The Volokh Conspiracy

“Yes,” says Judge Maurice Paul in United States v. Durdley, 2010 WL 916107 (N.D. Fla. 2010), handed down on March 11. I haven’t seen any cases quite like this, but I tend to think the decision is wrong. In this post, I wanted to explain the decision and then say why I find its reasoning rather unpersuasive.

Durdley was an emergency paramedic for the local county who was at work using a shared computer. When he was done using the shared computer, he forgot to take away the thumb drive had attached to one of the computer’s USB ports. Later on, a captain of the paramedic team named Johnson, was using the computer and saw the thumb drive attached. Johnson decided to see what was on the thumb drive, so he double-clicked on the “my computer” icon, double-clicked on the thumb drive icon to see the list of files, and then double-clicked on some files to see what they contained. Johnson found child pornography files on the thumb drive, leading to charges against Durdley.

The district court held that attaching the thumb drive to the USB port of a shared computer waived a reasonable expectation of privacy in the contents:

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no . . . reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer[.]

The Court was persuaded by the analogy between Durdley’s case and United States v. King, 509 F.3d 1338, 1341-42 (11th Cir. 2007), in which King placed a file into his “shared drive” on a laptop that was connected to the network of a military base used by thousands of people. Another user of the network was looking for music files on the network and saw the file on King’s shared drive. The file turned out to be child pornography, leading to charges against King. The Eleventh Circuit ruled that King did not have a reasonable expectation of privacy on the files he had placed in his shared drive connected to the network:

It is undisputed that King’s files were “shared” over the entire base network, and that everyone on the network had access to all of his files and could observe them in exactly the same manner as the computer specialist did. As the district court observed, rather than analyzing the military official’s actions as a search of King’s personal computer in his private dorm room, it is more accurate to say that the authorities conducted a search of the military network, and King’s computer files were a part of that network. King’s files were exposed to thousands of individuals with network access, and the military authorities encountered the files without employing any special means or intruding into any area which King could reasonably expect would remain private. The contents of his computer’s hard drive were akin to items stored in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public

In Durdley, the district court ruled that Durdley’s case was just like King:

King accidentally allowed others to have access to his files. Instead of leaving a thumb drive accidentally plugging in to a physical computer tower, King left a folder accidentally “plugged in” to a computer network, by failing to turn off sharing for that folder.

In the instant case it is undisputed that Durdley inadvertently shared his files with all the users of the public computer. Durdley’s files were exposed to anyone who sat down at the computer station who used the traditional means for opening and viewing files (such as Windows Explorer and the My Computer icon). Johnson encountered the files without employing any special means or intruding into any area which Durdley could reasonably expect to remain private once he left the drive attached to the common-use computer. The Court concludes, therefore, that Mr. Durdley had no more reasonable expectation of privacy in the contents of the thumb drive once he attached it to the common-use computer than the defendant in King did in his drive once he attached it to the airbase network.

I tend to think that King is right and Durdley is wrong. The operating principle here is that effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. I can see that in King. When you put a file in a place that is understood to make it shared with others, and you connect to a network with thousands of other users, you are effectively exposing that file to the public.

But I think that’s different from leaving a thumb drive in a laptop USB port in two critical ways. First, it seems that the only person who could access the files in the thumb drive was one other person who happened to sit down to use that particular laptop. It’s hard to see exposure to one person as the same as exposure to the public. And I don’t think there were any facts in the record as to how often the laptops were used, either.

Second, I think the social norm is that when you see a private person’s thumb drive on a shared-use computer, it’s understood that you’re invading that person’s privacy if you start clicking around to see what the files are. It’s kind of like someone leaving their luggage in the waiting room of a bus station. If the owner leaves the luggage behind for some reason, no one would see that as a waiver of privacy rights in the luggage or an invitation to unzip the luggage and look around.

To be clear, it usually won’t violate the Fourth Amendment for another government employee to click through a government employee’s thumb drive connected to a shared work computer. If the search is a reasonable work-related search, no warrant is required under O’Connor v. Ortega. But that’s a separate question of whether it’s a reasonable or unreasonable search. In contrast, the court here ruled that Johnson’s double-clicking on the thumb drive files wasn’t a search at all.

UPDATE: It occurs to me that the answer in this case may hinge on whether you see this case as involving a private sector workplace or a public sector workplace. If it’s a private sector workplace, the operating Fourth Amendment principle is the one I stated: effectively exposing information to the public, based on prevailing social norms, eliminates any Fourth Amendment reasonable expectation of privacy in that information. On the other hand, if you see the case as a government workplace search case, then the operating Fourth Amendment principle is different: As I explained here, in that setting, sharing the space with another government employee eliminates Fourth Amendment protection in that information. In that case, I think it would be fair to say that connecting the thumb drive to the shared computer does share the space. This post treated the case as a private workplace case because the opinion treats it that way, but I think that question may make all the difference in the right answer.

Readers who were interested in the Lori Drew case, and the question of when computer use counts as criminal “unauthorized access” to a computer, will want to read this New Jersey state case from last fall: State v. Riley, 12 N.J.Super. 162, 988 A.2d 1252 (2009) (link to google cache version). It’s a case on the New Jersey computer crime statute, and only by a trial court, but it’s a good example of how courts could (and in my view should) narrowly construe unauthorized access statutes. According to the opinion, the court narrowly construes the statute by relying on “the statute’s plain language, legislative history, related case law, persuasive out-of-state authority, and scholarly commentaries” — the last of which is of course rather suspect.

Last year, Maryland law professor Danielle Citron published “Cyber Civil Rights” in the BU Law Review. Here’s the abstract:

Social networking sites and blogs have increasingly become breeding grounds for anonymous online groups that attack women, people of color, and members of other traditionally disadvantaged groups. . . . Attackers manipulate search engines to reproduce their lies and threats for employers and clients to see, creating digital “scarlet letters” that ruin reputations.

. . . .

General criminal statutes and tort law proscribe much of the mobs’ destructive behavior, but the harm they inflict also ought to be understood and addressed as civil rights violations. Civil rights suits reach the societal harm that would otherwise go unaddressed and would play a crucial expressive role. Acting against these attacks does not offend First Amendment principles when they consist of defamation, true threats, intentional infliction of emotional distress, technological sabotage, and bias-motivated abuse aimed to interfere with a victim’s employment opportunities. To the contrary, it helps preserve vibrant online dialogue and promote a culture of political, social, and economic equality.

Citron’s article detailed some particular cases of such abuses. As she acknowledged, the mob actions are solidly within the scope of existing criminal law and tort law. Nevertheless, she made the case that federal civil rights laws should be revised to cover Internet threats and defamation–since civil rights statutes provide attorney’s fees for a successful plaintiff, and since prosecutors would be more likely to bring criminal charges if the underlying offense has a civil rights association. She arguds that “Just as changing circumstances justified curtailing the right of contracts in the 1930s, today’s networked environment warrants a rejection of free speech absolutism.”

Citron also proposed that website operators be civilly liable for the content of postings on their websites (by means of an exception to 47 U.S.C. § 230, the immunity statute), and that operators be required to collect and maintains ISP logs for all posters.

Last fall, the Denver University Law Review held a symposium about Citron’s proposal, featuring commentary from 11 scholars, plus a response from Citron. Rather than being required to submit a full-length article, the commenters for the on-line symposium were asked to provide a lightly-annotated essays. The full collection of commentary is here, as a PDF. (HTML versions of individual comments are here.)

Essays by Paul Ohm, Viva Moffett, and Wendy Seltzer suggest that mandatory ISP collection and civil liability might cause many problems than they would solve. In response, Citron acknowledges the force of these arguments. Accordingly, she suggests that the best remedies would be to amend federal civil rights rights statutes so that they fully cover the abuses she has described. She also suggests that some version of Notice & Takedown might be appropriate, although, as she detailed in her Boston University article, this has problems of its own.

Comments welcome, of course, but before commenting, please read at least one of the essays, or Citron’s original article.

I have just posted a new draft article, Ex Ante Regulation of Computer Search and Seizure, forthcoming in the Virginia Law Review.

The article is a response to dynamics that have been evolving over the last decade in the lower courts that were turned up to eleven by the Ninth Circuit’s en banc decision in United States v. Comprehensive Drug Testing. The article therefore has a lot on Comprehensive Drug Testing, although it covers much more broadly than that one case.

Here’s the abstract:

In the last decade, magistrate judges around the United States have introduced a new practice of regulating the search and seizure of computers by imposing restrictions on computer warrants. These ex ante restrictions are imposed as conditions of obtaining a warrant: Magistrate judges refuse to sign warrant applications unless the government agrees to the magistrate’s limitation on how the warrant will be executed. These limitations vary from magistrate to magistrate, but they generally target four different stages of how computer warrants are executed: the on-site seizure of computers, the timing of the subsequent off-site search, the method of the off-site search, and the return of the seized computers when searches are complete.

This Article contends that ex ante restrictions on the execution of computer warrants are constitutionally unauthorized and unwise. The Fourth Amendment does not permit judges to impose limits on the execution of warrants in the name of reasonableness. When such limits are imposed, they have no legal effect. The imposition of ex ante limits on computer warrants is also harmful: Ex ante assessments of reasonableness in ex parte proceedings are highly error-prone, and they end up prohibiting reasonable practices when paired with ex post review. Although ex ante restrictions may seem necessary in light of the present uncertainty of computer search and seizure law, such restrictions end up having the opposite effect. By transforming litigation of the lawfulness of a warrant’s execution into litigation focusing on compliance with restrictions rather than reasonableness, ex ante restrictions prevent the development of reasonableness standards to be imposed ex post that are needed to regulate the new computer search process. Magistrate judges should refuse to impose such restrictions and should let the law develop via judicial review ex post.

Comments welcome, as always.

Last Thursday, the Eleventh Circuit handed down a Fourth Amendment case, Rehberg v. Paulk, that takes a very narrow view of how the Fourth Amendment applies to e-mail. The Eleventh Circuit held that constitutional protection in stored copies of e-mail held by third parties disappears as soon as any copy of the communication is delivered.    Under this new decision, if the government wants get your e-mails, the Fourth Amendment lets the government go to your ISP, wait the seconds it normally takes for the e-mail to be delivered, and then run off copies of your messages.

In this post, I want to explain why the Eleventh Circuit’s position is wrong.   I’ll start by explaining the argument’s origins in postal mail cases;  I’ll turn next to Rehberg; I’ll then explain why I think the decision is based on a conceptual error; and I’ll conclude with some final thoughts.

I.  The Source of the Argument: Fourth Amendment Protection in Postal Mail

To see where the 11th Circuit is getting this argument, you need to know a little bit about how the Fourth Amendment protects postal mail and packages.  The Fourth Amendment ordinarily protects postal mail and packages during delivery.  The same rule applies to both government postal mail and private delivery companies like UPS:  As soon as the sender drops off the mail in the mailbox, both the sender and recipient enjoy Fourth Amendment protection in the contents of the mail during delivery.  When the mail is delivered to the recipient, the sender loses his Fourth Amendment protection: The Fourth Amendment rights are transfered solely to the recipient.  In practice, this works pretty simply:  Each party has Fourth Amendment protection in the mail when they’re in possession of it, and both the sender and receiver have Fourth Amendment rights in the contents of the mail when the postal service or private mail carrier is holding the mail on their mutual behalf.

I should be clear that there are exceptions to these rules.  For example, if a person sends a letter in what the Postal Service used to call “Fourth Class” mail — that is, mail that the Postal Service reserves the right to open — then it is not protected by the Fourth Amendment.  See, e.g.,   Also, the Fourth Amendment protection only applies to the contents of the communication, not the outside.   But the basic approach has governed postal mail privacy for a long time.

The new question is, how do to these principles apply to new communications technologies like e-mail and text messages?   Unlike physical letters and packages, e-mails and text messages are just data.  Communications technologies use digital networks that generate copies of the communications in the course of delivery.  Those copies often stick around on servers when a copy of the communication reaches its destination.  The Stored Communications Act provides statutory privacy protection to those communications stored on third-party servers, see 18 U.S.C. 2703.  But does the Fourth Amendment protect those copies of communications as well?  Right now the precedents are extremely sparse.

II. Rehberg v. Paulk

Enter Rehberg v. Paulk, decided by the Eleventh Circuit last week in an opinion by Judge Hull joined by Judges Carnes and Anderson.  The case is kind of complicated, but here’s the relevant part. State investigators suspected Rehberg of a crime, and they allegedly used a state subpoena to obtain the contents of Rehberg’s e-mail from his Internet service provider, Exact Advertising. The complaint suggests that the government obtained both incoming and outgoing e-mails stored with Rehberg’s ISP; according to the complaint, investigators “obtained Mr. Rehberg’s personal e-mails that were sent and received from his personal computer.”

The charges against Rehberg were later dismissed, and Rehberg filed a lawsuit that claimed among other things that obtaining his e-mail with only a subpoena violated his Fourth Amendment rights. The defendants moved to dismiss under Rule 12(b)(6).

The district court denied the motion to dismiss without really analyzing the Fourth Amendment claim, but the Eleventh Circuit ruled that obtaining Rehberg’s e-mails with a subpoena did not violate the Fourth Amendment because e-mail, once delivered, is not protected by the Fourth Amendment:

The subpoenas covered information Rehberg had provided voluntarily to third parties and for which Rehberg did not have a legitimate expectation of privacy. Thus, the subpoenas did not violate Rehberg’s Fourth Amendment rights to be free of unreasonable search and seizure.

In order for Fourth Amendment protections to apply, the person invoking the protection must have an objectively reasonable expectation of privacy in the place searched or item seized. The Supreme Court “consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44, 99 S.Ct. 2577, 2582, 61 L.Ed.2d 220 (1979). “[T]he Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” United States v. Miller, 425 U.S. 435, 443, 96 S.Ct. 1619, 1624, 48 L.Ed.2d 71 (1976).
. . .

A person also loses a reasonable expectation of privacy in emails, at least after the email is sent to and received by a third party. See Guest v. Leis, 255 F.3d 325, 333 (6th Cir.2001) (An individual sending an email loses “a legitimate expectation of privacy in an e-mail that had already reached its recipient”); United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir.2004) (An individual may not “enjoy [ ] an expectation of privacy in transmissions over the Internet or e-mail that have already arrived at the recipient”); see also United States v. Perrine, 518 F.3d 1196, 1204-05 (10th Cir.2008) (“Every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment’s privacy expectation”) (collecting cases).

Rehberg’s voluntary delivery of emails to third parties constituted a voluntary relinquishment of the right to privacy in that information. Rehberg does not allege [the police] illegally searched his home computer for emails, but alleges [the police] subpoenaed the emails directly from the third-party Internet service provider to which Rehberg transmitted the messages. Lacking a valid expectation of privacy in that email information, Rehberg fails to state a Fourth Amendment violation for the subpoenas for his Internet records.

III. Why the Eleventh Circuit is Wrong

I think the Eleventh Circuit’s analysis is wrong. To see why, let’s start by considering Rehberg’s outgoing e-mails, which seem to be the focus of the Eleventh Circuit’s opinion. It is true that when information is disclosed to a third party, the Fourth Amendment no longer protects the information disclosed. That’s the teaching of Miller and Smith (and, for what it’s worth, and I think those teahcings are correct). But when many copies of information are made, you have to treat different copies differently. As a result, the fact that one copy of the communication has been received does not mean that all copies lose Fourth Amendment protection. As I explained in 2008:

Fourth Amendment rights are contextual. Data, whether in the form of numbers (like telephone numbers here) or text (in the case of a diary), does not have a preordained level of Fourth Amendment protection in the abstract. If you store your diary at home under your bed, you have Fourth Amendment rights in your diary because you have stored in it your home. If you go into the park and leave your diary out in the open, you lose Fourth Amendment rights in what you have left open because you have left it open. The Fourth Amendment rights derive from the steps that the government must go through to retrieve the information in context, not the essential nature of the data itself.

This means that you need to look at the government’s access to that particular copy of data, not just any copy of data. For a real-world example, imagine you write a letter and photocopy it before you put it in the mail. You file the copy in your closet and send the original. During the course of delivery, the original is protected by the Fourth Amendment; when it arrives, you lose Fourth Amendment protection. But the fact that you lose Fourth Amendment protection in the original does not mean that the Government can break into your house and read the copy you made. Conversely, the fact that the recipient of the mail does not have Fourth Amendment rights in the copy does not mean that the government can break into the recipient’s house to read the original.

For these reasons, the court should have analyzed access to the e-mails stored with the ISP based on whether there was a reasonable expectation of privacy in that remotely stored copy accessed, independently of delivery of another copy. Given that we’re only at the 12(b)(6) stage, and we don’t yet know all the facts, I don’t think we have any basis to conclude that Rehberg did not have a reasonable expectation of privacy in the e-mails obtained.

The conceptual error in Rehberg is in treating Fourth Amendment rights in the copy stored at the ISP as if it were the same as the Fourth Amendment rights in the copy that was delivered. I don’t think it works that way. The rules of Fourth Amendment protection are particular to each copy: The fact that one copy loses protection does not mean that the other copy loses protection. Indeed, just think about how differently the Fourth Amendment would apply to the postal network and e-mail under the 11th Circuit’s approach. In the postal mail setting, the government could never access postal mail without a warrant. The mail would be protected by the sender’s rights pre-sending; both the sender’s and the recipient’s rights in the course of delivery; and by the recipient’s rights post-delivery. In contrast, there would be much less Fourth Amendment protection in the e-mail setting. Because e-mail usually takes only a few seconds to deliver, the government could just go to the ISP of the person sending the e-mail and take all of their outgoing e-mails right off the server. Real-time wiretapping would be regulated, but the government would have pretty free access to stored contents.

Further, the complaint appears to allege that the government obtained both outgoing e-mails and incoming e-mails. Even if you believe that the sender’s reasonable expectation of privacy disappears as soon as a copy of the e-mail is delivered, presumably that delivery would not eliminate the recipient‘s reasonable expectation of privacy. Recall how this works in the physical letter context: The sender’s rights extinguish when the letter arrives, but the recipient’s do not. Even if you accept the Eleventh Circuit’s argument, it would seem to apply only to e-mail in Rehberg’s outbox, not the e-mail in his inbox.

IV. Some Final Thoughts

Three final thoughts. First, I think it would be a different case, or at least a potentially different case, if the government had obtained the e-mails from the ISPs of people Rehberg had been e-mailing. It’s possible to argue that Rehberg does not have any Fourth Amendment rights in the copies stored on the recipient’s servers: That issue requires answering a somewhat tricky issue of when e-mail is “delivered” for Fourth Amendment purposes, eliminating the sender’s reasonable expectation of privacy. (That issue is actually raised by the DOJ amicus brief in City of Ontario v. Quon; I’ll be blogging about that soon.)

Second, there’s a legitimate argument that the Fourth Amendment does not apply at all to contents, delivered or undelivered, based on a pure application of the third-party doctrine. I don’t read the Eleventh Circuit as trying to make that argument, but I disagree with that position in this forthcoming article.

Finally, my argument does not mean that Rehberg should have necessarily prevailed on his Fourth Amendment claim. The Stored Communications Act expressly allows some contents of communications to be compelled with a subpoena. See 18 U.S.C. 2703(b). Although I think that provision is generally unconstitutional, for reasons cited above, whether that is “clearly established” is of course another matter. Given that the officers have a qualified immunity defense, the officers may be entitled to qualified immunity even if using a subpoena to compel the contents of e-mail violated the Fourth Amendment.

The final version of my most recent article has been posted online: Fourth Amendment Seizures of Computer Data, 119 Yale L.J. 700 (2010).

Eugene links to the complaint in the school-provided-laptop-with-cameras case, and I wanted to offer a few thoughts on it from a legal standpoint. I’ll assume the school’s statement as to what happened is accurate, and the computer’s camera was turned on and a still photo was taken only when the school believed the laptop had been stolen or was missing. (To be clear, I’m not sure that statements is true, but I need to assume something to get a sense of how the law applies: That seems a reasonable starting point.)

My tentative bottom line: The schools violated the Fourth Amendment rights of students when they actually turned the cameras on when the computers were at home. On the other hand, the schools did not violate the federal statutory surveillance laws.

1. The federal Wiretap Act cause of action doesn’t work. The computers allegedly took still images of the student, but the Wiretap Act doesn’t apply to video images. The Wiretap Act applies to bugging audio equipment (“oral communications”), intercepting phone calls (“wire communications”) and intercepting computer communications (“electronic communications.”). But the alleged interception here is of a video image without sound, and the Wiretap Act doesn’t apply. See, e.g., United States v. Koyomejian, 970 F.2d 536, 539 (9th Cir.1992); United States v. Torres, 751 F.2d 875, 880 (7th Cir.1984).

2. As far as I can tell, the Pennsylvania wiretap statute is identical (as relevant here) to the federal Wiretap Act. If I’m right about that, the Pennsylvania wiretap act cause of action doesn’t work either.

3. The Stored Communications Act cause of action is frivolous. Individual laptops are not electronic communication service providers under ECPA.

4. The Computer Fraud and Abuse Act claim doesn’t work, either, even if you can get past the unauthorized access issues, because the civil cause of action under 18 U.S.C. 1030(g) requires you to show loss aggregating at least $5,000. Loss is a defined term under 1030(e)(11) which refers to reasonable economic costs suffered by the intrusion. Also, you can’t aggregate losses for other related intrusions of other students, if there were any, because this isn’t a case brought by the United States Government. See 1030(c)(4)(A)(i)(I). I don’t see how the plaintiff here suffered $5,000 in economic loss. The complaint makes no mention of any such losses.

5. The Fourth Amendment issues here are interesting. I can’t speak to the Pennsylvania common law cause of action, but at least among the other causes of action, this strikes me as the most serious. Let me break down the issues in two steps:

a) This case is brought as a class action, but the Fourth Amendment issues here don’t work as a class action. Any “search” here didn’t occur until the camera was turned on, which according to the school occurred when the laptop was thought to be lost or stolen. That means no search occurred under the Fourth Amendment for students who had laptops that were not turned on. See United States v. Karo, 468 U.S. 705 (1984) (“The mere transfer to Karo of a can containing an unmonitored beeper infringed no privacy interest. It conveyed no information that Karo wished to keep private, for it conveyed no information at all. To be sure, it created a potential for an invasion of privacy, but we have never held that potential, as opposed to actual, invasions of privacy constitute searches for purposes of the Fourth Amendment. . . . It is the exploitation of technological advances that implicates the Fourth Amendment, not their mere existence.”).

b) Taking the photograph inside the home seems pretty clearly to be a search under Karo. The school might try to justify this under the special needs exception: The school issued the laptop and could search it to investigate misconduct under New Jersey v. TLO. The problem with this argument is that the school didn’t search the laptops: They searched the home where the laptop happen to be present.

Is there some other reasonableness framework that can apply in that situation to justify the search of taking the photograph? None come to mind: I would think the government would have to use the probable cause of the computer being taken to get a warrant to justify turning on the camera. So unless I’m just missing something, this was a Fourth Amendment violation for taking the still image of the home without obtaining a warrant.

6. As I said, I’m not sure about the Pennsylvania common law tort claim. I’ll leave that one to the tort lawyers.

The Third Circuit held oral argument today in the case on the legal standard for historical cell-site information. I blogged about this important case here last week, and the oral argument audio from this morning has been posted here at the Third Circuit’s website. It was a very unusual and free-ranging argument that went for almost an hour-and-a-half, more than twice the scheduled 40 minutes. I wanted to blog my thoughts on the argument as I listened to it, as well as provide some of the key exchanges based on my best effort to transcribe them.

To set the scene, the presiding judge is Dolores Sloviter, a former Chief Judge of the Third Circuit, together with Judge Wallace Tashima, a visiting judge from the Ninth Circuit. Judge Jane Roth was also assigned to the panel, but she was absent from the hearing. Judge Sloviter is a Carter appointee; Judge Tashima a Clinton appointee; and Roth a Bush 41 appointee. The lawyer for the United States is Mark Eckenwiler, DOJ’s guru on electronic surveillance. Kevin Bankston from EFF and U of San Francisco lawprof Susan Freiwald argued as amici. This is a very strong group of advocates: All three work in this area regularly and know their way around these issues.

Here are my thoughts about the argument as I listen to it:

Around 5 minutes in, Judge Sloviter has lots of general questions about the Stored Communications Act. Her questions are somewhat surprising, as they concern sections of the statute that are not actually implicated by this case: Judge Sloviter is asking Eckenwiler to opine on why Congress drew a distinction between 2703(a) and 2703(b), while this case is about 2703(c). (I answer Judge Sloviter’s questions in my article A User’s Guide to the Stored Communications Act, if you’re curious.)

At the 15-minute mark, Judge Sloviter contends that the technology is advancing so that cell phones are giving more and more accurate location information. Eckenwiler contends that this isn’t accurate, and takes the court through the history of the FCC regulations on Enhanced 911 and the resolution of cell-site tracking. The oral argument is actually really technically interesting; there’s a lot of interesting stuff about the government’s ability to conduct cell cite surveillance. (As an aside, Eckenwiler really is a guru on this stuff, both as to the law and the technology: He was my neighbor in the Computer Crime Section in my first year at DOJ, and I spent a ton of time in his office annoying him with questions about ECPA, the Fourth Amendment, and the like.)

At the 23-minute mark, Judge Tashima asks if these sorts of records are routinely kept, and thus available to be disclosed. Eckenwiler says that they are not. Judge Sloviter comments that such records are kept for at least 180 days, which reflects a misunderstanding of the statute: The 180-day distinction is about legal standards for compelling contents if kept, and Judge Sloviter seems to think it is about a requirement to keep non-content records.

The most interesting exchange happens at the 28-minute mark. Judge Sloviter has been asking lots of questions about the technology, and she explains that she wants to say why she is asking so many technology questions. Judge Sloviter:

Let me tell you. As I work on this, I listen to the news. And you know that there are governments in the world that would like to know where some of their people are or have been. For example, have been at a what may be happening today in Iran — have been at a protest. Or at a meeting, a political meeting. Now can the government assure us that (1) it will never try to find out that information and (2) whether that informaton would not be covered by [18 U.S.C. 2703](d)?

Eckenwiler responds that he can’t speak to future hypotheticals like that. Judge Sloviter responds:

But don’t we have to be concerned about that? If the statute would permit the government — not this government right now, but a government — to get information as to where, and it doesn’t have a GPS, but this could be instead of a GPS, wouldn’t the government — a government — find it useful, if it could get that information without probable cause?

Eckenwiler then responds by discussing Supreme Court Fourth Amendment caselaw which indicates that this information isn’t protected by the Fourth Amendment. Judge Sloviter responds that she is looking to express her concerns through a reading of statutory law:

But I’ve set aside the Constitution. My concern — and I can’t talk for Judge Tashima — if we can decide this on a statutory basis, aren’t we obliged to do that rather than hypothesize what the decision would be under the Fourth Amendment? . . . And the Congress knew how to say when you have to come up with a warrant, and that’s a constitutional requirement. And it did that in [2703](a), when it was looking at content. It didn’t say a warrant in [2703](d). And that isn’t that what concerned Magistrate Judge Lenihan?

I’m not sure where Judge Sloviter is going here. She seems to want to read the statute as requiring a warrant to address her concerns with the possibility that a future government might monitor political protesters. But the statute is clear that no warrant is required, and besides, the government couldn’t monitor political protesters under 2703(d)’s Terry order standard anyway.

Continue reading ‘Thoughts on the Oral Argument in the Third Circuit Cell-Site Records Case’ »

The federal computer crime statute criminalizes accessing a computer “without authorization” or “exceeding authorized access,” with the important caveat that no one seems to know what it mean to access a computer “without authorization” or to “exceed authorized access.” See 18 U.S.C. 1030. The concepts are particularly tricky in the case of a written restriction on computer access. If a computer owner gives you permission to access a computer for a particular purpose or in a particular way, and you access the computer in ways contrary to those express limitations, does that violation render the access unauthorized? This was the main issue in the Lori Drew case, involving the violation of MySpace’s Terms of Service: The Government’s theory in that case was that an Internet user who violates MySpace’s TOS was thereby accessing the computers without authorization. The District Judge tossed the charges on the ground that this theory would render the statute unconstitutionally vague.

Now consider the Fifth Circuit’s decision yesterday in United States v. John, authored by Judge Owen and joined by Judge Smith and Judge Haynes. John was an account manager at Citigroup who provided her half-brother with customer account information so he and his friends could run up fraudulent charges. In addition to charging John with credit card fraud and conspiracy — the obvious charges in such a case — the government also charged John with unauthorized access to Citigroup’s computers. The government’s theory was that by accessing Citigroup’s computers to further a fraud, in violation of Citigroup’s apparent policies that employees could access information only for work-related reasons, John had committed an unauthorized access. The jury convicted on all counts.

On appeal, John challenged her conviction for unauthorized access on the theory that she was authorized as an employee to access the computer, as recognized recently by the Ninth Circuit in LVRC Holdings v. Brekka. The government responded with the First Circuit’s contrary opinion in EF Cultural Travel BV v. Explorica, Inc., which indicated (albeit rather confusingly) that the scope of an employemnt agreement governs access. The Fifth Circuit seemed a bit skeptical of both the First Circuit and Ninth Circuit’s approaches, instead adopting a relatively narrow theory as to when access to a computer in violation of a use restriction renders access unauthorized:

The question before us is whether “authorized access” or “authorization” may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. We conclude that it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.

To give but one example, an employer may “authorize” employees to utilize computers for any lawful purpose but not for unlawful purposes and only in furtherance of the employer’s business. An employee would “exceed[] authorized access” if he or she used that access to obtain or steal information as part of a criminal scheme.

. . . Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded. In other words, John’s access to Citigroup’s data was confined. She was not authorized to access that information for any and all purposes but for limited purposes.

In the present case, the Government demonstrated at trial that Citigroup’s official policy, which was reiterated in training programs that John attended, prohibited misuse of the company’s internal computer systems and confidential customer information. Despite being aware of these policies, John accessed account information for individuals whose accounts she did not manage, removed this highly sensitive and confidential information from Citigroup premises, and ultimately used this information to perpetrate fraud on Citigroup and its customers.

The opinion isn’t entirely clear, but I think I read the Fifth Circuit as saying that an express restriction on access to a computer is in fact binding at least if it prohibits acts that are criminal and the wrongdoer accesses the computer in furtherance of a criminal act. Or at least that’s the case when the restriction is a use restriction, to the extent there is a distinct category of use restrictions.

I’m not quite sure what I make of this opinion. First, I guess the goal in limiting the reasoning to furtherance of intentionally criminal acts was to be minimalist, but I find the meaning of the limitation sort of puzzling. I assume the standard is not supposed to be circular: That is, the intent to commit a crime is an intent to commit a crime other than unauthorized access. But if that’s so, then doesn’t it sort of turn the statute into the crime of using a computer to commit a crime? That would be ironic given that the prohibition on unauthorized access was originally designed to reject such an approach (see Senator Ribicoff’s 1977 proposed legislation that Congress never enacted, built on that standard). And isn’t it at least a little odd to use intent to commit a crime as important to authorization when that is also the test for the felony enhancement? It seems like triple-dipping: Intent to commit a crime triggers the misdemeanor, the felony, and the other substantive crime all at the same time.

Or perhaps the court is thinking that it wants to say that some written restrictions are recognizable under the unauthorized access statutes and others aren’t, and this is the first in what may be a case-by-case determination of which restrictions are recognized? Perhaps. I think you could build such a framework using vagueness doctrine: You could say that written restrictions are binding in circumstances when such a theory would not render the statute unconstitutionally vague, and then have a case-by-case determination of when such restrictions are permitted. You could have one set of rules for employees, for example, another for Internet use restrictions, etc. My forthcoming article on Vagueness Challenges to the Computer Fraud and Abuse Act suggests such a course. It will be interesting to see if John is eventually fit into such a framework.

More broadly, the Fifth Circuit’s lack of comfort with the analysis of both the First Circuit and the Ninth Circuit is pretty interesting. The facts of each of these cases are quite different, so at this point I see conceptual tension but not yet a formal circuit split. (The John case is also a bad vehicle because it’s a plain error case.) But I expect to see these issues leading to more disagreements among the circuits in coming years, leading to eventual Supreme Court review of just what makes computer use “without authorization” or “exceed authorized access.”

Next week a panel of the Third Circuit will be hearing oral argument in a case that considers whether federal law requires a warrant for the government to obtain historical cell-site records. I blogged a bit about this when the District Court’s decision was handed down, and I thought I would say a bit more now that the issue is before the Court of Appeals.

As I mentioned when I blogged about this issue in 2008, I think the answer to this case is easy: A Terry-stop “specific and articulable facts” court order is required, but a probable cause search warrant is not. As a statutory matter, the Stored Communications Act is clear here. The cell-site records count as a “record concerning an electronic communication service” under 18 U.S.C. 2703(c). Under 18 U.S.C. 2703(c)(2), such records can be compelled with a Terry stop “specific and articulable facts” court order obtained under 18 U.S.C. 2703(d).

But is this standard unconstitutional? That is, does the Fourth Amendment require a warrant backed by the exclusionary rule instead of the lesser standard and lesser remedy Congress has chosen? In her amicus brief, Professor Susan Freiwald argues that the Fourth Amendment protects cell-site info, which would require a warrant. But I think that is pretty clearly wrong under the Supreme Court’s decision in Smith v. Maryland. A cell site signal is closely analogous to numbers dialed in Smith: It’s a signal that the user sends to the phone company that is necessary for the phone company to deliver the user’s calls. It is a necessary part of placing the call, and information that is necessarily transmitted to the phone company. Professor Freiwald relies on various authorities to try to get around Smith v. Maryland, but I don’t think any of them work. Justice Harlan’s dissent in United States v. White was a dissent and has never been the law; Berger v. New York was a case involving content rather than non-content information; and Judge Posner’s opinion in United States v. Torres was on what kind of warrant was required for video surveillance, not whether such surveillance was a “search” in the first place. I don’t think any of these arguments can get around the pretty clear analogy to Smith v. Maryland.

The EFF’s amicus brief argues that cell site data is different than numbers dialed in Smith because people can reasonably not know that their cell phones need to communicate with cell towers to work. On that theory, people reasonably expect that their location information is private because they don’t know how cell phones function. But that seems to me like the kind of “magic box” argument that is inconsistent with Smith. In Smith, the Court presumed a telephone user who had a general understanding of how phones work: The Court presumed that people understand that when they dial a phone number, that phone number is communicated to the phone company and disclosed to them so the phone company can place a call.

Following Smith, I think the Third Circuit needs to assume that people know the basics of how cell phones work. Cell phones don’t work by magic: The phones need to communicate their location with nearby cell towers so the service provider knows where to route the calls. In my view, it’s hard to see why the Fourth Amendment should afford constitutional protection to a user’s failure to have that basic understanding. Such an approach would be especially problematic given that social understandings of how technology works can change quickly. My sense is that the percentage of cell phone users who have a basic understanding of how cell phones work increases every year. And once you know how a technology works, that understanding tends to stick. Given that, basing a rule on the incorrect understandings of a decreasing percentage of the population seems quite short-sighted.

Another argument sometimes made is that the statutory protections of the Electronic Communications Privacy Act itself should make an expectation of privacy in location data constitutionally reasonable. The argument is that Fourth Amendment privacy is sometimes phrased in terms of what “society” is prepared to accept as reasonable. By protecting the location data by statute, “society” has spoken. This argument doesn’t work, either, for a range of reasons. The first problem is the obvious bootstrapping problem. When the Fourth Amendment protects information, it protects that information with a probable cause standard and particularity backed by the exclusionary rule. In contrast, when Congress enacts legislation to protects by statute that which the Fourth Amendment does not cover, it often chooses a lesser standard and lesser remedy. (That is the case here: the standard is lower and there is no exclusionary rule.)

Saying that the legislative creation of lesser protection and a lesser remedy triggers the constitution’s higher protection and higher remedy is just bootstrapping; one might equally read the same clues as evidence that society does not construe the information as private because the legislature specifically rejected the constitutional protection standard. Put another way, if the existence of legislation shows that “society” recognizes that something is private, it is a strange homage to that judgment to strike down the legislation that is allegedly the evidence of society’s judgment. It seems to me that statutory and constitutional protection have to be considered separately.

Finally, some argue that Smith v. Maryland is wrongly decided. I happen to disagree; I think Smith is correct, as I argued in this article. But whether Smith is right or wrong, the Third Circuit is bound to follow it.

Should courts adopt a new set of Fourth Amendment rules to regulate how the police can search computers for evidence? In particular, does the fact that so much electronic evidence outside the scope of a warrant can come into “plain view” during a computer search require a different approach to whether that evidence outside the scope of the warrant should be admitted?

Some courts have thought so. In the Tenth Circuit, for example, the usual objective test for admitting plain view evidence has been replaced by a subjective test designed to narrow the scope of plain view: Evidence outside the scope of a warrant is permitted in plain view only if the agent was subjectively looking for evidence within the scope of the warrant. And in the Ninth Circuit, the en banc court recently adopted a complex set of prophylactic rules to avoid admission of plain view evidence altogether in United States v. Comprehensive Drug Testing.

In the last two days, however, two circuits have handed down published decisions creating apparent circuit splits on both of these aspects of how the plain view exception applies to computer searches. Both of these circuits, the Fourth and the Seventh, reject the idea of adopting new rules for computer search and seizure.

1. United States v. Williams. The first decision is a Fourth Circuit opinion by Judge Niemeyer in United States v. Williams, expressly disagreeing with the Tenth Circuit’s plain view decision in United States v. Carey. Carey adopted a subjective test for the plain view exception to computer searches: Under that approach, the question is whether the agent who was searching through the computer was subjectively looking for evidence within the scope of the warrant. Judge Niemeyer disagreed:

Williams, relying on the Tenth Circuit’s opinion in United States v. Carey, advances an argument that the plain-view exception cannot apply to searches of computers and electronic media when the evidence indicates that it is the officer’s purpose from the outset to use the authority of the warrant to search for unauthorized evidence because the unauthorized evidence would not then be uncovered “inadvertently.”

This argument, however, cannot stand against the principle, well-established in Supreme Court jurisprudence, that the scope of a search conducted pursuant to a warrant is defined objectively by the terms of the warrant and the evidence sought, not by the subjective motivations of an officer.

While Williams relies accurately on Carey, which effectively imposes an “inadvertence” requirement, such a conclusion is inconsistent with Horton. Inadvertence focuses incorrectly on the subjective motivations of the officer in conducting the search and not on the objective determination of whether the search is authorized by the warrant or a valid exception to the warrant requirement

In this case, because the scope of the search authorized by the warrant included the authority to open and cursorily view each file, the observation of child pornography within several of these files did not involve an intrusion on Williams’ protected privacy interests beyond that already authorized by the warrant, regardless of the officer’s subjective motivations.

Judge Niemeyer concluded by emphasizing that computer search and seizure rules should be the same as traditional search and seizure rules:

At bottom, we conclude that the sheer amount of information contained on a computer does not distinguish the authorized search of the computer from an analogous search of a file cabinet containing a large number of documents. . . . We have applied these rules successfully in the context of warrants authorizing the search and seizure of non-electronic files, see Crouch, 648 F.2d at 933-34, and we see no reason to depart from them in the context of electronic files.

2. United States v. Mann. Meanwhile, just yesterday, the Seventh Circuit handed down United States v. Mann, another plain view computer case that was authored by Judge Rovner. The Mann court seems to accept the Carey inadvertence standard for plain view (or arguably takes a third approach, that the test is whether the agent knew or should have known that the file opened was outside the scope of the warrant).

But in the court then goes on to reject the Ninth Circuit’s Comprehensive Drug Testing decision:

Although the Ninth Circuit’s rules provide some guidance in a murky area, we are inclined to find more common ground with the dissent’s position that jettisoning the plain view doctrine entirely in digital evidence cases is an “efficient but overbroad approach.” Id. at 1013 (Callahan, J., concurring in part and dissenting in part). As the dissent recognizes, there is nothing in the Supreme Court’s case law (or the Ninth Circuit’s for that matter) counseling the complete abandonment of the plain view doctrine in digital evidence cases. Id. We too believe the more considered approach “would be to allow the countours of the plain view doctrine to develop incrementally through the normal course of factbased case adjudication.” Id. We are also skeptical of a rule requiring officers to always obtain pre-approval from a magistrate judge to use the electronic tools necessary to conduct searches tailored to uncovering evidence that is responsive to a properly circumscribed warrant. Instead, we simply counsel officers and others involved in searches of digital media to exercise caution to ensure that warrants describe with particularity the things to be seized and that searches are narrowly tailored to uncover only those things described.

Two circuit splits on computer search and seizure in two days — not bad. I’ll probably offer some commentary on these decisions over the next few days, but for now I just wanted to note the new decisions. Thanks to Doug Berman for bringing them to my attention.

Two weeks ago, I wrote a post seeking updates on United States v. Payton, a Ninth Circuit computer search and seizure decision that I think was wrongly decided. Howard Bashman notes that on Friday the Ninth Circuit handed own this seven-page order explaining what happened. It seems that there was interest in rehearing the case en banc from at least one member of the Ninth Circuit, but that mootness may have gotten in the way because the government concluded there were bigger fish to fry in the CA9 and did not seek rehearing. The court also concluded that it should not vacate its decision in light of the mootness, which I think was procedurally correct even though I think the decision itself was wrong. So the bottom line is that Payton stays on the books.

A federal district court in Texas recently handed down a new case on the scope of computer warrant searches that shows how important and yet uncertain the rules of computer search and seizure are these days: United States v. Kim, — F.Supp.2d —, 2009 WL 5185389 (S.D. Texas 2009). The case was handed down December 23 by District Judge Vanessa Gilmore.

Law enforcement agents were searching a computer with a warrant for evidence of computer hacking when they come across folders containing encrypted files with the suggestive titles such as “ForbiddenFruit”, “Illegal_Loli #”, and “Loli#”. The files were encrypted with “CryptaPix,” encryption software that is generally known as a way to encrypt image files. The agents requested a warrant to open the files and search for child pornography, but the magistrate rejected the warrant application on the ground that there was insufficient probable cause. The government decided to try to decrypt the files anyway under the authority of the warrant to search for evidence of computer hacking. It took two months, but eventually the government decrypted the images and found 840 images of child pornography.

The district court suppressed the child pornography images as being beyond the scope of the warrant. However, the court did not follow the subjective approach that several courts have used in the computer search and seizure context to measure the scope of the warrant. (Under the subjective approach, courts look to whether the agents subjectively was trying to stay within the scope of the warrant when he clicked on the file.) Instead, the court concluded that it was objectively unreasonable for the government to decrypt the images based on its alleged interest in searching for evidence of computer hacking:

Looking in the encrypted folders for evidence of Computer Intrusion was unreasonable for several reasons. First, none of the other evidence of Computer Intrusion was located in encrypted folders. Agent Mance signed a sworn affidavit to the court asserting that he believed the encrypted folders to contain evidence of child pornography. He did not mention that the folders could contain evidence of Computer Intrusion. . Second, the encrypted folders were created five years before, and last modified approximately three years before the dates of the alleged computer intrusion.

Third, Cryptapix, the software used to encrypt the folders in question was not the type that could be used to encrypt images. At the hearing McGrody, the Government’s witness, established that the Defendant had version 2.2 of Cryptapix on his computer. Only Cryptapix 3.04, which was created in 2009, had the technology to store data as image files. Cryptapix 2.2, the version that the Defendant had on his computer and the version used to encrypt the files in the folder allegedly containing evidence of child pornography, did not have this feature.

Finally, at the hearing, Agent Symeonidis testified that the Government did not find any evidence of Computer Intrusion on the computer allegedly containing evidence of child pornography. In fact, McGrody testified that the Government did not have any evidence that the IP address of the computer containing the encrypted files attempted to gain access to the GEXA network. In fact, he stated that none of the IP addresses discussed in the search warrant belonged to the computer containing the encrypted files. Accordingly, the Court finds that when the Government agents began looking at the encrypted files, they were acting outside the scope of their warrant.

For the reasons stated above, the Court finds that when the Government agents decided to spend two months decoding the files in the encrypted folders, they did not do so in continuation of a valid search for evidence of Computer Intrusion. Rather, the Court finds that the Government examined the encrypted folders searching for evidence of child pornography, in direct defiance of the magistrate court’s order. The Court finds that the Government’s attempts to claim that they discovered the files while looking for evidence of Computer Intrusion is a clear attempt to justify the government’s warrantless search for evidence of child pornography and to manipulate the Court into authorizing their defiance of the Magistrate’s order.

This decision reminds me of United States v. Payton, the recent Ninth Circuit case in which the Ninth Circuit suppressed evidence found in a computer on the ground that there was no reason to think the evidence in the warrant would be on the computer. Like Payton, Kim reaches that result through a general reasonableness analysis: It seems to have a sense of when it would be objectively reasonable to open a particular file, much like Payton had a sense of when it was objectively reasonable to look inside a computer.

My own view, as I expressed in this 2005 article, is that the eventual answer — the least bad alternative, really — will be for courts to eliminate the plain view exception in the computer search and seizure context. The problem with a general reasonableness analysis is that courts have very little sense ex ante of what kinds of computer forensic searches are reasonable. Judges are not computer forensic specialists: They aren’t very well-positioned to distinguish reasonable from unreasonbale computer forensic steps. You can see that in Kim: The reasons why the court concludes it was ex ante unreasonable to decrypt the files ends up relying in large part on what the government found ex post, after the files were decrypted.

Imagine the next case. A hacker has read the Kim case, so he takes his hacker files, encrypts them using Cryptapix, and labels the folder “childpornpics.” The government comes across the folder when they’re searching the computer under a warrant for hacking evidence. Under Kim, are they allowed to even try to decrypt the files? You could read Kim as indicating that they can’t, as it would be unreasonable given the file label. Alternatively, you can read Kim as saying that the reasonableness of decrypting the files depends on what evidence they find: It’s reasonable if they end up finding evidence within the scope of the warrant but not if they find evidence outside the scope of the warrant. But if you take the latter interpretation of Kim, that’s just a complicated way of saying that the plain view exception doesn’t apply. Think about it: If the reasonableness of the search depends on whether the evidence discovered is within the scope of the warrant, that’s just an indirect way of saying that the evidence is allowed if it’s within the scope of the warrant and excluded if it’s outside the scope of the warrant.

Anyway, stay tuned: With recent cases like Payton, CDT and Kim, this seems to be an area that is moving fast these days. Thanks to Susan Brenner for the case information; she also has a post on the case at her cyb3rcrim3 blog.

Yesterday U.S. District Judge Patrick Schiltz of the District of Minnesota issued an interesting order regarding a restitution application in a child pornography case.   In his order, found here, Judge Schiltz chastises the government for failing to pursue restitution for child pornography cases in his district, even though Congress has made restitution mandatory in such cases.  Judge Schiltz wrote:

This Court has recently handled a number of other child-pornography cases in which the United States Probation Office has identified victims who are seeking restitution.  Notwithstanding the strict mandates of § 2259, the government has also declined to pursue restitution in those cases. Given the clear Congressional mandate that those convicted of child pornography offenses pay restitution to their victims, the Court will no longer accept silence from the government when an identified victim of a child-pornography offense seeks restitution.  If the government declines to seek restitution, the government will have to give the Court some explanation for its decision.

The statute that Judge Schiltz cites, found here, directs district courts to order restitution for the “full amount of the victim’s losses.”  In this particular case, a young girl who was raped and had pictures of the crime taken seeks several million dollars in restitution to pay for counseling and other expenses resulting from the crime. 

The victim has sought these damages not only from the defendant convicted in this case in Minnesota but more broadly from every defendant convicted of viewing the images taken of her  against her will.   For instance, she sought such restitution in Texas.  There, a federal district court judge ruled that she could not trace her injuries specifically to the particular defendant convicted in that case.  She sought mandamus relief in the Fifth Circuit, which held in a recent opinion that the district judge was not “clearly and indisputably” wrong in declining to order restitution for the girl.  [Full disclosure: in the district court, I filed a brief on behalf of the National Crime Victims Law Institute supporting the restitution application.] 

The issue of restitution in child pornography cases is an interesting and important one that seems destined to ultimately go to the U.S. Supreme Court.  My own view is that Congress drafted a very broad restitution statute designed to give the maximum possible recovery to victims of child pornography.  Moreover, if any doubt existed about how to interpret this remedial statute, it should be resolved in favor of the innocent victims of these offenses rather than the criminals who continue to cause injury by illegally possessing the pictures in question.

Yesterday the Justice Department filed its Brief in Support of Rehearing En Banc By the Full Court in United States v. Comprehensive Drug Testing, the blockbuster computer search and seizure case I have blogged a lot about. From the introduction:

The en banc panel’s decision announced sweeping new rules for warrants to search computers that are having an immediate and detrimental effect on law enforcement efforts. In some districts, computer searches have ground to a complete halt, and, throughout the Circuit, investigations have been delayed or impeded. Magistrate judges are uniformly viewing compliance with the newly announced rules as mandatory, but they are implementing those rules in vastly different ways. All of this was unnecessary. The parties in these cases disagree about the proper resolution of the issues presented for decision, but they agree on one fundamental point: The new rules that the en banc panel announced for the issuance and execution of warrants to search computers were unnecessary to the issues presented in these cases.

The en banc panel stepped outside the proper role of an Article III court when it set forth detailed protocols that purport to bind, and that are being understood as binding, magistrate and district judges in future cases. The seminal issues surrounding computer searches should be resolved in actual controversies—not through “guidance” that “magistrate judges must be vigilant in observing.” Op. 11891-11892. On the merits, the detailed protocols announced by the en banc panel conflict with Supreme Court decisions interpreting the Fourth Amendment and the scope of a federal court’s supervisory power. If fully implemented, they also would conflict with amendments to the Federal Rules of Criminal Procedure that are scheduled to go into effect within days.

The United States is mindful that this Court has never granted full court en banc. Indeed, the federal government has never asked the Court to do so. But the broad issues unnecessarily addressed in the en banc panel’s opinion are of surpassing importance and compel that extraordinary action. The full Court should enter an order that vacates the Court’s judgment in these cases and withdraws the en banc panel’s decision. The full Court should then either issue a new opinion limited to the issues properly before it or, at a minimum, allow the parties to brief the appropriateness of the sweeping new protocols announced by the en banc panel.

A few quick thoughts:

1) I don’t think I have ever seen a brief signed by the SG, Deputy SG, AAG, DAAG, and all of the United States Attorneys in a Circuit. If you’re presently a DOJ official and your name isn’t on the brief, you are probably feeling left out.

2) I thought the brief was excellent on the whole, although, as you might guess given my previous writing, I was not entirely persuaded by the harms of eliminating plain view for digital evidence. For example, in the case mentioned on pages 6-7 involving the men who had filmed themselves raping a child, the warrant could just be drafted broadly enough to include any images of child pornography and any evidence of unlawful child sex offenses. That way, evidence of other victims would be included within the scope of the warrant and there would be no need to rely on “plain view.” But that’s a quibble; I thought the brief was well done.

3) Given that all the parties to the case agree that the “guidance” sections were unnecessary, the sensible course would be for the Ninth Circuit to amend the opinion and take the “guidance” sections out. That is, keep the sections that were briefed and responded to the case, and take out the stuff with all the prospective rules beyond this case. Do that and everybody goes home happy, without the time and effort of going super-en-banc or the prospect of Supreme Court reversal. That seems like the sensible course to me, at least.

I’m pleased to announce that the Second Edition of my Computer Crime Law casebook has just been published. A few quick points about it, for those who are interested in such things:

1. About 20% of the main cases are new, reflecting the dramatic caselaw development in the field since the 1st edition came out in 2006. Regular readers of the VC will be familiar with a bunch of the new cases, as I’ve blogged about several of them. The most recent case in the book is the Lori Drew case, handed down on August 28th (and edited down to about 5 pages instead of 32).

2. Despite the many new cases and notes, the book is just about the same length as before. The 1st edition was 665 pages plus the statutory materials in the appendix; the 2nd edition is 684 pages plus the statutory materials in the appendix. I didn’t want the book to become bloated, as can happen to successive editions, so I tried both to add in what was needed and to take out what was no longer as useful or relevant as before.

3. I’m finishing up a Teacher’s Manual for the book, and I will also soon have a free online Supplement available for the Spring 2010 semester to include the several important caselaw developments just in the last 2 or 3 months.