July 30, 2007
Fourth Amendment Privacy Case Law Bonanza
By Ethan Ackerman
In June, privacy advocates generally celebrated the Sixth Circuit’s important 4th Amendment ruling in US v. Warshak. But hot on its heels, the Ninth Circuit sobered the tone rather quickly in US v. Alba, declining to find 4th Amendment protection for email and IP addresses. Alba dealt with the use of a pen register to collect IP addresses and out- and in-bound email addresses that the suspect visited/emailed. Based on the results of the pen register, the government got a warrant for subsequent surreptitious keylogging and screen captures on the defendant's PC. At the trial court level, the defendant challenged only the pen registers and not the subsequent warrant-based surveillance. Coming so close on the heels of the privacy-expansive holding in Warshak, US v. Alba drew attention (and quite possibly some of the best off-the-cuff 4th Amendment banter/criticism on the Web) for its apparent holding that email addresses and IP addresses have no 4th Amendment protection. The Ninth Circuit generated enough confusion over the facts surrounding this holding to merit a subsequent clarification from the court as to whether this surveillance occurred surreptitiously on the defendant's PC (nope) or at the ISP level (yep).
Following closely on Alba's release, while everyone was still confused about just where the pen register interception happened, Wired News broke the details of US v. Glazebrook, a District court opinion on FBI keylogging that used some sort of software exploit or social engineering to allow remote monitoring of the PC of a high school MySpace user making bomb threats. The Glazebrook surveillance was done pursuant to a traditional court-reviewed warrant, leaving little room for 4th Amendment issues. Nonetheless, the case (and especially the warrant affidavit) is great reading, full of interesting technological questions regarding the FBI's covert remote monitoring capabilities.
Another District court decision, United States v. D'Andrea, provides an interesting take on the 4th Amendment protections of web-stored files with password protection. As Orin Kerr's thoughtful parsing points out, the decision makes some fairly big factual judgments without sharing some of the significant background details. In this case, the contraband files were password-protected but stored online, and government investigators viewed them (without a warrant) after an ex-girlfriend of the suspect tipped off the investigators and provided the web site's password. The opinion finds a reasonable expectation of privacy may exist in password-protected files stored online, even though they are physically remote and transmitted to a third party provider.
In this case, the expectation of privacy did not exist, however, as the judge concluded that the suspect gave the ex-girlfriend the necessary information to access the files. As Professor Kerr points out, this last conclusion is thin on the facts. It is not at all clear in the opinion how the ex-girlfriend acquired the passwords; the suspects vigorously denied providing them to her. Would it have made a difference if she hacked, snooped, or guessed the passwords? Although it cited to Warshak, the opinion was similarly thin on just why 4th Amendment protections existed. (Not wrong, to this author's eye, just not detailed.) The opinion also spent little time addressing statutes that might address the privacy expectations, and whether and how they might affect the expectations of the defendant. For example, the Protection of Children from Sexual Predators Act requires ISP reporting of any discovered instances of child pornography, and the Electronic Communications Privacy Act is rife with exceptions allowing for disclosure of electronic communications. While I suspect the correct opinion is that mere statutes don't influence the Constitutional standard of "reasonableness," the court doesn't address the issue in any detail.
Professor Kerr would moot these conundrums with an alternate holding based on the controversial "special needs" exception, reaching the same final result. This particular debate is fairly politicized, arises in many 4th Amendment cases, and isn't specific to computer cases, though it often pops up there too. I’m not as willing as Professor Kerr to recognize an imaginary dividing line between criminal investigators and other government employees such as child services investigators or network administrators and ascribe no 4th Amendment significance to agents on the "correct" side of that line, but his other questions cut right to the core ambiguities of this opinion. To be fair, even some other Circuit Courts don't seem too concerned about making that excuse in other computer investigation cases, either.
Posted by Ethan Ackerman at July 30, 2007 10:01 AM | Privacy/Security