Leaving Your WiFi Open Decreases Your Fourth Amendment Rights To Privacy?

from the wait-a-second... dept

We've had numerous discussions on this site about both the legality and ethics of open WiFi networks. And yet, the issue still comes up now and again -- but who knew it was a Constitutional issue? Thomas O'Toole shares the news of a ruling in Oregon, that suggests a user who left his WiFi open gave up certain 4th Amendment rights to privacy. Though, actually, the details of the case suggest it's not so much the open WiFi that's the issue, but the fact that the guy also left illegal material in shared Limewire and iTunes folders. It was just that police were able to confirm that by connecting to his open WiFi. But the court does make a specific statement on the WiFi issue, noting:

"as a result of the ease and frequency with which people use each others' wireless networks, I conclude that society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network."

While O'Toole doesn't think there's anything earth shattering about this, I'm not sure I agree. I think, in this case, the guy probably gave up rights to privacy by putting the content in shared folders that were available widely -- but I don't think that just because you're using an open WiFi network you've set yourself a "lower expectation of privacy." I would suspect that most users have no idea that it's less secure, and I wonder why the type of network used should really determine the level of 4th Amendment protections.

Filed Under: fourth amendment, open wifi, privacy, wifi

Do You Have Any Legal Right To Privacy For Information Stored Online?

from the there's-a-legal-fight-brewing dept

A year and a half ago, we had an interesting discussion here about whether or not the Fourth Amendment and your right to privacy extended to information you stored online via any sort of "cloud" service. The arguments basically fell into two camps, with some citing the "third party doctrine," which basically says that once you gave up info to a third party, you no longer have any right to expect it to be kept private. This argument came from a lawsuit (Smith v. Maryland) that basically said phone numbers you dialed were not "secret" because you were supplying them to the phone company. Of course, the other side of that argument is that it's ridiculous to extend this concept to online storage, noting that the Supreme Court had recognized in the Katz case (about wiretapping public pay phones) that the Fourth Amendment applies to "people, not places."

It looks like this debate is kicking off again, with a discussion on News.com over whether or not the Fourth Amendment covers information stored in "the cloud." It tackles some of the same ground that we covered a while back, but points to a recent law review paper on this topic (pdf) by David A. Couillard.

The paper does a good job separating out the thinking here, and explaining why the Fourth Amendment absolutely should apply to information you store online. As it notes, while the Smith case said that phone numbers dialed might not be private, that did not extend to the contents of the phone call itself. And that's key. The reason that the phone company gets the phone numbers dialed is because that information is key to it delivering its service of connecting the phone call. So you can make a reasonable argument that while such information (the information needed to initiate a service) might not be subject to privacy protection, everything else communicated or stored via that service still deserves those protections.

The issue is that right now we really don't know how the courts feel about this -- and you can bet this is going to become an issue that shows up in the court system before too long. Hopefully, the courts will recognize that any "third party doctrine" when it comes to the Fourth Amendment is limited to a very narrow subset of information provided for a particular purpose, rather than all information stored on third party servers.

Filed Under: cloud, fourth amendment, information, privacy, storage

Congress Ponders Cybersecurity Power Grab

from the no-cybersecurity-licenses-please dept

There was a lot of attention paid last week to a new "cybersecurity" bill that would drastically expand the government's power over the Internet. The two provisions that have probably attracted the most attention are the parts that would allow the president to "declare a cybersecurity emergency" and then seize control of "any compromised Federal government or United States critical infrastructure information system or network." Perhaps even more troubling, the EFF notes a section that states that the government "shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access." Read literally, this language would seem to give the government the power to override the privacy protections in such laws as the Electronic Communications Privacy Act and the Foreign Intelligence Surveillance Act. Thankfully, Congress can't override the Fourth Amendment by statute, but this language poses a real threat to Fourth Amendment rights.

One clause that I haven't seen get the attention it deserves is the provision that would require a federal license, based on criteria determined by the Secretary of Commerce, to provide cybersecurity services to any federal agency or any "information system or network" the president chooses to designate as "critical infrastructure." It's hard to overstate how bad an idea this is. Cybersecurity is a complex and fast-moving field. There's no reason to think the Department of Commerce has any special expertise in certifying security professionals. Indeed, security experts tend to be a contrarian bunch, and it seems likely that some of the best cybersecurity professionals will refuse to participate. Therefore, it's a monumentally bad idea to ban the government from soliciting security advice from people who haven't jumped through the requisite government hoops. Even worse, the proposal leaves the definition of "critical infrastructure" to the president's discretion, potentially allowing him to designate virtually any privately-owned network or server as "critical infrastructure," thereby limiting the freedom of private firms to choose cybersecurity providers.

When thinking about cyber-security, it's important to keep in mind that an open network like the Internet is never going to be perfectly secure. Providers of genuinely critical infrastructure like power grids and financial networks should avoid connecting it to the Internet at all. Moreover, the most significant security threats on the Internet, including botnets and viruses, are already illegal under federal law. If Congress is going to pass cybersecurity legislation this session (and it probably shouldn't) it should focus on providing federal law enforcement officials with the resources to enforce the cyber-security laws we already have (and getting the government's own house in order), not give the government sweeping and totally unnecessary new powers that are likely to be abused.

Filed Under: certification, congress, critical infrastructure, cybersecurity, fourth amendment

Police Officers Can Search Your iPhone Following Arrest For A Traffic Violation

from the fourth-amendment dept

Adam Gershowitz writes "I am a criminal law professor from Houston, Texas and I have recently finished an article about the ability of police officers to search the contents of a person's iPhone at a traffic stop. In brief, under what is referred to as the "search incident to arrest doctrine," police can search through any container found on the body of a person who has been arrested. It does not matter that the arrest was for running a stop sign, or speeding, or some other seemingly minor traffic infraction. Regardless of the reason for the arrest, police can search through every container on the person's body, even if the police have no suspicion that there is anything illegal in it. A few courts have concluded that this doctrine permits police to search text messages found on cell phones. My article explores the circumstances under which police can now search not only text messages, but also the email, pictures, movies, calendar entries, and internet browsing history found on iPhones and similar devices -- even if the police have no suspicion that there is anything illegal on the iPhone. In short, the article explores ways in which the police can search through the thousands of pages of data on individuals' wireless technology even if there is no probable cause or other suspicion of illegal activity."

Filed Under: fourth amendment, iphone, police, privacy, traffic stop

The Fourth Amendment Two-Step

from the where-your-privacy-has-gone dept

Tom Lee has already weighed in with an excellent post on the news that law enforcement officials are often able to turn cell phones into real-time tracking devices without having to make the traditional showing of probable cause required for a search warrant. But it may be worth lingering a bit over the tortuous legal history that is being used to justify a form of snooping that is, intuitively, almost as intrusive as a conventional physical search.

The problem is a series of precedents that, as legal scholar Richard Posner has observed, enable the government to do a two-step end run around the Fourth Amendment. In the 1974 case California Bankers Association v. Schulz, the Supreme Court ruled that the Bank Secrecy Act, which required financial institutions to collect certain kinds of information from customers, did not run afoul of the Fourth Amendment's privacy protections. (Similarly, Enhanced 911 rules implemented in 1998 required telecom providers to make their networks capable of pinpointing the locations of cell users for the convenience of 911 operators.) The Court reasoned that "the mere maintenance by the bank of records without any requirement that they be disclosed to the Government" did not constitute an "illegal search and seizure." But two years later, in U.S. v. Miller, the Court determined that individuals lost their "expectation of privacy" in such information once it had been turned over to a third party, such as a bank. And businesses such as banks, unlike individuals, could not claim Fourth Amendment privacy interests in their records.

That brings us to 1979's Smith v. Maryland, in which the Court determined that no "search" was conducted, for Fourth Amendment purposes, when police sought to obtain from telephone companies a list of the numbers dialed from a particular telephone. The Court's reasoning was two pronged: In part, the justices relied upon the "third party" rationale of Miller. But they also noted the ways that such information gathering was distinct from, and less intrusive than, eavesdropping on the calls themselves: "Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers."

Different jurisdictions have differed on how this logic applies in the case of cell tracking, where there's the added hurdle of language in the Communications Assistance for Law Enforcement Act that would appear to forbid using a mobile phone as a GPS device without a full-fledged search warrant. It seems likely that, at least in the near term, judges will rely on such statutory constraints to check such tracking. But it also looks like a good reason for the courts to revisit this whole line of Fourth Amendment jurisprudence, and reconsider whether, when so much data about us is stored in a variety of "third party" databases, it makes sense to presume citizens have no reasonable expectation of privacy in such information, even when the "third party" has pledged not to share it.

Filed Under: fourth amendment, gps, mobile phone tracking, privacy