First, stop the hating on AOL. Some of us appreciate its retro feel, not to mention the fact that for many years, it was the only game in town. Sure, today it’s frowned upon, a dinosaur, but for those of us who were early adopter, having an original AOL email address (the ones without numbers after the name) was pretty darned cool once.
Frank DiTomasso, however, might have preferred CompuServe. His choice of AOL didn’t work out all that well. Nailed for sending child porn via his AOL account, he learned that AOL monitors email attachments for illicit materials. From United States v. DiTomasso:
DiTomasso has an AOL email account — [email protected] When AOL users send or receive emails that contain attachments, AOL runs two background monitoring systems designed to scan for illicit material, including, but not limited to, child pornography. The programs work by assigning “hash numbers” to image and video files. In essence, hash numbers are unique number-strings that can be used to archive packets of data —“fingerprint[s]” for electronic media.
AOL employs two different hashing programs. The first—the Image Detection and Filtering Process (“IDFP”)—sweeps for one-to-one matches with known child pornography. If an attached file is a one-to-one match, the email is quarantined —i.e., diverted from the recipient’s inbox—and an automatic report is generated and sent to the National Center for Missing and Exploited Children (“NCMEC report”).
DiTomasso sent bad stuff, and AOL caught it. Boom. A motion to suppress was brought before SDNY Judge Shira Scheindlin, challenging the government’s acquisition of the email attachments.
In response, Judge Scheindlin made a remarkable ruling with regard to DiTomasso’s standing under the third-party doctrine:
First, the Fourth Amendment does not protect ill-advised trust. It provides no recourse for “a wrongdoer’s misplaced belief that a person to whom he voluntarily confides his wrongdoing will not reveal it.” By disclosing sensitive information to someone else, one runs the risk that the other person will reveal the information to law enforcement.
Second, “a person has no legitimate expectation of privacy in information that he voluntarily turns over to third parties.” Because this principle, if taken to its logical endpoint, would erode nearly all privacy protections, in Smith v. Maryland the Supreme Court distinguished between (1) the “contents of communication[ ]” and (2) the ancillary information that the act of communication incidentally discloses. Today, this distinction is often described as the difference between data and metadata. While the former retains Fourth Amendment protection even if disclosed to a third party, the latter loses its protection immediately once disclosed.
This is quite an extraordinary explanation, distinguishing data from metadata, and noting that while metadata may not retain protection under Smith v. Maryland, data does, or there would be essentially no privacy left in a digital world. The judge then harkens to Justice Sotomayor’s admonition in Jones for support:
In her concurrence in United States v. Jones, Justice Sonia Sotomayor wrote that in “the digital age,” people tend to “reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” making it “necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” Justice Sotomayor is certainly correct. But even beyond that, the “premise” to which she refers — that “an individual has no expectation of privacy in information voluntarily disclosed to third parties” — is not nearly as strong, in Fourth Amendment jurisprudence, as the government implies.
This reflects strong support for privacy, and rejection of an overarching third-party doctrine that eviscerates privacy as a whole in any content on the internet. So DiTomasso won? Well, not quite.
Rather than the government search his emails, AOL ratted DiTomasso out to the government.
AOL’s policy is quite different. Not only does it explicitly warn users that criminal activity is disallowed, and that AOL monitors for such activity; the policy also explains that “AOL reserves the right to take any action it deems warranted” in response to illegal behavior, including “terminating] accounts and cooperat[ing] with law enforcement.” The policy also makes clear that AOL reserves the right to reveal to law enforcement information about “crimes[s] that [have] been or [are] being committed.”
While some might react with, “how dare AOL become a government toady,” consider that AOL is a private corporation, and as such, is under no obligation to allow its services to be used to facilitate child porn. It might be harder to explain if AOL kept its handling of illicit conduct secret, but it didn’t. It made it quite clear that it wasn’t going to allow its services to be used for this purpose, and that it would do what it wanted, including cooperating with law enforcement, to prevent it.
For this reason, I conclude that a reasonable person familiar with AOL’s policy would understand that by agreeing to the policy, he was consenting not just to monitoring by AOL as an ISP, but also to monitoring by AOL as a government agent. Therefore, DiTomasso’s Fourth Amendment challenge fails as to the emails.
Notably, Judge Scheindlin’s holding refers to “a reasonable person familiar with AOL’s policy.” It’s unclear from the decision whether the defense offered a sophisticated challenge to this critical detail, whether click-through terms of service would support the conclusion that a reasonable person was, in fact, familiar with AOL’s policy. It would appear they did not, and this may be the Achilles heel of the holding.
Two commentaries on the decision raise questions as to its correctness, the first from John Wesley Hall at Fourth Amendment, where he notes:
Who would have imagined that AOL is a rat squad? Terms of service gives away your rights?
But the TOS hardly gives away anyone’s rights. Rather, it informs the user that AOL is a snitch and if you use its service to transmit child porn, it will rat you out. By using AOL to commit the crime, you give your rights away.
And at Techdirt, Mike Masnick has difficulty distinguishing the holdings:
I’m not entirely sure how to reconcile those two paragraphs. They seem to directly contradict one another. The fine line of difference here is that the court is saying the 4th Amendment rights aren’t “waived,” but that DiTomasso effectively “consented” to a search by law enforcement. This seems like a distinction without any real difference.
On the contrary, it’s neither a fine line nor the same issue. Judge Scheindlin holds that privacy rights are not lost by virtue of using the internet because of the third-party doctrine, a huge win for privacy, while they can still be lost by agreeing to the specific TOS of a private entity who fully discloses that it will drop a dime on you if you use its service for bad purposes. There is nothing here to reconcile; they’re entirely different issues.
To the extent DiTomasso is unsatisfying, it relates to the unquestioned assumption that a user is, by definition, sufficiently familiar with the click-through terms of service as to constitute a knowing, voluntary and intelligent waiver of privacy rights. But that issue will be left for another day.
And I’m fearlessly keeping my AOL email address. Because reasons.
H/T Aaron Williamson at Tor Ekland’s joint