Whose Computer Is It, Anyway? by ELe90QyK


									Whose Computer Is It, Anyway?

       Steven J. McDonald
         General Counsel
   Rhode Island School of Design

   Computer Policy and Law 2005
  The Key to Handling
Computer Privacy Issues

      Ignore the law
  But First, Let's Invade a Little

• http://maps.google.com
• http://www.infospace.com/home/white-
Never Metadata I Didn't Like
    The Spy Who Loves You?

• http://www.privacy.net
     What is Privacy?

"[T]he right to be let alone – the
most comprehensive of rights, and
the right most valued by civilized
          Justice Louis Brandeis
          Olmstead v. U.S.
 The Legal Basis for Privacy:
     A Patchwork Quilt
• U.S. and state constitutions
   – But no explicit reference in U.S.
   – Fourth amendment (and state versions)
• Statutory privacy
   – Electronic Communications Privacy Act
     (and state versions)
   – FERPA and other general privacy statutes
   – But also federal and state FOIA laws
• The common law of privacy
  The Fourth Amendment
"The right of the people to be secure in
their persons, houses, papers, and effects,
against unreasonable searches and
seizures, shall not be violated, and no
warrants shall issue, but upon probable
cause, supported by oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be
  The Fourth Amendment
      in Cyberspace

"We are satisfied that the Constitution
requires that the FBI and other police
agencies establish probable cause to enter
into a personal and private computer."
                           U.S. v. Maxwell
      Publics are Private,
       Privates are Not
"Although individuals have a right under the
Fourth Amendment of the United States
Constitution to be free from unreasonable
searches and seizures by the Government,
private searches are not subject to
constitutional restrictions."

                                 U.S. v. Hall
      O'Connor v. Ortega
"Fourth Amendment rights are implicated
[whenever] the conduct of the [government]
officials at issue . . . infringe[s] 'an
expectation of privacy that society is
prepared to consider reasonable.'"
             O'Connor v. Ortega
"[W]e reject the contention . . . that public employees can
never have a reasonable expectation of privacy in their
place of work. Individuals do not lose their Fourth
Amendment rights merely because they work for the
government instead of a private employer. The operational
realities of the workplace, however, may make some
employees' expectations of privacy unreasonable when an
intrusion is by a supervisor rather than a law enforcement
official. Public employees' expectations of privacy in their
offices, desks, and file cabinets, like similar expectations of
employees in the private sector, may be reduced by virtue
of actual office practices and procedures, or by legitimate
       O'Connor v. Ortega

"Given the great variety of work
environments in the public sector, the
question whether an employee has a
reasonable expectation of privacy must be
addressed on a case-by-case basis."
 Reasonable Expectations
     in Cyberspace
• Who owns the system?
• Who has access to the system?
• How does the system work?
• How is the system used?
• Is the system password-protected?
• What policies apply to the system?
• What is the ordinary practice?
 The Electronic Communications
      Privacy Act (ECPA)
• "[A] fog of inclusions and exclusions" – Briggs
  v. American Air Filter Co. (5th Cir. 1980)
• "[A] statute . . . which is famous (if not
  infamous) for its lack of clarity" – Steve
  Jackson Games, Inc. v. United States Secret
  Service (5th Cir. 1994)
• "[T]he Fifth Circuit . . . might have put the
  matter too mildly." – U.S. v. Smith (9th Cir.
         ECPA Prohibitions
• Generally illegal to:
  – Intercept an electronic communication
    while it is in transmission (§2511(1)(a))
  – Disclose the contents of an electronic
    communication that has been illegally
    intercepted (§2511(1)(c))
  – Use the contents of an electronic
    communication that has been illegally
    intercepted (§2511(1)(d))
               "In Transmission"
• "[T]he seizure of a computer on which is stored private e-
  mail that has been sent to an electronic bulletin board, but
  not yet read (retrieved) by the recipients" did not violate
  §2511(1)(a) "because [the] acquisition of the contents of
  the electronic communications was not contemporaneous
  with the transmission of those communications". – Steve
  Jackson Games, Inc. v. United States Secret Service
• ECPA "protects electronic communications from
  interception when stored to the same extent as when in
  transit." – Konop v. Hawaiian Airlines, Inc. I
• "We therefore hold that for a website such as Konop's to
  be 'intercepted' in violation of the Wiretap Act, it must be
  acquired during transmission, not while it is in electronic
  storage." – Konop v. Hawaiian Airlines, Inc. II
             "In Transmission"
• "We believe that the language of the statute
  makes clear that Congress meant to give lesser
  protection to electronic communications than wire
  and oral communications. Moreover, at this
  juncture, much of the protection may have been
  eviscerated by the realities of modern technology.
  We observe, as most courts have, that the
  language may be out of step with the
  technological realities of computer crimes.
  However, it is not the province of this court to graft
  meaning onto the statute where Congress has
  spoken plainly." – United States v. Councilman
          ECPA Exceptions
• A provider of electronic communication
  service may intercept an electronic
  communication, or disclose or use an
  intercepted communication, "while engaged
  in any activity which is a necessary incident to
  the rendition of [its] service or to the
  protection of [its] rights or property".
     More ECPA Exceptions
• A party to an electronic communication, or a
  person to whom a party to an electronic
  communication has given consent, may
  intercept the communication "unless such
  communication is intercepted for the purpose
  of committing any criminal or tortious act".
   – An exception to the exception: Some
     states require that all parties consent.
  Still More ECPA Prohibitions
         and Exceptions
• It generally is illegal to access an electronic communication
  while it is in electronic storage. (§2701(a))
    – But a provider of electronic communication service has
      apparently unlimited authority to access stored
      communications on its system. (§2701(c)(1))
        • But a provider of electronic communication service to the
          public generally may not divulge the contents of a stored
          communication. (§2702(a)(1))
             – But any provider may divulge the contents of a
                stored communication with consent or as a
                necessary incident to the rendition of service or to
                protects its rights or property. (§2702(b))
            "To the Public"
"The statute does not define 'public'. The word
'public', however, is unambiguous. Public means
the 'aggregate of the citizens' or 'everybody' or 'the
public at large' or 'the community at large'. Black's
Law Dictionary 1227 (6th ed. 1990). Thus, the
statute covers any entity that provides electronic
communication service (e.g., e-mail) to the
community at large."

                   Andersen Consulting LLP v. UOP
    Law Enforcement Access
• Voluntary or at government request?
• Obtained inadvertently or intentionally?
• In transmission or in storage?
  – In storage more than 180 days?
• Contents or log files?
• With consent of user or without?
• With notice to user or without?
    Searching and Seizing Computers and
   Obtaining Electronic Evidence in Criminal
• http://www.cybercrime.gov/searching.html#A
          USA PATRIOT Act
• A provider of electronic communication service may
  disclose subscriber information concerning, and the
  contents of, a stored communication to a law
  enforcement agency if the provider reasonably
  believes that an emergency involving immediate
  danger of death or serious physical injury to any
  person requires disclosure of the information without
  delay (§2702(b)(6)(C) and (c)(4))
• The owner of a computer system may, under certain
  circumstances, authorize law enforcement to
  intercept communications of a computer trespasser
          USA PATRIOT Act
• Governmental entities may subpoena a provider of
  electronic communication service for a subscriber's:
   – Name
   – Address
   – Records of session times and durations
   – Length and types of service
   – Subscriber number or identity, including any
     temporarily assigned network address
   – Means and source of payment, including credit
     card or bank numbers (§2703(c)(2))
          Common Law
       Invasion of Privacy
• Four theories:
  – Intrusion
  – Public Disclosure of Private Facts
  – Misappropriation of Name or Likeness
  – False Light
• Few cases
• Room for growth?
         In summary . . .

"In Hell, there will be nothing but law,
and due process will be meticulously

                         Grant Gilmore
Untangling the Privacy Mess
 • Ignore the law
 • Establish – and follow – a policy
    – What expectations are reasonable?
    – Consent
 • Options:
    – No privacy
    – Total privacy
    – Somewhere in between
 The Importance of Being Earnest
    (About Privacy Policies) I
"Leventhal had a reasonable expectation of privacy in the
contents of his office computer. . . . Leventhal occupied a
private office with a door. He had exclusive use of the
desk, filing cabinet, and computer in his office. Leventhal
did not share use of his computer with other employees
. . . nor was there evidence that visitors of the public had
access to his computer. . . . [W]e do not find that the DOT
either had a general practice of routinely conducting
searches of office computers or had placed Leventhal on
notice that he should have no expectation of privacy in the
contents of his office computer."
                                         Leventhal v. Knapek
 The Importance of Being Earnest
    (About Privacy Policies) II
"The general policy of the department that department-
issued equipment . . . was not to be 'converted to personal
use' cannot provide the necessary notice to officers to find
consent to surreptitious interception of their messages . . . .
The so-called policy prohibiting personal use cannot form
an after-the-fact justification for intercepting plaintiff's pager
where the policy had not been enforced and the
department conceded it was aware that pagers were used
by many members of the force for personal use."
                                 Adams v. City of Battle Creek
  The Importance of Being Earnest
     (About Privacy Policies) III
"Oklahoma State University policies and procedures prevent its
employees from reasonably expecting privacy in data downloaded
from the Internet onto University computers. The University computer-
use policy reserved the right to randomly audit Internet use and to
monitor specific individuals suspected of misusing University
computers. The policy explicitly cautions computer users that
information flowing through the University network is not confidential
either in transit or in storage on a University computer. Under this
policy, reasonable Oklahoma State University computer users should
have been aware network administrators and others were free to view
data downloaded from the Internet."
                                                         U.S. v. Angevine
  The Importance of Being Earnest
     (About Privacy Policies) IV
"The only evidence relied upon by the defendants to suggest
that plaintiff's expectation of privacy was not objectively
reasonable is the policy that was displayed each day on the
employee's computers in the AG's office. . . . This particular
statement obviously has considerable significance here.
The court, however, must consider this fact in conjunction
with . . . the oral representations made by AG employees to
the plaintiff [to the effect that he could maintain a 'private file'
to which no one would have access]. These other facts
suggest that plaintiff's expectation of privacy was objectively
                                                     Haynes v. Kline

To top