[ISN] Computer Privacy in Distress

From: InfoSec News (alerts@private)
Date: Wed Jan 17 2007 - 22:06:48 PST


http://www.wired.com/news/columns/0,72510-0.html

By Jennifer Granick
Jan, 17, 2007

My laptop computer was purchased by Stanford, but my whole life is 
stored on it. I have e-mail dating back several years, my address book 
with the names of everyone I know, notes and musings for various work 
and personal projects, financial records, passwords to my blog, my web 
mail, project and information management data for various organizations 
I belong to, photos of my niece and nephew and my pets.

In short, my computer is my most private possession. I have other things 
that are more dear, but no one item could tell you more about me than 
this machine.

Yet, a rash of recent court decisions says the Constitution may not be 
enough to protect my laptop from arbitrary, suspicionless and 
warrantless examination by the police.

At issue is the Fourth Amendment, which protects individuals from 
unreasonable searches and seizures by government agents. As a primary 
safeguard against arbitrary and capricious searches, property seizures 
and arrests, the founding fathers required the government to first seek 
a warrant from a judge or magistrate.

The warrant has to specifically describe the place to be searched and 
the items to be seized.

Searches and seizures without such a warrant are presumed to be 
unconstitutional. There are times, of course, when it would be 
unreasonable, burdensome, ineffective or just plain silly to require 
police to get a warrant before searching, so courts have carved out 
many, many exceptions to the warrant requirement. The fundamental thread 
in these decisions is a subtle and case-specific determination of what 
is "reasonable" conduct by law enforcement.

Because reasonable minds can differ on reasonable courses of action, the 
resulting Fourth Amendment law is complicated, sometimes contradictory 
and very fact-dependent.

Computers pose special Fourth Amendment search problems because they 
pack so much information in such a small, monolithic physical form. As a 
result, courts are grappling with how to protect privacy rights during 
searches of computers.

Three digital search topics in particular are converging in interesting, 
and foreboding, ways.

First, there are several new cases that suggest that agents can search 
computers at the border (including international airports) without 
reasonable suspicion or a warrant, under the routine border search 
exception to the warrant requirement.

Second, a recent case in the 9th U.S. Circuit Court of Appeals has held 
that private employees have no reasonable expectation of privacy, and 
thus no Fourth Amendment rights, in their workplace computers (gulp!).

Third and finally, the 9th Circuit is struggling, and failing, to define 
ways to judicially supervise police searches of computers to ensure that 
law enforcement gets the information it needs, while leaving undisturbed 
any private information on unrelated matters that may be on the same 
disk drive.

Together the computer search cases can paint a scary picture. But if you 
read the decisions carefully, there is ample room for courts to follow 
up with more nuanced opinions that protect computer privacy and allow 
reasonable government access.

For example, the border search exception allows "routine" searches 
without reasonable suspicion or a warrant. "Non-routine" searches still 
require reasonable suspicion. Is the examination of computers at the 
border a routine or non-routine search? The cases so far don't answer 
this question head on. Future cases will have to.

The Supreme Court has said that the definition depends on the "dignity 
and privacy interests" implicated by a search. Thus, strip searches and 
cavity searches are non-routine, but searches of vehicles and baggage 
are routine.

Given the sensitivity of information stored on a computer, the way 
people tend to archive everything, how long a comprehensive search takes 
and the likelihood of discovering contraband with such a search, courts 
may well find that computer searches are allowed at the border only 
based on reasonable suspicion, not as a baseless fishing expedition.

I hope for the best, as I do in United States v. Ziegler, the case that 
found private employees have no reasonable expectation of privacy in 
their workplace computers. Defense attorneys have asked for a rehearing, 
and the court may do better next time.

Ziegler is important, because if employees have no protected privacy 
rights, then the government can enter a private workplace, without 
cause, without a warrant, with or without the employer's consent and 
search employee computers. The business might try to sue, but the 
employee would not have the right either to challenge the government's 
actions in court, or to suppress any discovered evidence.

Similarly, defense attorneys in United States v. Comprehensive Drug 
Testing have asked the 9th Circuit for a new hearing, and the court has 
an opportunity to issue a more careful opinion in that case, which arose 
from the Balco doping scandal.

The government is investigating whether 10 professional baseball players 
were illegally taking steroids. In the course of its probe, it obtained 
multiple warrants for the results of drug tests taken by the players. 
But it didn't just seize the results for the players under scrutiny -- 
it grabbed the entire database, with samples from hundreds of other 
athletes.

Lower courts ordered the government to return the information that was 
not related to the Balco-linked players, but the government appealed and 
the 9th Circuit ruled in its favor.

The facts of the case are complicated, but the proper result is clear: 
In every computer or database search case, information responsive to the 
warrant is going to be intermingled with information about other 
matters. Warrants should not only state whether the computers will be 
removed from the premises, and how the search will be done, but should 
also establish a way agents will try to segregate private information 
from the data they are entitled to obtain pursuant to the warrant.

Otherwise, we will find that the government can use a smaller 
investigation as a stalking horse to obtain information about a vast 
number of other people.

These Fourth Amendment trends should be closely followed.

Of course, there's a chance that the courts will not recognize the 
different scope of privacy interests at stake in computer searches, or 
will not be adept at crafting a rule that gives enough leeway and 
guidance to law enforcement, while also protecting privacy. At that 
point, the Constitution may fail us, and we will have to turn to 
Congress to create rules that are better adapted for the information 
age.

-=-

Jennifer Granick is executive director of the Stanford Law School Center 
for Internet and Society, and teaches the Cyberlaw Clinic.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 



This archive was generated by hypermail 2.1.3 : Wed Jan 17 2007 - 22:21:22 PST