The United States Supreme Court has held that police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.

In a 2010 law review article, I predicted precisely this result. I wrote:

The challenge smart phones pose is that the devices contain information and communications that people reasonably expect to be free from intrusion, even when placed under arrest. . . . society is willing to recognize that expectation of privacy is reasonable, and to impose tighter limits on law enforcement‘s review of cell phone data than, for example, law enforcement‘s review of what numbers were dialed. This does not mean that law enforcement should never be permitted to review the contents of cell phones incident to arrest without a warrant, as exigent circumstances and other law enforcement needs may justify exceptions.

Arrests, even for minor offenses, such as seat belt violations, are not uncommon and could permit police unprecedented access into data stored on electronic devices held by the arrestee.328 To continue to treat advanced devices like smart phones as containers under an analytical doctrine originally developed when such devices were nonexistent or new329 would be to permit the use of technology that is commonly available and used by the public to erode the privacy guarantees of the Fourth Amendment. Instead, courts should recognize that certain electronic devices are reasonably likely to contain intimate personal information about a person, and to exclude these devices from the traditional doctrines.

Supreme Court, As Predicted, has held that police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.

The United States Supreme Court has held that police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.

In a 2010 law review article, I predicted precisely this result. I wrote:

The challenge smart phones pose is that the devices contain information and communications that people reasonably expect to be free from intrusion, even when placed under arrest. . . . society is willing to recognize that expectation of privacy is reasonable, and to impose tighter limits on law enforcement‘s review of cell phone data than, for example, law enforcement‘s review of what numbers were dialed. This does not mean that law enforcement should never be permitted to review the contents of cell phones incident to arrest without a warrant, as exigent circumstances and other law enforcement needs may justify exceptions.

Arrests, even for minor offenses, such as seat belt violations, are not uncommon and could permit police unprecedented access into data stored on electronic devices held by the arrestee.328 To continue to treat advanced devices like smart phones as containers under an analytical doctrine originally developed when such devices were nonexistent or new329 would be to permit the use of technology that is commonly available and used by the public to erode the privacy guarantees of the Fourth Amendment. Instead, courts should recognize that certain electronic devices are reasonably likely to contain intimate personal information about a person, and to exclude these devices from the traditional doctrines.

New Details Emerge On Adam Swartz Computer Fraud Prosecution

This week’s must read story is the Boston Globe’s investigation of MIT’s role in the prosecution of Adam Swartz.

Swartz committed suicide instead of facing trial on multiple charges of violating the Computer Fraud and Abuse Act.  He faced about 50 years in prison if convicted of crimes relate to the downloading of academic journal articles in a computer closet at Massachusetts Institute of Technology.  The case became controversial because Swartz faced heavy charges despite the  government’s admission that he had no plans to use the articles for personal gain, but instead may have been trying to further his goal of open access.

The article notes how MIT both assisted the prosection in gathering evidence against Swartz, and at times seemed indifferent to the prosecution:

MIT never encouraged Swartz’s prosecution, and once told his prosecutor they had no interest in jail time. However, e-mails illustrate how MIT energetically assisted authorities in capturing him and gathering evidence — even prodding JSTOR to get answers for prosecutors more quickly — before a subpoena had been issued.

In a handful of e-mails, individual MIT employees involved in the case aired sentiments that were far from neutral. One, for example, gushed to prosecutor Stephen P. Heymann about the quality of the indictment of Swartz.

More:

The documents say little about what MIT was thinking and doing once the case morphed from an investigation into an active prosecution. But MIT’s own report on the case raises serious questions about the wisdom of MIT’s neutrality stance.

The Swartz case drew attention, particularly after Swart’s suicide, to the dangers posed by prosecutorial overcharging in order to coerce a plea deal.

Federal Judge Criticizes Overbroad Search of Email Records

A federal judge “admonished the Justice Department for repeatedly requesting overly broad searches of people’s email accounts, a practice that he called ‘repugnant’ to the Constitution.”

Magistrate Judge John M. Facciola criticized the government when it requested a significant number of emails in a kickback investigation.

The problem was not that the government was seeking emails related to criminal activity, but that the government sought “every email, contact, picture and transaction record” from the subject.

The government has aggressively pursued emails stored by third parties, such as Google, Yahoo! or, in this case, Apple.

This is not new.  Back in 2010, I highlighted a Sixth Circuit case that suggested people had broader privacy interests in emails, even when the emails are stored on servers owned by third parties.

Fifth Amendment Does Not Protect Against Disclosure of Facebook Posts and Messages

A federal bankruptcy court has held that the Fifth Amendment does not protect against the compelled disclosure Facebook messages and other electronic messages — even if the content of those messages could be incriminating.

The case is in re Welsh.  Case No. 13-02457-8-SWH. United States Bankruptcy Court, E.D. North Carolina, Raleigh Division.

The bankruptcy court was involved in resolving a state court case for alienation of affection, criminal conversation and defamation arising out of an alleged affair between the debtor and the plaintiff’s former wife.

Continue reading

Fifth Amendment Does Not Protect Against Network Administrator Disclosing Passwords

A California court has upheld the conviction of a network administrator who refused to provide network passwords after he was relieved of duty.

The case is People v. Childs, Cal: Court of Appeal, 1st Appellate Dist., 4th Div. 2013

The defendant was convicted of disrupting or denying computer services to an authorized user.   The defendant was employed as the principal network engineer for Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco.

In 2005, he was assigned to configure, implement and administer the city’s then-new fiber-optic wide area network.  To protect the security of this critical infrastructure, all configurations were confidential.  Starting in spring 2007, only the defendant had administrative access.  Later, he was reassigned.  When asked to user IDs and passwords, the Defendant first said that he no longer had administrative access.  Later, he provided incorrect passwords that did not allow access to the network.

Finally, the defendant, through his attorney, gave the correct passwords and backup configurations to the Mayor Gavin Newsom.  However, for 12 days DTIS was effectively locked out of the network.

The state’s case was premised on the idea that the defendant “acted as if he—not the city—owned the FiberWAN network and that he believed that his sole access to the computer system gave him job security.”

The issue highlighted here is the defendant’s contention that his privilege against self-incrimination by the admission of evidence that he failed to divulge his user name and password after being arrested.  The argument was that he had a constitutional right to remain silent—to decline to provide the information that the city sought.

The court rejected this argument, concluding that the privilege against self-incrimination does not apply.  The court noted:  “This privilege bars the state from compelling a person to be a witness against him or herself. It does not bar all compelled disclosures, even if those disclosures might lead to criminal prosecution.”

The court reasoned that the “privilege does not apply if the incriminating disclosure is required for compelling, broadly applied reasons unrelated to criminal law enforcement.”  In this case, the disclosure of the passwords was required to allow DTIS administrative access to its computer system.  This was not an inherently criminal investigation. Instead, the disclosures served a compelling business and governmental interests, not law enforcement.

The court concluded that “for DTIS to require its outgoing computer system administrator to reveal access codes necessary to allow the new system administrator to perform those functions is not the type of disclosure protected by the privilege against self-incrimination.”

As Predicted Here: Court Says Facebook “Likes” Are Protected by First Amendment

Two years ago, I wrote an LTN article “The Social Media/First Amendment Face Off.”  I suggested that the First Amendment freedom of speech protects people from investiagtsion of their Facebook Likes.

Then, in August 2012, I wrote a long analysis of this issue.  I concluded that

likes on Facebook, just like status update histories, postings, friend and group listings, IP logs, and private messages, can provide a “map of association” of all of the contacts, associates, colleagues, and friends of users.

 

The Supreme Court has recognized a privilege, grounded in the First Amendment right of association, not to disclose information when disclosure may impede the rights of speech and assembly.

Yesterday: validation.  A Federal Appeals Court ruled that the First Amendment protects Facebook “likes.”  The court said, Liking something — in this case a political issue, is the “Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”

More to Come . . .

NSA Collection of Phone Records May Be Unconstitutional. Possibly Violates Fourth and First Amendment.

The New York Times is reporting that the NSA and the Federal Government “is secretly carrying out a domestic surveillance program under which it is collecting business communications records involving Americans.”  The records obtained include call logs.  It is unclear how widespread the record collecting is, and whether it includes residential or cellphone services.

The law as written, including in the Patriot Act, permits this.

The key unanswered question: is a government law that permits law enforcement to obtain cell phone records from many, or all, users permissible under the Constitution.

Here are some initial thoughts.

Fourth Amendment 

The Fourth Amendment provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause . . . .”

The Supreme Court has explained that the fundamental purpose of the Fourth Amendment “is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.” Camara v. Mun. Ct., 387 U.S. 523, 528 (1967).

However, the courts have created a number of exceptions to the Fourth Amendment, so that many government actions that appear to gather personal information are not considered to be “unreasonable” and therefore subject to Fourth Amendment scrutiny.

The Supreme Court has explained that a search occurs, and the Fourth Amendment is implicated, when the government intrudes on an expectation of privacy that society is prepared to consider reasonable.  In evaluating this test, courts ask two questions:  (1) has the person demonstrated an expectation of privacy; and (2)is society willing to recognize that expectation as reasonable.

The first question is likely easy.  Most people expect that phone records are be shielded from public scrutiny.  There likely is some language in the cell phone provider agreements that address this issue.  Verizon, for example, has a privacy policy which states:  “Verizon does not sell, license or share information that individually identifies our customers with others outside of Verizon for non-Verizon purposes without your consent.”

The second question is much more complicated.

The courts have generally held that the Fourth Amendment provides little to no protection for data stored by third parties.  The most famous case is United States v Miller.  Miller concerned bank records.  In that case, the Supreme Court held the Fourth Amendment did not apply to information voluntarily provided to a third party.

There are three key differences between this situation and Miller. 

First, a key to Miller was that the information sought was business records, not likely to reveal personal information.   Cell phone records can reveal a significant amount of personal information – phone calls to friends, doctor’s offices, mental health professionals, business colleagues – can all provide clues about the most intimate details of a person’s life.  A better example is United States v. Warship.  In that case, a federal appeals court found that emails were subject to the Fourth Amendment even if they are in the possession of a third party Internet Service Provider, like Gmail or Hotmail.

Second, the amount of data collected allows the government to draw conclusions about the private lives of people from aggregated data that could not be drawn from discrete sets of records.

Courts are likely to perceive a difference between gathering a reviewing months of calls for numerous users and reviewing the records of one individual.  The aggregation of seemingly innocent pieces of data allows a clever observer to determine a person’s private contacts and routine.  This is because, as some of the Supreme Court Justices recognized in reviewing the warrantless use of use GPS tracking devices, the whole of one’s movements reveals more than does the sum of its parts.  With aggregated call data, an observer can use patterns of calls to reveal details about a person that might not available from a single action or transaction.  For example, one call to a physician doesn’t mean much, but multiple calls to a physician could allow an observer to infer a medical condition.

Third, the gathering of cell phone records could permit law enforcement to conduct surveillance beyond a targeted investigation into certain crimes. Instead, the program could permit law enforcement to undertake surveillance of a particular individual over an extended period of time in the hope of piecing together evidence of illegal conduct, including evidence of illegal conduct that was not even suspected prior to the surveillance.  This is the point I made in a law review article examining GPS tracking cases before the Supreme Court in the Jones case found that the practice violated the Fourth Amendment.

First Amendment

The government program of obtaining cell phone records can provide a “map of association” of all of the contacts, associates, colleagues, and friends of users.  Indeed, this could be the purpose.

The Supreme Court has recognized a privilege, grounded in the First Amendment right of association, not to disclose information when disclosure may impede the rights of speech and assembly.  This First Amendment check on government investigative activities was most famously explored in the United States Supreme Court in NAACP v. Alabama.  In NAACP, the state of Alabama sought to compel the NAACP to reveal the names and addresses of all its Alabama members and agents.  The Court held that the constitutional right of association – which is tied to the rights of speech and assembly – could protect those who join groups from state scrutiny.  The Court explained, “It is hardly a novel perception that compelled disclosure of affiliation with groups engaged in advocacy may constitute . . . [an] effective a restraint on freedom of association. . . .  Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs.”

In regards to the NAACP, the court feared that compelled disclosure of the organization’s membership list might “induce members to withdraw from the Association and dissuade others from joining it because of fear of exposure of their beliefs shown through their associations and of the consequences of this exposure.”

The right to withhold lists of members in a group is not, however, absolute.  Rather, the right must be balanced against the government interest.  The extent of the First Amendment argument was tested in a case involving Julian Asante’s Wikileaks website.  In Re: §2703(d) Order, No. No. 1:11dm00003, E.D. Virginia 2011.  In order to aid in the investigation of possible criminal charges arising out of the recent Wikileaks disclosures, the government sought a court order requiring Twitter to turn over the customer information of various users suspected to have been involved in the disclosures.  (The government did not seek to obtain the contents of any communications.)

The users argued that the order violated the First Amendment.  They argued that allowing the government to obtain records of this information would have a chilling effect on the willingness of people to post information on Twitter, or to follow certain users.  The court rejected this argument, in large part because the users had already made their Twitter posts and associations publicly available.

Persons in private or restricted groups have a stronger argument that the disclosure may have a chilling effect on the willingness of others to be associated with the group.  In addition, courts will be more likely to be protective of records that reveal political or religious affiliations – purposes already within the core of the First Amendment protections.