A federal court in the Eastern District of Virginia has held that a user utilizing a computer connected to the Internet has no expectation of privacy because hackers have repeatedly demonstrated their ability to circumvent security measures with impunity. As discussed below, the ruling could be a simple instance where hard facts lead to bad law. But perhaps more likely, it demonstrates the difficulties courts continue to grapple with when technology is changing faster than the law’s ability to absorb the change.
The underlying facts are disturbing. In 2015, the FBI launched a global sting operation targeting child pornography. The Bureau focused on child sites utilizing Tor and similar anonymous networks. During the operation, it took control of a child pornography server. Using hacking methods known as a networking investigative technique (NIT), the Bureau collected 1500 IP addresses. It then traced the IP addresses to individual defendants through their ISPs and arrested them.
The arrested individuals challenged the underlying warrants under a variety of theories with varying degrees of success. A case from the Western District of Washington marked the defendant-friendly end of the spectrum. That defendant sought the details behind the NIT. Pointing to cases where innocent computer users had becoming unwitting hosts of large amounts of child pornography after pedophiles infect their computers with malware, the defendant argued that he was entitled to this information.
The FBI declined to divulge the details of NIT, explaining that disclosure would enable future targets to evade detection. The defense argued that it was entitled to full disclosure, given the complexity of the NIT technology and the FBI’s purported history of misleading courts about that technology. The Washington district court ultimately sided with the defendant. While it denied a motion to dismiss, its decision to suppress NIT-related evidence meant the prosecution would struggle to prevail.
The Virginia case arose out of the same FBI sting, and marks the government-friendly end of the spectrum. In that case, the defendant mounted a series of challenges, seeking, inter alia, to suppress the underlying warrant and additional discovery entitling him to the workings of NIT. The court found that the defendant had no expectation of privacy in a computer connected to the Internet. Moreover, even if he had such an expectation, it would be unreasonable.
The court began its analysis by noting that the government would not have been able to identify the defendant’s address without deploying NIT to his computer. It acknowledged substantial authority from multiple jurisdictions holding that a user has an expectation of privacy in a password protected computer. Nevertheless, the court held that users’ perception of the Internet, and their corresponding expectation of privacy in physical computers and the data they contain, has shifted dramatically in recent years.
Noting that hacking is more prevalent now than a decade ago, the court reasoned that the increased risk of hacking has changed the user’s reasonable expectation of privacy to the point where “it seems unreasonable to think that a computer connected to the Web is immune from invasion.” To the contrary, the court found that “it appears to be a virtual certainty that computers accessing the Internet can – and eventually will – be hacked.” Pointing to a series of high-profile hacks including Sony, Ashley Madison, Home Depot, the so-called “Panama leaks”, and even the Office of Personnel Management, the court held that since such breaches were now unexceptional, their inevitability had sunk into the public consciousness. Therefore, a user of a computer connected to the Internet had no reasonable expectation of privacy.
The court’s finding on this point hinged on its determination that “Defendant here should have been aware that by going [on-line to access the illegal pornography site], he diminished his expectation of privacy.” The court relied on Minnesota v. Carter, 525 U.S. 83 (1998), where the Supreme Court had held that that a police officer looking through broken window blinds had not violated the defendant’s Fourth Amendment rights. The court found that Carter’s broken window blinds were analogous to a networked computer: “Just as the area into which the officer in Carter peered an apartment usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user’s computer. People who traverse the Internet ordinarily understand the risk associated with doing so.”
The court had already ruled that the FBI had acted pursuant to a valid warrant. Therefore, its holding that there is no expectation of privacy in a networked machine is arguably dicta. As such, its significance could be limited. Nevertheless, as a harbinger of potential future developments, the implications would be stunning: for instance, a government regulator could conceivably base civil or even criminal enforcement action on the basis of information contained on office computers without a warrant, probable cause, or even reasonable suspicion.
Likewise, the notion that Internet users have no reasonable expectation of privacy contradicts the very premise of online data privacy regulation namely, that individuals not only have reasonable expectations of online privacy but rights to privacy that are capable of being protected in the ordinary course of business. A creative defendant might seek to apply the court’s reasoning to challenge the level of compliance required under data privacy regulations after all, what constitutes an appropriate safeguard in a world where no-one should reasonably expect to enjoy online privacy? Admittedly, these would seem to be unlikely developments, given that they would be stemming from a single district court decision in a single matter with highly unsympathetic facts.
A larger point remains salient: as Justice Alito noted recently, technology is rapidly outpacing the law. As courts across the country grapple with unprecedented scenarios generated by technological advances, the temptation to graft onto superficially clear and simple (but potentially pernicious) solutions may prove hard to resist.
| © Poyner Spruill LLP. All rights reserved.