AOL, The Snitch

First, stop the hating on AOL.  Some of us appreciate its retro feel, not to mention the fact that for many years, it was the only game in town.  Sure, today it’s frowned upon, a dinosaur, but for those of us who were early adopter, having an original AOL email address (the ones without numbers after the name) was pretty darned cool once.

Frank DiTomasso, however, might have preferred CompuServe.  His choice of AOL didn’t work out all that well.  Nailed for sending child porn via his AOL account, he learned that AOL monitors email attachments for illicit materials. From United States v. DiTomasso:

DiTomasso has an AOL email account — [email protected] When AOL users send or receive emails that contain attachments, AOL runs two background monitoring systems designed to scan for illicit material, including, but not limited to, child pornography. The programs work by assigning “hash numbers” to image and video files. In essence, hash numbers are unique number-strings that can be used to archive packets of data —“fingerprint[s]” for electronic media.

AOL employs two different hashing programs. The first—the Image Detection and Filtering Process (“IDFP”)—sweeps for one-to-one matches with known child pornography. If an attached file is a one-to-one match, the email is quarantined —i.e., diverted from the recipient’s inbox—and an automatic report is generated and sent to the National Center for Missing and Exploited Children (“NCMEC report”).

DiTomasso sent bad stuff, and AOL caught it. Boom.  A motion to suppress was brought before SDNY Judge Shira Scheindlin, challenging the government’s acquisition of the email attachments.

In response, Judge Scheindlin made a remarkable ruling with regard to DiTomasso’s standing under the third-party doctrine:

First, the Fourth Amendment does not protect ill-advised trust. It provides no recourse for “a wrongdoer’s misplaced belief that a person to whom he voluntarily confides his wrongdoing will not reveal it.” By disclosing sensitive information to someone else, one runs the risk that the other person will reveal the information to law enforcement.

Second, “a person has no legitimate expectation of privacy in information that he voluntarily turns over to third parties.” Because this principle, if taken to its logical endpoint, would erode nearly all privacy protections, in Smith v. Maryland the Supreme Court distinguished between (1) the “contents of communication[ ]” and (2) the ancillary information that the act of communication incidentally discloses. Today, this distinction is often described as the difference between data and metadata. While the former retains Fourth Amendment protection even if disclosed to a third party, the latter loses its protection immediately once disclosed.

This is quite an extraordinary explanation, distinguishing data from metadata, and noting that while metadata may not retain protection under Smith v. Maryland, data does, or there would be essentially no privacy left in a digital world.  The judge then harkens to Justice Sotomayor’s admonition in Jones for support:

In her concurrence in United States v. Jones, Justice Sonia Sotomayor wrote that in “the digital age,” people tend to “reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” making it “necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” Justice Sotomayor is certainly correct. But even beyond that, the “premise” to which she refers — that “an individual has no expectation of privacy in information voluntarily disclosed to third parties” — is not nearly as strong, in Fourth Amendment jurisprudence, as the government implies.

This reflects strong support for privacy, and rejection of an overarching third-party doctrine that eviscerates privacy as a whole in any content on the internet.  So DiTomasso won? Well, not quite.

Rather than the government search his emails, AOL ratted DiTomasso out to the government.

AOL’s policy is quite different. Not only does it explicitly warn users that criminal activity is disallowed, and that AOL monitors for such activity; the policy also explains that “AOL reserves the right to take any action it deems warranted” in response to illegal behavior, including “terminating] accounts and cooperat[ing] with law enforcement.” The policy also makes clear that AOL reserves the right to reveal to law enforcement information about “crimes[s] that [have] been or [are] being committed.”

While some might react with, “how dare AOL become a government toady,” consider that AOL is a private corporation, and as such, is under no obligation to allow its services to be used to facilitate child porn.  It might be harder to explain if AOL kept its handling of illicit conduct secret, but it didn’t. It made it quite clear that it wasn’t going to allow its services to be used for this purpose, and that it would do what it wanted, including cooperating with law enforcement, to prevent it.

For this reason, I conclude that a reasonable person familiar with AOL’s policy would understand that by agreeing to the policy, he was consenting not just to monitoring by AOL as an ISP, but also to monitoring by AOL as a government agent. Therefore, DiTomasso’s Fourth Amendment challenge fails as to the emails.

Notably, Judge Scheindlin’s holding refers to “a reasonable person familiar with AOL’s policy.” It’s unclear from the decision whether the defense offered a sophisticated challenge to this critical detail, whether click-through terms of service would support the conclusion that a reasonable person was, in fact, familiar with AOL’s policy. It would appear they did not, and this may be the Achilles heel of the holding.

Two commentaries on the decision raise questions as to its correctness, the first from John Wesley Hall at Fourth Amendment, where he notes:

Who would have imagined that AOL is a rat squad? Terms of service gives away your rights?

But the TOS hardly gives away anyone’s rights. Rather, it informs the user that AOL is a snitch and if you use its service to transmit child porn, it will rat you out. By using AOL to commit the crime, you give your rights away.

And at Techdirt, Mike Masnick has difficulty distinguishing the holdings:

I’m not entirely sure how to reconcile those two paragraphs. They seem to directly contradict one another. The fine line of difference here is that the court is saying the 4th Amendment rights aren’t “waived,” but that DiTomasso effectively “consented” to a search by law enforcement. This seems like a distinction without any real difference.

On the contrary, it’s neither a fine line nor the same issue. Judge Scheindlin holds that privacy rights are not lost by virtue of using the internet because of the third-party doctrine, a huge win for privacy, while they can still be lost by agreeing to the specific TOS of a private entity who fully discloses that it will drop a dime on you if you use its service for bad purposes.  There is nothing here to reconcile; they’re entirely different issues.

To the extent DiTomasso is unsatisfying, it relates to the unquestioned assumption that a user is, by definition, sufficiently familiar with the click-through terms of service as to constitute a knowing, voluntary and intelligent waiver of privacy rights.  But that issue will be left for another day.

And I’m fearlessly keeping my AOL email address. Because reasons.

H/T Aaron Williamson at Tor Ekland’s joint

12 thoughts on “AOL, The Snitch

  1. John Barleycorn

    An outstanding Thursday volley!

    I do hope all the guilded and non-guilded sections of your readership chime in. I doubt it, due to the subject matter in front of the educating you are doing, but glad to see you are keeping the fire lit on coming quagmires that are easily ignored.

    Frankly, the affirmative consent deal has been having me make my wife shout lately which interferes with my nefarious grunts.

  2. Peter H

    One thing I wonder is whether this causes AOL to lose the safe harbor provisions of the DMCA? Once they get into the snitching biz, they’re no longer really acting as a transitory digital network per 17 USC 512 (a)(2).

    1. SHG Post author

      Since it’s initiated automatically, I don’t think it removes AOL from the safe harbor provisions. It would be no different than my moderating comments.

  3. ExCop-LawStudent

    It seems to me that this is no different than current law as to sending a package full of child porn (or other contraband) via Fedex or USPS or UPS.

    A person has a reasonable expectation of privacy in a sealed package turned over to a service for shipment. United States v. Jacobsen, 466 U.S. 109 (1984).

    If the person is given notice that the shipper retains the right to inspect the packages, there is no longer an expectation of privacy. United States v. Young, 350 F.3d 1302 (11th Cir. 2003) (such as notice on a Fedex waybill that the carrier may inspect the package for any reason).

    It seems to me that there is no difference in the AOL issue. You have an expectation of privacy on emails sent through the internet via an email service. You may waive that right to privacy if you use a service that tells you that your mail will be inspected. Duh.

    The fact that someone who may be very bright as to the technical workings of the internet does not have a clue about the legal ramifications of the internet is not really a surprise is it?

    1. SHG Post author

      There are similarities and differences (the details often differ), but generally, yes, when you use a private entity as a conduit, whether for email or packages (or anything else for that matter), and do so with notice that you have no privacy when using their service, you have waived privacy for that purpose. It’s not rocket computer science.

      And yes, despite the virtue of brilliant technical thinking, geeks tend not to get that the law isn’t binary. Much to their dismay.

      1. ExCop-LawStudent

        “There are similarities and differences (the details often differ)”

        I’m a law student… I still paint with broad strokes and use the big crayons. Staying inside the lines is for the old(er) lawyers…

        1. SHG Post author

          It’s like those cool closing statements on TV shows with grand statements about truth, justice and the ‘Murikan way. We all love ’em, but they don’t actually work that way in real life. It’s all about the details.

Comments are closed.