Welcome to Cykod. We are a fully-integrated, self-funded web-development startup located in Boston, MA.

Privacy, ISPs and why Google needs a GMail Appliance

This never quite made it out of the backlog back in October, but I thought the implications of a case discussed on Volokh a couple of months ago were pretty staggering. To highlight the article's quote of the ruling (significantly chopped down):

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

...[snip]...

Thus subscribers are, or should be, aware that their personal information and the contents of their online communications are accessible to the ISP and its employees and can be shared with the government under the appropriate circumstances.
Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

This is a pretty significant statement - what it means is that if you transmit anything over a public line (read: the internet) in a form a third party could read, you shouldn't have an expectation of privacy about it. In essence, this is what the tinfoil-hats have been saying all along, and the only solution is to encrypt-encrypt-encrypt. Why? Because if you encrypt your transmissions and your stored data, so that the third party only ever holds ciphertext it has no key for, then suddenly you do have an expectation of privacy.

If the government wanted to read an email that had been encrypted to your public key, so that only your private key can decrypt it, then following the above logic - even if it was stored on a third-party server - they would need to get a warrant; the ISP couldn't simply hand over readable contents, and they couldn't just read what they wanted.

Now one of the problems here is that the data would need to be encrypted in a way only accessible to you along each step of its journey: sending, transmission, reception, storage and retrieval. If plaintext exists at any step the ISP controls, the ISP could have logs or copies of it, and your expectation of privacy would fly back out the window. Even then, the envelope (sender, recipient, timestamps, message size) stays readable by whoever carries the mail, since message encryption covers the body and not the routing information the servers need in order to deliver it.

The good news - securing the transmission part is getting easier. While very few people outside of the enterprise use certificates to encrypt and sign their emails (unless they like wearing the aforementioned metal headpieces), a good portion of the email being sent is starting to be transported via SSL/TLS. Keep in mind that transport encryption is hop-by-hop: it protects the wire, and each mail server along the path decrypts and re-encrypts, so it is no help once a message is sitting on someone else's disk. What this means is that if you leave the ISP only the transmission part, and host your own email servers, then your expectation of privacy would hopefully return, since you're not relying on a third party for reception, storage and retrieval (on your end, at least; the recipient's server still sees the message in the clear just the same).
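To make the "transmission only" versus "reception, storage and retrieval" distinction concrete, here is an added example (my illustration, not code from the original post or from any mail product). It models a hypothetical third-party mail server, `IspMailServer`, that terminates the transport encryption the way an SSL/TLS-speaking ISP does, and compares what ends up on its disk when a client encrypts only for the wire against when it encrypts for the recipient first. The cipher is a constructed stdlib-only encrypt-then-MAC scheme (SHA-256 counter-mode keystream plus HMAC-SHA256) standing in for both TLS and PGP/S-MIME so the script runs offline; it is there to show where plaintext exists, not as a recommendation to roll your own crypto. Addresses and the message body are made up.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (constructed stand-in for a real cipher)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and MAC keys so one secret is never used for both."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class IspMailServer:
    """Hypothetical third-party mail server: it terminates the transport
    encryption, logs the envelope, and stores whatever is left on its disk."""

    def __init__(self):
        self.session_key = secrets.token_bytes(32)  # stands in for the TLS session
        self.mailbox = []       # bytes at rest on the ISP's storage
        self.envelope_log = []  # SMTP envelope: never covered by message encryption

    def receive(self, wire_frame: bytes, sender: str, recipient: str) -> None:
        body = decrypt(self.session_key, wire_frame)  # the "SSL" hop ends here
        self.envelope_log.append({"from": sender, "to": recipient})
        self.mailbox.append(body)

    def fetch(self, index: int) -> bytes:
        """Retrieval: the ISP hands back exactly what it stored."""
        return self.mailbox[index]


def send_transport_only(server, sender, recipient, message: bytes) -> int:
    """The post's 'transmission' case: encrypted on the wire, plaintext at rest."""
    server.receive(encrypt(server.session_key, message), sender, recipient)
    return len(server.mailbox) - 1


def send_end_to_end(server, sender, recipient, message: bytes, recipient_key: bytes) -> int:
    """Encrypt for the recipient first, then for the wire: the ISP stores ciphertext
    it holds no key for, so reception, storage and retrieval reveal nothing."""
    inner = encrypt(recipient_key, message)
    server.receive(encrypt(server.session_key, inner), sender, recipient)
    return len(server.mailbox) - 1


def isp_can_read(server, index: int, message: bytes) -> bool:
    """What an ISP employee (or a records request) can recover from disk alone."""
    return message in server.fetch(index)


if __name__ == "__main__":
    isp = IspMailServer()
    secret = b"Q3 numbers attached; do not forward."  # constructed sample message
    i = send_transport_only(isp, "alice@example.org", "bob@example.net", secret)
    print("transport-only, readable at the ISP:", isp_can_read(isp, i, secret))
    bob_key = secrets.token_bytes(32)  # only Bob holds this
    j = send_end_to_end(isp, "alice@example.org", "bob@example.net", secret, bob_key)
    print("end-to-end, readable at the ISP:", isp_can_read(isp, j, secret))
    print("Bob decrypts on retrieval:", decrypt(bob_key, isp.fetch(j)) == secret)
    print("envelope still logged either way:", isp.envelope_log[j])
```

The point the run makes: in the transport-only case the ISP's mailbox holds the exact plaintext, in the end-to-end case it holds bytes it cannot turn back into the message, yet the envelope log records who wrote to whom in both cases. Hosting your own server removes the third party from the first case; only encrypting to the recipient removes it from the second; nothing on this path hides the envelope.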

The bad news - until Google releases a GMail appliance, there's no way to use an ISP for other services and be protected. Now while the 4th Amendment only applies to governmental search and seizure, this has further implications for private enterprise moving to SaaS models. If the court has stated that you never should have had any legal expectation of privacy about any of your data in the first place, then you need to be very diligent in reading your terms of service. Could you sue a SaaS provider if they released some valuable statistics about your data to a competitor? Most likely their ToS doesn't explicitly mention all meta-data and derived data, so I don't know, but until it gets decided in court, I wouldn't throw out all those servers and cloudify all your business needs just yet.

Posted Wednesday, Dec 30 2009 09:05 AM by Pascal Rettig | Business, IANAL
