http://www.wired.com/news/columns/0,72510-0.html By Jennifer Granick Jan, 17, 2007 My laptop computer was purchased by Stanford, but my whole life is stored on it. I have e-mail dating back several years, my address book with the names of everyone I know, notes and musings for various work and personal projects, financial records, passwords to my blog, my web mail, project and information management data for various organizations I belong to, photos of my niece and nephew and my pets. In short, my computer is my most private possession. I have other things that are more dear, but no one item could tell you more about me than this machine. Yet, a rash of recent court decisions says the Constitution may not be enough to protect my laptop from arbitrary, suspicionless and warrantless examination by the police. At issue is the Fourth Amendment, which protects individuals from unreasonable searches and seizures by government agents. As a primary safeguard against arbitrary and capricious searches, property seizures and arrests, the founding fathers required the government to first seek a warrant from a judge or magistrate. The warrant has to specifically describe the place to be searched and the items to be seized. Searches and seizures without such a warrant are presumed to be unconstitutional. There are times, of course, when it would be unreasonable, burdensome, ineffective or just plain silly to require police to get a warrant before searching, so courts have carved out many, many exceptions to the warrant requirement. The fundamental thread in these decisions is a subtle and case-specific determination of what is "reasonable" conduct by law enforcement. Because reasonable minds can differ on reasonable courses of action, the resulting Fourth Amendment law is complicated, sometimes contradictory and very fact-dependent. Computers pose special Fourth Amendment search problems because they pack so much information in such a small, monolithic physical form. As a result, courts are grappling with how to protect privacy rights during searches of computers. Three digital search topics in particular are converging in interesting, and foreboding, ways. First, there are several new cases that suggest that agents can search computers at the border (including international airports) without reasonable suspicion or a warrant, under the routine border search exception to the warrant requirement. Second, a recent case in the 9th U.S. Circuit Court of Appeals has held that private employees have no reasonable expectation of privacy, and thus no Fourth Amendment rights, in their workplace computers (gulp!). Third and finally, the 9th Circuit is struggling, and failing, to define ways to judicially supervise police searches of computers to ensure that law enforcement gets the information it needs, while leaving undisturbed any private information on unrelated matters that may be on the same disk drive. Together the computer search cases can paint a scary picture. But if you read the decisions carefully, there is ample room for courts to follow up with more nuanced opinions that protect computer privacy and allow reasonable government access. For example, the border search exception allows "routine" searches without reasonable suspicion or a warrant. "Non-routine" searches still require reasonable suspicion. Is the examination of computers at the border a routine or non-routine search? The cases so far don't answer this question head on. Future cases will have to. The Supreme Court has said that the definition depends on the "dignity and privacy interests" implicated by a search. Thus, strip searches and cavity searches are non-routine, but searches of vehicles and baggage are routine. Given the sensitivity of information stored on a computer, the way people tend to archive everything, how long a comprehensive search takes and the likelihood of discovering contraband with such a search, courts may well find that computer searches are allowed at the border only based on reasonable suspicion, not as a baseless fishing expedition. I hope for the best, as I do in United States v. Ziegler, the case that found private employees have no reasonable expectation of privacy in their workplace computers. Defense attorneys have asked for a rehearing, and the court may do better next time. Ziegler is important, because if employees have no protected privacy rights, then the government can enter a private workplace, without cause, without a warrant, with or without the employer's consent and search employee computers. The business might try to sue, but the employee would not have the right either to challenge the government's actions in court, or to suppress any discovered evidence. Similarly, defense attorneys in United States v. Comprehensive Drug Testing have asked the 9th Circuit for a new hearing, and the court has an opportunity to issue a more careful opinion in that case, which arose from the Balco doping scandal. The government is investigating whether 10 professional baseball players were illegally taking steroids. In the course of its probe, it obtained multiple warrants for the results of drug tests taken by the players. But it didn't just seize the results for the players under scrutiny -- it grabbed the entire database, with samples from hundreds of other athletes. Lower courts ordered the government to return the information that was not related to the Balco-linked players, but the government appealed and the 9th Circuit ruled in its favor. The facts of the case are complicated, but the proper result is clear: In every computer or database search case, information responsive to the warrant is going to be intermingled with information about other matters. Warrants should not only state whether the computers will be removed from the premises, and how the search will be done, but should also establish a way agents will try to segregate private information from the data they are entitled to obtain pursuant to the warrant. Otherwise, we will find that the government can use a smaller investigation as a stalking horse to obtain information about a vast number of other people. These Fourth Amendment trends should be closely followed. Of course, there's a chance that the courts will not recognize the different scope of privacy interests at stake in computer searches, or will not be adept at crafting a rule that gives enough leeway and guidance to law enforcement, while also protecting privacy. At that point, the Constitution may fail us, and we will have to turn to Congress to create rules that are better adapted for the information age. -=- Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic. _____________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:21:22 PST