Reaffirming Use of the EINSTEIN 2.0 Intrusion-
Detection System to Protect Unclassified
Computer Networks in the Executive Branch
Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth
Amendment to the Constitution, title III of the Omnibus Crime Control and Safe
Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communica-
tions Act, and the pen-register and trap-and-trace provisions of 18 U.S.C. § 3121 et
seq., provided that certain log-on banners or computer-user agreements are consist-
ently adopted, implemented, and enforced by executive departments and agencies
using the system.
Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or
communications privacy laws, which would stand as an obstacle to the accomplish-
ment and execution of the full purposes and objectives of Congress and be unenforce-
able under the Supremacy Clause to the extent that such laws purport to apply to the
conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and im-
pose requirements that exceed those imposed by the federal statutes above.
August 14, 2009
MEMORANDUM OPINION FOR THE
ASSOCIATE DEPUTY ATTORNEY GENERAL
This memorandum briefly summarizes the current views of the Office
of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection
system. This Office previously considered the legality of the system in
an opinion of January 9, 2009. See Use of the EINSTEIN 2.0 Intrusion-
Detection System to Protect Unclassified Computer Networks in the
Executive Branch, 33 Op. O.L.C. 63 (2009) (“EINSTEIN 2.0 Opinion”).
We have reviewed that opinion and agree that the operation of the
EINSTEIN 2.0 program complies with the Fourth Amendment to the
Constitution of the United States, title III of the Omnibus Crime Control
and Safe Streets Act of 1968 (Pub. L. No. 90-351, 82 Stat. 197, 211,
codified as amended at 18 U.S.C. § 2510 et seq. (“Wiretap Act”)); the
Foreign Intelligence Surveillance Act of 1978 (Pub. L. No. 95-511, 92
Stat. 1783, codified as amended at 50 U.S.C. § 1801 et seq.); the Stored
Communications Act (18 U.S.C. § 2701 et seq.); and the pen-register and
trap-and-trace provisions of 18 U.S.C. § 3121 et seq. Accordingly, we
have drawn upon the analysis in that opinion in preparing this summary,
supplementing that material with analysis of an additional legal issue.
261
33 Op. O.L.C. 261 (2009)
I.
We have assumed for purposes of our analysis that computer users
generally have a legitimate expectation of privacy in the content of
Internet communications (such as an e-mail) while it is in transmission
over the Internet. 1 See, e.g., United States v. Lifshitz, 369 F.3d 173, 190
(2d Cir. 2004) (analogizing expectation of e-mail user in privacy of
e-mail to expectation of individuals communicating by regular mail);
United States v. Maxwell, 45 M.J. 406, 418 (C.A.A.F. 1996) (sender of
an e-mail generally “enjoys a reasonable expectation that police offi-
cials will not intercept the transmission without probable cause and a
search warrant”); see also Quon, 529 F.3d at 905 (“[U]sers do have a
reasonable expectation of privacy in the content of their text messages
vis-à-vis the service provider.”). Even given this assumption, however,
we believe the deployment, testing, and use of EINSTEIN 2.0 technol-
ogy complies with the Fourth Amendment where each agency parti-
cipating in the program consistently adopts, implements, and enforces
the model log-on banner or model computer-user agreements described
in this Office’s prior opinion, or their substantial equivalents. See
EINSTEIN 2.0 Opinion, 33 Op. O.L.C. at 68–71.
First, we conclude that the adoption, implementation, and enforcement
of model log-on banners or model computer-user agreements eliminates
federal employees’ reasonable expectation of privacy in their uses of
government-owned information systems with respect to the lawful gov-
ernment purpose of protecting federal systems against network intrusions
and exploitations. We therefore do not believe that the operation of intru-
sion-detection sensors as part of the EINSTEIN 2.0 program constitutes a
“search” for Fourth Amendment purposes. See Minnesota v. Carter, 525
U.S. 83, 88 (1998). Whether a government employee has a legitimate
expectation of privacy in his use of governmental property at work in
1 Computer users do not have an objectively reasonable expectation of privacy in ad-
dressing and routing information conveyed for the purpose of transmitting Internet
communications to or from a user. See Quon v. Arch Wireless Operating Co., 529 F.3d
892, 904 – 05 (9th Cir. 2008); United States v. Forrester, 512 F.3d 500, 510 –11 (9th Cir.
2008); cf. Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (no legitimate expectation of
privacy in dialing, routing, addressing, and signaling information transmitted to telephone
companies).
262
Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
particular circumstances is determined by “[t]he operational realities of
the workplace,” and “by virtue of actual office practices and procedures,
or by legitimate regulation.” O’Connor v. Ortega, 480 U.S. 709, 717
(1987) (plurality); see United States v. Simons, 206 F.3d 392, 398 (4th
Cir. 2000) (“[O]ffice practices, procedures, or regulations may reduce
legitimate privacy expectations.”). The existence of an expectation of
privacy, moreover, may depend on the nature of the intrusion at issue. See
O’Connor, 480 U.S. at 717–18 (plurality) (suggesting that a government
employee’s expectation of privacy might be unreasonable “when an
intrusion is by a supervisor” but reasonable when the intrusion is by a law
enforcement official). The model banner and model computer-user
agreement discussed in our prior opinion are at least as robust as—and we
think stronger than—similar materials that courts have held eliminated a
legitimate government employee expectation of privacy in the content of
Internet communications sent over government systems. See, e.g., Simons,
206 F.3d at 398 (finding no legitimate expectation of privacy in light of
computer-use policy expressly noting that government agency would
“‘audit, inspect, and/or monitor’” employees’ use of the Internet, “includ-
ing all file transfers, all websites visited, and all e-mail messages, ‘as
deemed appropriate’”) (quoting policy); United States v. Angevine, 281
F.3d 1130, 1132–33 (10th Cir. 2002) (finding no legitimate expectation of
privacy in light of computer-use policy stating that university “‘reserves
the right to view or scan any file or software stored on the computer or
passing through the network, and will do so periodically’” and has “‘a
right of access to the contents of stored computing information at any
time for any purpose which it has a legitimate need to know’” (quoting
policy)); United States v. Thorn, 375 F.3d 679, 682 (8th Cir. 2004) (find-
ing no legitimate expectation of privacy in light of computer-use policy
warning that employees “‘do not have any personal privacy rights regard-
ing their use of [the employing agency’s] information systems and tech-
nology,’” and that “‘[a]n employee’s use of [the agency’s] information
systems and technology indicates that the employee understands and
consents to [the agency’s] right to inspect and audit all such use as de-
scribed in this policy’” (quoting policy, emphasis in original)), vacated on
other grounds, 543 U.S. 1112 (2005). We therefore believe that the adop-
tion, implementation, and enforcement of the language in those model
materials, or their substantial equivalents, by agencies participating in the
263
33 Op. O.L.C. 261 (2009)
EINSTEIN 2.0 program will eliminate federal employees’ legitimate
expectations of privacy in their uses of government-owned information
systems with respect to the lawful government purpose of protecting
federal systems against network intrusions and exploitations. 2
We also believe that individuals in the private sector who communi-
cate directly with federal employees of agencies participating in the
EINSTEIN 2.0 program through government-owned information systems
do not have a legitimate expectation of privacy in the content of those
communications provided that model log-on banners or agreements are
adopted and implemented by the agency. The Supreme Court has repeat-
edly held that where a person “reveals private information to another, he
assumes the risk that his confidant will reveal that information to the
authorities, and if that occurs the Fourth Amendment does not prohibit
governmental use of that information.” United States v. Jacobsen, 466
U.S. 109, 117 (1984); see also United States v. Miller, 425 U.S. 435, 443
(1976) (“[T]he Fourth Amendment does not prohibit the obtaining of
information revealed to a third party and conveyed by him to Government
authorities, even if the information is revealed on the assumption that it
will be used only for a limited purpose and the confidence placed in the
third party will not be betrayed.”); SEC v. Jerry T. O’Brien, Inc., 467 U.S.
735, 743 (1984) (“[W]hen a person communicates information to a third
party even on the understanding that the communication is confidential,
he cannot object if the third party conveys that information or records
thereof to law enforcement authorities.”); Smith, 442 U.S. at 743–44 (“[A]
person has no legitimate expectation of privacy in information he volun-
tarily turns over to third parties.”). We believe this principle also applies
to a person who e-mails a federal employee at the employee’s personal
e-mail account when that employee accesses his or her personal e-mail
account through a government-owned information system, when the
consent procedures described above are followed. By clicking through the
model log-on banner or agreeing to the terms of the model computer-user
agreement, a federal employee gives ex ante permission to the govern-
2 The use of log-on banners or computer-user agreements may not be sufficient to
eliminate an employee’s legitimate expectation of privacy if the statements and actions of
agency officials contradict these materials. See Quon, 529 F.3d at 906–07. Management
officials of agencies participating in the EINSTEIN 2.0 program therefore should ensure
that agency practices are consistent with the statements in the model materials.
264
Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
ment to intercept, monitor, and search “any communications” and “any
data” transiting or stored on a government-owned information system for
any “lawful purpose,” including the purpose of protecting federal comput-
er systems against malicious network activity. Therefore, an individual
who communicates with a federal employee who has agreed to permit the
government to intercept, monitor, and search any personal use of the
employee’s government-owned information systems has no Fourth
Amendment right against the government activity of protecting federal
computer systems against malicious network activity, as the employee has
consented to that activity. See Jerry T. O’Brien, 467 U.S. at 743; Jacob-
sen, 466 U.S. at 117; Miller, 425 U.S. at 443.
Under Supreme Court precedent, this principle applies even where, for
example, the sender of an e-mail to an employee’s personal, web-based
e-mail account (such as G-mail or Hotmail) does not know of the recipi-
ent’s status as a federal employee or does not anticipate that the employee
might read, on a federal government system, an e-mail sent to a personal
e-mail account at work or that the employee has agreed to government
monitoring of his communications on that system. A person communi-
cating with another assumes the risk that the person has agreed to permit
the government to monitor the contents of that communication. See, e.g.,
United States v. White, 401 U.S. 745, 749–51 (1971) (plurality) (no
Fourth Amendment protection against government monitoring of commu-
nications through transmitter worn by undercover operative); Hoffa v.
United States, 385 U.S. 293, 300–03 (1966) (information disclosed to
individual who turns out to be a government informant is not protected by
the Fourth Amendment); Lopez v. United States, 373 U.S. 427, 439 (1963)
(same); cf. Rathbun v. United States, 355 U.S. 107, 111 (1957) (“Each
party to a telephone conversation takes the risk that the other party may
have an extension telephone and may allow another to overhear the con-
versation. When such takes place there has been no violation of any
privacy of which the parties may complain.”). Accordingly, when an
employee agrees to let the government intercept, monitor, and search any
communication or data sent, received, or stored by a government-owned
information system, the government’s interception of the employee’s
Internet communications with individuals outside of the relevant agency
through a government-owned information system does not infringe upon
265
33 Op. O.L.C. 261 (2009)
any legitimate expectation of privacy of the parties to that communica-
tion.
We also think that, under the Court’s precedents, an individual who
submits information through the Internet to a federal agency participating
in the EINSTEIN 2.0 program does not have a legitimate expectation of
privacy for Fourth Amendment purposes in the contents of the infor-
mation that he transmits directly to the participating agency. An indivi-
dual has no expectation of privacy in communications he makes to a
known representative of the government. See United States v. Caceres,
440 U.S. 741, 750–51 (1979) (individual has no reasonable expectation of
privacy in communications with IRS agent made in the course of an
audit). Further, as just discussed, an individual who communicates infor-
mation to another individual who turns out to be an undercover agent of
the government has no legitimate expectation of privacy in the content of
that information. It follows a fortiori that where an individual is com-
municating directly with a declared agent of the government, the individ-
ual does not have a legitimate expectation that his communication would
not be monitored or acquired by the government.
Second, even if EINSTEIN 2.0 operations were to constitute a “search”
under the Fourth Amendment, we believe that those operations would
be consistent with the Amendment’s “central requirement” that all search-
es be reasonable. Illinois v. McArthur, 531 U.S. 326, 330 (2001) (inter-
nal quotation marks omitted). As discussed in the prior opinion of this
Office, the government has a lawful, work-related purpose for the use of
EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0
program within the “special needs” exception to the Fourth Amendment’s
warrant and probable cause requirements. See O’Connor, 480 U.S. at 720
(plurality); see also Nat’l Treasury Emps. Union v. Von Raab, 489 U.S.
656, 665–66 (1989) (warrant and probable cause provisions of the Fourth
Amendment are inapplicable to a search that “serves special governmental
needs, beyond the normal need for law enforcement”); Griffin v. Wiscon-
sin, 483 U.S. 868, 872–73 (1987) (special needs doctrine applies in cir-
cumstances that make the “warrant and probable cause requirement im-
practicable”); United States v. Heckenkamp, 482 F.3d 1142, 1148 (9th
Cir. 2007) (preventing misuse of and damage to university computer
network is a lawful purpose). And, based upon the information available
to us, and as discussed in the prior opinion of this Office, we believe that
266
Reaffirming Use of the EINSTEIN 2.0 Intrusion-Detection System
the operation of the EINSTEIN 2.0 program falls under that exception and
is reasonable under the totality of the circumstances. See United States v.
Knights, 534 U.S. 112, 118–19 (2001) (reasonableness of a search under
the Fourth Amendment is measured in light of the “totality of the circum-
stances,” balancing “on the one hand, the degree to which it intrudes upon
an individual’s privacy and, on the other, the degree to which it is needed
for the promotion of legitimate governmental interests” (internal quota-
tion marks omitted)); New Jersey v. T.L.O., 469 U.S. 325, 337 (1985)
(“what is reasonable depends on the context within which a search takes
place”); O’Connor, 480 U.S. at 726 (plurality) (reasonable workplace
search must be “justified at its inception” and “reasonably related in scope
to the circumstances which justified the interference in the first place”)
(internal quotation marks omitted). In light of that conclusion, we also
think that a federal employee’s agreement to the terms of the model log-
on banner or the model computer-user agreement, or those of a banner of
user agreement that are substantially equivalent to those models, consti-
tutes valid, voluntary consent to the reasonable scope of EINSTEIN 2.0
operations. See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
(consent is “one of the specifically established exceptions to the require-
ments of both a warrant and probable cause”); United States v. Sihler, 562
F.2d 349 (5th Cir. 1977) (prison employee’s consent to routine search of
his lunch bag valid); cf. McDonell v. Hunter, 807 F.2d 1302, 1310 (8th
Cir. 1987) (“If a search is unreasonable, a government employer cannot
require that its employees consent to that search as a condition of em-
ployment.”).
With respect to statutory issues, we have also concluded that, for the
reasons set forth in our prior opinion—and so long as participating federal
agencies consistently adopt, implement, and enforce model computer log-
on banners or model computer-user agreements—the deployment of the
EINSTEIN 2.0 program on federal information systems complies with the
Wiretap Act, the Foreign Intelligence Surveillance Act, the Stored Com-
munications Act, and the pen-register and trap-and-trace provisions of
title 18 of the United States Code. We agree with the analysis of these
issues set forth in our prior opinion, and will not repeat it here.
267
33 Op. O.L.C. 261 (2009)
II.
Finally, we do not believe the EINSTEIN 2.0 program runs afoul of
state wiretapping or communication privacy laws. See, e.g., Fla. Stat.
Ann. § 934.03 (West Supp. 2009); 18 Pa. Cons. Stat. Ann. § 5704(4)
(West Supp. 2009); Md. Code Ann., Cts. & Jud. Proc. § 10-402(c)(3)
(LexisNexis 2006); Cal. Penal Code 631(a) (West 1999). To the extent
that such laws purport to apply to the conduct of federal agencies and
agents conducting EINSTEIN 2.0 operations and impose requirements
that exceed those imposed by the federal statutes discussed above, they
would “stand[] as an obstacle to the accomplishment and execution of
the full purposes and objectives of Congress,” and be unenforceable under
the Supremacy Clause. Hines v. Davidowitz, 312 U.S. 52, 67 (1941);
see also Geier v. American Honda Motor Co., 529 U.S. 861, 873 (2000)
(same); Old Dominion Branch v. Austin, 418 U.S. 264, 273 n.5 (1974)
(Executive Order “may create rights protected against inconsistent state
laws through the Supremacy Clause”); Bansal v. Russ, 513 F. Supp. 2d
264, 283 (E.D. Pa. 2007) (concluding that “federal officers participating
in a federal investigation are not required to follow” state wiretapping law
containing additional requirements not present in the federal Wiretap Act,
because in such circumstances, “the state law would stand as an obstacle
to federal law enforcement”); Johnson v. Maryland, 254 U.S. 51 (1920);
cf. United States v. Adams, 694 F.2d 200, 201 (9th Cir. 1980) (“evidence
obtained from a consensual wiretap conforming to 18 U.S.C. § 2511(2)(c)
is admissible in federal court proceedings without regard to state law”).
DAVID J. BARRON
Acting Assistant Attorney General
Office of Legal Counsel
268