The Sarah Palin E-mail Privacy Act of 2009

As has been widely reported, Sarah Palin’s Yahoo e-mail account has been breached, and its contents have been posted to wikileaks. Gawker.com is posting excerpts from the e-mail messages including photographs.

As usual, Orin Kerr (with some assists from his merry band of commenters) is doing a great job fleshing out the legal analysis. A crime has been committed, there can be no doubt, and Yahoo!’s lawyers will probably be kept up late tonight receiving and responding to incoming subpoenas and court orders.

I wanted to come at this story from a slightly different angle: I predict that some day we will look back on this breach as a watershed event in the history of statutory Internet privacy. As Dan and many others have noted in their articles, Congress often enacts privacy protecting legislation only in the wake of salient, sensationalized, harmful privacy breaches. Thus, Judge Bork’s video rental records begat the Video Privacy Protection Act and the murder of actress Rebecca Schaeffer by a stalker with DMV records led, eventually, to the Drivers’ Privacy Protection Act.

Compared to these examples, the breach of Sarah Palin’s e-mail account is on a higher plane of salience and sensationalization. The most scrutinized woman in the country has dozens of her private correspondences pasted all over the blogs. Even if nothing is found in these messages which damages her or the campaign, and whether or not the perpetrators are caught, many will call for tougher privacy laws, and Congress and state legislatures will feel great pressure to deliver. And they won’t just be targeting the breachers–many will criticize the Gawkers and Wikileaks for helping disseminate the e-mail messages (if not the Kerrs and Ohms and Washington Posts for linking to Gawker), so expect a fierce First Amendment debate. I can even see calls to make IP addresses easier to track. Mandatory data retention, anyone?

If I am right about this, expect the E-mail Privacy Act of 2009, and expect it to be a blockbuster. If you’re an activist, government lawyer, e-mail provider, or scholar with an interest in information privacy, I advise you to start putting together your statutory wish lists.

You may also like...

14 Responses

  1. Mark says:

    Yes, electronic privacy and civil liberties are extremely important and I hope this elevates public interest on the matter.

    However, government transparency is also pretty crucial to a functioning democracy. Palin tried to exercise her executive privilege and circumvent proper archiving techniques by using a private email account. In doing so she took a huge stupid risk. We have intelligence officials and IT security on government payroll for a reason. It’s so that your Yahoo account with password “hockeymom08” or whatever doesn’t get hacked.

    The Bush administration has been doing this for years. Americans deserve to have archives so we can see how decisions were made.

  2. Eric Goldman says:

    Funny, the possible solutions you identify might increase email privacy (in a sense) but most privacy advocates would feel they degrade privacy protections overall. Maybe the event will become a trojan horse for anti-privacy laws? Eric.

  3. I tend to doubt that this will spark much of a change in the law. If this weren’t a violation of existing law, then there might be a push for a change, but since the law addresses this already, I wonder whether we’ll see a Palin Privacy Act of 2009. ECPA needs a major overhaul, and the CFAA at least needs some clarification given its incredible vagueness, but this case isn’t one of the many that fall into the gaps and ambiguous swamps of ECPA and CFAA.

    It’s true that Bork’s video records and Schaeffer begat laws, but notice too that the laws they sparked were rather narrow. So the VPPA could have covered a wider range of records than merely video records, but it didn’t because the reporters only happened to go after Bork’s video records. Had they gone after his bookstore records, Congress would have passed the Bookstore Privacy Protection Act. My point here is that Congress is unlikely to use the Palin violation as something to spark a wider rethinking of ECPA and CFAA — and since this specific case is covered, there probably will be little legislative impact here.

  4. Paul Ohm says:

    In response to both Dan and Eric:

    Here are some “gaps” in the CFAA that may come to light once the case progresses:

    1. 1030(a)(2)(C) is by default merely a misdemeanor. It’s a felony only if there is a criminal or tortious purpose (c)(2)(B)(ii), if the e-mail messages are worth $5000 (c)(2)(B)(iii), or if the messages were obtained with intent to defraud (a)(4). If the perpetrators are found, there will be great pressure to seek a felony indictment, and if one can’t be brought, people will want to change the laws.

    18 USC 2701(a) is another possible avenue for prosecution, but that is merely a six-month misdemeanor, increased to a year with aggravating circumstances.

    2. Had these messages been wiretapped instead of taken from storage, then Gawker and Wikileaks might’ve faced felony charges for downstream use and distribution with knowledge that they had been illegally obtained. 18 USC 2511(1)(c) and (1)(d). (As Orin points out, they would have had a pretty good First Amendment defense under Bartnicki v. Vopper). I can see people calling for this kind of third-party, downstream liability in 1030 as well.

    3. If they don’t find the perpetrators, expect some creative thinking about the “problem” of untraceable IP addresses. As Eric puts it, this might end up being anti-privacy dressed up as privacy.

    4. In order to bring a civil suit against the breachers, Palin needs to show $5000 worth of loss. 1030(g). I can see people calling for the abolition of that requirement.

    5. Congress might clamor for more robust passwords/ID systems on webmail.

    Maybe none of this adds up to the “blockbuster” I predicted in the post. I concede that. But I still think new legislation will be proposed. And, I expect people more creative than I will be trying to point out all sorts of other “gaps” in the law that need to be shored up.

  5. Scote says:

    “Palin tried to exercise her executive privilege and circumvent proper archiving techniques by using a private email account. In doing so she took a huge stupid risk. We have intelligence officials and IT security on government payroll for a reason. It’s so that your Yahoo account with password “hockeymom08″ or whatever doesn’t get hacked.”

    ————-

    Quite. A law (one with teeth) that prevents government officials from circumventing possible subpeopna’s and proper archiving should be a priority.

  6. otis says:

    “The most scrutinized woman in the country has dozens of her private correspondences pasted all over the blogs.”

    If only it were private conversations! The reason this account was targeted is because she hid her official communications in a “private” email account to avoid public scrutiny. Nice ironic twist if you ask me. Scote is right in that if any new legislation is spawned by this incident, it should require government officials to use government email accounts for government business.

  7. Goose&Gander says:

    I don’t think Sarah Palin would go back on her free market principles to endorse such invasive government regulation. There’s always a market solution for these problems…Yahoo will get less email business and that’ll teach them a lesson.

  8. eck says:

    18 USC 2701(a) is another possible avenue for prosecution, but that is merely a six-month misdemeanor, increased to a year with aggravating circumstances.

    Paul, I think you’re forgetting that the penalties were presciently revised in 2002. First offenses are 1-year misdemeanors, increased to a maximum of 5 years with aggravating circumstances.

  9. If we go over and read the emails, are we complicit somehow? I would think that if we knew that someone stole her television, we would be dirtying our hands by going and watching her television.

  10. Gene Koo says:

    One of the most interesting angles to this is going to be the degree to which Yahoo!, Google, et.al. are going to be on the hook from now on to maintain the strictest-of-breed email retention policies — and how that will butt up against the need for privacy. I suspect we shall never be able to fully expunge our email histories…

  11. Paul:

    You say “Even if nothing is found in these messages which damages her or the campaign, and whether or not the perpetrators are caught…”

    I actually think both those factors will matter a lot.

    If they don’t catch anyone you could be right, especially about authentication, but if they do get a prosecution then Dan is probably right that existing law will do a passable enough job to blunt political momentum.

    And if these messages do cause her political damage, then all privacy issues will be swamped by partisan calculations — Dems wanting to draw more attention to them and Republicans less. Only because Judge Bork’s video rentals were entirely benign could they spur the VPPA. Even though the overall hearings were divisive, everyone could put aside their differences to agree that his privacy had been invaded. If instead the rentals had somehow become an issue in his nomination fight, I bet that consensus could never have emerged.

  12. “Even though the overall hearings were divisive, everyone could put aside their differences to agree that his privacy had been invaded.”

    you mean, up until the Thomas nomination…

  13. Anon says:

    from glenn greenwald:

    “The same political faction which today is [hysteric over] over the sanctity of Sarah Palin’s privacy are the same ones who scoffed with indifference as it was revealed during the Bush era that the FBI systematically abused its Patriot Act powers to gather and store private information on thousands of innocent Americans; that Homeland Security officials illegally infiltrated and monitored peaceful, law-abiding left-wing groups devoted to peace activism, civil liberties and other political agendas disliked by the state; and that the telephone calls of journalists and lawyers have been illegally and repeatedly monitored.”

  14. Brian says:

    Largely lost in all of the accusations is the definition of “state business”:

    “…policy, procedures, regulation; contracts;

    grievance procedures; medical information; hearings; case and/or project files subject/correspondence files; substantive correspondence and memoranda; substantive subject files (strategic planning, reorganization, pay plans, legislative sessions, etc); minutes; administrative rules; records of births, deaths certificates; corporate charters; critical environmental data and reports; specific project, subject or case files; hearing transcripts, court decisions, board rulings, etc.”

    Obviously smarter minds than mine are going to make a ruling on this. Two people can look at the same email and one will think “intent to circumvent” and the other will think “trying to clarify”.

    I’m just disappointed about Obama’s silence in this. His inaction is downplaying the seriousness of hacking a candidate’s private e-mail accounts, and he should realize that he’s lowering the bar on what’s acceptable behavior in campaign tactics and public discourse.

    If you think it’s OK to lower your ethical bar to the behavior of the worst miscreant who says he agrees with your opponent, you might as well just do whatever you want to and skip the middle man. It’s a good bet that in a country of 300 million people, there’s someone in the half you don’t belong to who’s doing whatever you’ll come up with. Such is the beauty of message boards.