Deeplinks Blogs related to Privacy
EFF Joins with Coalition to Provide Policy Roadmap to Next President and Congress
Deeplink by Kevin Bankston
A coalition of more than 25 organizations, including EFF, yesterday released "Liberty and Security: Recommendations for the Next Administration and Congress", a comprehensive catalogue of policy recommendations on a range of critical civil liberties issues.
This collaboratively-created transition roadmap, coordinated by our friends at the Constitution Project, contains 20 chapters providing policy recommendations on a wide variety of issues, from Guantanamo Bay to warrantless wiretapping. EFF has signed on as an ally in support of the recommendations in eleven of those chapters, concerning issues within EFF's mission to protect free speech and privacy on the electronic frontier.
Most importantly, EFF has joined as a supporter of all the recommendations made in the area of "Secrecy, Surveillance, and Privacy", covering goals such as reining in NSA spying, updating the Electronic Communications Privacy Act, and reforming the State Secrets privilege (consistent with our Privacy Agenda for the New Administration), as well as combating excessive classification and urging greater transparency in government (as previously described in our Transparency Agenda for the New Administration).
After the jump, you can find links to PDFs of all of the individual chapters of the transition catalogue where EFF has signed on as an ally; the entire document is available here [pdf]. We hope that you — and the next President and Congress — find them enlightening.
A Privacy Agenda For The New Administration
Legislative Analysis by Tim Jones
This is the first post in a three-part series directed at restoring some of the civil liberties we've lost over the past eight years. Today's post is about our privacy rights. We'll follow this up early next week with our thoughts on intellectual property rights and government transparency.
As new leaders prepare to move into the White House and Congress over the next few months, we'd like to call on them to restore Americans' privacy rights. Here's a little "wish list" we'd like to put forward:
Repeal or repair the FISA Amendments Act (FISAAA). There are a great many flaws in FISAAA, which was passed last Summer after a long and difficult fight. Most significantly, the provisions granting retroactive immunity from litigation to telecommunications companies complicit in the Bush Administration's warrantless wiretapping program should be repealed so that the millions of Americans who have been illegally surveilled can have their day in court.
Reform the Electronic Communications Privacy Act (ECPA). ECPA is a major law restricting the government's ability to surveil citizens and is in desperate need of reform. It has become dangerously out-of-sync with recent technological developments and Americans' expectation of online privacy. In particular, the privacy of personal data should not depend on how long an ISP has stored that data or whether the data is stored locally or remotely.
Reform the State Secrets Privilege. The State Secrets Privilege has been radically abused by the Bush Administration, particularly to shield its electronic surveillance activity from judicial review. The new administration should voluntarily reduce its use of the privilege, and work with Congress to reform the privilege and ensure that claims of state secrecy are subject to independent judicial scrutiny.
Scale back the use of National Security Letters to gag and acquire data from online service providers. The REAL ID Act, with its requirement that Americans carry a national ID card, has been rejected by many U.S. states and should be federally repealed. Large-scale government data collection and data-mining projects like Automated Targeting System (ATS) should be reduced or eliminated. Invasive border-searches of electronic devices should be stopped.
Freedom Not Fear 2008
Call To Action by Danny O'Brien
Freedom Not Fear is the world's ongoing demonstration against the encroachment of civil liberties by anti-terrorist laws -- particularly in the online world. This year the protests take place this Saturday, October 11th in nearly thirty countries, including the very first events in the Americas.
The origin of the campaign comes from Europeans' anger at the EU's 2006 data retention directive, a pan-European law that requires ISPs to log email and web traffic data for a minimum of six months, and often more. Terabytes of personal data on millions of innocent Europeans are now being collated, paid for by customers and taxpayers, and open for access by any criminal or civil investigation, no matter how trivial.
Freedom Not Fear has since evolved into a more general warning: showing how fundamental freedoms like privacy, freedom of expression, and democratic participation lose when reactionary surveillance systems penetrate our open networks, justified by a hyperbolic rhetoric of fear.
The range of groups and countries that have joined Freedom Not Fear has shown just how wide the offensive front against your privacy has become, and how many are keen to join the defence. This Sunday, Freedom Not Fear events will take place in 22 European cities, as well as (thanks to the Electronic Privacy Information Center, IP Justice, EFF and others), in Washington, D.C. In South America, protests are planned in Buenos Aires, Argentina, and Manta in Ecuador, and other countries are preparing to join.
For those countries without substantial privacy legislation, this year's Freedom Not Fear demonstrations are calling for the adoption of Data Protection laws in their countries. Strong privacy laws should finally affirm freedoms guaranteed by the fundamental rights of privacy in the International Covenant on Civil and Political Rights, the Universal Declaration of Human Rights, and in many other international and regional human rights treaties.
If you'd like to join the demonstrations in your own country, reach out to your national contact listed here, and add the banner to your own web page.
Chinese Skype Client Hands Confidential Communications to Eavesdroppers
News Update by Danny O'Brien
This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China, not only blocks keywords from chat conversations, but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people’s privacy", even on the customized Chinese client.
This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. IWM's Nart Villeneuve's research shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.
Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.
The TOM-Skype client was introduced as part of a business deal between Skype's parent company, eBay, and the Chinese Internet company. Skype has denied involvement in TOM's additions to their core client software, but it was well aware that TOM had introduced censorship features into the Chinese Skype client. At that time it asserted that its users' privacy was nonetheless secure. We now know that Skype is in no position to make that assurance.
This breach is not an isolated Chinese problem. All Skype users are affected; conversations will be monitored even if only one side of a conversation is using the Chinese client. As of June 2007, there were 42 million registered users of TOM's compromised client, increasing at a rate of 70,000 new users per day. Anyone communicating with those millions will find their communications monitored and potentially reported to an unknown third party, even if they are not using the TOM client themselves.
What can Skype do? While it might disclaim responsibility, arguing that this political spyware was not directly written by its own coders, the company is directly implicated by its close relationship with TOM. When Chinese visitors go to the Skype homepage, they are redirected to a page offering a download of TOM's compromised client version. TOM's Skype page in turn indicates that TOM's version is an authorized Skype product for Chinese users. Skype does not warn its visitors of the differences between the non-Chinese client and TOM's client, and has made no effort to pro-actively monitor what differences there are, or convey the implications of those differences to users.
Villeneuve spent many hours decoding the extra packets to understand what was going on: Skype's own engineers could surely have spotted this behavior in seconds. Instead, an eBay spokesman said that the software's behaviour was "changed without [its] knowledge or consent and [it is] extremely concerned."
At a minimum, eBay can show its commitment to "the security and privacy of [its] users" by terminating its relationship with TOM and withdrawing TOM's permission to use eBay trademarks. It should no longer redirect to TOM, instead presenting an eBay-developed Chinese-localized version of Skype. It should also prominently warn its own users of the dangers of talking to those using the compromised client. It should attempt to obtain binding assurances from TOM that all copies of the logged data have been destroyed, and should advise all affected users whether this has taken place.
In the meantime, if you want to chat securely, consider using Off the Record Messaging (OTR) on another instant messaging network. OTR is a publicly audited security protocol that does not depend on a third party. It can run on a number of different instant messaging networks, and is implemented by a range of software products on MacOS, Windows, and Linux. For more peace of mind, use OTR in conjunction with open source products like Pidgin, Miranda or Adium. The code of open source software is available for examination by anyone, which minimizes the possibility of a government trojan being inserted into the final downloadable version. OTR will not prevent governments from monitoring the destination of instant messages, but it will protect the contents of your messages.
(Villeneuve also found logs containing information about users' Skype voice calls, including times and destination usernames and numbers. There is no indication that the contents of Skype voice calls themselves were recorded or transmitted. Because Skype's audio encryption protocol remains secret, however, we only have eBay's assurances on its invulnerability to external surveillance. From now on, users may have less reason to trust the company's word on matters of privacy or security without external confirmation.)
Court Protects Privacy of Satellite Receiver Owners
Legal Analysis by Fred von Lohmann
Last month, EFF filed an amicus brief in Echostar v. Freetech, where Echostar sought the identities of every consumer who purchased a Freetech "CoolSat" free-to-air (FTA) satellite receiver during the past five years. EFF argued that this demand, issued in discovery in a lawsuit between Echostar and Freetech, represented an unwarranted intrusion into the privacy of individual consumers. Today, the court agreed, issuing an order blocking Echostar's subpoenas.
The ruling potentially sets an important precedent, as it represents the first time a federal court has explicitly rejected a third-party subpoena on the basis of the privacy interests of nonparty consumers.
Echostar is the company behind the DISH satellite TV service. Freetech makes receivers for unencrypted, free-to-air satellite transmissions (there are many free, unencrypted satellite channels). In December 2007, Echostar sued Freetech, alleging that the Freetech CoolSat receiver was specifically designed for after-market modification to enable unauthorized reception of DISH programming. According to Echostar, Freetech "sold thousands of these FTA Receivers to consumer pirates for the sole purpose of circumventing [Echostar]'s Security System."
In the course of discovery, Echostar sent subpoenas to the distributors of CoolSat receivers, demanding that they hand over their customer lists, including the name, address, email address, and purchase details for every person to have purchased a CoolSat receiver over the past 5 years.
As EFF explained in its amicus brief, these subpoenas represent a serious intrusion into the privacy of legitimate purchasers of these FTA receivers. Not only would it be an intrusion to be contacted by Echostar about a device you purchased months or years ago, but other satellite TV companies have used customer lists to launch mass litigation campaigns against consumers. After DirecTV obtained similar customer lists in litigation in 2001, it sent more than 170,000 letters to individuals demanding "settlements" of $3,500.
In refusing to allow Echostar to obtain the CoolSat customer lists, the court specifically weighed Echostar's need for the information against the privacy interests of the customers whose information would be disclosed. The court expressed concern that "both those who purchase the FTA receivers for proper and improper purposes will be swept up in the process." The court went on to conclude that "the requests for customer lists, therefore, could lead to the perceived harassment of legitimate users and a concomitant chilling effect on the purchase and lawful use of Freetech's FTA receivers."
Kudos to the court for keeping the privacy interests of nonparties in mind as commercial litigants dispatch third-party subpoenas that would otherwise carelessly intrude into the lives of individual consumers.
Computers Seized from Berkeley Activist Space
Commentary by Hugh D'Andrade
Yesterday, the FBI, UC Berkeley police, and Alameda County Sheriff's deputies conducted a raid on the Long Haul Infoshop, a community space that is home to a number of leftist and anarchist groups, including a newspaper and a radio station. Armed with a warrant (PDF), authorities entered and quickly removed every computer in the Long Haul space.
According to the Associated Press, a UC Berkeley spokesman said that the raid was part of an investigation into threatening e-mails tracked to computers there. Among the computers seized were computers belonging to the Slingshot newspaper, and the Berkeley Daily Planet reports that police "got [Berkeley Liberation Radio's] hard drive."
Even with a warrant, the authorities may have acted in violation of federal law when they seized the computers. The seizure of media computers would appear to be a violation of the Privacy Protection Act, which says that the authorities are not entitled to "search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper [or] broadcast."
The purpose of the Privacy Protection Act is to ensure the freedom of speech and of the press. While there are exceptions to the act (such as when the documents seized themselves contain classified information or child pornography), the intent of the act is to prevent the government from using its search and seizure powers to shut down newspapers and radio stations, or otherwise interfere with the free flow of information to the public.
The seizure of computers is of special interest to EFF, since the first case we fought — and won — was a result of the illegal seizure of several computers from Steve Jackson Games in 1990. In that case, the federal court held that the Secret Service violated the Privacy Protection Act, and ordered the agency to pay for the harm it had caused.
Sixth Circuit Dodges Constitutional Question on Email Privacy; Warshak Case Dismissed on Procedural Grounds
Deeplink by Kevin Bankston
Today, the full panel of Sixth Circuit judges dismissed [opinion] on procedural grounds the case of Warshak v. US, a lawsuit challenging the constitutionality of no-notice, warrantless searches of email stored by an email provider. A three-judge panel of Sixth Circuit judges had previously held [PDF], based in part on briefing by EFF [PDF], that the federal statute that authorized such searches of remote email accounts — the Stored Communications Act — violated the Fourth Amendment on its face.
It's a shame that the court refused to reach the critical question at the center of the Warshak case: does the Fourth Amendment require the government to obtain a search warrant based on probable cause before secretly rifling through your Yahoo! mail or Gmail accounts? Without clear legal rulings on such issues, we face continued uncertainty about how the Constitution protects our private Internet communications, uncertainty that the government will continue to exploit.
The Sixth Circuit en banc panel held that because Warshak could not demonstrate that the government was likely to conduct further no-notice warrantless searches of his email — the government had twice previously done so — the issue was not "ripe" for a judicial decision. EFF shares the sentiments of Circuit Judge Boyce F. Martin, Jr., who authored the original decision finding the SCA unconstitutional as well as the dissent in today's decision:
While I am saddened, I am not surprised by today’s ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country.... History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment’s right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government’s investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen’s private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.
The decision is disappointing, but does not reject the underlying constitutional ruling on the merits. The original reasoning remains sound, and this decision only reinforces the importance of our mission to obtain a clear ruling from the courts that your emails, IMs, text messages and web browsing receive the same Fourth Amendment protection as your private snail mail and telephone calls. Help EFF fight for an enduring and robust Fourth Amendment by joining now.
Surveilling Drivers For Safety, For The Environment, and For Profit
Deeplink by Peter Eckersley
There is a growing movement to surveil the drivers of cars — for insurance purposes.
One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.
Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.
The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.
One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.
Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device available for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.
The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.
If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.
If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.
EFF Releases Updated White Paper on Best Practices for Online Service Providers
Deeplink by Kurt Opsahl
Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.
OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their users' online activities.
User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.
In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Summary of Recommendations
- Develop procedures for dealing with legal information requests and providing notice to users.
- Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
- Collect the minimum amount of information necessary to provide OSP services.
- Store information for the minimum time necessary for operations.
- Effectively obfuscate, aggregate and delete unneeded user information.
- Maintain written policies addressing data collection and retention.
- Enable SSL as much as possible throughout your site to secure users’ information and communications.
- Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
- Follow best-practice principles for the use of cookies on your site.
- Insist that the OSPs and other service providers you work with observe these best practices, too.
OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provide the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF’s Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.
New Ninth Circuit Case Protects Text Message Privacy From Police and Employers
Deeplink by Jennifer Granick
Today’s Ninth Circuit Court of Appeals opinion in Quon v. Arch Wireless is a victory for the privacy of email and text messages. The holding means that law enforcement needs a probable cause warrant to access stored copies of your electronic messages less than 180 days old, regardless of whether you have already downloaded or read them. It also stops employers from getting the contents of employee emails or text messages from the service provider without employee consent.
In Quon, the City of Ontario Police Department provided its officers with two-way alphanumeric pagers. The officers were informed that it was a violation of City policy to use the pagers for personal matters. The City reserved the right to audit the messages. Employees were also informed that if they exceeded the monthly character limit set by the provider, that they would be responsible for paying the resulting additional charges. Officer Quon used his pager to send both business and personal messages, including messages to the other plaintiffs. He went over his monthly limit. Despite the formal usage policy, Quon was told that the informal policy and practice was that if he paid the overage fees, his messages would not be audited. Quon paid those fees several months in a row. At some point, the Department decided that it wanted to audit officers’ messages. It asked the text provider, defendant Arch Wireless, to deliver the contents of officers’ text messages to it. Because the City was the subscriber on the account, Arch printed out copies of the messages and delivered them to the City. Quon’s personal messages with the other plaintiffs were included in the printouts. Quon and his correspondents sued Arch for violating the Stored Communications Act and the City for violating the Fourth Amendment.
The Ninth Circuit held that Arch violated the SCA when it disclosed the contents of the text messages to the subscriber, the City, without the permission of the users. At issue was whether Arch was an Electronic Communications Service (ECS) holding the messages in “electronic storage”, or a Remote Computing Service (RCS), storing the messages on behalf of the subscriber. Messages held by an ECS receive a lot of privacy protection. An ECS is prohibited from disclosing the contents of communications without either a probable cause warrant obtained by law enforcement or consent from the “addressee or intended recipient”. Messages held by an RCS receive less privacy protection. An RCS is prohibited from disclosing the contents of communications without the consent of the subscriber. Law enforcement does not need a warrant to get messages from an RCS. It can use a mere subpoena or “specific and articulable facts” court order to get message contents from an RCS.
Arch regularly archived messages sent to and from its pagers. If Arch was an ECS holding those messages in “electronic storage”, then it was prohibited from disclosing the messages without consent from Quon, the addressee. If Arch was an RCS, then it could disclose the messages with consent from the subscriber, in this case the City, which it did.
In the past, the Department of Justice and others have argued that once a recipient accesses his messages, whether they be email or texts, the message is no longer in “electronic storage” as the SCA defines it. The message loses the higher protection granted to communications held by an ECS. The Ninth Circuit rejects this view in Quon. It looks to its ruling in Theofel v. Farey-Jones, which held that e-mails stored on an email provider's servers for backup protection after delivery to the recipient were in “electronic storage” under the statute and received ECS protection. In Theofel, the Court stated that “[w]here the underlying message has expired in the normal course, any copy is no longer performing any backup function. An ISP that kept permanent copies of temporary messages could not fairly be described as ‘backing up’ those messages.” We have wondered how to apply the “expired in the normal course” language, and this opinion makes it clear. If the archived message was created as a backup copy of an electronic communication sent through an ECS, that copy continues to receive ECS protection.
This ruling has two privacy friendly results. First, the police need a warrant to get your email and text messages if stored for less than 180 days. Second, even if your employer pays for your use of third party text or email services, your boss can’t get copies of your messages from that provider without your permission. Wow.
The next issue the Ninth Circuit decides is that text messages are protected by the Fourth Amendment. The DOJ and others have argued that because email and text messages are stored by third parties that have the practical ability to read them, senders and recipients have no expectation of privacy in those messages and thus they receive no constitutional protection from unreasonable searches and seizures. The Ninth Circuit rejects this view, as a panel of the Sixth Circuit did in a landmark ruling last year, Warshak v. US. It holds that text messages, and presumably emails, are like letters or packages, and are protected even though the shipper could open them.
One of the more complicated Fourth Amendment issues is the effect of acceptable use policies, monitoring policies or other terms of service that say that the service provider or employer reserves the right to monitor or audit the messages. While those policies may give employers or service providers the right to read messages, the question was whether law enforcement therefore could do so as well. Here, the Ninth Circuit followed its prior ruling in United States v. Heckenkamp which held that a student did not lose his reasonable expectation of privacy in information stored on his computer, despite a university policy that it could access his computer in limited circumstances while connected to the university’s network. (Full disclosure: Granick represented Heckenkamp in the first round of motions to suppress in the case.) The Court thus rejected a binary view of privacy, that user consent to access for some purposes destroyed the expectation of privacy for every purpose, including warrantless or unreasonable government searches. Unless there is regular monitoring and access, people retain a legitimate expectation of privacy in their messages.
Finally and impressively, the Court gave real teeth to the “reasonableness” inquiry under the Fourth Amendment. In this case, the Department’s access was regulated by the Fourth Amendment because it is a government employer. (Note that the first part of the ruling involving privacy rights under the SCA does not depend on whether the employer is public or private.) However, a jury found that the Police Department read the plaintiffs’ messages for the non-disciplinary purpose of learning whether continued overages meant it needed a more extensive service plan from Arch. This was a legitimate, non-law enforcement purpose. Nevertheless, the Court found that there were less intrusive means of learning this than reading employees’ text messages. Because government employers are required to use less intrusive means if feasible, the Department’s actions here violated the Fourth Amendment.
The holding that text messages and email are protected by the Fourth Amendment is an immensely important one which gives the victims of unlawful searches the ability to suppress illegally obtained evidence. It protects the privacy of employees who use a messaging service paid for by their company. It also calls into question the SCA’s disparate treatment of messages younger and older than 180 days, though the opinion does not directly address that issue. Finally, this opinion does not simply defer to a government employer’s judgment about what is reasonable where communications privacy is at stake, but actually requires a more privacy friendly course where feasible.
Professor Orin Kerr also has commentary about this opinion up on The Volokh Conspiracy. To read his thoughts, click here.