Friday, March 30, 2007

Vista, Backdoors and the 4th Amendment

As you may know, rumors have spread that Microsoft put a backdoor in its Vista program to accommodate law enforcement’s need to search on computers.

Microsoft denies this, which I tend to believe, but I know people who claim that it’s true. At the very least, it raises some interesting 4th amendment issues.

Let’s begin with why the backdoor issue arises.

Vista incorporates a feature called BitLocker Drive Encryption. BitLocker, which “is included in the Enterprise and Ultimate editions of Vista,” encrypts data on a computer. BitLocker Drive Encryption, Wikipedia. “By default it uses the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional security.” BitLocker Drive Encryption, Wikipedia. According to Microsoft, it prevents unauthorized users from gaining access to data contained on a computer: “with BitLocker all user and system files are encrypted including the swap and hibernation files.” BitLocker, Microsoft.

Users’ ability to encrypt all the files on their computer obviously poses problems for law enforcement officers who want to search a computer for evidence of a crime. But as some have noted, BitLocker should not pose problems for law enforcement in two instances:
  • One is if the computer is running; as one source notes, “forensic tools can access the encrypted volume of a running system just like any other program”. Simson Garfinkel, Drive Encryption: Two Tales, Technology Review. If the computer is running, the encryption key has already been entered into the computer, so the encryption is not an issue.
  • The other instance in which BitLocker won’t pose problems for law enforcement is when people haven’t bothered to use it.
As we probably all know, encryption is not new; encryption is available on the Mac I am using to write this, and there are programs available which can be used to encrypt data. So far, most people simply don’t bother.

Notwithstanding all this, BitLocker will still probably raise issues for law enforcement. One is how officers should proceed when they arrive to execute a computer search and the computer is running; the officers can presumably conduct a forensic analysis of the computer and thereby avoid BitLocker’s encryption, but that remains to be seen. I am not going to address that issue here. What I want to examine is the legality (or illegality) of including a backdoor on the Vista system to let law enforcement bypass encryption that has been installed on a system and that is in effect because the system has been shut down.

We will assume, for the purposes of analysis only (which means this is all purely hypothetical), that Microsoft incorporates a backdoor that lets law enforcement bypass Vista encryption. For the purposes of analysis, we will also assume that officers arrive at John Doe’s home with a warrant to search his computer for evidence of a crime (child pornography, terrorism, murder, take your pick). He lets them in, takes them to the computer, the computer is not running and they quickly find out he has implemented BitLocker. Now, BitLocker can be implemented several ways, one of which involves storing the BitLocker encryption key on a USB drive; the USB drive must be inserted into the computer for it to boot. The officers ask Doe for the USB drive they need to boot the computer; he refuses to give it to them, says he “threw it away.”

Absent a Vista backdoor, they have two and only two options at this point: They can use a grand jury subpoena or other means to “compel” Doe to surrender the key (assuming he lied when he said he threw it away), but to do this they probably will have to give him immunity for the act of handing it over. As I explained in an earlier post, immunity lets the government override his Fifth Amendment privilege, which Doe will assert as the basis for refusing to turn over the key. Doe will say, in effect, that by turning the key over he would be forced to be a witness against himself in violation of his Fifth Amendment privilege against self-incrimination.

Unfortunately, giving Doe immunity for the act of handing over the USB drive probably means they will not be able to prosecute him, since the effect of the immunity is to bar the government from using his act of handing over the drive and any evidence derived, directly or indirectly, from that act against him in a criminal prosecution. Since the evidence, if any, found on the hard drive would derive from the act of handing over the USB drive, they would be giving up the opportunity to prosecute him. The other option is to break the encryption which, I believe, would be very difficult to do.

What if, hypothetically, Microsoft had created a backdoor in Vista that would let law enforcement bypass BitLocker encryption and access the data on Doe’s computer? If Microsoft were to do this, could law enforcement then use the backdoor without violating the 4th amendment?

I don’t know of any criminal cases in which this issue has arisen. It came up last year when Michael Crooker sued Compaq (now HP) for false advertising. Crooker claimed he bought a Compaq laptop because it was advertised as having a feature – DriveLock – that secured data on its hard drive. The FBI, which had a warrant to search Crooker’s laptop, apparently found some way around the DriveLock security. In his lawsuit, Crooker claimed they used a backdoor provided by Compaq (HP). Crooker’s suit was ultimately dismissed, for whatever reason, and is irrelevant to this discussion anyway, since it did not raise any constitutional claims.

In the Doe case, the officers have a warrant to search Doe’s computer, and that allows them to access the data it contains. They, however, need outside help to access that data. There are state and federal statutes that let law enforcement obtain help from private citizens to execute search warrants; police, for example, have always needed help from phone company employees to tap landline telephone calls. The government would probably argue that the officers’ using the backdoor Microsoft installed on the system is no different from officers’ obtaining the assistance of telephone company employees to tap telephone calls. The warrant gives the officers the constitutional authority to obtain the evidence (here, the content of the calls); the telephone company employees are simply helping them to implement that authority.

The defense would argue that law enforcement’s using our hypothetical Vista backdoor to access the data on Doe’s encrypted computer is different from the scenario I outline above. How is it different? Well, one difference goes to the issue Crooker raised in his lawsuit: Doe, the defense would argue, specifically purchased a computer with Vista in order to be able to use BitLocker to secure his data from any- and every-one, including law enforcement. Doe, the defense would say, believed he could rely on the technology he purchased from Microsoft to protect his data because (in our hypothetical) he had no reason to know there was a backdoor.

The defense would then argue that by (hypothetically) installing the backdoor, Microsoft became an agent of law enforcement. As I’ve noted before, a private party can become a law enforcement agent, which means the private party’s conduct must comply with the 4th amendment. To become a law enforcement agent, the private party must act with the purpose of assisting law enforcement (which we have here) and law enforcement must encourage the party’s engaging in conduct that assists law enforcement (which we also have here). If, then, Microsoft were to install a Vista backdoor and let law enforcement use it, Microsoft would be a law enforcement agent, at least with regard to BitLocker overrides.

The government, again, would say there’s no problem here, that the same rationale used to get phone companies to tap calls applies, i.e., the search warrant justifies what law enforcement does and what Microsoft-as-hypothetical-agent-of-law-enforcement does. Somehow, though, that just doesn’t seem right to me.

It seems to me that here Microsoft is acting like a bailor, i.e., someone who has custody of another person’s property and who is legally obligated to keep it secure. Airlines are bailors for our luggage; banks are bailors for the things we put in our safe-deposit boxes, etc. Microsoft is not technically a bailor because Doe has not given his data to Microsoft to hold and keep secure. But the relationship is analogous to a bailor-bailee relationship in that Microsoft has, at least implicitly, assumed some responsibility for keeping Doe’s computer data secure. Doe, after all, bought a Vista-equipped computer because he wanted the protection provided by BitLocker; he had no idea Microsoft could and would nullify that protection when asked to do so by law enforcement.

In a sense, what Microsoft is doing in our hypothetical is consenting to the search of Doe’s computer. Doe says “no” to the officers, Microsoft says “go ahead.” If we think of the hypothetical BitLocker backdoor as a type of consent, and if we analogize Microsoft to a bailor, then the consent would not be valid for 4th amendment purposes. There’s a federal case from the 8th Circuit Court of Appeals, United States v. James, 353 F.3d 606 (2003), in which James left disks in a sealed envelope with a friend. Federal agents asked the friend to open the envelope so they could search the disks, and the friend did. The Eighth Circuit held that this violated the 4th amendment because while the friend had lawful custody of the disks, he did not have the constitutional authority to consent to the opening of the package and to the search of the disks. Seems to me Doe could make a similar argument as to the hypothetical backdoor in Vista.

All of this will probably never come up for BitLocker, since Microsoft vehemently denies putting a backdoor in Vista (and I tend to believe them). But that does not mean law will never have to confront the problem of backdoors.

Saturday, March 24, 2007

Hackback as Self-Defense

My cybercrimes students and I are discussing hackback, or strikeback, in which the victim of a cybercrime retaliates directly against her victimizer without going through the police and the legal system.

I found our discussions useful in analyzing the arguments that can be made for and against hackback, so I thought I'd share them with you.

The first question, logically, is why even discuss hackback? The reason it comes up is the actual and perceived inability of law enforcement to track down, arrest and bring to justice all or even most of those who commit cybercrimes.

As I hope everyone knows, even in the real-world police cannot arrest EVERY criminal. Instead, their goal is to arrest ENOUGH criminals to keep crime under control in a society.

Modern legal systems operate on the premise that the best way to keep crime under control is to deter people from committing crimes, and the way they do that is to make enough of us believe we will get caught if we commit a crime. Getting caught is very important. Studies have shown that the perception you will get caught if you commit a crime is much more effective as a deterrent than is raising the severity of the penalty imposed on those who are caught. If, say, I think I have a 5% chance of getting caught if I steal $50 million, I may very well weigh the odds of getting caught against the benefits of committing the crime (large) and the chances of not getting caught (good), and go for it.

The problem is, as I’ve said before, that cybercrime makes the implementation of this crime control strategy incredibly difficult. Aside from anything else, cybercrime often (usually) tends to come from “outside” the jurisdiction where the victim is, and this can pose terrific problems for police trying to investigate the crime and arrest the perpetrator. Another problem is that cybercrime is added to the crime that already exists in the real-world, so police have all that extra work to do, which means they often must triage their priorities: If people are being physically harmed in the real-world, that necessarily takes priority over what happens in the virtual world because, so far anyway, cybercrime involves little if any risk of direct physical injury or death to the victims.

So, given law enforcement’s increasing inability to apprehend cybercriminals, it only makes sense that hackback – victim self-help – begins to sound appealing. It’s the same phenomenon that generates vigilante activity. (One difference between vigilante activity and hackback is that vigilantes – a la Perverted Justice – tend to affirmatively seek out perpetrators or would-be perpetrators, while hackbackers are retaliating for what was specifically done to them.)

I’ve seen postings and articles that say hackback is permissible under our existing law because it constitutes self-defense. These sources sometimes note that the right of self-defense under U.S. (and most) law can encompass the use of deadly force against an attacker, and point out that since deadly force cannot (so far, anyway) be used online, the use of retaliatory force clearly falls within the doctrine of self-defense.

The first problem I have with these views is that the scenarios involved in hackback (so far, anyway) do not involve the threat of physical injury or death to the perpetrator; they involve the threat of damage to or loss of the victim’s property, which is a very different thing.

U.S. law (and, I believe, most other legal systems) recognizes two different justifications for using force against an attacker. One is self-defense, which means exactly what it says: I can protect my physical self from an attacker who threatens me with physical injury or death.

The Model Penal Code – the set of model laws that are the template for contemporary U.S. criminal law – says, for example, that “the use of force upon . . . another person is justifiable when the actor believes that such force is immediately necessary for the purpose of protecting himself against the use of unlawful force by such other person on the present occasion.” Model Penal Code § 3.04(1). A later section of the MPC defines “unlawful force” as “force . . . that is employed without the consent of the person against whom it is directed and the employment of which constitutes an offense or actionable tort”. Model Penal Code § 3.11(1). So, under these provisions and laws based on them, I can use force to protect myself to the extent I personally believe it is necessary (no other alternative) to protect myself from someone else’s using force to harm me. The MPC limits the use of deadly force to instances in which the would-be victim believes it is necessary to protect herself “against death, serious bodily injury, kidnapping or sexual intercourse compelled by force or threat”. Model Penal Code § 3.04(2)(b).

I do not see how these standards can apply online. The “force” that is used online is directed at things, not people. It is true that online activity can become the vector that is used to set a real-world physical attack in motion: A cyberstalker can use online postings and the manipulation of online information to try to persuade a naïf who likes to play sado-masochistic sexual games to attack the person the stalker is trying to set up, but the attack – and the victim’s use of defensive force, if any – all occur in the real-world.

Unless and until we acquire the capacity to directly cause physical injury to one another via cyberspace, hackback is really about a very different problem: defending property. U.S. law (and law in many other countries) lets people use force to defend their property, but only within limits.

Let’s go back to the Model Penal Code. Section 3.06 of the MPC says that you can use force “upon or toward the person of another” when you believe the use of such force “is immediately necessary . . . to prevent or terminate an unlawful entry or other trespass upon land or a trespass against or the unlawful carrying away of tangible, movable property” belonging to you. Model Penal Code § 3.06(1)(a). Under this provision, you can only use non-deadly force, i.e., force that is not likely to cause death or serious bodily injury. You can only use deadly force to protect property if (i) the attacker is trying to “dispossess” you of your “dwelling” or (ii) the attacker “is attempting to commit . . . arson, burglary, robbery or other felonious theft or property destruction” and has either used or threatened to use deadly force or the use of less than deadly force would expose you to a risk of death or serious bodily harm. The last option, of course, brings in self-defense. Model Penal Code § 3.06(3)(d).

So, how can we apply this to hackback? Would hacking back against someone who had unlawfully accessed your computer/data or infected your system with a virus or launched a DDoS attack on your website be a valid use of force to defend your property?

It doesn’t seem to me that these scenarios or any I can think of at the moment would qualify as “dispossessing” you from your “dwelling” . . . unless and until we decide that the computer system you use is your “dwelling.” I think that would be way too much of a stretch for the drafters of the MPC or for modern legislators, so we’ll give up on that option.

Unauthorized access to a computer system for the purposes of committing a crime (such as destroying or copying data) clearly qualifies as burglary. I can’t think of any online misconduct that would qualify as arson, so we’ll give that a pass. Robbery is using force to steal someone’s property; if we read “force” as “physical force,” this option would not seem to apply online, either. Clearly, though, spreading malware could qualify as the attempted (and consummated) destruction of property, so it falls within the traditional defense of using force to protect one’s property. I think a DDoS attack can also qualify as a destruction/attempted destruction of property if, of course, we broaden our concept of property a bit, to include lost business opportunities and costs incurred in dealing with such an attack.

One problem we do have with applying laws like the MPC provisions described above to hackback is the notion of “property.” If you look back at the MPC defensive use of force to protect property provision I quoted above, it only lets you use force to protect “tangible, movable property.” Data is certainly movable, but we’d have to qualify it as “tangible” property for this provision to apply to online attacks; the drafters of the MPC most certainly were not thinking of intangible property like data when they wrote this provision, but if we could convince legislators to broaden the scope of self-defense statutes, that would not be a problem.

It seems, then, that we can apply the “defense of property” doctrine to hackback, at least in certain instances and with certain modifications to the traditional doctrine. The one condition a hackback-er would have to meet in order to invoke this defense is the issue noted above, i.e., that the use of defensive force was “immediately necessary.” This means the hackback-er had no other alternatives but self-help; and what that generally means is that it would have been futile for the hackback-er to have taken the usual route and contacted law enforcement. The “defense of property” doctrine is really meant to apply to instances in which there is a face-to-face confrontation between a perpetrator and a would-be victim that makes it impossible, or dangerous, for the potential victim to try to call police. The “immediately necessary” element means the victim had to act at that moment or face the loss of her property.

That element might not be a problem for some instances of hackback . . . instances in which the hackback-er interrupted a perpetrator who was in the process of carrying out an attack. That scenario conforms more closely to the scenario the defense of property doctrine was intended to encompass. Applying the doctrine becomes much more difficult if the hackback occurs well after the attack has been completed and the damage has been inflicted. That starts to look a lot more like simple retaliation – hitting back to punish someone who has already hurt you – than the defense of property doctrine. The rules governing the defensive use of force all assume the victim is trying to prevent or minimize the infliction of “harm” in an ongoing, volatile situation. They do not sanction cold-blooded revenge.

There are other problems with applying the laws governing the defensive use of force to hackback, one being the accuracy of the response. That tends to be less of a problem for real-world scenarios than for online attacks because, as I just noted, in real-world attacks the attacker and victim are face-to-face. The victim may err in estimating the need to use force (and the level of force used), but the victim is usually accurate in deciding whom the force should be used against. As I assume we all know, this is not true online; attacks can be vectored through computers in many locations, so if we were to sanction hackback we would either have to incorporate an “accurate identification of the perpetrator” element or limit it to confrontations arising from attacks in progress.

Since this post is already long, I’ll take up that issue and a related issue (automating hackbacks) another time.

Thursday, March 22, 2007

To Catch a Predator . . . Must There Be Prey?

We’re probably all familiar with the NBC Dateline “To Catch a Predator” programs.

In these Dateline episodes, reporter Chris Hansen films interviews with men who have shown up at a location intending to have sex with what they believe is a minor male or female.

The men are the targets of a “sting” operation. They've actually been chatting online with someone from the group Perverted Justice.

As one court noted, Perverted Justice “is an organization dedicated to exposing child molesters” which NBC pays for its contributions to the Dateline episodes. (United States v. Kaye, 451 F. Supp.2d 775 (E.D. Va. 2006)).

The Dateline-Perverted Justice collaboration is just one, isolated instance of a “sting” model that has become popular in the United States. Police officers in jurisdictions all over the country (including one police department in a city about 30 miles from where I am writing this) go online and pretend to be barely adolescent females or males. The purpose is to identify pedophiles who will try to lure the children to a meeting for the purposes of having sex. I have spoken to officers who have run stings like these, and they tell me “it’s shooting fish in a barrel,” i.e., that once they go into an appropriate chat room pretending to be barely-pubescent “Melissa” or “Heather,” the pedophiles pounce almost immediately.

The defendants in these cases will be prosecuted for what they have done. The charge, which takes slightly different forms in various states and at the federal level, is “luring” or enticing a child into a sexual rendezvous. I just read a relatively recent decision from a Virginia federal district court in which the defendant used a common argument in an effort to have the charges against him dismissed. (United States v. Kaye, 451 F. Supp.2d 775 (E.D. Va. 2006)).

This defendant, like many before him, argued that the charges against him should be dismissed because there was no child. That is, he said he was charged with luring or enticing a “child” into a sexual rendezvous, but the online chats he had were not with a child; they were with an adult representative of Perverted Justice. He argued, therefore, that the charges could not stand because no child was involved in what he did, and no child was ever in any danger of being sexually exploited.

That is a logical argument, and has succeeded on occasion, especially under older statutes which actually require that there have been a “child.” It fails, though, when the charges are brought (i) under a statute which makes the act of luring or enticing a child to a sexual rendezvous a crime in and of itself or (ii) under a provision which makes it a crime to attempt to lure or entice a child to a sexual rendezvous. Neither of these offenses requires that there have actually been a child victim. They focus on what the defendant intended to do, so if the evidence shows that the defendant believed he was corresponding with a child and if the defendant used that correspondence to entice what he truly believed was a child to a sexual rendezvous, then the defendant has committed this crime. It is irrelevant that he was actually corresponding with, say, a 45 year old male detective or a 30 year old female representative of Perverted Justice.

You might wonder why the law finds it necessary to adopt statutes which criminalize conduct that is impossible, which is the case here. As Kaye argued in the case I cited above, based on the facts involved in that instance it was both “factually and legally impossible” for him ever to have actually had sex with a minor, more precisely, with the minor male he apparently believed he was corresponding with. And Kaye is right; these statutes do criminalize conduct that is, at least in the contexts of these stings, totally impossible.

Why do that? The rationale is based in what the law calls inchoate, or incomplete, crimes. Attempt is an inchoate crime; it criminalizes unconsummated efforts toward the commission of a crime. So, say the FBI has learned that John Doe intends to rob the First National Bank. The FBI observes Doe as he “cases” the bank and makes other preparations and tracks him as he heads to the bank on the day he intends to commit the crime. FBI agents arrest him outside the bank before he is even able to begin the process of robbing it. Doe will be charged with attempting to rob the bank; he cannot be charged with robbing the bank because he never got the chance to do that.

The law criminalizes attempts on the theory that it protects public safety. If we did not criminalize attempts, the FBI would have to wait for Doe to rob the bank and then try to arrest him afterward. Aside from letting him take money that is not his, this could also expose people in the bank to the risk of death or serious injury if something went wrong in the robbery or if Doe simply became trigger-happy. The law says it is better to have a repertoire of inchoate offenses – like attempt in this scenario and like the luring or enticing offenses I noted above – to let law enforcement intervene and head off crime before it occurs.

Now, some claim that stings like those the Dateline crew films go too far . . . that they essentially represent the manufacture of a crime. Those who make this argument would say that the people, like Kaye, who are caught in the luring and enticing stings are not like Doe because they had not independently embarked on a course of criminal conduct. The critics of these stings say that law enforcement has played a much more active role in creating these crimes than in the bank robbery scenario I outlined above.

Advocates of the stings say they are taking a pro-active approach to protecting children, and that every sting represents the interception of what could have been a real crime.

Wednesday, March 21, 2007

Employees, Employers and the Fourth Amendment

I recently heard from someone whose employer searched his office computer and used the information obtained from it against him in a civil suit.

He asked if this violated the Fourth Amendment. The answer, basically, is “almost certainly not” . . . and I want to try to explain WHY that is the answer. To do that, I’m going to use a recent decision from the Ninth Circuit Court of Appeals: United States v. Ziegler, 474 F.3d 1184 (9th Cir. 2007).

Here are the facts as the court described them:

"On January 30, 2001, Anthony Cochenour, the owner of Frontline [Processing's] Internet-service provider . . . contacted Special Agent James A. Kennedy, Jr. of the FBI with a tip that a Frontline employee had accessed child-pornographic websites from a workplace computer. Kennedy pursued the report . . . , first contacting Frontline's Internet Technology Administrator, John Softich. One of Softich's duties . . . was to monitor employee use of the workplace computers including their Internet access. He informed Kennedy that the company had in place a firewall, which permitted constant monitoring of the employees' Internet activities. . . .

"Softich confirmed . . . that a Frontline employee had accessed child pornography via the Internet. . . . . Softich further informed Kennedy that, according to the Internet Protocol address and log-in information, the offending sites were accessed from a computer in the office of . . . Ziegler, who had been employed by Frontline as director of operations since August 2000. Softich also informed Kennedy that the IT department had already placed a monitor on Ziegler's computer to record its Internet traffic by copying its cache files.

"Kennedy next interviewed William Schneider, Softich's subordinate . . . Schneider confirmed that the IT department had placed a device in Ziegler's computer that would record his Internet activity. He . . . had `spot checked' Ziegler's cache files and uncovered . . . child pornography. A review of Ziegler's `search engine cache information' also disclosed that he had searched for “things like ‘preteen girls’ and ‘underage girls.’” Furthermore, according to Schneider, Frontline owned and routinely monitored all workplace computers. The employees were aware of the IT department's monitoring capabilities. . . .

"According to . . . Softich and Schneider . . . Kennedy instructed them to make a copy of Ziegler's hard drive because he feared it might be tampered with before the FBI could make an arrest. Kennedy, however, denied that he directed the Frontline employees to do anything. . . . [H]is notes say, `IT Dept has backed up JZ's hard drive to protect info.' Kennedy testified that he instructed Softich only to ensure that no one could tamper with the backup copy. Whatever Agent Kennedy's actual instructions, . . . [a]round 10:00 p.m., Softich and Schneider obtained a key to Ziegler's private office . . . , entered Ziegler's office, opened his computer's outer casing, and made two copies of the hard drive.

"Shortly thereafter, Michael Freeman, Frontline's corporate counsel, contacted Kennedy and informed him that Frontline would cooperate fully in the investigation. Freeman indicated that the company would voluntarily turn over Ziegler's computer to the . . . . On February 5, Reavis delivered Ziegler's computer tower (containing the original hard drive) and one of the hard drive copies. . . .. Schneider delivered the second copy sometime later. Forensic examiners at the FBI discovered many images of child pornography."

United States v. Ziegler, supra. Ziegler was indicted for possession of child pornography and moved to suppress the evidence against him.

Ziegler argued that Agent Kennedy violated the Fourth Amendment by “directing” the Frontline employees to search Ziegler’s office and computer. So, Ziegler was claiming that the Frontline employees had become agents of the government, which he had to do to invoke the Fourth Amendment. The Fourth Amendment only protects us from action by the government; if a private citizen decides to search your home or office and takes what she finds there to the police, you are out of luck, as far as the Fourth Amendment goes. You can try suing the private citizen who searched your home or office for trespass or invasion of privacy or some other civil cause of action, but you have absolutely no claim under the Fourth Amendment . . . as long as the person was acting on their own.

This was Ziegler’s argument. He claimed, and the Ninth Circuit agreed, that he had a valid Fourth Amendment expectation of privacy in his office. The court noted, among other things, that the facts that his computer was password-protected and his office had a lock on the door established this.

The Ninth Circuit then found that Softich and Schneider were “acting as de facto government agents,” that is, they searched Ziegler’s office because they wanted to help the FBI with its investigation, not for reasons associated with their employment by Frontline. The court also found that the government had encouraged them to do this, so that makes Softich and Schneider government agents and means their conduct has to have complied with the requirements of the Fourth Amendment, i.e., that their search of Ziegler’s office and seizure of data from his computer had to be “reasonable.”

Searches and seizures can be “reasonable” under the Fourth Amendment if (a) they are conducted pursuant to a search warrant (which was not true here) or (b) they are conducted pursuant to a valid exception to the warrant requirement, such as consent. The Ninth Circuit found that Frontline had the authority to consent to the search of Ziegler’s computer.

That authority derived from the fact that Frontline and its employees had common authority over Ziegler’s office and computer. Basically, Frontline had common authority over both because it had a key to the office and had the capacity to access his computer, notwithstanding the password Ziegler used. As the Ninth Circuit explained, while "use of each Frontline computer was subject to an individual log-in, Schneider and other IT-department employees `had complete administrative access to anybody's machine.' The company had also installed a firewall, . . .`a program that monitors Internet traffic ... from within the organization to make sure nobody is visiting any sites that might be unprofessional.' Monitoring was routine, and the IT department reviewed the log created by the firewall `[o]n a regular basis' . . . . Finally, upon their hiring, Frontline employees were apprised of the company's monitoring efforts through training and an employment manual, and they were told that the computers were company-owned and not to be used for activities of a personal nature." United States v. Ziegler, supra.

So Ziegler lost on his motion to suppress and will have to serve time for possessing child pornography.

This, I hope, illustrates why it is so difficult for employees of private companies to invoke the Fourth Amendment when their employer searches their computer. Unless the company has policies which explicitly state that the employee can use the computer for private purposes and that the company will not monitor the employee’s computer activity or otherwise investigate the contents of his or her computer, the company can, as Frontline did, consent to law enforcement’s searching the computer. And if the company itself does so for its own, private purposes, the Fourth Amendment is not implicated because there is no state action – the company is not acting for the state or federal government.