Category Archives: Privacy

Kansas Supreme Court overturns conviction because hard drive was searched without valid warrant

Agents of the Kansas State Gaming Agency visited Zeke Rupnick in his office, and questioned him about allegations that he was illegally in possession of confidential business information. The agents seized his laptop computer, and a magistrate in a different county issued a warrant authorizing the search of the hard drive’s contents. Rupnick was convicted of felony computer crime based on the evidence obtained from the laptop.

Before trial, Rupnick sought to suppress the evidence contained on the computer, claiming violation of his Fourth Amendment rights. The trial court denied the motion to suppress. Rupnick sought review with the Kansas Supreme Court, which overturned the conviction.

The court held that the initial seizure of the laptop computer from Rupnick’s office without a warrant was justified, on the basis of probable cause plus the exigent circumstances presented by the possibility that Rupnick could easily delete the relevant data. The later warrant and search of the laptop, however, provided the basis for the reversal of the conviction.

The court began its analysis of the legality of the search by answering the question, which was one of first impression before the court, of whether a warrant must be obtained before the government may search the contents of a personal computer. In answering the question in the affirmative, the court looked to the Tenth Circuit cases of U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999) and U.S. v. Walser, 275 F.3d 981 (10th Cir. 2001).

In this case, the agents had indeed obtained a warrant before searching the contents of the laptop’s hard drive. However, the warrant failed to comply with the relevant Kansas statute (K.S.A. 22-2503), which requires that the search warrant be executed in the judicial district in which the magistrate judge resides. Because the magistrate that issued the warrant did not reside in the county in which the warrant was executed (i.e., where the search of the hard drive was made), the warrant was invalid, and the search was unlawful.

Despite the government’s argument that the defect in the warrant was a mere “technical irregularity,” the court strictly enforced the statute. The felony conviction was reversed and remanded for further proceedings.

State v. Rupnick, — P.3d —, 2005 WL 3439897 (Kan., December 16, 2005).

Unauthorized use of username and password not a “circumvention” under DMCA

The recent case of Egilman v. Keller & Heckman LLP addressed a close question arising under a provision of the Digital Millennium Copyright Act (“DMCA”) found at 17 U.S.C. § 1201. The issue was whether accessing a computer system through the unauthorized use of a valid username and password constitutes an unlawful circumvention of a technological measure. The court held that such conduct is not “circumvention,” and thus not a violation of the DMCA.

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site. He filed suit in federal court asserting, among other things, that the use of the unauthorized username and password was an illegal circumvention of a technological measure, in violation of 17 U.S.C. § 1201.

One defendant moved to dismiss for failure to state a claim, and the others moved for judgment on the pleadings. The court granted the motions.

An essential fact that drove the court’s holding was that the username and password which the defendants allegedly used were the actual username and password which the plaintiff had chosen to protect his website from unauthorized access. For this reason, the defendants were alleged to have merely “used” the technological measure put in place by the plaintiff, and not to have “circumvented” the measure. The court specifically adopted the language and analysis of the case of I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521 (S.D.N.Y. 2004), a case with similar facts and issues.

Quoting from I.M.S., the court stated:

Whatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.

The court went so far as to say:

It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained. (Emphasis added.)

With this last statement, namely, that the means by which the username and password are obtained is irrelevant, did the court adjudicate a loophole in Section 1201? What if a defendant uses technological means to guess a username and crack a password? In that case, the defendant would ultimately be using the plaintiff’s intended username and password, and thus, according to the court, would merely be “using” and not “circumventing” a technological measure. In such a case, could one really say that for purposes of a Section 1201 analysis, how a username and password are obtained is irrelevant?

Egilman v. Keller & Heckman, LLP, — F.Supp.2d —, 2005 WL 3077260 (D.D.C., November 10, 2005).

Delaware decision defines standards for protecting anonymous Internet speech

The recent case of Doe v. Cahill, coming to us from the Supreme Court of Delaware, illustrates a court’s willingness to ensure adequate safeguards to protect anonymous speech on the Internet.

In September of 2004, an anonymous visitor to a Smyrna, Delaware community weblog posted comments about city councilman Patrick Cahill, which Cahill believed to be damaging to his reputation. Cahill filed a defamation lawsuit. Because he did not know the identity of the anonymous commenter, he filed suit against “John Doe,” and began procedures under Delaware law to discover Doe’s true identity. Cahill learned that Doe used Comcast as an Internet service provider, and obtained a court order requiring Comcast to disclose Doe’s real name.

As required by the federal Cable Communications Policy Act of 1984, at 47 U.S.C. §551(c)(2), Comcast notified Doe of the request for information about his identity. In response, Doe sought an emergency protective order to bar Comcast from turning over his information. The trial court denied Doe’s request for a protective order, and held that Cahill could obtain Doe’s identity from Comcast. Doe appealed directly to the Delaware Supreme Court. On appeal, the Court reversed the lower court’s decision.

The Supreme Court determined that the trial court had applied too low a standard in testing whether Comcast should be ordered to turn over Doe’s identity. The trial court had applied a “good faith” standard, namely, that disclosure was warranted because Cahill had established through his pleadings that he had a legitimate, good faith basis on which to bring the defamation claim.

The Supreme Court held that such a low standard was not sufficient to protect one’s right to speak anonymously. The lower, good faith standard might encourage meritless lawsuits brought merely to uncover the identities of anonymous critics. Accordingly, the Supreme Court adopted a standard “that appropriately balances one person’s right to speak anonymously against another person’s right to protect his reputation.”

The Court held that before a defamation plaintiff can obtain the identity of an anonymous defendant through the compulsory discovery process, he must come forth with facts sufficient to defeat a summary judgment motion. Said another way, before a Delaware court will order an anonymous speaker to be unmasked, the plaintiff has to present evidence creating a genuine issue of material fact for each element of the defamation claim.

Applying that standard to the present case, the court held that “no reasonable person could have interpreted [Doe’s] statements to be anything other than opinion.” The court observed that its conclusion was supported by the “unreliable nature of assertions posted in chat rooms and on blogs.” The case was dismissed.

Doe v. Cahill, — A.2d —, 2005 WL 2455266 (Del., October 5, 2005).

Florida appellate court issues ruling on electronic discovery

Administrative law judge’s discovery order permitting “access to literally everything” on petitioner’s computer did not adequately protect against disclosure of confidential and privileged information.

After being suspended from his job as a school teacher, petitioner Menke was placed under investigation for alleged misconduct. In a formal proceeding against Menke before Florida’s Division of Administrative Hearings, the school board sought discovery of all of the computers in Menke’s household. The board requested that its retained computer expert be allowed to inspect Menke’s computers in a laboratory, so that it could search for improper instant messages.

Menke objected to the discovery request on the grounds that such a wholesale inspection of his computers would violate his Fifth Amendment right and his right of privacy, and would reveal privileged communications with his wife, attorneys, accountants, clergy, or doctors.

Over Menke’s objections, the administrative law judge granted the motion to compel production of the computers for inspection. Menke sought review with the Florida appellate court, which quashed the discovery order.

The appellate court looked to the only other Florida appellate court decision relating to electronic discovery, Strasser v. Yalamanchi, 669 So.2d 1142 (Fla.App.1996), noting that the relevant rules of procedure were broad enough to encompass requests to examine computer hard drives, but only in limited and strictly controlled circumstances. The court concluded that permitting unlimited access to everything on a computer would constitute irreparable harm, because it would expose confidential and privileged information to the opposing party.

The court continued by noting that in cases where there is a need for access to electronically stored information, searching for such data should first be done by the party responding to the discovery request, unless there is evidence of data destruction designed to prevent the discovery of relevant evidence.

In this case, there was no evidence of any destruction of evidence or thwarting of discovery. The court sent the matter back to the administrative body, allowing the school board to request that Menke produce relevant, non-privileged, information. In the court’s words, Menke was not required to provide unfettered access to the entire “electronic filing cabinet” that was his computers.

Menke v. Broward County School Bd., — So.2d —, 2005 WL 2373923 (Fla.App., Sep 28, 2005).

Personal e-mail sent by government employees at work protected from disclosure under Colorado Open Records Act

Decision maintains privacy of communications between alleged philandering boss and employee.

In 2002, the Board of Commissioners of Arapahoe County, Colorado hired a private investigator to prepare a report on alleged misconduct of Tracy Baker, the Arapahoe County Clerk and Recorder. The investigator’s report contained, among other things, copies of numerous e-mail messages between Baker and one of his employees. Many of the messages contained “sexually explicit and/or romantic content.”

The Denver Publishing Company, owner of the Rocky Mountain News, requested a copy of the report containing the e-mail messages. Instead of complying with the newspaper’s request, the Board of Commissioners filed a legal action, asking the court to determine whether the requested items could be released. The newspaper intervened, claiming that the e-mail messages had to be released to the public under the Colorado Open Records Act, C.R.S. §24-72-201 et seq. (“CORA”). The district court agreed, and ordered disclosure of the full report, including the salacious e-mail messages.

Baker and the employee sought review of the district court’s decision. The appellate court reversed, holding that although the e-mail messages were “public records” as defined under CORA, they should not be released because of their authors’ constitutional right to privacy. The Denver Publishing Company appealed the decision to the Colorado Supreme Court, which affirmed in part and reversed in part.

The Supreme Court held that the appellate court had properly concluded the e-mail messages should not be disclosed, but arrived at that conclusion on different grounds. Instead of invoking a constitutional privacy concern to bar disclosure, the court held that the definition of “public records” under CORA does not include private e-mail correspondence like the messages at issue in the case.

Under the statute, “public records” include “writings made, maintained or kept . . . [by the government] . . . for use in the exercise of functions required or authorized by law or administrative rule or involving the receipt or expenditure of public funds.”

The court noted that the inquiry in the case was content-driven: “The content of the messages must address the performance of public functions or the receipt of and expenditure of public funds. Insofar as the messages do not, they remain non-public and outside the scope of CORA.” In this case, the messages at issue were made, maintained or kept by the governmental agency. However, given the content, it was clear that they were not made in connection with official public business. Accordingly, the records were protected from public disclosure.

The Denver Publishing Co. v. Board of County Comm., — P.3d —, 2005 WL 2203157 (Colo., September 12, 2005).

Taking counsel from Councilman: E-mail message in transient electronic storage is an “electronic communication” under the ECPA

First Circuit reverses dismissal of indictment for surreptitiously copying third party e-mail messages.

The recent case of U.S. v. Councilman provides valuable insight into the First Circuit’s expansive reading of the definition of “electronic communication” under the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §2510, et seq.

Defendant Councilman worked for Interloc, Inc., an online rare and out-of-print book listing service. Customers of the service were provided with interloc.com e-mail addresses. Without the customers’ consent, Councilman directed that Interloc’s servers be configured to send Councilman a copy of every message sent to the customers from Amazon.com. The copies were intercepted during the split second they were located in temporary storage on Interloc’s server, and before they were sent to the customer’s account.

Councilman was indicted for conspiracy to violate § 2511 of the ECPA by, among other things, unlawfully intercepting electronic communications. The district court dismissed the indictment, holding that the messages, at the moment they were intercepted, did not meet the definition of “electronic communication” found at 18 U.S.C. §2510(12).

A three-judge panel of the First Circuit Court of Appeals affirmed the dismissal of the indictment. The government filed a motion requesting a hearing in banc, which was granted. On rehearing, the full court reversed the district court’s dismissal of the indictment.

Councilman had argued that the e-mail messages he was accused of intercepting, because they were being held in transient storage on the server when copied and sent to him, were not “electronic communications” as defined by the ECPA. The definition of “wire communication” (found at §2510(1) of the pre-USA PATRIOT Act version in effect at the time of the alleged crimes) specifically included electronic storage of communications. The definition of “electronic communication,” however, made no mention of data in electronic storage.

Applying the maxim of statutory construction known as expressio unius est exclusio alterius – which means “the expression of one is the exclusion of others” – Councilman argued that Congress specifically intended the definition of “electronic communication” to exclude data being held in electronic storage. If data in temporary storage on the server was excluded from the definition of “electronic communication,” Councilman argued, the charge of intercepting these e-mail messages in transient storage must fail as a matter of law.

The First Circuit rejected Councilman’s argument, concluding that the term “electronic communication” includes “transient electronic storage that is intrinsic to the communication process.”

To reach this conclusion, the court looked first at the plain text of the statute, scrutinizing Councilman’s argument that the inclusion of data in electronic storage in the definition of “wire communication” necessarily excluded it from the definition of “electronic communication.” The court was not persuaded by Councilman’s arguments that the statute should be construed in this manner. Given the “continuing ambiguity” in the statutory language, the court turned to the legislative history for guidance.

The court examined the various policies and concerns underlying the enactment of the ECPA. It explained that Congress gave a broad definition to “electronic storage” in order to enlarge privacy protections for stored data under the Act. Providing such a broad definition was not for the purposes of excluding e-mail messages stored during transmission. The court further noted that the presence of “electronic storage” in the definition of “wire communications” was to protect voicemail, and was not there to exclude e-mail from the definition of “electronic communication.”

Despite a strong dissent arguing for stricter statutory construction, the court held that the alleged conduct, as a matter of law, fell within the prohibitions of the ECPA. The case was returned to the district court for further proceedings.

U.S. v. Councilman, — F.3d —, 2005 WL 1907258 (1st Cir., August 11, 2005).

No reasonable expectation of privacy in Internet subscriber information

Court dismisses civil suit against city and police officers for obtaining information about AOL subscriber without warrant.

Plaintiff Freedman used his AOL e-mail account to anonymously send a message to two other residents of his Connecticut town. The message contained the statement “The end is near,” and the recipients interpreted this as a threat to their safety. They immediately filed a police report.

A Detective Young and an Officer Bensey drafted an affidavit and application for a search warrant to seek information that would help them identify who sent the complained-of e-mail. Without submitting the paperwork to the state’s attorney’s office or a judge, Young faxed it to AOL’s legal department. A week later, AOL provided Freedman’s name, address, phone numbers, and various pieces of information relating to his account with AOL, including his screen names. No charges were ever filed.

Angry that his subscriber information had been released, Freedman filed suit against AOL, the City of Bridgeport, Detective Young, and Officer Bensey. (The case against AOL was transferred to federal court in Virginia.) Freedman argued, among other things, that the release of his account information was an intrusion into his privacy that violated his Fourth Amendment rights.

The defendants moved for summary judgment, arguing that Freedman’s Fourth Amendment rights could not have been violated, because he did not have a reasonable expectation of privacy in his subscriber information. The court agreed, and granted the motion for summary judgment on this issue.

Freedman was unable to show that any expectation of privacy he had regarding his subscriber information was objectively reasonable. The court pointed to three different reasons why one would not reasonably expect his or her subscriber information to be private for Fourth Amendment purposes.

First, by signing up for service, a subscriber knowingly discloses information to the ISP, which is accessed and used by the ISP to provide services. Second, AOL’s terms of service provided that AOL would release subscriber information “in special cases such as a physical threat to [its customer] or others.” Such a provision was especially relevant given the underlying facts of this case. Third, the Electronic Communications Privacy Act, 18 U.S.C. §2510 et seq., provides that subscriber information can be divulged in situations where the risk of physical injury justifies its release.

Given these factors, one should not reasonably believe that his or her subscriber information would be private for Fourth Amendment purposes. With no reasonable expectation of privacy, Freedman’s Fourth Amendment claim was without merit.

Freedman v. America Online, et al., 2005 WL 1899381 (D.Conn., August 9, 2005).

Supreme Court nominee John Roberts and the law of the Internet

John Roberts, President Bush’s nominee for the Supreme Court, has only been on the bench since 2003, when he was appointed to the U.S. Court of Appeals for the District of Columbia Circuit. In that time, it does not appear that Judge Roberts authored any opinions dealing squarely with what most would consider “Internet law.”

Roberts was on the panel of judges (but not the author of the opinion) in the case of Recording Indus. Assn. of America, Inc. v. Verizon, 351 F.3d 1229 (D.C.Cir., 2003), which garnered a significant amount of attention upon its pronouncement. In that case, the Court of Appeals reversed the decision of the district court, which had denied Verizon’s motion to quash subpoenas issued by the RIAA. The RIAA had issued such subpoenas pursuant to the Digital Millennium Copyright Act (“DMCA”), seeking to learn the identity of accused file sharers.

The court held that under the DMCA, a subpoena could issue only to Internet service providers that actually stored infringing material on their servers. Because Verizon was acting as a mere “conduit” for data transferred between Internet users, the subpoenas should not have issued.

Of course, the Grokster opinion has changed the overall landscape of potential liability for copyright infringement over peer-to-peer networks. The author of this weblog will defer to more knowledgeable sources rather than speculate on how a Supreme Court Justice Roberts would rule on such a matter.

Presence of encryption software relevant evidence in criminal conviction

Anyone who tracks court decisions related to the Internet knows that criminal cases involving improper conduct with a minor are quite common, and generally have little or no legal significance. A recent decision of the Court of Appeals of Minnesota in the case of State v. Levie, however, is worth noting in that the decision affirmed a controversial evidentiary ruling. The trial court judge had allowed into evidence the mere fact that the defendant had the encryption software PGP installed on his computer. The judge had determined that the presence of the software was relevant evidence to show that the defendant had engaged in improper conduct with a minor.

The decision is puzzling for a couple of different reasons. The forensic report prepared by the police revealed that nothing on the defendant’s computer had been encrypted. Furthermore, the police officer who prepared the forensic report admitted that PGP “may be included on every Macintosh that comes out today.” Given the evidence of widespread use of PGP and the lack of any evidence to show the defendant had used the encryption software in connection with any crime, one is left to wonder why the court would find it, as it stated, “at least somewhat relevant.”

Apparently, the court believed that the mere ability to conceal wrongdoing showed an actual intent to commit a crime. But such a conclusion is troubling. How is the mere presence of PGP on the defendant’s computer any different than him having a lock on his front door? Would the court have drawn the same conclusion regarding relevancy if the defendant was on trial for something less heinous, say, securities fraud?

State v. Levie, 2005 Minn. App. LEXIS 476 (May 3, 2005).

Decision further exposes loophole in Electronic Communications Privacy Act

A federal court in Utah has held that although evidence obtained through illegal interception of wire or oral communication would not be admissible at trial, any evidence obtained through illegal interception of an electronic communication is admissible.

A confidential FBI informant accessed defendant Jones’s email account without his permission and printed out several messages which she turned over to FBI agents. Based on these messages, the agents obtained a search warrant and arrested Jones. Before trial, Jones moved to suppress the evidence contained in the e-mail messages, as well as the evidence derived from the search warrant based on those messages.

Jones argued that Section 2515 of the federal Electronic Communications Privacy Act (“ECPA”) prohibited the court from considering this evidence which he argued was illegally obtained by the confidential informant. Section 2515 provides, in relevant part: “Whenever any wire or oral communication has been intercepted, no part of the contents of such communication and no evidence derived therefrom may be received in evidence in any trial . . . if the disclosure of that information would be [prohibited].”

The court rejected Jones’s argument and denied the motion to suppress. Although the ECPA prohibits the introduction into evidence of wire or oral communications that may have been illegally obtained, the court held that the statute specifically excludes electronic communications from the statute’s suppression remedy. “Even though the [ECPA] prohibits the interception and disclosure of any wire, oral or electronic communication, the suppression remedy in §2515 applies only to intercepted wire and oral communications.”

U.S. v. Jones, — F.Supp.2d —, 2005 WL 850991 (D.Utah, April 12, 2005).