Fourth Amendment Rights in Files Stored on Password-Protected Websites:
Does a user have a reasonable expectation of privacy in their files — including images of child pornography — posted on a password-protected website? In a decision handed down last week, Judge Stearns of the U.S. District Court for the District of Massachusetts concluded that the answer is "yes." At the same time, Judge Stearns refused to suppress the evidence in the particular case, finding that its collection was the fruits of a private search by a tipster. The case is United States v. D'Andrea.
Unfortunately, the facts of the case are pretty gruesome, so here is a very brief version. The Massachusetts Department of Social Services received a call from a person reporting that another couple was molesting their 8-year old daughter and putting pictures of the molestation on a password-protected Sprint PCS website. The caller indicated that she was an ex-girlfriend of the man involved, and she told the officials the username and password of the website to access the pictures. A DSS official entered the username and password, accessed the website, and confirmed that images of the molestation were present. The official contacted the police, and the police obtained a warrant to search the couple's home. The woman was home when the warrant was executed; she was taken into custody and confessed to the crime. When charges were brought, both the man and the woman moved to suppress the images and the confession on the ground that they had a reasonable expectation of privacy in the stored files in the account and that the government access to the account without a warrant had violated the Fourth Amendment.
In his opinion, Judge Stearns first concludes that a person has a reasonable expectation of privacy in the contents of files stored on password-protected websites. Judge Stearns relies on two authorities. The first authority is Professor LaFave's treatise:
But having concluded that there is a reasonable expectation of privacy in password-protected websites, Judge Stearns then seems to reduce that entire discussion to dicta: he concludes that the defendant's Fourth Amendment rights weren't violated because the government officials that accessed the website merely reconstructed the private search of the anonymous caller.
Unfortunately, the facts of the case are pretty gruesome, so here is a very brief version. The Massachusetts Department of Social Services received a call from a person reporting that another couple was molesting their 8-year old daughter and putting pictures of the molestation on a password-protected Sprint PCS website. The caller indicated that she was an ex-girlfriend of the man involved, and she told the officials the username and password of the website to access the pictures. A DSS official entered the username and password, accessed the website, and confirmed that images of the molestation were present. The official contacted the police, and the police obtained a warrant to search the couple's home. The woman was home when the warrant was executed; she was taken into custody and confessed to the crime. When charges were brought, both the man and the woman moved to suppress the images and the confession on the ground that they had a reasonable expectation of privacy in the stored files in the account and that the government access to the account without a warrant had violated the Fourth Amendment.
In his opinion, Judge Stearns first concludes that a person has a reasonable expectation of privacy in the contents of files stored on password-protected websites. Judge Stearns relies on two authorities. The first authority is Professor LaFave's treatise:
Professor Warren [sic] LaFave, a preeminent authority on the Fourth Amendment, argues that a person who avails herself of a website’s password protection should be able to claim a reasonable expectation of privacy in the site’s contents. Professor LaFave makes the point that while a service provider has a need to access information regarding the identity of a site holder and the volume and extent of her usage, it has no legitimate reason to inspect the actual contents of the site, anymore than the postal service has a legitimate interest in reading the contents of first class mail, or a telephone company has a legitimate interest in listening to a customer’s conversations. “Reliance on protections such [as] individual computer accounts, password protection, and perhaps encryption of data should be no less reasonable than reliance upon locks, bolts, and burglar alarms, even though each form of protection is penetrable.”13 LaFave, 1 Search and Seizure § 2.6 at 721 (4th ed. 2006).Judge Stearns also relies heavily on the Sixth Circuit's Warshak case, quoting from it extensively.
But having concluded that there is a reasonable expectation of privacy in password-protected websites, Judge Stearns then seems to reduce that entire discussion to dicta: he concludes that the defendant's Fourth Amendment rights weren't violated because the government officials that accessed the website merely reconstructed the private search of the anonymous caller.
This argument fails for the simple reason that [the government official] intruded no further into defendants’ zone of privacy than did the anonymous caller. Where a private party, acting on his or her own, searches a closed container, a subsequent warrantless search of the same container by government officials does not further burden the owner’s already frustrated expectation of privacy. United States v. Jacobsen, 466 U.S. 109, 117 (1984). “The additional invasions of [a defendant’s] privacy by the Government agent must be tested by the degree to which they exceeded the scope of the private search.” Id. at 115. Moreover, where an expectation of privacy in an item has been effectively destroyed by a private search, police do not violate the Fourth Amendment by examining the same item more thoroughly or with greater intensity so long as they do not “significantly expand” upon or “change the nature” of the underlying private search. United States v. Runyan, 275 F.3d 449, 464-465 (5th Cir. 2001).Judge Stearns then concludes that either the man or the woman must have given the password to the caller. True, both the man and the woman denied giving out the password. But Judge Stearns concludes in fn 17 that this must be false; there's no other way the caller could have learned the password without the man or woman giving it to her. So having given the password to the caller - at least according to Judge Stearns — the defendants had "assumed the risk" that she would access the account and tell the police about what she saw:
At day’s end, this case falls clearly into the “assumption of the risk” exception identified in Warshak and Supreme Court precedent. “It is well-settled that when an individual reveals private information to another, he assumes the risk that his confidant will reveal that information to the authorities, and if that occurs the Fourth Amendment does not prohibit governmental use of that information.” Jacobsen, 466 U.S. at 117. See also United States v. Maxwell, 45 M.J. 406, 419 (C.A.A.F. 1996) (the sender of an email runs the risk that its recipient will publish its contents). Thus, even granting defendants a reasonable expectation of privacy in the graphic website images of Jane Doe, by sharing the website access information with the anonymous caller, defendants took the risk that their right to privacy in the website’s contents could be compromised.Hmm, I'm not sure what I think of this case — either on the first section granting Fourth Amendment protection or the second part taking it away.