pageok
pageok
pageok
No Fourth Amendment Protection in E-Mail Addresses, IP Addresses, Ninth Circuit Holds:
Commentators and Congress have long assumed that government surveillance of non-content "header" information like e-mail addresses and IP addresses, typically done by a service provider, do not violate a Fourth Amendment "reasonable expectation of privacy." Today the Ninth Circuit became the first court to hold this directly in United States v. Forrester.

  My major concern with this opinion is that, unless I'm missing something, the opinion does not actually say how the surveillance occurred. The Court states that the government used "a pen register analogue on [the defendant]'s computer" to collect the IP address, to/from e-mail addresses, and total volume transferred. But the reader is left guessing what that means.

  Consider two possibilities. The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. If so, the analogy to Smith v. Maryland is really clear, and the result in Forrester is clearly correct. The second possibility is that the Court meant what it said literally: the government installed a pen register analogue "on [the defendant's] computer," which seems to suggest some kind of surveillance device actually inside the person's machine. If that's right, I tend to think this is a different case. At that point the facts become a lot more like United States v. Karo, the locating device case, where the use of a surveillance device inside the home was held to be a search.

  So which one of these sets of facts occurred? We don't know, as best as I can tell, and without knowing I find it hard to tell if I agree with the decision. More broadly, it will be hard for other courts to know what to make of the precedent: Is the court saying that the government can remotely install a surveillance device on your personal machine so long as the information collected doesn't implicate a reasonable expectation of privacy? Or are they only saying that the provider can collect that information from inside the provider's network on the government's behalf?

  Maybe I'm just missing the part of the opinion that explains this? If so, please let me know in the comment thread. And thanks to Terry Edwards for the link.

Related Posts (on one page):

  1. Amended Opinion in Forrester:
  2. Can the FBI Install Spyware on Your Computer Without A Warrant?:
  3. No Fourth Amendment Protection in E-Mail Addresses, IP Addresses, Ninth Circuit Holds:
David Huberman (mail):
The government had a court order to install a pen register on the defendant's computers, presumably. USC3121. Yes? New(ish) devices called "pen registers" (borrowing the name from the literal pen registers of the telephonic age) are used to capture electronic data by LEAs.
7.6.2007 7:36pm
OrinKerr:
Yup, they had a pen/trap order. The question is whether that was sufficient.
7.6.2007 7:39pm
David Huberman (mail):
Why wouldn't it be? If a telephonic-age pen register (capturing telephone number information) was not a search under SCOTUS precedent, then why would an electronic-age pen register (captureing IP addresses and e-mail header information) constitute a search? I hate to stand behind the 9CA (because I have a fear of having tomatoes thrown at me) but their conclusion doesn't seem unreasonable to me. The technology is philosophically similar, in my opinion.
7.6.2007 7:52pm
Pete Fanning (mail) (www):
Ok, I'm not a legal person, just a technical person, but the same type of information can be captured prior to it's reception by the user. For example, an organization or ISP sets it's MX record to have mail delivery to a frontend spam prevention device, which inspects EVERY mail item prior to delivery to the intended mail system, a different system alltogether....

This spam prevention device "in theory" can gather the same information the government is looking for....
7.6.2007 7:55pm
David Huberman (mail):
To add color to my thoughts, if the government installed a pen register on my computer terminal, it would show that right now, my computer is accesssing 66.98.172.69 on port 80 (that's a web browsing session to www.volokh.com). Ignoring the e-mail part for a moment, all it shows is that I am exchanging packets of data with a remote site. To me, that's philosophically similar (if not near identical) to the government installing a pen register on my desk's telephone and noting that I recently called someone at 703-xxx-xxxx.

Since Smith v. Maryland indicates the latter is not a search, why should the former be possibly thought of as a search?

Apply same logic to e-mail, since the headers contain sender/recipient information (though they also contain some subject matter information).
7.6.2007 8:03pm
David Huberman (mail):
Pete, an MX record for a hostname points to a device (or set of devices): a mail relay. Not all mail relays filter mail through spam traps. Those that do are not established uniformly. There are many different flavors of mail handling software for mail relays (and many different operating system for mail relays) and many different types of spam traps (some of which may capture information as its scanned, some of which may not). When further considering encryption technologies, the best place for the government to perform surveillance of a person's internet use is at a terminal.
7.6.2007 8:09pm
David Huberman (mail):
To add one more thought (last comment, I promise), I think I finally see what Professor Kerr is saying. The pen register is likely NOT installed on a subject's computer in a residence (for example). It is likely installed similarly to a telephonic pen register, either at the demarc for DSL or leased line or the breakout for your local cable loop.
7.6.2007 8:16pm
Justin (mail):
Another Fisher opinion. Judge Fisher is writing MANY very sweeping opinions on electronic privacy, and the result in toto is very unsettling. On the bright side, this seems to be the least unsettling of his opinions. I haven't thought about whether its correct, or have too much time to even read it. I"ll check back in a bit.

I'm also not sure whether I agree with the pen register thing. Normally I'd just flat out disagree - I take a virtual rather than physical view of the 4th Amendment when dealing with electronic privacy - but if there was an ACTUAL physical presence on the person's property - i.e., if they installed a bug - then I'd be a little concerned in any event. Maybe there needs to be a physical AND virtual view - but with a very limited understanding of what physical means?
7.6.2007 8:25pm
OrinKerr:
Just to be clear, I'm not sayng it is necessarily a different outcome if the device is installed on the defendant's actual machine. But I think it becomes a much harder case, as at that point it becomes harder to fit in the voluntary disclosure rationale of Smith. Smith was an incoherent Blackmun opinion that like many Blackmun opinion throws out 4 or 5 arguments and lets you take your pick, but one argument was that the phone company could collect the information because it was in effect a party to the communication -- it was the recipient of the numbers dialed. That analogy becomes a harder case if the device is installed on the suspect's machine without even the knowledge of the phone company.
7.6.2007 8:30pm
TechieLaw (mail) (www):
The original USSC pen register case explained that a person does not have a reasonable expectation of privacy in the numbers dialed from their home telephone. Thus, no 4th Amendment violation if obtained without a warrant.

Shortly afterwards, Congress passed a law prohibiting law enforcement from obtaining this information without a warrant. In other words, Congress seemed to be saying that people do in fact, assume that the phone numbers they dial are private.

If that is the case, I'm curious why the pen register decision has never been reviewed and overturned. I'm going to assume that the "reasonable expectation of privacy" is a fluid concept that can change over time based on current expectations. As the recent HP case made clear, obtaining somebody's phone records is well beyond the scope of what citizens consider to be normal, polite, and ethical behavior. By this point in time, I see no reason why the court can't finally say "yes, you have a reasonable expectation of privacy in the numbers dialed from your phone." Basically what I'm saying is that even if the pen register case was rightly decided 30 years ago, our expectations of behavior have long since questioned that decision.

And, if that's true, the modern equivalent of phone numbers -- IP addresses, etc. -- should be just as protected.
7.6.2007 8:32pm
OrinKerr:
TechieLaw,

The Fourth Amendment doesn't work that way. If you want to get into the details of why, this article of mine might help.
7.6.2007 8:36pm
TechieLaw (mail) (www):
Orin:

Perhaps it's time to rethink the idea that if you entrust information to a 3rd party you have abdicated your privacy w/r/t that information except in some very specific circumstances.

I can't cite this, but in NY, there is supposedly no expectation of privacy in your bank records -- so the police can get them without a warrant. Assuming this is true, doesn't that disturb you? Most people consider their bank records and other financial information to be one of the most private pieces of information they have.

Perhaps it's time to move towards a more sliding scale 4th Amendment jurisprudence that considers more than just a binary yes-it's-private, no-it's-not-private system. The fact is that it's virtually impossible today *not* to entrust certain types of information to others while still living in modern society. Sure, you can keep all your cash under your mattress -- in which case you'll have some privacy in your finances -- but very few people are willing to do that. Perhaps we need to begin considering the context in which people entrust information to others via certain types of business relationships. Phone records, bank records, and ISP records are all the kinds of things which most people would be horrified to find released without their information. The service providers in these cases are "entrusted" with this information in the eyes of most people. (Also, for simplicity, I'm going to limit this suggestion to certain commercial relationships; a secret you tell your best friend shouldn't get protection.)

Would it be a more difficult system than the current yes-no jurisprudence? Absolutely. But it would also more realistically approximate how people view expectations of privacy.
7.6.2007 8:44pm
TechieLaw (mail) (www):
Just saw your posting about your article -- will look at that...
7.6.2007 8:46pm
Tom Cross (www):

Since Smith v. Maryland indicates the latter is not a search, why should the former be possibly thought of as a search?

Does it really matter that its the same kind of information? Perhaps its more important to consider to what extent the information is disclosed to a third parties.

In the early days of the phone system you had to actually tell a human being who you wanted to call before a call could be connected. Obviously a third party at that point knew who you were calling. The line that courts have drawn between phone numbers and call content seems (and IANAL) to have something to do with the fact that the phone company actually does things with the numbers, such as connecting the call, billing, etc and so some phone company employee might reasonably come across this information in the course of doing his or her job.

This seems to get less and less reasonable the more automated things are. Would an employee at an ISP ever come across the IP addressess you've accessed? Not unless they installed a sniffer, in which case they'd see the content as well. Same thing for email. The To and From addresses are stored in the same file as the content. You open it, you see everything.

So the idea that on the Internet third parties are walking around with this addressing information, and so you've no expectation of privacy in regard to it, but they aren't aware of the content of the communications, so you can consider that private, isn't terribly realistic. IHMO either you've got a natural expectation of privacy in regard to all of it or none of it.
7.6.2007 9:29pm
Ned Ulbricht (mail):
These judges are smoking crack.

On p.8086 (p.16 in PDF), "We therefore hold that the computer surveillance techniques that Alba challenges are not Fourth Amendment searches."

But according to the description on p.8075 (p.5 in PDF), the government installed surveillance software or hardware on Alba's computer.

The surveillance began in May 2001 after the government applied for and received court permission to install a pen register analogue on Alba's computer.


This was a fourth amendment search even under the (pre-Katz!), Silverman standard! If the government hadn't had a court order, I'd have no problem seeing a computer trespass! For the Ninth circuit to "hold" that these techniques are not fourth amendment searches defies credulity.

This Ninth circuit panel has lost its collective mind. They're smoking crack.
7.6.2007 9:48pm
Justin (mail):
After thinking about it, I think the opinion is correct under Orin's hypothetical facts. I'm still concerned about the tresspass, though - I think you need a warrant for any physical tresspass. In the end, I think there is (in a normative sense only) both a physical and virtual view of the 4th Amendment, for pragmatic reasons if nothing else.
7.6.2007 9:52pm
Henry Schaffer (mail):
The pen registers I used to read about were installed in the Central Office, not in the person's home or office. So there was no physical intrusion. Of course the pen register (which used to be a sizeable piece of equipment) could have been installed in the home/office - but there would be no benefit in doing so.

Is installing "a pen register analogue on Alba's computer" physical intrusion?
7.6.2007 10:02pm
Thief (mail) (www):
Random Friday night curveball:

Would it make a difference if the pen register analogue was remotely installed on the defendant's computer? (e.g. through some kind of remote exploit or Trojan Horse?)
7.6.2007 10:12pm
JM Hanes (mail):
This seems an appropriate moment for paying our respects to the Sun Micro CEO who told us nearly a decade: "You have zero privacy, anyway. Get over it."

As sundry movements to amend the Constitution have waxed and waned, I've been arguing that privacy merits status as an essential right. It deserves explicit constitutional protection and is increasingly vulnerable without it. Ordinarily, assumptions about what the Founders might or might not have sufficiently envisioned generally depend on the eye of the beholder. In this case, however, we ourselves only began to understand the powers we're unleashing a mere ten years ago. It seems increasingly clear that the nature and magnitude of potential - revolutionary! -- incursions upon one's person, in everything from medicine to electronics, represent a substantially new threat for which we are poorly provisioned and pose legal questions we are poorly equipped to answer consistently. We will not be able to limp between penumbra and expectation successfully much longer.

Unfortunately, Conservatives, who should be the natural proponents of a privacy amendment, have been hopelessly compromised by their commitment to a pro-life position which is fundamentally and necessarily anti-privacy. Anyone who disagrees should feel free to take up the challenge I'd like to propose to the Conspiracy's legal gurus:

If you could fashion a 28th Amendment, codifying the expectation of privacy, what would it look like?
7.7.2007 12:23am
Semper Why (mail):
David Huberman's post at 7:16 is correct. Pen registers are not installed on the target's machine. It's roughly equivalent to putting a man at the post office and reading the addresses on the envelopes as they pass by.

I suspect the court's terminology of "a pen register analogue" is being used in a broad sense. I submit you can translate it into layman's language as "A surveillance collection technique that is analogous to pen registers of old was used to collect the data".
7.7.2007 12:40am
vukdog:
Why are the banks, phone companies, and ISP's so forthcoming with all this information? Seems a company could gain a substantial competitive advantage by refusing to cooperate in these types of cases. Perhaps I'm misunderstanding something, but absent a warrant, the ISP's are under no legal obligation to turn over this information. I guess with the terrorism threat this type of policy could actaully backfire. Furthermore, there seem to be other ways to get the information in any event unless the messages are encrypted.
7.7.2007 1:03am
Larry Fafarman (mail) (www):
This United States v. Forrester opinion shows why that new court rule, Rule 32.1 of the Federal Rules of Appellate Procedure, which allows citation of unpublished opinions in all federal circuits, is a very bad idea. If this published opinion does not clearly describe the case's background, then what is the likelihood that an unpublished opinion will clearly describe the case's background?

Also, I am wondering -- to what extent should an ISP be expected to cooperate with investigators in invading the privacy of a customer?
7.7.2007 1:07am
vukdog:

This United States v. Forrester opinion shows why that new court rule, Rule 32.1 of the Federal Rules of Appellate Procedure, which allows citation of unpublished opinions in all federal circuits, is a very bad idea.

I didn't know this rule was passed. I think it's a good rule nevertheless if the notion of precedent is supposed to mean anything. Does this mean there is no longer any practical difference between published and unpublished opinions?
7.7.2007 1:20am
Bruce Hayden (mail) (www):
I would be very interested in what actually happened here. With the rise of DHCP and dynamic port mapping, it has become rather hard to actually tap Internet traffic from some specific person or computer. The problem is that a lot of IP addresses are allocated dynamically. Combine this with dynamic port mapping like that provided by typical firewalls, and it becomes almost impossible to identify a specific computer outside his inner firewall/router.

For example, right now I am within at least three levels of this sort of port and IP address remapping. I have a router about a foot from my laptop here that multiplexes all the ports from the various computers here onto a single IP address. Then, a second router in the basement of the building does the same for the 36 units in the building. And then the ISP sometimes does the same. Probably, more often, the ISP dynamically temporarily allocates an IP address to a user/ computer/ router (in this case, the router in the basement for the 36 units sharing the same DSL connection).

Mention above was made about logical ports. In the case of email, the typically relevant ports are 25 (SMTP) and 110 (POP3). But these are translated and multiplexed by those same firewalls and routers that screwed up the IP addresses, and, indeed, the way that this whole system works is that this translation of logical ports allows routers, etc. to multiplex all the logical ports from multiple IP addresses on a single IP address.

If you want to intercept the incoming mail for someone, the easiest place to do it is at his mail server. His incoming IP address and port are liable to change every time, but his userid (or mailbox name) stays the same. Alternatively, you can tap his email client on his computer. Anything else gets to be pretty messy.

Outgoing mail may be more difficult, depending on the sophistication of the sender. Obviously, again, it can be tapped from his email client, or as noted above, behind the inner firewall/router. If the sender is not overly sophisticated, and is using his mail provider for outgoing mail, then it can be intercepted there again. But that becomes hard if the sender is like me, and runs his own email server, that becomes difficult, since email servers most often connect directly to destination mail servers via SMTP. Of course, in that case, in order to allow for incoming mail, you need to pass SMTP traffic through the routers and firewalls without network address translation (NAT).

But if the police attached the pen register to the computer itself, or put it on the line w/i the house, how did they manage to do so? I think that I would notice new hardware hanging on the line or on my computer, and I am fairly certain that they couldn't sneak software onto my computer w/o my knowing it. If there are back doors to Windows, etc., I think that we would all like to know about them. And the current generation of spyware and virus removal software seems to do a pretty good job at removing Trojans and the like, as suggested above.
7.7.2007 5:07am
paul lukasiak (mail):

To me, that's philosophically similar (if not near identical) to the government installing a pen register on my desk's telephone and noting that I recently called someone at 703-xxx-xxxx.


I'd have to say that they are entirely different, because one can access an "incriminating" website accidentally, and APPEAR to spend considerable time on it. But if you dial a phone number accidentally, you aren't going to spend 15 minutes on the phone with the person on the other end of the line.

Imagine that you found yourself clicking on a link to an "incriminating" website by mistake, but while the page was loading, the door-bell rang, and you didn't wind up getting back to the computer for 15 minutes. The prosecutor would be able to say "Kerr spent 15 minutes on this terrorist website which described in detail how to fabricate the bomb used in the terrorist act that he has been accused of", and your defense would be what exactly?

In principle, the government should be able to collect the same kind of "envelope information" from email that they can with snail mail. The problem, of course, is that the devices that collect email information can collect a great deal of other data too...
7.7.2007 10:39am
Ursus (mail):
I don't really understand the use of a 4th amendment argument, since it would seem that installing software on the computer would be a 5th amendment violation.
7.7.2007 10:53am
Ned Ulbricht (mail):
I think that I would notice new hardware hanging on the line or on my computer, and I am fairly certain that they couldn't sneak software onto my computer w/o my knowing it.


You're not nearly paranoid enough.

At least one multinational corporation in the IT field performs routine sweeps for keylogging devices attached between the keyboard and the box. It's presumed that neither developers and testers nor administrative and management staff will notice these devices, as they typically are fairly small. This particular corporation does perform classified government work—but I'm talking solely about the computers used for unclassified and non-government work. This sweep requires manpower and costs money—this corporation's security management presumably thinks it's worth paying for.

With software, if you want to be "fairly certain" that there's been no unauthorized installation, then use a live CD, like Ubuntu or Knoppix—from a known source. Alternatively, keep the entire machine off any network and physically secured. Otherwise, you're just fooling yourself about your skills vs. the universe of potential attackers. There are attackers out there whose skills are better than yours—count on it.

At the top of most computer security threat models is the threat called a "major nation state".
7.7.2007 11:51am
K Parker (mail):
Bruce,

Regardless of the aggregation of "internal" addresses via NAT that you speak of, what's hard about monitoring your outgoing IP traffic by inspecting as it arrives from your building's router at the ISP? Yes, the monitor will get the traffic from everyone in the building, but that's only a difference in degree from the fact that even if you had your own, individual connection the monitor would still have to look at every single packet to determine which ones were SMTP or POP3 traffic.

The only hard part is figuring out which dynamic address/port currently belongs to you, but since neither SMTP nor POP3 is encrypted, the solution is left as a fairly simple exercise for the reader...
7.7.2007 12:45pm
JohnMc (mail):
Orin, I am going to side with TechieLaw not on the legal merits but the technical issues. The crux of my argument is that as a general basis, with internet your private data is hosted off your premieres. From a business perspective, were the general public not to be afforded the same 4th amendment protections as in their residence then you might as well forget about Web 2.0 and close Sun Corp. down ("The network IS the computer").

The visionaries see a not too distant future where you keep your data on a contracted provider who has the resources to guarantee always available access and multiple redundant backup. Think Google. However If the only way I can keep my papers private is to keep them on my own server in my own home then that is what will happen. At that point we are back to a technical future equivalent to 1960. It just all runs faster.

The 4th needs to be amended to expand 'reasonable searches and seizures' to your papers regardless of location or format.
7.7.2007 1:35pm
JohnMc (mail):
The only hard part is figuring out which dynamic address/port currently belongs to you, but since neither SMTP nor POP3 is encrypted, the solution is left as a fairly simple exercise for the reader... -- K Parker

In the main you are right. However I would point out that many programs and ISP's provide SMTP that is encrypted via SSL.
7.7.2007 1:38pm
David Drake:
Paul Lukasiak--

The defense to the charge would be whatever it is--There was nothing illegal about what I did; I was researching; there was a technical problem with my computer and I couldn't get out of the site (or didn't mean to go there and then couldn't get out); I went to the bathroom; the government had the device on for, say, three months, and only had one "hit;" the device shows I didn't download anything; I was just browsing, etc.

The admission of evidence captured in this fashion--like evidence obtained in any other manner--does not prove the charge; it's just evidence.

BTW--this case involved Ecstasy manufacturing, not terrrorism.
7.7.2007 2:06pm
David W. Hess (mail):
Gmail provides SSL access to POP3, SMTP, and HTTP so interception would need to be at the users system, the destination, or at Gmail itself. Most systems and users might as well be sending post cards for all the security they take advantage of currently. I keep hoping spam gets bad enough to encourage the switch to more secure email protocols.
7.7.2007 2:49pm
runape (mail):
orin, I'm not tech-savvy enough to know the answer to this: if the device was installed on the machine as opposed to somewhere "out there" (I presume a cable splitter or something is the other option?), is it true that the ISP would have no way of knowing it was installed? Or is it that it would have to do some looking to figure it out?
7.7.2007 2:51pm
otpu:
In Smith v. Maryland the court ruled that the numbers you dial from your phone and the times you call them are equivalent to the address you put on a letter and the date on the postmark.

Both sets of information were ruled to be public because both are required by the carrier in question to perform the service contracted, multiple persons associated with the carrier have to be able to access and evaluate that information in order to do their jobs under the contract, and persons not under the direct control of the carrier cannot be reasonably barred from being able to access this information.

That last one is a bit complicated but it basically boils down to the fact that the mail carrier has to be able to read the address of a letter in order to place it in the correct box and a hypothetical bystander could easily read it over his shoulder.

The Ninth Circuit's ruling in The United States v. Forrester has expanded this view of public access to address data for private communications to include internet connection and e-mail address data as well as phone numbers.

I believe this is a problematic ruling. While TCP/IP address recorders and E-mail header recorders at the Internet Service Provider would obviously fall under an expanded Smith v. Maryland, they are not the only ways of obtaining this information.


It is possible to put "internet pen registers" on a subject's personal computer. These computer resident pen registers can easily be installed on the target computer directly from the internet by using a specially constructed computer virus or Trojan Horse program. These methods do not require physical access to the computer or physical intrusion to 4th Amendment protected space.

These computer resident pen registers have some unique advantages over ISP resident pen registers; anytime the computer is on they are active and can record connection data no matter which Internet Service Provider the computer is connected to. When the subject's computer is a laptop, a computer resident pen register can record data no matter where the computer is taken and no matter what legal jurisdiction it is in. A computer resident pen register can also record data when stored documents such as archived emails or saved internet files are accessed. Even more problematic, data collected from stored documents may predate the installation of the resident pen register on the subject's personal computer.

I don't think the 9th Circuit has sufficiently evaluated the extra possibilities for intrusion that computer resident pen registers give law enforcement authorities.

otpu
7.7.2007 2:53pm
Apodaca:
paul lukasiak writes:
Imagine that you found yourself clicking on a link to an "incriminating" website by mistake, but while the page was loading, the door-bell rang, and you didn't wind up getting back to the computer for 15 minutes. The prosecutor would be able to say "Kerr spent 15 minutes on this terrorist website which described in detail how to fabricate the bomb used in the terrorist act that he has been accused of", and your defense would be what exactly?
I think this misconceives the way standard HTTP works. When you visit a typical website, once all the GETs are executed -- that is, once the page and all its component parts are downloaded to your machine -- then the session is over. The TCP connection gets closed; in short, you're done, meaning that no more traffic is exchanged.

(There are exceptions: a page can try to force a periodic reload using Javascript or the 'refresh' meta-tag. Some sites, especially news sites like the New York Times, do this, but it's not that widely used elsewhere in my experience.)

So all you have in the hypo is a burst of traffic followed by 15 minutes of no traffic. That doesn't prove squat.
7.7.2007 5:12pm
Apodaca:
otpu writes:
A computer resident pen register can also record data when stored documents such as archived emails or saved internet files are accessed. Even more problematic, data collected from stored documents may predate the installation of the resident pen register on the subject's personal computer.
... except that what you're describing isn't a "pen register" as that term is used in federal law. Acquiring "data collected from stored documents" is a search of the computer, not the collection of "dialing, routing, addressing, or signaling information" associated with a "wire communication" or "electronic communication."
7.7.2007 5:16pm
TM Lutas (mail) (www):
I think that installing software on a computer and forcing you to host it is more a 3rd amendment violation than a 4th. I know that there isn't much jurisprudence on the 3rd amendment but how much you spend on quartering or supporting agents of the state is immaterial to the 3rd amendment.

It's a missed opportunity.
7.7.2007 5:18pm
Fub:
Ned Ulbricht wrote at 7.7.2007 10:51am:
At least one multinational corporation in the IT field performs routine sweeps for keylogging devices attached between the keyboard and the box. It's presumed that neither developers and testers nor administrative and management staff will notice these devices, as they typically are fairly small. This particular corporation does perform classified government work—but I'm talking solely about the computers used for unclassified and non-government work. This sweep requires manpower and costs money—this corporation's security management presumably thinks it's worth paying for.
For individuals wouldn't it be much cheaper to buy two keyboards? Leave one attached to your computer in your absence. Never let the "clean" one out of your sight, and attach it before using the computer.
7.7.2007 5:25pm
Ned Ulbricht (mail):
I don't think the 9th Circuit has sufficiently evaluated the extra possibilities for intrusion that computer resident pen registers give law enforcement authorities.


I don't think the 9th Circuit has sufficiently evaluated the extra possibilities for official corruption from authorizing warrantless computer intrusion by law enforcement personnel.

We all know that the severest threats come from people with some form of authorized access.

Face it, your average law enforcement computer technician is just woefully underpaid.... they work hard, and they really deserve to pick up some extra cash, don't you think?
7.7.2007 5:54pm
Ned Ulbricht (mail):
For individuals wouldn't it be much cheaper to buy two keyboards? Leave one attached to your computer in your absence.


It's a trade-off between the resources expended on counter-measures and the likely attacks. The presumption is that a device can be quickly attached between a keyboard and box by a guest or someone with a limited time unobserved in the area. An attacker with more time (and sufficent resources) will presumably hide the device better.

Likewise, while the sweeps are "routine", there's still a window of vulnerability between sweeps, so there's a deterrent logic in making the counter-measure somewhat known.

For an individual, the risk assessment is probably totally different. Do you have to worry about industrial espionage? State-sanctioned industrial espionage?
7.7.2007 6:29pm
Fub:
Ned Ulbricht wrote at 7.7.2007 5:29pm:
For an individual, the risk assessment is probably totally different. Do you have to worry about industrial espionage? State-sanctioned industrial espionage?
None of the above. I was thinking of individuals within or connected with larger organizations. My presumption was that blanket keyboard bug installations for keystroke logging an entire organization would be unlikely, and that the many fewer people handling sensitive information would be the most likely targets.

My personal most formidable countermeasure against keyboard logger device installation is the absolute certainty of terminal boredom for the spy.
7.7.2007 9:18pm
Steve2:
Professor Kerr, from your description of the Smith opinion... sounds like you'd agree with the proposition that things would be better if the Marshall dissent had been the majority opinion.
7.8.2007 2:02am
Y.K.:
Apodaca, HTTP connections often do not work that way. The HTTP/1.1 standard recommends the use of "persistent connections" - connections that stay open after the data has been transmitted (this makes surfing faster if more data is to be transferred, as a new connection does not need to be established).

After a pre-set time limit has passed, most servers will auto-close the connection (Clients can also do this, but I assume that the connection won't be closed from that end, as the webpage is still open in the user's computer in our hypothetical). Apache (the most used http server) has a 15 seconds limit, but old versions of IIS (second most used http server) had a 15 minute time-limit (I believe the current limit is 120 seconds).

That said, I am not sure that this supports the assertation made by lukasiak (since it makes the amount of time spent on a website indeterminate if small enough, it tends to help the defense, rather than the prosecution, right? Then again, I'm no lawyer).
7.8.2007 3:08pm
OrinKerr:
Steve2 writes:
Professor Kerr, from your description of the Smith opinion... sounds like you'd agree with the proposition that things would be better if the Marshall dissent had been the majority opinion.
Nope. Marshall's opinion would have made it essentially impossible for the government to investigate network crimes. The government would need probable cause to do anything, which would make it very difficult to conduct investigations. I think the ultimate goal is to have a set of network rules that roughly recreate the rules for the physical world; Marshall's approach would essentially treat *all* information over a computer network as if it were protected space such as the inside of a home.
7.9.2007 1:19am
Technolawgy (mail):
I looked to Lafave on this subject: The most recent version of his Search and Seizure treatise (available on Westlaw) quotes the following article when discussing third party records:

Link to article

Lafave endorses the author's idea that "privity" analysis (a proposed term combining notions of confidentiality and standing), rather than "privacy" analysis, is what courts should engage in when deciding these cases. This seems to be what techielaw is getting at in his above post. The article also discusses the differences between Smith (involving voluntary disclosure without a subpoena) and Miller (involving compelled disclosure). And the article proposes a four-pronged test that seems to address Orin's concern about collecting otherwise unprotected information by unreasonable means. I'd imagine this area of the law will become more settled over the next decade.
7.9.2007 3:06am
Technolawgy (mail):
I looked to Lafave on this subject: The most recent version of his Search and Seizure treatise (available on Westlaw) quotes the following article when discussing third party records:

Link to article

Lafave endorses the author's idea that "privity" analysis (a proposed term combining notions of confidentiality and standing), rather than "privacy" analysis, is what courts should engage in when deciding these cases. This seems to be what techielaw is getting at in his above post. The article also discusses the differences between Smith (involving voluntary disclosure without a subpoena) and Miller (involving compelled disclosure). And the article proposes a four-pronged test that seems to address Orin's concern about collecting otherwise unprotected information by unreasonable means. I'd imagine this area of the law will become more settled over the next decade.
7.9.2007 3:07am
Apodaca:
YK writes:
After a pre-set time limit has passed, most servers will auto-close the connection (Clients can also do this, but I assume that the connection won't be closed from that end, as the webpage is still open in the user's computer in our hypothetical).
I don't know that this is a valid assumption about clients. The Wikipedia entry cites some research (a little stale, admittedly) suggesting that IE, at least, FINs the connection after 60 seconds.
7.9.2007 11:58am
vukdog:
Thanks for the link. The article cleared up many of my questions.
7.9.2007 4:08pm