Category Archives: Privacy

On the radio: Mobile devices and the Fourth Amendment

I was honored to be a guest on this morning’s episode of Oregon Public Broadcasting’s show Listen Out Loud, talking with host Dave Miller about the recent case of Schlossberg v. Solesbee.

Listen to the interview here:

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

We talked about the Fourth Amendment and, more specifically, the exceptions to the warrant requirement for searches made incident to lawful arrests. Some courts have given special treatment to mobile devices when considering whether the information contained on them may be searched without a warrant, because of the vast amounts of personal information that is present.

There is no “generalized right to rummage” through an adversary’s Facebook account

Tompkins v. Detroit Metro. Airport, 2012 WL 179320 (E.D. Mich. January 18, 2012)

Plaintiff filed a personal injury lawsuit against defendants claiming she was impaired in her ability to work and enjoy life. One of the defendants filed a motion with the court asking it to order plaintiff to authorize access to her entire Facebook account. The court denied the motion. Finding that defendant had not made a “sufficient predicate” showing that the sought-after information was relevant, and that the request was overly broad, the court held that defendant “[did] not have a generalized right to rummage at will through information that [plaintiff had] limited from public view.”

The court distinguished two other well-known social media discovery cases, Romano v. Steelcase and McMillen v. Hummingbird Speedway. In those cases, the Facebook users had posted photos of themselves engaged in activities that were inconsistent with their claimed injuries (e.g., going fishing and traveling to Florida). The publicly-visible photos that plaintiff in this case posted, which defendant argued made the rest of her account relevant, were of her holding a 2-pound dog, and standing with friends at a birthday party. “If [her] public Facebook page contained pictures of her playing golf or riding horseback,” the court noted, “[defendant] might have a stronger argument for delving into the nonpublic section of her account.”

The court made clear that its decision did not address the question of whether a Facebook user has a reasonable expectation of privacy in so-called private pages. (And there’s nothing in the decision to suggest that inquiry should be answered in the affirmative.) The court also noted that it was not answering the question of whether one could challenge a subpoena to Facebook under the Stored Communications Act (18 U.S.C. 2701 et seq.) as contemplated by Crispin v. Christian Audigier, 717 F.Supp.2d 965 (S.D. Cal. 2010).

Other coverage from Eric B. Meyer.

Ordering defendant to decrypt hard drive did not violate her Fifth Amendment rights

U.S. v. Fricosu, 10-CR-00509 (D. Colo. January 23, 2012)

Pursuant to a warrant, federal agents seized defendant’s laptop from her home. When investigators turned it on, they saw the hard drive’s contents were encrypted using PGP Desktop. Defendant would not voluntarily turn over the password to decrypt the drive, so the Government filed an application under the All Writs Act to require defendant to “assist” in the execution of the search warrant. Defendant objected, asserting her privilege against self-incrimination under the Fifth Amendment.

The court rejected defendant’s arguments, granted the Government’s application and ordered defendant to provide an unencrypted copy of the hard drive. It found that the situation did not implicate defendant’s Fifth Amendment rights.

The Fifth Amendment provides that no person shall be compelled in any
criminal case to be a witness against himself. For the most part, this privilege only covers testimony. But an act that implicitly communicates a statement of fact may be within the purview of the privilege as well. For example, producing a document (or electronic data, for that matter) is an acknowledgment that the material:

  • exists
  • is in the possession or control of the producer
  • is authentic (i.e., is what it purports to be)

The court held that defendant’s Fifth Amendment rights were not implicated because providing an unencrypted copy of the hard drive did not serve to accomplish any of the three points listed above.

The feds had confiscated the computer, so they knew of the location and existence of the computer files. (The court found that the fact that investigators did not know the specific content of any specific files on the computer did not matter.) And as for the authenticity of the computer files, the government would presumably be able to do that in other ways. Among other things, the computer was found in defendant’s bedroom. Information on the screen that showed up when it was turned on contained defendant’s first name. And perhaps most damningly, investigators had a taped phone conversation between defendant and her ex-husband discussing the computer and the fact it was password protected.

Supreme Court: GPS device attached to car was an unconstitutional search

U.S. v. Jones, 565 U.S. ___ (2012)

Decision looks to 18th century sensibilities on the sanctity of personal property to resolve modern day legal problem occasioned by technology.

Today the Supreme Court issued its opinion in U.S. v. Jones, which addresses the question of whether it was a “search or seizure” under the Fourth Amendment when the police attached a GPS tracking device to a drug suspect’s car. The information gathered from the device was used to convict defendant and send him to prison for life.

An originalist kind of opinion

Justice Scalia authored an opinion (which four other justices, including Roberts and Thomas, joined) holding that the placement of the GPS device on defendant’s car was a “physical intrusion [which] would have been considered a ‘search’ within the meaning of the Fourth Amendment when it was adopted.” Because the device was placed on the car outside the scope of the warrant authorizing it (after the warrant’s expiration and outside its geographic jurisdiction), defendant’s Fourth Amendment rights were violated.

Property is key

Key to Court’s opinion was the Fourth Amendment’s close connection to property. Historically, Fourth Amendment jurisprudence has been tied to the concept of common-law trespass. Later cases, such as Katz v. United States, 389 U.S. 347 (1967) deviated from that approach, looking more to a personal interest, namely one’s “reasonable expectation of privacy.”

Reasonable expectation of privacy does not matter here

The Government had argued that there was no search here because defendant had no reasonable expectation of privacy in the underbody of his car, nor in the information about the public places he went. The court rejected that argument. Instead, it observed that “[a]t bottom, we must ‘assur[e] preservation of that degree of privacy against government that existed when the Fourth Amendment was adopted.”

This “at bottom” analysis meant looking to the property interest defendant had (as informed by principles of common law trespass). By attaching the device to defendant’s car, the officers encroached on a protected area.

Open questions about information tracking

The case involved more than the mere transmission of electronic signals. In dicta, the court noted that in cases that do not involve physical intrusion, the Katz “reasonable expectation of privacy” analysis would apply. And the court was able to skirt the thorny question of whether the pervasive gathering of information while assisted by technology (something that it would take an army of agents and vehicles to accomplish) would be unconstitutional:

It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question.

Many commentators have observed that the case bears similarities to United States v. Knotts, 460 U. S. 276 (1982) which involved a location-transmitting “beeper” that was placed in a canister of chloroform, which made its way into the defendant’s trunk. In Knotts, the Court held that the gathering of location information in such a fashion did not violate the Fourth Amendment. The Jones case is different — in Knotts, the cops were not reponsible for placing the canister into the vehicle. Here, the cops actually had to encroach on defendant’s property (and even changed the batteries on the device at a later date).

The Court’s decision comes as a relief to those who worried about the Orwellian-like consequences of a Government victory. It appears that all of us — including the Justices of the Supreme Court themselves — are free from indiscriminate government surveilance of this sort. It will be interesting to go back and watch This Week in Law Episode 137, where we discussed this case and its issues.

What do you think? Was the court correct in looking at 18th century doctrines to solve a 21st century problem? Let’s have a conversation below.

Cops violated Fourth Amendment in warrantless search of digital camera

Schlossberg v. Solesbee, 2012 WL 141741 (D.Or. January 18, 2012)

Plaintiff was being questioned by defendant police officer when defendant noticed plaintiff was using a digital camera to capture the exchange. The cop got enraged and took the camera away. He arrested plaintiff and looked through the files on the camera without getting a warrant.

So plaintiff filed a civil rights lawsuit. Before trial, the court asked the parties to file briefs on whether plaintiff’s Fourth Amendment rights were violated. The court found that the warrantless search of the camera was an unlawful search incident to an arrest, thereby violating the Fourth Amendment.

In its decision, the court noted that cases which have allowed warrantless searches of electronic devices incident to arrest established a dangerous new rule, namely, that any citizen committing even the most minor arrestable offense is at risk of having his or her most intimate information viewed by an arresting officer. The court recounted the case of some cops who, in a warrantless search of a drunk driving suspect’s cell phone, found and shared some naked photos of the suspect’s girlfriend. See Newhard v. Borders, 649 F.Supp.2d 440 (W.D. Va 2009).

The court disagreed with the rationale of previous cases that held electronic devices such as phones and cameras were like “closed containers” and were thereby subject to warrantless searches. It found that warrantless searches of electronic devices are not reasonable when they are incident to a valid arrest absent a showing that the search is necessary to:

  • prevent the destruction of evidence
  • ensure officer safety, or
  • address other exigent circumstances

The court further found that all electronic devices should be subject to this broad protection — police should not have to distinguish between laptops, traditional cell phones, smart phones and cameras before deciding whether to proceed with a search of the device incident to arrest.

In sum, the court found that because plaintiff had a high expectation of privacy in his camera’s contents, defendant should not have reviewed its contents in a search incident to the arrest. He should have gotten a warrant instead.

So what do you think? Did the court get this one right?

Video: my appearance on the news talking about isanyoneup.com

Last night I appeared in a piece that aired on the 9 o’clock news here in Chicago, talking about the legal issues surrounding isanyoneup.com. (That site is definitely NSFW and I’m not linking to it because it doesn’t deserve the page rank help.) The site presents some interesting legal questions, like whether and to what extent it is shielded by Section 230 of the Communications Decency Act for the harm that arises from the content it publishes (I don’t think it is shielded completely). The site also engages in some pretty blatant copyright infringement, and does not enjoy safe harbor protection under the Digital Millennium Copyright Act.

Here’s the video:

Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court cited from a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

Sexy MySpace photos stay out of evidence

Webb v. Jessamine County Fiscal Court, 2011 WL 3652751 (E.D. Ky. August 19, 2011)

Plaintiff filed a civil rights lawsuit against the local jail and other governmnet officials after she gave birth while incarcerated. She claimed, among other things, that the jail’s failure to get her proper medical care before and during the delivery caused her extreme humiliation, mental anguish and emotional distress.

The defendants tried an extremely bizarre and highly questionable tactic — they sought to use provocative photos purportedly copied from plaintiff’s MySpace profile, to demonatrate that it is “less probable that [plaintiff] would experience humiliation and mental anguish by being in a jail cell while delivering a baby.” Defendants claimed that the photos were “of such a nature that a reasonable person would be embarrassed if such photographs were placed in public view.”

In other words, defendants argued that because plaintiff would post photos like that of herself online, she did not have the dignity to be free from being ignored or called a child and a liar during labor.

The court granted plaintiff’s motion in limine, excluding the photos from evidence. It found that the photos were irrelevant:

Although the appearance of provocative photos online may cause some humiliation, it bears no relation at all to the extreme humiliation and mental anguish a woman forced to go through labor on her own in a jail cell would bring.

The court also found that the defendants had not properly authenticated the photos, i.e., had not provided enough supporting evidence to show that they actually were of plaintiff. The photos that the defendants offered bore “no indicia of authenticity, such as a web address or a photo of these images on the public MySpace account from which Defendants claim they originated.”

Using remote tracking software to find stolen laptop may have violated federal wiretap statute

Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio August 22, 2011) [PDF copy of opinion]

Services that help track down stolen laptops and other lost mobile hardware are indispensable. Consider, for example, the year-long saga of Jeff Blakeman who used MobileMe to help recover his MacBook Pro that a TSA agent stole from checked luggage. Or how Joshua Kaufman used the remote recovery application Hidden to snap pics of the creepy dude who made off with his MacBook.

It is hard to not rejoice when one reads stories about laptop thieves being brought to justice. And we generally feel no pangs of conscience over whether the apprehended criminal had any privacy rights that were violated when he was being monitored with the software.

But what if the person being tracked did not steal the device, and did not know that it was stolen? Do we then care about whether the remote tracking process violated that person’s privacy? If so, how should that privacy right stack up against the theft victim’s right to get his or her property back?

A recent case from Ohio shows how the privacy right of the innocent user can constrain the rightful owner from using all means of what we might call “remote self help.” The court applied the Electronic Communications Privacy Act (“ECPA”) in a way that should cause users and purveyors of theft recovery services to reevaluate their methodologies.

Hot communications using hot property

The facts of the case were salacious and embarassing. Plaintiff bought a non-functioning laptop for $60 from one of her students (she was a substitute teacher at an “alternative” high school). After she got the computer working, she used it to have sexually explicit communications with her out-of-state boyfriend — they even got naked in front of their webcams with one another.

As it turns out, however, the student who sold plaintiff the laptop had stolen it. The teacher claimed she did not know it was purloined. The original, rightful owner of the laptop had installed Absolute Software’s LoJack for Laptops on the device. After it was stolen, and after it had made its way into plaintiff’s hands, Absolute began its work of locating the machine and gathering information about its whereabouts and its user.

In this process, one of Absolute’s employees obtained real-time access to what was happening on the stolen computer. He was able to collect keystrokes of the sexually explicit communications, and gather three screen shots of plaintiff and her boyfriend, both naked, fooling around on the webcam.

Absolute turned the information — including the X-rated screen shots — over to the police. Plaintiff was arrested and handcuffed. The criminal court dismissed the case against her.

But plaintiff (and her boyfriend) sued. They brought several claims against the police for violation of their constitutional rights, and claims against Absolute for, among other things, violation of the ECPA. Absolute moved for summary judgment on the ECPA claim but the court denied the motion. The court found that Absolute could not show, as a matter of law, that it should not be liable for the interception of the explicit communications.

Legitimate privacy expectation, even on a stolen computer

Subject to certain exceptions, the ECPA prohibits one from surreptitiously intercepting or disclosing the contents of any wire, oral or electronic communications of another. The defendants first argued that plaintiff could not put forward a valid ECPA claim because she did not have a legitimate expectation of privacy in these communications.

The court rejected this argument, finding that plaintiff’s belief as to her privacy was reasonable both subjectively and objectively. She felt safe enough to engage in the explicit communications (subjective belief), and she demonstrated that she had no reason to suspect the laptop was stolen (objective belief). Had she known or had reason to know it was stolen, her claim of privacy would have been subordinated to the possessory interest of the owner. (As an aside, there was some interesting evidentiary wrangling that went on a few weeks ago about defendants’ expert witnesses opining on internet privacy. Read more about that at Bow Tie Law.)

Public policy did not come to the rescue

Absolute next argued that certain exceptions to liability for violation of the ECPA should protect it. The court rejected each of these arguments. It found that the exception for those acting “under color of law” to track down “computer trespassers” did not apply, because Absolute was a private entity, not one acting under color of law. The court also rejected Absolute’s argument that it could divulge the intercepted contents as a provider of an electronic communications service. The court found that Absolute did not provide an “electronic communications service to the public” as defined by the ECPA.

So Absolute was left with one final argument, namely, that public policy should shield it from liability for the unauthorized interception and disclosure of the keystrokes and screen shots. Absolute argued that the legal owner of the stolen laptop should be able to take steps to locate and recover that property, and that the rights of the property owner must trump those of a thief.

The court declined to implement such a per se rule, noting that:

It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.

In so many words, the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer. Had the information collection stopped at IP addresses and other non-content information, the remote tracking efforts may not have run afoul of the ECPA.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.