Reaffirming Use of the EINSTEIN 2.0 Intrusion- Detection System to Protect Unclassified Computer Networks in the Executive Branch Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communica- tions Act, and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et seq., provided that certain log-on banners or computer-user agreements are consist- ently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws, which would stand as an obstacle to the accomplish- ment and execution of the full purposes and objectives of Congress and be unenforce- able under the Supremacy Clause to the extent that such laws purport to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and im- pose requirements that exceed those imposed by the federal statutes above.
August 14, 2009
MEMORANDUM OPINION FOR THE ASSOCIATE DEPUTY ATTORNEY GENERAL
This memorandum briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system. This Office previously considered the legality of the system in an opinion of January 9, 2009. See Use of the EINSTEIN 2.0 Intrusion- Detection System to Protect Unclassified Computer Networks in the Executive Branch, 33 Op. O.L.C. 63 (2009) (“EINSTEIN 2.0 Opinion”). We have reviewed that opinion and agree that the operation of the EINSTEIN 2.0 program complies with the Fourth Amendment to the Constitution of the United States, title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Pub. L. No. 90-351, 82 Stat. 197, 211, codified as amended at 18 U.S.C. § 2510 et seq. (“Wiretap Act”)); the Foreign Intelligence Surveillance Act of 1978 (Pub. L. No. 95-511, 92 Stat. 1783, codified as amended at 50 U.S.C. § 1801 et seq.); the Stored Communications Act (18 U.S.C. § 2701 et seq.); and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et seq. Accordingly, we have drawn upon the analysis in that opinion in preparing this summary, supplementing that material with analysis of an additional legal issue.
261 33 Op. O.L.C. 261 (2009)
I.
We have assumed for purposes of our analysis that computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet. 1 See, e.g., United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (analogizing expectation of e-mail user in privacy of e-mail to expectation of individuals communicating by regular mail); United States v. Maxwell, 45 M.J. 406, 418 (C.A.A.F. 1996) (sender of an e-mail generally “enjoys a reasonable expectation that police offi- cials will not intercept the transmission without probable cause and a search warrant”); see also Quon, 529 F.3d at 905 (“[U]sers do have a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”). Even given this assumption, however, we believe the deployment, testing, and use of EINSTEIN 2.0 technol- ogy complies with the Fourth Amendment where each agency parti- cipating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements described in this Office’s prior opinion, or their substantial equivalents. See EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 68–71. First, we conclude that the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of government-owned information systems with respect to the lawful gov- ernment purpose of protecting federal systems against network intrusions and exploitations. We therefore do not believe that the operation of intru- sion-detection sensors as part of the EINSTEIN 2.0 program constitutes a “search” for Fourth Amendment purposes. See Minnesota v. Carter, 525 U.S. 83, 88 (1998). Whether a government employee has a legitimate expectation of privacy in his use of governmental property at work in
1 Computer users do not have an objectively reasonable expectation of privacy in ad-
dressing and routing information conveyed for the purpose of transmitting Internet communications to or from a user. See Quon v. Arch Wireless Operating Co., 529 F.3d 892, 904 – 05 (9th Cir. 2008); United States v. Forrester, 512 F.3d 500, 510 –11 (9th Cir. 2008); cf. Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (no legitimate expectation of privacy in dialing, routing, addressing, and signaling information transmitted to telephone companies).
262 Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
particular circumstances is determined by “[t]he operational realities of the workplace,” and “by virtue of actual office practices and procedures, or by legitimate regulation.” O’Connor v. Ortega, 480 U.S. 709, 717 (1987) (plurality); see United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (“[O]ffice practices, procedures, or regulations may reduce legitimate privacy expectations.”). The existence of an expectation of privacy, moreover, may depend on the nature of the intrusion at issue. See O’Connor, 480 U.S. at 717–18 (plurality) (suggesting that a government employee’s expectation of privacy might be unreasonable “when an intrusion is by a supervisor” but reasonable when the intrusion is by a law enforcement official). The model banner and model computer-user agreement discussed in our prior opinion are at least as robust as—and we think stronger than—similar materials that courts have held eliminated a legitimate government employee expectation of privacy in the content of Internet communications sent over government systems. See, e.g., Simons, 206 F.3d at 398 (finding no legitimate expectation of privacy in light of computer-use policy expressly noting that government agency would “‘audit, inspect, and/or monitor’” employees’ use of the Internet, “includ- ing all file transfers, all websites visited, and all e-mail messages, ‘as deemed appropriate’”) (quoting policy); United States v. Angevine, 281 F.3d 1130, 1132–33 (10th Cir. 2002) (finding no legitimate expectation of privacy in light of computer-use policy stating that university “‘reserves the right to view or scan any file or software stored on the computer or passing through the network, and will do so periodically’” and has “‘a right of access to the contents of stored computing information at any time for any purpose which it has a legitimate need to know’” (quoting policy)); United States v. Thorn, 375 F.3d 679, 682 (8th Cir.
Free access — add to your briefcase to read the full text and ask questions with AI
Reaffirming Use of the EINSTEIN 2.0 Intrusion- Detection System to Protect Unclassified Computer Networks in the Executive Branch Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communica- tions Act, and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et seq., provided that certain log-on banners or computer-user agreements are consist- ently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws, which would stand as an obstacle to the accomplish- ment and execution of the full purposes and objectives of Congress and be unenforce- able under the Supremacy Clause to the extent that such laws purport to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and im- pose requirements that exceed those imposed by the federal statutes above.
August 14, 2009
MEMORANDUM OPINION FOR THE ASSOCIATE DEPUTY ATTORNEY GENERAL
This memorandum briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system. This Office previously considered the legality of the system in an opinion of January 9, 2009. See Use of the EINSTEIN 2.0 Intrusion- Detection System to Protect Unclassified Computer Networks in the Executive Branch, 33 Op. O.L.C. 63 (2009) (“EINSTEIN 2.0 Opinion”). We have reviewed that opinion and agree that the operation of the EINSTEIN 2.0 program complies with the Fourth Amendment to the Constitution of the United States, title III of the Omnibus Crime Control and Safe Streets Act of 1968 (Pub. L. No. 90-351, 82 Stat. 197, 211, codified as amended at 18 U.S.C. § 2510 et seq. (“Wiretap Act”)); the Foreign Intelligence Surveillance Act of 1978 (Pub. L. No. 95-511, 92 Stat. 1783, codified as amended at 50 U.S.C. § 1801 et seq.); the Stored Communications Act (18 U.S.C. § 2701 et seq.); and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et seq. Accordingly, we have drawn upon the analysis in that opinion in preparing this summary, supplementing that material with analysis of an additional legal issue.
261 33 Op. O.L.C. 261 (2009)
I.
We have assumed for purposes of our analysis that computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet. 1 See, e.g., United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (analogizing expectation of e-mail user in privacy of e-mail to expectation of individuals communicating by regular mail); United States v. Maxwell, 45 M.J. 406, 418 (C.A.A.F. 1996) (sender of an e-mail generally “enjoys a reasonable expectation that police offi- cials will not intercept the transmission without probable cause and a search warrant”); see also Quon, 529 F.3d at 905 (“[U]sers do have a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”). Even given this assumption, however, we believe the deployment, testing, and use of EINSTEIN 2.0 technol- ogy complies with the Fourth Amendment where each agency parti- cipating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements described in this Office’s prior opinion, or their substantial equivalents. See EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 68–71. First, we conclude that the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of government-owned information systems with respect to the lawful gov- ernment purpose of protecting federal systems against network intrusions and exploitations. We therefore do not believe that the operation of intru- sion-detection sensors as part of the EINSTEIN 2.0 program constitutes a “search” for Fourth Amendment purposes. See Minnesota v. Carter, 525 U.S. 83, 88 (1998). Whether a government employee has a legitimate expectation of privacy in his use of governmental property at work in
1 Computer users do not have an objectively reasonable expectation of privacy in ad-
dressing and routing information conveyed for the purpose of transmitting Internet communications to or from a user. See Quon v. Arch Wireless Operating Co., 529 F.3d 892, 904 – 05 (9th Cir. 2008); United States v. Forrester, 512 F.3d 500, 510 –11 (9th Cir. 2008); cf. Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (no legitimate expectation of privacy in dialing, routing, addressing, and signaling information transmitted to telephone companies).
262 Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
particular circumstances is determined by “[t]he operational realities of the workplace,” and “by virtue of actual office practices and procedures, or by legitimate regulation.” O’Connor v. Ortega, 480 U.S. 709, 717 (1987) (plurality); see United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (“[O]ffice practices, procedures, or regulations may reduce legitimate privacy expectations.”). The existence of an expectation of privacy, moreover, may depend on the nature of the intrusion at issue. See O’Connor, 480 U.S. at 717–18 (plurality) (suggesting that a government employee’s expectation of privacy might be unreasonable “when an intrusion is by a supervisor” but reasonable when the intrusion is by a law enforcement official). The model banner and model computer-user agreement discussed in our prior opinion are at least as robust as—and we think stronger than—similar materials that courts have held eliminated a legitimate government employee expectation of privacy in the content of Internet communications sent over government systems. See, e.g., Simons, 206 F.3d at 398 (finding no legitimate expectation of privacy in light of computer-use policy expressly noting that government agency would “‘audit, inspect, and/or monitor’” employees’ use of the Internet, “includ- ing all file transfers, all websites visited, and all e-mail messages, ‘as deemed appropriate’”) (quoting policy); United States v. Angevine, 281 F.3d 1130, 1132–33 (10th Cir. 2002) (finding no legitimate expectation of privacy in light of computer-use policy stating that university “‘reserves the right to view or scan any file or software stored on the computer or passing through the network, and will do so periodically’” and has “‘a right of access to the contents of stored computing information at any time for any purpose which it has a legitimate need to know’” (quoting policy)); United States v. Thorn, 375 F.3d 679, 682 (8th Cir. 2004) (find- ing no legitimate expectation of privacy in light of computer-use policy warning that employees “‘do not have any personal privacy rights regard- ing their use of [the employing agency’s] information systems and tech- nology,’” and that “‘[a]n employee’s use of [the agency’s] information systems and technology indicates that the employee understands and consents to [the agency’s] right to inspect and audit all such use as de- scribed in this policy’” (quoting policy, emphasis in original)), vacated on other grounds, 543 U.S. 1112 (2005). We therefore believe that the adop- tion, implementation, and enforcement of the language in those model materials, or their substantial equivalents, by agencies participating in the
263 33 Op. O.L.C. 261 (2009)
EINSTEIN 2.0 program will eliminate federal employees’ legitimate expectations of privacy in their uses of government-owned information systems with respect to the lawful government purpose of protecting federal systems against network intrusions and exploitations. 2 We also believe that individuals in the private sector who communi- cate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency. The Supreme Court has repeat- edly held that where a person “reveals private information to another, he assumes the risk that his confidant will reveal that information to the authorities, and if that occurs the Fourth Amendment does not prohibit governmental use of that information.” United States v. Jacobsen, 466 U.S. 109, 117 (1984); see also United States v. Miller, 425 U.S. 435, 443 (1976) (“[T]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.”); SEC v. Jerry T. O’Brien, Inc., 467 U.S. 735, 743 (1984) (“[W]hen a person communicates information to a third party even on the understanding that the communication is confidential, he cannot object if the third party conveys that information or records thereof to law enforcement authorities.”); Smith, 442 U.S. at 743–44 (“[A] person has no legitimate expectation of privacy in information he volun- tarily turns over to third parties.”). We believe this principle also applies to a person who e-mails a federal employee at the employee’s personal e-mail account when that employee accesses his or her personal e-mail account through a government-owned information system, when the consent procedures described above are followed. By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the govern-
2 The use of log-on banners or computer-user agreements may not be sufficient to eliminate an employee’s legitimate expectation of privacy if the statements and actions of agency officials contradict these materials. See Quon, 529 F.3d at 906–07. Management officials of agencies participating in the EINSTEIN 2.0 program therefore should ensure that agency practices are consistent with the statements in the model materials.
264 Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
ment to intercept, monitor, and search “any communications” and “any data” transiting or stored on a government-owned information system for any “lawful purpose,” including the purpose of protecting federal comput- er systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the government to intercept, monitor, and search any personal use of the employee’s government-owned information systems has no Fourth Amendment right against the government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity. See Jerry T. O’Brien, 467 U.S. at 743; Jacob- sen, 466 U.S. at 117; Miller, 425 U.S. at 443. Under Supreme Court precedent, this principle applies even where, for example, the sender of an e-mail to an employee’s personal, web-based e-mail account (such as G-mail or Hotmail) does not know of the recipi- ent’s status as a federal employee or does not anticipate that the employee might read, on a federal government system, an e-mail sent to a personal e-mail account at work or that the employee has agreed to government monitoring of his communications on that system. A person communi- cating with another assumes the risk that the person has agreed to permit the government to monitor the contents of that communication. See, e.g., United States v. White, 401 U.S. 745, 749–51 (1971) (plurality) (no Fourth Amendment protection against government monitoring of commu- nications through transmitter worn by undercover operative); Hoffa v. United States, 385 U.S. 293, 300–03 (1966) (information disclosed to individual who turns out to be a government informant is not protected by the Fourth Amendment); Lopez v. United States, 373 U.S. 427, 439 (1963) (same); cf. Rathbun v. United States, 355 U.S. 107, 111 (1957) (“Each party to a telephone conversation takes the risk that the other party may have an extension telephone and may allow another to overhear the con- versation. When such takes place there has been no violation of any privacy of which the parties may complain.”). Accordingly, when an employee agrees to let the government intercept, monitor, and search any communication or data sent, received, or stored by a government-owned information system, the government’s interception of the employee’s Internet communications with individuals outside of the relevant agency through a government-owned information system does not infringe upon
265 33 Op. O.L.C. 261 (2009)
any legitimate expectation of privacy of the parties to that communica- tion. We also think that, under the Court’s precedents, an individual who submits information through the Internet to a federal agency participating in the EINSTEIN 2.0 program does not have a legitimate expectation of privacy for Fourth Amendment purposes in the contents of the infor- mation that he transmits directly to the participating agency. An indivi- dual has no expectation of privacy in communications he makes to a known representative of the government. See United States v. Caceres, 440 U.S. 741, 750–51 (1979) (individual has no reasonable expectation of privacy in communications with IRS agent made in the course of an audit). Further, as just discussed, an individual who communicates infor- mation to another individual who turns out to be an undercover agent of the government has no legitimate expectation of privacy in the content of that information. It follows a fortiori that where an individual is com- municating directly with a declared agent of the government, the individ- ual does not have a legitimate expectation that his communication would not be monitored or acquired by the government. Second, even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, we believe that those operations would be consistent with the Amendment’s “central requirement” that all search- es be reasonable. Illinois v. McArthur, 531 U.S. 326, 330 (2001) (inter- nal quotation marks omitted). As discussed in the prior opinion of this Office, the government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements. See O’Connor, 480 U.S. at 720 (plurality); see also Nat’l Treasury Emps. Union v. Von Raab, 489 U.S. 656, 665–66 (1989) (warrant and probable cause provisions of the Fourth Amendment are inapplicable to a search that “serves special governmental needs, beyond the normal need for law enforcement”); Griffin v. Wiscon- sin, 483 U.S. 868, 872–73 (1987) (special needs doctrine applies in cir- cumstances that make the “warrant and probable cause requirement im- practicable”); United States v. Heckenkamp, 482 F.3d 1142, 1148 (9th Cir. 2007) (preventing misuse of and damage to university computer network is a lawful purpose). And, based upon the information available to us, and as discussed in the prior opinion of this Office, we believe that
266 Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
the operation of the EINSTEIN 2.0 program falls under that exception and is reasonable under the totality of the circumstances. See United States v. Knights, 534 U.S. 112, 118–19 (2001) (reasonableness of a search under the Fourth Amendment is measured in light of the “totality of the circum- stances,” balancing “on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests” (internal quota- tion marks omitted)); New Jersey v. T.L.O., 469 U.S. 325, 337 (1985) (“what is reasonable depends on the context within which a search takes place”); O’Connor, 480 U.S. at 726 (plurality) (reasonable workplace search must be “justified at its inception” and “reasonably related in scope to the circumstances which justified the interference in the first place”) (internal quotation marks omitted). In light of that conclusion, we also think that a federal employee’s agreement to the terms of the model log- on banner or the model computer-user agreement, or those of a banner of user agreement that are substantially equivalent to those models, consti- tutes valid, voluntary consent to the reasonable scope of EINSTEIN 2.0 operations. See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973) (consent is “one of the specifically established exceptions to the require- ments of both a warrant and probable cause”); United States v. Sihler, 562 F.2d 349 (5th Cir. 1977) (prison employee’s consent to routine search of his lunch bag valid); cf. McDonell v. Hunter, 807 F.2d 1302, 1310 (8th Cir. 1987) (“If a search is unreasonable, a government employer cannot require that its employees consent to that search as a condition of em- ployment.”). With respect to statutory issues, we have also concluded that, for the reasons set forth in our prior opinion—and so long as participating federal agencies consistently adopt, implement, and enforce model computer log- on banners or model computer-user agreements—the deployment of the EINSTEIN 2.0 program on federal information systems complies with the Wiretap Act, the Foreign Intelligence Surveillance Act, the Stored Com- munications Act, and the pen-register and trap-and-trace provisions of title 18 of the United States Code. We agree with the analysis of these issues set forth in our prior opinion, and will not repeat it here.
267 33 Op. O.L.C. 261 (2009)
II.
Finally, we do not believe the EINSTEIN 2.0 program runs afoul of state wiretapping or communication privacy laws. See, e.g., Fla. Stat. Ann. § 934.03 (West Supp. 2009); 18 Pa. Cons. Stat. Ann. § 5704(4) (West Supp. 2009); Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3) (LexisNexis 2006); Cal. Penal Code 631(a) (West 1999). To the extent that such laws purport to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and impose requirements that exceed those imposed by the federal statutes discussed above, they would “stand[] as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause. Hines v. Davidowitz, 312 U.S. 52, 67 (1941); see also Geier v. American Honda Motor Co., 529 U.S. 861, 873 (2000) (same); Old Dominion Branch v. Austin, 418 U.S. 264, 273 n.5 (1974) (Executive Order “may create rights protected against inconsistent state laws through the Supremacy Clause”); Bansal v. Russ, 513 F. Supp. 2d 264, 283 (E.D. Pa. 2007) (concluding that “federal officers participating in a federal investigation are not required to follow” state wiretapping law containing additional requirements not present in the federal Wiretap Act, because in such circumstances, “the state law would stand as an obstacle to federal law enforcement”); Johnson v. Maryland, 254 U.S. 51 (1920); cf. United States v. Adams, 694 F.2d 200, 201 (9th Cir. 1980) (“evidence obtained from a consensual wiretap conforming to 18 U.S.C. § 2511(2)(c) is admissible in federal court proceedings without regard to state law”).
DAVID J. BARRON Acting Assistant Attorney General Office of Legal Counsel