This being the Internet, it was perhaps fitting that one of the seminal online privacy cases involved penis pills. And not just any penis pills—no, the case was about Enzyte, the tablet promising “natural male enhancement.” Enzyte was once such a staple of late-night TV advertising in the United States that its unspeaking spokesman Smilin’ Bob became not only the “envy of his neighborhood” but a cultural icon. The reason for Bob’s unsettling grin wasn’t spelled out directly in the ad, but the admiring housewives of his neighborhood clearly sensed that something extraordinary had taken place inside Bob’s pants.
Something extraordinary was also taking place at Berkeley Nutraceuticals, the Cincinnati startup behind Enzyte. The company, founded by Steven Warshak, eventually sold 13 different herbal products with vaguely medical-sounding names like Rovicid (allegedly enhanced sex), Ogoplex (allegedly intensified orgasms), and Keflex (allegedly masked drug traces in urine), but it was Enzyte that became the corporate gold mine.
Readers of this site aren’t the sort of people who purchase sex concoctions from online retailers, of course. Readers of this site have finely tuned senses for snake oil and secretly suspect that no one actually buys herbal penis supplements from TV pitchmen. But readers of this site live in a rarefied world.
In the real world, Enzyte proved a massive hit with late-night TV watchers and men’s-magazine readers. At the Enzyte launch in 2001, Berkeley Nutraceuticals employed some 15 people, mostly friends and family of Steven Warshak; Warshak’s septuagenarian mother Harriet even helped out in the business. By 2004, Berkeley had grown to 1,500 employees and ran a 24-hour call center to process orders. That year, it sold $250 million of supplements—most of it Enzyte.
Berkeley became an entrepreneurial success story and a major Cincinnati employer. Smilin’ Bob’s grin grew so big it looked as though it was about to split his face in two, but the grin hid a secret. Though Berkeley bragged in ads that Enzyte had a 96 percent customer-satisfaction rate, huge numbers of customers had actually complained. The complaints grew loud enough that the head of the Better Business Bureau wrote a letter to Warshak in mid-2004 to announce “serious concerns about the number of complaints” it had received. Those complaints had a single focus: Berkeley’s “auto-ship” program.
Berkeley didn’t make most of its cash from people looking to try a single box of Enzyte tablets; it made most of its cash from putting callers into a renewal program that sent them a $70 supply of Enzyte every two months until canceled. Many customers had no idea that they had even signed up for such a renewal program, however, and canceling was (purposely) difficult.
The FBI and the Federal Trade Commission both began sniffing around Berkeley and soon unearthed a set of shocking corporate practices. In 2001 and 2002, Berkeley customers were “were simply added to the [auto-ship] program at the time of the initial sale without any indication that they would be on the hook for additional charges,” wrote one federal judge, summing up the evidence amassed against Warshak and his firm. When asked why customers weren’t told about auto-shipping until their orders actually arrived in the mail, Berkeley chief operating officer James Teegarden eventually testified in court that “nobody would sign up.”
Apparently realizing that the auto-ship program might attract unwanted attention, Berkeley began making disclosures during the initial customer phone call—but only after the order had been placed. The disclosure immediately followed the line, “This product is not a contraceptive nor will it prevent any sexual disease.” Teegarden admitted that this placement was deliberate. The company believed that “if we started off with a statement about a contraceptive, something other than what it was, that people wouldn’t really listen to what we were disclosing to them,” he testified.
Not that the “disclosure” always meant much. In November 2003, Berkeley outsourced some of its Enzyte sales calls to another firm. That firm actually asked customers outright if they wanted to join auto-ship; not surprisingly, 80 percent declined. Warshak wouldn’t stand for this. “Take those customers, even if they decline[d], even if they said no to the Auto-Ship program, go ahead and put them on the Auto-Ship program,” he ordered his employees in an email. Another Berkeley email showed that “all customers, whether they know it or not, are going on [auto-ship].”
Surprised customers routinely demanded an end to auto-ship, and they wanted refunds. In late 2003, Warshak told his staff to remove the company’s return shipping address from the label on its own products. “Let’s make them call—work some deals,” he said, telling call-center staff to convince unhappy customers to accept other “nutraceuticals” in lieu of cash refunds or credit.
The resistance to refunds reached comic extremes. The dry description of 6th Circuit Appeals Court Judge Danny Boggs illustrated the lengths to which Berkeley would go to avoid returning cash: “At one point, Enzyte customers seeking a refund were told they needed to obtain a notarized document indicating that they had experienced ‘no size increase.’ The admittedly ingenious idea behind the policy was that nobody ‘would actually go and have anything notarized that said that they had a small penis.’ In 2002, ‘there was really no refund policy. It was: Sorry, you got it, you keep it, and we’ll cancel you off of future shipments.’ ”
This led to short-terms gains but long-term problems. Angry customers, unable to get satisfaction from Berkeley, went to their credit card companies instead. Berkeley’s “chargeback” ratio went through the roof as customers disputed charges and banks took money back from Berkeley, putting the company’s very ability to accept credit cards in jeopardy. (Payment processors would have cut off Berkeley if more than 1 percent of its transactions were chargebacks).
Berkeley went frantic in its attempt to keep the chargeback ratio low. The company “double-dinged” on charges, splitting transactions into two parts (one for the product, one for shipping), billing each separately. By 2003, it was triple-dinging charges to make the volume of “good” transactions appear higher. If Berkeley thought its chargeback ratio was too poor in any given month, employees would bill Warshak’s personal credit cards with a host of $1 transactions until his card limits were reached; Warshak would then be reimbursed by the company.
When even more good transactions were needed, Berkeley simply plucked random customers from its database, charged their credit cards, then immediately refunded the money. In April 2002, for instance, 2,482 customer credit cards were billed $19.95 each, after which the charges were reversed. If people called to complain, Berkeley blamed a “computer glitch.”
What customers got for their money was a supply of herbal supplements designed to look as much like a pharmaceutical as possible, right down the shape and color of the tablets. Berkeley lacked scientific evidence that Enzyte worked, but it’s fair to say that efficacy wasn’t one of the company’s chief concerns. For instance, Berkeley at some point reformulated Rovicid, its prostate-health/sex-enhancing supplement, as a “heart-health dietary supplement” instead. Rather than throw out the old Rovicid, Berkeley simply slapped new labels on the old containers—even though the new ingredient list didn’t match what was in the tablets. In 2004, when Food and Drug Administration inspectors came through the company’s warehouse, the second shift manager went to the “sick aisle” of mislabeled products, packed the relabeled Rovicid into a rental truck, and drove it to the parking lot of another Berkeley-owned building. He restocked it after the inspectors left.
An early magazine ad for Enzyte claimed that the product had been developed by “Dr. Fredrick Thomkins, a physician with a biology degree from Stanford; and Dr. Michael Moore, a leading urologist from Harvard.” But as Teegarden would later admit on the witness stand in the federal case against the company, “Those two doctors did not exist.”
The 96 percent satisfaction rate too was illusory. After receiving an email from Warshak, Teegarden simply created a spreadsheet of 500 people drawn from the Enzyte customer database, then marked 480 of them as either “satisfied” or “very satisfied.” Voilà—instant customer survey.
Berkeley’s approach to marketing its products was perhaps best summed up by a February 2005 email from Warshak that explained the secrets of his advertising success. “GET 3–4 BOTTLES OF WINE…THEN SIT AROUND AND MAKE SHIT UP!!” he wrote. “THAT’S WHAT I DO…BUT WRITE IT ALL DOWN OR YOU’LL FORGET IT THE NEXT DAY.”
Warshak argued that his company was simply the victim of its own success, overwhelmed with orders and run by people with no real experience in business at this scale. Berkeley’s “operational deficiencies,” as Warshak’s lawyers called them, were simply “a byproduct of unsophisticated business practices in Berkeley’s formative years and Berkeley’s virtually unprecedented growth, rather than the result of criminal fraud.” As evidence, they noted that the company had finally abandoned its undisclosed auto-ship program after several years and had installed an automated system to record all calls with customers. It even set up a compliance department, which at one point had nearly fifty employees, to ensure that customer interactions were aboveboard.
As for the government’s negative spin on Berkeley’s business practices—well, this was merely normal corporate behavior, went the defense argument. “Negotiating with customers to try to save sales, implementing strategies to recover credit card transactions that were declined, and continuously revising corporate policies regarding refund and guarantee programs—all of which the government sought to criminalize—are standard American business practices,” wrote Warshak’s lawyers.
They didn’t convince either a jury or a set of appeals court judges. (As Judge Boggs eventually wrote of the company, “A reasonable juror could easily conclude that Berkeley’s sales operation was, for the entire duration of its existence, little more than a colossal fraud.”) After a six-week federal trial in early 2008, Warshak was sentenced to 25 years in prison, and he had to surrender $459 million in proceeds from the sale of Berkeley products and another $44 million for money laundering. His mother, Harriet, got two years in jail. Berkeley eventually entered bankruptcy.
The case had been made partly on the back of Warshak’s private emails, even though he had taken numerous precautions to secure these. Somehow the feds got their hands on those messages even before they obtained a search warrant. How had it happened? The answer to that question made the Enzyte case a pivotal piece of Internet law—and revealed how investigators had learned to lean on another key pressure point in the Internet ecosystem: third-party servers.
***
Warshak’s emails had helped to secure the 112-count indictment against him from an Ohio grand jury in 2006. But when the government finally turned over its evidence against Warshak in the run-up to his 2008 trial, his lawyers noticed something strange: The government had grabbed 27,000 of Warshak’s emails even before executing a 2005 search warrant on Berkeley’s corporate headquarters.
This didn’t seem possible. Warshak’s email provider, NuVox, deleted his messages from its servers after Warshak’s computer grabbed a copy of them. To get access to the messages, the feds should have had to infiltrate Warshak’s computer or wiretap Warshak’s Internet connection to look for email on the wire. But there had been no software subterfuge and no Internet wiretap. Instead, government lawyers had sent NuVox a letter on Oct. 25, 2004, demanding that the company “preserve” copies of Warshak’s future emails. The company complied without notifying Warshak, maintaining a private cache of all his messages rather than deleting them when his computer downloaded copies. The feds then returned twice in 2005 with court orders—but not with the much-harder-to-get warrants—to collect the emails that had been “preserved” for them.
Warshak’s lawyers were furious. The Stored Communications Act covers situations like this one in which user data is held by a third-party service like NuVox or Google or Yahoo and is stored on that company’s servers, and it makes that data fairly simple to get. Full warrants are often not required, in part because such surveillance is “retrospective”; the government gets access only to messages already stored on the server by a suspect. Even the name of the act makes this distinction clear—it was meant to cover “stored” material.
“Prospective” surveillance is generally covered by a different law, the Wiretap Act, and by the much more stringent requirement to obtain a “probable cause” warrant first. Orin Kerr, a leading Internet privacy scholar, notes that “prospective surveillance tends to raise difficult questions of how the communications should be filtered down to the evidence the government seeks” and that “retrospective surveillance usually presents a less severe filtering challenge.”
In Warshak’s case, the government had used a retrospective process to gain access to prospective messages. The SCA does allow the government to issue “preservation” requests, but these apply only to existing records that might be at risk of deletion; they do not apply to future messages. The Department of Justice’s own surveillance manual made this clear even at the time, reminding agents that preservation requests “have no prospective effect. … [Preservation] letters can order a provider to preserve records that have already been created, but cannot order providers to preserve records not yet made.”
The fundamental issue went deeper than the improper preservation request, however, and struck at the heart of the SCA. If the government had to get warrants to open a suspect’s postal mail or to search his home, why didn’t the government need a warrant to seize email stored on a third-party server? Wasn’t this an “unreasonable search and seizure” under the Fourth Amendment?
Warshak appealed his 2008 conviction to the 6th Circuit Court of Appeals, saying that “the issue of whether the government’s secret ex parte [one-sided] acquisition of private emails without the consent of either the sender or recipient, without a showing of probable cause, without a warrant, and without limits on the scope of the privacy invasion authorized is one of grave importance in an age where email communications have largely replaced letters as the universal means of written communication and have made substantial inroads on the use of the telephone.”
The Electronic Frontier Foundation, the organization co-founded by John Perry Barlow, weighed in on Warshak’s side during the appeal. “Put simply,” it wrote, “the government misused the SCA to conduct a ‘back door wiretap’ of Warshak’s e-mails and bypass the Wiretap Act’s strict requirements, including its requirement of probable cause.”
A three-judge panel of 6th Circuit appellate judges took up the question in a lengthy opinion handed down on Dec. 14, 2010. To address the Fourth Amendment issue, the judges first had to decide if taking the emails from NuVox constituted a “search” at all—with “search” in this case defined as the government infringing upon “an expectation of privacy” that “society is prepared to consider reasonable.”
The first part of the definition proved simple to answer. Warshak clearly expected his messages to remain private. As the judges wrote, “Given the often sensitive and sometimes damning substance of his emails, we think it highly unlikely that Warshak expected them to be made public, for people seldom unfurl their dirty laundry in plain view.”
Did society concur that this expectation was reasonable? That depended on how literally the judges interpreted the Fourth Amendment—and whether they sided more with a famous bootlegger or a famous gambler.
***
The Fourth Amendment to the U.S. Constitution wasn’t written with email in mind. It protects “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures” and says that this security “shall not be violated, and no Warrants shall issue, but upon probable cause.” Read literally, this applies much more obviously to tangible items than to electrical signals on a wire.
In 1928, former President William Howard Taft confronted this issue as a Supreme Court justice. The court had taken the case of famous Seattle bootlegger Roy Olmstead, a onetime police lieutenant who set up a thriving trade in alcohol during Prohibition. Olmstead operated quite openly in Seattle, eventually becoming one of the area’s largest employers. He had an office downtown complete with six telephone lines to take orders for booze.
Prohibition agents wiretapped these lines without a warrant and used the taps in their case against Olmstead and his crew. Police eventually arrested 90 people, including Olmstead and his wife—who were accused of doing $2 million in prohibited sales per year.
The government obtained convictions, but the case was appealed to the 9th Circuit in San Francisco and then to the Supreme Court in Washington, D.C., Olmstead’s key contention was that his Fourth Amendment rights had been violated by the warrantless wiretaps. The government argued, however, that its phone taps had occurred outside Olmstead’s office building; therefore, it had not “searched” his person, property, or possessions. No warrant was needed.
Taft wrote the majority decision in the case, one woodenly literal in its interpretation. “The reasonable view is that one who installs in his house a telephone instrument with connecting wires intends to project his voice to those quite outside, and that the wires beyond his house and messages while passing over them are not within the protection of the Fourth Amendment,” he wrote. “There was no searching. There was no seizure. The evidence was secured by the use of the sense of hearing and that only. There was no entry of the houses or offices of the defendants.”
But as the telephone became ubiquitous, the Olmstead ruling became more difficult to defend. U.S. law had protected the security and privacy of the postal service since the republic’s early days, but the police were now free to listen to anyone, anywhere, so long as they resorted to an outside-the-home phone tap. Could it really be the case that the privacy of a conversation depended solely on the medium used to hold it?
This was untenable, and in 1967 the Olmstead decision collapsed as another Supreme Court articulated a wildly different privacy standard. The justices were this time dealing with small-time gambler Charles Katz, who had been arrested in Los Angeles after another warrantless wiretap. Katz routinely left his home and walked down to a group of three public pay phones, where he placed a series of calls at the same time each day. FBI agents investigating Katz for interstate gambling placed microphones on the outside of two phone booths; the phone company put an “out of order” sign on the third. A recording device on top of the booths captured Katz’s conversation, which consisted of cryptic phrases like “give me Duquesne minus 7 for a nickel!” No warrant had even been sought.
Katz objected to these recordings being played at his trial. An appellate court allowed the recordings to be played, writing that—as in the Olmstead case—no Fourth Amendment violation had occurred because the FBI microphones had been outside the private space of the phone booth.
But when the Supreme Court took the case, it gutted this logic. “The Fourth Amendment protects people, not places,” wrote Justice Potter Stewart for the majority. “What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” He went on: “No less than an individual in a business office, in a friend’s apartment, or in a taxicab, a person in a telephone booth may rely upon the protection of the Fourth Amendment. One who occupies it, shuts the door behind him, and pays the toll that permits him to place a call is surely entitled to assume that the words he utters into the mouthpiece will not be broadcast to the world. To read the Constitution more narrowly is to ignore the vital role that the public telephone has come to play in private communication.”
Though the court recognized that the agents had acted with restraint, capturing only Katz’s gambling-related calls and tossing out the rest, it refused to leave this restraint to the sole judgment of the investigators conducting the surveillance. The supervision of a judge, exerted through the warrant process, was essential. The opinion continued:
“[Agents] were not required, before commencing the search, to present their estimate of probable cause for detached scrutiny by a neutral magistrate. They were not compelled, during the conduct of the search itself, to observe precise limits established in advance by a specific court order. Nor were they directed, after the search had been completed, to notify the authorizing magistrate in detail of all that had been seized. In the absence of such safeguards, this Court has never sustained a search upon the sole ground that officers reasonably expected to find evidence of a particular crime and voluntarily confined their activities to the least intrusive means consistent with that end.”
After Katz, tapping phone calls would require a warrant.
***
Before the Warshak case, email on third-party servers was treated much as phone calls had been a century before—and the policy suffered from the same clear inconsistencies. The government needed a warrant to grab email from people’s personal computers, it needed a warrant to wiretap their Internet connections in real time, it needed a warrant to read their postal mail, and it needed a warrant to tap their phone calls. But when a person’s email was stored off-site on a third-party server—suddenly, no warrant was needed.
The government had an argument to defend this position, the so-called “third-party doctrine.” Once the target of surveillance had voluntarily revealed information to someone else, the idea went, it was no longer quite so private and so could be obtained from that third party with a mere subpoena, which didn’t require the high “probable cause” standard of evidence. This doctrine explained why remotely stored email was so easy to access under the SCA, despite the fact that no one “reveals” the contents of their email to their email provider in the same way they might show a letter to a friend. Not surprisingly, the third-party doctrine has been roundly criticized.
Whatever the intellectual oddities of this position, seizing email from Internet servers quickly became a practical boon for investigators. “Even just five years ago, if the government wanted to get access to potentially incriminating evidence from the home computers of ten different suspects, investigators had to convince a judge that they had probable cause in order to obtain a search warrant for each person,” wrote security researcher Chris Soghoian in a 2009 paper. “The investigating agency would then send agents to raid the homes of the individuals, remove the computers, and later perform labor-intensive forensic analysis in order to get the files.”
Data stored on remote Internet servers made this process much easier. No longer did agents need to raid someone’s home or obtain a wiretap order; they could peek at the email evidence first before going to those greater lengths. A whole host of such email orders targeted at Google’s Gmail, for instance, could be executed at once—and executed cheaply.
If the appellate judges handling Warshak followed Katz rather than Olmstead, however, email could become substantially more difficult for investigators to access. The Warshak ruling, the judges knew, would be a pivotal one, and they issued an expansive opinion that focused on the Fourth Amendment and its relationship to email.
Citing Katz, the court ripped into the Stored Communications Act and its low level of protection for email. Judge Danny Boggs wrote:
“If we accept that an e-mail is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP [Internet Service Provider] to turn over the contents of an e-mail without triggering the Fourth Amendment. An ISP is the intermediary that makes e-mail communication possible. E-mails must pass through an ISP’s servers to reach their intended recipient. Thus, the ISP is the functional equivalent of a post office or a telephone company. As we have discussed above, the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is.
It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber’s e-mails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement absent some exception.”
The court then dropped its bombshell: “To the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.” Email—at least in the 6th Circuit—was entitled to the same warrant protections as phone calls and letters.
Lawyers at the Electronic Frontier Foundation were jubilant. “Today’s decision is the only federal appellate decision currently on the books that squarely rules on this critically important privacy issue,” wrote EFF lawyer Kevin Bankston. “When the government secretly demands someone’s e-mail without probable cause, the e-mail provider can confidently say: ‘Come back with a warrant.’ ”
Paul Ohm, a former Justice Department lawyer turned law professor, called the ruling “a very big deal” that “marks the first time a federal court of appeals has extended the Fourth Amendment to e-mail with such care and detail.”
The ruling was good for email users; Warshak hoped it would be good for him, too. But although his constitutional rights had indeed been violated by the investigation, the court declined to overturn the verdict. Noting that most of the evidence actually presented at trial came from the physical raid on Berkeley headquarters rather than from the emails, and that the search warrant application had not used the emails as evidence, the court called the violation in Warshak’s specific case “mostly harmless.”
***
Berkeley Nutraceuticals entered bankruptcy as a result of the investigation, but it was rescued by its local landlord, Pristine Bay, which said it didn’t want to lose an anchor tenant. Berkeley’s name was changed to Vianda. The company now sells a “new” Enzyte blend that includes horny goat weed, ginseng, and ginkgo biloba—though it says it has ditched the shady sales practices. As for Smilin’ Bob, he’s still smiling his way through TV commercials; devotees can even order “Livin’ Large” T-shirts adorned with the character’s face.
Warshak now resides in an Ohio federal prison. (His mother, Harriet, was eventually given five years probation instead of jail time, and due to ill health was released from community service obligations.) He forfeited homes, numerous bank accounts, several vehicles, annuities, college savings plans, a $10,000 membership to the La Costa Resort and Spa, two grand pianos, and even a Segway scooter as part of the judgment against him.
The U.S. marshal for the Southern District of Ohio, which collected and sold Warshak’s valuables to pay his judgment, did a thorough job of tracking down his property—but the marshals couldn’t find the Segway, which Warshak’s family had reported stolen. Three years later, the Segway resurfaced in the abandoned property room of the local sheriff’s office. Someone had found it by the side of a highway back in 2008; it took until 2011 for police to realize that it was the missing Warshak scooter. In May 2012, after the gear had all been sold, the Department of Justice released $24 million to repay Berkeley victims.
With that, the case wound to an almost farcical close—but not before it set a powerful privacy precedent for the digital age. The next time you check your email, remember that its privacy was secured, in at least some small way, by a penis pill.
Excerpted from The Internet Police: How Crime Went Online, and the Cops Followed by Nate Anderson. Copyright © 2013 by Nate Anderson. With permission of the publisher, W.W. Norton & Company, Inc.
