The Fourth Amendment, Email Headers, and IP Addresses

computer2b.jpgIs there a reasonable expectation of privacy in email headers and IP addresses under the Fourth Amendment? No, sayeth the 9th Circuit in US v. Forrester:

The Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), that the use of a pen register (a device that records numbers dialed from a phone line) does not constitute a search for Fourth Amendment purposes. According to the Court, people do not have a subjective expectation of privacy in numbers that they dial because they “realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed .” . . . . Therefore the use of a pen register is not a Fourth Amendment search. Importantly, the Court distinguished pen registers from more intrusive surveillance techniques on the ground that “pen registers do not acquire the contents of communications” but rather obtain only the addressing information associated with phone calls. . . .

Neither this nor any other circuit has spoken to the constitutionality of computer surveillance techniques that reveal the to/from addresses of e-mail messages, the IP addresses of websites visited and the total amount of data transmitted to or from an account. We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.”

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person’s e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.

I’ve written extensively about the problematic application of Smith v. Maryland to email headers and especially IP addresses. I believe that Smith was wrongly decided, but the 9th Circuit was nevertheless bound to follow it. Accordingly, its holding that there is no reasonable expectation of privacy in email headers seems to fall within the holding of Smith. However, IP addresses present a different case. The holding in the Smith case turned on two rationales: (1) exposure of information to third parties (phone companies) eliminated one’s expectation of privacy; (2) the information was not sensitive since it didn’t involve the content of the communications. This second rationale is important, since it is an attempt to keep Smith logically consistent with Katz v. United States, 389 U.S. 347 (1967), where the Supreme Court held that a reasonable expectation of privacy exists in the contents of phone conversations. However, the contents of phone conversations, similar to the phone numbers dialed (pen register), are also accessible to the phone company. Thus, the first rationale (third party doctrine) would be inconsistent with Katz without the aid of the second rationale.

Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.

The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content. But with IP addresses, the distinction doesn’t work. In Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I wrote:

When applied to IP addresses and URLs, the envelope/content distinction becomes even more fuzzy. An IP address is a unique number that is assigned to each computer connected to the Internet. Each website, therefore, has an IP address. On the surface, a list of IP addresses is simply a list of numbers; but it is actually much more. With a complete listing of IP addresses, the government can learn quite a lot about a person because it can trace how that person surfs the Internet. The government can learn the names of stores at which a person shops, the political organizations a person finds interesting, a person’s sexual fetishes and fantasies, her health concerns, and so on.

[Therefore,] the content/envelope distinction is not always clear. In many circumstances, to adapt Marshall McLuhan, the “envelope” is the “content.” Envelope information can reveal a lot about a person’s private activities, sometimes as much (and even more) than can content information.

Over at the VC, Orin Kerr points to an interesting ambiguity in the court’s decision. According to the court, the government used “a pen register analogue on [the defendant]’s computer.” Orin writes:

Consider two possibilities. The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. If so, the analogy to Smith v. Maryland is really clear, and the result in Forrester is clearly correct. The second possibility is that the Court meant what it said literally: the government installed a pen register analogue “on [the defendant’s] computer,” which seems to suggest some kind of surveillance device actually inside the person’s machine. If that’s right, I tend to think this is a different case. At that point the facts become a lot more like United States v. Karo, the locating device case, where the use of a surveillance device inside the home was held to be a search.

In Dahlia v. US, 441 U.S. 238 (1979), the U.S. Supreme Court concluded that a wiretap order was sufficient to justify a covert entry to install electronic bugging devices into a person’s home. However, the wiretap order involved in Dahlia was under the Wiretap Act and required even stronger standards than typical Fourth Amendment warrants. The pen register order in Forrester involved a much lower standard, one far below the requirements of a Fourth Amendment search warrant.

Nothing in the court’s opinion suggests that the law enforcement officials actually entered into the defendant’s house. But isn’t installing the the “pen register analogue” into the defendant’s computer via electronic means (perhaps as a virus, etc.) the digital equivalent of a trespass into the home?

I also wonder whether the Forrester case is consistent with the Supreme Court’s holding in Kyllo v. US, 533 U.S. 27 (2001). In Kyllo, the Court held that the use of a thermal sensor to detect heat patterns inside a home constituted a Fourth Amendment violation despite the fact that it measured heat emanations coming from the home and was positioned outside the home. The Court held that although there was no physical trespass, the Fourth Amendment was violated:

Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a “search” and is presumptively unreasonable without a warrant. . . .

Moreover, the Court in Kyllo noted that it didn’t matter how sensitive and private the information involved was:

The Government also contends that the thermal imaging was constitutional because it did not “detect private activities occurring in private areas.” . . . The Fourth Amendment’s protection of the home has never been tied to measurement of the quality or quantity of information obtained.

Why wouldn’t the pen register analogue used in Forrester be a device to explore the defendant’s conduct inside his home? Of course, to apply Kyllo here would also raise doubts about Smith v. Maryland, where the pen register device also captured activities within the home. These difficulties in the Court’s opinions are but further evidence that Smith v. Maryland was wrongly decided. It is inconsistent with so much of Fourth Amendment doctrine, and it leads to tortured attempts to make meaningless distinctions to keep the entire inconsistent doctrinal mess from falling apart.

You may also like...

10 Responses

  1. Orin Kerr says:


    Your theory wouldn’t just raise doubts about Smith v. Maryland; it would require the Supreme Court to overrule it.

    I gather you would also want the Supreme Court to overrule Hoffa, White, Miller, and Couch in addition to Smith v. Maryland? Or just Smith?

    Also, I strongly take issue with your theory that Smith v. Maryland is inconsistent with the rest of Fourth Amendment law. It’s very consistent in result, even though Justice Blackmun’s opinion for the court was terrible. The most obvious rationale is that the phone company was a party to the communication in which Smith sent the mumbers dialed; a party to the communication can consent to monitoring.

  2. Orin,

    Smith v. MD is not consistent with the misplaced trust cases (such as Hoffa). Smith pretends to flow logically from the misplaced trust cases, but it doesn’t. The misplaced trust cases (aka, the assumption of risk cases) hold that when one places trust in another and that person voluntarily betrays one’s trust, there’s no Fourth Amendment violation. Smith v. MD and the third party doctrine cases skip the voluntary betrayal step — they assume that when one places trust in another, one automatically loses any reasonable expectation of privacy. But there’s no betrayal of trust in Smith v. MD or US v. Miller or the other third party doctrine cases — the government is forcing the third parties to betray trust. That’s a big step beyond the misplaced trust cases.

    I believe that the third party doctrine cases ought to be overruled. One of the most reasonable assumptions is that a company will honor its contracts (and confidentiality is often an express or implied term in phone service contracts and especially in one’s dealings with one’s bank or financial institution). Moreover, it is tortious for a bank to breach confidentiality. It is thus reasonable for a person to assume that the bank or phone company will not breach trust unless the entity explicitly reserves the right to do so in its policies. Then, I could see a better analogy to the misplaced trust cases if the entity voluntarily decided to provide the government with the information. Otherwise, I find the logic of the third party doctrine cases to be deeply flawed.

    The best test case, in my opinion, is one that would seek to apply the third party doctrine to one’s doctor. Would the Court really conclude that because a person has disclosed sensitive medical information to her doctor that she no longer has an expectation of privacy in that information? I doubt that the Court would go that far, as such a conclusion would strike many as ludicrous, but the logic of the third party doctrine cases would support that result.

  3. Orin Kerr says:


    I wonder, though, why you object to the party-to-the-communication analogy. It seems quite plausible to understand Smith v. Maryland as simply holding that a party to the communication can consent to monitoring: If A talks to B, B can consent for the government to come in and intercept that communication sent by A.

    Isn’t that all that a pen register does in the case of monitoring by the telephone company? The caller is sending a communication to the phone company asking the company to connect the call to a particular number; the phone company is a recipient of that call, so the phone company can let the government record the information or do it for the government.

  4. Orin — But the phone company isn’t voluntarily providing the government with the information — the third party doctrine cases allow the government to subpoena the information or otherwise force the phone company to comply.

    If I talk with you on the phone, that doesn’t eliminate my expectation of privacy even though I’ve exposed the information to you and you’re a party to the conversation. Now, suppose you voluntarily allow the government in to eavesdrop — this is misplaced trust. But if neither you nor I let the government in, our call is protected. Likewise for the phone company or bank — if it doesn’t voluntarily let the government in, I don’t see how you lose a reasonable expectation of privacy.

  5. Orin Kerr says:


    First, I’m not sure that’s right as applied to Smith v. Maryland itself. Didn’t the phone company agree to install the pen register at the govermment’s request? That’s my off the cuff recollection, at least.

    More broadly, I think you’re missing that you do lose your reasonable expectation of privacy in your phone calls at the end point. This is easiest to see in the case of a letter: If I send you a letter, I have a reasonable expectation of privacy in the letter while it is in transit but not after it arrives. After the information arrives at the destination, my reasonable expectation of privacy is extinguished. The government can subpoena the letter from you after it arrives without implicating my rights at all.

    Can you analogize pen register information to the contents of a letter after the letter has been received? It still leaves open the question of how the government can order a provider to install a device prospectively, but I’ve often thought that this is a broader problem with the pen register statute.

    (This actually gets to some really interesting unresolved issues about what the actual theory is behind Smith, I think.)

  6. Your letter analogy also flows from the faulty rationale of the third party doctrine. I believe that for the purposes of expectations of privacy, there should be no difference between whether the letter is in transit or not. Why should this distinction matter? [We’re talking normatively here, of course, as my claim is that the Court’s doctrine is a logical mess, and the transit/non-transit distinction is just another example of the mess.]

    Suppose we have a conversation on the phone. The government wants to find out what we spoke about. It can do so by intercepting the conversation in transit (wiretapping, protected by the Fourth Amendment). Or it could subponea you to testify (not protected). I’ve long believed that the distinction between real-time interception and obtaining a communication after the fact is one that doesn’t seem logical to me.

    Suppose that when people spoke on the phone, the contents of the communication happened to be retained by the phone company. Imagine that the telephone technology was akin to email technology or Internet communications technology where a copy of communications is stored after transit. Would this eliminate an expectation of privacy because of post-transit storage?

    I think that the purpose of protecting against wiretapping is not because there’s something uniquely pernicious about surveillance of communications in transit. The purpose, in my opinion, is to protect the communications.

    In other words, the transit/storage distinction makes little sense to me.

    Regarding Smith, I can’t recall whether the phone company voluntarily complied or was compelled. But as I understand the reasoning of the third party doctrine cases, such as Miller, if the third party does not voluntarily comply, the government can force it to do so with a court order or subpoena. The third party doctrine cases say that you don’t have a reasonable expectation of privacy because the third party has the information and could conceivably voluntarily betray your trust. But in cases where the government can force disclosure of the information even where a third party doesn’t want to breach trust, I can’t understand why you lose an expectation of privacy.

    Let’s look at Karo, the beeper case in the home. Suppose that the police tried an end-run around Karo. As I recall Karo, the police installed a beeper into a can of ether that the defendant took into his home. The police then tracked his movements inside his home. The Court said that there was no problem with the police giving the defendant the can of ether, but that they violated his reasonable expectation of privacy by tracking his movements inside his home. Here’s a direct quote: “We conclude that no Fourth Amendment interest of Karo or of any other respondent was infringed by the installation of the beeper. Rather, any impairment of their privacy interests that may have occurred was occasioned by the monitoring of the beeper.”

    Now suppose that instead of tracking his movements in real-time with the beeper, the police used a beeper device tracked by a beeper company that kept records about the person’s movements. The police then subpoenaed the records. This would be an end-run around Karo.

    The problem is that there are increasingly ways that information can be captured not only in transit but after-the-fact via subpoenas to third parties.

  7. Orin Kerr says:

    Dan, you’ve touched on a great question that I’ve been thinking a lot about, actually. I tend to think there’s actually a pretty good reason why the reasonable expectation of privacy should end when the letter arrives at its destination: A contrary rule would create tremendous uncertainty as to whether the government needs a warrant before the government came across writing or speech.

    Imagine I send you a private letter confessing that I committed a terrible crime. You take the letter, read it, and (without telling me) decide to post it on your blog. Does the government need a warrant to read the blog? It would be nutty if the answer would be yes. But if I retain a reasonable expectation of privacy in the letter after it has been received, why should it end just because you decide to post the letter on my blog? I have no control over what you do, and don’t know what you’re doing. So if I have a reasonable expectation of privacy after I have relinquished control over the letter, it’s hard to know what if anything could extinguish that.

    More broadly, most information has been whispered down the lane dozens or even hundreds of times; you can always trace it back to some original source, and it may be that in that original source the sender had an REP in it. If that REP isn’t distinguished at some point along the line, the Fourth Amendment quickly starts to look incredibly weird: the government would need to know about the entire history of all communications they are uncovering before they uncover it to know if some one in its past had a reasonable expectation of privacy in the letter. But normally they wouldn’t know anything about the communication until accessing it, creating a difficult Catch-22.

    That’s the wisdom of the third-party doctrine, I think: It cuts off rights downstream when someone has relinquished their rights to enable a system of clear ex ante rules as to when a reasonable expectation of privacy exists.

  8. Orin,

    You write: “Imagine I send you a private letter confessing that I committed a terrible crime. You take the letter, read it, and (without telling me) decide to post it on your blog. Does the government need a warrant to read the blog? It would be nutty if the answer would be yes. But if I retain a reasonable expectation of privacy in the letter after it has been received, why should it end just because you decide to post the letter on my blog?

    This is misplaced trust. The doctrine of misplaced trust views us all as assuming some risk that others will betray us. In your hypo, one party to a communication has betrayed trust, and the government is the lucky beneficiary. There’s no reasonable expectation that the party will not betray you, and your expectation of privacy disappears after the party has posted the letter.

    But suppose I give you a document in confidence and make you sign a confidentiality agreement that prohibits you from disclosing the document. Now, if I’m protected by the law of contracts, isn’t it reasonable for me to assume that you’ll keep the document confidential? Would you say that in this case, there’s no reasonable expectation of privacy?

    Suppose you lock your diary in a safe deposit box at a bank. Should the government simply be able to subpoena the key from the bank?

    The third party doctrine cases assume that you lose privacy after you expose information to third parties, so in the safe deposit box one might argue that the diary itself wasn’t communicated or exposed to the bank. But why isn’t this like the letter you sent to another?

    And here’s one final ironic example of the silliness of the transit/non-transit distinction: I send you a letter. To do so, I give the letter to the government (via the post office) and the government delivers it to you. While the letter is in transit and in the government’s possession, the government needs a warrant to obtain its contents. But the second the postal worker delivers the letter to you, the FBI agent can be standing there at the door with a subpoena to obtain the letter. The irony — the government can’t use the subpoena to get the letter while it is in the government’s possession but suddenly can do so when it is in your possession. Does this make any sense?

  9. nedu says:

    The envelope/content distinction works fairly well with email — the headers (which contain the to/from line) are the digital equivalent of envelopes; the text of the email itself is the content.

    This is simplistic to the point of being misleadingly wrong.

    If you are sending email from your home to your workplace over your workplace “virtual private network” (VPN), then from the standpoint of the ISP which provides your residential connection, it is all “content”. And it all should be considered private.

    When someone breaks into someone else’s computer or network to obtain information, without authorization, or exceeding authorization, then they’ve crossed a line. They may be government agents, but absent consent or a warrant, they’re acting like black hats.

    A judge’s idiotic opinion doesn’t make it right.

    Failure to adequately distinguish layers and protocols makes the Ninth Circuit’s opinion ludicrous.

  10. nedu says:

    For the record, the government’s account of the installation of the “pen register” differs from the Ninth Circuit’s account.

    In a November 26, 2002 filing, the government explains on p.11 (p.12 in PDF) that the pen register trap/trace device was authorized for defendant “Alba’s Internet Protocol ‘IP’ address (designated in the wiretap pleadings as the ‘Target Acount’).”

    The pen register trap/trace intercept was accomplished through the use of a “mirror port.”

    But this is impossible to square with the Ninth Circuit’s description on p.8075 (p.5 in PDF) of their opinion:

    The surveillance began in May 2001 after the government applied for and received court permission to install a pen register analogue on Alba’s computer.

    Installing a device on equipment owned by the defendant’s internet service provider (ISP) is quite distinguishable from installing a device on the defendant’s computer. And, rightly or wrongly, the Ninth Circuit found, and based it’s decison on, the latter set of facts.

    If this were a question of qualified immunity for the conduct of the government’s agents, then we’d have to look at the facts in a different light. But to evaluate the Ninth Circuit’s reasoning, we need only look at the Ninth Circuit’s statement of how they saw the facts.

    Based on the Ninth Circuit’s description of the facts, their opinion is unreasonable and contrary to the Constitution.