COMPUTER PRIVACY UPHELD, BUT SIDESTEPPED BY SILVER PLATTER DOCTRINE AND SCHOOLS SPECIAL NEEDS EXCEPTION

 

Right of privacy in personal computer hooked to network:
 

The Ninth Circuit Court of Appeals held in U.S. v. Heckenkamp:

 

“The government does not dispute that Heckenkamp had a subjective expectation of privacy in his computer and his dormitory room, and there is no doubt that Heckenkamp’s subjective expectation as to the latter was legitimate and objectively reasonable?

 

“, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. Leventhal v. Knapek, 266 F.3d 64, 74 (2d Cir. 2001)?

 

Tthe Silver Platter Doctrine was applied:
 

 Under the independent source exception, ” ‘information which is received through an illegal source is considered to be cleanly obtained when it arrives through an independent source.’ “ Murray v. United States, 487 U.S. 533, 538-39

 

The Special Needs Exception to the 4th. Amendment was applied:
Under the special needs exception, a warrant is not required when
Page 10
” ‘special needs, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impracticable.’ “ Griffin v. Wisconsin, 483 U.S. 868, 873 (1987)

   So while the student was found to have a privacy interest, the court found two exceptions that allowed the evidence later seized with a warrant in violation of the privacy rights to be used.  They found that the school official was not working with the police and that he was an independent source and thus this did not taint evidence he seized in violation of the student’s fourth amendment rights.  Secondly, they used an exception to the exclusionary rule by finding that the school had “special needs?.

Synopsis of U.S. v Heckenkamp:
 

United States v. Heckenkamp, No. 05-10322 (9th Cir. 4/5/2007) (9th Cir., 2007)       April 5, 2007

     In this case, we consider whether a remote search of computer files on a hard drive by a network administrator was justified under the “special needs” exception to the Fourth Amendment because the administrator reasonably believed the computer had been used to gain unauthorized access to confidential records on a university computer. We conclude that the remote search was justified.
        Although we assume that the subsequent search of the suspect’s dorm room was not justified under the Fourth Amendment, we conclude that the district court’s denial of the suppression motion was proper under the independent source exception to the exclusionary rule.
 [1] As a prerequisite to establishing the illegality of a search under the Fourth Amendment, a defendant must show that he had a reasonable expectation of privacy in the place searched. Rakas v. Illinois, 439 U.S. 128, 143 (1978). An individual has a reasonable expectation of privacy if he can ” ‘demonstrate a subjective expectation that his activities would be private, and he [can] show that his expectation was one that society is prepared to recognize as reasonable.’ ”
Page 8
Bautista, 362 F.3d at 589 (quoting United States v. Nerber, 222 F.3d 597, 599 (9th Cir. 2000)). No single factor determines whether an individual legitimately may claim under the Fourth Amendment that a place should be free of warrantless government intrusion. Rakas, 439 U.S. at 152-153 (Powell, J., concurring). However, we have given weight to such factors as the defendant’s possessory interest in the property searched or seized, United States v. Broadhurst, 805 F.2d 849, 852 n.2 (9th Cir. 1986), the measures taken by the defendant to insure privacy, see id., whether the materials are in a container labeled as being private, see id., and the presence or absence of a right to exclude others from access, see Bautista, 362 F.3d at 589.
        [2] The government does not dispute that Heckenkamp had a subjective expectation of privacy in his computer and his dormitory room, and there is no doubt that Heckenkamp’s subjective expectation as to the latter was legitimate and objectively reasonable. Minnesota v. Olson, 495 U.S. 91, 95-96 (1990). We hold that he also had a legitimate, objectively reasonable expectation of privacy in his personal computer. See United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (“Individuals generally possess a reasonable expectation of privacy in their home computers.”); United States v. Buckner, 473 F.3d 551, 554 n.2 (4th Cir. 2007) (recognizing a reasonable expectation of privacy in password-protected computer files); Trulock v. Freeh, 275 F.3d 391, 403 (4th Cir. 2001) (same).
        [3] The salient question is whether the defendant’s objectively reasonable expectation of privacy in his computer was eliminated when he attached it to the university network. We conclude under the facts of this case that the act of attaching his computer to the network did not extinguish his legitimate, objectively reasonable privacy expectations.
        [4] A person’s reasonable expectation of privacy may be diminished in “transmissions over the Internet or e-mail that
Page 9
have already arrived at the recipient.” Lifshitz, 369 F.3d at 190. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. Leventhal v. Knapek, 266 F.3d 64, 74 (2d Cir. 2001). However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002); United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000).
        [5] In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that “[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the state.” When examined in their entirety, university policies do not eliminate Heckenkamp’s expectation of privacy in his computer. Rather, they establish limited instances in which university administrators may access his computer in order to protect the university’s systems. Therefore, we must reject the government’s contention that Heckenkamp had no objectively reasonable expectation of privacy in his personal computer, which was protected by a screensaver password, located in his dormitory room, and subject to no policy allowing the university actively to monitor or audit his computer usage.
III
        [6] Although we conclude that Heckenkamp had a reasonable expectation of privacy in his personal computer, we conclude that the search of the computer was justified under the “special needs” exception to the warrant requirement. Under the special needs exception, a warrant is not required when
Page 10
” ‘special needs, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impracticable.’ “ Griffin v. Wisconsin, 483 U.S. 868, 873 (1987) (quoting New Jersey v. T.L.O., 469 U.S. 325, 351 (1985) (Blackmun, J., concurring in the judgment)). If a court determines that such conditions exist, it will “assess the constitutionality of the search by balancing the need to search against the intrusiveness of the search.” Henderson v. City of Simi Valley, 305 F.3d 1052, 1059 (9th Cir. 2002) (citing Ferguson v. City of Charleston, 532 U.S. 67, 78 (2001)).
  Once a court determines that the special needs doctrine applies to a search, it must “assess the constitutionality of the search by balancing the need to search against the intrusiveness of the search.” Henderson, 305 F.3d at 1059 (citing Ferguson, 532 U.S. at 78). The factors considered are the subject of the search’s privacy interest, the government’s interests in performing the search, and the scope of the intrusion. See id. at 1059-60.
Page 12
        [11] Here, although Heckenkamp had a subjectively real and objectively reasonable expectation of privacy in his computer, the university’s interest in maintaining the security of its network provided a compelling government interest in determining the source of the unauthorized intrusion into sensitive files. The remote search of the computer was remarkably limited given the circumstances. Savoy did not view, delete, or modify any of the actual files on the computer; he was only logged into the computer for 15 minutes; and he sought only to verify that the same computer that had been connected at the 117 IP address was now connected at the 120 IP address. Here, as in Henderson, “the government interest served[ ] and the relative unobtrusiveness of the search” lead to a conclusion that the remote search was not unconstitutional. Id. at 1061.
        [12] The district court did not err in denying the motion to suppress the evidence obtained through the remote search of the computer.
IV
        The district court also did not err in denying the motion to suppress evidence obtained during the searches of Heckenkamp’s room. Assuming, without deciding, that Savoy and the university police violated Heckenkamp’s Fourth Amendment rights when they entered his dormitory room for nonlaw-enforcement purposes, the evidence obtained through the search was nonetheless admissible under the independent source exception to the exclusionary rule.
        [13] Under the independent source exception, ” ‘information which is received through an illegal source is considered to be cleanly obtained when it arrives through an independent source.’ “ Murray v. United States, 487 U.S. 533, 538-39, (1988) (quoting United States v. Silvestri, 787 F.2d 736, 739 (1st Cir. 1986)). Therefore, we have held that ” ‘[t]he mere inclusion of tainted evidence in an affidavit does not, by itself,
Page 13
taint the warrant or the evidence seized pursuant to the warrant.’ “ United States v. Reed, 15 F.3d 928, 933 (9th Cir. 1994) (quoting United States v. Vasey, 834 F.2d 782, 788 (9th Cir. 1987)). In order to determine whether evidence obtained through a tainted warrant is admissible, “[a] reviewing court should excise the tainted evidence and determine whether the remaining untainted evidence would provide a neutral magistrate with probable cause to issue a warrant.” Id. (quoting Vasey, 834 F.2d at 788).
Although Heckenkamp had a reasonable expectation of privacy in his personal computer, a limited warrantless remote search of the computer was justified under the special needs exception to the warrant requirement. The subsequent search of his dorm room was justified, based on information obtained by means independent of the university search of the room. Therefore, the district courts properly denied the suppression motions.
        The judgment of the district court is AFFIRMED
 

 

                                                                                                                           

Appeals Court Misfired in Hack-Counterhack Dispute
 

Article by Jennifer Granick , former attorney for  Heckenkamp.  April 11, 2007.
  

Last week’s decision by the U.S. 9th Circuit Court of Appeals in U.S. v. Heckenkamp is a mixed bag. It assures us that a college student’s dorm room computer is protected by the Fourth Amendment, but says warrantless, and perhaps even suspicionless, searches of those computers can be justified by a university’s “special needs.”
It’s great that the court rejected the government’s view that we have no expectation of privacy in information stored on the hard drives of a computer we connect to school or other networks. But how much protection do we really have from random searches if the special-needs exception applies?
I especially care about this decision because I represented the defendant, Jerome Heckenkamp, early in the case. The charges involved allegations of hacking into Qualcomm and a host of other computer companies, as well as defacing eBay’s webpage.
Heckenkamp was young and smart, but naïve; he’d been home schooled, was the apple of his parents’ eye, and attended college close to where he grew up, at the University of Wisconsin. Upon graduation, he got a job at Los Alamos National Laboratory and moved away from his home state. He lost that job when FBI agents came to arrest him one morning in January of 2001. The family hired me to represent him.
In time, our attorney-client relationship frayed. Heckenkamp fired me and represented himself for approximately eight months — months he spent sitting in jail without any scheduled court dates, following a hearing in which he argued that the indictment against him should be dismissed because it spelled his name all in capital letters. Eventually, Heckenkamp hired San Diego-based attorney Benjamin Coleman to represent him.
One of the primary issues for both me and attorney Coleman centered on the legality of a remote search that the university system administrator conducted of Heckenkamp’s dorm-room computer.
FBI and Qualcomm investigators were able to trace the Qualcomm intrusion through several hops to the “Mail2″ e-mail server at the University of Wisconsin. At their direction, system administrator Jeffrey Savoy located a strange file on the mail server listing numerous logins to other computer through Mail2. The file also showed that someone had accessed a student dorm computer with an IP address ending in 117 using an account with the username and password “temp.”
Savoy drew the conclusion (which proved correct) that the 117 computer was the source of the unauthorized access to Mail2. Savoy then looked at the e-mail-server logs and found IP address 117 checking the e-mail account for Heckenkamp, which led him to believe that 117 was assigned to Heckenkamp’s machine. He blocked that IP from connecting to Mail2 and informed the investigating FBI agent. Savoy then went home.
That night, Savoy got to thinking about the events of the day. He logged on from home to determine what the 117 computer was up to — it was not online. But Savoy crosschecked the log of Ethernet addresses with IP addresses, and found the computer formerly known at 117 was now known as 120.
Savoy gave several plausible and not-inconsistent reasons for doing what he did next, the evening of December 8, 1999. He wanted to protect the mail system from a potentially destructive intruder; he wanted to find out who had been accessing Mail2; he wanted to confirm that the 117 computer was the same machine now using 120. He wanted to confirm that Heckenkamp was involved.
Whatever his motivation, Savoy logged on to the 120 machine using the “temp/temp” username and password he had found on Mail2. He spent 15 minutes there, looking at a phonebook file, and a list of account names, and found information that led him to believe Heckenkamp had an account on the machine. He also saw what he called “computer hacking tools” and files that Qualcomm had described. Savoy made screen-print copies of these files as evidence.
Savoy then decided to get the computer offline ASAP, informed the FBI and university police and, despite the FBI asking him to wait for a warrant, went to Heckenkamp’s dorm room to disconnect the machine and secure the premises.
School police went to Heckenkamp’s room and unplugged his machine from the network late that same night. FBI agents showed up with a warrant late on December 9th. The warrant affidavit failed to mention that Savoy had remotely searched the computer, and had searched Heckenkamp’s dorm room without a warrant, though the agents were aware of both. The warrant simply said Savoy had tracked the intrusion to Heckenkamp’s dorm-room computer.
I argued in court that the warrantless search was improper, as did Coleman later. We lost. Heckenkamp went on to plead guilty for time served, but retained the right to appeal his motion to suppress.
Last week’s appeals court opinion starts out pretty well for computer privacy — the University of Wisconsin is a state school, so the Fourth Amendment, which only covers state action, applies to its activities. The court rejected a government assertion that students don’t have privacy rights in their personal computers that they connect to a dorm or university network. That part of the ruling is a relief — imagine if connecting your computer to any private network meant police could search your system remotely without cause or authorization.
The court even held that the fact that others may have occasional access to a computer does not diminish the owner’s reasonable expectation of privacy in its contents — countering a few often-cited cases holding that disclosure of personal information to third parties destroys constitutional protections.
But then the court nonetheless upheld the remote, warrantless search of Heckenkamp’s computer under the “special needs” exception to the Fourth Amendment.
That exception was carved out in a 1985 U.S. Supreme Court decision in New Jersey v. T.L.O., a case in which a high school principal searched a student’s purse. The court found that the public interest was best served by lowering the level of suspicion needed for a school search from “probable cause” to one of mere “reasonableness”, and doing away with any warrant requirement.
Justice Blackmun’s concurrence limited the seemingly broad ruling to those exceptional circumstances in which “special needs”, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impractical. In subsequent cases, the high court has applied the special needs exception to a search of a doctor’s office for administrative disciplinary proceedings, to probation searches, to drug testing following train accidents and prior to promotion to certain positions in the U.S. customs agency.
The Supreme Court has rejected the special needs exception for suspicionless blanket drug testing of candidates for public office. It also rejected it where a hospital initiated a program of drug testing pregnant women and disclosing the information to prosecutors.
In Heckenkamp, the 9th Circuit found that the special needs exception applied because Savoy remotely searched Heckenkamp’s computer for the purpose of securing the Mail2 server, and not with a motivation to collect evidence for law enforcement purposes. The court then balanced the need to search against the intrusiveness of the search, and ruled that what Savoy did was permissible.
The application of “special needs” here is pretty narrow, and tied closely to the facts of this case. The court, for example, took into account that Savoy did not delete or modify any of the files on Heckenkamp’s computer; was logged into the machine for only 15 minutes; and sought only to verify that the same computer that had been connected at 117 was now using 120.
Still, I think the 9th Circuit got it wrong. Remember, Savoy’s search began after he discovered that someone using the university’s Mail2 server had logged into Heckenkamp’s machine. The 9th Circuit classifies this as evidence that Heckenkamp’s computer was the source of the hack. But as far as Savoy knew, Mail2 compromised Heckenkamp’s computer, not the other way around. Only the remote search produced evidence to the contrary. (Editor’s note: the University of Wisconsin stands by the remote search.)
Additionally, Savoy had other reasonable, and less intrusive, ways to protect the university, including blocking the suspect computer’s Ethernet address. Finally, Savoy’s searching wasn’t limited to determining that the 117 computer was now 120. He did several searches, for 15 minutes, looking for incriminating files and making screen shots.
The larger problem may be that the court overlooked the fact that, regardless of what Savoy’s stated motives were, it’s clear that he searched a particular person’s computer because he was suspicious of that person, and with the knowledge that whatever information he found he would give to law enforcement. Savoy may have been acting to protect the university, but he was also investigating the offense. That should have made his warrantless search unconstitutional.
While U.S. v. Heckenkamp says networked computers can be private, and applies the “special needs” exception in a narrow way, future prosecutors will try to expand it. Many searches in response to computer security breaches have dual purposes: fix the breach and make a case against the intruder. It will be hard for the courts to parse dual motivations to determine whether the Heckenkamp exception applies.

 

Comments are closed.