at 677 ("[G]iven the absence of a city policy placing Slanina on notice that his computer usage would be monitored and the lack of any indication that other employees had routine access to his computer, we hold that Slanina's expectation of privacy was reasonable."); Leventhal v. Knapek, 266 F.3d 64, 73-74 (2d Cir. 2001) (public employee had reasonable expectation of privacy in the contents of his office computer because his employer neither "had a general practice of routinely conducting searches of office computers" nor "had placed [him] on notice that he should have no expectation of privacy in the contents of his office computer").