EINSTEIN and the Fourth Amendment

Overview
There is no doubt that EINSTEIN’s monitoring of all communications coming to and from federal agency computers poses significant privacy implications—a concern acknowledged by DHS, interest groups, academia, and the general public.110 This program affects not only federal employees, but also any private citizen who communicates with them. DHS has developed a set of procedures to address these concerns, such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, growth of this Internet monitoring program may trigger privacy interests protected under the Fourth Amendment . The Fourth Amendment provides in relevant part: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated....”111 The principal purpose of the Fourth Amendment is to protect the privacy of individuals against invasion from government officials.112 Not all government acts, however, trigger Fourth Amendment protections. For the Fourth Amendment to apply, a court must first inquire whether the governmental act constitutes a search or seizure in the constitutional sense.113 To determine if a search has occurred, a court will ask whether the individual had an actual expectation of privacy that society would deem reasonable.114 If yes, the court will then ask if the search was reasonable—the core Fourth Amendment requirement.115 Except in well-defined instances, a search is not reasonable unless the government obtains a warrant based upon probable cause.116 There are, however, exceptions to this rule such as special needs and consent that will be explored below.

There seems to be a consensus in federal courts that Internet users are not entitled to privacy in the non-content, routing information of their Internet communications.117 In United States v. Forrester, the government obtained court permission to install a device similar to a pen register to record the to/from addresses of the defendant’s emails, the IP addresses of the sites he visited, and the total volume of data sent to and from his account.118 The Ninth Circuit Court of Appeals held that these surveillance techniques were indistinguishable from the pen register upheld by the Supreme Court in Smith v. Maryland.119 Internet users should be aware, the panel reasoned, that this routing information is provided to the Internet service provider for the purpose of directing the information.120

On the other hand, the cases generally demonstrate that an individual has a legitimate expectation of privacy in the content of a communication. In United States v. Warshak, the Ninth Circuit ruled that a “subscriber enjoys a reasonable expectation of privacy in the contents of emails that are stored with, or sent or received through, a commercial ISP.”121 In an earlier case, the Second Circuit opined that Internet users have an expectation of privacy in the content of the e-mail while in transmission.122 Although the Supreme Court declined to resolve this issue in City of Ontario v. Quon, deciding the case on other grounds, it opined in dicta that “cell phones and text message communications are so pervasive that some persons may consider them to be an essential means or necessary instruments for self-expression, even self-identification. That might strengthen the case for an expectation of privacy.”123

This content/non-content distinction is as old as Fourth Amendment case law.124 In the late nineteenth century, the Court explained in Ex parte Jackson that the outside of a mailed letter—its “outward form and weight”—was not entitled constitutional protection.125 However, the government must obtain a warrant before examining the contents of a letter or sealed package.126 The Court protected the inside contents of the letter, but held that the outside, non-content material was not entitled to (in modern parlance) a reasonable expectation of privacy. This same rule was carried over to the telephone context.127 In Katz v. United States, the Court held that the contents of Katz’s conversation—the actual words spoken—were protected under the Fourth Amendment.128 A decade later the Court completed the other side of the doctrine in Smith v. Maryland, and held that a person has no expectation of privacy in the non-content, routing information of the telephone call—the numbers dialed.129

EINSTEIN 2 not only collects the routing, non-content portions of communications, such as e- mail header information, but also scans and collects the content of the communications, such as the body of e-mails.130 Based on the reasoning of the Internet content cases, individuals most likely have a reasonable expectation of privacy in those electronic communications.131 The EINSTEIN program requires a Fourth Amendment inquiry into two discrete classes of individuals: (1) federal agency employees who access federal networks while at work; and (2) private persons who either contact a federal agency directly or who communicate via the Internet with a federal employee.132 The Fourth Amendment rights of the former primarily rest on cases dealing with privacy in the workplace and consent, while the latter requires a broader look at privacy and electronic communications.

Monitoring communications from federal employees
As work and personal lives can become enmeshed, many employees are accessing not only work e-mail while on the clock, but also personal e-mails. EINSTEIN monitors not only federal executive agency employees’ work e-mails or other official Internet activity, but also any information accessed on a federal agency computer including personal e-mails accessed from sites such as Gmail or Hotmail, or other Internet communications such as Facebook and Twitter. This poses several Fourth Amendment issues.

In City of Ontario v. Quon, the Supreme Court upheld under the Fourth Amendment the city’s search of text messages sent on a city-issued pager by a police officer employed by that city.133 Before issuing the pagers, the city had announced a usage policy that informed the officers that the city reserved the right to monitor the use of the pager including e-mail and Internet use, with or without notice to the employee.134 The Court assumed without deciding that the employee had a reasonable expectation of privacy in the sent text messages, that the review of text messages constituted a search, and that the same rules that apply to a search of an employee’s office apply equally to an intrusion into his electronic communications.135 Further, the Court declined to decide which Fourth Amendment employment-based test from O’Connor v. Ortega applied—the plurality’s “operational realities” test that looked at the specific facts of the employment situation on a case-by-case basis, or Justice Scalia’s private employment equivalence test—because the Court decided the case on narrower grounds.136

The Court instead relied on the special needs exception to the warrant requirement, which holds that in certain limited instances a government employer need not get a warrant to conduct a search. When a government employer conducts a warrantless search for a “non-investigatory, work-related purpose,” it does not violate the warrant requirement if it is “justified at its inception and if the measures are reasonably related to the objective of the search and not excessively intrusive in light of the circumstances giving rise to the search.”137 In the Court’s judgment, the city had a “legitimate work-related rationale,” and the scope of the search was reasonable and not “excessively intrusive.”138

Like the city communication policy in Quon, as a condition of enrolling in EINSTEIN 2, each federal agency is required to enter into an agreement with DHS that certifies that certain log-on banners or computer user agreements are used to ensure employees are aware of and consent to the monitoring, interception, and search of their communications on federal systems.139 Applying the “operational realities” test from O’Connor, the Department of Justice’s Office of Legal Counsel posits that use of the log-on banners on all federal computers will eliminate any expectation of privacy in communications transmitted over those systems.140 Professor Orin Kerr takes a different approach, treating the terms of service of an Internet service contract—the equivalent to a log-on banner—as consent rather than an outright elimination of a reasonable expectation of privacy.141 Under either approach, the conclusion reached is likely the same—the monitoring is in all likelihood reasonable.142 However, Quon was limited to searches for a “noninvestigatory work-related purpose.”143 If EINSTEIN could be construed as overreaching this permissible purpose, say, by scanning e-mails for unlawful activity instead of simply malicious computer activity, a court may find its scope beyond Quon’s holding. Further, Quon insisted that these work-related investigations not be “excessively intrusive.”144 A reasonable argument could be made that monitoring the content of every employee communication is excessively intrusive. Additional questions remain. For instance, what is the scope of a non- investigatory, work-related purpose? Does scanning for malicious activity qualify as a work- related purpose? Does United States v. Jones’s physical intrusion test apply here where the employee’s electronic papers and effects are being scanned?145 Because no court has confronted a program like EINSTEIN, answers to these questions are unclear.

Monitoring communications from private persons to federal employees
EINSTEIN not only monitors the computer activity of federal agency employees, but also any communications sent by a private person to a federal employee on his governmental e-mail or personal e-mail. One may argue that these concerns are more serious than in the employment context, on the theory that there is neither a presumption that an individual’s privacy rights are diminished nor has the private actor consented to monitoring by clicking on a log-on banner or user agreement that would inform him of the privacy implications of his communication.

Some would argue that the third-party doctrine permits EINSTEIN’s monitoring of private parties.146 Traditionally, there has been no Fourth Amendment protection for information voluntarily conveyed to a third-party.147 This doctrine dates back to the “secret agent” cases, in which any words uttered to another person, including a government agent or informant, were not covered by the Fourth Amendment.148 Because federal employees have agreed to permit governmental monitoring of their communications, the Office of Legal Counsel (OLC) argues they are permitting ex ante surveillance of all their communications, including those from private persons to the federal employee’s personal e-mail.149

However, the third-party cases have traditionally applied only to non-content information. In Smith v. Maryland, the Court noted that pen registers only disclose the telephone numbers dialed: “[n]either the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.”150 The case rested on the devices “limited capabilities.”151 The Ninth Circuit borrowed this reasoning in Forrester, where the panel distinguished “mere addressing” in an e-mail such as the to/from line, from “more content-rich information” such as the text in the body of an e-mail.152 And as noted in United States v. Warshak, people still should expect privacy in the content of their telephone calls despite the ability of an operator to listen.153 Further, the Supreme Court has noted that “the broad and unsuspected governmental incursions into conversational privacy which electronic surveillance entails necessitate the application of Fourth Amendment safeguards.”154 These cases severely diminish the argument that the third-doctrine permits absolute access to private communications. Instead, it could be reasonable to conclude from these cases that the third-party doctrine would permit access to the routing information of Internet communications, but might not go so far as to allow monitoring of the content of those communications.

Additionally, the OLC contends that under the “secret agent” cases the government can monitor private communications even if the sender is unaware that the recipient is a federal employee or did not anticipate that the communication would be opened on a federal computer.155 The “secret agent” cases generally hold that “when a person communicates to third-party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities.”156 Because these cases do not limit the instances this rule can be applied, it seems reasonable that they can be applied to EINSTEIN.

Alternative to traditional warrant requirement
Assuming both federal employees and those communicating with them have a reasonable expectation of privacy in the contents of their communications, EINSTEIN must be tested under the general reasonableness requirement of the Fourth Amendment. A search is generally unreasonable without a warrant or some individualized suspicion.157 However, under the “special needs exception” cases, the Court has held that when there are special governmental needs, beyond normal law enforcement, the government may need neither a warrant nor any level of individualized suspicion.158 To determine whether the special needs exception applies, the Court balances the individual’s privacy expectations against the governmental interest at stake.159 This rule has been used to support certain police searches at checkpoints such as sobriety roadblocks,160 border searches,161 and checkpoints looking for a witness to a crime.162 However, the Court did not permit a drug interdiction checkpoint when the “primary purpose was to detect evidence of ordinary criminal wrongdoing.”163

Here, an argument could be made that the nature of cybersecurity and the impracticability of obtaining a warrant might justify application of the special needs doctrine to the EINSTEIN program.164 The ostensible primary purpose of the program’s cybersecurity measures is not for ordinary law enforcement needs, but instead to protect the critical infrastructure of the nation. Moreover, the government will need to act quickly if the program is to be feasible.165 It could also be argued, however, that unless the threat required immediate review, a government agency should obtain a warrant based upon probable cause to review personally identifiable information, or, at a minimum, review the communications in a redacted format that includes only the threat information and no personally identifiable information.166 As one commentator noted, it is nearly impossible to predict what is reasonable without knowing the severity of the cybersecurity threat and the exact measures taken to meet it.167

Privacy and civil liberties oversight
In addition to the Fourth Amendment, there may be other mechanisms for protecting the privacy of Internet users. Indeed, the Constitution is only the floor for privacy protections. In many instances, Congress and state legislatures have created privacy protections beyond what is protected under their respective constitutions. These include statutes such as the Electronic Communications Privacy Act168 and the Privacy Act of 1974.169

As to existing privacy protections, EINSTEIN has several privacy safeguards. For example, federal agencies are required to post notices on their websites that computer security information is being collected.170 The computer programs recording network flow records strip down the information so that minimal content information is exposed.171 Further, only the raw computer network traffic that contains malicious activity is viewed by DHS personnel; any “clean” traffic is promptly deleted from the system.172 Information is only collected when it relates to an actual cyber threat.173 Analysts handling the monitored communications are given privacy training on an annual basis.174 These privacy protections are handled internally within DHS.

Jack Goldsmith, former head of the Office of Legal Counsel, has proposed a system of four oversight mechanisms similar to the Foreign Intelligence Surveillance Court175 to ensure the reasonableness of the searches under EINSTEIN: (1) independent ex ante scrutiny to ensure that the governmental procedures stay within their statutory authority; (2) privacy protections such as minimization procedures, also subject to ex ante judicial review; (3) ex post oversight mechanisms, in which the Attorney General and the Director of National Intelligence report to Congress every six months regarding privacy compliance and the inspectors general from each agency also report to Congress on a yearly basis; and (4) a sunset provision requiring Congress to reapprove the regime four years into operation.176

Others have proposed there be some form of independent oversight beyond DHS’s privacy office.177 Additionally, there are proposals that content of communications not be shared with law enforcement officials or used in any non-cyber crime investigation, unless the data was obtained as part of a legitimate cybersecurity threat.178

Source

 * Cybersecurity: Selected Legal Issues, at 15-23.