AOL’s terms of service amount notice to the user that AOL looks for illegal email content and reports it. Therefore, he lacks a reasonable expectation of privacy and he consented to AOL turning them over to NCMEC. “[B]y agreeing to AOL’s terms of service, DiTomasso consented to a search of his AOL emails by law enforcement, thereby waiving his Fourth Amendment rights.” United States v. DiTomasso, 2014 U.S. Dist. LEXIS 152505 (S.D. N.Y. October 28, 2014) (Note: This conclusion was not arrived at easily.):
DiTomasso has an AOL email account — email@example.com. When AOL users send or receive emails that contain attachments, AOL runs two background monitoring systems designed to scan for illicit material, including, but not limited to, child pornography. The programs work by assigning “hash numbers” to image and video files. In essence, hash numbers are unique number-strings that can be used to archive packets of data — “fingerprint[s]” for electronic media.
AOL employs two different hashing programs. The first — the Image Detection and Filtering Process (“IDFP”) — sweeps for one-to-one matches with known child pornography. If an attached file is a one-to-one match, the email is quarantined — i.e., diverted from the recipient’s inbox — and an automatic report is generated and sent to the National Center for Missing and Exploited Children (“NCMEC report”).
AOL’s second hashing program — “photoDNA” — looks for similarities among hash numbers. If photoDNA identifies an attachment with a hash number close enough to known child pornography to raise alarm, the email is once again quarantined, and “an AOL employee reviews the flagged file to confirm the presence of apparent child pornography.” Once the presence of apparent child pornography is confirmed, the employee “submit[s] a [NCMEC report],” and the file’s hash number is entered into the IDFP database.
On August 17, 2012, two emails intended for firstname.lastname@example.org were hashed and quarantined, giving rise to two corresponding NCMEC reports. The first email, which formed the basis of NCMEC report #1560137, was hashed using photoDNA — and its contents were reviewed by an AOL employee.10 The second email, which formed the basis of NCMEC report #1558963, was hashed using IDFP. No AOL employee reviewed its contents.
. . .
Third, the government suggests that DiTomasso had no expectation of privacy in his electronic communications because the ISPs responsible for facilitating those communications — AOL and Omegle — warned him that they might be “monitor[ing]” his activity. Given DiTomasso’s “clear and explicit” notice that AOL “reserved the right to . . . disclose the content of his communications to law enforcement, if [DiTomasso used] his email account for illegal activities,” and that Omegle was using an “automated system” to “screen [DiTomasso’s chats]” and potentially “share [them] with third parties, including law enforcement,” the government argues that DiTomasso can claim no reasonable expectation that his emails and chats “would not be review[ed].”
Along with the Sixth and Ninth Circuits, both of whom have addressed variations on this argument,[Warshak and Quon] I conclude that it would subvert the purpose of the Fourth Amendment to understand its privacy guarantee as “waivable” in the sense urged by the government. In today’s world, meaningful participation in social and professional life requires using electronic devices — and the use of electronic devices almost always requires acquiescence to some manner of consent-to-search terms. If this acquiescence were enough to waive one’s expectation of privacy, the result would either be (1) the chilling of social interaction or (2) the evisceration of the Fourth Amendment. Neither result is acceptable.
2. DiTomasso’s Probation Agreement Does Not Extinguish His Expectation of Privacy
The government argues that DiTomasso’s expectation of privacy in his computer — and by extension, in his emails and chats — was “severely diminished” by his probation agreement, which gave his “probation officer or their designee” blanket license to “inspect and access [DiTomasso’s] computer at anytime,  includ[ing] storage devices and other media.”
Even supposing the government is right, however, it requires a significant leap to conclude that DiTomasso had no expectation of privacy in his computer. Were that so, any government actor could continually surveil all of DiTomasso’s electronic communications without ever triggering Fourth Amendment scrutiny. This would be a radical extension of existing case law. If anything, the probation search cases are about a probationer’s expectations of privacy vis-a-vis his probation officer, not vis-a-vis all law enforcement. And even then, it is unclear whether probationers have no expectation of privacy from their probation officers — or whether Fourth Amendment protection still applies, but in an attenuated fashion.
In her concurrence in United States v. Jones, Justice Sonia Sotomayor wrote that in “the digital age,” people tend to “reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” making it “necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” Justice Sotomayor is certainly correct. But even beyond that, the “premise” to which she refers — that “an individual has no expectation of privacy in information voluntarily disclosed to third parties” — is not nearly as strong, in Fourth Amendment jurisprudence, as the government implies.
If it had been DiTomasso’s probation officer who examined his chat history, or who looked through his emails, this might well be a different case. As it stands, however, I cannot conclude that DiTomasso’s probation agreement extinguished his expectations of privacy vis-a-vis law enforcement in general.
AOL’s policy is quite different. Not only does it explicitly warn users that criminal activity is disallowed, and that AOL monitors for such activity; the policy also explains that “AOL reserves the right to take any action it deems warranted” in response to illegal behavior, including “terminating] accounts and cooperat[ing] with law enforcement.” The policy also makes clear that AOL reserves the right to reveal to law enforcement information about “crimes[s] that [have] been or [are] being committed.” In contrast to Omegle’s policy, which includes only a passing reference to law enforcement — and which gives no indication of the role Omegle intends to play in criminal investigations — AOL’s policy makes clear that AOL intends to actively assist law enforcement. For this reason, I conclude that a reasonable person familiar with AOL’s policy would understand that by agreeing to the policy, he was consenting not just to monitoring by AOL as an ISP, but also to monitoring by AOL as a government agent. Therefore, DiTomasso’s Fourth Amendment challenge fails as to the emails.
For the foregoing reasons, I conclude that DiTomasso had a reasonable expectation of privacy in the contents of his Omegle chats as well as his AOL emails. However, by agreeing to AOL’s terms of service, DiTomasso consented to a search of his AOL emails by law enforcement, thereby waiving his Fourth Amendment rights. Therefore, the two NCMEC reports arising from DiTomasso’s AOL emails, #1560137 and #1558963 — as well as any other evidence gathered as a result of those reports — are admissible under the Fourth Amendment.
Who would have imagined that AOL is a rat squad? Terms of service gives away your rights?