The nation-wide precedent is they can access anything older than 180 days without a warrant, which for IRS's purposes is basically anything that would be relevant to a criminal tax prosecution (there is no statute of limitations on willful tax evasion or fraud).
Should we have privacy rights in our e-mails and personal messages? I think so. But the Constitution doesn't protect that, any more than it protects "one's papers" if those papers are left on the premises of a third party. Not everything that is a good idea must be necessitated by the Constitution.
Wikipedia's article on "expectation of privacy" is pretty good: http://en.wikipedia.org/wiki/Expectation_of_privacy ("In general, one cannot have a reasonable expectation of privacy in things held out to the public."). If you understand how SMTP works, it's hard to argue that it's a private means of communication. You send a clear-text message to a publicly accessible service that is empowered to forward the message to other publicly accessible servers if necessary.
Whoa, hold it, I don't think so. Almost every SMTP server out there today requires authentication and quite a few require either SSL or TLS. That is the very definition of trying to keep things private.
Hell, I use Google's solution and have two-factor authentication set up.
Should I really start adding "this email is privileged and confidential" to every email like my lawyer?
Note how your statement does not hold in the real world.
Email being transmitted by 3rd parties is not different from voice calls being transmitted by 3rd parties. Yes, you are trusting a provider, with the expectation that your provider will send the data where you've asked it to send the data, and nowhere else. This is still true whether you're talking postal service, landline voice calls, SMS, cellular voice calls, Skype, etc.
From the parent of my original comment:
> Almost every SMTP server out there today requires authentication ... That is the very definition of trying to keep things private.
Do you disagree with me? Do you believe that SMTP authentication contributes to privacy and not authenticity?
If I am using them to communicate with a 3rd party, I have a reasonable expectation of privacy between myself and that 3rd party. You would most certainly need a warrant to turn around and try to get access to a message stored on their servers.
On top of that, quite a bit of email today doesn't even touch SMTP. If I'm sending an email from one GMail user to another GMail user, I'm pretty sure it is just shuffled around on Google's internal servers. And, of course, I'm connecting to Google using SSL, an encrypted connection.
How does that not scream private?
I cut out the SSL and TLS because I don't disagree; SSL and TLS certainly say "privacy". I wanted to specifically address the notion that "authentication =~ privacy".
Why can't it be both?
Why should storing something on a third party's system obviate the need for a warrant? If I rent real property and use it to store my papers, does that mean the government should be entitled to seize them without a warrant because I'm storing them on the premises of a third party? If not, what's the difference?
In other news: you can't invoke the 4th amendment if you stash boxes of weed at a friend's house and he hands them over to the government when asked.
There are privacy policies and terms of service that cover what a service provider will share with whom and under what conditions. This represents an agreement between the user and the service.
However, that is wholly different from the rights held by the government (IRS) to compel the service provider to provide information at the government's demand.
Your analogy with the "boxes of weed" is similarly misguided and completely unrelated. The more relevant analogy would be that the government forced your friend's landlord to unlock his door without a warrant, entered, discovered the boxes of weed with your name on it, then arrested you.
And, to put your analogy back into the subject e-mail context, if you e-mailed something incriminating to your friend and your friend opted to turn you in to the authorities, that is entirely different from the government gaining access to your e-mail of its own volition, and without a warrant.
Mail theft was a pretty serious crime in USA I am led to believe, regardless of whether it is sent in encrypted form or not...
To prove to yourself that SMTP is primarily concerned about authenticity over privacy, just try setting up your own mail server. Ensuring your mail is not blocked and/or marked as spam is an involved process of establishing multiple checkpoints re-confirming your identity. DKIM, SPF, DomainKeys: each intended to establish that you sent this (unencrypted) message, and not someone pretending to be you.
Google won't hand you a packet capture from eth0 on smtp.gmail.com because you asked nicely. You would have to coerce an insider (or exploit your way in).
The only situation in which your statement applies is if you're abusing a position of trust as a network administrator. While it's true that this is possible, it's also possible for someone to break into your (postal) mailbox. You still have an expectation of privacy.
Of course, if you send an email to an account with the same provider, it's probably secure.
I asked once. The answer was: no, it is not waived and no warning need be attached. Applicable law revolves around intent and that is largely determined by who you choose for recipients. There is some allowance for typos and mistakes when addressing or sending. The warning is just to remind people of appropriate conduct, encourage them to report incorrectly addressed messages, and make the intent extra clear.
Absent an expectation of privacy, the government is entitled to search whatever and whenever it pleases. Are you suggesting there is court precedent establishing the government does not require a warrant to search a box being delivered by UPS?
So, again, what actual precedent exists to support rayiner's contention?
But, absent that, the government cannot simply compel UPS to hand over the package or relay its contents without a warrant. That would be a violation of the Fourth.
OTOH, if the UPS employee simply looked in the box, it wouldn't be a Fourth issue. It is only so if the employee did so at the behest of the government. In other words, you are correct: in that case the employee is acting as a government agent, which triggers the Fourth:
Edit: Key clause:
Miller: Can private parties ever trigger the 4th Amendment?
Solari: Yes, as we discussed, if a private party were to be acting at the behest of the government -- if a government agent were to ask that FedEx person to open up a package and look inside, or to ask someone’s girlfriend to go through their things looking for evidence to turn over to the police, then that would be government activity. That would be the actions of a government agent because government agents can’t ask private parties to do something they themselves couldn’t do under the 4th Amendment, so in that type of instance it would be extended to that private party.
Now my next question is can someone force the third party to give up the information without a warrant? I know they most likely will just comply. However, just for completeness, can a company like FedEx say that they require a warrant before opening packages?
I just grepped my personal email server log to double check, here's an obfuscated entry from this morning:
> localhost postfix/smtpd: TLS connection established from mail-xxxxxxxx.google.com[xxx.xx.xxx.xxx]: TLSv1 with cipher RC4-SHA (128/128 bits)
Doesn't look like clear text to me.
Edit: A test tool... https://www.checktls.com/
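The log check described in the comment above, generalized as an added example (not part of the original thread): it walks Postfix smtpd log lines and reports which inbound sessions negotiated TLS, which stayed in clear text, and which used a protocol or cipher now considered weak. The sample log, host names and addresses are constructed, and Postfix only writes the TLS summary line when `smtpd_tls_loglevel` is 1 or higher.

```python
import re

# Constructed sample log for illustration; hosts and IPs are documentation values.
SAMPLE_LOG = """\
Apr 10 08:15:01 mx postfix/smtpd[2211]: connect from mail-a.example.com[192.0.2.10]
Apr 10 08:15:01 mx postfix/smtpd[2211]: TLS connection established from mail-a.example.com[192.0.2.10]: TLSv1 with cipher RC4-SHA (128/128 bits)
Apr 10 08:15:02 mx postfix/smtpd[2211]: disconnect from mail-a.example.com[192.0.2.10]
Apr 10 08:16:10 mx postfix/smtpd[2212]: connect from relay.example.net[198.51.100.7]
Apr 10 08:16:11 mx postfix/smtpd[2212]: disconnect from relay.example.net[198.51.100.7]
Apr 10 08:17:30 mx postfix/smtpd[2213]: connect from out.example.org[203.0.113.5]
Apr 10 08:17:30 mx postfix/smtpd[2213]: Anonymous TLS connection established from out.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr 10 08:17:31 mx postfix/smtpd[2213]: disconnect from out.example.org[203.0.113.5]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<client>\S+\[[^\]]+\])")
# Newer Postfix versions prefix the line with a trust level such as "Anonymous".
TLS_OK = re.compile(
    r"^(?:\w+ )?TLS connection established from (?P<client>\S+\[[^\]]+\]): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DISCONNECT = re.compile(r"^disconnect from (?P<client>\S+\[[^\]]+\])")

# Assumption of this example: what counts as "weak" is a local policy choice.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "NULL", "EXP", "EXPORT", "MD5"}


def new_session(client):
    return {"client": client, "protocol": None, "cipher": None, "verdict": None}


def verdict(session):
    """Classify one inbound session as plaintext, weak-tls or tls."""
    if session["protocol"] is None:
        return "plaintext"
    tokens = set(session["cipher"].upper().split("-"))
    if session["protocol"] in WEAK_PROTOCOLS or tokens & WEAK_CIPHER_TOKENS:
        return "weak-tls"
    return "tls"


def classify_sessions(log_text):
    """Return one dict per smtpd session, in the order the sessions ended."""
    open_sessions = {}  # (pid, client) -> session, kept in insertion order
    finished = []
    for line in log_text.splitlines():
        found = SMTPD.search(line)
        if not found:
            continue  # not an smtpd line (cleanup, qmgr, other daemons)
        pid, msg = found.group("pid"), found.group("msg")

        match = CONNECT.match(msg)
        if match:
            key = (pid, match.group("client"))
            open_sessions[key] = new_session(match.group("client"))
            continue

        match = TLS_OK.match(msg)
        if match:
            key = (pid, match.group("client"))
            # The log may start mid-session, so the connect line can be missing.
            session = open_sessions.setdefault(key, new_session(match.group("client")))
            session["protocol"] = match.group("proto")
            session["cipher"] = match.group("cipher")
            continue

        match = DISCONNECT.match(msg)
        if match:
            session = open_sessions.pop((pid, match.group("client")), None)
            if session is not None:
                session["verdict"] = verdict(session)
                finished.append(session)

    # Sessions still open when the log ends are reported as seen so far.
    for session in open_sessions.values():
        session["verdict"] = verdict(session)
        finished.append(session)
    return finished


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(f'{s["verdict"]:10} {s["client"]} {s["protocol"] or "-"} {s["cipher"] or "-"}')
```

A `tls` verdict covers only the hop into this server; it says nothing about other relays on the path or about how the message is stored once delivered.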
However where I do disagree with rayiner is that you should be able to expect that third parties which you willingly entrust your communication to, should not be compelled to turn over that message without a warrant.
If they turn it over willingly that's caveat emptor, but email to me feels more like a hand-to-hand transfer of a postcard than dropping a postcard on a public desk (as used in a different example), and therefore you should be able to expect that it's not treated as essentially public domain.
What does "should" have to do with it? A landline telephone isn't encrypted, people still expect their conversations to be private. And I don't see why email should be different -- if it came out that human Google employees have been reading your emails it would be a huge scandal.
> If they turn it over willingly that's caveat emptor
I don't know about that. Do you think it would also be reasonable without a court order for them to provide your private emails to a party other than the government, like a reporter or your company's customers or suppliers?
But I'll take it further, to the extent that a secure channel isn't possible by phone today, people shouldn't expect privacy there any more either.
Being able to keep the government from using your information is different from privacy, and that's my big point. These conversations always go the route that Big Brother knowing about something is the worst thing that can happen to you, but really it's not. How many people get fired from their jobs without one bit of government intervention based solely on their employer becoming aware of a message they sent? That's what I'm talking about, you should not expect privacy from unencrypted email. Even if your provider is awesome, the recipient and the recipient's provider might not be, and that's beyond your control in most cases.
> > If they turn it over willingly that's caveat emptor
> I don't know about that. Do you think it would also be reasonable without a court order for them to provide your private emails to a party other than the government, like a reporter or your company's customers or suppliers?
Do I think it would be reasonable? Not at all. But it's certainly not illegal, which is why I say caveat emptor. Pick your contractors carefully and vote with your wallet for the one that will guard your data.
Privacy should not (and in more enlightened countries and legal systems it does not) mean "others are not technically able to see it".
It should mean: "this piece of information should not be attempted to be seen by others without the owner's implicit or explicit permission".
(And then legal formulas could be used to define "permission" (i.e. the recipient of an email has an implicit permission to read it)).
If we use the BS notion of privacy of the US courts, then copyright should not exist either (because, by the same logic, one can break the copyright protection easily). Even theft would be OK (hey, I can steal your stuff if you left your belongings in a public place).
So, no, whether my mails are in Google's servers or wherever else, it should be illegal to read them for any purpose I don't agree with. Much the same as if the postman delivers my email to the neighbor's box by mistake, he should not be allowed to open and read it.
And we can do that with cryptography, with even more sophistication than a simple "yes/no" formula:
The problem with relying on legal formulas here is that you need to rely on many people -- hundreds, maybe even thousands -- to not break the law over a long period of time. Your email is not really "sent," it is copied from system to system, and anyone with access to those systems could potentially read it. Backup tapes may be lost or stolen. Hard drives full of email may be sold off. This is not privacy; it is trusting hundreds of strangers to keep your confidence for an indefinite period of time.
This is really at the heart of the disagreement in this thread. Maybe this is what you think it should mean. But that's not what it means Constitutionally. The Constitution doesn't talk about privacy, it talks about unreasonable search and seizure. And the precedent is that if you've voluntarily handed the information to someone else, it's not unreasonable for the government to get that information from them.
Sure, but I don't care much about the constitution. I care about what's fair and right. Constitutions can be changed and amended, especially if they were written 3 centuries ago.
So WireShark is now illegal in your ideal world?
Email is computer technology and demands a technical answer: if you want something to not be eavesdropped on, encrypt it. This is why we use ssh and not telnet any more.
If it's not your network and/or network traffic, or you don't have the network owner's permission, then yes.
Why should it be legal? Because you like playing with it?
"Impossible" trumps "illegal" every time.
Because I don't want technology to rule us, I want us, humans, to rule technology. We say a lot of times that "technology is a tool". If we have to adapt ourselves and our society to it, instead of adapting it to our preferences, goals and morals, then it's not a tool, it's a ruler.
In this case, cryptography might be a solution. But it's not a perfect solution for me. For one, it's not widespread and it's confusing for most people to integrate to their mailing habits. Second it breaks lots of workflows and conveniences (e.g. full text search of emails).
Second, I don't want the government, Google, or anybody else to have it be legal to look into my email if they can break the cryptography or find the key. I want it to be illegal even at that case.
Third, while cryptography might be a case where technology can solve this problem (privacy) there are other issues just piling technology cannot be used to solve them -- where legislation is needed.
Personally, I want technology to solve human problems. If technical solutions to problems exist, they should always be preferred over legal solutions. We do not need to increase the size of an already out-of-control legal code, and we do not need more laws that will be selectively enforced (as almost all laws are).
"it breaks lots of workflows and conveniences (e.g. full text search of emails)."
That is not an insurmountable problem: get an email client that can do full text searches of your email by automatically decrypting it while the search is performed. If for some reason you need to export your search to some server, cryptographers have developed systems for doing that in a secure way, though their computation cost is a bit high (much more than searching the plaintext).
"I don't want the government, Google, or anybody else to have it be legal to look into my email if they can break the cryptography or find the key. I want it to be illegal even at that case."
I would be cautious about that. It is almost certainly the case that such a law would not be enforced when a government agency or large corporation is breaking it -- see e.g. the warrantless wiretapping program. More likely, such a law would be used when a whistleblower exploits a weakness in a cryptosystem to expose government wrongdoing.
Expanding the legal code is dangerous. We have so many laws that the government has lost track:
We have seen over and over how this vast legal code is abused to crack down on protesters and dissidents. Adding more laws to it is just asking for more trouble, and doing so when we have technical solutions is a pointless risk.
"while cryptography might be a case where technology can solve this problem (privacy) there are other issues just piling technology cannot be used to solve them -- where legislation is needed."
Sure -- but we are not talking about those problems, we are talking about a specific problem that is well studied and which has been solved for decades.
Indeed. Making something that could be made impossible (or extremely difficult) "only" illegal will tend to make people complacent. If the expectation is that bad people won't do something because it's against the law, good people may fail to ensure that they can't. And then bad people do it anyway, leading to outrage, panic and harmful reactionary legislation. Not to mention bad people getting away with doing bad things, which could all have been prevented with sound engineering.
This isn't to say that every problem can be solved with a technical solution -- but when the technical solution is extremely effective, a legal solution is surplus to requirements.
Consider, in a public restroom there is very little done to prevent people from seeing each other. However, one almost certainly has a reasonable expectation of privacy in such a situation. Hell, consider using the restroom in someone else's house. If you record videos of everyone that uses your restroom...
Really, we need encryption to be widely used, for people to learn about it in school, and for people to generally expect messages to be encrypted. We have not really won this fight until people encrypt private messages and get angry when private things are sent in the clear.
Consider, someone could have a camera mounted onto their foot or on a pole to get over the standard stall doors. Would you just claim that folks should be ok with this? Because, "hey, it was possible? Quite easily done, actually."
I am pushing this point so heavily especially because a large company is pushing cameras that are mounted on people's faces. If someone were going into a restroom taking pictures, people would feel rightfully violated. Soon, this is likely to be happening more than you'd care to consider. The ease with which it can be done is irrelevant to the legality of it.
So let's take that argument to its extreme: you are standing in an open field going to the bathroom. Do you still think you have a reasonable expectation of privacy?
The problem with your argument is that it is based on the idea that if people want privacy, they are entitled to it even if they do nothing to protect that privacy. There is nothing wrong with expecting people to be a bit proactive when it comes to their privacy -- closing doors, drawing their curtains, encrypting their email. People should not just shrug about someone filming them on the toilet, they should do something to prevent it (and if a person started to drill holes in the door, sure, prosecute them -- for destroying someone's property).
"If someone were going into a restroom taking pictures, people would feel rightfully violated"
No, if someone were going into a restroom taking pictures of other people going to the bathroom in a closed stall they would rightly feel violated. Any weaker standard is basically saying that nobody can take pictures in public, because they might accidentally catch a person peeing on a wall and thus violate their privacy.
"The ease with which it can be done is irrelevant to the legality of it."
No, it is very relevant to the legality, because when we make easy and popular things illegal we worsen an already out-of-control criminal justice system. We do not want to start arresting people just because they are using their cameras, even if their cameras are mounted on their heads, even if they wear their head-mounted cameras into bathrooms. If cameras are everywhere and used by everyone, the answer is to build bathroom stalls that go from the floor to the ceiling, not to open the door to waves of prosecution (which will almost certainly be used selectively against "undesirable" people).
The appropriate place to draw the legal line with privacy is with people taking proactive and reasonable measures to be private. Putting letters in envelopes, closing curtains, closing doors, and yes, encrypting emails. You have no expectation of privacy in public parks, nor if your door is left open, nor if your curtains are left open, so why should you expect privacy when you send unencrypted email?
As the other poster said, consider the urinal. Whether intended or not, there are about to be a lot of images of people at the urinal taken by a capture device. Should men just get used to this idea and expect these pictures online?
I roughly get and agree with what you are saying. But, consider, it is trivial to build a microphone that can pick up every word you said within your house. Do you feel that police should be able to use such a device from a van outside without a warrant? Hell, it is trivial to build a camera that can see through most clothes nowadays.
That is, the laws are there precisely to cover things which may be easy otherwise. Hell, it is trivial not to pay your taxes. Illegal. It is trivial not to honor a contract. Illegal. We don't make laws against jumping to the moon. Because... not exactly relevant from a legal perspective.
Yes, or else just walk to the stall and pee in the toilet. I see guys doing that all the time where I work -- some men want to be private about it, and urinals are not and have never been private.
"But, consider, it is trivial to build a microphone that can pick up every word you said within your house. Do you feel that police should be able to use such a device from a van outside without a warrant? Hell, it is trivial to build a camera that can see through most clothes nowadays."
I did say that closing your door should give you a reasonable expectation of privacy. I also said that things that are easy and popular should not be made illegal. If everyone walked around with a parabolic microphone or a millimeter wave scanner, we would have to adjust our laws, habits, and notions of what counts as a reasonable expectation of privacy accordingly. It is currently reasonable to expect that wearing clothes protects you from having your naked body photographed; that would have to change if it were common for people to carry cameras that could see through cotton.
However, if police wish to violate this, using relatively common and accessible tools, they have to have a warrant. Consider the phone calls you place. These are just as exposed to third parties as any email you send. Yet to intercept them police need a warrant. For others to do so is illegal.
Note, the deciding point here is not that it is hard or easy to intercept your communications. Or sit outside with a microphone. The point is that those activities require a warrant. Because they are illegal otherwise.
Why not? It's just a law away for this to happen.
We can fully well pretend that email really is private.
It doesn't matter if it is technically private (i.e. if someone can access it or not). What matters is for accessing it to be illegal.
If this is the criterion for success, this fight will take a very, very long time to win. It may be impossible.
How will I explain this to my grandma?
To my 10 year old cousin who is interested only in Nicki Minaj and makeup?
Except for the mail servers...
It would be as though you communicated by sending post cards, and the postal works took every post card and ran it through a copy machine, leaving them all in a neatly organized (by sender and receiver) pile somewhere.
Also, unsealing an envelope on a hot surface is trivial. Nitpicking aside, both mediums are not inherently secure.
How you transmitted or handled something at a point in time is not relevant to its status at rest.
This issue here is that the government asserts that email is a communications system only. The problem is that while it does enable people to communicate, it also serves as a filing system to many email users. The law as written in 1986 didn't foresee 25GB mailboxes on O365 or Google with the equivalent of many file cabinets worth of memos, etc.
1) A rental car, like a rented house, is still under your control. But your e-mail account on Google's servers is under their control. They can do whatever they want with it. It's more like your friend letting you use part of his garage to store stuff--a third party still retains full control over the space.
2) As far as I can tell, Google can access your e-mail whenever it wants, so the "locked container" analogy also fails.
Again, I think the fact that Google/Microsoft/etc can scan your emails and documents to send you targeted ads is determinative here. If you're voluntarily exposing the contents of your documents to that process, how can you claim to have an expectation of privacy?
The fact that you own the box that email was delivered to and that email never left that box has no bearing in the matter for the IRS. They still claim the right to inspect it, without a warrant.
Google, Twitter, etc, come into play because they are the kinds of communications the IRS is referring to--electronic communications stored on servers controlled wholly by unrelated third parties.
The IRS isn't going to break into your mail server.
People should really, really be running their own mail servers, and I suspect should be providing their own dialtone as well. The latter is certainly much more complicated and technical, but that level of control is a very nice thing to have.
Google, Twitter, Facebook, etc., don't enter into the situation.
The extension of 4th amendment protections to telephone calls dates to a time when it was a direct analog connection between your phone and the other person's phone. But Google/Gmail is not just a dumb wire. It's an intermediate third party that can read your email and scan it to sell you ads.
It's true that this has always been the position of the Federal government, but that argument has always seemed pretty weak to me, and I don't accept it on principle, no matter how pervasive it's become. People don't expect their email to be read by others, especially the government, period. The reality that they are in fact doing this anyway just means citizens have to push harder to effect a change in the law.
This isn't a new fight. The government literally used the same exact argument when telephones were invented. It took years to work in protections for phone calls, I see no reason why the same can't be done for new modes of communications like email.
That is inconsistent with the wide usage of GMail, which (robotically) reads your mail to give you directed advertising. So GMail users at least cannot claim that they expect no one else to read their email as they've opted-in to having their mail read by running the service at all.
Email servers generally aren't publicly accessible, rather they're only accessible to authorized (registered) users.
The difference between telephone calls and email is that you generally don't have access to the things you need to listen in on a telephone call, but email you only need to have access to one of the routers that it's routed through.
Compliant MTAs include: sendmail (>= 8.11), postfix (>= 2.2), MS Exchange (>= 5.5). Patches have existed for qmail to add support since 1.01, though they aren't in the main distribution for reasons that I'm sure make sense to djb.
No. No. No.
The test is one of reasonableness. Is it reasonable to assume that an individual--who addresses a message directly to another individual by means of that individual's unique identifier--intends that only that individual will view the e-mail? Of course it is.
The suggestion that people should understand the vulnerabilities in the underlying technology is a red herring.
Perhaps this is why the Sixth Circuit concluded that e-mail is private.
Now, the interesting question is: is IRS entitled to access emails if both the sender and receiver are using the same provider and it doesn't leave their servers? (I'm guessing the situation is similar to delivering a note by hand through a single third party... again, I wouldn't expect any privacy there.)
However, reasonable people know that no humans are required in the process of delivering e-mail, and further, the average person doesn't necessarily believe that other people will read an email even if they know it is technically possible.
Circumventing those protections requires the intervention of an independent (as in independent from the executive) judge.
Non-apathetic citizenry probably trumps well-armed citizenry.
The crux of the matter is "knowing exposure to third parties." So you have an expectation of privacy in sealed postal mail, but not say post cards or anything printed on the outside of envelopes. While a postal service as a matter of course can't read what's in peoples' sealed letter mail, e-mail is sent in plain text and can be seen by any intermediary SMTP server as well as system administrators of the sending and target mail servers. That's just the nature of the protocol.
Moreover, the fact that the U.S. Postal Service is an agency of the government puts it under heightened scrutiny as compared to e-mail providers who are private parties. The fact that people would be horrified if the U.S. Postal Service were tearing open envelopes and scanning mail to send targeted catalogs, etc, to people but accept Google, etc, doing the same thing as a matter of course really cuts at the knees of the argument that people have the same "expectation of privacy" in their e-mail as they do their letter mail.
"Reasonable expectation of privacy" doesn't have an implicit "only as against the government." If you're knowingly exposing the contents to Google and Microsoft to scan, you can't claim to have a "reasonable expectation of privacy" in the contents.
I've stopped putting my public key on emails I send, because almost no one ever encrypted email to me, unless they were specifically sending something perceived to be sensitive.
The ad-bots at Google aren't known to be very gossipy.
(I don't mean this to be snide. I think this is an instance of a very interesting phenomenon, where we reason about our society as if it were a village.)
Wrong. The users' providers can see the message, but they will only pass it to the next link in the chain to the recipient. That doesn't mean it's okay or expected that it'll be shared with anyone else.
Handing off your voice calls to AT&T does not eliminate the expectation of privacy, nor does handing off your letters to USPS. Both of these services will move your information around internally, and AT&T will route your voice call to a Verizon switch if necessary. This still does not negate the expectation of privacy.
Why should email be different?
This is how postal system works.
In the postal system, your message is generally encapsulated in a tamper-evident envelope, carried in locked cars and trucks that enjoy Federal protection against intrusion, and end up in mailboxes that are almost always on private property and/or locked.
Those are all mechanisms, not legal protections. All could be bypassed by a determined person.
In both email and physical mail, someone else can secretly read your mail if they try hard enough. In both, you expect them not to. In both, we have the same question: should the government need a warrant to violate that expectation?
I can plant a secret microphone in your house. That doesn't mean I have a right to.
That's beside the point though. People in general expect their mail correspondence to remain private, although a motivated third party might be able to defeat security.
Your analogy would make better sense if you were talking about using a government-provided email service. But trust me, you don't want to do that, at least if it's anything like my government-provided work email.
When you have a conversation in a busy mall, you have no expectation of privacy. When you communicate one on one in confines of private apartment, your speech isn't meant for others to be heard, even if that would be laughably easy to eavesdrop for a government agency.
It's not really a technicality we are arguing about but very basic expectations from a communication medium. If I write an email to my wife I don't expect it to be exposed to arbitrary strangers, although I understand that it's not as secure media as say diplomatic cables cough.
The 4th Amendment is specifically a limitation on government power to compel unreasonable search or seizures. That's why I said having a private courier give up your information (not at the demand of the government) would be at best a civil matter such as breach of contract.
Now do FedEx and UPS routinely give up our parcels to the wrong party? No, but the reason isn't the 4th Amendment. The reason they try to deliver to the right party is because of the incredible market reaction that would occur if they were known to be routinely diverting deliveries or snooping.
But your expectation of privacy in general (as opposed to privacy against government interception) does not have any backing in law AFAIK (sadly), which is what I think rayiner was pointing out. From the perspective of the law, if you're willing to disclose information to some "random" third-party then why wouldn't you be willing to disclose it to anyone else (incl. the government)?
I agree that we should be able to expect privacy even in these cases, as it seems like a fairly large loophole if rayiner is right, especially in a world that is far advanced from the days where long-distance communications of any sort required government services and so privacy really did mostly mean "privacy from government".
That is, under the 4th Amendment, land-line phone users have a reasonable expectation of privacy; therefore, Gov. must obtain a search warrant to use evidence gathered from such sources against the criminal defendant. Yet, Courts define cell phones as little more than radios, and one does not have a reasonable expectation of privacy of radio transmissions, so evidence gathered can be used against a criminal defendant without being obtained by warrant.
So, right or wrong, I think the whole frame is similar to mail and email, of course emails are not defined as radio transmissions. Now all that said, between the Bush and Obama administrations reasonable expectation of privacy has been eroded (and as a result the 4th Amendment), and de facto there is no expectation of privacy over anything except maybe what is in your head.
This wasn't always the case. In fact the government argued the exact opposite for years.
I suppose pay phones are landlines, but reasonable expectation of privacy is more complicated - originally courts upheld reasonable expectation of privacy when there was a phone booth, but not when the pay phone was in the open - this varies from state to state but I would not be surprised if this expectation of privacy has whittled away in the majority of states.
But I bet you wouldn't need a warrant if you wanted to just capture and show the existence of the emitted radio waves as evidence, ignoring their contents (if you were making some kind of a traffic analysis type of argument).
Now, what if you used a service like gmail, but made sure that you deleted all your mail before they aged to 180 days. What if the mails are not actually deleted from the underlying storage, but just not presented to you. If the mails still "exist" could they be used against you? Would google give them up? Was there an expectation of actual deletion?
This is true, and a great point. I often open my neighbors' postal mail using this same excuse. Sometimes you can even read the letters and notices right through the paper envelope!
With that said, it's actually a Federal crime to remove mail from someone else's mailbox to obstruct or pry into their business (even for postcards), which would seem to support your overall point.
Sure, it's easy to snoop emails in-flight, but once it arrives at its destination, it ought to be hands-off.
> "Given the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise, the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve."
And of course their opinion carries quite a bit more weight, to the point that both Google and Microsoft, at least, put their disagreement with the IRS in writing, requiring a warrant before disclosing the content of emails, regardless of the age of those emails.
ctrl-f "warrant" in both of these for more details, but here are some snippets. From Google:
> "On the face of it, ECPA seems to allow a government agency to compel a communications provider to disclose the content of certain types of emails and other content with a subpoena or an ECPA court order (described below). But Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure....
> The threshold is higher still for an ECPA search warrant. To obtain one, a government agency must make a request to a judge or magistrate and meet a relatively high burden of proof: demonstrating "probable cause" to believe that contraband or certain information related to a crime is presently in the specific place to be searched. A warrant must specify the place to be searched and the things being sought. It can be used to compel the disclosure of the same information as an ECPA subpoena or court order—but also a user's search query information and private content stored in a Google Account, such as Gmail messages, documents, photos and YouTube videos. An ECPA search warrant is available only in criminal investigations."
And from Microsoft:
> "Does Microsoft reject subpoenas from law enforcement seeking content data?
> Yes. We require an order or warrant before we will consider releasing content. Like other companies, we implemented the holding of U.S. v. Warshak, which held a provision of the Electronic Communications Privacy Act to be unconstitutional."
The IRS trying this would be a great benefit to us all, short of Congress getting their act together and revising the ECPA, and the EFF would love nothing more than to take up the case. Considering that it has already been confirmed that Google is requiring warrants and Microsoft has taken such a strong stand while releasing their latest transparency report, it seems like we also have at least two corporate sponsors (and, actually, this is a bad position for most companies to be in, as many email providers can't easily figure out which Appeals Court their customer falls under. This exposes them to risk if they disclose email content without a warrant, which is another motivation to take the conservative approach and ask a court to decide if they have to disclose emails with only a subpoena).
SMTP is nothing next to encryption, but it's not the equivalent of leaving papers in a filing cabinet.
Not even close.
In which case you are a network administrator of a (probably tier 1) ISP and abusing your position of trust. As well as probably violating your contracts with the companies for which you have agreed to carry traffic.
It's also possible for me to read mail from my neighbors' mailboxes, and most of their PSTN demarcs are hanging off the side of the house and not protected by a fence or anything. Mail and voice calls are still private.
Edit: added word "outgoing" for pedant below. ;) Of course it'd be nice to get their public key too if you had to correspond back without going through say their https website.
It needs some really good integration with an email client somewhere, where addresses are picked up from a public key server and automatically encrypted. I'm picturing an iMessage style thing where as you're typing someone's email address, the keyserver is getting pinged and the address turns a different color and a lock icon appears by it. Now all your correspondence with that person is encrypted. PGP purists might not like it ("but you're automatically trusting some random key!! The web of trust, the web of trust!") but it would be a step in the right direction.
 Statistic I just made up.
[Edit: it pains me to say this, of course; I am not a fan of systems where some other party or coalition of parties can decrypt messages. However, it would be better than what we have now, and it is closer to the "putting a letter in an envelope" abstraction.]
gpg --auto-key-locate pka -ear mike(dot)cardwell(at)grepular(dot)com
gpg then automatically looks up the TXT record for "mike.cardwell._pka.grepular.com" in the DNS. Which gives it:
It then automatically fetches my public key from the URL in that record, checks it matches the fingerprint, and then imports it.
For extra goodness, the DNS for "grepular.com" is secured with DNSSEC also.
The technology exists for sharing public keys and using PGP. The major mail providers couldn't care less about providing user interfaces for it though.
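The lookup-and-verify step described in the comment above, as an added example (not part of the original comment and not gpg's own code): it derives the `_pka` DNS name, parses a `v=pka1;fpr=...;uri=...` TXT record, and accepts a fetched key only if its OpenPGP v4 fingerprint equals the published one. The address, URI and key bytes are constructed, and the record layout is an assumption because the thread does not reproduce the record.

```python
import hashlib
import hmac
import struct

def pka_dns_name(email):
    """alice@example.org -> alice._pka.example.org (the TXT name that is queried)."""
    local, sep, domain = email.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address")
    return f"{local}._pka.{domain}"

def parse_pka_record(txt):
    """Parse 'v=pka1;fpr=<40 hex>;uri=<url>' into (fingerprint, uri)."""
    fields = dict(p.split("=", 1) for p in txt.strip().split(";") if "=" in p)
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    fpr = fields.get("fpr", "").upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("malformed fingerprint")
    return fpr, fields.get("uri")

def v4_fingerprint(packet_body):
    """OpenPGP v4 fingerprint (RFC 4880, 12.2): SHA-1 over 0x99, length, body."""
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def key_matches_record(txt, packet_body):
    """True only if the fetched key hashes to the DNS-published fingerprint."""
    fpr, _uri = parse_pka_record(txt)
    return hmac.compare_digest(fpr, v4_fingerprint(packet_body))

def mpi(n):
    """Encode an integer as an OpenPGP multiprecision integer."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: a toy v4 RSA public-key packet body (not a real key).
SAMPLE_KEY = (b"\x04" + struct.pack(">I", 1357000000) + b"\x01"
              + mpi(0xC0FFEE1234567891) + mpi(65537))
SAMPLE_TXT = f"v=pka1;fpr={v4_fingerprint(SAMPLE_KEY)};uri=https://example.org/alice.asc"
SWAPPED_KEY = SAMPLE_KEY[:-1] + b"\x03"  # what a tampered download would look like

if __name__ == "__main__":
    print(pka_dns_name("alice@example.org"))
    print(key_matches_record(SAMPLE_TXT, SAMPLE_KEY))
    print(key_matches_record(SAMPLE_TXT, SWAPPED_KEY))
```

The fingerprint comparison is only as trustworthy as the DNS answer it came from, which is why the DNSSEC signing mentioned in the comment matters.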
We need a system that lets people encrypt messages without having to wait for the receiver to do anything. That's the point of IBE: your public key is your email address, you get your private key from the service of the sender's choice. The service clearly needs to do something to verify your identity, which is the weakness -- but it is still better than what we do now, and it does not require us to wait for everyone to upgrade their email clients.
I received one a couple of weeks ago and it works great. I also have an OpenPGP v2 smart card, a USB smart card reader, and a reader built into my Thinkpad.
Edit: ok your edit makes more sense now :)
I would like this, too. Internet, please get on that.
We may yet return to that stage.
Google won't give your email away without a warrant, and neither will Facebook. So I'm not sure what this means.
1. Because your emails are "open" (like a postcard) when being transferred over a network, you do not enjoy an "expectation of privacy" for them
2. Therefore if the government "sees it go by" (like a postcard in the mail), they can read it
3. So if the government plants themselves in the middle of a bunch of networks to "see emails go by" and then stores them in a big database, that should be admissible, no?
It seems like the postcard analogy should hold all the way through, right? Ie the government could photograph all mail going through, store it, and look it up later to use in court if they wanted to.
Sure - the IRS may or may not actually look into those databases in practice due to national security concerns, etc - it's just that they could. [edit: formatting]
Then the only question is whether the FBI and IRS will cooperate in their investigations - the answer there seems pretty clear.
"if you don't have anything to hide, you have nothing to fear" -- Eric Schmidt of Google
Google's stance on this particular issue is actually quite the opposite of the IRS's: http://www.wired.com/threatlevel/2013/01/google-says-get-a-w...
If the government wants to read your email, it will. If it refrains from reading your email it's only because it doesn't find you interesting enough to go through the hassle of doing so.
Every single rsync.net intra-company "email" has never crossed a wire - always just a local copy operation.
Yes, we do all use (al)pine over SSH, so no, it didn't cross a wire to a web browser.
There's your list.