Monday, June 04, 2007

Fourth Amendment privacy and operating systems

I ran across some interesting language in an Air Force court’s decision from last December: United States v. Larson, 64 M.J. 559 (Air Force Court of Criminal Appeals 2006).

Basically, Larson was caught up in a “To Catch A Predator”-type sting.

He thought he was emailing with, and setting up a meet with, 14 year-old Kristin when he was really corresponding with an undercover police officer. When he showed up to meet “Kristin,” Larson was arrested by local police officers.

After they heard of the arrest, the Air Force opened its own investigation and Larson’s commanding officer gave the investigating Air Force Office of Special Investigations (AFOSI) agents access to the office Larson used on the base.

The AFOSI agents seized the computer in the office, the one Larson had used to correspond with “Kristin.” “A search of the computer hard drive turned up data files, stored automatically by the Microsoft Windows operating system during [Larson’s] Internet browsing sessions” and the activity that led to his being charged with attempting to entice a minor for sexual purposes and related crimes. United States v. Larson, supra.

Larson moved to suppress the evidence seized from the computer he used at work, arguing that the search of the computer violated the Fourth Amendment. The AFOSI agents do not seem to have obtained a search warrant before they examined the computer’s hard drive. The appellate and lower Air Force courts might have disposed of the issue on some other grounds, such as that his commanding officer could consent to the search or, maybe, that he had no expectation of privacy at all in the contents of the computer because it was a government computer which he was supposed to use only for work.

The Air Force Court of Criminal Appeals didn’t take that approach, though. To understand what this court did, let me recap a bit how Fourth Amendment analysis works: To successfully suppress evidence, you have to show the government conducted an illegal “search” (or seizure, but we’re not dealing with that here). A “search, as I’ve explained before, violated a “reasonable expectation of privacy” in someplace or something.

To have a reasonable expectation of privacy in a place or thing, you have to meet two requirements, which come from the Supreme Court’s decision in Katz v. United States, 389 U.S. 347 (1967): (1) You have to have a subjective expectation of privacy (you, personally, think it’s private); and (2) if, and only if, you had a subjective expectation of privacy (you actually thought it was private), your subjective expectation must be objectively reasonable, that is, society must agree with you that it was private.

So, for example, if I use my cell phone while in a public place (an airport, say) to chat about robbing a bank, I can’t claim it was a search for a police officer to overhear what I said. I would probably say (being an idiot, in this hypothetical) that I thought my conversation was private; even if a court agreed that I did have this expectation it was private, the court would hold there was no search because it would say, correctly, that society would not consider my expectation of privacy in my conversation on a cell phone in a public place “reasonable.”

Courts usually accept that a defendant had a subjective expectation that a place or thing was private, but reject a defendant’s Fourth Amendment argument (if, indeed, they do reject the argument) on the second basis – by finding that the person’s expectation was not reasonable, was not one society will accept as valid.

That, though, is not what happened in the Larson case. The court rejected his Fourth Amendment argument on the first basis – it found that he did not have a subjective expectation of privacy in the data in question:
This appears to us to be a case of first impression in some respects. In military jurisprudence, the focus of Fourth Amendment litigation involving computers has primarily been on the expectation of privacy to be afforded to e-mail: personal communications between users, sent via computers using networks or the Internet. . . . The search of the government computer here did not focus on such communications. Instead, the AFOSI searched for certain data files, created as part of the `normal operating procedure’ of the Microsoft Windows operating system, which record the date, time, and Internet address of web sites visited by the computer user, as well as information about the user account in use on the computer at the time the sites were visited. . . .

The military judge concluded the appellant had no expectation of privacy in the contents of the computer. We find no abuse of discretion in his ruling. There is no evidence the appellant was aware the Internet history files existed, and we are unconvinced the appellant could entertain a subjective expectation of privacy in them without such knowledge.

United States v. Larson, supra.

(The court also, for good measure, held that he would not have had an objectively reasonable expectation even if he had had a subjective expectation of privacy in data on the computer: Larson “could not expect to keep private automatically-recorded data stored on government property he would reasonably have known would be turned over to another officer on that officer's return from deployment.”)

The court’s rejection of Larson’s subjective expectation of privacy in files generated by the operating system is quite interesting, since it’s not predicated on the fact that the computer was not “his” computer, but the government’s. Instead, it seems to be a blanket rejection of the idea that we can have a Fourth Amendment expectation of privacy in data generated by computer processes which we do not realize are going on and/or do not understand.


Anonymous said...

Being in the military myself, I will take this opportunity to educate any civilians who might come across this article. When I create my login credentials on a given network - that is on a base, in a building, whatever - I sign a letter of acknowledgment which, for all intents and purposes, is a perfectly legal waiver of my Fourth Amendment rights regarding any data I receive, generate, or access using the given computer system. This includes everything between my fingers and eyes and the internet at large - if their hardware touches it, it belongs to them; it is merely my privilege to access it. Given this, it must certainly be the case that this fellow's Fourth Amendment claim must fail on both the first basis and the second. That is, he signed a waiver giving up the subjective expectation of privacy. As for the objective case, any reasonable person in the same situation must necessarily be aware of the requirement to waive the same for use of the system.

Anonymous said...

This is not entirely true. You should read the US v. Long case. There is a limited expectation of privacy in emails sent from a gov't computer. The Long case can explain further.
I am a military attorney and teach how the 4th amendment applies to military justice.