Share Button

The Cyber Intelligence Sharing and Protection Act (“CISPA”) passed the House on Friday. Let’s assume that the Senate gets its act together and the President’s veto threat is as toothless as his 2011 NDAA threat. Would CISPA survive constitutional review? Specifically, would CISPA violate the Fourth Amendment?

Background of the Fourth Amendment, the Stored Communications Act, and Your Right to Do Naughty Things With Your Papers in Private

The prototypical Fourth Amendment protection is in the context of government-ordered searches and seizures. For example, when the police raid your house looking for drugs, they must have probable cause (typically expressed in a written warrant, signed by a judge).

Did you know that by some estimates over 40,000 wrongful drug raids occur per year?   -Image courtesy of the West Midlands Police.

Did you know that by some estimates over 40,000 wrongful drug raids occur per year?
-Image courtesy of the West Midlands Police-

However, the Fourth Amendment has also been held to protect other stuff than simply having your house invaded, including information (particularly communications) subject to a “reasonable expectation of privacy.”

What exactly is “reasonable”? Nobody knows, so we ask a bunch of lawyers.

In general, if you don’t want the government to get your information, it’s best to stay at home, only communicate via telephone from your home non-cellular phone, and send only letters through the Post Office (assuming the USPS still exists at the time of writing this article). If you must go outside to communicate, its best to do so in person, or in a telephone booth with the door closed.

Courts have refused to weigh in the nature of phone calls conducted in a space-time vehicle.

Courts have refused to weigh in on the nature of phone calls conducted in a space-time vehicle. -Image courtesy of Tama Leaver-

If you want to use the internet for sensitive conversations, you should ideally own your own ISP, and communicate exclusively with yourself. If you find yourself wishing to divulge information to individuals other than your own alter-egos, it is much more difficult to keep this secret and to prevent it from being used at your trial.

This is because a bunch of lawyers (judges) have gradually come to the conclusion that, notwithstanding the Fourth Amendment, when you give your data or information to a third party, the government can sink its juicy teeth into it, because hey, if you let your buddy Big_Bank and its employees read it, why shouldn’t the government be able to get a copy too? This is called the “third-party records doctrine.”

The safest conversation is with yourself.

The safest conversation is with yourself. -Image courtesy of Clearly Ambiguous

In the case of your Google searches, for example, you have literally told Google’s servers (and the people who have access to those servers) about your desire, e.g.,  to purchase dungeon implements, erotic swings, and the communist manifesto. Therefore the traditional third-party doctrine might find that you simply didn’t have a reasonable expectation of privacy for these searches, and the government might be able to compel Google to turn over this data without a warrant (or they might voluntarily share it).



Now, Congress (other lawyers) has passed some laws with respect to email and certain other electronic communications.

Specifically, the Stored Communications Act (“SCA”) requires that the government have a warrant to obtain unopened emails less than 180 days old. Separately, the government is permitted to obtain opened emails and unopened emails older than 180 days with only a subpoena. The SCA also generally prohibits any disclosure of an internet subscriber’s personal information and communications to non-governmental third parties.

Complicating the matter , though, is caselaw. At least one circuit court of appeals has found that that just because a third party ISP has direct access to, or control over, your personal communications as an intermediary (AOL for example), it does not automatically mean government officials can demand such communications with only a subpoena even if authorized to do so by the Stored Communications Act. In United States v. Warshak, the Sixth Circuit found that “[g]iven the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection.”

Thus, in Warshak, the 6th Circuit found that a subpoena was insufficient under the 4th Amendment to overcome the internet subscriber’s Fourth Amendment reasonable expectation of privacy, even if such access was authorized under the Stored Communications Act. So Warshak says that if the government requests your emails, they need to have a warrant. However, this decision, while influential, only applied to the 6th Circuit (Lucky you Kentucky, Ohio, Michigan, and Tennessee).


Warshak does not explicitly address, though, whether Google might, totally voluntarily, search all of your email for specific threatening words, and turn over these emails to the government—just to be “helpful.” The court says only that “[t]he government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause.” Lucky for us, typically Google requires a warrant before it will turn over your emails.

Turn the page for CISPA!

Share Button
Print Friendly

2 Readers Commented

Join discussion
  1. Tom on 04/24/2013

    Interesting analysis – I’ve reached some similar conclusions. In the 4th amendment context there is concept called “agency” which means that the police cannot rely on a voluntary private entity as an end run around warrant requirements. Unfortunately it is not clear to what extend agency is prohibited in the context of statutory warrant requirements. It is clearly a risk with CISPA.

  2. lawdooder on 04/24/2013

    Thanks for the link, its helpful to see some of the other laws that are relevant, as well as this idea that third parties can’t be merely agents for law enforcement – I will have to brush up on this rule. I’m sort of divided on CISPA – its clear we want to be able to permit companies to make criminal reports about attacks on themselves (or their clients), and to be able to provide sufficient information for the government to respond. I guess the worry is that privacy laws currently prohibit adequate sharing?

    I wish the law was clearer, and that there was more specificity about what it was targeting when it says “Cyber Security Information” and “Cyber Security Purposes.”