Monday, January 05, 2009

They’re heeere!! . . . Remote Computer Searches

I did a post not long ago about the European Union’s announcing new initiatives against cybercrime, one of which was to let law enforcement officers conduct remote computer searches.

Since then, more information surfaced about precisely what this means. According to an article in the Sunday Times, in Britain it means police will be able to routinely “hack into people’s personal computers without a warrant.”

The story says that under a plan recently adopted by the British Home Office, a senior officer can conduct a remote computer search if he believes it is “proportionate” and necessary to prevent or detect serious crime . . . which is any crime that carries a jail sentence of three years or more. (Since there are a LOT of crimes in the U.S. that carry such sentences, that means a wide swath of activity could serve as the predicate for such searches.)

The story also says that an amendment to the UK’s Computer Misuse Act 1990 made hacking legal if it’s authorized and carried out by the state. I checked and found that provision. Here it is:
Section 1(1) above has effect without prejudice to the operation--
(a) in England and Wales of any enactment relating to powers of inspection, search or seizure; and
(b) in Scotland of any enactment or rule of law relating to powers of examination, search or seizure.
[and nothing designed to indicate a withholding of consent to access to any program or data from persons as enforcement officers shall have effect to make access unauthorised for the purposes of the said section 1(1).

In this section `enforcement officer' means a constable or other person charged with the duty of investigating offences; and withholding consent from a person `as' an enforcement officer of any description includes the operation, by the person entitled to control access, of rules whereby enforcement officers of that description are, as such, disqualified from membership of a class of persons who are authorised to have access.
UK Computer Misuse Act § 10. Section 1(1) of the Act is the section that makes hacking (unauthorized access to a computer) a crime. So under § 10, hacking is a crime under § 1(1) unless it’s done by law enforcement officers. An article in the Telegraph says police have already conducted “a small number” of these searches.

As to the methodology used in conducting such searches, the article says it can encompass breaking into someone’s home or office to install a keystroke logger or simply using a virus or a Trojan horse program to gain direct access to the suspect’s computer. Civil liberties groups and some Members of Parliament apparently oppose this plan, arguing that remote searches should only be authorized by a court warrant – a search warrant under U.S. law.

In my earlier post, I speculated about how searches like this would be handled under U.S. law. I specifically focused on what would be required in drafting and obtaining a warrant to surreptitiously install a Trojan horse program on someone’s computer in order to search it and/or monitor its contents.

I’m pretty nonplussed that the British would authorize this kind of thing with no judicial oversight. It’s interesting: Our 4th Amendment, which is the constitutional protection we have against unreasonable searches and seizures, grew out of a series of civil cases that were brought in eighteenth century England.

The plaintiffs in those cases sued English law enforcement officers, claiming the officers had committed trespass by breaking into their homes and searching them. To what I suspect was the government’s surprise, the plaintiffs won. The courts held that it is a trespass for a law enforcement officer to do this, just as it would be an actionable trespass if you or I were to do it. The courts also held, though, that an officer was protected from liability if he committed the breaking into and searching under the authority of a court-issued warrant, a search warrant. So the search warrant gave the officer a complete defense to a suit for trespass.

The drafters of our 4th Amendment based it on the same basic principle. But instead of relying on retroactive justification (i.e., using the warrant as a defense to a claim for trespass), they required that officers get the warrant before doing the breaking and searching (unless an exigent circumstance or other factor make that impracticable).

I find it amazing that the country whose law provided the basis for our 4th Amendment, and its concern for protecting the sanctity and privacy of our “persons, houses, papers and effects”, is willing to let remote computer searches be conducted with no prior judicial scrutiny and, apparently, with no standards defining the scope of the intrusion. I also find it a concern that they are willing to allow such searches to be conducted based on an officer’s stating that a search is “necessary” to detect “serious crime,” using a definition of serious crime that would encompass a LOT of activity in the U.S., anyway.

I’m not suggesting that police officers in the UK (or in the US, for that matter) are sinister figures who are out to get people and will use any technique they can to that end. I’ve worked with a lot of law enforcement officers, from the US and elsewhere, and I’ve been consistently impressed with their conscientiousness and professionalism. There are, of course, some bad police officers, just as there are bad lawyers, bad teachers, etc.

My concern here is the concern the US Supreme Court has expressed on several occasions. As the Court said in Johnson v. United States, 333 U.S. 10 (1948), the point of the
Fourth Amendment, which often is not grasped by zealous officers, is not that it denies law enforcement the support of the usual inferences which reasonable men draw from evidence. Its protection consists in requiring that those inferences be drawn by a neutral and detached magistrate instead of being judged by the officer engaged in the often competitive enterprise of ferreting out crime. Any assumption that evidence sufficient to support a magistrate's disinterested determination to issue a search warrant will justify the officers in making a search without a warrant would reduce the Amendment to a nullity and leave the people's homes secure only in the discretion of police officers.

Crime, even in the privacy of one's own quarters, is, of course, of grave concern to society, and the law allows such crime to be reached on proper showing. The right of officers to thrust themselves into a home is also a grave concern, not only to the individual but to a society which chooses to dwell in reasonable security and freedom from surveillance. When the right of privacy must reasonably yield to the right of search is, as a rule, to be decided by a judicial officer, not by a policeman. . . .
I wonder if Britain’s willingness to accept warrantless remote computer searches is to any extent a product of the fact that they do not involve a “real,” physical intrusion into a home of office. Maybe the implicit assumption is that intrusions into digital space are less egregious for some reasons than comparable intrusions into physical space. I, for one, do not see the distinction. As Justice Brandeis said in his famous dissent in Olmstead v. United States, 277 U.S. 438 (U.S. Supreme Court 1928), in the
‘application of a Constitution, our contemplation cannot be only of what has been, but of what may be.’ The progress of science in furnishing the government with means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. . . . ‘That places the liberty of every man in the hands of every petty officer’ was said by James Otis of much lesser intrusions. . . . To Lord Camden a far slighter intrusion seemed ‘subversive of all the comforts of society.' Can it be that the Constitution affords no protection against such invasions of individual security?

1 comment:

Anonymous said...

It's interesting because even on the old P2p programs searches like this were possible, making them kind of a precursor to today's more developed remote control software. One of the main mistakes people would make on those was to share their whole hard drive, which enabled people unfettered access to ALL of their files (even the passwords.txt file).