pageok
pageok
pageok
Fourth Amendment Rights in Online Financial Accounts:
A district court in New Jersey recently decided a case involving law enforcement access to an online financial account. I couldn't find the case online, but the citation is Patel v. Hayman, Civ. No. 08-3586 (D.N.J. June 18, 2009), available at 2009 WL 1748964.

  The facts, as alleged in the pro se complaint:
Plaintiff alleges that certain of his family members have opened a brokerage account at Firstrade.com to secure his future. Plaintiff also maintains a "debit card" account at Rushcard.com. Plaintiff alleges that in March and April 2007, Defendant Special Investigations Division Investigator Valentine R. Dolce accessed Plaintiff's account information, through an Internet connection, without a warrant and without Plaintiff's permission. Plaintiff alleges that this action violated his Fourth Amendment right to be free from unreasonable searches.
  As I understand the allegation, the criminal investigator Dolce allegedly logged on to Patel's online financial account and viewed its contents. (It's not entirely clear if the allegation is as to the firsttrade.com account or the rushcard.com account or both, but potential standing issues aside, it's not clear it matters.) Did these facts, as alleged, violate the Fourth Amendment? Judge Pisano dismissed the complaint sua sponte on the ground that they did not:
  "A 'search' occurs when an expectation of privacy that society is prepared to consider reasonable is infringed ." U.S. v. Jacobsen, 466 U.S. 109, 113 (1984) (footnote and citations omitted).
  The Supreme Court has expressly held that a customer has no legitimate expectation of privacy in financial records held by a financial institution and, thus, that a government search of such records does not violate the Fourth Amendment. See United States v. Miller, 425 U.S. 435 (1976). Thus, Plaintiff fails to state a claim for unreasonable search under the Fourth Amendment.
  I can understand why Judge Pisano might have been eager to get rid of this complaint. It is a pro se prisoner lawsuit that seems entirely bogus, as it seems extremely unlikely that Dolce actually accessed Patel's account over the Internet (among other things, how would Patel know?). Still, to the extend I understand the alleged facts, I'm not sure the result is correct.

  The problem is that, as I have noted before, the general rule for Fourth Amendment searches is that privacy rights normally are determined by the way in which the information is obtained rather than whether the information obtained turns out to be private. This is relevant to Patel v. Hayman because the third-party doctrine cases like United States v. Miller (cited in Patel) involve asking a third party for information that had been disclosed to it. For example, Miller stands for the proposition that if the government asks a financial institution for its records, divulging the records of a particular account holder does not implicate the account holder's rights. The bank is merely disclosing what its employees know.

  But that doesn't mean that all financial records are always unprotected by the Fourth Amendment. If the bank sends you your bank statement in the mail, and you open the mail and put the statement on your desk at home, those financial records are just as protected by the Fourth Amendment as everything else in your home. What matters is that the home is protected, not that the records would not have been protected if the government had asked for them from the bank.

  In the case of Patel, then, whether the Fourth Amendment would have been implicated by getting Patel's records directly from the ban via a subpoena doesn't really answer whether the Fourth Amendment is implicated by accessing a password-protected account that contains the same information. That doesn't mean the result us necessarily wrong: I would want to know more about these accounts, what kind of information is stored in them, etc. But in my view, the mere fact that they are financial record accounts should not mean that the Fourth Amendment categorically does not apply to accessing them.
PLR:
Like most lawyers I'm all for hedging when information is not complete, but based on these facts I think it's a flat out Fourth Amendment violation.

This assumes the Fourth Amendment hasn't joined the Third Amednment in de facto quaint obsolescence, of course.
8.17.2009 12:29pm
PatHMV (mail) (www):
But if anything here, it would seem that the bank's 4th Amendment rights were violated, not Patel's. That was always my understanding of Miller, anyway. So Patel would not have standing to complain of an illegal search of the bank's records, just as he wouldn't have standing to complain if he left his bank statement at a friend's house, and the police illegally searched that friend's house and found the bank statement. The friend could raise the illegality of the search, but not Patel.

Am I missing something?
8.17.2009 12:35pm
karrde (mail) (www):
Curious thought.

Did officer Dolce access the information by impersonating Patel (using his login credentials without Patel's knowledge)? If it was the account opened by family members, did the officer impersonate one of them?

If so, how did the officer obtain those credentials? And is there legal action available against the company that owns the computer-service for letting the wrong people get access to the credentials?

If not, how did the officer access the information? And how did Patel know that the officer had accessed the information?

(If it was an investigation which was furthered by details of debit-card transactions, perhaps the information was found in the household trash, and not on a computer...)
8.17.2009 12:37pm
KenB (mail):
Depending on the facts, there may have been a violation of the federal Right to Financial Privacy Act (12 U.S.C. 3401, et seq.). In the 1980's, I represented banks and savings and loans. I was shocked at how the IRS in particular would misrepresent their authority to bank employees, trying to bypass the procedures of that act and thereby subjecting the bank to potential liability
8.17.2009 12:39pm
OrinKerr:
PLR writes:
Like most lawyers I'm all for hedging when information is not complete, but based on these facts I think it's a flat out Fourth Amendment violation.

This assumes the Fourth Amendment hasn't joined the Third Amednment in de facto quaint obsolescence, of course.
PLR, perhaps you could explain why? The term "flat out" suggests you think this is an easy question, and I am interested to find out why you think that.
8.17.2009 12:46pm
Waste93 (mail):
Not a lawyer, but I thought accessing someone else's account, even if you have their username and password, is a felony. As per the Federal anti hacking laws.
8.17.2009 12:48pm
einhverfr (mail) (www):
Waste93:

Not a lawyer, but I thought accessing someone else's account, even if you have their username and password, is a felony. As per the Federal anti hacking laws.


Depends on what "unauthorized access" to a computer system actually means. Having a password or not might not be dispositive and we might have to ask how the password was obtained. Furthermore anti-hacking laws vary between misdemeanors and felonies depending on a large number of factors (past convictions, intent, damage caused, etc).

For example, if I have your username and password, and your permission for me to access your information, it might be hard for a bank to prosecute such as a misdemeanor or a felony. On the other hand if I brute-force crack your password, then it would seem to be clearly covered.
8.17.2009 1:11pm
Waste93 (mail):
einhverfr,

It was my understanding that it was the Federal law and that is was a felony to access someone's account without their permission even if you have the username and password. I think it was one of the Federal laws passed since 2000 but can't remember which one it was. I remember it because some employers were accessing their employees email without permission. Also some cases where employers were doing it for pre-employment checks.
8.17.2009 1:22pm
einhverfr (mail) (www):
Waste93:

I still think you are thinking of USC 1030 which prohibits "unauthorized access" to a computer system, which is defined as access to a system to which one is not authorized to perform or in excess of such authorizations. IANAL either, FWIW.

However, employers have broad rights to intercept and read work emails (personal emails are a different matter).

However, "even if you have the password" is desceptive. The questions occur regarding how the password was obtained etc.

Furthermore while there have been recent attempts to expand this to web-sites terms of service, these have so far been rejected by the court as a general rule thanks to the efforts of the ACLU, EFF, and our own Orin Kerr.
8.17.2009 1:34pm
einhverfr (mail) (www):
igmore my spelling errors.
8.17.2009 1:35pm
The Original TS (mail):
KenB is correct. Summary judgment is inappriate because Miller now needs to be applied in light of all the state and federal legislation that has been passed regarding financial and online privacy in the last 30+ years. In particular, The Financial Services Modernization Act specifically addresses the issue.

The computer angle also needs analysis. The complaint seems to be alleging that the police accessed the P's online accounts without his authorization. In most states, this is a crime. If the state has made unauthorized access of computer accounts a crime, doesn't that create an expectation of privacy for those accounts?

This isn't my area, but I believe that banks are legally obligated to have internal procedures for accessing client information. Even employees of the bank cannot access your information at will. So account information is no longer necessarily "known" to employees of the bank.

Miller was written in a world of local banks and green eyeshades. Its assumptions may no longer hold true in a world of fully-automated megabanks. Frankly, the idea that no one has any expectation of privacy in their on-line transactions is risible. If this were generally believed, all 50 states and both houses of Congress would stampede to pass legislation to the contrary.
8.17.2009 1:35pm
Ben P:

It was my understanding that it was the Federal law and that is was a felony to access someone's account without their permission even if you have the username and password. I think it was one of the Federal laws passed since 2000 but can't remember which one it was. I remember it because some employers were accessing their employees email without permission. Also some cases where employers were doing it for pre-employment checks.


I think you're technically correct but your example is a bit off.

I did some work with this last summer and off the top of my head what I remember is:

1. The key fact is whether access was "authorized" or "unauthorized" (with unauthorized access being illegal) but permission can be presumed in some circumstances where the password was made available even if no express permission existed.

2. I seem to remember an exception for the owners or operators of servers. So, for example, an employer can monitor employee email that's going through its own mail servers.
8.17.2009 1:37pm
Ben P:
Also, regarding the overall point.

An interesting possible parallel example to me is a safety deposit box.

The contents of a safety deposit box are in the possession of the bank, but generally only accessible by the individual, and presumably (I don't know of a case off the top of my head) could not be searched without a warrant.

If a police officer were to either take a key from someone unauthorized to consent, or manufacture a key, then use that key to access the contents of the box, would that be an unlawful search?

If so, then so would using or manufacturing a password would also be an unconstitutional search.
8.17.2009 1:46pm
guest890:
The Supreme Court has expressly held that a customer has no legitimate expectation of privacy in financial records held by a financial institution and, thus, that a government search of such records does not violate the Fourth Amendment.


As a non-lawyer, I was shocked by this. Does this mean that the government is free to access anyone's financial information without a warrant? Really?

I certainly do expect my banking institutions to keep my transaction records private. Is this expectation "illegitimate"?
8.17.2009 1:54pm
einhverfr (mail) (www):
guest890:

Congress passed a law in response to the Supreme Court's opinion requiring banks to keep customer records secret.
8.17.2009 1:55pm
einhverfr (mail) (www):
Ben P:

2. I seem to remember an exception for the owners or operators of servers. So, for example, an employer can monitor employee email that's going through its own mail servers.


I would think that accounts issued for domain names of a company might presume authorization even if the company didn't own or operate the servers. IANAL though.

Consider the following hypothetical:
Example Inc. decides not to run their own email servers and contracts with MyISP.com to do so. MyISP.com owns and runs the servers. Suppose Example Inc lawyers, acting in official capacity, circumvent access control measures through an agreed-upon measure, and download all employees work-account emails.

The issue would be whether or not MyISP.com authorized the access, not whether Example Inc had permission from their employees. I would think that since the hosting agreement was between MyISP.com and Example Inc (not between the parties), barring any language explicitly to the contrary, I would expect the company as a corporate entity to be authorized to do anything that any employee could do.
8.17.2009 2:05pm
einhverfr (mail) (www):
(also, even if such language existed to the contrary, I would expect a court to think long and hard before suggesting that such was the subject of criminal liability.)
8.17.2009 2:06pm
PLR:
PLR, perhaps you could explain why? The term "flat out" suggests you think this is an easy question, and I am interested to find out why you think that.

My financial information belongs to me. I take reasonable efforts to keep it private, by shredding mail with sensitive information and by using firewalls and passwords.

But I'm not a registered broker-dealer, people are reluctant to take my hand-printed checks, and I don't want to keep lost of cash around that's not earning interest. So I grudgingly use various providers who impose fewer and slightly lower fees for the pleasure of their services. Fortunately, those providers will also keep my information confidential, even if only because the government has told them they have to.

I'm sufficiently content with our legal system that I recognize my information will be produced in response to a subpoena or a warrant. But I don't believe that law enforcement authorities should be hacking into my account to conduct audits of my transactions with no judicial supervision of their probable cause determinations.
8.17.2009 2:06pm
CVMe:
Without reading the opinion (dangerous), couldn't you say that since the illegality of this search is not clearly established, the officer is entitled to dismissal on qualified immunity grounds regardless of whether the conduct is unconstitutional?
8.17.2009 2:11pm
OrinKerr:
The originalTS writes:
Summary judgment is inappriate because Miller now needs to be applied in light of all the state and federal legislation that has been passed regarding financial and online privacy in the last 30+ years. In particular, The Financial Services Modernization Act specifically addresses the issue.
Are you saying that (a) Patel pled these causes of action, and the court should therefore consider them, (b) Patel didn't plead these claims, but the court should sua sponte consider them, or (c) the existence of privacy statutes should be read as changing the meaning of the Constitution?
8.17.2009 2:44pm
OrinKerr:
PLR,

Just so I understand you, you're not arguing that this was a violation of the Fourth Amendment under existing precedents, but rather that if the meaning of the Constitution were up to you, it would be a clear violation?
8.17.2009 2:46pm
Nick42 (mail):
Waste93 / einhverfr:

1030 does not apply to LEO investigations:


1030 (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

----

I'd hope that there are some other legal theories that would still prevent a LEO from randomly hacking into another's computer w/o legal penalty.
8.17.2009 3:09pm
SuperSkeptic (mail):
or (c) the existence of privacy statutes should be read as changing the meaning of the Constitution?

How about the application of the Constitution in light of evolving standards of legitimate expectations of privacy?
8.17.2009 3:14pm
The Original TS (mail):
Orin,

"(c) the existence of privacy statutes should be read as changing the meaning of the Constitution?"

??

Sorry, I don't follow you. Are you arguing that Congress cannot pass a law creating a legitimate expectation of privacy?

It seems to me that there is no clearer indication of an expectation of privacy that society is prepared to recognize as reasonable than one endorsed by Congress.

Certainly, there are areas of privacy that Congress may not derogate from but I see no constitutional problem with Congress expanding them.
8.17.2009 4:11pm
einhverfr (mail) (www):
Nick42:

Thx. I would think there are other statutes involved in financial privacy. I was more closely addressing the issue of hacking laws.
8.17.2009 4:38pm
PLR:
PLR, just so I understand you, you're not arguing that this was a violation of the Fourth Amendment under existing precedents, but rather that if the meaning of the Constitution were up to you, it would be a clear violation?
Correct.

Unless, of course, I were in confirmation hearings before the Senate Judiciary Committee. Then I would impress everyone with my mastery of the relevant principles from current Fourth Amendment jurisprudence, while simultaneously demonstrating that I would have absolutely no clue about the application of such principles in hypothetical cases.
8.17.2009 4:48pm
OrinKerr:
The Original TS, to me:
Are you arguing that Congress cannot pass a law creating a legitimate expectation of privacy?

It seems to me that there is no clearer indication of an expectation of privacy that society is prepared to recognize as reasonable than one endorsed by Congress.

Certainly, there are areas of privacy that Congress may not derogate from but I see no constitutional problem with Congress expanding them.
It turns out that I have started an article on this particular question, as it comes up from time to time. My argument (at least so far) is that indeed, legislatures cannot create a reasonable expectation of privacy by enacting statutory privacy laws.

The problem is that the argument that legislation creates an REP is always used as a one-way ratchet. If Congress created a right coextensive with the Fourth Amendment, the Fourth Amendment rule would never be reached: Under the principle of Constitutional avoidance, courts would resolve cases on statutory grounds rather than constitutional ones. Thus the argument for statutory creation of Fourth Amendment rights is invoked only when Congress legislates and intentionally rejects the standard of Fourth Amendment protection and opts instead only for lesser, sub-Fourth Amendment protection.

This creates a problem, as the argument then becomes that Congress's rejection of the Fourth Amendment standard but recognition of lesser privacy as a matter of statute should be read as forcing the courts to embrace the greater Fourth Amendment standard. That would be odd. Plus, presumably it would mean that the Supreme Court should start looking to Congress to see if there is a statutory privacy law, and that if there is no such law, that should be evidence of no reasonable expectation of privacy.

And what if Congress enacts a law giving sub-Fourth Amendment protection, the Supreme Court uses that to say there is Fourth Amendment protection, and then Congress, preferring its lower standard to the constitutional higher standard, repeals the statute? If the legislation really matters, then the Supreme Court presumably should have to rethink its earlier decision and likely reverse itself.

The argument I'm sketching out is more complicated, but the gist of it is that the statutory and constitutional questions have to be independent. Or so I'm thinking so far, at least.
8.17.2009 4:54pm
DJR:
Orin,

Interesting, but I don't think your one-way ratchet theory works. In a civil case, as your questions above suggest, the statutory issue might not be at issue because it is not raised by the plaintiff? Why would the principle of constitutional avoidance lead a court to resolve an issue on statutory grounds that had not been raised?

In a criminal case it's even worse: Let's say that Congress passes a law expressly "overruling" a police-friendly Fourth Amendment rule where the Court found no reasonable expectation of privacy. For example, let's say there is a federal no-searching through people's trash rule. Police search through someone's trash illegally and find evidence of a crime. Should the evidence be admitted? Assuming the statute does not provide for an exclusion remedy, the 4th Amendment question remains whether there was a reasonable expectation of privacy. The Court said no, but then Congress made the search illegal, so why wouldn't people then have the reasonable expectation that the police would not violate the law to get evidence?
8.17.2009 5:17pm
DJR:

presumably it would mean that the Supreme Court should start looking to Congress to see if there is a statutory privacy law, and that if there is no such law, that should be evidence of no reasonable expectation of privacy.


I don't think this follows. If Congress enacts greater privacy protections, those protections affect whether it would be reasonable for a person to expect privacy in a given situation. But that does not mean that Congressional actions would be the only considerations in that question.

As for whether repeal of the law should cause the Court to reverse itself, the answer would have to be "it depends." To what extent was the law the only reason that people expected privacy in that situation, and can people reasonably rely on the Supreme Court's prior decision given the repeal of the law? I can probably come up with situations that would lead to either a yes or a no answer, and I'm not sure there's anything wrong with that.
8.17.2009 5:27pm
OrinKerr:
DJR,

Why wouldn't a civil plaintiff raise the issue? As for the rest of your 1st para at 5:17, see, e.g., Adams v. Battle Creek.

As for your second para in 5:17, and your question at 5:27, I think we have a basic disagreement on what a reasonable expectation of privacy is. My own views, with citation to the relevant cases, which explains why I disagree with your view, can be found here.
8.17.2009 6:06pm
The Original TS (mail):
Orin,

The problem is that the argument that legislation creates an REP is always used as a one-way ratchet.

Yes. That is correct. But I don't see it as a problem. Congress is not society but Congress influences society. If Congress creates a new expectation of privacy that comes to be generally relied upon, the expectation can acquire constitutional protection. On the other hand, if Congress creates a new expectation that most everyone ignores, it is free to revoke it.

This seems to me both coherent and correct. The magic words, originally from Katz are, "an expectation of privacy that society is prepared to recognize as reasonable." Once a privacy expectation has become generally recognized such that many/most people organize their affairs in reliance on it, then it ought to be protected for Fourth Amendment purposes, even if Congress decides to invade it in other ways. This, of course, admits the possibility that society can abandon previously-legitimate expectations of privacy, too. With the advent of things like Facebook, who knows what might be fair game in 50 years? ;)

The argument I'm sketching out is more complicated, but the gist of it is that the statutory and constitutional questions have to be independent.

But keeping them independent will eventually -- and arguably already has -- created a nonsense. "I know that Congress has made it a felony for anyone or any company to disclose your medical/psychiatric/financial/internet browsing records without your permission but how on earth do you imagine that that gives you a reasonable expectation of privacy?" This, of course, assumes the legislation has no escape clause for law enforcement but if Congress makes it a crime to invade your privacy then you ought to have, ipso facto, a reasonable expectation of privacy.

One way around the problem would be to adopt your analysis for a "reasonable expectation of privacy" but to recognize that the Fourth Amendment says nothing about privacy. It talks about "unreasonable searches and seizures." A "reasonable expectation of privacy" is one way to analyze "reasonableness" but it is not necessarily the only way. Wouldn't a search conduct in violation of federal law be an "unreasonable" search even if no privacy interest were invaded?

I don't like this approach much as I feel it violates Occam's razor. But if you really feel it necessary to maintain the constitutional/statutory distinction, it might work.

In summary, I think the Fourth Amendment and the "reasonable expectation of privacy" is an area where the Original Intent and the Living Constitution crowds can find common ground -- or at least an analysis that reaches the similar results. The basic principles of Fourth Amendment jurisprudence ought to be unchanging. But the social and technological circumstances in which they are applied can and do change.
8.17.2009 6:27pm
OrinKerr:
Original TS,

We disagree on what the Supreme Court means when it refers to "an expectation of privacy that society is prepared to recognize as reasonable." My own views are here.
8.17.2009 7:11pm
The Original TS (mail):
Dear Orin,

An interesting synopsis and a nice counterpoint to my own making-it-up-as-they-go-along theory. I'll have to pull the full article.

As you well know, these questions are not merely academic, e-mail being exhibit "A". If you apply old cases having to do with telegrams, e-mail probably isn't entitled to any Fourth Amendment protection at all. There are, however, certain statutory provisions that create an expectation that personal e-mail is private. Certainly, if you took a poll as to whether e-mail was "private," pretty much anyone who was not either in law enforcment or a law professor would say, "absolutely!"

Fourth Amendment rules are fundamentally about policy. To that extent I (somewhat) disagree that the phrase "an expectation of privacy that society is prepared to recognize as reasonable" is really a term of art. I think it means exactly what it says. Drawing that boundary, though, can get very complicated such that the commonly-understood meaning isn't very much of a guide.

But it can be useful to step back sometimes and look at the forest rather than the leaves. In the case of e-mail, for example, I think applying that test makes the answer very clear, even if it may be difficult to square with some specific applications, like the old telegram cases.

Do people think -- and act -- as if e-mail is private? Absolutely. People use it as a substitute for letters, which were, of course, always protected. Do they reveal personal, private information with the expectation that it will be read only by the addressee? Yes, hundreds of millions of times every day. Is e-mail privacy, as the phrase is commonly understood, "an expectation of privacy that society is prepared to recognize as reasonable?" In those somewhat overused immortal words, "You Betcha!"

So suppose Congress decided tomorrow to strip e-mail of every existing statutory privacy protection? Do you really think the Supreme Court would ignore the previously-existing statutory protections under which everyone's e-mail usage developed and rule that e-mail was now completely fair game and not entitled to any Fourth Amendment protection at all? Well, maybe, but I'm sure it would be a split court . . .

Anyway, I look forward to your upcoming article on statutory privacy interests and the Fourth Amendment.
8.17.2009 10:04pm
DJR:
So point taken as to the civil case. Given the presumption that a civil remedy is the exclusive remedy, even if there is a good reason why the statutory issue isn't in the case, it appears that would be fatal.

I'm not so sure that your article answers why a statute could not create a reasonable expectation of privacy that could be applied in a criminal case. Wouldn't that be an example of the positive law model you describe? In fact, you cite California v. Greenwood as a case rejecting a positive law argument based on state law, but it could just as easily have come out the other way under my hypothetical federal trash privacy act. If congress specifically decided to create a privacy right where the Court found no expectation was reasonable, can you really say that 50 years later reliance on that law should not have created a reasonable expectation of privacy? At that point, the law could well have created significant arguments under your probabalistic model or even the policy model.

I'm not sure I understand your argument that this particular application of the positive law model would lead the Court to then look to statutes as the exclusive marker of a reasonable expectation of privacy. Part II of your article argues that no one test can draw the right line in every case. So if Congress were to repeal the law, why wouldn't the Court look to the other models, including where they overlap with the repealed law, to determine whether the Constitutional expectation is still reasonable?
8.17.2009 11:37pm

Post as: [Register] [Log In]

Account:
Password:
Remember info?

If you have a comment about spelling, typos, or format errors, please e-mail the poster directly rather than posting a comment.

Comment Policy: We reserve the right to edit or delete comments, and in extreme cases to ban commenters, at our discretion. Comments must be relevant and civil (and, especially, free of name-calling). We think of comment threads like dinner parties at our homes. If you make the party unpleasant for us or for others, we'd rather you went elsewhere. We're happy to see a wide range of viewpoints, but we want all of them to be expressed as politely as possible.

We realize that such a comment policy can never be evenly enforced, because we can't possibly monitor every comment equally well. Hundreds of comments are posted every day here, and we don't read them all. Those we read, we read with different degrees of attention, and in different moods. We try to be fair, but we make no promises.

And remember, it's a big Internet. If you think we were mistaken in removing your post (or, in extreme cases, in removing you) -- or if you prefer a more free-for-all approach -- there are surely plenty of ways you can still get your views out.