Monday, June 09, 2014

The Professor, the Encrypted Laptop and the 4th Amendment

A federal grand jury in New York returned an indictment charging Yudong Zhu with “conspiring to commit honest services fraud in violation of 18 U.S. Code §134118 U.S. Code § 1343, 18 U.S. Code § 1346, and 18 U.S. Code § 1349; conspiring to receive bribes in violation of 18 U.S. Code §666(a)(1)(B) and 18 U.S. Code § 371; commercial bribery conspiracy in violation of 18 U.S. Code § 1952(a)(3) and 18 U.S. Code § 371; honest services fraud in violation of 18 U.S. Code § 1341 and 18 U.S.Code § 1346; receipt of bribes in violation of 18 U.S. Code §666(a)(1)(B); commercial bribery in violation of 18 U.S. Code §1952(a)(3); and falsification of records in violation of 18 U.S.C. §1519.U.S. v. Yudong Zhu, 2014 WL 2465284 (U.S. District Court for the Southern District of New York 2014).  
Zhu filed a motion to suppress “evidence seized from his laptop computer and the fruits of such evidence.”  U.S. v. Yudong Zhu, supra. The U.S.District Court Judge who has the case began his analysis of the issues raised by Zhu’s motion by explaining how the case arose:
On October 27, 2008, Zhu -- an expert in magnetic resonance imaging (`MRI’) -- began work as an assistant professor in the radiology department at the New York University School of Medicine (`NYU’). In 2010, Zhu applied, through NYU, for a grant from the National Institutes of Health (`NIH’) to conduct MRI research, and NIH awarded the grant in May 2011. All grant funds were to be the property of NYU, and NYU would become the owner of all equipment purchased with the funds. . . .

In August 2011, Zhu ordered a laptop using funds provided by the NIH grant. Upon its arrival, Zhu configured the laptop, created several levels of passwords, and encrypted the hard drive. Between its arrival and May 2013, Zhu used the laptop for both personal and professional matters. Zhu did not leave the laptop overnight in his office; he brought it home with him at the end of each day.

In early 2013, NYU began investigating Zhu regarding the current charges, and on May 8, 2013 Zhu met with NYU lawyers and an NYU vice president to discuss the investigation. At this meeting, Zhu turned over his laptop to NYU but refused to provide his passwords. Following this meeting, NYU reported Zhu to the Department of Justice, which prompted the FBI and the United States Attorney's Office to commence a criminal investigation. On May 19, 2013, the Government filed a criminal complaint against Zhu.
U.S. v. Yudong Zhu, supra.
The judge also explained that as part of the
Government's investigation of Zhu, NYU provided Zhu's laptop to the FBI. On June 27, 2013, Annette Johnson, general counsel of the NYU Medical Center, signed a `Consent to Search Computer(s)’ form, authorizing the FBI to search the laptop. Without obtaining a warrant, the FBI decrypted the laptop and searched its contents.
U.S. v. Yudong Zhu, supra.
The judge then took up the legal issues raised by the motion to suppress, which claimed the government’s conduct violated the 4th Amendment.  U.S. v. Yudong Zhu, supra.  As I have noted, the 4th Amendment creates a right to be free from “unreasonable” searches and seizures.  Zhu’s motion apparently argued that the search of his laptop violated the 4th Amendment.  U.S. v. Yudong Zhu, supra.  The judge therefore began his analysis of the 4th Amendment issues by explaining that a defendant who seeks to suppress
`the fruits of a search by reason of a violation of the 4th Amendment must show that he had a “legitimate expectation of privacy” in the place searched.’ U.S. v. Hamilton, 538 F.3d 162 (U.S. Court of Appeals for the 2d Circuit 2008) (quoting Rakas v. Illinois, 439U.S. 128 (1978)). `This inquiry involves two distinct questions: first, whether the individual had a subjective expectation of privacy; and second, whether that expectation of privacy is one that society accepts as reasonable.’ Id.
U.S. v. Yudong Zhu, supra.
The judge also explained that in
the workplace context, the Supreme Court has recognized that `employees may have a reasonable expectation of privacy against intrusions by police.’ O'Connor v. Ortega, 480 U.S. 709 (1987) (citing Mancusi v. DeForte,  392 U.S. 364 (1968)). In Mancusi, the Supreme Court held that an employee, despite the fact that he shared his office with other employees, had a reasonable expectation of privacy in the office sufficient to challenge the warrantless search of that office. Mancusi, 392 U.S. at 369.

Once a defendant successfully shows that he had a reasonable expectation of privacy in the place searched, the burden shifts to the Government to prove either that the search was conducted pursuant to a valid warrant or that the warrantless search fell within one of the `few specifically established and well-delineated exceptions’ to the warrant requirement. Katz v. U.S., 389 U.S. 347 (1967). One of the well-delineated exceptions is a search that is conducted pursuant to valid third-party consent. See Schneckloth v. Bustamonte, 412 U.S. 218 (1973). In order to satisfy the burdens imposed upon it by the third-party consent principle, the Government must prove by a preponderance of the evidence that the consent was valid. . . .
U.S. v. Yudong Zhu, supra.
As those paragraphs may indicate, the judge focused his analysis of Zhu’s 4th Amendment argument on two issues:  (i) whether Zhu had a reasonable expectation of privacy in the laptop and, if he did, (ii) whether the search of the laptop was conducted pursuant to a valid third-party consent.  U.S. v. Yudong Zhu, supra.
As to the first issue, the Department of Justice did not “contest that Zhu exhibited a subjective expectation of privacy in the laptop's contents by encrypting the laptop and establishing several layers of passwords, which he ostensibly did not share with others.”  U.S. v. Yudong Zhu, supra.  The judge also noted, however, that the Department of Justice “does dispute whether Zhu's expectation of privacy was reasonable.”  U.S. v. Yudong Zhu, supra (emphasis in the original).
The judge found that Zhu’s expectation of privacy in the laptop was “reasonable”:
Zhu took many steps to restrict third-party use and access to the computer, which weighs in favor of finding a reasonable expectation of privacy in its contents. For example, only Zhu had use of the laptop; he did not share it with any co-workers. . . .

In fact, not even NYU's computer-system administrators had access to Zhu's computer -- he both ordered and configured the laptop himself. . . . Further, Zhu had a private office at NYU and took the laptop home with him in the evenings. . . .

Zhu's use of passwords and encryption weighs in favor of finding a reasonable expectation of privacy. See U.S. v. Reeves, 2012 WL 1806164 (U.S. District Court for the District of New Jersey) (employee had reasonable expectation of privacy in password-protected work computer); Brown–Criscuolo v. Wolfe, 601 F. Supp. 441, 449 (U.S. District Court for the District of Connecticut) (employee had reasonable expectation of privacy in work computer where only she and the computer-system administrator knew the password); see also U.S. v. Ziegler, 474 F.3d 1184 (U.S.Court of Appeals for the 9th Circuit) (that defendant could lock his office with a key weighed in favor of finding a reasonable expectation of privacy).
U.S. v. Yudong Zhu, supra.  For the legal standards involved in deciding if an expectation of privacy in a laptop is “reasonable,” check out this prior post.
Unfortunately for Zhu, the judge also found that “[w]hile Zhu had a reasonable expectation of privacy in relation to the FBI's search of his laptop, the . . . search here was performed with NYU's valid, third-party consent.” U.S. v. Yudong Zhu, supra.  He explained that for “NYU's consent to be valid, the Government must show that NYU `had access to the area searched,’ and next that NYU had either ‘(a) common authority over the area, (b) a substantial interest in the area, or (c) permission to gain access to the area.’” U.S. v. Yudong Zhu, supra. 
In arguing that the search was the product of legitimate third-party consent, the prosecution relied on the two documents Zhu signed “[b]efore beginning his employment with NYU in 2008.”  U.S. v. Yudong Zhu, supra.  One was entitled
`Policy Statement on Privacy, Information Security, and Confidentiality,’ and stated, among other things,

`I understand that the confidential information and software I use for my job are not to be used for personal benefit or to benefit another unauthorized institution. I also understand that my institution may inspect the computers it owns, as well as personal PCs used for work, to ensure that its data and software are used according to its policies and procedures. . . .’

Zhu signed this document . . . on October 20, 2008.

The second document, also signed on October 20, 2008, concerned the Staff Handbook and the Code of Conduct Handbook. Zhu signed this document confirming he had received the handbooks and acknowledging that he was `responsible for reading, understanding and conforming to the policies and procedures stated in both handbooks.’ . . .  The Staff Handbook began by delineating to whom the Staff Handbook applied: “[A]ll Medical Center employees, other than members of the Faculty. . . .’

The Staff Handbook contained various policies concerning the use of NYU property. Among other things, the policy entitled `Use of Computer Systems’ stated that `[c]omputers, e-mail systems, and electronic communications and equipment are the sole property of NYU Hospitals Center and/or NYU School of Medicine, and staff should not have any expectation of privacy.’ . . . Further, it asserted that NYU `reserve[s] the right to conduct spot audits and/or examinations of any Hospital- or School-owned computer . . . equipment, including those used at home. . . .’ Finally, the policy concerning `Lockers, Desks, Personal Computers and Offices’ stated that `[a]ll personal computers . . . remain the property of NYU Medical Center. Accordingly, the Medical Center may inspect a . . . personal computer . . . at any time, with or without cause or notice.’
U.S. v. Yudong Zhu, supra (emphasis in the original).
The judge went on to explain that Zhu’s expectation of privacy in the laptop’s contents
is one that society would accept as reasonable. Zhu took many steps to restrict third-party use and access to the computer, which weighs in favor of finding a reasonable expectation of privacy in its contents. For example, only Zhu had use of the laptop; he did not share it with any co-workers. . . .

[N]ot even NYU's computer-system administrators had access to Zhu's computer—he both ordered and configured the laptop himself. . . . Further, Zhu had a private office at NYU and took the laptop home with him in the evenings. . . . Zhu's use of passwords and encryption weighs in favor of finding a reasonable expectation of privacy. . . .
U.S. v. Yudong Zhu, supra. 
As to the effect of the documents Zhu signed, the judge also found that NYU’s computer
policy does not weigh strongly toward a finding that Zhu lacked a reasonable expectation of privacy regarding a law enforcement search. The NYU Staff Handbook contained strong language warning staff of their lack of an expectation of privacy in their NYU-owned computers. Based on the Staff Handbook, `staff should have no expectation of privacy’ in NYU computers . . . and NYU reserved the right to search such computers at any time, without notice, even including computers used at home. . . . Importantly, though, the Staff Handbook did not apply to Zhu, who was a member of the faculty, not the staff. (See Staff Handbook at 4 (`The information in this handbook applies to all Medical Center employees, other than members of the Faculty. . . .’).)
U.S. v. Yudong Zhu, supra. 
He also found that, therefore, the “only NYU computer policy that applied to” Zhu
concerns the form he signed acknowledging that NYU had the right to `inspect the computers it owns, as well as personal PCs used for work, to ensure that its data and software are used according to its policies and procedures.’ . . . Zhu's authorization granted NYU only the right to search his computer; it did not contain a disclaimer of any expectation of privacy such as appeared in the Staff Handbook, and it did not state that NYU could inspect Zhu's computer at any time, without notice. This is not the type of pervasive policy that could vitiate Zhu's expectation of privacy vis-á-vis law enforcement. . . .
U.S. v. Yudong Zhu, supra. 
Unfortunately for Zhu, the judge also found that while he had a reasonable expectation
of privacy in relation to the FBI's search of his laptop, the Court is persuaded that the search here was performed with NYU's valid, third-party consent. To find NYU's consent to be valid, `the Government must show first that NYU “had access to the area searched,” and that NYU had either “(a) common authority over the area, (b) a substantial interest in the area, or (c) permission to gain access to the area.’ U.S. v. Davis, 967 F.2d 84 (U.S. Court of Appeals for the 2d Circuit 1992).
U.S. v. Yudong Zhu, supra. 
He found NYU had “access” to Zhu’s computer based on the authorization Zhu
signed acknowledging that NYU could inspect its own computers to ensure that `its data and software are being used according to its policies and procedures.’ . . .  This authorization granted NYU legal access to Zhu's laptop, which was purchased with NIH funds granted to NYU and therefore property of NYU. . . . As Zhu notes, `[c]ommon authority is not to be implied from the mere property interest a third party has in the property.’ U.S. v. Matlock, 415 U.S. 164 (1974). But while NYU's property interest in the laptop was not sufficient on its own to grant it access to Zhu's laptop, Zhu's signed authorization permitted NYU to access the laptop in order to ensure that Zhu had not violated NYU's policies and procedures. . . .

Zhu, while not its titular owner, had immediate possession of the laptop, and had communicated by his signed authorization that NYU could inspect it. So while the laptop's passwords and encryption weigh against finding that NYU had access, . . . the laptop's security measures are not determinative. More important is Zhu's written authorization, which communicated the understanding that NYU could inspect the laptop. . . .

Zhu's argument . . . would have significant implications that could not reasonably have been contemplated by Zhu or by NYU under the circumstances this case presents. In essence, enabling Zhu to withhold the passwords to the computer would grant him a unilateral means to avoid performing an obligation mutually and consensually agreed to, thus violating an employer policy by which he undertook to be bound, and rendering the employer's security measures, and the expectation it has of its employees' compliance with them, entirely meaningless
U.S. v. Yudong Zhu, supra. Finally, the judge found that NYU also satisfied the second prong of the analysis
in each of the three possible respects: it exercised common authority over the laptop, it had a substantial interest in the laptop, and it had permission to access the laptop. NYU's ownership of the laptop meant that it both exercised common authority over and had a substantial interest in the laptop. . . .
U.S. v. Yudong Zhu, supra. 

He therefore held that “[b]ecause both prongs of the Davis test are met in this case, NYU's consent to the FBI search of Zhu's laptop was valid, and therefore the search did not violate Zhu's 4th Amendment rights.”  U.S. v. Yudong Zhu, supra.  So he denied Zhu’s motion to suppress.  U.S. v. Yudong Zhu, supra. 

No comments: