Friday, November 21, 2008

Password-protection and the 4th Amendment

On November 3, I wrote about a decision in which a court held that the use of EnCase forensic software was a search under the 4th Amendment. This post is about a related but slightly different issue: whether the use of password-protection on computer files establishes a 4th Amendment expectation of privacy in those files.

As I explained in an earlier post, the 4th Amendment gives us a right to be free from “unreasonable” searches and seizures. As I also explained there, a “search” violates a reasonable expectation of privacy in a place or a thing. If something isn’t private, then it isn’t a search for law enforcement officers to explore it.

A case I’ve mentioned before – U.S. v. Andrus, 483 F.3d 711 (10th Cir. 2007) – dealt with whether the use of password-protection on files establishes a reasonable expectation of privacy in those files. In the Andrus case, a father consented to the search of his son’s laptop. The laptop files were password-protected; since the father didn’t know the son’s password, he couldn’t have accessed the files.

So the issue was whether his consent to the search of the files – which an investigator accessed by using EnCase to bypass the operating system – was valid. As I explained in an earlier post, consent to search can be valid in either of two ways: the person has actual authority to consent to the search (he owns the laptop or uses a laptop owned by someone else); or the police officers reasonably, but mistakenly, believed the person had authority to consent.

Since the father wasn’t able to access the computer himself, he didn’t have actual authority to consent to the search. So the issue was whether the police reasonably believed he had authority to consent to the search.

As I explained in the earlier post, to have a reasonable expectation of privacy in a thing, you have to have a subjective expectation of privacy that society is prepared to regard as objectively reasonable. As the Andrus court noted, the
inquiry into whether the owner of a highly personal object has indicated a subjective expectation of privacy traditionally focuses on whether the subject suitcase, footlocker, or other container is physically locked. . . . Determining whether a computer is `locked,’ or whether a reasonable officer should know a computer may be locked, presents a challenge distinct from that associated with other types of closed containers. Unlike footlockers or suitcases, where the presence of a locking device is generally apparent by looking at the item, a `lock’ on the data within a computer is not apparent from a visual inspection of the outside of the computer, especially when the computer is in the `off’ position prior to the search.
U.S. v. Andrus, supra.

The Andrus court explained that in deciding whether someone has apparent authority to consent to a search of a computer, courts have looked at the officers’ “knowledge about password protection as an indication of whether a computer is ‘locked’ in the way a footlocker would be.” U.S. v. Andrus, supra.

As the Andrus court noted, another federal court held that apparent authority did not exist when “a live-in girlfriend . . . told police she and her boyfriend shared the household computer but had separate password-protected files that were inaccessible to the other.” U.S. v. Andrus, supra. Since the police were on notice that she couldn’t access the files, they couldn’t have reasonably believed she had the authority to consent to a search of the files.

In the Andrus case, the officers knew Andrus’ (91-year-old) father owned the house where both lived and paid the Time Warner bills for Road Runner service to the house. The court noted that the father didn’t tell them he didn’t use the computer (though there was some evidence he’d told them he didn’t know how to use it). The real issue, though, was on whom the burden of clarifying the status of password-protection on the computer fell:
Andrus argues his . . . password protection indicated his computer was `locked’ to third parties, a fact the officers would have known had they asked . . . [his father] prior to searching the computer. Under our case law, however, officers are not obligated to ask questions unless the circumstances are ambiguous. In essence, by suggesting the onus was on the officers to ask about password protection prior to searching the computer, despite the absence of any indication that [his father’s] access to the computer was limited by a password, Andrus necessarily submits there is inherent ambiguity whenever police want to search a household computer and a third party has not affirmatively provided information about . . . password protection. Andrus' argument presupposes, however, that password protection of home computers is so common that a reasonable officer ought to know password protection is likely.
U.S. v. Andrus, supra. The court noted Andrus had not offered “any evidence to demonstrate a high incidence of password protection among home computer users.” It therefore held that the father had apparent authority to consent to the search.

There was a dissent. The dissenting judge noted that the majority of the judges had conceded that if password protection were
`shown to be commonplace, law enforcement's use of forensic software like EnCase . . . may well be subject to question.’ . . . But the fact that a computer password `lock’ may not be immediately visible does not render it unlocked. . . . [U]nlike the locked file cabinet, computers have no handle to pull. But, like the padlocked footlocker, computers do exhibit outward signs of password protection: they display boot password screens, username/password log-in screens, and/or screen-saver reactivation passwords.
U.S. v. Andrus (dissenting opinion).
The dissent found that the “burden on law enforcement” to ascertain whether or not a computer is password protected is “minimal,” requiring only a “simple question or two”.
Accordingly, . . . given the case law indicating the importance of computer password protection, the common knowledge about the prevalence of password usage, and the design of EnCase or similar password bypass mechanisms, the Fourth Amendment . . . mandate[s] that in consent-based, warrantless computer searches, law enforcement personnel inquire or otherwise check for the presence of password protection and, if a password is present, inquire about the consenter's knowledge of that password and joint access to the computer.
U.S. v. Andrus (dissenting opinion).

I tend to agree with the dissent. It seems to me police don’t have to ask about password-protection if they only intend to turn the computer on and look through its contents; doing that simply gives them access to files ANYONE could examine on the computer. If, though, they intend to use EnCase “or similar password bypass” software, it seems to me the burden should be on them to find out if, in so doing, they’re about to override passwords that have been installed to establish a heightened expectation of privacy.

In other words, if the officers know that the techniques they’re using COULD bypass passwords or other privacy-protection measures, then the onus is on them to determine whether those measures have, in fact, been installed on the computer. If so, it seems to me they cannot use these techniques unless they obtain a search warrant specifically authorizing them to do this.


Anonymous said...

My concern with the dissent is that while it is clearly not burdensome to *ask* whether PW protection is enabled, what happens if the answer is not a cut-and-dry yes or no?

If law enforcement asks the consenting party whether there is PW protection, and the consenting party states s/he doesn't know, does that mean that law enforcement must stop the search at that point based on the "everyone knows people use protection" argument? Would the investigator then have to contact the co-owner to find out? What if the consenting party says that there is no PW protection but is later proved incorrect--does that make it a bad search?

I realize that all of this is obviated by obtaining a search warrant, which is always the best way to go.

On a side note, I love reading your blog. I am an attorney, a cop, and a forensic computer examiner, and your analysis is always succinct and thought-provoking. Thank you!

Susan Brenner said...

You raise some really good issues . . . to which I don't have answers. But, as you noted, when in doubt a search warrant can eliminate a lot of potential problems down the road.

Thanks for the kind comments. I'll try to keep it up. ;->

Anonymous said...

What happens when the consenting party, a co-owner, hacks the password to a non-present co-owner's personal files, then contacts the police and consents to seizure of the computer, and a subsequent search? Is the search valid, simply because the police had no way of knowing that the files were password-protected, and therefore had reason to believe that the consenting party had actual authority to consent?

Also, what happens when that same consenting party calls two weeks later, before a search warrant is applied for, and asks when they will be getting their computer back? Is that a revocation of consent? And if so, if the LEA that seized the computer fails to either a) return the computer promptly, or b) apply for a search warrant within a reasonable amount of time, does that give grounds for an effective motion to suppress, based on a violation of the consenting party's 4th amendment rights once consent was revoked?

I want to be clear on the basis of that last question: Does calling the LEA and asking when your computer will be returned to you after consenting to search/seizure effectively revoke your initial consent and place a burden on the LEA to either return your property immediately or seek a warrant within a reasonable amount of time?