From: InfoSec News (alertsinfosecnews.org)
Date: Thu Jan 18 2007 - 00:06:48 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.wired.com/news/columns/0,72510-0.html

By Jennifer Granick
Jan, 17, 2007

My laptop computer was purchased by Stanford, but my whole life is
stored on it. I have e-mail dating back several years, my address book
with the names of everyone I know, notes and musings for various work
and personal projects, financial records, passwords to my blog, my web
mail, project and information management data for various organizations
I belong to, photos of my niece and nephew and my pets.

In short, my computer is my most private possession. I have other things
that are more dear, but no one item could tell you more about me than
this machine.

Yet, a rash of recent court decisions says the Constitution may not be
enough to protect my laptop from arbitrary, suspicionless and
warrantless examination by the police.

At issue is the Fourth Amendment, which protects individuals from
unreasonable searches and seizures by government agents. As a primary
safeguard against arbitrary and capricious searches, property seizures
and arrests, the founding fathers required the government to first seek
a warrant from a judge or magistrate.

The warrant has to specifically describe the place to be searched and
the items to be seized.

Searches and seizures without such a warrant are presumed to be
unconstitutional. There are times, of course, when it would be
unreasonable, burdensome, ineffective or just plain silly to require
police to get a warrant before searching, so courts have carved out
many, many exceptions to the warrant requirement. The fundamental thread
in these decisions is a subtle and case-specific determination of what
is "reasonable" conduct by law enforcement.

Because reasonable minds can differ on reasonable courses of action, the
resulting Fourth Amendment law is complicated, sometimes contradictory
and very fact-dependent.

Computers pose special Fourth Amendment search problems because they
pack so much information in such a small, monolithic physical form. As a
result, courts are grappling with how to protect privacy rights during
searches of computers.

Three digital search topics in particular are converging in interesting,
and foreboding, ways.

First, there are several new cases that suggest that agents can search
computers at the border (including international airports) without
reasonable suspicion or a warrant, under the routine border search
exception to the warrant requirement.

Second, a recent case in the 9th U.S. Circuit Court of Appeals has held
that private employees have no reasonable expectation of privacy, and
thus no Fourth Amendment rights, in their workplace computers (gulp!).

Third and finally, the 9th Circuit is struggling, and failing, to define
ways to judicially supervise police searches of computers to ensure that
law enforcement gets the information it needs, while leaving undisturbed
any private information on unrelated matters that may be on the same
disk drive.

Together the computer search cases can paint a scary picture. But if you
read the decisions carefully, there is ample room for courts to follow
up with more nuanced opinions that protect computer privacy and allow
reasonable government access.

For example, the border search exception allows "routine" searches
without reasonable suspicion or a warrant. "Non-routine" searches still
require reasonable suspicion. Is the examination of computers at the
border a routine or non-routine search? The cases so far don't answer
this question head on. Future cases will have to.

The Supreme Court has said that the definition depends on the "dignity
and privacy interests" implicated by a search. Thus, strip searches and
cavity searches are non-routine, but searches of vehicles and baggage
are routine.

Given the sensitivity of information stored on a computer, the way
people tend to archive everything, how long a comprehensive search takes
and the likelihood of discovering contraband with such a search, courts
may well find that computer searches are allowed at the border only
based on reasonable suspicion, not as a baseless fishing expedition.

I hope for the best, as I do in United States v. Ziegler, the case that
found private employees have no reasonable expectation of privacy in
their workplace computers. Defense attorneys have asked for a rehearing,
and the court may do better next time.

Ziegler is important, because if employees have no protected privacy
rights, then the government can enter a private workplace, without
cause, without a warrant, with or without the employer's consent and
search employee computers. The business might try to sue, but the
employee would not have the right either to challenge the government's
actions in court, or to suppress any discovered evidence.

Similarly, defense attorneys in United States v. Comprehensive Drug
Testing have asked the 9th Circuit for a new hearing, and the court has
an opportunity to issue a more careful opinion in that case, which arose
from the Balco doping scandal.

The government is investigating whether 10 professional baseball players
were illegally taking steroids. In the course of its probe, it obtained
multiple warrants for the results of drug tests taken by the players.
But it didn't just seize the results for the players under scrutiny --
it grabbed the entire database, with samples from hundreds of other
athletes.

Lower courts ordered the government to return the information that was
not related to the Balco-linked players, but the government appealed and
the 9th Circuit ruled in its favor.

The facts of the case are complicated, but the proper result is clear:
In every computer or database search case, information responsive to the
warrant is going to be intermingled with information about other
matters. Warrants should not only state whether the computers will be
removed from the premises, and how the search will be done, but should
also establish a way agents will try to segregate private information
from the data they are entitled to obtain pursuant to the warrant.

Otherwise, we will find that the government can use a smaller
investigation as a stalking horse to obtain information about a vast
number of other people.

These Fourth Amendment trends should be closely followed.

Of course, there's a chance that the courts will not recognize the
different scope of privacy interests at stake in computer searches, or
will not be adept at crafting a rule that gives enough leeway and
guidance to law enforcement, while also protecting privacy. At that
point, the Constitution may fail us, and we will have to turn to
Congress to create rules that are better adapted for the information
age.

-=-

Jennifer Granick is executive director of the Stanford Law School Center
for Internet and Society, and teaches the Cyberlaw Clinic.

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
 

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]