Featured Paper: Is the Court Allergic to Katz? Problems Posed by New Methods of Electronic Surveillance to the "Reasonable-Expectation-of Privacy" Test

Colin Shaff, a 3L at USC, has a new student note worth checking out: Is the Court Allergic to Katz? Problems Posed by New Methods of Electronic Surveillance to the "Reasonable-Expectation-of Privacy" Test. It appears in the Spring 2014 edition of the Southern California Interdisciplinary Law Journal.

The note discusses Jones, Katz, Olmstead, FISA, the ECPA, and many other facets of Fourth Amendment jurisprudence.

An excerpt from the intro:

This Note will examine the way in which the Court and Congress have reacted to the challenges posed by emerging technology with regards to the Fourth Amendment’s “unreasonable search and seizure” clause. This Note argues that the best balance between protecting personal liberties and respecting the needs of law enforcement occurs when the Court, Congress, and state legislatures collaborate to craft robust statutory schema; in contrast, when the Court makes decisions without legislative input or when Congress acts without judicial guidance, the resulting law is often inadequate or incomplete. 

Read More

Updated: GPS Tracking Case (Katzin) Oral Argument Posted

The Oral Argument audio for United States v. Katzin can be found below:

Read More

CA appellate court allows warrantless use of speed/braking records from car's airbag module (SDM)

In another first impression case, a California appellate court ruled that an individual has no reasonable expectation of privacy in the data recorded by a car's sensing diagnostic module (SDM), which is part of the airbag system. Therefore, the court upheld the police's actions to retrieve that information from a car that was lawfully impounded after an accident. The case is People v. Diaz, __ Cal. App. Ct. __ (Feb 6, 2013), and a copy of the opinion can be found: here.

The "main function of the SDM is to deploy the air bags. The SDM has the secondary function of recording throttle, speed, application of brakes, and transmission position." In this case it was used as evidence to prove the speed of a vehicle involved in an accident resulting in death (the driver was also intoxicated). The defendant argued that an individual has a reasonable expectation of privacy in that information, and that the police's actions to cut her carpet to get to the module, and then download the data, was a violation of the Fourth Amendment. As mentioned above, the car had been impounded after the accident, and was essentially totaled. The defendant attempted to make an appeal to United States v. Jones in her argument to no avail. The court quickly dismissed that argument, stating "the trespass theory underlying Jones has no relevance and, as the trial court aptly pointed out, the purpose of the SDM was not to obtain information for the police. Thus, Jones is not helpful to defendant."

The holding of the case turned on the instrumentality of crime exception to the warrant requirement, stating that: "In this case, defendant's vehicle was itself an instrumentality of the crime of vehicular manslaughter. Defendant concedes it was lawfully seized. Consistent with the California Supreme Court cases discussed above, the officers' 'subsequent examination of the [vehicle] for the purpose of examining its evidentiary value [did] not constitute a ‘search’ as that term is used in the California and federal Constitutions. [Citations.]'"

Regarding the expectation of privacy, the real interesting portion of the court's holding is below:

As the trial court pointed out, the specific data obtained from the SDM was the vehicle's speed and braking immediately before the impact. We agree that a person has no reasonable expectation of privacy in speed on a public highway because speed may readily be observed and measured through, for example, radar devices . . ., pacing the vehicle . . ., or estimation by a trained expert . . . . Similarly, a person has no reasonable expectation of privacy in use of a vehicle's brakes because statutorily required brake lights (Veh. Code, § 24603) announce that use to the public. Thus, defendant has not demonstrated that she had a subjective expectation of privacy in the SDM's recorded data because she was driving on the public roadway, and others could observe her vehicle's movements, braking, and speed, either directly or through the use of technology such as radar guns or automated cameras. In this case, technology merely captured information defendant knowingly exposed to the public—the speed at which she was travelling and whether she applied her brakes before the impact. 

We conclude there was no Fourth Amendment violation in the admission of SDM evidence.

I was unaware, until reading this case, that such information was stored on a device in cars equipped with airbags. It is a very interesting case, and I believe the court resolved it correctly. An attempt to pull Jones in to inject the ideas of "mosaic theory" and trespass was an interesting move by the defense, but knowing someone's location and tracking their every move is much different than reconstructing their speed and braking. GPS tracking can reveal much about a person's life. Speed and braking can pretty much only tell you if that person has a lead foot or rides the brakes.

New York dealt with a similar case in 2004 (which the court mentions), People v. Christmann, 776 N.Y.S.2d 437 (Just. Ct. 2004), resulting in the same outcome.

Read More

Federal District Court finds reasonable expectation of privacy in packages mailed with fake recipient and sender

Confronted with an issue of first impression, a federal district court held that the sender of packages labeled with fictitious sender and recipient information retained a reasonable expectation of privacy in the contents of those packages. The case is United States v. Williams, ___ F. Supp. 3d ___ (W.D. Tenn Dec. 6, 2012). The court's decision was based primarily on the Seventh Circuit's opinion in United States v. Pitts, 322 F.3d 449 (7th Cir. 2003), since there was no controlling precedent from the Sixth Circuit.

The facts of the case are quite simple - an informant was working with the DEA to facilitate methamphetamine buys, and when the drugs for two deals were shipped to the informant, the DEA intercepted them before delivery, and confirmed that they were in fact drugs. The defendant argues that the evidence should be suppressed, because he retained a Fourth Amendment right against search of the packages by the DEA (since they never ended up with the recipient). The government argued, alternatively that by using the fictitious names, the packages were essentially abandoned. With respect to the reasonable expectation of privacy component, the court relied on Pitts extensively, quoting a large section of language. The gist was that there are legitimate reasons for using false names, like a literary pseudonym, and those individuals should not lose their expectation of privacy due to the nefarious actions of people who abuse the system. The court quoted Pitts further, for the general point that:

Unlike the theoretical burglar in Rakas, who is plying his trade in a summer cabin during the off-season and who is wrongfully present on someone else's property, Pitts and Alexander had a right to use false names in sending and receiving mail. There is nothing inherently wrong with a desire to remain anonymous when sending or receiving a package, and thus the expectation of privacy for a person using an alias in sending or receiving mail is one that society is prepared to recognize as reasonable. A person using this means of maintaining privacy runs the risk that if the mail is undeliverable, as occurred here, it might become irretrievable. Pitts and Alexander took that risk and ended up losing - indeed, abandoning - control of their property. Having abandoned the package, they surrender their Fourth Amendment claim.

I think the court's decision here was a no-brainer. What isn't so clear is why the court would reach the issue in the first place, since in the next paragraph, the opinion notes that the defendant lacked Fourth Amendment standing to begin with, since the expectation of privacy ended upon delivery to the DEA.

The court then goes on to assume, arguendo, that the defendant did not lack standing, and tackles the issue of whether the DEA intercepting the packages before arriving at the designated recipient (the informant, who knew where to pick them up, despite the fictitious recipient name) was a valid search due to the lack of the warrant. Here, I think the opinion arrives at its muddiest point. The court concedes a fact that I think draws the entire section just mentioned into question (CS is the informant):

While it is not entirely clear that the agents ever received express consent from the CS, they at minimum had the CS's implied consent.

So, the DEA never had consent, expressly, to search the packages, and the informant was not even aware that they would be intercepted. The court finds implied consent from the informant's relationship and cooperation with the DEA, the fact that the packages were purchased with DEA money, and that the informant allowed his telephone conversations to be recorded. However, that is not enough, in my opinion. The court goes on to analogize the case to a Fourth Circuit case aptly named United States v. Williams, 106 F.3d 1173 (4th Cir. 1997). The court describes the similarities with that case and the present as follows:

The present case is similar to United States v. Williams, 106 F.3d 1173, 1177 (4th Cir. 1997). There, a confidential informant made three separate, DEA-monitored purchases of methamphetamine by mail from the defendant. The methamphetamine packages were mailed by the defendant to the informant at a post office box under the control of the DEA. The defendant argued that the agents violated his Fourth Amendment rights by opening the packages without a warrant. The Court of Appeal rejected this argument, holding that

 We are of opinion that the admission of the contents of the three envelopes did not constitute error at all, much less plain error. Even assuming Williams had standing to challenge the admissibility of the envelopes, the record indicates that [the informant's] consent was implied from his conduct during the investigation. [The informant] had the right to open, or given consent to open, the envelopes because they were addressed to him. Also at this time, [the informant] . . . and the Task Force agents who actually opened the packages were cooperating. [The informant] had agreed to buy methamphetamine using government money. . . . We believe this evidence of the relationship between [the informant] and the Task Force agents establishes [the informant's] implied consent. Accordingly, the agents' search of the packages did not violate Williams' constitutional rights as sender of the package. (my underlining added)

I think there is an easy distinction to be made between the Fourth Circuit case, Williams, and this case; namely, that the DEA owned the post office box in Williams, or had control over it, which makes it easier to jump to the implied consent conclusion - i.e. the informant knew the mail would arrive there and it was not his personal mailbox (so the assumption that the DEA would open it would be clear). Here, the box was intercepted without the knowledge of the informant, without his consent, and in route, instead of at the point of delivery (where the reasonable expectation of privacy ends, per the courts own reasoning). So the court must leap from CS acting as an agent --> assumption that he would consent to interception --> interception was OK prior to delivery (but still during the time that the court concedes there is a reasonable expectation of privacy in the package).

I don't think the distinction above is a condemnation of the opinion, but more a "why include such a long section of dicta which weakens the argument?" If the case really can be resolved on grounds of standing, it is against notions of clarity and narrowness of holding to even include this discussion in the opinion.

Read More

Breaking: In important Fourth Amendment case (Ahrndt), federal district judge GRANTS motion to suppress

We previously wrote about United States v. Ahrndt in a series of posts, after the 9th Circuit remanded the case for further consideration of the defendant's motion to suppress. Yesterday, a federal district court in Oregon granted Ahrndt's motion to suppress evidence (CP) from his iTunes library obtained by his neighbor (and later law enforcement) through an unsecured wireless network. This is a very important development, and we will get further into it in another series of posts.

Here is what we wrote, before:

Ninth Circuit remands case involving CP found on an unsecured wireless network - Jeffrey

Examination of the technology involved in Ahrndt - Jeffrey

Ahrndt considerations on remand and cordless ≠ WiFi - Justin

Arhndt's reference to Jones, and what Jones means in the context of wireless networks - Justin

Read More

Court holds that Jones concurrences do not provide that extended surveillance violates Fourth Amendment

In United States v. Brooks, No. CR 11-2265 (D. Ariz. 2012), the court held that the concurring opinions in the Supreme Court's 2012 Jones decision cannot be read to find that prolonged video surveillance violates the Fourth Amendment.

Law enforcement had placed a camera on a service pole outside the defendant's apartment complex with permission from the property owner. The camera was able to zoom and pan. Using images acquired from the camera, the government was able to build a case against the defendant.

At issue before the court was whether the placement of the camera violated the defendant's Fourth Amendment rights and the evidence should be suppressed. The defendant, relying on concurring opinions by Justices Alito and Sotomayor, argued that under United States v. Jones, "long-term continuous surveillance violate's a person's Fourth Amendment rights."

The court disagreed that the concurring opinions can be read as binding.

While it does appear that in some future case, a five justice "majority" is willing to accept the principle that Government surveillance can implicate an individual's reasonable expectation of privacy over time, Jones does not dictate the result of the case at hand because it merely reaffirms the reasonable expectation of privacy analysis.... Accordingly, the Court must determine whether Defendant's reasonable expectation of privacy required law enforcement to obtain a warrant before conducting pole camera surveillance on the parking lot of a gated apartment complex associated with Defendant from a camera whose installation was permitted.

As such, the motion to suppress was denied.

Read More

Judge allows discovery of private Facebook postings and photos in sexual harassment case

In an order, found here: Reid v. Ingerman Smith, LLP (E.D.N.Y Dec. 27, 2012), Magistrate Judge Marilyn D. Go granted (and denied in part) a motion to compel discovery of plaintiff Reid's social media usage. The case itself revolves around a sexual harassment claim brought by Reid against Ingerman Smith for an incident while Reid was employed as a legal secretary. More details regarding the case can be found here (in an order to deny in part and grant in part a motion to dismiss the case, authored by Judge Glasser).

Judge Go agreed with the defendants that Reid's Facebook postings and comments on photographs placed on Facebook were relevant to whether Reid had actually experienced the emotional distress she claimed resulted from the sexual harassment. The court reviewed how other jurisdictions had dealt with similar questions, after observing that: "[a]lthough the law regarding the scope of discovery of electronically stored information ("ESI") is still unsettled, there is no dispute that social media information may be a source of relevant information that is discoverable." The ultimate issue, then, as summarized by the court:

The defendants argue that since postings and photographs from the public portions of plaintiff's Facebook account contain information that contradict plaintiff's claims of mental anguish resulting from the alleged sexual harassment by defendant Sadowski and termination of her employment, the non-public portions may also provide relevant information. Plaintiff responds that she should not be subject to broad discovery of the entirety of her social media account and be required to disclose private information.

I think any court facing this dilemma is trying to do two things: (1) facilitate discovery of information that is no doubt relevant to the claims in the case, but more importantly, (2) attempting to prevent further emotional damage to the plaintiff, whose privacy was already violated once by the sexual harassment, by limiting the reach of the prying inquiry requested by the defendant. I'm not necessarily convinced Judge Go achieved the second goal adequately. At least in the order, she exempted trivial personal information and photographs from birthdays, but did not really delineate what should be excepted. She offered stipulations at the end regarding discovery, but it remains to be seen if the scope will be as limited as she imagined with such a dearth of adequate guidance by the court.

The court summed up its thoughts as follows:

While plaintiff is correct that disclosure of her personal social media account may raise privacy concerns, such a consideration is more "germane to the question of whether requested discovery is burdensome or oppressive and whether it has been sought for a proper purpose" rather than to affording a "basis for shielding those communications from discovery." E.E.O.C. v. Simply Storage Mgmt., 270 F.R.D. 430, 434 (S.D. Ind. 2010). 

Even had plaintiff used privacy settings that allowed only her "friends" on Facebook to see postings, she "had no justifiable expectation that h[er] 'friends' would keep h[er] profile private . . ." U.S. v. Meregildo, 2012 U.S. Dist. LEXIS 115085, 2012 WL 3264501, at *2 (S.D.N.Y. 2012). In fact, "the wider h[er] circle of 'friends,' the more likely [her] posts would be viewed by someone [s]he never expected to see them." Id. Thus, as the Second Circuit has recognized, legitimate expectations of privacy may be lower in e-mails or other Internet transmissions. U.S. v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (contrasting privacy expectation of e-mail with greater expectation of privacy of materials located on a person's computer). (emphasis added)

While many courts have stated that Internet communications are less protected, I'm not convinced that you can fully analogize a Facebook posting to an email. Here's why: An email has no built in protection to prevent forwarding to third parties; Facebook does - you personally limit who can see what on your page, and that effort in and of itself shows a subjective intent to retain an expectation of privacy in those posts. It is not a difference in kind, and I would never argue it was, but the continual need to analogize differing internet communications to email to appeal to more settled court precedent is troublesome.

I'd like to reiterate that I am not arguing the information requested isn't germane to the case, indeed, it is likely so. But, sweeping under the rug the difference between Facebook and other electronic communications does a disservice to users of these sites. It also erodes the ability of an individual to protect their own privacy interests through use of privacy mechanisms employed by electronic services such as Facebook; what's the purpose of such mechanisms, if all communications on Facebook are essentially, if not explicitly, lumped together?

My favorite part of this ruling follows:

statements regarding plaintiff's social activities may be relevant to plaintiff's claims of emotional distress and loss of enjoyment of life. The postings may also provide information regarding potential witnesses with knowledge. Thus, plaintiff must disclose social media communications and photographs "that reveal, refer, or relate to any emotion, feeling, or mental state . . . [and] that reveal, refer, or relate to events that could reasonably expected to produce a significant emotion, feeling or mental state." Simply Storage, 270 F.R.D at 435-36; see also In re Air Crash, 2011 WL 6270189, at *6 (W.D.N.Y. 2011) (ordering disclosure of electronic communications, including social media materials, as they relate to decedent's domicile and claimants' loss of support claims). Likewise, photographs uploaded by plaintiff, as well as photographs uploaded by third parties depicting plaintiff are discoverable, while other photographs that have a more tenuous connection with the party are less likely to be relevant. Clearly, "pictures of the claimant . . . will generally be discoverable because the context of the picture and the claimant's appearance may reveal the claimant's emotional or mental status" while "a picture posted on a third party's profile in which a claimant is merely 'tagged' is less likely to be relevant." Simply Storage, 270 F.R.D. at 436.

Two comments: (1) "social media communications and photographs" that reveal or relate to "any emotion, feeling, or mental state" essentially comprises anything on Facebook. Short of a picture of a tree in a field, everything on Facebook has a "feeling" connotation. Even the picture of a tree just mentioned could show a "mental state" focused on "trees." Is that helpful? The court's words are just about as vague and unhelpful to what is within the scope of social media discovery as I have ever seen. (2) photographs uploaded by third parties depicting plaintiff are discoverable? Wow. What about if those photos contain locational EXIF data, or private information a third-party believed would remain within a small social sphere? Once again, I am not arguing this type of information may or may not be relevant, but some guidance by the court regarding third-party privacy should have been noted. I ardently ascribe to judicial precision and narrowness, but not when a few extra words would clarify an order which the court admits falls in an area of judicial and legal instability.

Read More

Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

In this second post, I will explain my reasons for believing the court's reasoning in Weindl was flawed. The Weindl case, as a quick recap, involved a principal (Weindl) who was caught with child pornography after using a laptop assigned to the son of an FBI agent (Auther); the laptop was returned by Auther with spyware on it. For my original write-up of the facts of the case, see: Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression. I also wrote a quick follow-up post about the coverage and misinformation regarding the case after I wrote about it. That can be found here: Weindl - FBI agent spyware v. principal attracts attention and misinformation.

First, let me address the "smell test." It seems extremely odd that when Auther took the computer to the FBI and asked "fellow agents for advice on how to wipe it clean" they "tried to remove all the files but were unsuccessful." Two things: (1) the FBI investigates a significant number of "cyber" cases using forensics techniques to recover deleted files and search through hard drives, uncover steganography, and analyze complex network traffic. Yet, they can't wipe a hard drive - something that a simple Google search will tell you how to do? Also, (2) Auther paid for and installed the spyware, knew the "hot-keys" to access the information it collected, and set it up to email him reports. Yet, once again, he could not uninstall that program, the most cognizable change he made to a machine he did not own?

In addition, he took it to a computer store to wipe all of the files, with a service order showing "reimage" and "clean out files" as the work to be done. I accept that a local service may not have been aware of the spyware to look for it in the first place, but reimage means just that, start all over again.  And, more interestingly, Auther did not even mention that he installed spyware on the computer to the computer shop. Wouldn't that program be the first thing you would mention when cleaning up a computer?

Also, the court seemed to be quite deferential to Auther when it accepted the argument that he was more concerned about leaving than investigating the principal. Perhaps that is true, but is it not equally likely that he suspected the principal of questionable activities and, before leaving, wanted to confirm his suspicions? After all, the FBI agent did say that he was aware of the Sandusky case and that what happened at Penn State motivated some of his later actions. That coupled with the two-time failure to remove the spyware smells funny.

But lets assume that all of the facts are true - just as the court did. I find it questionable that the court omitted any discussion regarding the license agreement of eBlaster, which requires you to agree to "use [eBlaster] only on a computer you own," an agreement Auther clearly violated when he installed it on a school-loaned laptop. The court also breezes over the likelihood that Auther violated policies of the school or the PSS laptop loaner program. I point this out because Auther is permitted to walk all over policies and procedures carte blanche, but Weindl's use of the laptop in likely violation of the rules of the loaner program was sufficient to wipe out his expectation of privacy completely. More on that later.

I think one of the most glaring errors of the court is the reasoning that opening the first four emails was not a search and instead was inadvertent conduct not under the color of law.  First, the court found that the search was only the activity of the spyware program collecting the data, and did not include the person on the other end viewing that information. I am not convinced you can draw such a black and white line. The Fourth Amendment (and by proxy the protection of privacy) has been held to protect against the intrusion of the process of a search as well as the discovery of the information it provides. If the latter were not an aim, the Fourth Amendment would never have been extended outside of property notions, as it was in Katz.

Thus, Auther's decision to open an email with a subject line that clearly indicated the email regarded information collected after he had returned the PC should have been held a search. Moreover, knowledge that the email could not regard his own or his son's activity does not make opening the email inadvertent. The definition of inadvertent is: "not focusing the mind on a matter : inattentive." The case indeed indicated that Auther recognized that the emails were providing information they should not have been because he believed the program had been removed and the computer was no longer in his possession. An example is illustrative: If I move into a new house on Royal Avenue on Tuesday, and on Friday I get a package addressed to "our lifelong neighbors on Royal Avenue," opening that package would not be inadvertent. I clearly know that I do not constitute the "neighbor" the package was intended for, since I moved in three days prior. Auther's opening of the email is no different. The subject line contained prima facie evidence that it was not intended for him and arose from improper means. Thus, the only reason he could have to open it would be to pry.

I am willing to concede, however, that one might reasonably argue that opening the first email would be inadvertent. Maybe he wasn't paying attention to the subject line. But, after reading the first, he should have known something was awry. To open the other three emails, after reading the first, would indicate one very important thing: that he was now acting as an officer of the law because of the information the email contained (evidence of someone accessing child pornography). To go back to my example, if I opened the first package without paying particular attention to the address line that said "to our lifelong neighbors on Royal Avenue," it may be reasonable to say I was just careless (or it was inadvertent). However, if inside that box are pictures of a family that I don't know, then when three more packages arrive addressed the same way and similar in appearance, a reasonable person would not open them. They would instead return them to whomever delivered them. Or, in Auther's case, contact the principal or the PSS program and indicate that the spyware he installed without authorization from either the school program or the software author was in fact still installed and had generated an email to him. An interesting question raised by the case is: if the spyware email hadn't contained evidence of CP access, would he have called the school to raise the flag on the spyware? One would think so.

The last significant problem with the case is the court's decision to deny standing to Weindl on the reasonable expectation of privacy issue. The court stated:

Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.

Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. 

The court justifies the last paragraph on two reasonable expectation of privacy cases: one involving a stolen computer (Wong), and one involving a computer obtained by fraud (Caymen). The court then states that "Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer." I find the comparison to Wong and Caymen to be ill-advised. In both cases, the individual had either been convicted, or charged with obtaining the device by illegal means. Weindl did nothing of the sort, here. Additionally, in Caymen, where the defendant obtained the laptop by fraud, the court based its holding on cases from sister circuits regarding stolen cars. There is a theme here: stolen. Weindl did not steal, nor obtain anything by fraud. While he may not have had permission, he certainly was not doing anything illegal.

The Caymen court pointed out that a person who has stolen something lacks the property interests an owner has (the bundle of sticks) that define property ownership. Can the same be said for the laptop, here? Arguably, no. Weindl was permitted to have constructive possession of the laptop - something a thief would never have. Also, if the laptop had been stolen from the FBI agent's son and then recovered, it would likely have been returned to the principal (or someone under his authority). Granted, he lacked other property rights like the right to sell, but to analogize the computer to stolen property is off target.

Lastly, I believe the court was correct, technically, about the application of the Federal Wiretap Act: namely, that suppression is only for wire and aural communications in criminal cases. However, I find it fantastical to argue that placing spyware on an individual's computer isn't wiretapping. That the court had to cite to a 1978 case in support of this part of the holding is a clear illustration of the lack of coverage in this area. I hope that these facts present an opportunity for the 9th Circuit to directly address the issue and clarify that a "wire" communication should include such conduct. (Although maybe it is a legislative task, since to include what could be characterized as "electronic communications" within "wire communications" would arguably construe the civil portion of the law addressing "electronic communications" superfluous, something courts are reticent to do).

I am excited to see how the 9th Circuit handles this case. The facts of Weindl illustrate, as many other technologically centered cases do, the "play in the joints" of the law. And, with respect to the Wiretap Act, reflects the anachronistic nature of some federal statutes as applied to emerging technologies.

Read More

Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression

This case will be discussed in two posts.

In United States v. Weindl, __ F.Supp __ (D. N.M.I. Nov. 20, 2012), a Northern Mariana Islands federal district court denied suppression of evidence obtained when spyware installed on school-owned laptop (assigned to an FBI agent's son and later used by the principal) sent child pornography (CP) reports (alerts) to the FBI agent - evidence that led to charges against the school principal (two counts of receiving CP and two counts of possession of CP). There are three relevant issues in the case: (1) whether the act of "accidental" failure to remove the spyware resulted in an "inadvertent search" or an intentional one, (2) whether the FBI agent was acting under the color of law when he opened and later investigated the reports he received from the spyware, and (3) whether Weindl had standing to assert a reasonable expectation of privacy in the spyware reports.

I believe this case was wrongly decided on the all three issues. I contacted David Banes, the lawyer for Weindl, and he (not surprisingly) agrees as well. He indicated that his client "fully intend[s]" to appeal this denial of suppression after the case goes to trial (it does not look like the judge will allow a conditional plea).

In this first post, I will give a summary of the case. In the second post, I will argue why the court erred in its holding.

Summary 

The defendant Thomas Weindl ("Weindl") was a school principal at Whispering Palms public school in Saipan, Mariana Islands. The FBI agent whose actions gave rise to this case is Joseph Auther ("Auther"). Auther's eldest son was enrolled at Whispering Palms, and was assigned a laptop during his time there. Auther kept an eye on his son's use of the laptop by purchasing and installing eBlaster on the laptop (without his son's knowledge). eBlaster sent email reports directly to Auther, with keystrokes, internet sites visited, and a plethora of other information. The report in Auther's inbox "would give the subject as 'Report,' followed by the date and time span of covered activity."

Auther was reassigned to a different FBI office in April 2012 and as part of the moving process, returned the laptop to the school, and more specifically, handed it over to Weindl. Auther did not tell Weindl about eBlaster, apparently assuming that it had been removed, but had told Weindl (prior to turning it in) that he would wipe the machine. Auther did in fact attempt to wipe the machine, but failed. The court describes Auther's actions as follows:

The first step Auther took to service the laptop was to bring it into the FBI office and ask fellow agents for advice on how to wipe it clean. They tried to remove all the files but were unsuccessful. Next, . . . Auther asked a local computer store to repair a scratched screen and wipe off all the files on the laptop's hard drive. The store's service order (Ex. 1) lists the work to be done as "Reimage" and the work performed as "Clean out files." Auther did not tell the technician about eBlaster, but he expected that the cleaning would eliminate the program. 

As stated previously, eBlaster was not, in fact, removed. After handing the laptop over, Auther did not receive any emails from eBlaster for over six days. On the seventh day, Auther received four emails from eBlaster indicating someone was using the laptop to access child pornography. The emails had subject lines, as described above, that clearly indicated that they were regarding activity that occurred after Auther turned in the laptop. Auther viewed all four emails, nonetheless. Auther hypothesized that the activity could be from a virus, another student using the laptop, or Weindl himself. He thought of Weindl because the pornography searched for was of young asian children with older adults and Weindl had recently married a Korean woman and now had an 11-year-old stepdaughter.

At this point, Auther did not report the results of the reports to authorities, but instead called Weindl under false pretenses, acting as if he would like to purchase the laptop. Weindl indicated that he had given it back to the school laptop agency (PSS), and that Auther wouldn't be able to buy it. Auther did not indicate that he had received CP reports, or that eBlaster was apparently still on the computer. Auther's reasoning was:

. . .that he did not want to raise concerns in Weindl's mind about who was using the computer or about a possible investigation involving Whispering Palms teachers and students. . . . [H]e was concerned that the Internet activity might mean that a child molester was operating at Whispering Palms. He was aware that a former coach at Pennsylvania State University had just been convicted on child molestation charges, and he was determined not to allow similar conduct to go undetected at Whispering Palms. (emphasis added)

Three days later, instead of handing the case over to the authorities, Auther then proceeded to start an investigation into what was going on with the laptop. Flashing his FBI badge at the offices of the the laptop program agency (PSS), he inquired if the laptop had actually been returned, and found that it hadn't. Auther then inquired with his ISP about the IP address noted in the reports, attempting to find out where the computer was being used. Auther indicated to the court that he may have shown his FBI badge to the ISP. The ISP refused to tell him anything, but he was able to decipher that the computer usage was not from an IP at his house.

On the same day as the trip to PSS and the ISP, Auther received two more emails indicating that the computer was being used to access CP. He decided to drive by the school on his way to report everything to the FBI. He noticed Weindl's car in the parking lot and called Weindl on his cellphone. Auther asked about the laptop and Weindl said he was investigating some "hanky panky" going on at PSS. Auther knew he was lying since PSS did not have the laptop, and grew much more suspicious. He reported what was going on and his suspicion about Weindl to a special agent with the FBI (Ewing). He also asked that child protective services be sent to Weindl's house to check on his 11-year-old stepdaughter.

Over a week later, Ewing and Auther went to Weindl's office to speak with him. During the conversation, Weindl admitted he lied about returning the laptop to PSS and admitted to viewing child pornography. He also confessed that he had taken the laptop out into the jungle and smashed it. He was arrested outside the school a short time later. Prior to trial, Weindl filed a motion to suppress the eBlaster evidence arguing that it was obtained in violation of his Fourth Amendment rights.

The court, in denying suppression of the eBlaster evidence, began by declaring that to have a Fourth Amendment violation, there needed to be state action and standing (a reasonable expectation of privacy). Addressing the state action portion, the court laid out the standard relating to an off-duty officer - whether Auther was acting under color of state law, where his actions "in some way related 'to the performance of his official duties'" or "pursuant to [a] government or police goal." The court held that when Auther installed eBlaster he was acting as a private citizen, and not as an FBI agent. Despite the circumstances changing when Auther returned the laptop (that Auther wasn't acting as a concerned parent anymore), the court held that it was an inadvertent search not under color of state law because Auther did not intentionally leave eBlaster on the computer.

In reaching that result, the court was not persuaded by Weindl's argument that even if the presence of eBlaster was inadvertent, Auther opening and reading the eBlaster reports turned something inadvertent into intentional. The court reasoned that "[t]he search was the gathering of information by eBlaster, not the viewing of the contents." The court also dismissed the argument that "the initial eBlaster reports come under the Fourth Amendment via the two-part test for private-party searches."

So, to clarifiy, the original four emails from eBlaster sent to Auther, and him viewing them, were not the "product of a search conducted under color of state law."

The court did find a search, however, relating to the two eBlaster reports Auther received after he called Weindl to inquire about the laptop. The court stated:

By that time, Auther knew that someone may have been viewing illicit material on the laptop. He suspected Weindl even before he called him. When he did call, he hid his real concern about the laptop's usage behind a pretense that he was interested in purchasing the computer. After the call, he did not uninstall or disable eBlaster, even though as a private citizen he was under no obligation to continue monitoring an unknown person's offensive Internet activities. He did not immediately call his colleagues at the FBI and hand the investigation over to them — conduct that might have indicated Auther wanted to maintain a separation between his private self and his public persona as a law enforcement officer. . . . [instead] Auther continued his investigation into the child pornography website searches. . . . At the PSS offices, he showed his FBI badge. At the Internet service provider, he relied on the fact that he was known to be an FBI agent to seek information about IP addresses. The totality of the circumstances shows that at this point, Auther's actions were related to his official duties and in pursuit of a police goal. Although a formal FBI investigation had not been opened yet, Auther was now acting under color of law.

The court dismissed the government's argument to the contrary, that "even if Auther's conduct constituted state action, his discovery of the illicit Internet activity through eBlaster e-mails was accidental and therefore does not come under the Fourth Amendment." The court stated that precedent was clear that to have inadvertent discovery through plain-view doctrine, the police had to be somewhere they were justified to be. However, here, "Auther, . . . had no legitimate justification to intrude on anyone's conduct on the school laptop once it was no longer on loan to his son. Moreover, the incriminating evidence did not drop out while he was straightening the icons on the computer's desktop but came into view because of intentional spying on the keyboard and hard drive."

Addressing the argument that a violation of the federal Wiretap Act occurred, the court noted that under the criminal portion of the Act, "suppression motions are authorized only with respect to the contents of wire and oral — not electronic — communications."  The court laid out that the definition of "[a] wire communication is 'any aural transfer' involving wire or like connections between the point of origin and point of reception." 18 U.S.C. § 2510(1). And that, "an 'aural transfer' is 'a transfer containing the human voice' at some point in transmission of the communication." 18 U.S.C. § 2510(18). Thus, the court held that there was "no evidence that the transmission of information from the school laptop to Auther via eBlaster entailed hearing a human voice. Therefore, the evidence that Weindl seeks to suppress is not the product of a wire communication."

Finally, the court noted that to suppress the two eBlaster reports the arrived after Auther called Weindl under false pretenses, Weindl must have Fourth Amendment standing; that he had a subjective expectation of privacy regarding his actions on the laptop, and that his expectation was objectively reasonable. The court held that Weindl did not have standing. The court refused to accept the argument that Weindl had a property interest in the laptop. But, the court stated, the Fourth Amendment isn't solely grounded in property (note: don't tell that to Scalia), but also in privacy expectations.

Weindl argued, in that vein, that he had a legitimate expectation of privacy in the laptop because: he was the sole user, there were no warnings that his use would not be private (or that monitoring occured), he used the laptop in his own, locked office, when he was not using the laptop, he placed it in a desk drawer, and he never gave anyone else permission to use it. Not buying this argument, the court explained:

Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.

Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. See United States v. Wong, 334 F.3d 831, 839 (9th Cir. 2003) (stolen laptop); United States v. Caymen, 404 F.3d 1196, 1201 (9th Cir. 2005) (fraudulently obtained laptop). . . .

Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer. For these reasons, Weindl lacks standing to claim a Fourth Amendment violation with respect to the eBlaster reports. (emphasis added)

Accordingly, the court held that none of the eBlaster reports should be suppressed, because the first four were not part of a search under color of state law and the last two were searches, but Weindl lacked standing (a reasonable expectation of privacy) to challenge them.

The next post on this case will focus on the court's analysis and explain what I believe the correct holding should have been.

(There is an additional issue in this case regarding the interrogation of Weindl that occurred in his office (after it was determined that he had looked at the CP), specifically: whether the conversation constituted a custodial interrogation requiring Miranda rights. The court held that part of the interrogation could stand, and part had to go. I believe this issue was wrongly decided as well (the entire conversation should have been tossed). However, I'm not going to address it because it is tangential to the main issue (and actually goes away if the computer evidence is suppressed because it would be fruit of the poisonous tree)). 

Read More

When in doubt, try mosaic theory?

In United States v. Mohamud, 2012 U.S. Dist. LEXIS 151430 (Or. Oct. 22, 2012) the defendant was charged with attempt to use a weapon of mass destruction. He argued two things: (1) that evidence from an alleged date rape investigation by Oregon State Police (OSP) should be suppressed because the consent was not voluntary and the police exceeded the scope of consent, and (2) that because the OSP evidence was poisoned, the FBI's use of that evidence (since they were participating with OSP) was fruit of the poisoned tree.

The case has a number of interesting elements (I would recommend reading it), but a lot of missing info due to national security concerns. To quickly provide a synopsis of the outcome, the FBI essentially provided evidence that it would not be using any of the information from the OSP investigation against the defendant in the national security case.

Here's where it gets interesting - the defendant argued that even if the FBI wasn't going to use any evidence from OSP, what the FBI learned by participating in the OSP evidence "must have [had an effect] on the direction of the investigation, requiring suppression of all evidence obtained after an illegal search or seizure." To support this argument, the defendant attempted to invoke mosaic theory in a hail mary attempt. The defendant interviewed witnesses about mosaic theory, who explained the basics:

[T]he mosaic theory, ... the concept that while some information in specific [documents] may appear harmless to disclose when read in isolation, such information may be very valuable as part of a mosaic of information gleaned from various sources, including multiple [documents] prepared over time. The Supreme Court endorsed the mosaic theory in Sims, 

The only problem with this tactic is that mosaic theory, to the extent it has been injected in Fourth Amendment cases at all, has been used in analyzing individual's reasonable expectation of privacy, see e.g. Maynard (Orin Kerr has an upcoming Michigan Law Review article on mosaic theory and its place (or lack of a place) in Fourth Amendment jurisprudence). To the defendant's credit, mosaic theory has been used in the national security context, but to my knowledge, most often by the government to argue against disclosure of information under the Freedom of Information Act (FOIA) (even National Reporters Committee offers the defendant no support). The attorney get's an A for effort, but the court did not buy it:

The mosaic theory is not the standard, however, when deciding if tainted evidence must be suppressed. The mosaic theory is generally discussed in cases involving the state secrets privilege or the Freedom of Information Act ("FOIA") exemptions for intelligence sources and methods. In analyzing whether evidence is tainted, I will employ the standard explained in Smith, 155 F.3d 1051.

Thus, I must consider whether anything the FBI seized from the OSP investigation, or any leads it gained there, tended "significantly to direct" the national security investigation toward all evidence the FBI collected...

 My guess is that with all the attention mosaic theory has received, it was just a matter of time before it would be tried in other Fourth Amendment cases.

Read More

Another post-Jones GPS case on the calendar this week

This week, on September 6th, the Wisconsin Supreme Court is faced with a GPS tracking case - State v. Brereton. The issues are unique, and include a pre-textual stop to install the GPS tracking, seizure of the car, lies by law enforcement to conceal the process of installing the GPS tracker, and the interaction of GPS tracking with the holding of the United States Supreme Court in United States v. Jones.

I encourage you to read the case briefs. I am cited in the AG's response brief for a point that I noted as relevant but was certainly not the crux of my piece. As a personal note - I would side with the defendant in this case, but the reference to my piece is germane, nonetheless.  The AG cites me for the concept that it should not matter whether the GPS tracking is real-time or the GPS information must be downloaded with human intervention. In footnote 145 I state: "Judge Bell in United States v. Walker forecloses this GPS technology distinction in a notable way: 'That the officers here chose to use a specifically engineered GPS tracking device rather than merely duct-taping an iPhone to Defendant's bumper is of little moment. The technology in this case is in general use….' 771 F. Supp. 2d 803, 811 (W.D. Mich. 2011)." Clearly a reference to Kyllo, although I find it unconvincing.

The Defendant's Brief can be found here.

The Wisconsin Attorney General's Response Brief can be found here. (I am cited on pg. 33).

The Defendant's Reply Brief can be found here.

My law review article can be found in its entirety, here: Car-ving Out Notions of Privacy: The Impact of GPS Tracking and Why Maynard is a Move in the Right Direction

Read More

N.J. appellate court finds no reasonable expectation of privacy in cell phone number; distinguishes between "generated" and "assigned" information to reach result

In State v. DeFranco, 2012 N.J. Super. LEXIS 92 (App. Div. Jun. 8, 2012), a New Jersey appellate court held that under the New Jersey Constitution, an individual does not have a reasonable expectation of privacy in their cell phone number. This might not be head turning (at least it wasn't for me), but I was fascinated by how the court reached such a result - by distinguishing between "assigned" information (i.e. your cell phone provider assigns you a number), and "generated" information (i.e. ISP records, bank records, and other records that would be generated by a third party). I don't think I am convinced by this dichotomy, but first, let's get to the facts.

The defendant pled guilty to first and second degree assault, as well as endangering the welfare of a child, arising out of an incident that had happened years beforehand. The majority of the evidence was obtained by having the victim call the defendant on his cell phone (a number that was obtained by a school resource officer (SRO) and provided to a separate law enforcement agency), and essentially have him allocute on the phone to his previous transgressions.

The defendant's major assertion is that his cell phone number was private, and for the SRO to hand this over to law enforcement was a violation of his privacy. Unfortunately for the defendant, he had provided that number previously for a school directory and for a school trip. The directory noted that the numbers within it were private, especially those unlisted, but the defendant never corrected an error which failed to mark his number as unlisted. Based on this disclosure, the court found that even if it were to find a privacy interest in the cell phone number, the defendant would have waived such an interest. But, on to the merits.

The defendant asserted that a cell phone number was similar to bank records, ISP records, and other information that New Jersey courts had found a privacy interest in. The defendant tried to assert that New Jersey ascribed to an "informational privacy" model, a mode adopted by a New Jersey appellate court, but never explicitly adopted by the New Jersey Supreme Court:

In this regard, we note that in the Appellate Division's opinion in Reid, the panel stated that "New Jersey appears to have recognized a right to what has been called 'informational privacy.'" The panel described informational privacy in the following terms:

 Informational privacy has been variously defined as "shorthand for the ability to control                        the acquisition or release of information about oneself," or "an individual's claim to control the terms under which personal information . . . is acquired, disclosed, and used." In general, informational privacy "encompasses any information that is identifiable to an individual. This includes both assigned information, such as a name, address, or social security number, and generated information, such as financial or credit card records, medical records, and phone logs. . . . [P]ersonal information will be defined as any information, no matter how trivial, that can be traced or linked to an identifiable individual." 

 We adopt this formulation.

But, the Supreme Court did not adopt this "informational privacy" formulation when they heard Reid on appeal, stating that "[t]he contours and breadth of the standard are not entirely clear, and we need not address those issues in resolving the narrower constitutional question before us."

Because the Supreme Court rejected this approach, the court, here, rejected the defendant's attempt to squeeze cell phone numbers into such a privacy regime:

We perceive a significant difference between the "generated information" afforded protection by the New Jersey Supreme Court in its privacy decisions and the "assigned information" that defendant seeks to protect in this case. The ISP records, the long-distance billing information, the banking records, and the utility usage records of Reid, Hunt, McAllister, and Domicz, respectively, constituted the keys to the details of the lives of those to which the seemingly innocuous initial information pertained. While in some circumstances, knowledge of a telephone number might be equally revelatory, here it was not. The number was simply a number. In the circumstances of this case, we do not find that defendant's professed subjective expectation of privacy is one that society would be willing to recognize as reasonable.

Fascinating, but ultimately problematic. On the surface, this seems like a very good attempt to make a true distinction between information types, and the amount of privacy that they should receive. But, there are many "assigned" pieces of information that one would argue should receive privacy protection, such as your social security number, your IP address (I would argue that this case muddles Reid because can you really make a distinction between the assigned IP address and the generated information it could reveal), and your credit card number. State statutes protecting the information previously stated are an attestation to protection of "assigned" information, and make this distinction unconvincing. Another example would be a private encryption key assigned by an internet company. I'm sure readers can think of many more examples.  While the N.J. Supreme Court did not adopt the "informational privacy" approach, I don't think they meant to throw all "assigned" information noted above out the window.

Instead of attempting to make arbitrary distinctions that will ultimately fail to be the catch-all the court would like, this case should have been resolved on third-party doctrine alone, due to the defendant handing over the information previously. While New Jersey has tightened privacy in the third-party sphere, a little judicial restraint here to not make a sweeping judgment would have been a better approach. Is the public really unwilling to accept this privacy interest as objectively unreasonable? I'm not so sure, especially if you only disclose that number to a tight knit circle of friends/relatives.

Read More