Kevin Poulsen has an interesting piece at Wired.com on a recent criminal case in which the government obtained a search warrant and remotely installed spyware on a target’s computer. The program reported back a wealth of information on how the computer was being used, including IP addresses, the MAC address, etc.. No contents of communications were obtained; this would have required a Title III order rather than a traditional search warrant. The warrant affidavit is here.
Given that the government obtained a probable cause warrant and didn’t collect the contents of any communications, it’s hard to find a legal problem with what the government did. At the same time, the story does make me wonder if something like this was used in the United States v. Forrester case I blogged about earlier. I never did find out if the Forrester case involved monitoring at the ISP or involved spyware installed on the suspect’s personal machine. But if it was the latter, I tend to think a warrant probably was necessary and the court’s decision probably was wrong.
Why might it matter whether the government installed the device at the ISP or on the suspect’s machine? It’s true that the government ends up with the same information either way. But the Fourth Amendment usually focuses on how information is collected rather than what information is collected. The fact that the government can buy the morning newspaper at a corner store without a warrant doesn’t mean that they can break into your home and read your copy without obtaining a warrant first.
More broadly, I tend to think that the most persuasive rationale for the third-party doctrine underpinning Smith v. Maryland (and thus Forrester) is that the recipient of a communication is a party to the communication that can consent to monitoring. When a communication is received by its intended recipient, that recipient has control over what to do with the information received much like the recipient of a traditional letter. Thus in Smith v. Maryland, the phone company could record Smith’s telephone numbers because it was the end recipient of the communication — the communication about the numbers to be dialed — from Smith to the phone company.
Spyware is different. If the government places spyware on a private machine, it is not working with a party to the communication. Rather, it is intercepting the contents of communications between the parties, the user and the ISP. I think it’s much harder to apply the third-party doctrine in that setting. You end up having to say that the possibility the government could get the ISP to conduct the monitoring means that the government doesn’t have to try. But consent is consent in fact, not a likelihood of consent if the government had tried to obtain it. Given that, I’m dubious that spyware is covered under the rationale of Smith v. Maryland. As a result, I tend to think a warrant is probably needed to install spyware without the ISP’s involvement even if non-content information was disclosed (note that a warrant was obtained in the case covered by Wired). It’s not an open and shut case, but I think a warrant is probably needed.
Anyway, sorry if these ideas are hard to follow; I’m working on an article about the third party doctrine and my views are still forming, so some of my comments may seem disjointed. Finally, thanks to Dan Solove for the link.