Wednesday, July 23, 2008

ISP Subscriber Records Private in NJ

As I explained last fall, in two decisions issued in the 1970s the U.S. Supreme Court held that we do not have a 4th Amendment expectation of privacy in what are called third-party records.

In one of the cases, the Supreme Court held that a man who made calls from his home did not have an expectation of privacy in the numbers he dialed because he “knowingly revealed” them to the phone company and thereby assumed the risk the company would give them to the police (without the police’s having a search warrant).

In the other case, the Court held essentially the same thing as to a customer’s bank records; by sharing information with the bank, the customer lost any expectation of privacy in it and assumed the risk the bank would share it with law enforcement.

Like many, including Justice Marshall who wrote a great dissent in the telephone case, I think those decisions were wrong when they were decided and are still wrong. Justice Marshall pointed out that he doubted the man who made the calls really realized he was “giving” information to the phone company that it might then share with the police; he also pointed out that the assumption of risk analysis was wrong because it implies you have a choice, and the only choice the decision left telephone users with is either don’t use the phone (or any technology) or, if you do, understand that your information is not private. You can read about these issues in that earlier post I mentioned.

The Warshak case dealt with the privacy of the CONTENT of our emails. What we’re talking about now is not the content of our communications; it’s either the data used in the transmission of those communications, like phone numbers (“traffic data”) or data concerning the identity of the person who’s using the telephone or email service. That’s the issue I want to focus on here.

The New Jersey Supreme Court rather recently held that subscriber information IS private in New Jersey. It reached this result by applying the New Jersey Constitution. A state court, like the New Jersey Supreme Court, can interpret a state’s constitution in essentially any way it likes, as long as the interpretation does not provide the citizens of that state with LESS protection than they have under the federal constitution. So while the New Jersey Supreme Court can’t change the U.S. Supreme Court’s interpretation of the 4th Amendment, it can interpret its own constitution – the New Jersey Constitution – to give the citizens of that state MORE protection than they have under the federal Constitution.

The case is State v. Reid, 194 N.J. 386, 945 A.2d 26 (N.J. 2008). You can find the opinion here. And here are the facts:
On August 27, 2004, Timothy Wilson, the owner of Jersey Diesel, reported to the Lower Township Police Department that someone had used a computer to change his company's shipping address and password for its suppliers. The shipping address was changed to a non-existent address.

Wilson explained that Shirley Reid, an employee who had been on disability leave, could have made the changes. Reid returned to work on the morning of August 24, had an argument with Wilson about her . . . assignment, and left. According to Wilson, Reid was the only employee who knew the company's computer password and ID.

Wilson learned of the changes through one of his suppliers, Donaldson Company, Inc. Both the password and shipping address for Jersey Diesel had been changed on Donaldson's website on August 24, 2004. . . . [S]omeone accessed their website and used Jersey Diesel's username and password to sign on at 9:57 a.m. The individual changed the password and Jersey Diesel's shipping address and then completed the requests at 10:07 a.m.

Donaldson's website captured the user's IP address,, which was registered to Comcast.
State v. Reid, supra.

A subpoena was used (by the police or by Wilson acting as an agent of the police, I’m not sure) to get “`[a]ny and all information pertaining to IP Address . . .’” from Comcast. “Comcast . . . identified Reid as the subscriber of the IP address. In addition, Comcast provided . . . Reid's address, telephone number, type of service provided, IP assignment (dynamic), account number, e-mail address, and method of payment.” State v. Reid, supra. Based on that and probably other evidence, Reid was charged with computer theft. State v. Reid, supra.

Reid moved to suppress the information Comcast provided pursuant to the subpoena, claiming it violated her right to be free from “unreasonable searches and seizures” because she had a reasonable expectation of privacy in the information. That sounds like she was making a 4th Amendment argument, but as the NJ Supreme Court noted, both “the Fourth Amendment . . . and Article I, Paragraph 7, of the New Jersey Constitution protect, in nearly identical language, `the right of the people to be secure ... against unreasonable searches and seizures.’” State v. Reid, supra.

The NJ Supreme Court began its analysis of the argument by noting, as I explained above, that Reid had no 4th Amendment expectation of privacy in the information. It then turned to the state analog of the 4th Amendment, explaining that on multiple occasions this Court has held that the New Jersey Constitution `affords our citizens greater protection against unreasonable searches and seizures” than the Fourth Amendment.’” State v. Reid, supra. Specifically, the NJ Supreme Court had already held that the New Jersey Constitution (i) protects the privacy of the numbers one dials on their phone and (ii) protects the privacy of bank account records. So, the court had already used the state provision to, in effect, overrule the 4th Amendment insofar as searches and seizures by New Jersey officers against New Jersey citizens or residents are concerned.

In what I find a well-reasoned opinion, the NJ Supreme Court held that “Internet users . . . enjoy relatively complete IP address anonymity when surfing the Web. Given the current state of technology, the dynamic, temporarily assigned, numerical IP address cannot be matched to an individual user without the help of an ISP. Therefore, we accept as reasonable the expectation that one's identity will not be discovered through a string of numbers left behind on a website.” State v. Reid, supra. It noted that the
availability of IP Address Locator Websites has not altered that expectation because they reveal the name and address of service providers but not individual users. Should that reality change over time, the reasonableness of the expectation of privacy in Internet subscriber information might change as well. For example, if one day new software allowed individuals to type IP addresses into a “reverse directory” and identify the name of a user-as is possible with reverse telephone directories-today's ruling might need to be reexamined.
State v. Reid, supra.

The court did not go as far as to require police to get a search warrant for IP addressing information and subscriber information. In this case, the police used what was conceded to be a “defective” municipal subpoena. The NJ Supreme Court found, as had the trial court, that this was not sufficient, but it declined to require them to get a warrant in future cases. The court held that a “grand jury subpoena . . . based upon a showing of relevant” satisfies the requirements of the NJ Constitution. State v. Reid, supra.

So in the future, officers will have to go to a grand jury and get the grand jury to subpoena the records; I assume the relevancy issue comes up if the person whose records were subpoenaed later challenges the process used to obtain them. I’m assuming that if such a challenge is made, then the prosecution has to show that the grand jury had reason to believe the evidence was relevant to criminal activity, instead of simply conducting a fishing expedition.

It may not be full 4th Amendment protection, but citizens in New Jersey have a lot more privacy in their bank, telephone, utility and ISP records than citizens in most states.

No comments: