Monday, January 09, 2012

No Expectation of Privacy in Employer-Issued Laptop

As I’ve noted in earlier posts, the 4th Amendment creates a right to be free from unreasonable “searches” and “seizures.”

A 4th Amendment “search” violates a “reasonable expectation of privacy” in a place or thing. As I’ve noted, the test used to decide if someone had a reasonable expectation of privacy in a place or thing is the test the U.S. Supreme Court enunciated in Katz v. U.S., 389 U.S. 347 (1967): The person had a subjective expectation of privacy in the place/thing and society is prepared to regard that subjective expectation of privacy as objectively reasonable. (Actually, as Wikipedia notes, this test comes from Justice Harlan’s concurring opinion in Katz and was later adopted by a majority of the Supreme Court in Smith v. Maryland, 442 U.S. 735 (1979)).

In determining whether someone’s subjective expectation of privacy is objectively “reasonable,” courts apply what is called the “assumption of risk” analysis. In the Katz case, the Supreme Court said that, for the purposes of 4th Amendment privacy analysis, “[w]hat a person knowingly exposes to the public, even in his own home or office, is not a subject of 4th Amendment protection.” Katz v. U.S. supra.

The Court applied this assumption of risk analysis in Smith v. Maryland, in which it held that it was not a 4th Amendment search for a telephone company, “at police request,” to install a pen register (a device that recorded the numbers Smith dialed on his home phone) on Smith’s account. Smith v. Maryland, supra. The Smith court explained that

[t]his analysis dictates that [Smith] can claim no legitimate expectation of privacy here. When he used his phone, [he] voluntarily conveyed numerical information to the telephone company and `exposed’ that information to its equipment in the ordinary course of business.

Smith v. Maryland, supra. In so holding, the Smith Court noted that in an earlier case involving law enforcement officer’s obtaining bank records from a suspect’s financial institution, it had held that

`[t]he depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. . . . This Court has held repeatedly that the 4th Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.’

Smith v. Maryland, supra (quoting U.S. v. Miller, 425 U.S. 435 (1976)). So, under the assumption of risk analysis, if I know I’m giving another person or entity access to information about myself or my activities, it will be very difficult for me to establish that it was a 4th Amendment “search” for that person/entity to share the information with law enforcement voluntarily, i.e., without being required to do so by a warrant.

That brings us to U.S. v. Busby, 2011 WL 6303367 (U.S. District Court for the Northern District of California 2011). After being charged with one count of possessing child pornography in violation of 18 U.S. Code § 2252(a)(4), David Busby filed a motion to suppress, arguing, in part, that the evidence on which the prosecution was based was obtained in violation of the 4th Amendment. U.S. v. Busby, supra. More precisely, he argued that authorities searched his employer-issued laptop and other employer-owned computers without obtaining a search warrant or relying on one of the exceptions to the warrant requirement. U.S. v. Busby, supra.

This, according to the opinion, is how the prosecution arose:

In or about 2010, [Busby] was employed by the Lawrence Berkeley National Laboratory (`LBL’) in its Information Technology Division. . . . [He] worked at LBL's Oakland Scientific Facility site located in Oakland, California.


During the morning of April 20, 2010, an off-site cyber security contractor with the National Energy Research Scientific Computing Center (`NERSC’) was conducting a routine log analysis of LBL's server. . . . The contractor noticed an unusual amount of internet traffic to domain names ending in .biz and .info, preceded by entries such as `tinymodel,’ `young-angels,` `party-models,’ `newstar-bambi,’ and `skygirls.’ . . .


[T]he contractor determined that LBL's server was being used to access bittorrent files with names such as `Taboo–Incest–Father–And–Daughter–Have–Sex–But–Busted–By–Moms–HiddenCamera–Pthc–Porn–2007–incest’ and `Pthc–Russia10Yo–11Yo–LittleBrother–And–Sister–2BoyGirls–Fucking–Just–Posing–Or–Naked–Pthc–R.’ . . .


The contractor isolated the entries to a single Internet Protocol (`IP’) address as the source of the traffic . . . and traced the IP address to a laptop computer assigned to [Busby] based on his unique LBL network authentication used to login to his computer. . . .

Later in the afternoon, LBL's Director of Security contacted the University of California Police Department (`UCPD’) to report that an employee was visiting websites that potentially host child pornography. . . . LBL's cyber security team went to the Oakland facility and seized [Busby’s] MacBook Pro laptop computer, which was turned over to UCPD Detective Miller. After receiving authorization from LBL's legal counsel, Miller searched the contents of the laptop hard drive which `revealed photographs of an individual possibly in her mid-teens’ who was clothed, but was `posed in a provocative manner.’ . . .


The following day . . . UCPD detectives seized eight additional computers used by [Busby]. . . . The search and seizure of [his] computers was accomplished without a warrant; however, [Busby] had previously signed an acknowledgement that he had `no explicit or implicit expectation of privacy’ with respect to LBL computers and servers.

U.S. v. Busby, supra.

The federal judge who has the case began her analysis of Busby’s motion to suppress by citing the standard noted above, i.e., that a 4th Amendment “search” violated a “reasonable expectation of privacy” under the Katz-Smith test. U.S. v. Busby, supra. The judge then explained that as a

general matter, courts have found that an employee's expectation of privacy in files stored on a work-issued computer is not objectively reasonable where the employer notifies employees that their computer files are subject to monitoring. . . . Here, there is no dispute between the parties that during the relevant time period, LBL maintained a computer use policy which made it clear to users that they have no expectation of privacy on any LBL computers or its network. The policy states, in relevant part, that:


`Monitoring and Privacy’


`Users have no explicit or implicit expectation of privacy. NERSC retains the right to monitor the content of all activities on NERSC systems and networks and access any computer files without prior knowledge or consent of users, senders or recipients. NERSC may retain copies of any network traffic, computer files or messages indefinitely without prior knowledge or consent.’

U.S. v. Busby, supra (emphasis in the original).

The judge noted that Busby signed “an acknowledgement of the foregoing policy” on December 9, 2009. U.S. v. Busby, supra. She also noted that LBL’s computer use

policy was reinforced through the use of network security banners displayed on its computers, which notified users that their activities were subject to monitoring and interception. . . .


Moreover, [Busby] was well aware that LBL employees have no expectation of privacy with respect to their use of LBL computers, given [his] employment in the Information Technology Division at LBL and his responsibility for maintaining the network security banners for certain user groups at LBL. . . . Thus, . . . the Court finds that [Busby] lacked an objectively reasonable expectation of privacy in his assigned laptop and its contents.

U.S. v. Busby, supra (emphasis in the original).

The judge then explained that Busby

does not dispute that he was aware of and bound by LBL's computer use policy. Rather, he argues . . . that he had a reasonable expectation of privacy because: LBL issued the laptop to him specifically; he was responsible for installing and maintaining software on the laptop; access to the laptop required a log-in and password; and that, as a practical matter, he used the laptop for both work and personal activities. . . .


[Busby’s] arguments, however, are germane to his subjective expectation of privacy -- not to whether his expectation was objectively reasonable. In addition, [Busby] fails to confront the fact that the laptop was LBL's property and, at all relevant times, was subject to LBL's monitoring policy. As noted, that policy unequivocally provides that `[u]sers have no explicit or implicit expectation of privacy’ and that LBL has unfettered discretion to `access any computer files without prior knowledge or consent of users[.]’

U.S. v. Busby, supra (emphasis in the original).

Finally, the judge noted that

[a]s an ancillary matter, [Busby] argues that LBL's computer use policy only permits LBL to monitor its employees' computers for “computer security purposes,” but not to conduct criminal investigations. . . . As support for this alleged distinction, [he] points out that section 9.02 of LBL's Rules and Procedures Manual (`RPM’) contains no specific procedure for seizing and searching an employee's computer.


It is unclear, however, how the absence of specific procedures for the search and seizure of a LBL computer necessarily compels the conclusion that [he] had an objectively reasonable expectation of privacy in this instance. Indeed, the RPM reiterates that LBL employees have no such expectation. Section 9.01(D) of the RPM states, in pertinent part:

`D. CONSENT TO MONITORING’


`All use of LBNL computing and communications resources by all users, including employees, guests, collaborators, and casual users, is subject to monitoring. No user of LBNL systems has any expectation of privacy in their use of these systems, subject to applicable State, Federal, Department of Energy, and University law and policy.’


RPM § 9.01(D) (emphasis added). In addition, the RPM clearly states that personal or `incidental’ use of LBL computer is permissible, but that `[u]sers who elect to engage in incidental use do so with no expectation of personal privacy concerning their actions.’ Id. § 9.01(F)(2) (emphasis added). Thus, if anything, the RPM undermines any claim by [Busby] that he had a legitimate expectation of privacy in his use of LBL-issued computers.

U.S. v. Busby, supra.

The judge therefore found that Busby “lacked a legitimate expectation of privacy with respect to files stored on the laptop and other LBL computers.” U.S. v. Busby, supra.

As a result she denied his “motion to suppress with respect to such evidence.” U.S. v. Busby, supra.

1 comment:

Anonymous said...

What a stupid case. the dude has worked there for over 30 yrs., yet they throw a fit cuz he has some pics of a hot girl who is not naked. If I was him, I'd take my skills and go work for the Chinese and sell them all my secrets.