The Fourth Amendment in A Networked World:
Jonathan Zittrain has posted a response at the Harvard Law Review Forum to my recent article on computer searches and seizures. I thought I would blog some thoughts about Zittrain's thoughtful essay, and the broader topic of computer search and seizure law.

  Zittrain's response, Searches and Seizures in A Networked World, argues that the topic and approach of my article has been "overtaken" by recent events. While my article concerns the retrieval of evidence from personal computers, Zittrain contends that the real action these days is in the network context. That's true for two reasons, Zittrain suggests. First, concerns about terrorism are now of primary importance in light of the Patriot Act, the expanded use of National Security Letters, and the NSA domestic surveillance program. Second, more and more information is being stored on networks. He then argues that principles I articulate in the context of personal computers may not provide enough Fourth Amendment protection as applied to the network context, especially in light of news such as the NSA domestic surveillance program.

  I very much appreciate Professor Zittrain's response, and wanted to offer two arguments in return. First, I agree with Professor Zittrain that network surveillance issues are critically important. Indeed, I wrote my article only after completing a series of articles on network surveillance law, including on the role of the Patriot Act (see here, here, here, and here). At the same time, the importance of network surveillance law — and its high profile in the news recently — shouldn't overshadow the continuing importance of the legal rules regulating retrieval of evidence from personal computers.

  Personal computer searches will maintain their critical importance in computer crime cases for two very practical reasons. First, no matter how much people store information remotely as a general matter, they tend to keep evidence of crime and digital contraband close to home. Second, it is quite difficult for the government to prove a case beyond a reasonable doubt based solely on evidence obtained from a network. You never know who had acccess to the network, or when, or whether the account was hacked or stolen. As a result, nearly every computer crime case ends with a retrieval and search of the suspect's personal computer(s). Finding evidence of the crime on the suspect's personal computer is damning evidence, quite persuasive to a jury. As a result, even if lots of the action happens at the network surveillance level, most investigations still end up with a personal computer search.

  Second, Professor Zittrain may be right that the approach I offer in my article may not provide a satisfactory solution to answer how the Fourth Amendment should apply to networks. But I don't think that is necessarily a flaw: Fourth Amendment rules are quite localized, and it's not clear that the same principles should apply to both contexts. More broadly, I think we need to recognize that the question of how the Fourth Amendment should apply to computer networks is remarkably difficult. Or at least it is difficult to me: I have been thinking about this question for years, and have only been able to bite off small bits of the problem so far. My first effort to write an article on how the Fourth Amendment should apply to computer networks turned into a piece on the Fourth Amendment and technological change (see here); my most recent effort has morphed into a draft about the nature of Fourth Amendment protection more generally. My uncertainty is such that when it looked like the Eighth Circuit might touch on when e-mails get Fourth Amendment protection, I wrote an amicus brief exploring the arguments on both sides without taking a position of my own.

  In the end, I think Professor Zittrain and I agree on the broad point: my article is only one small piece of a broader set of important questions and issues. I think my article covers a small but important set of questions reasonably well, but it's only the beginning of lots of work ahead.
Defending the Indefensible:
I also think network surveillance is likely to produce less useful evidence if terrorists are clever enough to use cryptographic communications protocols like PGP or Hushmail. It is more likely, however, that unencrypted and/or accessible copies of data will exist on the computers at the endpoints of the communication.
2.25.2006 3:39pm
logicnazi (mail) (www):
It seems quite possible that network surveilance will be enough in the future.

With things like google desktop there is a broadening trend of keeping one's 'personal data' on remote servers. This has a huge gain in conveince since now you can access your content from any computer (any computer can act like your own) but on the down side it means that all your personal info travels over the network.
2.25.2006 3:45pm
Defending the Indefensible:
Logic Nazi,

I don't think you are taking into consideration that people who are more protective of privacy are less likely to put them on remote servers in a transparent format.
2.25.2006 3:52pm
James Lindgren (mail):

I really liked your superb article in the HLR; it seems sensible and very well executed (even if not shockingly innovative). It is a good example of applying existing law to new problems and to new twists on old problems.

Your response above to Zittrain seems quite effective.
At first glance, Zittrain's comment seems to fall into one of the classic modes of book reviews: criticizing the author because he didn't write the book that the reviewer thought he should write.

2.25.2006 4:31pm
Wintermute (www):
I don't see how "expectation of privacy" can be ignored here.
2.25.2006 5:25pm
logicnazi (mail) (www):
I usually try to leave my username in one piece (to emphasize its seinfeild origins instead of letting 'Nazi' stand out in such a stark manner) but I guess I'm happy to respond to either as long as no one gets confused :-).

Anyway I don't think refusing to use such network services is really an option in the long run. Sure for a couple years but once a technology like this becomes universally adopted it won't really be a viable option. Besides, this is like justifying no 4th ammendment protection on phone taps on the principle that if you want privacy you won't use the phone.

From my limited knowledge I think Wintermute's point is right on the money. Especially if we start storing our personal information on corporate servers like google desktop does. At which point our expectations of privacy and the buisness records clause run smack into each other.
2.26.2006 6:45am
JZ (mail) (www):

Yes, part of the difficulty in writing a reply to a piece as thorough, reasonable, and well-argued as yours is that there's not much to say in direct response except, "You go!" Hence a reply that uses the pieces as jumping off point, taking on some quite current events and raising some questions about the implications of views of the Fourth Amendment in one place as applied to another. (Jim - hence I wouldn't take my reply to be a book review in the sense of suggesting whether or not people should read the work in question; I figure people will only see my piece if they've already read Orin's, and in that case ought to be treated to something related but new. I do think a treatment of PC searches is needed and that Orin has provided it.)

What I remain curious about is maintaining a distinction -- whether for 4th A or for statutory purposes -- of "network surveillance" vs "hard drive surveillance" when the two are becoming so interchangeable. I worry that current 4th Amendment doctrine does not sufficiently protect that which is stored at gmail (or through the new Google Desktop), and would be curious to know what you think about that.
So far I hear you saying you're uncertain, but if *you're* uncertain, imagine how the rest of us who aren't prominent 4th A and privacy scholars feel! :)

2.26.2006 12:38pm
Robert Schwartz (mail):
Why would anybody think that information he leaves on Google's servers is private? Check the ads they feed you on the right side of the screen. Its not private. If you want to keep something private, don't store it on Google. Is that too difficult to deal with?
2.26.2006 6:53pm