In a stunning decision, a Federal court has held that a user has no expectation of privacy for their personal computer if they have connected that computer to the Internet. While the case and holding is fairly complex, this part of the holding boils down to this: in this day and age we know that computers that are connected to the Internet can be hacked, and knowing this, we are not entitled to an expectation of privacy on our personal computers.
– Henry Coke Morgan, Jr., Senior United States District Judge, June 21, 2016
The case, United States v. Matish, is about the seizure of material from the defendant’s computer, following his being caught in an FBI sting operation revolving around an inappropriate site called Playpen, which was about – but not for – children, if you get our drift.
Instead of shutting Playpen down, the FBI took control of it and ran it for a few weeks, on its own FBI servers. Playpen was a TOR site, and users connecting to it had the protection that TOR provided, or so they thought. However, while they were connected, the FBI utilized its own ‘network investigative technique’ (NIT) – in other words, one of the FBI’s hacking tools. (Part of the legal wrangling is over whether the NIT is malware, or not – the FBI of course contends that it is not.)
The Court finds that Defendant did not possess a reasonable expectation of privacy in his computer.
While a user was connected to the FBI’s Playpen, the NIT grabbed not only the user’s IP address (arguably not private) but also, and we quote (“activating computer” means the personal computer of the user connecting to the site):
Additionally, the Government obtained the six other pieces of identifying data from users’ computers; unlike its acquisition of the IP addresses, which the FBI observed and captured during transmission of the data, the FBI gathered this additional data directly from suspects’ computers.
“1. the activating computer’s IP address, and the date and time that the NIT determines what that IP address is;
2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other activating computers, that will be sent with and collected by the NIT;
3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x 86);
4. information about whether the NIT has already been delivered to the activating computer;
5. the activating computer’s Host Name;
6. the activating computer’s activeoperating system username;and
7. the activating computer’s media access control(“MAC”)address.”
Through this information, Matish was identified, and based on that a warrant was issued and his home was searched.
Matish filed a motion to suppress evidence, challenging, among other things, the FBI’s seizure of the information from his personal computer, saying that their warrant was invalid, and as it was invalid, it was a essentially a warrantless search and seizure, and thus unconstitutional.
In the 42-page decision, covering a range of things, the Court said, in the relevant part (this is a very partial excerpt, and slightly edited for readability – you can read the entire decision here):
Defendant Has No Reasonable Expectation of Privacy in His Computer
While the Court holds that the use of the NIT, which
resulted in the Government’s ultimate capture of Defendant’s
IP address, does not represent a prohibited search under
the Fourth Amendment, the Court acknowledges that the
warrant purported to authorize searches of “activating
computers.” Without deploying the NIT to
a user’s computer, the Government would not have been able
to observe any Playpen user’s IP address. Additionally, the
Government obtained the six other pieces of identifying
data from users’ computers; unlike its acquisition of the
IP addresses, which the FBI observed and captured during
transmission of the data, the FBI gathered this additional
data directly from suspects’ computers. To be sure, “the
appropriate [Fourth Amendment] inquiry [is] whether the
individual had a reasonable expectation of privacy in the
area searched, not merely in the items found.”
Thus, the Court will address whether Defendant possessed a
reasonable expectation of privacy not only in his IP address
but also in his computer, the “place to be searched.” The
Court finds that Defendant did not possess a reasonable
expectation of privacy in his computer.
Additionally, like the employee in Simons who was put on
notice that his computer was not entirely private, Defendant
here should have been aware that by going on Tor to access
Playpen, he diminished his expectation of privacy. The Ninth
Circuit found in 2007 that connecting to a network did not
eliminate the reasonable expectation of privacy in one’s
computer (Heckenkamp); however, society’s view of the
Internet – and our corresponding expectation of privacy not
only in the information we post online but also in our
physical computers and the data they contain – recently has
undergone a drastic shift.
For example, hacking is much more prevalent now than it was
even nine years ago, and the rise of computer hacking via
the Internet has changed the public’s reasonable
expectations of privacy. Now, it seems unreasonable to
think that a computer connected to the Web is immune from
invasion. Indeed, the opposite holds true: in today’s
digital world, it appears to be a virtual certainty that
computers accessing the Internet can – and eventually will
– be hacked.
Thus, hacking resembles the broken blinds in Carter. 525
U.S. at 85. Just as Justice Breyer wrote in concurrence
that a police officer who peers through broken blinds does
not violate anyone’s Fourth Amendment rights, FBI agents
who exploit a vulnerability in an online network do not
violate the Fourth Amendment. Just as the area into which
the officer in Carter peered – an apartment – usually is
afforded Fourth Amendment protection, a computer afforded
Fourth Amendment protection in other circumstances is not
protected from Government actors who take advantage of an
easily broken system to peer into a user’s computer. People
who traverse the Internet ordinarily understand the risk
associated with doing so. Thus, the deployment of the NIT to
capture identifying information found on Defendant’s
computer does not represent a search under the Fourth
Amendment, and no warrant was needed.
The EFF calls this case “dangerously flawed“, and of course we agree. We suspect it will be taken up to the Supreme Court.
|Get notified of new Internet Patrol articles!
You might also like some of our other articles: