Searches of New Technologies

These posts describe the challenges that arise when law enforcement officers are trying to search devices such as computers, cell phones, iPads, etc.


This week the New York Times published an op-ed which argued for allowing law enforcement officers with search warrants greater access to the cell phone data of criminal suspects.  The piece was co-written by an impressive set of authors: the District Attorney of Manhattan, the chief prosecutor of Paris, the commissioner of the City of London Police, and the chief prosecutor of the High Court of Spain.  They note that many modern cell phones are password protected, and that Apple and Google (whose operating systems together run about 96% of cell phones) no longer have a copy of that password and therefore police cannot access these cell phones even if they have legal authority to do so.  The piece argues that once law enforcement officers have obtained a warrant (having thus proved to a neutral magistrate that there is probable cause to believe there is incriminating information on the cell phone), there should be no technical barrier (such as password protection) to extracting that information from the digital device.  As they argue:

In the United States, Britain, France, Spain and other democratic societies, the legal system gives local law enforcement agencies access to places where criminals hide evidence, including their homes, car trunks, storage facilities, computers and digital networks.

Carved into the bedrock of each of these laws is a balance between the privacy rights of individuals and the public safety rights of their communities. For our investigators to conduct searches in any of our jurisdictions, a local judge or commissioner must decide whether good cause exists. None of our agencies engage in bulk data collection or other secretive practices. We engage in targeted requests for information, authorized after an impartial, judicial determination of good cause, in which both proportionality and necessity are tested.

It is this workable balance that proscribes the operations of local law enforcement in our cities, and guides our residents in developing their expectations of privacy. But in the absence of laws that keep pace with technology, we have enabled two Silicon Valley technology companies to upset that balance fundamentally.

Judging by the comments posted by the Times, the op-ed was not well-received by the readership: readers argued that encryption protects our data from thieves and hackers as well as from police; that political dissidents and activists rely upon it to communicate safely; and (echoing Riley v. California) that the sheer amount of information on a cell phone means that they need to be protected, even from police officers with search warrants.  The Electronic Frontier Foundation predictably warned that the piece was “nothing more than a blatant attempt to use fear mongering to further their anti-privacy, anti-security, and anti-constitutional agenda.”

It is hard to see what is “unconstitutional” about giving law enforcement access to information once they have obtained a warrant for that information.  Just because we now have the ability to easily password-protect much of our personal data doesn’t mean that we somehow have greater constitutional rights in that information than we did twenty years ago.  Indeed, if the police had a search warrant for a file cabinet, they should be able to look inside the file cabinet whether or not the owner has locked it.  The same argument should apply to cell phones–once a court has authorized the search, the police need to (and should be able to) conduct that search.

The real problem–and one that the authors of the op-ed do not really address–is how to go about ensuring that the police do have this ability once a warrant is issued.  The op-ed merely states that “regulators and lawmakers in our nations must now find an appropriate balance between the marginal benefits of full-disk encryption and the need for local law enforcement to solve and prosecute crimes.”  But it is one thing to ask for a “balance” and another to figure out what laws need to be passed to ensure that balance.  One option would be to require the manufacturers of digital devices to provide the government with a “master key” to every cell phone–but the danger of abuse in that context becomes quite obvious.  Another option would be to require the companies that design operating systems to keep a copy of every password (thus making it illegal for Apple or Google to use the operating systems they are currently using)–but this seems like a particularly severe government intrusion into the private sector.  Yet another option would be to allow police to compel the password from the owner of the device, but this raises serious Fifth Amendment questions.  Some courts have held that forcing a suspect to give up his own password is akin to self-incrimination, citing a United States Supreme Court decision which stated that the Fifth Amendment protects a defendant from producing documents which may be incriminating.

In short, the op-ed correctly identified a problem, but was silent on the solution.  Unless and until law enforcement officers develop the tools to break through password-protected phones, this problem will grow more and more severe until one of the more draconian solutions listed above becomes necessary.

 

A few months ago I wrote about (and strongly criticized) the Eleventh Circuit’s decision in United States v. Davis, in which the court held that the government needed to obtain a search warrant before it could access cell tower location information that located the defendant’s cell phone.  Now the Eleventh Circuit, in an en banc decision, has overturned the three-judge panel and held that the third-party doctrine applies to these records; thus, a warrant is not required.


The court began by citing the Fifth Circuit decision which also applied the third party doctrine in deciding this issue.  Then the court applied Smith v. Maryland and found that the Davis case was legally no different from Smith:

For starters, like the bank customer in Miller and the phone customer in Smith, Davis can assert neither ownership nor possession of the third-party’s business records he sought to suppress. Instead, those cell tower records were created by MetroPCS, stored on its own premises, and subject to its control. Cell tower location records do not contain private communications of the subscriber. This type of non-content evidence, lawfully created by a third-party telephone company for legitimate business purposes, does not belong to Davis, even if it concerns him. Like the security camera surveillance images introduced into evidence at his trial, MetroPCS’s cell tower records were not Davis’s to withhold. Those surveillance camera images show Davis’s location at the precise location of the robbery, which is far more than MetroPCS’s cell tower location records show.

The Court not only applies the third party doctrine, it presents a robust defense of the doctrine in this context, harkening back to the Katz test:

As to the subjective expectation of privacy, we agree with the Fifth Circuit that cell users know that they must transmit signals to cell towers within range, that the cell tower functions as the equipment that connects the calls, that users when making or receiving calls are necessarily conveying or exposing to their service provider their general location within that cell tower’s range, and that cell phone companies make records of cell-tower usage. See In re Application (Fifth Circuit), 724 F.3d at 613-14. Users are aware that cell phones do not work when they are outside the range of the provider company’s cell tower network. Id. at 613. Indeed, the fact that Davis registered his cell phone under a fictitious alias tends to demonstrate his understanding that such cell tower location information is collected by MetroPCS and may be used to incriminate him.

Even if Davis had a subjective expectation of privacy, his expectation of privacy, viewed objectively, is not justifiable or reasonable under the particular circumstances of this case. The unreasonableness in society’s eyes dooms Davis’s position under Katz. In Smith, the Supreme Court presumed that phone users knew of uncontroverted and publicly available facts about technologies and practices that the phone company used to connect calls, document charges, and assist in legitimate law-enforcement investigations. See 442 U.S. at 742-43, 99 S. Ct. at 2581. Cell towers and related records are used for all three of those purposes. We find no reason to conclude that cell phone users lack facts about the functions of cell towers or about telephone providers’ recording cell tower usage.

Although the third party doctrine has been routinely criticized, applying it makes sense in this context.  As the court notes, surely every reasonable person knows that the telephone company can track their general location using the person’s cell phone–how else could cell phones function?  And, notwithstanding the famous concurrence in United States v. Jones, a person generally does not have a reasonable expectation of privacy in a public place.

The en banc decision also provides an “alternative” justification for its ruling, which is that even if the third party doctrine did not apply, the search was “reasonable” because the intrusion into privacy was minimal, cell tower location information is routinely used by government investigators, Congress has explicitly endorsed this type of investigation in the Stored Communications Act, and the government’s interest in tracking down criminals is “compelling.”  Professor Orin Kerr had a number of withering critiques of this alternative justification in his blog post, one of which was that the “reasonableness” test (as opposed to the warrant requirement) should only be applied in non-criminal cases:

A basic summary of the Supreme Court’s cases might run something like this: When the search involves some kind of non-criminal investigation or purpose, the warrant requirement is often suspended. In that non-criminal context, reasonableness instead becomes a general balancing of interests. The Court has been expanding the general balancing cases, most recently in Maryland v. King. But the Katz rule of a warrant by default is still the Supreme Court’s blackletter law for a traditional criminal investigation search.

In this case, the Eleventh Circuit appears to take a different approach. It begins with the Supreme Court’s non-criminal cases and then applies them to the context of a classic criminal investigation. Instead of the Katz rule of a warrant, the court begins with general balancing. It’s important to catch criminals, the court reasons, and the statute has some good protections given that this wasn’t such an invasive practice. So on the whole the government’s conduct based on reasonable suspicion seems reasonable and therefore constitutional.

This alternative holding is a major development, I think. It’s at odds with the usual rule that a criminal search requires a warrant, and instead replaces it with a totality of the circumstances inquiry into whether the criminal search was the kind of thing that we would generally say is good or would generally say is bad. There’s not only no warrant requirement, there’s no probable cause requirement: It’s just a free-floating reasonableness inquiry.

Professor Kerr has a good point here, but he might be fighting a losing battle.  In reality, the distinction between “criminal searches” and “non-criminal searches” is becoming blurred almost beyond recognition.  Special needs searches have always been evaluated on a “reasonableness” standard, and many of them are nothing but criminal searches thinly masquerading as non-criminal searches (for example, testing for drugs in schools, stopping cars to check for drunk drivers, and searching passengers before they board an airplane).  Most recently, in Maryland v. King, the Supreme Court applied the reasonableness test to a DNA swab of arrestees, treating the swab (which was used to determine if the arrestee had committed any other crimes) as something other than a “criminal search.”  Applying the reasonableness test to the obtaining of cell phone location data in a bank robbery investigation definitely pushes the envelope even further, but it continues a trend which has been building for a while.

Of course, this aspect of the Davis en banc decision is merely dicta, so perhaps nothing at all will come of it.  But as far as the holding of the case is concerned, the court has at least brought consistency back to this area of law.

 

Ohio’s Supreme Court is beginning to get a reputation for aggressively protecting Fourth Amendment rights in the digital age.  Six years ago in State v. Smith it held that police officers may not search a cell phone incident to an arrest, foreshadowing the United States Supreme Court’s Riley decision by five years.  Today the Court released a decision which set out strict requirements for law enforcement officials who are seeking search warrants for computers.  The Court held that the search warrant in question lacked particularity because it essentially authorized a limitless search of the defendant’s computer.


In the case, State v. Castagnola, the defendant was initially being prosecuted for selling alcohol to a minor.  He then took the ill-advised step of egging the prosecutor’s car to show his displeasure with the case.  He then took an even less-advised step and bragged about the egging to a friend, first by text and then in person.  The “friend” ended up being a police informer, who was wearing a wire at the time of the defendant’s verbal confession.  The police then obtained a search warrant and searched the defendant’s home (including his computer) for evidence of the egging incident.  Instead, they found evidence of child pornography.  The defendant was ultimately convicted of the child pornography charge.

The issue at the Ohio Supreme Court was two-fold:

First, the defendant told the police informant that he found the prosecutor’s address by tracing him through a parking ticket the prosecutor had received a few years earlier.  In the detective’s affidavit seeking a warrant, the detective erroneously said that the defendant had mentioned that he found the prosecutor’s address after conducting an “online” search–thus supporting the detective’s request to search the defendant’s computer in order to find evidence of the search.  But the defendant in fact never mentioned how he searched for the prosecutor.  The detective had inferred that the search occurred online, but the Court held that such an inference was not strong enough to rise to the level of probable cause that the defendant had used a computer, noting that “[a]lthough we are in the computer age, records of court activity still exist in paper form and are available to the public in clerk of courts’ offices around the state.”  In other words, even though the defendant had admitted that he had searched through court records for the prosecutor’s address, the likelihood that he did so using a computer does not suffice to establish probable cause.

Second, the warrant’s language, which copied the language from the detective’s affidavit, authorized the police to search:

Records and documents either stored on computers, ledgers, or any other electronic recording device to include hard drives and external portable hard drives, cell phones, printers, storage devices of any kind, printed out copies of text messages or emails, cameras, video recorders or any photo imaging devices and their storage media to include tapes, compact discs, or flash drives.

The Ohio Supreme Court noted that this language violated the Fourth Amendment’s particularity requirement because it did not include any “limitation on what records or documents” were allowed to be searched.  Even though the warrant later specified that any evidence that was recovered was to be used as evidence in a retaliation and criminal damaging case, the warrant was still overly broad.  Thus, the evidence should have been excluded–which almost certainly means that the child pornography case will now be dismissed.

The Court’s first conclusion seems a bit strained–is it really feasible to think that the defendant actually went to the county clerk’s office in person to look up the prosecutor’s old parking ticket?  An inference that the defendant conducted an online rather than a physical search seems not only reasonable (and thus sufficient to support probable cause) but almost certain.

But the Court’s second conclusion is surely correct–courts are already struggling with how to draft warrants in order to properly limit searches of computers, and a broad warrant that permits the police to search through every digital file on every digital device does seem overbroad.  Indeed, the law enforcement technician gave a somewhat weak explanation of why she was looking at picture files when she was allegedly looking for evidence of a search for the prosecutor’s court files.  (She explained that she “went to the images [folder] to find images associated with court websites.”)  On this point, at least, the Ohio Supreme Court’s message is clear: narrow your computer search (and your language in the search warrant) to items that are related to the crime you are investigating.

 

 

 

 

 

In recent months the New York Times and the Washington Post have run articles about cell tower simulators–devices which intercept cell phone data by “tricking” the target’s cell phone into believing it is communicating with a legitimate cell phone tower.  These devices–also known as a “Stingray” or “Kingfish”–are able to locate a cell phone, download its metadata, and even eavesdrop on the calls or texts which are being sent.  However, the law enforcement agencies which use cell tower simulators are doing their best to keep the details of their use (or even the fact of their use) secret, in accordance with non-disclosure agreements that the FBI requires local agencies to sign.  In a particularly interesting development, prosecutors in a Florida case were ordered by a judge to provide details of their use of the device in an armed robbery case which carried a four-year minimum sentence.  In order to avoid revealing the information, they allowed the defendant to plead to a second-degree misdemeanor and receive 6 months’ probation.

This secrecy has raised obvious concerns among privacy advocates.  The ACLU has filed a number of lawsuits seeking more information about the use of cell tower simulators.  Two senators have sent a letter to the FBI demanding more information about how and when these devices are used.  But the secrecy may be justified given the types of countermeasures that are becoming available to thwart the cell tower simulators.


First, a brief description of the technology involved with cell tower simulators.  Technically they are called International Mobile Subscriber Identity (“IMSI”) catchers, because they identify the IMSI of the suspect’s cell phone and use it to intercept outgoing information from the phone.  As described in a recent Popular Science article, IMSI catchers are essentially

radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers. And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers….

But for governments or other entities able to afford a price tag of “less than $100,000,” says Goldsmith, high-quality interceptors are quite realistic. Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example. Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug.

Standard cell phone network protocol requires the cell phone to authenticate itself to the network, but does not require the network to authenticate itself to the cell phone, thus allowing an IMSI catcher to access the cell phone as long as it can decode the baseband operating system.  This is the security hole that IMSI catchers are able to exploit.
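
The one-way authentication described above, as an added example that is not part of the original post: a simplified Python model in which HMAC-SHA256 stands in for the real cellular algorithms and all class and function names are hypothetical. It contrasts a handset that answers any station's challenge with one that first requires the station to prove it holds the subscriber key.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, label: bytes, rand: bytes) -> bytes:
    # Stand-in for the operator's authentication functions (assumption:
    # real networks use their own algorithms, not HMAC-SHA256).
    return hmac.new(key, label + rand, hashlib.sha256).digest()


class Station:
    """A base station. subscriber_key is None when the station is not
    part of the subscriber's home network and so does not hold the key."""

    def __init__(self, subscriber_key=None):
        self.key = subscriber_key
        self.rand = b""

    def challenge(self):
        self.rand = os.urandom(16)
        # Only a station holding the key can compute a valid network proof;
        # any other station can only send filler bytes.
        if self.key is not None:
            proof = _mac(self.key, b"network", self.rand)
        else:
            proof = os.urandom(32)
        return self.rand, proof

    def accepts(self, response: bytes) -> bool:
        if self.key is None:
            return True  # cannot check the response, admits the phone anyway
        expected = _mac(self.key, b"phone", self.rand)
        return hmac.compare_digest(response, expected)


class Phone:
    def __init__(self, key: bytes, verify_network: bool):
        self.key = key
        self.verify_network = verify_network

    def attach(self, station: Station) -> bool:
        rand, proof = station.challenge()
        if self.verify_network:
            expected = _mac(self.key, b"network", rand)
            if not hmac.compare_digest(proof, expected):
                return False  # station failed to authenticate: do not attach
        return station.accepts(_mac(self.key, b"phone", rand))


def attach_outcomes():
    """Run both handset policies against both kinds of station."""
    key = os.urandom(32)  # constructed sample subscriber key
    results = {}
    for mode, verify in (("one-way", False), ("mutual", True)):
        phone = Phone(key, verify)
        results[(mode, "home network")] = phone.attach(Station(key))
        results[(mode, "station without key")] = phone.attach(Station())
    return results


if __name__ == "__main__":
    for case, attached in attach_outcomes().items():
        print(case, "attached" if attached else "refused")
```

The model omits replay protection (real mutual-authentication schemes also bind the network proof to a sequence number), so it shows only the asymmetry itself.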

Although these devices have caused consternation among privacy advocates, they do not really present any new or challenging legal issues.  Under both statutory and constitutional law, it doesn’t matter what method law enforcement agents use to conduct their surveillance; what really matters is the type of information they are obtaining.  If law enforcement officers are listening in on our cell phone conversations, or reading our text messages as they are sent through the network, they need to obtain a Title III order under the Wiretap Act, demonstrating probable cause, the ineffectiveness of alternate surveillance methods, and minimization procedures.  If they are merely collecting our telephony metadata such as outgoing dialed numbers, they merely need to certify that the information is “relevant to an investigation.”  These standards exist whether law enforcement officers are obtaining the information using a modern Stingray device or an old fashioned wiretap or pen register system.  Thus, the warnings from some privacy advocates that these devices “allow cops to gather your data without a warrant or consent” are misplaced.  Law enforcement agents have always had the ability to gather this type of information, and for decades they have faced more or less the same legal standards in obtaining court permission to gather it.   IMSI catchers do allow them to obtain the information more quickly and (probably) more cheaply, but if they do so without meeting the proper legal standard, they are still violating the law and they are subject to civil penalties.

But what about the secrecy that shrouds the use of these devices?  The FBI claims that disclosure of any details about the technology would assist criminals and terrorists who want to thwart the technology and use countermeasures to prevent law enforcement from conducting the surveillance.  This turns out to be a legitimate concern; there are a number of devices already in existence that detect the use of IMSI catchers.  Last year the Washington Post ran an article describing Cryptophones, which sell for $3,500 and will alert the user if an IMSI catcher has locked onto their cell phone.

This is only the most recent development in a technological arms race between police and criminals that has been going on for over a century.  Telephones themselves were the first salvo in this battle, dramatically increasing our own privacy and at the same time allowing criminals to communicate quickly and confidentially with each other without leaving their home.  Then police began to wiretap telephones, in order to be able to even the odds (and gain access to information they never might have been able to have before).  Then came cell phones, and then disposable cell phones, again making it easier for criminals to avoid surveillance while conducting their activities.  Now police have a cheaper, easier way to monitor cell phone activity after they obtain a court order allowing them to do so.  It makes sense for the police to try to maintain this ability for as long as possible–though soon enough, devices like Cryptophones will neutralize this ability.  But the less the police say about the details of the technology, the longer they can use the technology effectively.

This week the foundation that runs Wikipedia filed a lawsuit against the National Security Agency (“NSA”), arguing that the “upstream” internet surveillance conducted by the NSA violates the agency’s statutory authority, as well as the First and Fourth Amendments to the Constitution.  This is only the latest in a series of legal actions against the NSA in the wake of the revelations about its surveillance by Edward Snowden.  The organization Pro Publica has compiled this helpful list which describes thirty-eight different lawsuits that have been filed since 2006 against the NSA, other branches of the Obama administration, or private companies who were complying with NSA orders.  Most of these lawsuits can be roughly divided into four different categories:

(1) The first wave of cases, from 2006 to 2008, which alleged that the government surveillance programs violated the First and Fourth Amendment.  These cases were all effectively disposed of by the 2008 Supreme Court decision of Clapper v. Amnesty International, in which the Supreme Court held that the plaintiffs lacked standing because they could not prove that they themselves had been surveilled by the government.

(2) Lawsuits which seek to release information–either forcing the NSA to reveal more information about its surveillance program, or permitting private companies to reveal the fact that they have provided information to the NSA.  For the most part, these lawsuits have been successful, although many are still pending.

(3) Criminal defendants who are challenging the use of covert NSA surveillance evidence in their case.  Many of these cases are still pending, but so far none have been successful.

(4) A second wave of cases, post-Clapper v. Amnesty International, in which various organizations claim that the NSA surveillance programs violate its statutory authority and the Constitution.  The new case filed by Wikimedia falls under this category.

There are three separate NSA programs that are being challenged by this second wave of lawsuits.  The first is the “bulk metadata collection” program, in which the NSA collects massive amounts of non-content data from private companies, such as telephone numbers, email addresses, and other “address” information.  Because the NSA was collecting this information pursuant to Section 215 of the USA Patriot Act, this surveillance is sometimes referred to as “Section 215 collection.”  The second program is codenamed “PRISM,” and it involves the NSA collecting information that is stored by private companies (Microsoft, Facebook, Google, Apple, etc.).  PRISM data included content information, but (allegedly) the surveillance would only take place if the NSA agent has a “reasonable belief” (defined as at least 51% assurance) that the specified target is a foreign national who is overseas at the time of the data collection.  Because this program is allegedly authorized by Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), it is sometimes referred to as “Section 702 surveillance.”  The third program is codenamed “UPSTREAM,” and it involves realtime interception of data and communication flowing across the fiber cables and other infrastructure of the internet (sometimes called the “backbone” of the internet).  The UPSTREAM program collects large amounts of data as it is transmitted, but then uses software filters to filter out purely domestic transmissions and then further filters the data to look for specific target words that would make the message of particular interest to the NSA.


With the new Wikipedia lawsuit, there are now five lawsuits pending in federal court which challenge these programs:

Jewel v. NSA (filed in 2008) — This case was filed in the Northern District of California by the Electronic Frontier Foundation, an advocacy group for digital privacy, on behalf of Carolyn Jewel and other AT&T customers.  The plaintiffs were seeking an injunction against the NSA’s bulk collection of telephone metadata and against the NSA’s UPSTREAM surveillance program.  The case was originally dismissed in 2010 for lack of standing, but was re-instated by the Ninth Circuit in 2011.  Most recently, the plaintiffs suffered a setback in February of 2015 when the district judge granted the government’s motion for summary judgment on the issue of UPSTREAM surveillance, holding that the publicly available information was not sufficient to support the plaintiffs’ standing in the case, or to adjudicate the substantive Fourth Amendment issues:

Notwithstanding the unauthorized public disclosures made in the recent past and the Government’s subsequent releases of previously classified information about certain NSA intelligence gathering activities since 2013, the Court notes that substantial details about the challenged program remain classified. The question of whether Plaintiffs have standing and the substantive issue of whether there are Fourth Amendment violations cannot be litigated without impinging on that heightened security classification. Because a fair and full adjudication of the Government Defendants’ defenses would require harmful disclosures of national security information that is protected by the state secrets privilege, the Court must exclude such evidence from the case.

The trial court noted that this was a “frustrating” ruling:

The Court is frustrated by the prospect of deciding the current motions without full public disclosure of the Court’s analysis and reasoning. However, it is a necessary by-product of the types of concerns raised by this case. Although partially not accessible to the Plaintiffs or the public, the record contains the full materials reviewed by the Court. The Court is persuaded that its decision is correct both legally and factually and furthermore is required by the interests of national security.

Notwithstanding this recent ruling, the Jewel case is still pending, since the court only granted summary judgment on the UPSTREAM surveillance question, not on the bulk collection of telephone metadata.

Klayman v. Obama (filed in 2013) — This case was filed in the District of Columbia District Court by customers of Verizon Wireless, and it challenges the NSA’s bulk metadata collection program.  In December of 2013, District Court Judge Leon ruled in favor of the plaintiffs and granted an injunction that would bar the NSA from continuing the surveillance.  The judge then stayed the injunction pending appeal.  The most controversial aspect of Judge Leon’s opinion was his rejection of the Supreme Court case Smith v. Maryland, which held that the Fourth Amendment does not protect telephone numbers that an individual dials, both because of the third party doctrine and because the telephone numbers are merely “address” information as opposed to “content” information.  The government understandably relied heavily on Smith in its argument that the surveillance program did not violate the Fourth Amendment, but Judge Leon essentially held that Smith’s reasoning–and therefore, presumably, its holding–was hopelessly outdated:

The Government, in its understandable zeal to protect our homeland, has crafted a counterterrorism program with respect to telephone metadata that strikes the balance based in large part on a thirty-four year old Supreme Court precedent, the relevance of which has been eclipsed by technological advances and a cell phone-centric lifestyle heretofore inconceivable. 

The case is now on appeal to the D.C. Circuit, and oral argument took place in November of 2014.

 

ACLU v. Clapper (filed in 2013) — This case was filed in the Southern District of New York by the ACLU as Verizon subscribers, challenging the NSA’s bulk metadata collection program.  In December of 2013, just a few days after Judge Leon ruled against the government in Klayman, Judge William Pauley ruled in favor of the government in this case.   Judge Pauley cited Smith v. Maryland as binding Supreme Court precedent, and also noted the necessity of this kind of surveillance in the modern world:

No doubt, the bulk telephony metadata collection program vacuums up information about virtually every telephone call to, from, or within the United States. That is by design, as it allows the NSA to detect relationships so attenuated and ephemeral they would otherwise escape notice. As the September 11th attacks demonstrate, the cost of missing such a thread can be horrific. Technology allowed al-Qaeda to operate decentralized and plot international terrorist attacks remotely. The bulk telephony metadata collection program represents the Government’s counter-punch: connecting fragmented and fleeting communications to re-construct and eliminate al-Qaeda’s terror network.

The case is now on appeal to the Second Circuit, and oral argument took place in September of 2014.

 

Paul v. Obama (filed in 2014) — This is a lawsuit filed in the District of Columbia District Court by Senator Rand Paul and FreedomWorks, challenging the warrantless collection of cell phone records and metadata by the NSA.  It is currently pending in the D.C. District Court.  Although this lawsuit has more political overtones than the others, since the lead plaintiff is likely to be a contender for the Republican nomination in the 2016 Presidential Contest, the plaintiffs claim it is different from the others because it has been filed as a class action on behalf of “all Americans.”

 

Wikimedia vs. NSA (filed in 2015) — This lawsuit was filed just this week in the District of Maryland.  Like the Jewel case, Wikimedia’s case challenges the NSA’s UPSTREAM surveillance program.  And like the Jewel case, this case could be dismissed in whole or in part because national security secrecy makes the plaintiffs unable to establish a cause of action.  However, if the case is able to go forward, the case will likely turn on when (if ever) the NSA is held to have “searched” and “seized” the data in the UPSTREAM program.  The following graphic (which comes from the Electronic Frontier Foundation’s website) explains the case from Wikimedia’s point of view, arguing that the internet traffic is “seized” when it is copied as it flows along the internet backbone, and then “searched” when the NSA’s computer software sifts through it to identify messages and data that include the suspicious words or terms.

[Graphic: backbone-3c-color]

One question that a court will eventually have to decide is whether this information is actually ever being “seized.”  A seizure occurs when the government exercises “some meaningful interference” with an individual’s possessory interest in the property.  But merely copying data as it flows through the fiber-optic cables is not really a seizure–it does not interfere at all with the individual’s possessory interest.  Under current Supreme Court doctrine, merely making a copy of information does not constitute a “seizure”–although this doctrine has been criticized by some commentators, it is hard to see how any other rule would be consistent with existing law.

The real question is: when is the information “searched?”  If the government has copies of all of the data flowing across the internet, it does not help the government at all (nor does it meaningfully infringe on our privacy rights) unless the government actually looks at the data–and once the government looks, it has committed a search.

But what exactly constitutes “looking” at the data?  When a computer program sifts through the data looking for specific key words, can we classify that as a “search,” even if no human being ever sees the data?  In a 2005 article, I wrote that using software in this way could be a valuable new tool for police–increasing the efficiency of law enforcement with very little intrusion into our privacy.

As technology gets more sophisticated, software will be better able to focus on illegal behavior and thus narrow the scope of the surveillance—perhaps even to the point where the surveillance only alerts a human law enforcement agent when there is a near certainty of illicit conduct.  At that point, only the mindless computers  will “know” the private information about what we are writing, and they will quickly and unconsciously examine and discard any private innocent information they discover.  In the meantime, the human law enforcement agents will leave us alone. 

The NSA collection methods are coming close to reaching this point, but we are not there yet.  Unfortunately, the NSA filters still allow a large amount of innocent data to come through–and as soon as the NSA officers look at innocent information, they are conducting a “search.”  It may be a very efficient search, with a very high probability of leading to illegal activity, but it is still a search.  Perhaps the filters are refined enough such that there is probable cause to believe that any data that survives the filter is evidence of a crime.   Perhaps the filters are effective in removing all purely domestic communications, and so can all be justified under a FISA warrant.  But until we get a full, public review of the program, we will be unable to answer these questions.

Next week the Eleventh Circuit will hear the en banc appeal of United States v. Davis.  This case involves the use of cell tower location information to track the movements of a suspect.  Last year a three judge panel ruled that the government needed to obtain a warrant before it could acquire this information from the phone company.  Next week, the Eleventh Circuit will re-hear the case en banc and decide whether they will pull back from the broad holding and expansive reasoning of the original decision.

[Image: cell tower location display]

In the Davis case, the government suspected the defendant of numerous armed robberies.  During its investigation, the government obtained a court order to acquire the cell tower location data from the defendant’s phone pursuant to the Stored Communications Act (“SCA”).  At the outset, it should be noted that this information is the least intrusive and least precise type of location information that is available from an individual’s cell phone.  Cell tower location information merely tells the phone company (and in this case, the government) the one or two towers which were used to contact the suspect’s phone when he made or received a phone call, as well as the direction the suspect was in relation to the tower(s).  These are usually, but not always, the closest cell phone towers to the suspect at the time he or she used the cell phone.  The data is only created when the suspect actually uses the cell phone–usually when he or she is making or receiving a call.  In contrast, when law enforcement officers have the phone company “ping” a cell phone, or when they use the GPS device built into the cell phone, the officers obtain a real-time, continuous, precise location of the suspect, regardless of whether the suspect is using the cell phone at the time.

Under the SCA, the government need only show “specific and articulable facts” that the information could be linked to a crime in order to obtain a court order.  Davis argued (and the three judge panel agreed) that acquiring this location information was a Fourth Amendment search, and so the government needed to obtain a warrant based on probable cause before gaining access to this data.  The three-judge panel acknowledged that this was a case of first impression, and so it relied heavily on Justice Alito’s four justice concurrence in the Jones case in its reasoning.  In Jones, four justices found that a twenty-eight day continuous surveillance using a GPS was a Fourth Amendment search because of the “mosaic doctrine”–i.e., the government learned so much public information about the defendant that it created a mosaic which revealed private, protected information.  The three-judge panel in Davis acknowledged the difference between the two fact patterns, but argued that the case was “sufficiently similar” to make it “clearly relevant” to their analysis.

In fact, the distinctions between Davis and Jones are significant, and they all point to the conclusion that the search in Davis does not deserve Fourth Amendment protection.  The only reason the Alito concurrence found that the government surveillance in Jones constituted a search was because of the large number of trips that were tracked; in the Davis case, the government only examined a small number of incidents (specifically, the times when a robbery was occurring).  But the Davis three judge panel ignored this distinction, arguing that tracking a person’s public location even once could constitute a search: “…[E]ven on a person’s first visit to a gynecologist, a psychiatrist, a bookie, or a priest, one may assume the visit is private if it was not conducted in a public way.”  The Jones case also involved tracking an individual at all times, while the police in Davis only gained location information from the defendant when he voluntarily provided that information to the phone company by using his cell phone.  And finally, the Jones location information was much more precise, showing the police exactly where the defendant’s car was located; the Davis location information only showed the general area where the defendant was located.  (The three judge panel brushed this difference aside, arguing that because the prosecutor claimed the cell phone location placed the defendant “near each of six crime scenes,” it could place him “near any other scene” as well, including the “home of a lover, or a dispensary of medication, or a place of worship, or a house of ill repute.”)

Essentially the Davis panel appeared to be arguing that since an individual may want to keep his general location at any given time private from the government, the Fourth Amendment prevents the government from learning that information unless it first obtains a warrant.  This is certainly not supported by Jones and directly contradicts Knotts, which allows the government to use electronic means to track an individual over the course of one trip.

The only significant difference the Davis panel found between its case and the Jones case was that the Jones case involved tracking a car, whereas the Davis case involved tracking a cell phone.  The Davis court concluded that a person has less reasonable expectation of privacy in the movements of a car, because it is easily visible when in public, than he or she does in the movements of an individual (as tracked through a cell phone), which may not be so easily visible.  Unfortunately for the Davis court, no other court has made any such distinction.  The only distinction that matters is whether the location being tracked is in public (as in Knotts) or in private (as in Karo)–and, after Jones, whether there is so much information that it creates a mosaic.  Neither of those distinctions existed in Davis.

Finally, the Davis court had to overcome one more obstacle in order to come to its extraordinary conclusion: it had to deal with the third party doctrine.  As a general rule, a person loses all Fourth Amendment protection for any information that he or she turns over to a third party (such as a phone company).  The Davis court argued that the third party doctrine only applies when a person “voluntarily and knowingly” conveys information to a third party, and then claimed that a cell phone user has no idea that he or she is conveying his or her location to the phone company when he or she makes a cell phone call.  The first step of this argument seems questionable as a matter of law (there is no strong support for the proposition that the third party doctrine only applies to “voluntary and knowing” transfer of information) and the second step of this argument seems flat out wrong as a matter of fact (regardless of what the defendant in Davis might have thought, most people must know that the cell phone company needs to determine the location of their phone in order to send calls to it).

The Davis court ultimately ruled for the government and refused to suppress the evidence based on the good faith exception to the exclusionary rule, but its reasoning and dicta regarding cell phone location information still stand.  If the en banc court does not overturn that aspect of the case, it will represent a radical expansion of the Jones case–an expansion that is not consistent with the rest of Fourth Amendment doctrine in this area.

 

Last year, the United States Marshals Service tracked down a fugitive named Steven Denson to a house in Wichita, Kansas.  Before they stormed the house, however, they took a sensible precaution and placed a radar device on the outside of the wall to determine the location of the individual in the house.  They then entered the house, arrested the fugitive, and found a number of illegal guns as well.

[Images: ranger-radar; radar through wall]

The marshals had a warrant for Denson’s arrest, but they did not have a search warrant for the home.  Thus, they were only permitted to enter the home if they had “reason to believe” that Denson was inside the home at the time.  Denson challenged the entry into the home, arguing that the police officers only developed a reason to believe he was inside after using the radar device, which violated his Fourth Amendment rights.

The Tenth Circuit rejected Denson’s argument and held that the officers did not violate the Fourth Amendment.  According to the court, the officers already had reason to believe that Denson was inside even before they used the radar device.  Thus, the court applied the independent source doctrine from the Supreme Court’s holding in Murray v. United States and allowed the search to stand without resolving the question of whether the radar device violated Denson’s Fourth Amendment rights.  Here is the Tenth Circuit’s description of the device:

the government brought with it a Doppler radar device capable of detecting from outside the home the presence of  “human breathing and movement within.”  All this packed into a hand-held unit “about 10 inches by 4 inches wide, 10 inches long.”  The government admits that it used the radar before entering — and that the device registered someone’s presence inside.  It’s obvious to us and everyone else in this case that the government’s warrantless use of such a powerful tool to search inside homes poses grave Fourth Amendment questions.  New  technologies bring with them not only new opportunities for law enforcement to catch criminals but also new risks for abuse and new ways to invade constitutional rights.  See, e.g., Kyllo v. United States, 533 U.S. 27, 33-35 (2001) (holding that using warrantless thermal imaging to show activity inside a home violated the Fourth Amendment).  Unlawful searches can give rise not only to civil claims but may require the suppression of evidence in criminal proceedings.  We have little doubt that the radar device deployed here will soon generate many questions for this court and others along both of these axes.  At the same time, in a criminal proceeding like ours the government is free to rely on facts gleaned independently from any Fourth Amendment violation.

This analysis seems cautious to a fault.  There is no conceivable way that the use of the radar device is consistent with the Kyllo case.  If law enforcement officers are conducting a Fourth Amendment search when they use a thermal imager to detect the emanations of heat inside of a home, then they are certainly conducting a Fourth Amendment search when they use a radar to detect the presence, movement, and location of individuals inside a house.  And although these devices are apparently becoming more and more popular among law enforcement, they have certainly not risen to the level of being “in general public use,” as required by Kyllo.

The use of the radar device to establish probable cause is even more clearly unconstitutional given the Supreme Court’s recent case of Florida v. Jardines, which held that a drug-dog sniff at the front door of a house constituted a Fourth Amendment search.  In Jardines, the court held that the use of a surveillance tactic which ordinarily does not implicate the Fourth Amendment becomes an unconstitutional search when it is used at the front door of a home.  In the Tenth Circuit’s case, the court was reviewing a surveillance tactic that is more intrusive than the thermal imager in Kyllo and which involved a United States Marshal placing the device directly on the outer wall of a home–a location where an individual arguably has a greater expectation of privacy than the front door.

Regardless, the Tenth Circuit’s holding in this case was almost certainly correct.  Even without the information from the radar device, the United States Marshals had sufficient evidence to establish probable cause (or at least “reason to believe,” which may be an even lower standard) that Denson was in the home.  Denson was the primary account holder on the utility for the home, he was unemployed and running from the police, and the electric meter was “going faster than normal”–all of which would lead the officers to believe that someone was home at the time.  Furthermore, the use of the radar device by the marshals seems perfectly legitimate in this case–once the marshals had established probable cause to believe that Denson was inside, they used the device to ensure their safety for when they entered the house.  This is a perfectly reasonable, non-investigatory use of the technology.

But even though the marshals acted properly and the Tenth Circuit reached the proper result, one could still hope that the court had been a little bolder with its dicta regarding the radar device.  Surely the question of whether the use of the radar gun was consistent with Kyllo had been fully briefed and argued by both sides, and thus there was no reason not to firmly state that the use of this device to establish probable cause violates the Fourth Amendment.  Instead, the court decided to avoid the issue and save it for another day.  This inevitably means that in some future case, a law enforcement officer will use a radar device to establish probable cause in the fruitless hope that this kind of surveillance is constitutional–with the result that the defendant’s conviction will be overturned and a criminal will walk free.  Stronger guidance on this point might have avoided that unfortunate result.

For two years beginning in 2011, Ross William Ulbricht (using the pseudonym Dread Pirate Roberts) ran the Silk Road, an illicit web-based marketplace which specialized in selling illegal drugs.  The FBI eventually caught up with Ulbricht and arrested him, and he is now on trial in the Southern District of New York.  Ulbricht’s defense attorneys have been arguing that the government violated Ulbricht’s Fourth Amendment rights during their investigation.  Specifically, the defense argues that the government hacked into a Silk Road server in Iceland, and from there obtained information which led to various pen-trap orders and warrants to seize servers in the United States, as well as Ulbricht’s laptop and Facebook accounts.  But without the initial access to the Iceland server, the government would not have been able to proceed with its investigation.  In other words, the defense alleges, all of the evidence against Ulbricht is fruit of a poisonous tree.

[Images: silk road; dread pirate roberts]

The government responded with an affidavit from an FBI agent which asserted that the government investigators found the Iceland server through perfectly lawful means.  The affidavit states that “the Internet protocol (“IP”) address of the [Iceland] Server was ‘leaking’ from the site due to an apparent misconfiguration of the user login interface by the site administrator”–that is, a bug in the login interface led the police to the server’s IP address.  The government also argued in its brief that the search of the server was carried out by Icelandic authorities, so the Fourth Amendment does not apply, and that even if the Fourth Amendment did apply, a search of an American citizen’s property overseas need only be “reasonable”–which this was.  Thus, the trial court had a number of interesting factual and legal questions to resolve.

But alas, Ulbricht was unwilling to take the procedural step that is necessary to allow the court to resolve these questions.  Throughout the case, he has refused to acknowledge any personal privacy interest in the Iceland server–that is, he has denied any connection to the Iceland server (and to the Dread Pirate Roberts and the Silk Road).  Thus, he did not have standing to challenge the government’s conduct–whatever it might have been–when it gained access to the server.  In other words, the entire issue ended up being nothing more than a hi-tech version of a defendant’s catch-22–either deny ownership of the contraband and lose your right to challenge the search and/or seizure of the contraband, or admit to owning contraband which establishes your guilt.  The Supreme Court has held that the prosecution cannot use that admission against you (except for impeachment, which is a significant exception)–but especially in a high-profile case like this, a defendant may still not be willing to make that admission.

Ulbricht’s unwillingness to take this step is unfortunate (though understandable), since a full analysis of the case could have led to discussions of a number of important issues.  For example, if the government did indeed hack into the Silk Road login page (as alleged by the defendant), the government had no idea that the server was located outside the United States when it committed that hacking, and so the lower “international” standard should arguably not have applied to the government’s actions.

And what type of “hacking” constitutes a search under the Fourth Amendment?  If the government was able to gain access to the server (as it claims) by merely entering random characters into the login until the IP address appeared, wouldn’t this still be a search?  Does a website’s server have to be protected by a certain level of security before its owner can claim a reasonable expectation of privacy in it?  On the one hand, the defendant could argue that a server is like a home or an office, so the government would be conducting a Fourth Amendment search simply by entering the server without permission, even if there was no security preventing them from doing so.  On the other hand, the government could argue that if any Internet user in the world can obtain the server’s IP address simply by playing around with the login page for a few minutes, then the owner of the server has revealed the location of the server to the world, and has relinquished all reasonable expectation of privacy in the server.  In other words, when does an individual have a reasonable expectation of privacy in his server?

Professor Orin Kerr has argued that the government might have violated the Computer Fraud and Abuse Act (“CFAA”) when it obtained the IP address of the Iceland server.  In an earlier prosecution under the CFAA, the Department of Justice argued that a defendant violated the CFAA when he obtained information from an AT&T website that “AT&T had not intended for the public to see” and which was “in a place where an ordinary computer user would likely not find it.”  Based on this standard, the FBI in the Silk Road case did violate the CFAA even if we accept the government’s version of how they obtained the IP address.  Professor Kerr acknowledges that the CFAA has an exception for lawful government investigations, but notes that there is still a tension between the government’s position in the Silk Road case and its position in the CFAA prosecution.

Like many users of child pornography, Michael Meister kept his photos and videos on his computer.  When his computer stopped working, he took it into a computer repair store, True North, to transfer the data from the inoperable hard drive to a new computer.  During the transfer process, the technician noticed the child pornography and contacted the police, who immediately seized the computer.  The police also transferred the offending data–now inside True North’s system–onto two separate DVDs, and conducted two separate searches of that data.  Based on the information found on the hard drive, the police obtained a search warrant and then conducted another search of the laptop.

[Image: broken laptop]

After Meister was arrested, he moved to suppress all the information found on his computer.  Unsurprisingly, the District Court denied the motion, and the Eleventh Circuit agreed.  The court held that this was a simple application of the third party doctrine:  “The Fourth Amendment only applies to governmental action; ‘it is wholly inapplicable to a search or seizure, even an unreasonable one, effected by a private individual not acting as an agent of the Government or with the participation or knowledge of any governmental official.’  Once a private individual, acting of his own accord, conducts a search—even one that frustrates a defendant’s reasonable expectation of privacy—the Fourth Amendment does not forbid the government from replicating the search.”  Furthermore, even if the pre-warrant searches by the police were beyond the scope of the third party doctrine, the police would have found all of the contraband images eventually after they obtained their warrant, and so the searches fell under the inevitable discovery doctrine.

On one level, the Meister case is very straightforward.  But it also raises an interesting issue regarding the third party doctrine.  Today, more and more courts are criticizing the application of the third party doctrine to digital information, arguing that the doctrine should not apply to such data because in modern times so much data is entrusted–sometimes unknowingly, sometimes unavoidably–to third parties.  When computer data is stored in the cloud, or when e-mails in transit pass through remote servers on the way to their recipient, the owner of the data may not have consciously entrusted the data to a third party.  Thus, the argument goes, entrusting digital data to third parties is not at all like the “assumption of risk” that occurs when you give financial records to a bank or confide to a police informant.  This argument was first made well before the computer age, by the dissenting Justices in the much-maligned Smith v. Maryland who decried the application of the third-party doctrine to data about outgoing telephone numbers that were held by a telephone company:

Implicit in the concept of assumption of risk is some notion of choice. At least in the third-party consensual surveillance cases, which first incorporated risk analysis into Fourth Amendment doctrine, the defendant presumably had exercised some discretion in deciding who should enjoy his confidential communications. By contrast here, unless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance.  It is idle to speak of “assuming” risks in contexts where, as a practical matter, individuals have no realistic alternative.

No doubt Meister’s actions fall under the category of being a “conscious choice”–he physically took his computer to a repair store and asked them to transfer the data.  But it is not hard to tweak the facts a bit and make the case more like the scenario described by the Smith v. Maryland dissenters.  What if Meister’s data had been corrupted, and so he sent his data electronically to a company to fix it?  Probably still a conscious choice.  What if he stored it in the cloud, and one of the data storage units in the cloud had become damaged, and a technician (without Meister’s knowledge) had to transfer the data from one storage unit to another?  Probably not a conscious choice.  Of course, under current Fourth Amendment law, the mere storing of the data in the cloud would trigger the third party doctrine.  But as the courts are revising the third party doctrine to exclude data that is automatically stored or transferred by third party actors, they will need to refine exactly when (if ever) repair and maintenance of that data might re-invoke the doctrine.