What would United States v. Ackerman be, without AOL?
Eight years ago, I wrote that, when it comes to email, the more interesting barrier to its proper usage may be laws that only see companies and individuals, but nothing in between. A case under appeal now in the USA shows that, indeed, this may be the case.
Back in 2010, I wrote that:
All laws or law proposals I know of only deal with scenarios where the individual email user and his/her email provider are two different, independent entities: a clueless customer vs a skilled professional offering the service for profit. The only issues seem to be if and how long an ISP should keep copies of the email of all its customers, and in which cases the police can get them from the ISP.
This month, the Electronic Frontier Foundation (EFF) just filed an amicus brief about another side of the very same problem. EFF says that (emphasis mine):
It’s hard to conceive how an agreement with your email provider to deliver and store your emails could eviscerate your Fourth Amendment rights. But that’s what the district court decided in Ackerman. AOL shut down Ackerman’s email account after its automated anti-child pornography filters were triggered by an image attached to one of his emails. Following federal law, AOL sent the email and attachments to the National Center for Missing and Exploited Children (NCMEC), which searched them, leading to an indictment on child pornography charges. Ackerman pleaded guilty but reserved his right to argue that the evidence used against him shouldn’t have been allowed because it was obtained through searches of his email without a warrant.
EFF argues that (emphasis mine, again):
The district court's reasoning is simply wrong. Under the court's logic, your Fourth Amendment rights rise or fall based on unilateral contracts with your service providers—contracts that almost none of us even read. As we argued in our brief, a company's TOS should not dictate your constitutional rights. Companies draft terms of service to govern how their platforms may be used; these are rules about the relationship between **you and your email provider**, not you and the government.
See? I have no idea who is or should win that particular case. But the basic issues still hanging in its background is exactly the one I mentioned in that post of mine. What I mean is that that whole case is about Terms of Services and policies of email providers, and the relationships and obligatios towards law enforcement. It’s about what email providers can or should do with the messages of their users, and about what law enforcement should do with what email providers find. Because that is what both the Terms of Service and the current laws deal with. But, as I wrote
What would (will!) happen when the ISP and the customer become the same person? Compliance with any data retention policy would become self-certification completely useless in court. Besides, can you yourself be forced to keep copies of email that may put you in troubles? The only real solution to this problem would be to make illegal to be your own email provider period, even if it's easy and cheap to do it and you do have, on paper, some rights to privacy. What do you think?
That was in 2010. Today, the control and surveillance problem created by services like (just to name the biggest two) Gmail and Facebook have become big and known enough to make that question much more urgent than it was in 2010, so I ask it again:
- when it comes to data retention, privacy, communication to law enforcement… what should laws say about individuals being their own providers, of email or any other digital communication service?
- in general: how should law, and law enforcement agencies, innovate and deal with a world where every, every individual has her own, complete personal cloud like this?