Whose Computer Is It, Anyway? Steven J. McDonald General Counsel Rhode Island School of Design Computer Policy and Law 2005
The Key to Handling Computer Privacy Issues Successfully Ignore the law
But First, Let's Invade a Little pages/reverse-address
Never Metadata I Didn't Like ( hives/individual/2005_05/ php)
The Spy Who Loves You?
What is Privacy? "[T]he right to be let alone – the most comprehensive of rights, and the right most valued by civilized men." Justice Louis Brandeis Olmstead v. U.S.
The Legal Basis for Privacy: A Patchwork Quilt U.S. and state constitutions –But no explicit reference in U.S. constitution –Fourth amendment (and state versions) Statutory privacy –Electronic Communications Privacy Act (and state versions) –FERPA and other general privacy statutes –But also federal and state FOIA laws The common law of privacy
The Fourth Amendment "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Fourth Amendment in Cyberspace "We are satisfied that the Constitution requires that the FBI and other police agencies establish probable cause to enter into a personal and private computer." U.S. v. Maxwell
Publics are Private, Privates are Not "Although individuals have a right under the Fourth Amendment of the United States Constitution to be free from unreasonable searches and seizures by the Government, private searches are not subject to constitutional restrictions." U.S. v. Hall
O'Connor v. Ortega "Fourth Amendment rights are implicated [whenever] the conduct of the [government] officials at issue... infringe[s] 'an expectation of privacy that society is prepared to consider reasonable.'"
O'Connor v. Ortega (continued) "[W]e reject the contention... that public employees can never have a reasonable expectation of privacy in their place of work. Individuals do not lose their Fourth Amendment rights merely because they work for the government instead of a private employer. The operational realities of the workplace, however, may make some employees' expectations of privacy unreasonable when an intrusion is by a supervisor rather than a law enforcement official. Public employees' expectations of privacy in their offices, desks, and file cabinets, like similar expectations of employees in the private sector, may be reduced by virtue of actual office practices and procedures, or by legitimate regulation."
O'Connor v. Ortega (continued) "Given the great variety of work environments in the public sector, the question whether an employee has a reasonable expectation of privacy must be addressed on a case-by-case basis."
Reasonable Expectations in Cyberspace Who owns the system? Who has access to the system? How does the system work? How is the system used? Is the system password-protected? What policies apply to the system? What is the ordinary practice?
The Electronic Communications Privacy Act (ECPA) "[A] fog of inclusions and exclusions" – Briggs v. American Air Filter Co. (5th Cir. 1980) "[A] statute... which is famous (if not infamous) for its lack of clarity" – Steve Jackson Games, Inc. v. United States Secret Service (5th Cir. 1994) "[T]he Fifth Circuit... might have put the matter too mildly." – U.S. v. Smith (9th Cir. 1998)
ECPA Prohibitions Generally illegal to: –Intercept an electronic communication while it is in transmission (§2511(1)(a)) –Disclose the contents of an electronic communication that has been illegally intercepted (§2511(1)(c)) –Use the contents of an electronic communication that has been illegally intercepted (§2511(1)(d))
"In Transmission" "[T]he seizure of a computer on which is stored private e- mail that has been sent to an electronic bulletin board, but not yet read (retrieved) by the recipients" did not violate §2511(1)(a) "because [the] acquisition of the contents of the electronic communications was not contemporaneous with the transmission of those communications". – Steve Jackson Games, Inc. v. United States Secret Service ECPA "protects electronic communications from interception when stored to the same extent as when in transit." – Konop v. Hawaiian Airlines, Inc. I "We therefore hold that for a website such as Konop's to be 'intercepted' in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage." – Konop v. Hawaiian Airlines, Inc. II
"In Transmission" "We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology. We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly." – United States v. Councilman
ECPA Exceptions A provider of electronic communication service may intercept an electronic communication, or disclose or use an intercepted communication, "while engaged in any activity which is a necessary incident to the rendition of [its] service or to the protection of [its] rights or property". (§2511(2)(a)(i))
More ECPA Exceptions A party to an electronic communication, or a person to whom a party to an electronic communication has given consent, may intercept the communication "unless such communication is intercepted for the purpose of committing any criminal or tortious act". (§2511(2)(d)) –An exception to the exception: Some states require that all parties consent.
Still More ECPA Prohibitions and Exceptions It generally is illegal to access an electronic communication while it is in electronic storage. (§2701(a)) –But a provider of electronic communication service has apparently unlimited authority to access stored communications on its system. (§2701(c)(1)) But a provider of electronic communication service to the public generally may not divulge the contents of a stored communication. (§2702(a)(1)) –But any provider may divulge the contents of a stored communication with consent or as a necessary incident to the rendition of service or to protects its rights or property. (§2702(b))
"To the Public" "The statute does not define 'public'. The word 'public', however, is unambiguous. Public means the 'aggregate of the citizens' or 'everybody' or 'the public at large' or 'the community at large'. Black's Law Dictionary 1227 (6th ed. 1990). Thus, the statute covers any entity that provides electronic communication service (e.g., ) to the community at large." Andersen Consulting LLP v. UOP
Law Enforcement Access Voluntary or at government request? Obtained inadvertently or intentionally? In transmission or in storage? –In storage more than 180 days? Contents or log files? With consent of user or without? With notice to user or without?
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
USA PATRIOT Act A provider of electronic communication service may disclose subscriber information concerning, and the contents of, a stored communication to a law enforcement agency if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay (§2702(b)(6)(C) and (c)(4)) The owner of a computer system may, under certain circumstances, authorize law enforcement to intercept communications of a computer trespasser (§2511(2)(i))
USA PATRIOT Act Governmental entities may subpoena a provider of electronic communication service for a subscriber's: –Name –Address –Records of session times and durations –Length and types of service –Subscriber number or identity, including any temporarily assigned network address –Means and source of payment, including credit card or bank numbers (§2703(c)(2))
Common Law Invasion of Privacy Four theories: –Intrusion –Public Disclosure of Private Facts –Misappropriation of Name or Likeness –False Light Few cases Room for growth?
In summary... "In Hell, there will be nothing but law, and due process will be meticulously observed." Grant Gilmore
Untangling the Privacy Mess Ignore the law Establish – and follow – a policy –What expectations are reasonable? –Consent Options: –No privacy –Total privacy –Somewhere in between
The Importance of Being Earnest (About Privacy Policies) I "Leventhal had a reasonable expectation of privacy in the contents of his office computer.... Leventhal occupied a private office with a door. He had exclusive use of the desk, filing cabinet, and computer in his office. Leventhal did not share use of his computer with other employees... nor was there evidence that visitors of the public had access to his computer.... [W]e do not find that the DOT either had a general practice of routinely conducting searches of office computers or had placed Leventhal on notice that he should have no expectation of privacy in the contents of his office computer." Leventhal v. Knapek
The Importance of Being Earnest (About Privacy Policies) II "The general policy of the department that department- issued equipment... was not to be 'converted to personal use' cannot provide the necessary notice to officers to find consent to surreptitious interception of their messages.... The so-called policy prohibiting personal use cannot form an after-the-fact justification for intercepting plaintiff's pager where the policy had not been enforced and the department conceded it was aware that pagers were used by many members of the force for personal use." Adams v. City of Battle Creek
The Importance of Being Earnest (About Privacy Policies) III "Oklahoma State University policies and procedures prevent its employees from reasonably expecting privacy in data downloaded from the Internet onto University computers. The University computer- use policy reserved the right to randomly audit Internet use and to monitor specific individuals suspected of misusing University computers. The policy explicitly cautions computer users that information flowing through the University network is not confidential either in transit or in storage on a University computer. Under this policy, reasonable Oklahoma State University computer users should have been aware network administrators and others were free to view data downloaded from the Internet." U.S. v. Angevine
The Importance of Being Earnest (About Privacy Policies) IV "The only evidence relied upon by the defendants to suggest that plaintiff's expectation of privacy was not objectively reasonable is the policy that was displayed each day on the employee's computers in the AG's office.... This particular statement obviously has considerable significance here. The court, however, must consider this fact in conjunction with... the oral representations made by AG employees to the plaintiff [to the effect that he could maintain a 'private file' to which no one would have access]. These other facts suggest that plaintiff's expectation of privacy was objectively reasonable." Haynes v. Kline