A federal grand jury in New York returned an indictment charging Yudong Zhu with
“conspiring to commit honest services fraud in violation of 18 U.S. Code §1341, 18 U.S. Code § 1343, 18 U.S. Code § 1346, and 18 U.S. Code § 1349; conspiring to receive bribes in violation of 18 U.S. Code §666(a)(1)(B) and 18 U.S. Code § 371; commercial bribery conspiracy in
violation of 18 U.S. Code § 1952(a)(3) and 18 U.S. Code § 371; honest
services fraud in violation of 18 U.S. Code § 1341 and 18 U.S.Code § 1346; receipt of bribes in violation of 18 U.S. Code §666(a)(1)(B); commercial bribery in violation of 18 U.S. Code §1952(a)(3); and falsification of records in violation of 18 U.S.C. §1519.” U.S. v. Yudong Zhu, 2014 WL
2465284 (U.S. District Court for the Southern District of New York 2014).
Zhu filed a motion to suppress “evidence
seized from his laptop computer and the fruits of such evidence.” U.S. v.
Yudong Zhu, supra. The U.S.District Court Judge who has the case began his analysis of the issues raised
by Zhu’s motion by explaining how the case arose:
On October 27, 2008, Zhu -- an expert in magnetic
resonance imaging (`MRI’) -- began work as an assistant professor in the
radiology department at the New York University School of Medicine (`NYU’). In
2010, Zhu applied, through NYU, for a grant from the National Institutes of
Health (`NIH’) to conduct MRI research, and NIH awarded the grant in May 2011.
All grant funds were to be the property of NYU, and NYU would become the owner
of all equipment purchased with the funds. . . .
In August
2011, Zhu ordered a laptop using funds provided by the NIH grant. Upon its
arrival, Zhu configured the laptop, created several levels of passwords, and
encrypted the hard drive. Between its arrival and May 2013, Zhu used the laptop
for both personal and professional matters. Zhu did not leave the laptop
overnight in his office; he brought it home with him at the end of each day.
In early 2013, NYU began investigating Zhu regarding the
current charges, and on May 8, 2013 Zhu met with NYU lawyers and an NYU vice
president to discuss the investigation. At this meeting, Zhu turned over his
laptop to NYU but refused to provide his passwords. Following this meeting, NYU
reported Zhu to the Department of Justice, which prompted the FBI and the
United States Attorney's Office to commence a criminal investigation. On May
19, 2013, the Government filed a criminal complaint against Zhu.
U.S. v. Yudong Zhu, supra.
The judge
also explained that as part of the
Government's investigation of Zhu, NYU
provided Zhu's laptop to the FBI. On June 27, 2013, Annette Johnson, general
counsel of the NYU Medical Center, signed a `Consent to Search Computer(s)’
form, authorizing the FBI to search the laptop. Without obtaining a warrant,
the FBI decrypted the laptop and searched its contents.
U.S. v. Yudong Zhu, supra.
The judge
then took up the legal issues raised by the motion to suppress, which claimed
the government’s conduct violated the 4th Amendment. U.S. v.
Yudong Zhu, supra. As I have noted,
the 4th Amendment creates a right to be free from “unreasonable”
searches and seizures. Zhu’s motion
apparently argued that the search of his laptop violated the 4th
Amendment. U.S. v. Yudong Zhu, supra. The judge therefore began his analysis of the
4th Amendment issues by explaining that a defendant who seeks to
suppress
`the fruits of a search by reason of a violation of the 4th
Amendment must show that he had a “legitimate expectation of privacy” in the
place searched.’ U.S. v. Hamilton, 538 F.3d 162 (U.S. Court of Appeals for the 2d Circuit 2008) (quoting Rakas v. Illinois, 439U.S. 128 (1978)). `This inquiry involves two distinct questions: first, whether
the individual had a subjective expectation of privacy; and second, whether
that expectation of privacy is one that society accepts as reasonable.’ Id.
U.S. v. Yudong Zhu, supra.
the workplace context, the Supreme Court has recognized that
`employees may have a reasonable expectation of privacy against intrusions by
police.’ O'Connor v. Ortega, 480 U.S. 709 (1987) (citing Mancusi
v. DeForte, 392 U.S. 364 (1968)). In Mancusi, the
Supreme Court held that an employee, despite the fact that he shared his office
with other employees, had a reasonable expectation of privacy in the office
sufficient to challenge the warrantless search of that office. Mancusi, 392
U.S. at 369.
Once a defendant successfully shows that he had a reasonable
expectation of privacy in the place searched, the burden shifts to the
Government to prove either that the search was conducted pursuant to a valid
warrant or that the warrantless search fell within one of the `few specifically
established and well-delineated exceptions’ to the warrant requirement. Katz v. U.S., 389 U.S. 347 (1967). One of the well-delineated
exceptions is a search that is conducted pursuant to valid third-party consent.
See Schneckloth
v. Bustamonte, 412 U.S. 218 (1973). In order to satisfy the
burdens imposed upon it by the third-party consent principle, the Government
must prove by a preponderance of the evidence that the consent was valid. .
. .
U.S. v. Yudong Zhu, supra.
As those
paragraphs may indicate, the judge focused his analysis of Zhu’s 4th
Amendment argument on two issues: (i)
whether Zhu had a reasonable expectation of privacy in the laptop and, if he
did, (ii) whether the search of the laptop was conducted pursuant to a valid
third-party consent. U.S. v. Yudong Zhu, supra.
As to the
first issue, the Department of Justice did not “contest that Zhu exhibited a
subjective expectation of privacy in the laptop's contents by encrypting the
laptop and establishing several layers of passwords, which he ostensibly did
not share with others.” U.S. v. Yudong Zhu, supra. The judge also noted, however, that the
Department of Justice “does dispute whether Zhu's expectation of
privacy was reasonable.” U.S. v. Yudong Zhu, supra (emphasis in
the original).
The judge
found that Zhu’s expectation of privacy in the laptop was “reasonable”:
Zhu took many steps to restrict third-party use and access to
the computer, which weighs in favor of finding a reasonable expectation of
privacy in its contents. For example, only Zhu had use of the laptop; he did
not share it with any co-workers. . . .
In fact, not even NYU's computer-system administrators had
access to Zhu's computer -- he both ordered and configured the laptop
himself. . . . Further, Zhu had a private office at NYU and took
the laptop home with him in the evenings. . . .
Zhu's use of passwords and encryption weighs in favor of
finding a reasonable expectation of privacy. See U.S. v. Reeves, 2012
WL 1806164 (U.S. District Court for the District of New Jersey) (employee
had reasonable expectation of privacy in password-protected work
computer); Brown–Criscuolo v. Wolfe, 601 F. Supp. 441,
449 (U.S. District Court for the District of Connecticut) (employee had
reasonable expectation of privacy in work computer where only she and the
computer-system administrator knew the password); see also U.S. v. Ziegler, 474 F.3d 1184 (U.S.Court of Appeals for the 9th Circuit) (that defendant could
lock his office with a key weighed in favor of finding a reasonable expectation
of privacy).
U.S. v. Yudong Zhu, supra. For the
legal standards involved in deciding if an expectation of privacy in a laptop
is “reasonable,” check out this prior post.
Unfortunately
for Zhu, the judge also found that “[w]hile Zhu had a reasonable expectation of
privacy in relation to the FBI's search of his laptop, the . . . search here
was performed with NYU's valid, third-party consent.” U.S. v. Yudong Zhu, supra.
He explained that for “NYU's consent to be valid, the Government must
show that NYU `had access to the area searched,’ and next that NYU had
either ‘(a) common authority over the area, (b) a substantial interest in the
area, or (c) permission to gain access to the area.’” U.S. v. Yudong Zhu, supra.
In arguing
that the search was the product of legitimate third-party consent, the
prosecution relied on the two documents Zhu signed “[b]efore beginning his
employment with NYU in 2008.” U.S. v. Yudong Zhu, supra. One was entitled
`Policy Statement on Privacy, Information Security, and
Confidentiality,’ and stated, among other things,
`I understand that the confidential information and
software I use for my job are not to be used for personal benefit or to benefit
another unauthorized institution. I also understand that my institution may
inspect the computers it owns, as well as personal PCs used for work, to ensure
that its data and software are used according to its policies and procedures. .
. .’
Zhu signed this document . . . on October 20, 2008.
The second document, also signed on October 20, 2008,
concerned the Staff Handbook and the Code of Conduct Handbook. Zhu signed this
document confirming he had received the handbooks and acknowledging that he was
`responsible for reading, understanding and conforming to the policies and
procedures stated in both handbooks.’ . . .
The Staff Handbook began by delineating to whom the Staff Handbook
applied: “[A]ll Medical Center employees, other than members of the Faculty. .
. .’
The Staff Handbook contained various policies concerning the
use of NYU property. Among other things, the policy entitled `Use of Computer
Systems’ stated that `[c]omputers, e-mail systems, and electronic
communications and equipment are the sole property of NYU Hospitals Center
and/or NYU School of Medicine, and staff should not have any expectation of
privacy.’ . . . Further, it asserted that NYU `reserve[s] the right to conduct
spot audits and/or examinations of any Hospital- or School-owned computer . . .
equipment, including those used at home. . . .’ Finally, the policy concerning
`Lockers, Desks, Personal Computers and Offices’ stated that `[a]ll personal
computers . . . remain the property of NYU Medical Center. Accordingly, the Medical
Center may inspect a . . . personal computer . . . at any time, with or without
cause or notice.’
U.S. v. Yudong Zhu, supra (emphasis in the original).
The judge
went on to explain that Zhu’s expectation of privacy in the laptop’s contents
is one that society would accept as reasonable. Zhu took many
steps to restrict third-party use and access to the computer, which weighs in
favor of finding a reasonable expectation of privacy in its contents. For
example, only Zhu had use of the laptop; he did not share it with any co-workers. .
. .
[N]ot even NYU's computer-system administrators had
access to Zhu's computer—he both ordered and configured the laptop
himself. . . . Further, Zhu had a private office at NYU and took
the laptop home with him in the evenings. . . . Zhu's use of passwords
and encryption weighs in favor of finding a reasonable expectation of
privacy. . . .
U.S. v. Yudong Zhu, supra.
As to the
effect of the documents Zhu signed, the judge also found that NYU’s computer
policy does not weigh strongly toward a finding that Zhu
lacked a reasonable expectation of privacy regarding a law enforcement search.
The NYU Staff Handbook contained strong language warning staff of their lack of
an expectation of privacy in their NYU-owned computers. Based on the Staff
Handbook, `staff should have no expectation of privacy’ in NYU computers . . .
and NYU reserved the right to search such computers at any time, without
notice, even including computers used at home. . . . Importantly, though, the
Staff Handbook did not apply to Zhu, who was a member of the faculty, not the
staff. (See Staff Handbook at 4 (`The information in this handbook applies to all Medical Center
employees, other than members of the Faculty. . . .’).)
U.S. v. Yudong Zhu, supra.
He also
found that, therefore, the “only NYU computer policy that applied to” Zhu
concerns the form he signed acknowledging that NYU
had the right to `inspect the computers it owns, as well as personal PCs used
for work, to ensure that its data and software are used according to its
policies and procedures.’ . . . Zhu's authorization granted NYU only the right
to search his computer; it did not contain a disclaimer of any expectation of
privacy such as appeared in the Staff Handbook, and it did not state that NYU
could inspect Zhu's computer at any time, without notice. This is not the type
of pervasive policy that could vitiate Zhu's expectation of privacy vis-á-vis
law enforcement. . . .
U.S. v. Yudong Zhu, supra.
Unfortunately
for Zhu, the judge also found that while he had a reasonable expectation
of privacy in relation to the FBI's search of his laptop, the
Court is persuaded that the search here was performed with NYU's valid,
third-party consent. To find NYU's consent to be valid, `the Government must
show first that NYU “had access to the area searched,” and that NYU had
either “(a) common authority over the area, (b) a substantial interest in the
area, or (c) permission to gain access to the area.’ U.S. v. Davis, 967 F.2d 84 (U.S. Court of Appeals for the 2d
Circuit 1992).
U.S. v. Yudong Zhu, supra.
He found
NYU had “access” to Zhu’s computer based on the authorization Zhu
signed acknowledging that NYU could inspect its own computers
to ensure that `its data and software are being used according to its policies
and procedures.’ . . . This
authorization granted NYU legal access to Zhu's laptop, which was purchased
with NIH funds granted to NYU and therefore property of NYU. . . . As Zhu notes,
`[c]ommon authority is not to be implied from the mere property interest a third
party has in the property.’ U.S. v. Matlock, 415 U.S. 164
(1974). But while NYU's property interest in the laptop was not sufficient on
its own to grant it access to Zhu's laptop, Zhu's signed authorization
permitted NYU to access the laptop in order to ensure that Zhu had not violated
NYU's policies and procedures. . . .
Zhu, while not its titular owner, had immediate possession of
the laptop, and had communicated by his signed authorization that NYU could
inspect it. So while the laptop's passwords and encryption weigh against
finding that NYU had access, . . . the laptop's security measures are not
determinative. More important is Zhu's written authorization, which
communicated the understanding that NYU could inspect the laptop. . . .
Zhu's argument . . . would have significant implications that
could not reasonably have been contemplated by Zhu or by NYU under the
circumstances this case presents. In essence, enabling Zhu to withhold the
passwords to the computer would grant him a unilateral means to avoid
performing an obligation mutually and consensually agreed to, thus violating an
employer policy by which he undertook to be bound, and rendering the employer's
security measures, and the expectation it has of its employees' compliance with
them, entirely meaningless
U.S. v. Yudong Zhu, supra. Finally, the
judge found that NYU also satisfied the second prong of the analysis
in each of the three possible respects: it exercised common
authority over the laptop, it had a substantial interest in the laptop, and it
had permission to access the laptop. NYU's ownership of the laptop meant that
it both exercised common authority over and had a substantial interest in the
laptop. . . .
U.S. v. Yudong Zhu, supra.
He
therefore held that “[b]ecause both prongs of the Davis test
are met in this case, NYU's consent to the FBI search of Zhu's laptop was
valid, and therefore the search did not violate Zhu's 4th Amendment rights.” U.S. v.
Yudong Zhu, supra. So he denied
Zhu’s motion to suppress. U.S. v. Yudong Zhu, supra.
No comments:
Post a Comment