In a stunning decision, a Federal court has held that a user has no expectation of privacy for their personal computer if they have connected that computer to the Internet. While the case and holding is fairly complex, this part of the holding boils down to this: in this day and age we know that computers that are connected to the Internet can be hacked, and knowing this, we are not entitled to an expectation of privacy on our personal computers.
– Henry Coke Morgan, Jr., Senior United States District Judge, June 21, 2016
The case, United States v. Matish, is about the seizure of material from the defendant’s computer, following his being caught in an FBI sting operation revolving around an inappropriate site called Playpen, which was about – but not for – children, if you get our drift.
Instead of shutting Playpen down, the FBI took control of it and ran it for a few weeks, on its own FBI servers. Playpen was a TOR site, and users connecting to it had the protection that TOR provided, or so they thought. However, while they were connected, the FBI utilized its own ‘network investigative technique’ (NIT) – in other words, one of the FBI’s hacking tools. (Part of the legal wrangling is over whether the NIT is malware, or not – the FBI of course contends that it is not.)
The Court finds that Defendant did not possess a reasonable expectation of privacy in his computer.
While a user was connected to the FBI’s Playpen, the NIT grabbed not only the user’s IP address (arguably not private) but also, and we quote (“activating computer” means the personal computer of the user connecting to the site):
Additionally, the Government obtained the six other pieces of identifying data from users’ computers; unlike its acquisition of the IP addresses, which the FBI observed and captured during transmission of the data, the FBI gathered this additional data directly from suspects’ computers.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
“1. the activating computer’s IP address, and the date and time that the NIT determines what that IP address is;
2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other activating computers, that will be sent with and collected by the NIT;
3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x 86);
4. information about whether the NIT has already been delivered to the activating computer;
5. the activating computer’s Host Name;
6. the activating computer’s activeoperating system username;and
7. the activating computer’s media access control(“MAC”)address.”
Through this information, Matish was identified, and based on that a warrant was issued and his home was searched.
Matish filed a motion to suppress evidence, challenging, among other things, the FBI’s seizure of the information from his personal computer, saying that their warrant was invalid, and as it was invalid, it was a essentially a warrantless search and seizure, and thus unconstitutional.
In the 42-page decision, covering a range of things, the Court said, in the relevant part (this is a very partial excerpt, and slightly edited for readability – you can read the entire decision here):
Defendant Has No Reasonable Expectation of Privacy in His Computer
While the Court holds that the use of the NIT, which
resulted in the Government’s ultimate capture of Defendant’s
IP address, does not represent a prohibited search under
the Fourth Amendment, the Court acknowledges that the
warrant purported to authorize searches of “activating
computers.” Without deploying the NIT to
a user’s computer, the Government would not have been able
to observe any Playpen user’s IP address. Additionally, the
Government obtained the six other pieces of identifying
data from users’ computers; unlike its acquisition of the
IP addresses, which the FBI observed and captured during
transmission of the data, the FBI gathered this additional
data directly from suspects’ computers. To be sure, “the
appropriate [Fourth Amendment] inquiry [is] whether the
individual had a reasonable expectation of privacy in the
area searched, not merely in the items found.”Thus, the Court will address whether Defendant possessed a
reasonable expectation of privacy not only in his IP address
but also in his computer, the “place to be searched.” The
Court finds that Defendant did not possess a reasonable
expectation of privacy in his computer.…
Additionally, like the employee in Simons who was put on
notice that his computer was not entirely private, Defendant
here should have been aware that by going on Tor to access
Playpen, he diminished his expectation of privacy. The Ninth
Circuit found in 2007 that connecting to a network did not
eliminate the reasonable expectation of privacy in one’s
computer (Heckenkamp); however, society’s view of the
Internet – and our corresponding expectation of privacy not
only in the information we post online but also in our
physical computers and the data they contain – recently has
undergone a drastic shift.For example, hacking is much more prevalent now than it was
even nine years ago, and the rise of computer hacking via
the Internet has changed the public’s reasonable
expectations of privacy. Now, it seems unreasonable to
think that a computer connected to the Web is immune from
invasion. Indeed, the opposite holds true: in today’s
digital world, it appears to be a virtual certainty that
computers accessing the Internet can – and eventually will
– be hacked.Thus, hacking resembles the broken blinds in Carter. 525
U.S. at 85. Just as Justice Breyer wrote in concurrence
that a police officer who peers through broken blinds does
not violate anyone’s Fourth Amendment rights, FBI agents
who exploit a vulnerability in an online network do not
violate the Fourth Amendment. Just as the area into which
the officer in Carter peered – an apartment – usually is
afforded Fourth Amendment protection, a computer afforded
Fourth Amendment protection in other circumstances is not
protected from Government actors who take advantage of an
easily broken system to peer into a user’s computer. People
who traverse the Internet ordinarily understand the risk
associated with doing so. Thus, the deployment of the NIT to
capture identifying information found on Defendant’s
computer does not represent a search under the Fourth
Amendment, and no warrant was needed.
The EFF calls this case “dangerously flawed“, and of course we agree. We suspect it will be taken up to the Supreme Court.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Wow! This article is two years old and it only occured to me to ask this question just now.
I know we are all in trouble if we have to resort to placing our faith in the supreme court to do the right thing. Unless they have some sort of judge-issued warrant, I personally expect privacy from the government on the internet. I would think that expectation to be even more valid if i take reasonable precautions to protect my privacy. Scary to know i am wrong about any expectation of privacy. I guess it is time to just accept that big brother is watching me now and move on with my life from there.
How did we ever let this happen to us? I feel so victimized! I hope i am not around to witness the the next step in the devolution of personal privacy. How many more next steps are there before they have a foot in my front door? Or is that news two years old also?
It is things like this that make me hesitant to participate in any online activities, like leaving a reply on some sites that may be watched by big brother, be they political or social.
Now we all know that laws are only as good as the people enforcing them. We also know that most homes are easy for anyone with a brick to break into. Does this ruling maintain that since they are easy for the general public to enter your home that law enforcement personnel can enter and find evidence of criminal activity then use this information to get a warrant to confiscate evidence? This ruling by one more foolish judge makes a mockery of our search and seizure rights.
Of course anyone from the highest level of government to a school child should understand that anything you do on the internet is as private as your mailbox by the curb. To my knowledge the cops can’t pillage that yet.
And was this search warrant specific to the person? Or was it a scattershot thing, that could “catch” anyone, anytime, anywhere”?
Certainly, the land is no longer free, but by golly, you now have to be very brave.
Surely, to do what they wanted to do, which was laudable, to some degree, they could have used other methods. What, indeed was their goal? If shutting down playpen was the goal….. And if they ran the site themselves, are they not as equally guilty as the original site operators? And for several weeks work they caught only one person? Interesting, no? I have to question, their orals, as well as the site’s as well as the guy they caught.
Clearly, Big Brother is Watching.
I do hope this goes to SCOTUS. And it will be interesting to see what they do. Except, technically, there is no SCOTUS at the moment!