Does Attaching a Thumb Drive to a Shared Computer Waive Fourth Amendment Rights in its Contents?

“Yes,” says Judge Maurice Paul in United States v. Durdley, 2010 WL 916107 (N.D. Fla. 2010), handed down on March 11. I haven’t seen any cases quite like this, but I tend to think the decision is wrong. In this post, I wanted to explain the decision and then say why I find its reasoning rather unpersuasive.

Durdley was an emergency paramedic for the local county who was at work using a shared computer. When he was done using the shared computer, he forgot to take away the thumb drive had attached to one of the computer’s USB ports. Later on, a captain of the paramedic team named Johnson, was using the computer and saw the thumb drive attached. Johnson decided to see what was on the thumb drive, so he double-clicked on the “my computer” icon, double-clicked on the thumb drive icon to see the list of files, and then double-clicked on some files to see what they contained. Johnson found child pornography files on the thumb drive, leading to charges against Durdley.

The district court held that attaching the thumb drive to the USB port of a shared computer waived a reasonable expectation of privacy in the contents:

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no . . . reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer[.]

The Court was persuaded by the analogy between Durdley’s case and United States v. King, 509 F.3d 1338, 1341-42 (11th Cir. 2007), in which King placed a file into his “shared drive” on a laptop that was connected to the network of a military base used by thousands of people. Another user of the network was looking for music files on the network and saw the file on King’s shared drive. The file turned out to be child pornography, leading to charges against King. The Eleventh Circuit ruled that King did not have a reasonable expectation of privacy on the files he had placed in his shared drive connected to the network:

It is undisputed that King’s files were “shared” over the entire base network, and that everyone on the network had access to all of his files and could observe them in exactly the same manner as the computer specialist did. As the district court observed, rather than analyzing the military official’s actions as a search of King’s personal computer in his private dorm room, it is more accurate to say that the authorities conducted a search of the military network, and King’s computer files were a part of that network. King’s files were exposed to thousands of individuals with network access, and the military authorities encountered the files without employing any special means or intruding into any area which King could reasonably expect would remain private. The contents of his computer’s hard drive were akin to items stored in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public

In Durdley, the district court ruled that Durdley’s case was just like King:

King accidentally allowed others to have access to his files. Instead of leaving a thumb drive accidentally plugging in to a physical computer tower, King left a folder accidentally “plugged in” to a computer network, by failing to turn off sharing for that folder.

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no more reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer than the defendant in King did in his drive once he attached it to the airbase network.

I tend to think that King is right and Durdley is wrong. The operating principle here is that effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. I can see that in King. When you put a file in a place that is understood to make it shared with others, and you connect to a network with thousands of other users, you are effectively exposing that file to the public.

But I think that’s different from leaving a thumb drive in a laptop USB port in two critical ways. First, it seems that the only person who could access the files in the thumb drive was one other person who happened to sit down to use that particular laptop. It’s hard to see exposure to one person as the same as exposure to the public. And I don’t think there were any facts in the record as to how often the laptops were used, either.

Second, I think the social norm is that when you see a private person’s thumb drive on a shared-use computer, it’s understood that you’re invading that person’s privacy if you start clicking around to see what the files are. It’s kind of like someone leaving their luggage in the waiting room of a bus station. If the owner leaves the luggage behind for some reason, no one would see that as a waiver of privacy rights in the luggage or an invitation to unzip the luggage and look around.

To be clear, it usually won’t violate the Fourth Amendment for another government employee to click through a government employee’s thumb drive connected to a shared work computer. If the search is a reasonable work-related search, no warrant is required under O’Connor v. Ortega. But that’s a separate question of whether it’s a reasonable or unreasonable search. In contrast, the court here ruled that Johnson’s double-clicking on the thumb drive files wasn’t a search at all.

UPDATE: It occurs to me that the answer in this case may hinge on whether you see this case as involving a private sector workplace or a public sector workplace. If it’s a private sector workplace, the operating Fourth Amendment principle is the one I stated: effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. On the other hand, if you see the case as a government workplace search case, then the operating Fourth Amendment principle is different: As I explained here, in that setting, sharing the space with another government employee eliminates Fourth Amendment protection in that information. In that case, I think it would be fair to say that connecting the thumb drive to the shared computer does share the space. This post treated the case as a private workplace case because the opinion treats it that way, but I think that question may make all the difference in the right answer.