Cyber Crime March 10, 2009 Fourth Amendment Group: Najja Bullock, Hans Corteza, Channa France, Andrew Miller, and Lee Rice A Survey of Fourth Amendment Issues in Cyber Space The Fourth Amendment The Fourth Amendment protects against unreasonable and warrantless searches and seizures by the federal and state governments. It was originally ratified in the Bill of Rights in 1791 and was extended to the states through the Due Process Clause of the 14th Amendment in Mapp v. Ohio in 1961.1 The Amendment reads: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Under the Amendment, a search occurs when the government infringes upon a “legitimate expectation of privacy.” There is a two part test for this: – – 1. A person must have an actual subjective expectation of privacy 2. Society must be prepared to recognize that expectation as reasonable2 Fourth Amendment History Like much American law, the Fourth Amendment has its origins in English Common Law. The first significant Common Law search and seizure case was Semayne’s Case in 1604, nearly 200 years before the Fourth Amendment’s ratification. In that case, the court held that government agents needed a lawfully obtained warrant to search a dwelling, and they had to knock and announce before they could enter.3 The Common Law rule on search and seizures expanded in 1765, when the court held in Entick v Carrington that although a warrant had been issued, there had been no cause to grant the warrant.4 This holding was a forerunner to the probable cause requirement of the Fourth Amendment. The English Common Law rules on search and seizure were relaxed in the American Colonies, much to the dislike of the colonists. Although warrants were still needed to enter dwellings, they could be issued by a justice of the peace with very little cause. In 1754, the Excise Act gave tax collectors unlimited powers to seize un-customed imported goods through a type of warrant called a writ of assistance. Massachusetts responded by passing a law against 1 2 Mapp v. Ohio, 367 U.S. 643 (1961) Katz v. United States, 389 U.S. 347 (1967) 3 Semayne's Case (1604) 77 Eng. Rep. 194; 5 Co. Rep. 91 4 Entick v Carrington (1765) 19 Howell’s State Trials 1030 writs of assistance in 1756, and other colonies quickly followed suit.5 The Fourth Amendment was ratified in 1791 with this experience with writs of assistance and other unwanted British searches still relatively fresh memories. Nearly 100 years passed between the adoption of the Fourth Amendment and the first major Supreme Court decision interpreting the Amendment. In 1886, the Court held in Boyd v. United States that “a compulsory production of a man's private papers” was “an 'unreasonable search and seizure' within the meaning of the Fourth Amendment.”6 The next important case came in 1914, when the Supreme Court crated the exclusionary rule in its holding in Weeks v. United States. Prior to Weeks, there was no mechanism to prevent law enforcement from making unwarranted searches. In Weeks the court held that evidence seized in violation of the Fourth Amendment could not be used in trial.7 The first Fourth Amendment case to involve modern communication technology was Olmstead v. United States in 1928. In that case the Court held that the defendant’s Fourth Amendment right to privacy was not violated by a wiretap which was placed on the phone line outside of the defendant’s dwelling.8 This case was eventually overruled by Katz v. United States in 1967.9 Unlike Olmstead where agents tapped telephones, in Katz one particular phone booth was equipped with a bugging device on the outside. The Court held in Katz that the Fourth Amendment was violated when agents placed the bug without first obtaining a warrant. The Court determined that when a phone booth door is shut the user of the phone isn’t intending to broadcast their message to the world, and they should be entitled to privacy. With this case the Court moved from an earlier interpretation of the Fourth Amendment pertaining to trespass to an interpretation that the Fourth Amendment concerns privacy.10 Katz was one of two major Fourth Amendment cases before the Court in 1967, the other being Berger v. New York. In this case, agents obtained a warrant under New York law to place a bug in a defendant’s office. Under the law, however, they did not need to explain why they bug was needed other than that there was reasonable grounds that a crime would be committed. The Court found the New York law did not meet the probable cause standard of the Fourth Amendment and that people should have a reasonable expectation of privacy in their conversations.11 With its decisions in Katz and Berger the Supreme Court had brought the Fourth Amendment to the cusp of the information age. What lied ahead were once unforeseeable cases involving the internet, thermal-imaging technology and other high-tech surveillance methods. Acts and Statutes 5 W. Cuddihy, The Fourth Amendment: Origins and Original Meaning (1990) (Ph.D. Dissertation at Claremont Graduate School) 6 Boyd v. United States, 116 U.S. 616, 626 (1886) Weeks v. United States, 232 U.S. 383 (1914) 8 Olmstead v. United States 277 U.S. 438 (1928) 9 Katz v. United States, 389 U.S. 347 (1967) 10 Id. 11 Berger v. New York, 388 U.S. 41 (1967) 7 The Federal Communications Act (FCA) of 1934 stated “...no person not being authorized by the sender shall intercept any communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communications to any person.” That legislation, though well intentioned, was seemingly never destined to stay controlling. Since the FCA was enacted, there have been a series of regulations pertaining to privacy and communications. For my part of this CyberCrime project, it was my job to identify and highlight such major legislation, and key points thereof. Legislation that, looking back historically at American history after the FCA, was a major step in the development of privacy rights was the Omnibus Crime Control and Safe Streets Act (OCCSSA) of 1968. Enacted during a time of new upheaval and a surge of violence during the mid 60s, it was meant to bring about change through a reduction of crime. The provision in this legislation relating to the fourth amendment was the establishment of certain necessary procedures that law enforcement authorities had to abide by. Among other things, this law mandated that law enforcement officials receive authorization from the Attorney General before applying for a court order to intercept wire or oral communications. The Foreign Intelligence Surveillance Act (FISA) of 1978 followed OCCSSA seeking to deter espionage within the United States by foreign governments and/or components thereof. Though primarily pertaining to foreign communications rather than domestic, this law had implications for both, as it created the still utilized FISA court. The Electronic Communications Privacy Act (ECPA) of 1986 further defined and expanded the law of this area, adding definitions for “contents” and setting out rules for interception and disclosure of wire, oral, or electronic communications. It also set out provisions for law enforcement in this area under a provision called the Law Enforcement Act. By far the biggest expansion of governmental rights to legally intrude on privacy rights was the Patriot Act of 2001. Its broad nature and grant of power makes this law both ambiguous and controlling. Under USC section 3121 for instance, the FISA court is authorized to grant a court order for a pen register or trap and trace device anywhere within the United States as long as the government certifies the information may be relevant to an ongoing criminal investigation; a threshold much lower than that of the past. It further compels any electronic communication service in the United States to comply with record keeping requirements and such records must be surrendered upon the request of the government. It will be interesting to see how future legislation will be taken by the American people. The Protect America Act of 2007, recently amended in January 2009, has already sparked some controversy as it has been criticized as giving unlimited power to the government to intercept all international phone calls made by American citizens without a warrant. Privacy Interpretations Whether an individual’s Fourth Amendment right to be free from unreasonable search and seizure has been violated has depended on the court’s interpretation of the Fourth Amendment and the right to privacy. Olmstead established that violation of the Fourth Amendment was tangential to a possessory interest or a property interest. Olmstead v. United States, 277 U.S. 438 (1928). Without an interest in some element, there was nothing for the Fourth Amendment to protect. This view lasted for nearly forty years, until eclipsed by the holding in Katz. Katz stood for the proposition that the interest protected by the Fourth Amendment is one of privacy, not of property. Katz v. United States, 389 U.S. 347 (1967). To the Katz court, and courts into the modern age, if an individual has an actual expectation of privacy, and that expectation is reasonable to society, then the right is protected by the Fourth Amendment from unreasonable search and seizure. Id. Kyllo reinforced this privacy view, holding that using technology to discern intimate, private details of family-life, is a violation of the prohibition on search and seizures if done without a warrant. Kyllo v. United States, 533 U.S. 27 (2001). The predominant privacy paradigm leads to some interesting results. For example, individuals have no privacy rights to the contents of their garbage cans. California v. Greenwood, 486 U.S. 35 (1988). Those contents are available to police investigation, so too are the numbers dialed into a telephone keypad and sent to an operator for connection. Smith v. Maryland, 442 U.S. 735 (1979). Likewise, transactions done via Western Union, In Re Grand Jury Proceedings, 827 F.2d 301, 302-03 (1987), and requests for financial records, U.S. v. Miller, 425 U.S. 435 (1976), are not covered by the Fourth Amendment. In general, communications in the hands of a third party are not protected by the Fourth Amendment. The courts still must analyze what “communication” means in light of new technology. Third parties can also initiate searches, and so long as the party is not an agent of the government, that search is outside of the scope of the Fourth Amendment. That means information discovered by friends or family or coworkers, and reported to the police, is not in any way a violation of the Fourth Amendment. In one case, a hacker in Turkey hacked into a US citizen’s computer after the US citizen responded to a posting for child pornography. U.S. v. Steiger, 318 F.3d 1039 (2003). Using malware hidden in a picture posted on file server, the hacker obtained graphic photos of the user abusing a young girl. The hacker contacted the police in the suspect’s jurisdiction and anonymously turned over what he had found. Through subsequent emails, the hacker provided details of the suspect, including email address, physical addresses, phone numbers, pictures, work details, and bank account details. Because it was a third party search, the police were able to obtain a search warrant based on the initial anonymous offering. The court held that search warrant was valid and defendant’s fourth amendment right was not violated. Workplace Privacy: An Assessment of the Fourth Amendment and Online Conduct in the Public Sector Workplace Privacy: The Public Sector The state of the law on workplace privacy in the public sector stems in large part from the seminal case O’Connor v. Ortega, 480 U.S. 709 (1987), a case involving a search of a public employee office spaces and drawers. Ortega’s contextual approach set forth the operative framework for determining whether a violation of a public employee’s Fourth Amendment rights has occurred. This framework provided a two-step inquiry. First, in order to enjoy any Fourth Amendment protection, the employee must have had a “reasonable expectation of privacy” in the area or thing intruded upon or searched. Second, if the employee had such an expectation, then it must be determined whether the employer’s intrusion into this area or thing was “reasonable.” At its essence, the two-step inquiry is a balancing test in which the Supreme Court weighed whether there was a legitimate expectation of employee privacy against the public employers business reason to justify the intrusion. In Ortega, the Court found that the employee did have a reasonable expectation of privacy, because, among other things, Dr. Ortega did not share his desk or file cabinets with any other employees, and Dr. Ortega had occupied his office alone for 17 years. Workplace Privacy and Online Conduct in the Public Sector The two-step inquiry detailed above can only be assessed on a case-by-case basis. Some cases signal victories for the privacy of email and text messages, while others imply utter defeat. One pro-privacy case is Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), a case involving a suit by a city police officer against a wireless company, the city of Ontario, Calif., and police supervisors. In the case, supervisors acquired the transcripts of Quon’s text messages, which included personal, sexually explicit text messages. The court held that there was a reasonable expectation of privacy in employees’ text messages. The implications of this holding is that law enforcement needs a probable cause warrant to access stored copies of electronic messages less than 180 days old, regardless of whether they have been downloaded or read. This holding also stops employers from getting the contents of employee emails or text messages from the service provider without employee consent. Of course, as we know, good facts make good law. In Quon, a key fact was that the city police did not properly use and apply company policy concerning the use of Quon’s city-owned alphanumeric pager. Oftentimes in cases concerning workplace privacy, courts have been more inclined to find reasonable searches if written employment policies or workplace practices establish that the government employees targeted by the search cannot reasonably expect privacy in their workplace. If this had been achieved in Quon, then perhaps that case would have come out differently. Thoughts on Future Privacy After doing this project, I feel that the judicial system will have to take a closer look towards privacy expectations in the future. One of the factors listed in Kyllo was that the equipment was not in “general use.” I do feel that even if such equipment becomes readily available to the public, the Court should not hold onto this aforementioned factor. I believe in terms of searches and seizures, the Court should not let the availability of technology be dispositive of their ruling but rather ensure that technology does not directly shape peoples’ expectations of privacy. People should not passively submit to technological innovations, and the Court should recognize that even if certain technological forms of surveillance commonly exist, such forms can still violate the 4th Amendment. In United States v. Maxwell, the FBI listed the wrong user name of the defendant in its affidavit. The Court, however, felt this discrepancy was an honest mistake. If this error were to occur today, I think that courts would not be so forgiving. In that case, it seemed as if the court was giving leeway to the fact that the FBI was unfamiliar with “AOL technology.” AOL and the Internet in general were still considered an advent during the 1990s. Internet usage has come a long way since that case was decided in 1993, and if similar errors were to occur today, courts would probably chide government agencies for their sloppy execution. Law enforcement agencies would now likely have to be more specific in securing a warrant in this area. I am sure there are many instances when the government has surveyed a party but found no evidence for their suspicions. Such a situation occurred during the Martin Luther King Jr. investigation when the FBI found no evidence of alleged communism ties. Although this situation occurred nearly 40 years ago, such surveillance probably takes place to this day.