pageok
pageok
pageok
Computers, the Fourth Amendment, and the Analogy Game:
In the comment thread to my post on the symposium about applying the Fourth Amendment to computers, commenter "New World Dan" states:
This is one area that drives me nuts. I can't think of one single case where conventional law was inadequate to address 4th amendment issues in the "Digital Age". Internet records are really no different than phone, library or financial records. That, of course, hasn't stopped politicians, lawyers and judges from making it more complicated than it is, though.
  Dan's comment is a bit misleading: Pretty much everyone agrees that non-content Internet records should be treated exactly like non-content phone, library, or financial records. But I take his broader point to be that there's nothing new here. We can apply the Fourth Amendment to computers by applying simple analogies to "conventional law."

  I certainly appreciate Dan's instincts. Analogies are extremely important in this area, as they are in most areas of technology law. But the fact that they are important doesn't mean that they are simple or sufficient.

  For example, if you think an e-mail message is just like a postal package, is e-mail more like a first-class package (protected by the Fourth Amendment) or a fourth-class package (not protected)? If you think e-mails are exactly like telephone calls, are they more like landline calls (protected by the Fourth Amendment) or cordless phone calls (not protected)? And what do you do with information like URLs — what's the "phone, library, or financial records" analogy to them? Are URLS more like the contents of phone calls or just records of the call?

  "New World Dan" may find these questions easy, but I suspect most of us don't. And those who find these issues easy probably disagree with each other as to what the easy answers should be. The problem, I think, is that communications networks work by sending information out into the network, and we have an intuitive sense (for good practical reasons beyond the scope of this post) that some information should be protected and other information shouldn't be. This means that we'll always have competing "conventional law" analogies that appear plausible: one side will pick an analogy to protected information, the other to unprotected information.

  As I see it, choosing among these competing analogies generally requires a broader normative theory of what should make a difference. Otherwise it's "turtles all the way down." Or at least it's turtles down to the foundational premise that the Fourth Amendment protects the inside of the home but not public spaces, which I think can plausibly be used to support nearly any result when applied to communications networks.

  Consider Olmstead v. United States, the 1928 case that considered whether wiretapping was a Fourth Amendment search when agents tapped a private telephone line from the public street. Each side offered an analogy from "conventional law" to solve how the Fourth Amendment applied to the new technology of the telephone. To the majority, the analogy was public speech: wiretapping from a public street was just like listening to someone shouting their communications into the public square. To the dissent, the analogy was invading a private space: wiretapping was just like breaking into someone's home and listening to their private conversations.

  Which side was right? To answer this, I think you need to go beyond simply applying "conventional law." The trick is how to apply conventional law, and there are substantial arguments for and against a very wide range of alternatives. Picking among the options requires a broader theory, which is why these questions are both interesting and hard.

  For more on these issues, check out my essay, "Digital Evidence and the New Criminal Procedure," which was published in the Columbia Law Review in 2005.
John T (mail):
Another example in the non-digital realm was Kyllo v. United States, where competing analogies were offered about the police using infrared heat sensors to detect heat lamps used to grow marijuana hydroponically in a house. Was these merely observing infrared rays escaping the house, no different from looking at a house through the windows without the blinds shut? Or was this somehow a search of the house that required a warrant? Thomas and Scalia joined the non-Breyer liberal wing in a 5-4 decision saying that a warrant was required, partially because heat sensors were not an extremely common technology, unlike using ones eyes or binoculars.
1.24.2007 1:52pm
18 USC 1030 (mail):
As an aside to this: what do we do when settled areas evolve to the extent that they no longer resemble (perhaps resemble less is a better description?) the original circumstances? To go along with the telephone conversations cited by Prof. Kerr, Landlines are protected, cordless are not; what about VOIP? What about merely using yahoo with a microphone? Yahoo mesenger uses terms that we'd ordinarilly associate with telephones; does this make it so? What about landlines in general resembling computer networks more than the original mechanically switched networks?

I think this is why the issue is far from settled. It seems to me that we need to determine the basis upon which we protect communications. Perhaps I'm off but I think we need to evaluate the reason for which protection was granted in the past. Once we understand the historical 4th amendment applications I believe we can apply that to the current issues created by technology.

I don't think we should be testing protection of email by trying to compare it to physical mail. Rather, we should compare the underlying cause for protection. (i.e. other's access, reasonable expectation, public view of information, etc) It seems counterproductive to compare telephones to computers and email to mail--they are not similar enough.

We also have the issue about ownership. Who owns the email? The user? the server owner? These issues have been tackled by the courts but demonstrates differences between stored data and traditional paper file cabinets.
1.24.2007 2:16pm
E:
I don't see how any issues with internet communication aren't controlled by the media they're on - e.g., a DSL connection is nothing more than a fat phone line with machines doing the talking.

Also, minor correction to John T.: Stevens, not Breyer, dissented in Kyllo.
1.24.2007 2:20pm
18 USC 1030 (mail):
Except phone conversations aren't stored anywhere. Electronic communications are stored in many intermediary servers, final destinations, and also can be intercepted "more easily".

To the first point, if a tap is placed on an intermediate server, is there a right to privacy? Why? And, to whom does that right apply? Is it applied to the sender? the receiver? or merely the owner of the intermediate server? If you say the sender has a right to privacy on the communication, on what do you base this? Do I have a right to privacy on someone's server? Why? I don't own my records with companies I deal with--they do. Or is this more akin to the storage places where you rent a box to lock your stuff; they own the box, but you own the stuff? Why? You aren't choosing which server to use; can you have a right to privacy in a place that you didn't know existed? Are you saying the communication should be protected no matter where it is, so longer as it initiates in a manner that is protected? Does that mean the internet is per se protected? Based on what? This is the problem, in order to extend protection we need to have an idea why we are protecting it--other than we don't want people to know what we say. We need a reasonable expectation of privacy and that expectation must be reasonable.

This brings us to the second and perhaps most important issue: is there a reasonable expectation of privacy on the internet? Is the internet more similar to landlines that are not considered private; or more similar to cordless phones that are considered public? Does this depend on method of access? Is there a difference between DSL,Cable, Dialup, Fiber, Wireless? Does one need to maintain some type of security defense in order to make communications private? Is encryption sufficient? Or is the internet so insecure that one cannot reasonably expect the communication will remain private? Though these questions may seem to be purely academic and without practicality--I don't think that is the case.
1.24.2007 3:02pm
billb:
18 USC 1030: Are you sure about your assertion about phone conversations not being stored in the face of modern digital switching equipment and networks?
1.24.2007 3:57pm
Falafalafocus (mail):
This is the reason I come to VC. I start reading a post on internet and the fourth amendment, I suddenly learned about an interesting phrase regardigng turtles that I had never heard of before. Perhaps I was improperly educated. In any event, kudos!
1.24.2007 4:27pm
18 USC 1030 (mail):
billb

Sorry I got messy. In my first post I mentioned the fact that telephones are no longer mechanical switches and are moving towards packet switched networks similar to computers. When I mentioned telephone in the second post I was refering to traditional telephones, prior to the changeover. I would argue that telephones today may not provide the same expectation of privacy due to the fact that they no longer operate the same way. Does this mean phone calls should no longer be protected? Or, should we continue to view phone calls as protected because we always have? I am not saying I think it would be a good policy decision to determine that phone calls are no longer protected; but, I am asking if it's possible that the technology has changed to the point that a telephone is no longer a "telephone".

Hypothetically speaking, we have always protected the inside of the home but never the parts of the home that are in public view: you have a right to privacy when in your bedroom; but you don't have it when you are on your front lawn. If we we build all houses out of nothing but clear material, and people don't cover the walls with anything, allowing anyone and everyone to peer inside, do they still have the right to privacy in their home? I'd say probably not as it is in the public view and you don't have a reasonable expectation of privacy.

I'm not suggesting telephones have now reached this point, I doubt they have--but it is, I think, something to think about as technology evolves. Though telephones may not have reached this level, have other forms of communication? If you have a bluetooth device set to roam and connect with any other device and not requiring a password to access it, is there a reasonable expectation of privacy? Is having a password/encryption requirement sufficient?

I do not suggest my examples should not be protected, merely that we must think about these possibilities when looking at the law to ensure that the law does in fact resemble the technology. As technology advances, these analogies become more and more difficult. It's one thing to compare something concrete from the common law to the first technology, perhaps even technology II to technology I to concrete--but how many hops can you have between the current example and the concrete before that analogy is no longer useful?
1.24.2007 4:44pm
John M. Perkins (mail):
Is "applying conventional law" originalist?
As a living constitution advocate, I'm very comfortable with the "underlying cause for protection" of poster 18 USC and why I hated Roe v. Wade, while legislatively pro-abortion.

Technologies outstrip prior textual limitations and meaning.
1.24.2007 5:05pm
New World Dan (www):
I suppose I ought to elaborate a bit. The reason I generally don't find these issues to be all that complicated is that I am not a lawyer. I am a technologist. As such, my approach is to dissect the particular technology at hand and work through it piece by piece. At each stage, at a fundamental level, I generally find the issues to be very straight-forward and easy to make a decision about. The lay person, however, tends to see a black box where they click 'send', and everything magically takes care of itself. They see the big picture without looking at the intricate details.

I'll also admit the prior post was rather glib. I'll concede that there are a few areas that require rules or definitions, such as the status of a packet on a switched network, but generally these are things that have been in effect for many years. What I frequently read about are situations where a judge or politician doesn't understand the fundamentals; they see the forest, but not the trees. (For the record, though, I thought Senator Stevens' "Tube" analogy showed a remarkably good understanding for a US Senator) I also tend towards the view that when in doubt, the goverment should get a warrant and the individual should take proactive steps to protect their privacy.

I take the opinion that Kyllo was wrongly decided. Unless it's illegal for an ordinary citizen to use IR googles to spy on their neighbor, I don't know why the police would be held to a different standard.
1.24.2007 5:42pm
Vovan:
Heh, New World Dan never encountered the magic that is "cell site" info, and the apparent lack of probable cause that state needs to obtain it.
1.24.2007 5:46pm
U.Va. 1L:
Orin,

This is the first I've heard about cordless phone conversations not being protected. What is the reasoning for this? Some cordless phones (I'd daresay most sold today) have various security measures in place to prevent others from listening in. See: http://en.wikipedia.org/wiki/Cordless_telephone#Security. This would distinguish them from walkie-talkies which us public frequencies and offer no protection against others listening in on the conversation. Is anything that travels via radio waves not protected by the 4th Amendment?

An interesting issue related to searches of computer data is encrypted files. I'm curious, having not yet studied anything on this subject, what effect encryption has on 4th Amendment searches.

Suppose in the pre-computer world, a felon writes out his plans for a bank robbery using secret codes on a piece of paper: "Fred will enter the barn at noon and milk the cow while I pluck the chickens." (One could imagine a more elaborate code, but for illustrations this is simpler. For an ancient example, see: http://en.wikipedia.org/wiki/Caesar_cipher.) If this note was seized under a valid 4th Amendment search, could the author be forced to provide the lexicon (or cipher) necessary to know what the note really meant? Or, would the prosecutor have to persuade the jury that "barn" means "bank" and "milk the cow" means "empty the vault" and "pluck the chickens" means "empty the cash registers"?

Suppose, instead, we are in the modern computer era and a felon types his plans for a bank robbery on his computer and encrypts the file. If the computer (or, if you like, just that file) was seized in a valid 4th Amendment search, could the author be forced to supply the password/key/cipher needed to decrypt it? Or would the prosecutor have to attempt to persuade the jury that "FC5D409DFE33C7B6F73149A93133E320
259D12DC87FBCF4EFE91DB2DA3A55A18
6CA5D5E3AE130B0BFFAA2598C13388A2
A652E0BFC59F8150BFA44BA174A7B1F8
4E59163C9899F29A" means "Fred will enter the barn at noon and milk the cow while I pluck the chickens."? (This simple example can be decrypted here: http://webnet77.com/cgi-bin/helpers/blowfish.pl with the key: 34ertyhjkm,)

Is there any law on this?

With computer encryption, we have additional problems we're not likely to have with codes generated by hand. Files encrypted on a computer can have any name, any file extension, and can even be "hidden" inside other files. (See: http://en.wikipedia.org/wiki/Steganography) So, suppose in the earlier bank robbery illustration, the felon had a file on his computer called "file.dat." The contents of the file are the hex string used above. Does the file really even have a fixed meaning unless it contains text in some spoken language? Given the potential mentioned in your article for investigators to seize a computer, make a perfect copy of the contents, and spend months or years analyzing/searching its contents, surely they could find whatever they were looking for--whether with bad intentions or not. (See: http://en.wikipedia.org/wiki/Bible_code#Criticism) This isn't really a problem in the pre-computer era because a prosecutor only has a limited number of papers lying around in the suspect's home. Except in highly unusual circumstances, a prosecutor would have a very hard time convincing a jury that a handwritten note in English has a secret meaning. But, bring in a computer expert who testifies that using a "forensic search" with a "decryption algorithm" they found a file on the suspect's computer detailing his plans, well, I think the jury might buy that.

I find in myself an interesting conflict between a strong idealogical commitment to protecting the people from an overly intrusive government abusing 4th Amendment rights (whether from a lack of warrants or a system that allows over broad warrants) and my interest in becoming a prosecutor and putting the bad guys in jail--even the computer savvy ones.
1.24.2007 9:01pm
U.Va. 1L:
Oops...my example of the bank robbery note in the computer era should have encrypted the phrase "Fred will enter the bank and empty the vault while I empty the cash registers" and not the secret code version of the note used in the pre-computer era illustration. I trust my point was not lost in the process.
1.24.2007 9:03pm
Gaius Obvious (mail):
I've always been taught and have always accepted that an e-mail is like a postcard, where the text is openly visible to the carrier, but protected, albeit minimally, at the sending and receiving end in the post box.
1.24.2007 9:56pm
OrinKerr:
UVA1L,

For an incredibly persuasive analysis of encryption's role in the Fourth Amendment, I highly recommend this outstanding law review article: The Fourth Amendment in Cyberspace: Can Encryption Create a Reasonable Expectation of Privacy?

As for cordless phones, the rationale is that the interception of cordless calls merely passively intercepts sigtnals in the air. In 1994, Congress made the issue moot by protecting cordless call far more strongly by statute than the Fourth Amendment could by constutional rule.
1.24.2007 10:25pm
18 USC 1030 (mail):
Gaius,

Why would you not view an email like a letter where "envelope information" (sender, receiver, time, etc) is public and contents are "Private"?
1.24.2007 11:26pm
Gaius Obvious (mail):
Why would you not view an email like a letter where "envelope information" (sender, receiver, time, etc) is public and contents are "Private"?

I would say that is true for any e-mail where the content is encrypted. But that's not the case in most e-mails. Any intercept of a non-encrypted e-mail's externals will provide you with the message internals with no additional effort. Same as a postcard.

If you want a wrapper like a first-class envelope, you should encrypt the message.
1.25.2007 12:54am
U.Va. 1L:
Orin,

Thanks for the link to the article.
1.25.2007 1:16am
18 USC 1030 (mail):
Gaius,

I could be wrong, but I'm pretty sure that that envelope information or header information (senders, recipients, subject, time)is not protected to the same degree that content is. Encryption I don't think matters as the courts have not accepted the argument that encryption creates a reasonable expectation of privacy--if anything it may do just the opposite: create a presumption that someone will try to decrypt it because of the fact that it is encrypted...it looks important.
1.25.2007 3:56am
New World Dan (www):
U.Va. 1L:,

Orin's paper on the 4th amendment and encryption covers the subject very well, though I wish more attention had been devoted to the subject of key escrow, which Congress seems to look at every 3 years or so. Absent a key escrow scheme, compelled revealing of an encryption key would certainly be a 5th amendment problem.

18 USC 1030 and Gaius,

Email (encrypted or not) should (from a technical level) be viewed as far less private than a post card. There are a number of laws regulating postal mail and the expectations there are well understood. With an email, unless you control the network end to end, you really have no guarantee what path it will take at the server level or the transport level. You don't know if it will leave and reenter the country. Heck, at the transport level, each packet might take a different path from A to B. Further complicated is the lack of a definition of what constitutes "email". Often, email is meant to pertain to RFC 733 and its derivitives. Some might also look at IM as a form of email. Many laws only refer to 'electronic communication'.
1.25.2007 11:21am
18 USC 1030 (mail):
NWD: what about the fact that telephones are now switched (mostly) on packet switched ntworks; not the original mechanical switched networks? Theoretically these networks can be monitored as easily as computer networks, should telephones no longer be protected because of the technology? But they always have been protected: do we say sorry Mr. Homeowner your phone is now so great, so technologically advanced that you no longer have a reasonable expectation of privacy on that phone? Or do we say well the technology has changed but obviously one still has a reasonable expectation of privacy on the phone? If we extend it to phones, why not extend to email?

This is the problem with viewing them as different; telephones and computers are growing ever-more similar.
1.25.2007 1:12pm
Toby:

Why would you not view an email like a letter where "envelope information" (sender, receiver, time, etc) is public and contents are "Private"?

If your ISP is doing SPAM protection, they are reading the private contents to look for pattersn, often across recipients.

And where does GMAIL sit, which reads the contents and produces advertising.
1.25.2007 3:23pm
Splunge (mail):
If your ISP is doing SPAM protection, they are reading the private contents to look for pattersn, often across recipients.

Well, no, they -- meaning some human eyes -- are not. Some computer programs are. According to Professor Kerr, that means the ISP isn't violating your privacy, because no human eyes are reading what you wrote. I believe Kerr says elsewhere, if I'm remembering correctly, that a "search" only takes place when the information is presented to human eyes.

Here's an example with the reg'lar mail: suppose, in its effort to eliminate anthrax scares, the Post Office installs new equipment that shines a strong light through each letter, so that the interior contents (including what you wrote) are visible to a camera lens. A computer program then analyzes the image and, by recognizing letters and words, determines whether what's inside the envelope is indeed a letter or not. If not, presumably the envelope goes for some further, legal, testing...

Leaving aside whether such a crazy scheme is useful for detecting anthrax letters, could it be said that the widget violates your privacy because a computer program is scanning your letter to see if it contains words? In principle, it's "reading" your letter, after all...
1.25.2007 4:43pm
New World Dan (www):
18 USC 1030,


This is the problem with viewing them as different; telephones and computers are growing ever-more similar.


I don't view them as different. I view them in terms of the technology at the most fundamental level, which is how this whole ruckus came about, I suppose. :) A packet on a netowork is just that. Whether it's carrying a phone call, email, or this post, it shouldn't matter in the eyes of the law. When you take technology and reduce it down to it's fundamental level you get very few scenarios which should be easy to resolve. You get a packet on a network, a voltage on a pair of wires, a signal over the air, and a physical state of a location on a disk.
1.25.2007 5:27pm
18 USC 1030 (mail):
Exactly! so does this mean that telephone conversations which have forever been protected should no longer be protected because the telephone networks have gotten "too good"? I think that would be a dangerous path to travel down. This is why the old rules don't work. They are not easily applied to what we have now. And yes, there is a difference between packet switching and mechanical switching.
1.25.2007 7:34pm