May 13, 2010
4th Cir.: No Expectation of Privacy in Internet and Phone Subscriber Info -- U.S. v. Bynum
[Post by Venkat]
United States v. Bynum, Case No. 08-4207 (4th Cir.) (May 5, 2010)
The FBI observed Marques Bynum's activities in a Yahoo! chat room. Bynum had uploaded photos of children engaged in sex acts. The FBI served an administrative subpoena on Yahoo! seeking the subscriber information and IP address associated with Bynum's profile. Based on the information provided by Yahoo!, the FBI identified the internet service provider associated with the IP address (UUNET). The FBI then subpoenaed UUNET and obtained the email address and telephone number for the customer associated with the IP address. Finally, the FBI subpoenaed the phone and internet companies that operated the dial-up service used by the user, which revealed the "physical address from which the uploads emanated" (which happened to be the defendant's mother's house). The FBI also accessed publicly available information from the defendant's Yahoo! chat profile such as his photo, demographic information, and interests.
The defendant made what appeared to be a half-hearted argument that the Government's use of administrative subpoenas (which precluded disclosure of the subpoenas to the defendant) to obtain his subscriber information violated his Fourth Amendment rights. The court rejects this argument, noting that there was no evidence that defendant "had a subjective expectation of privacy in his internet and phone 'subscriber information' . . . ." He voluntarily provided the information to his internet and phone companies and "assumed the risk" that these companies would reveal this information to the authorities. Even if he was able to show that he had a subjective expectation, he would not be able to show that this expectation would be objectively reasonable. The court notes that "every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment's privacy expectation." Finally, the court footnotes the fact that the defendant did not allege a privacy interest in the IP address the FBI initially obtained from Yahoo!.
As this Ars Techinca article notes, although the New Jersey Supreme Court took a slightly different approach (and required a grand jury subpoena based on the state constitutional right of privacy and the fact that the IP address-identity connection is sufficiently private to warrant some protection) federal cases pretty uniformly follow the approach taken by the Fourth Circuit in this case. In light of the case law, the court's decision does not seem surprising. That said, as someone who doesn't follow the case law very closely in the criminal context, I was surprised at how easy it is for the government to track down your IP address, and through that, your account information and personal details (email address, street address, etc.). From what I understand, an "administrative subpoena" - which was used in this case - is nothing more than a letter from the FBI.
Tom O'Toole blogged recently about a file sharing (civil) case where subpoenaed Doe defendants unsuccessfully fought to remain anonymous: "File Sharers Have Little But Not Zero Privacy"
A 2009 MediaPost article discusses a decision by Judge Jones of the Western District of Washington where Judge Jones ruled that IP addresses are not "personally identifiable information": "IP Addresses Are Not 'Personally Identifiable' Information"
FourthAmendment.com covers U.S. v. Bynum: "CA4: No reasonable expectation of privacy in subscriber info with ISP"
Posted by Venkat at May 13, 2010 11:49 AM | Privacy/Security