Terms of Service Do Not Eliminate Fourth Amendment Rights in a Google Account

The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

As regular readers may recall, I argued in a recent article that terms of service to an Internet account have little or no effect on Fourth Amendment rights in the account:

Almost everything you do on the Internet is governed by Terms of Service. The language in Terms of Service typically gives Internet providers broad rights to address potential account misuse. But do these Terms alter Fourth Amendment rights, either diminishing or even eliminating constitutional rights in Internet accounts? In the last five years, many courts have ruled that they do. These courts treat Terms of Service like a rights contract: by agreeing to use an Internet account subject to broad Terms of Service, you give up your Fourth Amendment rights.

This Article argues that the courts are wrong. Terms of Service have little or no effect on Fourth Amendment rights. Fourth Amendment rights are rights against the government, not private parties. Terms of Service can define relationships between private parties, but private contracts cannot define Fourth Amendment rights. This is true across the range of Fourth Amendment doctrines, including the "reasonable expectation of privacy" test, consent, abandonment, third-party consent, and the private search doctrine. Courts that have linked Terms of Service and Fourth Amendment rights are mistaken, and their reasoning should be rejected.

I'm pleased to say that the Second Circuit handed down a ruling in United States v. Maher this week rejecting the claim that terms of service waive Fourth Amendment rights, at least in the important context of a Google account. The decision is written in a somewhat narrow way, but I think it gets the basics correct. Here's the key passage from Maher:

The government argues that Maher's expectation of privacy in the Maher file that he emailed to his own Google account was extinguished by Google's Terms of Service, which advise users that Google (1) "may review content to determine whether it is illegal or violates our policies," App'x 113, (2) "may" report "illegal content" to "appropriate authorities," id. at 142, and (3) "will share" users' information with law enforcement when necessary to comply with applicable law, id. at 131.

This court has not had occasion to address what effect, if any, a private company's terms of service might have on a defendant's reasonable expectation of privacy. It may well be that such terms, as parts of "[p]rivate contracts[,] have little effect in Fourth Amendment law because the nature of those [constitutional] rights is against the government rather than private parties." Orin S. Kerr, Terms of Service and Fourth Amendment Rights, 172 U. PA. L. REV. 287, 291 (2024) (summarizing case law). We need not here draw any categorical conclusions about how terms of service affect a user's expectation of privacy as against the government. On this appeal, it suffices that we conclude that Google's particular Terms of Service—which advise that Google "may" review users' content, App'x 113—did not extinguish Maher's reasonable expectation of privacy in that content as against the government.

In reaching that conclusion, we adopt the reasoning of the Sixth Circuit in United States v. Warshak, 631 F.3d at 286–87 (holding that government violated Fourth Amendment when, without warrant, it compelled internet service provider to surrender contents of user emails). There too, the government argued that an internet service provider's contractual reservation of the right to access user emails extinguished a defendant's expectation of privacy in his emails. In rejecting the argument—at least with respect to a reservation phrased in terms of what the provider may do, see id. at 287 (quoting Acceptable Use Policy provision stating that provider "may access and use individual Subscriber information in the operation of the Service and as necessary to protect the Service" (emphasis in original))—the Sixth Circuit held that "the mere ability of a third-party intermediary to access the contents of a communication cannot be sufficient to extinguish a reasonable expectation of privacy" as against the government, id. at 286 (emphasis in original). As the court explained, that conclusion finds support in the seminal Fourth Amendment case, Katz v. United States, 389 U.S. 347 (1967), where "the Supreme Court found it reasonable to expect privacy during a telephone call despite the ability of an operator to listen in." United States v. Warshak, 631 F.3d at 287 (noting that telephone companies could then "listen in when reasonably necessary to protect . . . against the improper and illegal use of their facilities" (internal quotation marks omitted)). It also finds support in cases recognizing that hotel guests retain a reasonable expectation of privacy in their rooms, "even though maids routinely enter hotel rooms." Id.; see United States v. Stokes, 733 F.3d 438, 443 n.7 (2d Cir. 2013) ("Hotel guests retain a legitimate expectation of privacy in the hotel room and in any articles located in their hotel room for the duration of their rental period."). We too conclude from these precedents that Google's Terms of Service, advising users of what the company "may review," App'x 113, did not extinguish Maher's reasonable expectation of privacy in his emails as against the government.

Nor is a different conclusion compelled by the fact that Google's Terms of Service also warn users that the company "will share personal information outside of Google if . . . reasonably necessary to[] . . . [m]eet any applicable law." Id. at 131 (emphasis added). As noted supra at 7 n.5, federal law requires electronic service providers such as Google to file a report with the NCMEC when they have "actual knowledge" of child pornography on their platforms. 18 U.S.C. § 2258A(a)(1)(A), (B). But the same law specifically does not require Google "affirmatively [to] search, screen, or scan" for such material. Id. § 2258A(f)(3). Not surprisingly then, Google does not tell users that it will engage in the sort of content review for illegality that could trigger disclosure obligations under § 2258A(a)(1)(A), (B). Rather, it tells users only that it "may" engage in such review. App'x 113. Indeed, in the next sentence, Google emphasizes that it "does not necessarily . . . review content," and tells users, "please don't assume that we do." Id. at 114 (emphasis added). Such qualified language is hardly a per se signal to Google users that they can have no expectation of privacy in their emails, even as against the government. Cf. United States v. Rosenow, 50 F.4th 715, 730 (9th Cir. 2022) (stating, with respect to § 2258A, that "[m]andated reporting is different than mandated searching" (emphasis in original)).

In a different context that is nevertheless instructive here, the Supreme Court declined to construe even unqualified language in a private contract as extinguishing a person's expectation of privacy as against the government. See Byrd v. United States, 584 U.S. 395 (2018). There, a car rental agreement expressly forbade anyone not identified in the contract from operating the leased vehicle. The government argued that this meant any driver not so identified had no reasonable expectation of privacy in the vehicle. The Court, however, declined to derive such a "per se rule" from the contract's identified-operator provision. Id. at 405. Recognizing that "car-rental agreements are filled with long lists of restrictions," id. at 407, the Court adhered to the "general rule" that a person "in otherwise lawful possession and control of a rental car has a reasonable expectation of privacy" against the government in that vehicle even if he is not authorized by the rental agreement to be operating the car, id. at 398–99.

Here, we need not decide whether terms of service pertaining to content review might ever be so broadly and emphatically worded as to categorically extinguish internet service users' reasonable expectations of privacy in the contents of their emails, even as against the government. See United States v. Warshak, 631 F.3d at 287 (declining to foreclose possibility). We conclude only that Google's Terms of Service, repeatedly qualifying the content review that the company "may" conduct, do not effect such a complete extinguishment.

This issue is pending in a bunch of courts right now, and I hope (and expect) that the Second Circuit's ruling will have a significant influence on how other courts view the issue.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Thursday Open Thread

Hide Comments (15)

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

Commenter_XY 5 months ago

Congrats on the cite, and thanks for the 4A cases updates here on VC. They make fascinating reading for laymen.

Log in to Reply
1. Bwaaah 5 months ago
  
  Ditto.
  
  Log in to Reply
Krayt 5 months ago

If a third party stumbles across something illegal and sends it to government, that’s fine, unless they have a “too cosy” relationship, then they become an arm of government, and such becomes a warrantless search, at least that’s the way it’s been described around here. That’s always made me uneasy.

“Here ya go, government, our monthly report on US citizens! And thanks for forebearance on the latest $300 million fine for monopolistic behavior! Or whatever’s the latest cool-evil patter of the month.”

Yeah, one guy stumbling over something in a repair shop is not the same as an automated, industrial scale pipeline process to the DOJ. With AI now, they can probably make estimates as to illegal financial dealings and god knows what.

Log in to Reply
1. apedad 5 months ago
  
  The govt sends guidance and advisories to private companies all the time on how to detect - and report - criminal activity.
  
  Advisory on Cybercrime and Cyber-Enabled Crime
  
  Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic Detecting, preventing, and reporting illicit transactions and cyber activity will help protect legitimate relief efforts for the COVID-19 pandemic and help protect financial institutions and their customers against malicious cybercriminals and nation-state actors.
  
  https://www.fincen.gov/sites/default/files/advisory/2020-07-30/FinCEN%20Advisory%20Covid%20Cybercrime%20508%20FINAL.pdf
  
  Log in to Reply
ReaderY 5 months ago

I don’t see how it could be the case that terms of service don’t implicate 4th Amendment rights.

The text is pretty clear. “The right of the people to be secure in THEIR persons, houses, papers, and effects…” (emphasis added.)

Who owns the material being searched? The owner, by the text, possesses the accounts.

So all the terms of service have to say is something like “You agree that all content you post on Google sites is the property of Google” and it seems to me that Google, not you, then possesses any 4th Amendment rights in the account that wxist. It isn’t yours any more.

So I think the question to ask is whether the terms of service effect a transfer of ownership of the content. In the absence of a law saying otherwise, that’s a matter of contract law.

I agree that if you retain ownership of the content, you can let Google look at it without giving up your right to not let the feds look at it.

Log in to Reply
1. apedad 5 months ago
  
  But supposed it’s obviously criminal content, e.g., child sexual pornography.
  
  Certainly Google has the responsibility to report that to authorities.
  
  So I don't think it's a matter of contract law and instead, where is the line of what is reportable.
  
  Log in to Reply
  1. apedad 5 months ago
    
    And as I mentioned above, the govt sends guidance and advisories to private companies all the time on how to detect – and report – criminal activity.
    
    So suppose they send Google a list of things to watch for, e.g,, .jpg or .gif files that are sent to or received from a known child pornography site.
    
    Google's servers can flag those files and notify law enforcement.
    
    Log in to Reply
  2. Michael P 5 months ago
    
    "Certainly"? Are you speaking of a legal or moral responsibility? If a legal one, what imposes that responsibility? What happens if it's not obvious, or it's jurisdiction-dependent, whether the material is illegal?
    
    Log in to Reply
    1. apedad 5 months ago
      
      I was thinking more of a business ethics POV; Google certainly doesn’t want to be known as a site that allows child pornography and will take steps to protect their business.
      
      And whether the material is illegal, that’s what I was getting at on the ‘where is the line of reportable’ comment – and that is a tough question and the answer will spin on the definition of “reasonable” which what 4A is all about.
      
      Child pornography, yeah it would be reasonable for Google to forward that info to law enforcement.
      
      But say the police put out a statement that a suspect wanted for a murder on Tuesday in Dallas, TX, was wearing a purple shirt with zebra stripes and Google servers detect a file/email that states, “I bought a purple shirt with zebra stripes in Dallas, TX, on Monday.”
      
      Where is the line of reasonableness to report that?
      
      Good question.
      
      Log in to Reply
2. Bored Lawyer 5 months ago
  
  I don’t see how it could be the case that terms of service don’t implicate 4th Amendment rights.
  
  Of course they implicate them. Questions is whether they obviate them.
  
  Example. Someone rents an apartment to live in. Standard lease term is the landlord has the right to come in to make repairs and inspect for safety issues, or to show the apartment to prospective tenants or building purchasers. Some state laws do regulate such access, but AFAIK all permit access in some situations.
  
  Does that mean the tenant has no 4th Amendment rights? Can the landlord consent to a warrantless search by the police? I think the answer is, generally, no. Because the tenant still has an expectation of privacy.
  
  Log in to Reply
3. Drewski 5 months ago
  
  While it's simple to demand a license to copyrighted work via terms of service, transfer of ownership requires a written, signed agreement, and can interact with the UCC and state laws. The value of the work can affect the rules.
  
  Log in to Reply
DaveM 5 months ago

Oof, if I were an online messaging vendor, the very LAST thing I would want to do would be to proactively scan my users for content that might be “of interest” to the government.

Fast way to throw your business right out the virtual window!

Much as I love to watch the legal mind at work, sometimes I really wonder about youse guys. We’ve too many legal Jedi masters butting into everybody’s business. Time to restore the balance in the Force and bring in more “politically ignorant” brilliant business minds to remind everyone that not every problem must be solved with a lawsuit.

Log in to Reply
1. Brett Bellmore 5 months ago
  
  How about if you're an online messaging vendor who's so large that you really want the government to have a motive to refrain from anti-trust charges against you?
  
  Log in to Reply
Commenter_XY 5 months ago

If I do not have biometric identification turned on for my smartphone, can I be compelled to give my passcode to a police officer in absence of a warrant? I have been under the assumption that no, I cannot be compelled to provide my passcode, absent a warrant. Is that still a correct understanding?

Log in to Reply
1. apedad 5 months ago
  
  Prof. Kerr argues that a court should reject the claim of privilege when the government has independent knowledge that the person knows the password.
  
  Entering a password that unlocks a device has a testimonial component: it testifies that the person knows the password that unlocks the device.
  
  But the foregone conclusion doctrine applies when the government has independent knowledge of that fact. This standard allows the government to compel a suspect to enter a password in many but not all cases.
  
  https://texaslawreview.org/wp-content/uploads/2019/03/Kerr.V97.4.pdf
  
  I don’t particularly agree with Prof. Kerr but at the same time, I’m not sure I could muster a better legal argument.
  
  While at the same time, I agree that it’s constitutional for law enforcement to gather fingerprints and swabs for identification purposes.
  
  Those are not evidence – the fingerprint or DNA at the crime scene is.
  
  Log in to Reply

Please log in to post comments

The Volokh Conspiracy

Terms of Service Do Not Eliminate Fourth Amendment Rights in a Google Account

So holds the Second Circuit, in a new decision.

Latest

Yes, Trump Really Put Higher Tariffs on Israel Than Iran

Senators Make Modest Moves To Reclaim Tariff Powers From Trump

The Supreme Court Blesses the FDA's Rejection of Flavored Nicotine Vapes

Trump's Tariffs Target Uninhabited Islands, Economic Dead Zones, and Individual Regions of France

Trump's New Tariffs on These 3 Countries Look Particularly Foolish

Recommended

Login Form

The Volokh Conspiracy

Latest

Yes, Trump Really Put Higher Tariffs on Israel Than Iran

Senators Make Modest Moves To Reclaim Tariff Powers From Trump

The Supreme Court Blesses the FDA's Rejection of Flavored Nicotine Vapes

Trump's Tariffs Target Uninhabited Islands, Economic Dead Zones, and Individual Regions of France

Trump's New Tariffs on These 3 Countries Look Particularly Foolish

Recommended

Special Offer!