Monday, March 19, 2012

Cubicles, Passwords and Privacy

After being convicted of “capital murder, rape, aggravated kidnapping, aggravated indecent liberties with a child, and violation of a protection from abuse order”, Elgin Ray Robinson Jr. appealed. State v. Robinson, __ P.3d __, 2012 WL 688816 (Kansas Supreme Court 2012).

“The 14-year-old victim of Robinson's crimes, C.B., was 9 months' pregnant with Robinson's child at the time of her murder.” State v. Robinson, supra. The state’s theory was that Robinson believed “he could go to jail for impregnating C.B.” and so decided “`to get rid of’” her. State v. Robinson, supra. I’ll spare you the details of her murder, which was carried out by two accomplices because Robinson “would be the `number one suspect’” in her death. State v. Robinson, supra.

Since the jury “was unable to reach a unanimous verdict regarding . . . the death penalty”, the trial judge sentenced him to life in prison without parole plus 247 months. State v. Robinson, supra.

Robinson raised a lot of issues on appeal, but this post is only concerned with one of them. State v. Robinson, supra. It involves the search of a computer:

When [Robinson’s mentor] Danny Reisig learned of [his] arrest, he contacted his company's attorney and inquired what . . . he should do about the computer [Robinson] had been using and the materials that remained at his workstation. . . . He instructed Reisig to take an inventory of everything, box it up and bring it to his office then he would handle the matter from that point. . . .

After the items were dropped off, the attorney contacted Lieutenant Landwehr with the Wichita Police Department and advised him what [he] had in his possession. . . . Detectives were dispatched to collect the items . . . and a warrant was prepared to facilitate a search of the computer. . . .

State v. Robinson, supra.

When officers searched the computer, they found “the hard disk showed someone had searched Yahoo for, `how can I miscarry,’ and for, `how to kill my baby.’” State v. Robinson, supra. This evidence was introduced at trial, presumably to support the theory that Robinson had reason to want C.B. dead. State v. Robinson, supra.

Prior to trial, Robinson moved to suppress evidence of

Internet search activity obtained through the search of a computer Robinson used at the workplace of his mentor, Dan Reisig. Robinson contended the search violated his 4th Amendment right to be free from unreasonable searches and seizures because the warrant was overly broad and not supported by probable cause.

State v. Robinson, supra.

The trial judge denied Robinson’s motion to suppress, finding he “lacked a reasonable expectation of privacy in the computer and therefore lacked standing to challenge the search.” State v. Robinson, supra. As the article you can find here explains, standing used to be a separate inquiry in 4th Amendment analysis, but the Supreme Court has moved away from that approach to one in which standing becomes part of the general 4th Amendment analysis. Rakas v. Illinois, 439 U.S. 128 (1978).

The Supreme Court followed that approach in analyzing Robinson’s argument. It noted that while “[g]enerally, evidence obtained by the government . . . as the result of an unreasonable search . . .cannot be used against the defendant in a criminal prosecution”, the 4th Amendment “is not implicated when the defendant had no `reasonable’ . . . expectation of privacy in the place searched.” State v. Robinson, supra.

The court noted, therefore, that the “threshold inquiry” in addressing Robinson’s 4th Amendment was whether he had a reasonable expectation of privacy “in the evidence at issue here -- i.e., his Internet search activity on a third party's computer.” State v. Robinson, supra. It explained that while Robinson was not Reisig’s employee and did

not own the computer, [he] . . . argues he had a legitimate expectation of privacy in the contents of the computer because his account on the computer was password protected. The State contends Robinson lacked a reasonable expectation of privacy in the contents of the computer in light of Reisig's `unfettered, third-party access’ to [it] and because Reisig specifically advised Robinson his Internet activity could be monitored.

State v. Robinson, supra. According to the prosecution’s brief on appeal, despite

Robinson's failure to complete high school, he had dreams of bettering his life. . . . To that end, he had established a mentoring relationship with Danny Reisig, a man who owned a business in the office building where Robinson worked in the basement cafeteria. . . . Reisig . . . agreed to help him learn . . . the basic principles inherent to owning a business. . . . Reisig allowed Robinson to utilize a work space and computer at his office during business hours.

Brief of Appellee, State v. Robinson, 2010 WL 3903190.

As I’ve explained in other posts, to have a reasonable 4th Amendment expectation of privacy in a place or thing, you must (i) believe that place or thing is private and (ii) society must accept your belief as objectively reasonable. This is the test the Supreme Court enunciated in Katz v. U.S., 389 U.S. 347 (1967). In this case, the trial judge found

Robinson had a limited subjective expectation of privacy in any password-protected documents, files, and folders found in the computer. But the court . . . concluded [he] had no objectively reasonable expectation of privacy in his Internet search activity because: (1) Reisig's company owned the computer; (2) Robinson accessed the Internet through the company's network; (3) as a network systems administrator, Reisig could access Robinson's computer and monitor Robinson's Internet activity; and (4) Reisig informed Robinson the company could monitor Robinson's use of the company's network, including his use of the Internet.

State v. Robinson, supra.

The judge based these finding, in part, on Reisig’s testimony at trial that Robinson

used a computer located in an open cubicle and the computer was connected to Reisig's company's network. . . . Reisig [said] he personally informed Robinson of the company's computer usage and privacy policies, and Robinson attended a company meeting in which Reisig discussed appropriate `web surfing’ and computer use.

Further, Reisig informed Robinson that the company had an automatic filter which tracked Internet usage and . . . could access networked computers through the use of administrative privileges.

State v. Robinson, supra.

Robinson argued that “because he had a log-in password, he had an expectation of privacy in his computer search activity.” State v. Robinson, supra. He elaborated on this theory in his brief on appeal, explaining that he had been using the

workstation for at least a year before his arrest. . . . [His] personal password was required to log on to the computer, and one must log on to the computer to find the internet searches on the hard drive. . . .

The State's expert had to break the password to search the computer. . . . The password for the `Ray’ account, where most of the expert's information came from, was `Elgin Ray.’ . . . Reisig could have found the same information if he logged in with his administrator account. . . .

However, it appears that the password for the administrator account was `Chelsel9.’ . . . It is unlikely this was a password. Reisig would know or use, and it therefore appears that . . . Reisig did not even have access under his administrative account, to this computer.

There was no evidence of a banner display on start up of the computer warning of a diminished privacy right. Reisig initially gave Ray a password `hotstuff’, but it was the last password Reisig knew of whereas Agent Stone testified that the login password was `Elgin Ray.’

Brief of Appellant, State v. Robinson, 2010 WL 763953. Robinson claimed all this established he had a reasonable expectation of privacy in the computer and its contents.

But Reisig testified that “while Robinson's log-in password allowed [him] access to the computer's desktop functions and file systems, Reisig's administrative privileges could override Robinson's log-in password.” State v. Robinson, supra. Reisig also said “he could review websites visited by Robinson without requiring Robinson's password.” State v. Robinson, supra. And Detective Stone testified that “he discovered evidence of Robinson's Internet search activity by searching the computer's tracking files, which were not password protected.” State v. Robinson, supra.

The Supreme Court agreed with the trial judge, holding that the evidence showed Reisig

allowed Robinson, a nonemployee, to use a networked computer in an open cubicle at Reisig's place of business. Robinson utilized that computer knowing that his Internet activity was monitored by a network filter and that Reisig or anyone with administrative privileges also could monitor that activity. And while Robinson's log-in password may have protected some files, the only evidence at issue here -- Robinson's Internet search activity -- was not password protected. . . .

State v. Robinson, supra. The court therefore affirmed the trial judge’s denial of Robinson’s motion to suppress. State v. Robinson, supra.


Loki said...

What all the evidence you've described really shows is a massive lack of understanding of the technical aspects.

The technical aspects of this case aren't even all that complex - to the average IT staffer - but they were obviously beyond confusing for a judge trying to determine if there was a reasonable subjective expectation of privacy.

It really makes me wonder if perhaps we do need to have "IT" courts, financial crimes courts, and medical courts - or at least judges that have some proven baseline understanding of the subject matter.

Anonymous said...

Exactly, I agree. It also could have been that the lack of IT policy and standards within the company... or more so, the attorneys inability to ask the right technical questions to get the clear, concise statements needed. The denial was upheld in the end, thank goodness.

J Hoover said...

Regardless of other privacy aspects of the case, when the accused used a company workstation, he negated any claim to privacy that he might expect from his personal computer. First, one of the first security measures implemented by any ISSO professional is a user rights agreement which (usually) clearly states that there are certain standards of use for all company equipment and employees have no reasonable expectation of privacy. A non employee can expect even less privacy as he is, in effect stealing the service from the company.

Secondly, there are no useable digital forensic tools on the market that require a user password to conduct a forensic examination of a hard drive. Even when whole disc encryption is used, most corporate workstations have keys available to unlock the station without the user password.

Lastly, when you hide something in my house and I give permission to law enforcement to search, you have zero (nil, nix) expectation of privacy. In fact, in this case, the computer is the actual physical evidence and any information in any memory thus belongs to the owner of the hardware.

J. Hoover, CISSP,
DE Committee, IAI

Randy Stone said...

As the forensic examiner in this case, I would like to add a few things. It's been a few years and I don't have my report available to refer to so I'm relying on memory:

1. I did not have to break the password in order to do the exam. Because there were questions about whether Dan had login access to the computer, I used rainbow tables to obtain the local login passwords from the SAM. It turned out that even though Dan had access via the local admin password, he did not know Robinson's local login as he said he did.

2. Even though Concergent (Dan's IT business) ran a domain, I don't believe Robinson's computer was on the domain (this part may be wrong. It's been a few years, but that's what I remember.) This would have prevented Dan from using his domain credentials to login into the computer over the network. So, based on this and the fact that he did not know the local admin account password, unless he broke the password, Dan did not have access to the computer. Arguably, even though the index.dat files were not password protected, the computer profile in which they resided was password protected.

3. Robinson did not work for Concergent but instead was using the computer to run his own event/party planning business. There was no Concergent work product on the computer and it did not have domain access to the Concergent network resources. There was no signed user rights agreement and the only notification of privacy rights was verbal and the verbal notifications were focused on Concergent monitoring his Internet activities to ensure they were appropriate. I don't remember from the SID/RID whether the computer activity was occurring from a local login or from a domain login but I don't believe it was on the domain.

4. There were no network filter or proxy logs showing Robinson's Internet or other activity (at least when I asked for them, none could be provided.)

5. If I remember right, when cleaning up Robinson's work space, Dan found suspicious information on some hand written documents which prompted him to call his attorney. This was part of the probable cause that we used to obtain a search warrant for the computer.

This debate is less an issue of an employer providing an employee's computer for analysis than it initially appears. In some ways, it is closer to: than is is to an employer/employee work computer issue. We had discussed all of these issues prior to the exam and the initial opinion was to rely on Concergent's authority to consent to the search. It was my recommendation to get a search warrant because the questions of whether the fact that Robinson wasn't an employee of Concergent would negate their ability to give consent for the search and that the verbal discussions of monitoring focused on administrative monitoring and did not include notification that they would consent to searches for criminal purposes.

Putting the computer aspect of it aside for a moment, imagine if I ran a business and allowed you to use an office for you to run your own business. You were not affiliated with my business at all. After you move in into the office, you change the locks on the door. Sure, I can kick in the door to gain access to search the office, but for criminal investigative purposes, have you reclaimed some of your expectation of privacy by changing the locks or can I consent to the police kicking in your office door and looking through your file cabinets?

But in the end, it doesn't really matter. A properly granted search warrant would allow me to kick in the office door and search for whatever was on the warrant regardless of whether there was an expectation of privacy from the person providing the office space.

Randy Stone
Detective (Retired)
Wichita PD

Susan Brenner said...

Thanks a lot for those very informative comments, Randy.

Jerry said...

Randy, Thanks for the clarification. And you are completely correct. The circumstances are way different than depicted in the original article.

But as you said, When in doubt, get a warrant.

J. Hoover, CISSP,
DE Committee, IAI