pageok
pageok
pageok
Fourth Amendment Rights in Files Stored on Password-Protected Websites:
Does a user have a reasonable expectation of privacy in their files — including images of child pornography — posted on a password-protected website? In a decision handed down last week, Judge Stearns of the U.S. District Court for the District of Massachusetts concluded that the answer is "yes." At the same time, Judge Stearns refused to suppress the evidence in the particular case, finding that its collection was the fruits of a private search by a tipster. The case is United States v. D'Andrea.

  Unfortunately, the facts of the case are pretty gruesome, so here is a very brief version. The Massachusetts Department of Social Services received a call from a person reporting that another couple was molesting their 8-year old daughter and putting pictures of the molestation on a password-protected Sprint PCS website. The caller indicated that she was an ex-girlfriend of the man involved, and she told the officials the username and password of the website to access the pictures. A DSS official entered the username and password, accessed the website, and confirmed that images of the molestation were present. The official contacted the police, and the police obtained a warrant to search the couple's home. The woman was home when the warrant was executed; she was taken into custody and confessed to the crime. When charges were brought, both the man and the woman moved to suppress the images and the confession on the ground that they had a reasonable expectation of privacy in the stored files in the account and that the government access to the account without a warrant had violated the Fourth Amendment.

  In his opinion, Judge Stearns first concludes that a person has a reasonable expectation of privacy in the contents of files stored on password-protected websites. Judge Stearns relies on two authorities. The first authority is Professor LaFave's treatise:
Professor Warren [sic] LaFave, a preeminent authority on the Fourth Amendment, argues that a person who avails herself of a website’s password protection should be able to claim a reasonable expectation of privacy in the site’s contents. Professor LaFave makes the point that while a service provider has a need to access information regarding the identity of a site holder and the volume and extent of her usage, it has no legitimate reason to inspect the actual contents of the site, anymore than the postal service has a legitimate interest in reading the contents of first class mail, or a telephone company has a legitimate interest in listening to a customer’s conversations. “Reliance on protections such [as] individual computer accounts, password protection, and perhaps encryption of data should be no less reasonable than reliance upon locks, bolts, and burglar alarms, even though each form of protection is penetrable.”13 LaFave, 1 Search and Seizure § 2.6 at 721 (4th ed. 2006).
  Judge Stearns also relies heavily on the Sixth Circuit's Warshak case, quoting from it extensively.

  But having concluded that there is a reasonable expectation of privacy in password-protected websites, Judge Stearns then seems to reduce that entire discussion to dicta: he concludes that the defendant's Fourth Amendment rights weren't violated because the government officials that accessed the website merely reconstructed the private search of the anonymous caller.
This argument fails for the simple reason that [the government official] intruded no further into defendants’ zone of privacy than did the anonymous caller. Where a private party, acting on his or her own, searches a closed container, a subsequent warrantless search of the same container by government officials does not further burden the owner’s already frustrated expectation of privacy. United States v. Jacobsen, 466 U.S. 109, 117 (1984). “The additional invasions of [a defendant’s] privacy by the Government agent must be tested by the degree to which they exceeded the scope of the private search.” Id. at 115. Moreover, where an expectation of privacy in an item has been effectively destroyed by a private search, police do not violate the Fourth Amendment by examining the same item more thoroughly or with greater intensity so long as they do not “significantly expand” upon or “change the nature” of the underlying private search. United States v. Runyan, 275 F.3d 449, 464-465 (5th Cir. 2001).
  Judge Stearns then concludes that either the man or the woman must have given the password to the caller. True, both the man and the woman denied giving out the password. But Judge Stearns concludes in fn 17 that this must be false; there's no other way the caller could have learned the password without the man or woman giving it to her. So having given the password to the caller - at least according to Judge Stearns — the defendants had "assumed the risk" that she would access the account and tell the police about what she saw:
At day’s end, this case falls clearly into the “assumption of the risk” exception identified in Warshak and Supreme Court precedent. “It is well-settled that when an individual reveals private information to another, he assumes the risk that his confidant will reveal that information to the authorities, and if that occurs the Fourth Amendment does not prohibit governmental use of that information.” Jacobsen, 466 U.S. at 117. See also United States v. Maxwell, 45 M.J. 406, 419 (C.A.A.F. 1996) (the sender of an email runs the risk that its recipient will publish its contents). Thus, even granting defendants a reasonable expectation of privacy in the graphic website images of Jane Doe, by sharing the website access information with the anonymous caller, defendants took the risk that their right to privacy in the website’s contents could be compromised.
  Hmm, I'm not sure what I think of this case — either on the first section granting Fourth Amendment protection or the second part taking it away.
Rich B. (mail):
it would be helpful to know who registered the account, whether placing child porn on the account violates the terms of service, what the website's practices were, and more generally what the terms of service were.



Let's assume that the terms of service generally prohibit doing illegal stuff, is that enough to remove a reasonable expectation of privacy? Most things in life have implicit or explicit "terms of service" that prohibit doing ilegal stuff. Hinging a decision on these grounds essentially means that you have a reasonable right to privacy, as long as you are not doing anything illegal, sort of eviscerates the right.




Given the lack of evidence that the Social Services official merely reconstructed the private search, I'm skeptical that the private search doctrine permitted the initial search of the website without a warrant.


I'm not following this. Why is it relevant if the ex-girlfriend, who somehow obtained the password, looked at "file 1", saw it was kiddie porn, and then called the cops, rather than first looking at all files 1 through 500? The fact is that she could have seems like it should be enough. Should the cops have told the ex to go home, look at all the files, and then come back?
7.24.2007 11:45am
Brett Bellmore:
For my part, I'm dubious about the idea of circumventing warrant requirements by means of a "private" search by an anonymous tipster. Apparently not the case in this instance, but who's to say that police won't commit illegal searches, and then anonymously tip THEMSELVES off as to the result? How would we ever know?
7.24.2007 11:45am
OrinKerr:
Rich B,

I make the argument in the article linked to in the post, on the pages mentioned. That's my best response to your question.

Brett,

This is always a potential concern, but note that the tipster in this case is now known.
7.24.2007 11:49am
M.M. (mail):
This line of cases could result in the creation of a network of secret police.
7.24.2007 12:01pm
ATRGeek:
As is so often the case, I think the real problem here is the exclusionary rule, which tends to drive a lot of bad law in Fourth Amendment cases.

I agree the facts are not well-established, but I am inclined to assume that the facts are such that I would conclude the suspects did have a reasonable expectation of privacy. I also think the private-search/assumption of risk argument is factually dubious at best, but in any event I think the doctrine is flawed: I see no reason why the government officials in this case should not have been required to get a warrant based on the tipster's information before conducting their search. Similarly, I also see no reason for a special needs exception in such a case (ie, I also think social services officers should have to get warrants before they start conducting searches like this looking for evidence of child molestation).

So why aren't we requiring a warrant? Obviously because of the exclusionary rule: we don't want such bad people to go unpunished. As always, that makes me think we should dump the exclusionary rule, and instead have a direct remedy against the government officials for conducting a warrantless search.
7.24.2007 12:07pm
tmittz:
Would the special need in this case be protecting the child? It seems like that could end up being an exception that swallows the rule with respect to child pornography/molestation/abuse cases, depending on how stringently the courts apply it.
7.24.2007 12:09pm
OrinKerr:
tmittz,

Yes, it would. Here a Social Services official was trying to catch ongoing child molestation, and received a tip that clear evidence of the molestation was on the website. To the extent the access was a "search" it was not a very invasive one relative to a home invasion. True, the official could have contacted the police and asked them to obtain a warrant to obtain the contents of the account. But the fact that it was possible doesn't make it mandatory.
7.24.2007 12:20pm
BruceM (mail) (www):
Why would someone password protect and/or encrypt digital information other than to keep it private? So long as they keep the password private, they should have a reasonable expectation of privacy. I don't think that's even reasonably debatable. But if they give the password to one or two or three people, does that negate the reasonable expecation of privacy (REOP)? I don't think so. Even if they had given out the password to someone, telling them to keep it secret and not tell anyone else, that should not eviscerate the REOP.

However, I think the court was right here. By giving out the password (assuming they did), they assumed the risk that any illegal content would be given to the authorities.

I have not read the case, but I'd be curious to know whether the password was easily guessible. Was it "password" or "porn" or "12345" or something like that? Or was it something hard and impossible to guess like "zDfi23df31if3%99d9fswMJsFdkjwog!$@df"?

Regardless, much like the drug exeption to the 4th Amendment, we have now created a de facto 'kiddie porn' exception to the 4th Amendment. So, these people would have been convicted no matter what reason the court came up with.
7.24.2007 12:22pm
OrinKerr:
BruceM,

Actually, I think you're wrong about encryption: see here.

You're also wrong about a drug or kiddie porn exception to the Fourth Amendment. The Fourth Amendment has always been closely tied to contraband cases, starting with the prohibition cases in the 1920s. But I think it's hard to find a consistently different treatment of the cases based on the subject matter (as satisfying as it may be to proclaim).
7.24.2007 12:28pm
Wintermute (mail) (www):
Clay platter. If a private citizen violates your privacy, that makes it OK for the government then to.
7.24.2007 12:29pm
Justin (mail):
"So why aren't we requiring a warrant? Obviously because of the exclusionary rule: we don't want such bad people to go unpunished. As always, that makes me think we should dump the exclusionary rule"

Would you support a middle ground - an inevitable discovery rule and/or a good-faith exception that applies to the exclusionary rule but not to private damages (at least as to inevitable discovery, as good-faith does apply to private damages)?
7.24.2007 12:52pm
Justin (mail):
I'll just chime in and say as to BruceM's first paragraph, he's wrong in a positive manner, but not in a normative one. I've posted on that topic previously, BruceM, so if you want to search Volokh (via Google), you can read more on that dispute.
7.24.2007 12:53pm
Rich B. (mail):


I make the argument in the article linked to in the post, on the pages mentioned. That's my best response to your question.


Thank you. I read the relevant pages, and it appears to me that you have engaged in an odd form of double-think to reach your conclusion.

You essentially examine two binary questions:

1. "Virtual file" versus "storage device" (Casey v. Runyon). You choose "virtual file."

2. "Virtual file" versus "exposed data." You choose "exposed data" on the grounds that "virtual file" is essentially a contingent and meaningless concept, and you go on to explain why.

While your argument in (2) is pursuasive, I intuitively used to it to answer (1) differently. Since the "files" are merely designations, with no guarantee that everything is in a file, and even for things in files, they are only "virtual" files, not "real files," it seems to me that looking at separate "files" as relevant units in question one is legally suspect, and Runyan was correctly decided.

You are looking at a big warehouse, with different items having different post-it notes on them saying "John's Kiddie Porn" and "Steve's Accounting Fraud" and assuming that each post-it note is really a locked box. As you explain in (2), that assumption doesn't make sense.
7.24.2007 12:59pm
ATRGeek:
Orin,

You wrote: "True, the official could have contacted the police and asked them to obtain a warrant to obtain the contents of the account. But the fact that it was possible doesn't make it mandatory."

OK, but the general rule for criminal law enforcement searches is that they require a warrant unless they fall within one of the recognized exceptions. So, I do think it is fair to ask why there should be an exception in this case, if it was possible for the government officials to get a warrant.
7.24.2007 1:02pm
Justin (mail):
BTW, I agree mostly with everything Orin has said, except maybe in the first paragraph below the fold, and even then I'm still not sure.

But maybe Judge Sterns could have protected the confession in a different way. Even without the violation, we still have the following facts in play:

" The Massachusetts Department of Social Services received a call from a person reporting that another couple was molesting their 8-year old daughter and putting pictures of the molestation on a password-protected Sprint PCS website. The caller indicated that she was an ex-girlfriend of the man involved. . . . "

Thus, the warrant was still based on sufficient facts to reach probable cause for the issued warrant, even throwing out the police's confirmation, no? Though the pictures themselves might have to be suppressed, absent inevitable discovery, but would the confession? Maybe there's an argument that they wouldn't have gotten the confession if they didn't get confirmation of the photos, but without reading the opinion (and I don't fancy so doing given the nature of the facts), I can't really say that just because some of the evidence is tainted, all of it is?

Also, if I am right and the warrant was still based on sufficient probable cause, could the pictures come back in under inevitable discovery doctrine?

PS - Can the Second Circuit affirm based on its own factual findings, either here or for "special needs"? Or would the court need to apply a harmless error standard?
7.24.2007 1:03pm
Brett Bellmore:
"always, that makes me think we should dump the exclusionary rule, and instead have a direct remedy against the government officials for conducting a warrantless search."

But the reason the exclusionary rule was adopted in the first place, is that prosecutorial discretion and lack of sympathy for guilty victims of illegal searches assures that the remedy will never actually be implemented. How do you plan to get around that?
7.24.2007 1:06pm
John Armstrong (mail) (www):
Okay, let's take the judge's words at face value: passwords are directly analogous to locks and keys.

Now the analogy in question reads: An anonymous letter with a house key enclosed is sent to the police by someone claiming to be an ex-girlfriend of the homeowner. Presumably, the enclosed key was given to the writer by the homeowner during said relationship, and was never recovered, nor were the house's locks changed.

The writer claims that there is a stash of child pornography in plain view once inside the house, and this key will allow the police inside the house to see it.

Note especially that there is no way to verify the writer's story regarding the key. In particular, it is just as likely that the writer stole a key or illicitly obtained a duplicate in order to rob the house in question, and discovered the pornography in the process.

Now, on this basis can the police use this key to open the house while the homeowner is away and see what is in plain view inside?

IANAL, but I think I know enough about the Fourth Amendment to know the answer to this one, and shame on the judge for not knowing it.
7.24.2007 1:07pm
ATRGeek:
Justin,

I'm not quite sure I understand your proposal. What I would have in mind is no special exclusionary rule at all, so no need for exceptions like inevitable discovery and good faith. I'd also favor strong administrative remedies and statutory private damage actions. I'm not sure how to compromise on all that, and I think the exclusionary rule is so fundamentally flawed that it makes little sense to try to preserve it.
7.24.2007 1:11pm
Justin (mail):
ATR,

Obviously I wasn't asking you whether you agreed with your own proposal, but whether you would find more limited proposals acceptable to remedying the concerns one would have by eliminating the "teeth" of the Fourth Amendment.

What I am saying is that when a government agent mistakenly, but innocently, believes he doesn't need a warrant, and it turns out he did, but there was probable cause anyway, would you be okay with (instead of your full proposal) then eliminating the exclusionary rule? Alternatively, would you be okay (and not going to your full proposal) with using Saucier v. Katz analysis?
7.24.2007 1:16pm
abb3w:
Let me suggest a functional argument why passwords should create a reasonable expectation of privacy. If they are thus treated, then a social mechanism (such as a warrant) may still allow for them to be bypassed and yet be admissible for criminal proceedings; and, even if such implementation is flawed, there is still social good that can come out of it — somehow, regardless of the outcome of the criminal case, as a civil matter I'd bet the abusers will not be allowed to retain custody of the kid!

On the other hand, if a "reasonable expectation of privacy" is only presumed when strong (EG, 65536-bit GPG) encryption is used, this will expand the use of a technological privacy mechanism where the social mechanism to bypass is moot, because the technical capacity is not possible. It would be like a judge issuing a search warrant for the inspection of a suspect's immortal soul — reasonable expectation of privacy be damned, it's moot because that just can't be done.

On the gripping hand, I'd agree that the judge's presumption that there was no other way the login and password could have been obtained is technically very, very bad. I'd hope for a reversal due to the lack of factual hearing.

(I'll also note in passing that many sites make sharing of your account name and password a violation of the TOS; if the TOS were already breached by the user, they may be largely moot. As a computer geek, I've flat out told users that they should be more reluctant to share their account passwords than an unlimited power of attorney.)
7.24.2007 1:17pm
ATRGeek:
Brett,

First, I don't think the exclusionary rule effectively deals with that problem.

Second, I don't believe it is impossible to craft enforceable direct remedies. Prosecutorial discretion is a problem only if you assume a criminal remedy. An alternative would be to give private parties various administrative and civil remedies, and I would suggest not having those remedies subject to jury trials.

Whether the political will for such measures exists is a different question.
7.24.2007 1:18pm
OrinKerr:
Rich B,

I don't uderstand your position. Your view is that if a person enters a warehouse with millions of locked boxes, he has "searched" all of the the locked boxes upon entering the warehouse. That's the Runyan position. My view is that a person searches only that which actually opens; you don't open all of the contents of a warehouse when you merely enter a part of it. Why is my position "an odd form of doublethink"?

ATRGeek:

No, that's wrong (or alternatively, the private search doctrine is just an exception to the warrant requirement -- take your pick). Also, I'm curious: I thought you were a pure textualist in the Fourth Amedment context, and that you didn't consider precedents as part of the real Fourth Amendment. Where do you find your rule in the text?
7.24.2007 1:24pm
preL (mail):
I may be off here by making this comparison(I'm starting law school in a month, so don't know much) : what happens is person A (homeowner) gives person B (friend/neighbor) a key to their home. Person B knows contraband (drugs/child porn/weapons) is in the house, does person B have the right to give police access to the house and the evidence?
7.24.2007 1:25pm
nedu (mail):
In footnote 17, the judge reaches a factually incorrect conclusion:
D’Andrea states in her affidavit that she never gave the password to anyone and that she “thought” the same was true of Jordan. Jordan states in his affidavit that he never “voluntarily” gave the website information to anyone else. As the government persuasively argues, the “anonymous” caller could have learned the information from no one other than one (or both) of the defendants.


Compare this footnote with the CERT Coordination Center's statement of “Commonly Exploited Configuration Problems”. Note that CERT begins their list with:

1 Weak Passwords
2 Accounts with default passwords
3 Reusable passwords


Further, for Mozilla, Firefox and Safari users (all platforms) please note the recent widely-publicized discussion of a vulnerability in password manager which may lead to compromise of stored passwords. Note that this vulnerability is currently unpatched, although the risk is somewhat limited and there are known work-arounds.

The government's argument that the anonymous caller could have learned the defendant's password only from the defendants is just plain wrong. Further, anyone even vaguely familiar with well-known problems in computer security should have known better.

That said, I'm not sure this clear error disturbs the decision.
7.24.2007 1:26pm
ATRGeek:
Justin,

In general, without knowing why I am being forced to negotiate, it is a bit hard for me to do anything but explain what I would think about the proposal. In other words, whether I would find a given proposal "acceptable" or "okay" depends on what my alternatives might be.

Anyway, one of the reasons I don't like the exclusionary rule is that it makes liars out of the police. So, your proposed good faith exception is not very palatable to me, insofar as it is limited to cases where the officer claims something about his subjective state of mind.

I'm not clear on your proposed use of Saucier. Would the idea be to limit the exclusionary rule to cases where the police would not be entitled to qualified immunity? I guess that would help limit the exclusionary rule to cases where it is more plausible the police would be incentivized by the exclusionary rule, but again I don't really think that sort of exclusionary rule is going to be effective, and it would still encourage lying about the facts.
7.24.2007 1:32pm
Justin (mail):
"Person B knows contraband (drugs/child porn/weapons) is in the house, does person B have the right to give police access to the house and the evidence?"

IIRC, from the most recent SCOTUS answer on the topic, the answer is "yes, unless the Police have reason to believe that Person A does not consent to the search. Not sure without researching whether that answer can be implied from the consent by person A. The case involved a situation where the officers directly asked consent and got competing answers, and turned on whether the right to exclude trumped the right to allow vis a vis JT/TIC, IIRC.
7.24.2007 1:33pm
Justin (mail):
ATRGeek,

Out of curiosity, why do you think abandoning the exclusionary rule will both provide some defense of the Fourth Amendment AND stop the police from lying? If the police are actually concerned about the effects of violating the Fourth Amendment, they'll still lie, only the lie wouldn't be necessary to avoid exclusion - just to avoid civil damages. If the police are not concerned about the effects of violating the Fourth Amendment, then why have it at all?

It seems your solution is still dependant on either 1) an effective enforcement regime, or 2) the good faith of the officer. I don't get how you can reduce lying without at least a corresponding reduction in bald-face violating the Constitution. Either they'll still do it, and then continue to lie, or they'll still do it and be honest about it, and suffer no reprecussions anyway. But there seems to be nothing that *penalizes* lying in any way that doesn't also abandon any serious effort to enforce the Fourth Amendment at all.
7.24.2007 1:39pm
preL (mail):
I guess the question (assuming the password was given out) for me is: what is the level of expected privacy on a publicly accessible, but password protected website, given that the password has been distributed?

And we have no idea what this ex-girlfriend's story on the password is?
7.24.2007 1:45pm
Rich B. (mail):

I don't uderstand your position. Your view is that if a person enters a warehouse with millions of locked boxes, he has "searched" all of the the locked boxes upon entering the warehouse. That's the Runyan position. My view is that a person searches only that which actually opens; you don't open all of the contents of a warehouse when you merely enter a part of it. Why is my position "an odd form of doublethink"?


But you are positing the "millions of locked boxes." A password protection is a single lock that let's you in. You are calling each separate file a separate locked box, even though it is only even a "box" at all (locked or otherwise) if you look at the data a certain way. If you look at it a different way, it is just data that is sitting next to other data, out in the open fields of the hard-drive. Thus, my reference to "post-it notes". Just because you have written on something "This is a file, and distinct from all other items on this hard drive" doesn't make it so.

The "doublethink" comes in agreeing with Casey's "Virtual File" position -- that such a concept is legally defensible -- when placed against Runyan, when you subsequently argue that the concept of a "virtual file" is essentially meaningless.
7.24.2007 1:46pm
Orielbean (mail):
Nedu, technical expertise aside, you have to be fairly sophisticated to crack both a login &password if you don't know the person in question. I will put money down that Willie had the same login &pw for most of his browsing, and that the tipster had the same info herself from their time together. Most of the couples I know that are not super tech savvy know each other's login/pw. A simple check of Sprint's logs of that account's login activity would show a brute force attack, and a check of Jordan's machine could uncover a keylogger trojan or the compromised PW manager. I'm not convinced it was anything other than Willie just using the same info over the years and the tipster putting 2 &2 together when she thought something was fishy with the pictures.

The real issue here - if the user doesn't care enough about security to change his login/pw more than once a month, should his privacy be protected. Here we can use the analogy of the person who doesn't re-key their door lock once a month. The analogy of someone mailing in a key to the apartment and a note saying "kiddie porn on the kitchen table" is a little more apt. It's up to you lawyers to sort out if that remains to be a REOP.
7.24.2007 1:46pm
ATRGeek:
Orin,

You don't do yourself any credit by trying your hand at strawman arguments. I never claimed to be a "pure textualist in the Fourth Ame[n]dment context", and I am not even sure what that means. And I definitely do not understand what you mean by the claim "you didn't consider precedents as part of the real Fourth Amendment."

The textual grounding for a general warrant requirement in law enforcement searches is in the reasonableness clause. Of course, grounded in that way, there is also room for reasonable exceptions, such as exigent circumstances where probable cause exists but getting a warrant would be impracticable.

As for the private search doctrine: it is one thing if the private person conducts the search and then hands the evidence to the government official. In such a case, the government cannot reasonably be expected to put the evidence back where it was found and go get a warrant. But it is another thing where a private person conducts a search and then tells the government official what they would find if they conducted a similar search. In such a case, I see no reason not to require the government to first get a warrant before conducting its own search.

Again, textually I would ground all that in the reasonableness requirement of the Fourth Amendment.
7.24.2007 1:48pm
ATRGeek:
Justin,

I might agree if we assumed that exclusionary rule left the boundaries of Fourth Amendment rights untouched. Unfortunately, I think it has not: what has happened instead is a systematic weakening of Fourth Amendment rights through ever-expanding exceptions, largely because the remedy (bad people going unpunished) is too extreme for many to tolerate. It is these exceptions which generally give the police an ever-increasing incentive to lie such that their conduct will fall within one of the exceptions.

In contrast, I believe that if we did not have the exclusionary rule, we would tolerate fewer exceptions. That would give government officials less to lie about. For example, the fewer categories of exceptions we tolerate to the warrant requirement, the fewer cases in which the government official can plausibly lie in order to get around the warrant requirement, because whether or not they got a warrant will be pretty straightforward, and the fewer exceptions to the requirement the fewer the cases which might plausibly fall into an exception.

I admit, though, that all this is predicated on the notion that in the end we would end up accepting fewer limitations and exceptions with respect to Fourth Amendment rights if the remedy was administrative or a civil action, rather than the exclusionary rule. That is a hard proposition to test, but I personally think it is pretty likely to be true.
7.24.2007 2:03pm
OrinKerr:
Rich B,

Yes, I am equating individual files as individual boxes. Note that for Fourth Amendment purposes whether a box is "locked" is generally irrelevant. The question is whether the box is open or closed.

ATRGeek,

It's hard to discuss the law with you, as you repeatedly switch between what the law is and your theory of what the law should be. If your interest is in existing law, however, your argument was rejected by the Supreme Court in United States v. Jacobsen, 466 US 109, 117-18 (1984). On the other hand, if your interest is in your theory of what the law should be, I have no response.
7.24.2007 2:23pm
OrinKerr:
Rich B,

Yes, I am equating individual files as individual boxes. Note that for Fourth Amendment purposes whether a box is "locked" is generally irrelevant. The question is whether the box is open or closed.

ATRGeek,

It's hard to discuss the law with you, as you repeatedly switch between what the law is and your theory of what the law should be. If your interest is in existing law, however, your argument was rejected by the Supreme Court in United States v. Jacobsen, 466 US 109, 117-18 (1984). On the other hand, if your interest is in your theory of what the law should be, I have no response.
7.24.2007 2:23pm
Justin (mail):
"I admit, though, that all this is predicated on the notion that in the end we would end up accepting fewer limitations and exceptions with respect to Fourth Amendment rights if the remedy was administrative or a civil action, rather than the exclusionary rule. That is a hard proposition to test, but I personally think it is pretty likely to be true."

I'm far less certain that your empirical claim is true, but there certainly is the possibility of so researching.
7.24.2007 2:33pm
Rich B. (mail):

Yes, I am equating individual files as individual boxes.


But you subsequently discuss a computer with the "first page of a hundred page document on the screen" and ask if the police can scroll down. Here we have an obviously "open box" in the sense that we have an open file, and a file is a box. But you now reject the "individual box" metaphor, claiming that "the distinction between files and data . . . is tremendously important." Suddenly, we do not care that the 100 page document is all part of the same "file," you ask "if the law is keyed to files, how can it apply to information not stored in a file?"

You treat the file like a wall that only works in one direction. It is a border that stops the police who see one file from looking at other files, but from the inside it's not a proper border at all, since they are "contingent creations" and not all data is even in a file.

So, in your analysis, the "file" designation can be used to shrink the information that can be searched (You can't go there! It's another file!), but never to expand it (Hey, it was all in the same file, so what's the big deal?)

I think that a "File" must either be a revelant designation, or it is not. If it is an "open box", then I can see everything there is in the box. If it is a "contingent creation" without legal significance, then the fact that the data I find is in a different "file" from the data I am legally examining shouldn't make a difference.
7.24.2007 3:25pm
OrinKerr:
Rich B.,

In 99% of the cases, as in the D'Andrea case here, the files and the data are exactly the same. That is, the files and data are both visual images. In my paper, I address this most common case first. I conclude that as between physical device and a file/data approach, i recommend the file/data aproach. I call it the file approach because that's what the cases call it, but really it's both a file and data approach because they are the same in that common setting.

In the paper, I then consider the very rare case when the file and data are not the same, such as a case involving a long word processing document. I conclude that in that rare case, the data-based approach would be better than a file-based approach. In the D'Andrea case, we're in the common category of file=data. Given that, I don't know why I'm being incoherent by suggesting that this approach is better than the physical device approach. The key issue is the facts, not the label that you apply to the facts, and I think I'm being consistent on that basis.
7.24.2007 3:45pm
Rich B. (mail):

In 99% of the cases, as in the D'Andrea case here, the files and the data are exactly the same.


Yes, if you look at it one way. But, it's kind of like asking whether you need a search warrant to get into a house in a Potempkin village. You might need a warrant to go through the front door, but if you go around back, it's all in "plain view."

The Casey court concluded that a warrant that gave the scientist the right to search for "names, telephone numbers, ledger receipts, addresses, and other documentary evidence pertaining to the sale and distribution of controlled substances" did not give him to right to search jpegs.

But the opinion assumes that the search is going file-by-file through the computer (which is this case, granted, it was), and making law based on that assumption.

The court essentially mandates a search system that utilizes the contingent file names created by the user. But, that's only one way of searching. Saying that the data and the file are co-extensive is putting the rabbit into the hat.
7.24.2007 4:34pm
Jay Myers:
OrinKerr:

Actually, I think you're wrong about encryption: see here.

I agree that he is wrong about encryption, but one of the issues here is password protection, which is intended to bar access rather than understanding. If I put a padlock on a shed then I obviously intend to keep the contents private.

I don't think the TOS is germane. The provider may have the right to pass on evidence of crimes to the authorities but that isn't what happened here. I seriously doubt that the TOS says that third parties have the right to access the account in the event that the terms are violated.

A harder question is whether what the social worker did amounts to a recreation of the girlfriend's search. If I mail the cops the key to a house and state that evidence of a crime is in plain sight, that doesn't mean that I obtained my information through such a search.

In many states the Fourth Amendment exclusionary rule is inapplicable to civil child protection proceedings. However I can't imagine that a court would allow evidence gathered in violation of the Fourth Amendment during the course of a child protective services investigation to be used in a criminal proceeding against the parents.
7.24.2007 5:18pm
Kelvin McCabe:
I think I would have to agree with Prof. Lafave's common sense analogy. If digital password/encryption is the computer equivalent of a lock on say a rented public storage locker, why shouldnt we treat the act of placing the lock on as a sign that the owner has exhibited an expectation of privacy that society would think is reasonable?

The fact that the storage locker contained stacks of child porn or a dead body should make no difference to the initial question of whether the expectation of privacy is one that society would deem reasonable, and isnt that the relevant question? I can see why this case is kinda tricky, because the defendants apparantly uploaded photos to a website, as opposed to merely retaining files on their own computer hard drive. At the same time, its not like the couple created a webpage at geocities that anybody and everybody could access, so the attempt at privacy, via the password, should be construed for what it was- notice to the outside world that you are not welcome.

And i also agree with the commenter above that the initial government search exceeded the allowable non-governmental search doctrine. The ex could have accessed the website, printed the pictures out or saved them to a disk, and given them to the police or children services people to do with it as they wished. That would of been fine under the non-governmental search exception. Instead, the government through one investigative branch simply borrowed the "key" and accessed the contents, then sought the warrant via help from another investigative branch. The whole time they were looking for evidence of a (admittedly heinous) crime based on the tip.

And Orin's comment, that the Judge found an 'exception' to work to make sure the evidence got in and the people got what they deserved (paraphrasing here) is absolutely positively the most honest thing ive read in awhile, even though its based on pure speculation. Thank you for making the point that the criminal defense bar has been making for decades with regard to the whole 4th amendment nightmare! The charge, the crime, the age of the victim, number of victims, etc... should all be completely IRRELEVANT to the question of whether a fourth amendment violation has occurred, but often times, is the only relevant factor. As in the more drugs the police find, the more likely that a 4th amendment violation will be "excused" by one of the numerous exceptions, even if it takes a stretch of the legal imagination or the factual record to get there. THIS IS WHAT IS WRONG WITH THE SYSTEM! The Fourth Amendment is evidentiary in nature and should be content-blind. Assuming a 4th amend violation has occurred, the illegally seized evidence, whatever evidence, is ipso facto tainted. This goes for child porn, murder weapons, drugs, etc...

The ends do not justify the means- unless we are going to concede that some citizens are entitled to full constitutional rights while others, depending on the nature of the crime alleged, are not. Once you go down that road, you might as well roll up the bill of rights and smoke it because thats the only good you will get out of it.
7.24.2007 6:01pm
ATRGeek:
Orin,

You write: "It's hard to discuss the law with you, as you repeatedly switch between what the law is and your theory of what the law should be."

With all due respect, that is dichotomy not worthy of a 1L, let alone a law professor. Are you saying that it is impossible to argue that the Supreme Court got a constitutional case wrong? If someone says the Court got a constitutional case wrong, which are they doing: saying what the law is or theorizing about what the law should be?

For example, suppose I suggested that I find Justice White's opinion in Jacobsen more persuasive than the Court's (which, in fact, I do, since it makes the same argument that I already made, which you might suspect is not entirely coincidental). Now which am I doing when I say that Justice White's opinion is more persuasive--saying what the law is or theorizing about what the law should be?
7.24.2007 6:07pm
Dan Weber:
The ex could have accessed the website, printed the pictures out or saved them to a disk, and given them to the police or children services people to do with it as they wished.
I thought about that scenario, too.

But even if that occurred to the ex, she must've realized that getting copies of the child porn and passing them on could've opened her up to possible charges. After all, we've seen that justice isn't exactly calm and rational when child porn is involved, and she likely wanted to stay as far away from the blast radius as possible.
7.24.2007 6:41pm
nedu (mail):
The analogy of someone mailing in a key to the apartment and a note saying "kiddie porn on the kitchen table" is a little more apt.


Orielbean,

While the DoJ's interpretation of "access device" is very broad, I don't think their definition covers apartment keys. But the DoJ does think that "[a]ccess devices related to network crimes might include passwords". So your analogy to an apartment key breaks down when we consider that it's not outside the bounds of plausibility that the semi-anonymous informant may have been 18 U.S.C § 1029(a)(6) “without the authorization of the issuer of the access device [...]” (A) “offering an access device.” The sticking point with this analysis, though, is “with intent to defraud”. Did the semi-anonymous informant intend to falsely purport that she had authority to grant the DSS access to the computer system? If she did so falsely purport and intend to so purport, does that amount to “intent to defraud”? Even if it was, it may not matter because she was a private actor.

If, though, the semi-anonymous informant made it clear that the computer system was not under her control, then, should the DSS, a state actor, have been aware of M.G.L. Chapter 266: Section 120F.
The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users.


Otoh, I haven't really figured Massachusetts out yet. It seems that the state passes all sorts of laws, and then the people just sorta ignore all those laws and do what they feel like. So perhaps the DSS was justifiably ignorant of the notice.
7.24.2007 6:57pm
BruceM (mail) (www):
Orin: I think there is a difference between encrypted communication and encrypted data vis a vis reasonable expectations of privacy. Based solely on the abstract of your article (which I will read in full when I get a chance) it appears to be focused on encrypted conversation. Conversation involves giving out information (the essense of conversation). Keeping kiddie porn or terrorist plans or drug-making info encrypted on a hard drive is not communication (if it's on a public network and the password is given away so others can access it then it might become communication). I see a large distinction here.

As for my comment about drug and kiddie porn exceptions to the 4th amendment, let me pose this question: do you really think 4th amendment jurisprudence would be what it is today without the 'war on drugs'? The government cannot prevent its citizens from having leaves, powders, and pills hidden in their homes and pockets with limits on the ability to search and seize. As such, those limits have been eviscerated. To protect the children. And it's not just the 4th amendment. We just got a drug exception to the First amendment a few weeks ago.

We live in an age where politics of protecting TPC (the precious children) trumps all else, including "out-dated" rights that allow people to get away with hurting TPC. Saving TPC trumps the constitution 99 times out of 100. The one time it doesn't, either the court gets reversed or the law gets amended slightly and then upheld the next go around.
7.24.2007 7:30pm
OrinKerr:
ATRGeek,

My point is that normative and descriptive inquiries are simply different, not that the latter are illegitimate. I think that's a pretty simple point.

Listen, ATRGeek, I think I get your shtick. I'm sure it's fun to play, but I don't enjoy the insults. Perhaps it would be better if you commented elsewhere.
7.25.2007 5:02am
ATRGeek:
[Deleted by OK. ATRGeek, we've been debating on a number of threads, and I have consistently been put off by your attitude. It's true that I've been annoyed with you on this thread; it's because I remember your rather nasty and uncivil comments in your past comment threads. As I put it in my comment to you in our Al-Marri discussion, "You really are an uncharitable critic. You're quick to be nasty, and you don't apologize when you give a low blow ad hominem that's revealed as unfair. Ah, the advantages of anonymity." I realize that you think you have every right to be as harsh to me as you think is merited, and that you think I'm in the wrong rather than you. But I'm afraid that's not how it works at this blog. Given that, you really have two options: be polite and civil or else stop commenting. The choice is yours to make.]
7.25.2007 8:57am
ATRGeek:
[Deleted by OK. ATRGeek, let's discuss this one on one, either on the phone or using real e-mail addresses. If you prefer to use e-mail, my e-mail is okerr (at) law.gwu.edu.]
7.25.2007 2:29pm
ATRGeek:
[Deleted by OK. ATRGeek, let's discuss this one on one, either on the phone or using real e-mail addresses. If you prefer to use e-mail, my e-mail is okerr (at) law.gwu.edu.]
7.25.2007 2:32pm
arbitraryaardvark (mail) (www):
I'm thinking that the couple can't recover against the state in a Bivens or 1983 action, due to soveriegn immunity,and can't recover against the DFS employee on 4th Amendment grounds due to qualified immunity.
Is there any cause of action under Mass. law, either constitutional or statutory?

As to the facts, the ex-girlfriend probably had physical access to the computer and vicinity. Lots of people write sensitive passwords on sticky notes or otherwise leave clues to themselves, in places where they have a reasonable but mistaken expectation of privacy.
7.25.2007 5:32pm
Kelvin McCabe:
Or arbitrary, the guy uses the same password that he uses for his email, online bank account, or whatever. I know lots of people who use the same password for most everything, just because the sheer number of different passwords they have to keep a handle on is a lot. For example, im pretty sure i could gain access to an ex-g/f's email/online bank account/etc... password, only because she uses the same one for most everything she does. Does this mean that she implicitly gave me consent to access her bank account online? Her email? I would think not. (not that i would ever invade her privacy like that)

I guess im just agreeing with you and Orin that the judge's conclusion that the defendants must have voluntarily given the ex the password is very weak. Plenty of reasonable alternatives present themselves.
7.25.2007 7:34pm
OrinKerr:
ATRGeek, about once a year there is a commenter who just doesn't get the rules of the blog. The basic dynamic is always the same: the commenter insists that he hasn't gone over the line any more than someone else, and he just flatly refuses to acknowledge any error or fault. Dealing with commenters like that is the #1 headache about blogging; it's the kind of thing that tempts me to either stop blogging or just not permit comments.

In the last few weeks, and in this thread in particular, you have shown that you are one of those commenters. Based on what you have said, it's clear that you neither appreciate the fact that I put so much of my time into blogging or that your comments seem to be really bothering me. It just seems that you really don't care. I do this essentially for free, and it takes up a lot of my time; I don't know why I should have to put up with that;

Given that, and that fact that you aren't interested in contacting me one on one, I'm revoking your commenting privileges. If you would like to comment here again, send me the one-on-one message or phone call I requested. I hope you will; you're a smart guy when you decide to play nice, and your experience is helpful in these threads. But I would rather you not comment here at the Volokh Conspiracy if you're not going to play by the rules. I know you think this is unfair, but that just means that you can be unfair to me when you start your own blog and I leave the same kind of comments in your posts that you have been leaving in mine.
7.25.2007 7:41pm