Or texting, the composing and sending of brief, electronic messages between two or more mobile phones, or between fixed or portable devices, over a phone network. The term originally referred to messages sent through the Short Message Service (SMS). It now includes messages with image, video, and sound content, which is known as Multimedia Messaging Service (MMS) messages. Text messages may be used to interact with automated systems for several activities, including ordering products or services. Companies use direct text marketing, instead of mail, email or voicemail, to inform mobile phone users about promotions, payment due dates, and similar matters.

The provider, or carrier, retains records of the customer's cell phone use, including calls, text messages, and pictures sent from the user's phone. Most cell phone carriers provide detailed information on the phone's use in bills sent to the owner. The details include when a text message or image was sent from the user's phone and how much it cost to transmit. If the user is charged for messages and pictures sent to the user's phone, the bill likely will show when it was sent. The bill does not say what was written in a text message nor does it show the images.

Federal privacy laws, such as the Consumer Telephone Records Protection Act of 2006, 120 Stat. 3568, prohibit cell phone carriers from disseminating phone records, even to the phone owner or to the party that pays the bill. The rationale for this regulation is that the records often show that someone else may have sent or received the message and that person's privacy rights must be protected. Exceptions to the rule include the following: If the owner believes that his or her phone is being used for criminal activities, or if the owner is being harassed or threatened through text messages, the phone owner may need a court order requiring the phone carrier to release the records. Some cell phone carriers limit the time period that the text messages and images are stored on their computers.

One of the landmark cases on privacy relevant text messaging is City of Ontario v. Quon, 560 U.S. 746 (2010). The U.S. Supreme Court held in this case that a government employer conducted a legal search of its employee's text messages transmitted on employer-issued pagers. Quon was an employee with the city of Ontario, California, police department. The city issued pagers to its employees, including Quon. Years prior to receiving the pagers, Quon and his coworkers had signed an employee acknowledgment of the city's computer usage, Internet and email policy. This document prohibited personal use of city-issued devices, including computers. The policy also stated, “[employees] should have no expectation of privacy or confidentiality when using [city-issued electronic] resources.” The city never formally modified its policy to include pagers; however, it did orally notify its employees that the policy applies to pager use.

According to its service contract with Arch Wireless, the city was required to pay any overage charges in pager use. Recognizing that many of the officers used the pagers for both personal and professional purposes, the city maintained an informal policy whereby if each officer paid the resulting overage charges, the city would not audit the text messages to determine if the overages were for private rather than business use.

Quon's pager usage incurred several months of overage charges. Even though he had paid for the charges, officials decided to audit his text messages. The city requested the transcripts of the text messages from the wireless company. During the audit, the city discovered several sexually explicit text messages that Quon had sent to his wife and to his girlfriend. After finding these messages, the city terminated Quon. He then sued the city for violations of his right to privacy under the California constitution and the Fourth Amendment to the U.S. Constitution, as well as Arch Wireless for violating the Stored Communications Act, 100 Stat. 1848 (1986).

The Ninth Circuit affirmed the trial court's decision in Quon's favor, holding that he had a reasonable expectation of privacy in his text messages, that the audit was constitutionally unreasonable in scope, and that Arch Wireless had violated the Stored Communications Act by sending the text message transcripts to the city. The city appealed to the U.S. Supreme Court, which granted certiorari only as to the Fourth Amendment claim against the city.

The Supreme Court held that, even assuming Quon had a reasonable expectation of privacy, the search was reasonable because the city had a legitimate, work-related rationale for the search, and it was not overly intrusive. Unlike the Sixth Circuit in United States v. Warshak, 631 F.3d 266 (2010), which recognized that interpretation of the Fourth Amendment must change with the times and evolve to be relevant in the digital era, the Supreme Court cautiously stated: “The judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.” Nonetheless, it was significant that the Quon Court indicated the following: “employer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.”

Thus, it would seem that a carefully crafted electronic use policy could eradicate, or at least considerably alter, an employee's reasonable expectation of privacy when using employer-issued electronic devices such as laptops and cell phones. Quon was the first of a large number of electronic communication appellate decisions during the 1980s, a time when use of smartphones and social media was expanding rapidly.

Employers learned that it was necessary to be specific when drafting electronic use policies. Employers must decide whether, and under what parameters, to allow limited personal use of not only company computers but also company email and personal web-based email. If employers intend to monitor employee use of company computers and e-mail, language should be included noting that the company may monitor, search, access, inspect and read computer contents and/or email, and that electronic information created, stored, received, or sent on company computers is not private. Individuals, whether in the workplace or not, must realize that password-protected email accounts, even though personal, are usually safe, but privacy rights as to cell phones and text messages, especially involving company-issued devices, are quite tenuous.

Search of texts incident to arrest

A recent California Supreme Court case, People v. Diaz, 244 P3rd 5011 (2011), further reduced the Fourth Amendment protection afforded text messages in the context of a lawful arrest. In this case, a deputy sheriff witnessed Diaz participate in the sale of narcotics to a police informant. Once the sale was completed, the deputy stopped Diaz and arrested him for conspiracy in selling drugs. Incident to his arrest, the deputy searched Diaz's person and found drugs and his cell phone. After arriving at the police station, the deputy continued to question Diaz, but Diaz refused to cooperate. A full one and one half hours after arresting Diaz, the deputy searched Diaz's cell phone and found an incriminating text message. Once confronted with the text message, Diaz admitted to his role in the drug deal. Diaz later moved to suppress both the text message and his subsequent confession as resulting from an unlawful, warrantless search.

The California Supreme Court affirmed the decisions of the appellate and lower courts, finding that the search was a lawful search incident to arrest because the cell phone was immediately associated with [Diaz's] person at the time of arrest, which is an exception to the Fourth Amendment's warrant requirement. The court did not reflect much on the impact of developments in modern technology on searches incident to a lawful arrest, indicating: “If … the wisdom of the high court's decisions ‘must be newly evaluated’ in light of modern technology[,] … then that reevaluation must be undertaken by the high court itself.” The court then echoed previous U.S. Supreme Court search and seizure cases, such as United States v. Ross, 456 U.S. 798 (1982), in articulating that the character of the searched item should not influence the analysis of whether a warrantless search was lawful, despite the seemingly infinite storage capacity of cell phones. The court noted: “differing expectations of privacy based on the amount of information a particular item contains should … be irrelevant.”

Text message spamming

In 2002, a dramatical increase in the spamming of mobile phone users through SMS led cellular service carriers to adopt steps to halt these problems before they became widespread. The existence of mobile phone spam was first reported by consumer groups. In 2005, UCAN sued Sprint for spamming its customers and charging them $0.10 per text message. In 2006, the parties reached a settlement, with Sprint agreeing not to send its customers Sprint advertisements via SMS.

In late 2006, SMS expert Acision (formerly LogicaCMG Telecoms) reported the first instances of SMiShing (which is similar to email phishing scams). In SMiShing, users receive SMS messages that claim to be from a company and that entice users to phone premium-rate numbers or reply with personal information. PhonepayPlus, a British consumer group in Britain, reported a similar problem in 2012.

Security concerns

Consumer SMS is not the appropriate media for confidential or secure communication. The network operator's systems and personnel know the contents of ordinary SMS messages. To contend with security issues, many companies use an SMS gateway provider based on SS7 connectivity to route messages. This international termination model has the advantage of routing data directly through SS7, which allows the provider to see the complete path of the SMS. Therefore, SMS messages may be sent directly to and from recipients without going through the SMS-C of other mobile operators. This approach reduces the number of mobile operators that handle the message. It is not a secure end-to-end communication because the message contents travel through the SMS gateway provider.

Failure rates without backward notification can be high between carriers (T-Mobile to Verizon is quite bad in the United States). International texting can be extremely unreliable depending on the country of origin, destination, and respective carriers.

An alternative approach is to use end-to-end security software that operates on both the sending and receiving device, where the original text message is transmitted in encrypted form as a consumer SMS. By using key rotation, the encrypted text messages stored under data retention laws at the network operator cannot be decrypted even if one of the devices is compromised. A problem with this approach is that communicating devices need to run compatible software. Key management also requires individual pairing of devices or a central point of trust.

Text messaging and surveilliance

There are two separate standards under current U.S. surveillance law, which provides differing degrees of legal protection for different data types. Communication content (the “what” of the message) generally is more protected than the associated “metadata” records ( the receiver of the message, as well as when and where the message is conveyed). Although U.S. surveillance law has many shortcomings, the law is largely neutral in governing particular types of technologies. Therefore, emails, Facebook messages, private Twitter direct messages, and Snapchat photos are all communications content and receive an equal degree of legal protection.

While U.S. law is technology-neutral in terms of communications content, it provides different treatment in terms of metadata because the communications that flow over the telephone network and on the Internet receive different treatment. The federal government can compel the production of Internet communications metadata, such as the “to” and “from” information associated with emails, with either a search warrant or other type of court order, 18 USC 2703(c)(1). In other words, to obtain records on emails or Facebook messages, federal agents must convince a judge to issue an order of production for these records.

The government may also obtain local and long-distance telephone billing records associated with an account only with a subpoena. Thus, the government can obtain a list of the numbers (and names) that the owner called with a subpoena, but determining the names or email addresses of the people that the owner emails requires a court order (18 USC 2703(c)(2)).

Such different standards for metadata surveillance of internet and phone communications is now obsolete. Today, telephone calls and emails are no longer conducted on different devices, connected to different networks, and use services provided by companies in different industries. In the contemporary environment, communications are transmitted over the same device (often a smartphone), and all types of data flow over the same network, that is, the Internet.

Surveillance standards are different for Google's many different text-messaging services.

Google includes (or distributes) at least four different text-messaging applications and services for its Android mobile operating system:

The Google+ and Talk apps are clearly Internet-based communication services. Therefore, records associated with Google+ or Talk conversations are protected by 18 USC 2703(c) (1), and their disclosure requires a court order, as is the case with government surveillance of email communications.

It is much more difficult to define Google Voice. Messages between two Google Voice subscribers using the Google Voice app on their smartphones are transmitted over the Internet and do not use the SMS functionality provided by the wireless carriers. Because Google Voice is interoperable with the wireless carriers' SMS system, however, messages sent to people not using Google Voice are transmitted by Google through the SMS system. Google Voice is a hybrid system. As such, it is very difficult, just by the letter of the statute to determine what the legal standard should be for the government to obtain metadata records.

The government is, in fact, obtaining Google Voice records without a court order. Although the law remains unclear, Google produces records to the government of SMS messages sent through Google Voice with only a subpoena. Google is considered to be in a difficult position. Obsolete surveillance law provides different treatment for telephone and Internet communications, so hybrid services that communicate over both Internet and communications networks are in a legally ambiguous area. If Google produces Google Voice text message metadata with a mere subpoena, however, will it insist on a court order before providing Google Talk or Google+ text-messaging metadata to law enforcement officers? Google should disclose its decision to its customers.

It seems highly unreasonable to impose differing legal standards for phone and Internet metadata in the current environment. Civil liberties groups, legal scholars, and telecommunications companies have asked Congress to update the Electronic Communications Privacy Act (ECPA) to reflect current circumstances. Congress has much to do to improve the privacy protections for metadata, whether transmitted by the Internet or telephone. The subpoena standard for basic subscriber records (including telephone billing records) means that obtaining these sensitive records are typically the first step in any investigation, long before the state would be able to persuade a judge to issue an order compelling the production of other forms of data. When Congress first passed the ECPA in 1986, and permitted the government to obtain communications metadata with a subpoena, the phone companies did not store vast amounts of customer data, and law enforcement did not make a large number of requests.

This environment has now dramatically changed. The low cost of digital storage, along with increased pressure from law enforcement, has led wireless carriers to create retention policies that last several years. Law enforcement has been requesting larger and larger amounts of phone records. Sprint, the third-largest wireless carrier, alone receives 500,000 subpoenas annually. Many of these likely involve historical call detail records for text messages.

Further Reading

See also: City of Ontario v. Quon; Electronic Communications Privacy Act (ECPA); Facebook; Fourth Amendment to the U.S. Constitution; Google; Metadata; Spam; Stored Communications Act (SCA); Telephones; Workplace, privacy in the