Despite some users’ lax approach to safeguarding their identities, online accounts may now be afforded greater protection following the Sixth Circuit’s ruling in United States v. Warshak. The court, which upheld a temporary injunction on a fraud investigation involving the all-too-familiar late-night “Smilin Bob” infomercials, extended the fourth amendment’s warrant requirements to messages stored on third-party servers. The Sixth Circuit wrote:
“The ISP is the functional equivalent of a post office or a telephone company… The police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is.”1
Prior to the ruling, the government could (and regularly did) obtain e-mails stored on third-party hosts like Gmail, without first needing to obtain a search warrant. In its decision, the district court declared the 1986 Stored Communications Act (SCA)2 unconstitutional on the grounds that it allowed what was tantamount to a traditional search, but without the required showing of probable cause. The court noted, “given the fundamental similarities between e-mail and traditional forms of communication, it would defy common sense to afford e-mails lesser Fourth Amendment protection.”3
The SCA, written long before GMail’s all-you-can-eat storage was ever dreamed, required a warrant for any message stored on a third-party server for fewer than 180 days, but simply required a subpoena or court order for older messages or messages that had been previously downloaded by the user, thus denying the subject of the investigation both notice and the subsequent opportunity to contest the search itself. 1, 4
For the most part, the decision makes sense. As e-mail moves from download-and-delete POP-based messages stored solely on a user’s computer to the nearly limitless IMAP, Exchange, or Web-based messaging that increasingly lives in the unseen cloud, neither opportunity to download nor time spent on server are very compelling standards to determine the level of privacy that should be afforded to a message or the showing of cause that should be required to compel a host to disclose its contents.
The decision, which tips a circuit split further in favor of extending the fourth amendment, should, at least in theory, lay the groundwork to grant such protections to other forms of information stored in the cloud. Such information may include calendars or contacts on the more obvious end of the spectrum, but may arguable be construed to cover wholesale cloud services like AWS, Salesforce, Rackspace, and Azure, a possibility not to be taken lightly following the WikiLeaks hosting scramble.
Surely the decision does not settle the issue outright, but it is the latest in a long march of much-needed rulings further blurring the legal distinctions between the world online and the world off, and as persuasively written as it is, is likely to prove influential as both law and technology continue to evolve side by side.