pageok
pageok
pageok
United States v. King:
The Eleventh Circuit recently decided an interesting case applying the Fourth Amendment to computer networks, United States v. King. The question: If a person connects his machine to a computer network, and he unknowingly is sharing the contents of the machine with the rest of the network, does he retain Fourth Amendment protection in the inadvertently exposed contents?

  First, the facts. King was a civilian contractor who worked at a U.S. Air Force base in Saudi Arabia. He often connected to the base network using his personal laptop computer. Unbeknownst to him, his laptop was configured to "share" its contents with the entire network. One day, an enlisted man was searching the network for music files when he came across King's computer; he noticed that the computer contained adult pornography. The enlisted man reported this to another government employee, who conducted a similar remote search and found an empty folder in King's computer called "pedophilia." The government obtained a warrant to search King's computer at the air force base based on this evidence, and they found child pornography on his machine.

 King then filed a motion to suppress on the ground that the initial remote search of his computer was an unlawful search in violation of the Fourth Amendment. The Eleventh Circuit rejected the argument in a per curiam opinion (Pryor, Carnes, and Anderson on the panel) reasoning that King did not have a reasonable expectation of privacy in the files he had exposed to the rest of the network:
  King has not shown a legitimate expectation of privacy in his computer files. His experience with computer security and the affirmative steps he took to install security settings demonstrate a subjective expectation of privacy in the files, so the question becomes "whether society is prepared to accept [King's] subjective expectation of privacy as objectively reasonable."
  It is undisputed that King's files were "shared" over the entire base network, and that everyone on the network had access to all of his files and could observe them in exactly the same manner as the computer specialist did. As the district court observed, rather than analyzing the military official's actions as a search of King's personal computer in his private dorm room, it is more accurate to say that the authorities conducted a search of the military network, and King's computer files were a part of that network. King's files were exposed to thousands of individuals with network access, and the military authorities encountered the files without employing any special means or intruding into any area which King could reasonably expect would remain private. The contents of his computer's hard drive were akin to items stored in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public [Ed.-- both fact patterns covered under 11th Circuit law finding no Fourth Amendment protection].
  I'm not immediately comfortable with this reasoning, although I think the ultimate result is correct. A foundational principle of the Fourth Amendment is that one who "knowingly exposes" material to other government actors retains no Fourth Amendment protection in that material. See Katz v. United States. This applies just as much to computers as it does to anything else, so that if you knowingly expose files to a government network you lack Fourth Amendment protection in the knowingly exposed materials. See United States v. Barrows (10th Cir. 2007).

  Here's the twist: King did not realize he was exposing his files to the rest of the network. He thought that his files were blocked from the rest of the network. If that had been the case, the files would have been protected by the Fourth Amendment. See United States v. Heckencamp (9th Cir. 2007). I think that brings us into somewhat different territory: we're not dealing with "knowing exposure" but rather "unknowing exposure."

  Should that make any difference? I'm not sure, but I think the issue is actually pretty hard. In the physical world, you don't generally find cases of genuine "unknowing exposure." If you leave an object in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public (to take the facts of earlier 11th Circuit precedents), you generally are aware of that fact. You may still have a subjective expectation of privacy, but you are nonetheless aware of the fact that you have put your stuff in a place exposed to the public and that you are running the risk that your stuff may be seen. You have a subjective expectation of privacy but no reasonable expectation of privacy under Katz.

  Computers are different. The user typing at his machine may have a perfectly reasonable belief that his files are hidden when they are in fact being exposed. The user no longer has the usual physical clues to determine whether his materials are exposed. Whether a user has a constitutionally reasonable expectation of privacy in such setting strikes me as a complicated question, and off the top of my head I'm not sure what the answer should be.

  [UPDATE: The more I think about this, the more I think the problem is the clash between the experiences of the searcher and the searched. The searcher has no idea what the searched person has intended, and the searched person may have no idea that he is being subject to search. The absence of physical clues leads to uncertainty when both users are online interacting virtually with the network. Which perspective should the Fourth Amendment follow: the searcher or the searched? This is actually a rich and unsettled question, I think.]

  In light of these difficulties, I tend to think the better approach to resolving the King case would have been to assume a reasonable expectation of privacy and apply the "special needs" reasonableness framework of O'Connor v. Ortega. This was a government network, and users of the network had a right to conduct reasonable searches of it. It seems to me that the remote searches here were reasonable under O'Connor, meaning that they did not violate the Fourth Amendment even assuming that King retained Fourth Amendment protection in the contents of his laptop. This would lead to the same result, but on ground that is a little more certain. (Also note the interesting fact that the search occurred in Saudi Arabia; given that this was a U.S. base and a U.S. contractor, that probably doesn't make any difference.)
common sense (www):
Orin,
I only read the excerpt of the opinion that you provided, but I have to wonder if "the affirmative steps he took" to install certain security settings had a bearing. In other words, the court really didn't believe that his exposure was that unknowing, and thus ruled in a manner consistent with knowing exposure.
12.18.2007 4:29pm
OrinKerr:
Common sense,

P.2 of the opinion states, "King also believed that he had secured his computer so that others could not access the contents of its hard drive." Given that, I don't think your explanation works.
12.18.2007 4:31pm
Brian K (mail):
Orin,

with the disclaimer that I am not a lawyer, your analysis seems correct.

this situation seems analogous to the real world scenario where someone is a multi person apartment puts a lock on the door to their private room but forgets to close and lock the door. If a government employee found kiddie porn in the room in this scenario, would it be a legitimate search according to the 4th amendment?
12.18.2007 4:43pm
PatHMV (mail) (www):
Your approach would require that government employees willfully close their eyes to things that are, on the network, in actual plain sight.

Imagine the enlisted man calls up the CID and says "I've found a guy in my unit has kiddie porn on his computer." The CID man goes; "How do you know?" "Well, I was just searching open areas of the network and stumbled across it." CID man: "Did you hack into it, guess any passwords, do anything special?" "Nope, it was just sitting there." CID man: "Well, do you think the guy KNEW it was shared, or does it look like he was trying to hide it and just failed?" Enlisted man: "How the f--- should I know?" CID man: "Sorry, under the Kerr rule, I can't look at it unless it's clear that he willingly opened it up to the public, and didn't share it inadvertently."
12.18.2007 4:44pm
Anderson (mail):
"If you want to keep your computer's files private, don't connect it to any other computers" seems to be the way things are headed. Including any internet servers.

Look for the Privacy Laptop, with no ports to connect to the internet or anything else ... maybe a disk drive ....
12.18.2007 4:49pm
John Armstrong (mail) (www):
I'm usually good about closing and locking the door to my apartment, but I might forget to draw the blinds sometimes. In fact, I left my blinds open the day I murdered my wife. Jimmy Stewart was in the apartment across the way and happened to see some of the aftermath. Are his observations insufficient for a warrant to search my apartment because I have the expectation of privacy?
12.18.2007 4:52pm
Freddy Hill:
Here's a tip for would-be pedophiles: Don't use "pedophilia" as a foder name.
12.18.2007 4:52pm
OrinKerr:
PatHMV writes:

Your approach would require that government employees willfully close their eyes to things that are, on the network, in actual plain sight
PatHMV, I'm confused by your comment. Note that (a) I don't take a position and (b) I think the search was lawful. Given that, where are you getting "the Kerr rule" that such searches are unlawful? I recognize your effort to be fun and snarky, but I don't see anyone making the argument you are trying to defeat.
12.18.2007 4:54pm
OrinKerr:
Anderson: I don't think that's right, as the first part of Heckencamp is quite important.
12.18.2007 4:55pm
CM:
I am not sure that the guy looking for music constitutes a governmental actor.

Brian K, the difference here is that there was no intential intrusion. The situation is more akin to someone witnessing illegal materials through an open window.

More importantly, I do not see the rational behind affording constitutional protection to someone who intended to hide his illegal conduct from plain view, but did a bad job of it. Why should "unknowing exposure" be protected?
12.18.2007 4:57pm
OrinKerr:
John Armstrong:

Jimmy Stewart is not a state actor, unless you're watching Mr. Smith Goes to Washington, so the Fourth Amendment does not apply to him. But as for cases on government actors looking through the blinds of windows, as best I recall the cases are actually mixed, with different cases pointing in different directions.
12.18.2007 4:59pm
John Armstrong (mail) (www):
Thanks, Orin, that's a good point. Trust me not to spot that issue. Still, I think the analogy is more or less cogent, isn't it?

@ Anderson: here is the only secure computer out there.
12.18.2007 5:03pm
A.:
But Orin, the question isn't about looking through the blinds, it's about looking through an open window. If the blinds were drawn, we could argue about the reasonable presumption of privacy, even if the blinds, say, had a hole in them. However, if there is nothing obscuring the window at all, perhaps because I forgot to draw the blinds, I have no reason to complain when someone looks inside, especially if it's with a casual glance, not with a telescope.
12.18.2007 5:04pm
Tom952 (mail):

He thought that his files were blocked from the rest of the network.

I wonder why he thought that? If King wanted his computer to be private, he would make sure file sharing was turned off and install a security program.
12.18.2007 5:05pm
Maniakes (mail):
I would argue that the enlisted man who found the folder wasn't a government actor, either. While he is employed by the government, he wasn't acting as a government official at the time he found the evidence -- he found the folder while searching for shared music, presumably for personal use.

Would the window evidence be admissable if Jimmy Stewart was a non-law-enforcement government employee looking out the window of his office while bored?
12.18.2007 5:07pm
Brian K (mail):
CM,

i don't see why there must be intentional intrusion in my scenario. let's add some details to the hypothetical scenario to say that the government employee went uninvited to a party (say a friend of a friend of a friend who was there) at the apartment, but once he was there no one told him to leave. he then saw the illegal material while looking for a bathroom in the room that was supposed to be locked but wasn't. there is no intentional intrusion then...he found the illegal porn looking for the bathroom in much the same way that it was found while looking for music in this case.

I also don't agree that it is analogous to looking through an open window. the porn in this instance was found after running a search (using the computer definition, not the legal definition). it's not like you can walk outside and see it as you can an open window...you have to actively look for it with the proper equipment and software.
12.18.2007 5:11pm
OrinKerr:
A.

My vague recollection is that cases involving looking through open windows of homes are also rather mixed. Pus, you run into the analogy game trying to say whether the better analogy is an open window, a crack through the blinds, etc. To be clear, I'm not saying the argument is wrong. Only that it's a hard issue.

Maniakes,

That's an interesting question, although the second remote search was pretty clearly that of a government actor.
12.18.2007 5:12pm
common sense (www):
Orin,
A very loosely related question, and I honestly seek your opinion, not trying to make a point. What do you think of people who access a wireless access point (router) that is completely unprotected, considering that most access points come that way out of the box and most consumers don't understand how to secure them. Is that theft of the service, or is it okay? Also, if someone uses the access point to commit a crime, such as distributing kiddie porn, is there some liability there as well? I ask, because it seems that not understanding how networks operate is common, and its something courts will have to deal with as more people create wireless access points in apartments. How much "ignorance" is sufficient for protection?
12.18.2007 5:12pm
William Spieler (mail) (www):
Here's a real-world (i.e. law school) "unknowing exposure" hypothetical, I suppose: Petey Pedophile is walking down the street carrying child pornography in a Duotang folder. So far, so good: he has a subjective expectation of privacy, and a reasonably objective expectation of privacy. But then a paper falls out, and wouldn't you know it, it happens to be an image of child pornography printed on his home letterhead. Oscar Officer, a member of the police force of the city of Hypothetical, discovers the paper lying on the ground, and proceeds to obtain a search warrant for Petey's residence, whereupon child pornography is found. Should this evidence be suppressed as having violated the Fourth Amendment?

Here's another one: Daniel Druggie lives in a rowhouse directly abutting the sidewalk. He has linen curtains covering his large front windows, which he has closed so as to shield his imminent drug use from the outside world, or so he thinks. He begins to cook his heroin over his spoon. However, the silhouette of his figure is visible from the outside. And wouldn't you know it, but there comes Oscar Officer strolling down the street walking his beat. He sees the shadow of Daniel through the panoramic windows, runs back to the precinct, swears out a probable cause affidavit, gets a warrant, and wouldn't you know it, but Daniel just so happens to have illegal drugs on his possession. Fourth Amendment violation?

I'm trying to come up with real-world counterparts, I suppose...
12.18.2007 5:13pm
wm. tyroler (mail):
This was a government network, and users of the network had a right to conduct reasonable searches of it.

But isn't that, in a nutshell why King (probably) can't assert a reasonable expectation of privacy in a computer attached to that network? Because, that is, he knew (or should have known) that his networked computer was subject to search?
12.18.2007 5:20pm
SenatorX (mail):
I used to install point of sale computer systems in Vegas and I would run into this sort of this all the time (not the kiddie porn though). Basically I would be adding a new site and find on the "business network" provided by the cable company there would be all kinds of other business computers visable and accessable. You would be surprised how bad security really is out there in IT land.
12.18.2007 5:20pm
PatHMV (mail) (www):
Orin, I don't think it's a "search" if any more or less random user on the network can see the contents. Your reasoning seems to hinge on the fact that this is a government network. What if it's a private network? What if the pedophile accidentally stored his stuff in a shared P2P folder of some Napster-like P2P system? I see no "special need" for such searches of other computers on a private P2P network, so I think my hypothetical would apply if you replaced the enlisted man and the CID man with a Bit Torrent user and an FBI agent.

The fact is, the guy's own actions, whether he knew it or not, exposed his data to the rest of the network. At that point, I think it's in plain sight, regardless of his subjective desires. Objectively, it is in plain view to other users of the network.
12.18.2007 5:21pm
OrinKerr:
wm. tyroler,

No, it turns out the Fourth Amendment doesn't quite work that way. To get the long version of the reason why, see here.
12.18.2007 5:22pm
Mac (mail):
As one who has some limited knowledge of the workings of US Government and computers, I would be amazed if any military or Government network would allow anyone to hook up their "own" personal computer to a Government network. The Government is totally paranoid, rightly so I presume, about viruses and hackers etc. Are you sure this was not a Government computer provided to this person for his Government use?

If it was, and I can't believe that is was not, he can not possibly have any expectation of privacy. Anytime you log onto a Government computer, you must read explicit and repeated warnings that nothing you do is private. Along with this is warnings about sites you absolutely may not access and that anything and everything you do on the computer can and will be monitored. The idea of any Government agency, let alone the US Military, allowing any Tom, Dick or Harry to hook up his personal laptop is unbelievable.


It would seem to me to make a huge difference if this is a Government issued computer as opposed to one he purchased himself.

Can anyone shed any light on this?
12.18.2007 5:29pm
Brian K (mail):
common sense,

i don't know the definitive answer to your questions, but i do not that the RIAA has held people who unknowingly shared their wireless connection liable for music shared by a 3rd party. none of the cases that i know of made it to court...they were all settled for under $10,000
12.18.2007 5:30pm
hattio1:
Orin,
My first reaction was that the search should be allowable. After all, King did attach his computer to a network, and didn't make it unsearchable.

Here's a question for the computer geeks out there. Why did the officer who searched only find an empty folder? Why didn't he find the kiddie porn that was later found by the warrant search?

A couple of idle questions for the legal geeks. Could you argue that the officer who did a remote search was conducting an investigatory stop (Terry Stop) and didn't have reasonable suspicion? After all, the enlisted man only found adult porn. On the other hand could you try to argue that an EMPTY folder titled pedophilia doesn't give rise to PC for a search?
I wouldn't want to try either of those theories in court, but I probably would if I didn't have anything better.
12.18.2007 5:31pm
Lior:
I think computer owners should be persumed to have control of their computers. If you misconfigure your computer then that should be your problem. If you don't know how to secure your computer, then don't connect it to the network.

One way to think about this issue is as follows: if you connect a server to the network, you have invited the public to connect to the server and interact with it. Consider two different scenarios, in which I connect a machine to the network and offer services on it. In all cases I don't tell anyone about the machine, and it is discovered by scanning the network; no password it needed to contact the services.

1. The service is a webserver (httpd).
2. The service is windows shared folders or the like.

3. The service is a login shell (you need to login but can then see and download files; no password is needed).


Is the third really different from the first two? If so why? The machine is connected to the web, and the police is interacting with it the way it's designed. I don't think that these are different situations; either the rule is that having an "unlocked door" is not enough to allow the police in, or you need to lock all your doors.
12.18.2007 5:33pm
Dave N (mail):
Isn't one problem in applying O'Connor the fact that it was a plurality opinion 4-1-4. Given that, what is the holding? Justice Scalia would hold that "government searches to retrieve work-related materials or to investigate violations of workplace rules - searches of the sort that are regarded as reasonable and normal in the private-employer context - do not violate the Fourth Amendment."

Justice O'Connor's plurality opinion includes this language, "Because the parties in this case have alleged that the search was either a noninvestigatory work-related intrusion or an investigatory search for evidence of suspected work-related employee misfeasance, we undertake to determine the appropriate Fourth Amendment standard of reasonableness only for these two types of employer intrusions and leave for another day inquiry into other circumstances."

The plurarlity opinion also specifically held "that public employer intrusions on the constitutionally protected privacy interests of government employees for noninvestigatory, work-related purposes, as well as for investigations of work-related misconduct, should be judged by the standard of reasonableness under all the circumstances. Under this reasonableness standard, both the inception and the scope of the intrusion must be reasonable[.]"

While it is quite apparent that Justice Scalia's standard is less than the plurality's, the weasel language of "other circumstances" in the plurality make it a difficult case to apply to the facts in King.

In my personal view, I think that the case should turn on whether King had an objectively reasonable belief that his computer's were secure and private. On the one hand, the opinion states King had a subjective belief that he had secured his hard drive. On the other hand, the computer tech did not use any special tools to retrieve enough information to support probable cause for a later search warrant.

This makes the case very different, IMHO, from the other recent case discussed on this site where investigators used "Encase" software to mirror the hard-drive, despite the fact THAT computer had rudimentary password protection (most likely the password protection standard on Windows XP and Vista that you can set up on initial installation).

The analogy in my mind is to a door. If the door's lock is broken, and you think it is locked, you still have an expectation of privacy. On the other hand if the door is in fact open even though you subjectively believe it is closed, then the contents are surely subject to view.
12.18.2007 5:36pm
anomie:
If King wanted his computer to be private, he would make sure file sharing was turned off and install a security program.

And if, despite those actions, his computer were infected with malware that turned on global filesharing?

Is it an established fact that King's laptop was sharing files based upon King's active misconfiguration and not as a result of malware? Does it make a difference?
12.18.2007 5:43pm
Lior:
Here's the real problem here: in real life, sometimes we have well-defined boundaries (the door saying "private property -- no admission!" or "everyone welcome -- no need for permission") when it's clear what the police can do. Sometimes this is less clear (just an unlocked door) and we have traditions about what the police can and can't do (they can't enter a door no matter how it's locked, but they can look in to my yard through the fence). With computer networks we still don't have an agreed-upon division. When a person connects a machine with an unsecured shared folder, is this an like a free invitation or like an unlocked door which (legally) requires permission to enter even if there is no physical barrier?

I think the real and virtual rules need to be developed independently -- the settings are completely different. My previous scenarios are intended to show that there's a continuum of services you can open up on your computer, and it's difficult to figure out which of them are supposedly "private" and which of them are "public". I thus favor the strict rule: if you connected it to the network you intended the network to connect to it to the extent the network follows normal protocols, accepting that it'd be different than the real work, where just because my unlocked door is connected to the street does not mean that you are free to walk up the path and get in the house, even if that's the accepted procedure for entering.
12.18.2007 5:44pm
Lior:
Anomie: Say someone else posted a sign on my door that said "open to the public -- everyone welcome", without my permission. Is the police allowed to enter?

When I asked my web browser to connect to port 80 on www.volokh.com, I did not have specific (personal) permission to download files; I simply persumed that by installing a process (httpd) that listens on port 80 and serves files the owners of that machine intended for me to read these files. The internet cannot work otherwise. In different settings you need different presumptions. On a network you should persume that all servers which respond without requesting authorization indeed welcome all traffic. In the real work you persume that you may not enter a door unless given permission even if it is unlocked.
12.18.2007 5:51pm
Archit (www):
This seems most analogous to California v. Ciraolo, 476 U.S. 207 (1986) (holding warrantless aerial surveillance reasonable). There was an expectation of privacy, but it turned out that the stuff (porn here, marijuana in Ciraolo) was clearly visible from "a public vantage point." Government wins, despite the fact that this mostly guts the "knowingly expose" standard. Or less dramatically, it renders the standard an objective one instead of subjective one. This has to be the outcome since it would is too easy to argue that contraband wasn't knowingly exposed. After all, who would do that?
12.18.2007 5:53pm
Joe Hiegel:

No, it turns out the Fourth Amendment doesn't quite work that way. To get the long version of the reason why, see here.

Wow, that's some of the quickest post-publication pimping ever I have seen. (More seriously, though, the paper looks to be quite nice, and I'm looking forward to reading it.)
12.18.2007 5:54pm
AnotherView:
At least in some areas, what the original "searcher" did would be considered illegal. Just because the computer has shared files that are able to be accessed without any form of authentication, does not mean it should be (or is) legal to access those files.

As a real world example, take a house. You live in the house, and you store your items in the house. Now, one day you forget (or just don't bother) to lock the door to your house - does that then make it legal for someone to enter the house, without your previous knowledge or consent? And, assuming you purposefully left your door unlocked, because a friend was going to be visiting, does it make it legal for a third party, unknown to you, to enter your house?

A lot of people seem to want to think of computers as an exception to standard ideas, but in reality the best analogy for computers are houses, and the best analogy for a network is a street with houses on it.

Just as a side note, at least in one US jurisdiction, accessing any digital device without prior authorization is considered a crime - which, on the face of it, would make something as simple as leaving a message on a digital answering machine a crime, not to mention something like accessing someone shared files.

Do note, I am not addressing whether a file on a computer is like a physical object - personally, I think copying a file should be looked at as taking a photo of something - but in this case, that does not need to be addressed.

I guess it comes down to the presumption the legal system should make about files on a computer - and there has been a heavy trend to have a double standard of what is, and what is not, presumed to be intentionally allowed.

@hattio1: Most likely the computer was configured to share a specific set of directories, which had been emptied of content, but the content still existed elsewhere on the hard drive, perhaps even in a deleted form.
12.18.2007 5:55pm
Dan S:
I'm with Mac. I question whether he would be allowed to connect a personal laptop to "the base network." Speaking as a security consultant in a government agency, that is not anywhere near usual policy. If the policy is as usual, he was already in violation by connecting, which probably puts everything after that in bounds for investigators. The disclaimers are pretty clear when operating on a government network.

If it wasn't actually a "government network" in the formal sense, it may have just been an open connection via a local network outside the secured government nets made available to contractors. In that case this makes more sense. But it changes the government angle a little too. He's now exposing his file (pun intended) in actual public.

I don't install OSs often any more so I can't speak with absolute certainty, but it seems to me that the norm is to default to "no sharing" on even Microsoft OSs these days. If that is indeed the case (and it's certainly best practice!) then he would have had to affirmatively enable sharing of the directories in question. He can hardly argue he had no intent to share when he did that. He may have forgotten to turn in off for THIS environment, but that's a different issue. To me it's sort of like reaching into your pocket to offer a cop a cigarette and having a joint fall out.
12.18.2007 5:55pm
AnotherView:
@Lior:
You've hit the nail on the head with both posts. The only problem is that while the rules *are* being developed differently for the virtual world, there is also starting to exist a double standard of what a private citizen can expect to do, and what a company or government actor can expect to do. While in many cases the government or a commercial entity has been allowed to follow a "if you can access it you can use it" type of rule, at the sime time private individuals have been convicted for things as simple as port scanning (to find available services) and connecting to open, unprotected, wireless access points.
12.18.2007 6:00pm
anomie:
If that is indeed the case (and it's certainly best practice!) then he would have had to affirmatively enable sharing of the directories in question.

Really? My hypothetical about malware turning on sharing is not purely hypothetical.
12.18.2007 6:03pm
Lior:
AnotherView:
...the best analogy for computers are houses, and the best analogy for a network is a street with houses on it.


But it's not true that all houses are private places. Both me and the police are allowed to enter a store and examine what's on the shelves (or "shared files") without permission. We're also allowed to enter a home business without permission, as long as we stay in the parts which are clearly "public" and stay out of the bedrooms. In real life it's easy to distinguish a CVS from a private home, but computers aren't like that, hence the need for different presumptions as you say.

Just as a side note, at least in one US jurisdiction, accessing any digital device without prior authorization is considered a crime

So am I committing a crime by downloading the file http://volokh.com/posts/1198012793.shtml without prior authorization?
12.18.2007 6:09pm
OrinKerr:
Lior,

For the long answer, read this. Okay, okay, I can't help myself.
12.18.2007 6:13pm
Dan S:
anomie,

Unless a government agent were involved in distributing the malware that opened the directories to sharing, I'd think that would fall into "acts of God" (and a just god at that!)
12.18.2007 6:15pm
SenatorX (mail):
"As one who has some limited knowledge of the workings of US Government and computers, I would be amazed if any military or Government network would allow anyone to hook up their "own" personal computer to a Government network"

Yeah that doesn't make much sense to me either. I work with a lot of VA sites and they always make me use a VPN connection. He probably used the same?
12.18.2007 6:16pm
AnotherView:
Lior,

But it's not true that all houses are private places. Both me and the police are allowed to enter a store and examine what's on the shelves (or "shared files") without permission.


Actually, it is mostly true that all houses are private places - there exceptions, but not that many. Generally, in RL, the exceptions are glaring obvious because they have a sign in front. Again, we need, as a global community, to decide what form that sign should take.


So am I committing a crime by downloading the file http://volokh.com/posts/1198012793.shtml without prior authorization?


If your communications transverses the state of Oregon, then yes - see ORS 164.377 - "(4) Any person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime."
12.18.2007 6:28pm
Lior:
@AnotherView: I agree with you that the "double standard" is a problem -- the same approach should be used for regulating computer searches by the government and criminalizing computer access by the public.

Prof. Kerr's article in his reply to me discusses the situation in detail with regard to computer misuse statutes and recommends the right approach: if you interact with the computer following the normal access protocols then you are not misusing the computer.

His "UPDATE" above singles out the issue. Not being a lawyer, I'd judge limits on what the police can do from the point of view of the police and what they know. Limits on the police can't stem from the subjective state of mind or intentions of the suspect.

Prof. Kerr: could you comment why the logic behind the policy recommendation of your "computer misuse" should not apply in the current context too?
12.18.2007 6:48pm
Lior:
That's the "computer misuse" paper, of course.
12.18.2007 6:49pm
Lior:
To clarify my question to Prof. Kerr: how can the police think I have a reasonable expectation of privacy in files the world is welcome to examine?
12.18.2007 7:00pm
David Walser:
Up thread, someone said that the "best analogy" of computer and network is home and houses on a street. I don't disagree, but application of that analogy does not yield any 4th Amendment protection of King's child pornography.

King may have intended to leave his porn at "home", but he inadvertently carried it with him onto the "street" for all to see. Does it matter, for 4th Amendment purposes, that King did not intend to allow anyone to see his porn (say he just picked it up along with his mail and held it up for all to see as he walked to the corner mailbox)? No, it doesn't matter (and it shouldn't). Nor would it be a 4th Amendment violation if King's porn were sitting at his kitchen table when an earthquake caused the kitchen wall to fall down, allowing all to observe his porn from the street. In either case, it was King's actions that allowed the porn to be viewed (even granting that King had no foreknowledge that an earthquake would allow others to see his porn).

Why should Kings actions in the virtual world allowing his porn to be viewed from the "street" result in more (or less) 4th Amendment protection than they would in the physical world? His actions allowed government to readily see the porn without having to breakdown any virtual walls. The 4th Amendment is supposed to protect us from unreasonable searches, it's not supposed to protect us when we inadvertently disclose facts we'd rather keep private.
12.18.2007 7:12pm
AnotherView:
@David Walser
The contractor's computer was NOT broadcasting that it had any data available (analogous to being able to see something through an open window) - it would simply respond to any requests made to it. In our analogy, the way to make a request is to go into the house. The problem with analogies, of course, is that they are imperfect. Think of yourself on the street, walking by a lot of houses. All the houses doors are closed, and window shades drawn, but neither are locked. This is the picture you should be working from. You don't what is in a house until you enter it - it could be a resteruant, a store, or a private residence.
12.18.2007 7:33pm
OrinKerr:
Lior writes:
Prof. Kerr: could you comment why the logic behind the policy recommendation of your "computer misuse" should not apply in the current context too?
To repeat myself, I'm not sure it shouldn't. That is, I think the issue is hard, which is a very different position from saying that you are wrong. The difficulty is that perceptions can be misleading on both sides. For example, what if someone changed the base network software and had it automatically hack in to files and present those files to the user (incorrectly) as being "shared"? In that case, the enlisted man would see the files as shared; from his perspective, the network would seem to be open to him. But would you say that this was still not a search, given that, unbeknowst to him, the network software was actually "breaking in" to the user's machine? Seems like a harder argument to make. But then what's the test exactly -- when the searcher correctly believes that the files are shared? Correctly and reasonably believes that? Tricky issues, I think.
12.18.2007 7:37pm
AnotherView:
@Lior
I like the idea presented in the paper, but it raises the issue of what a normal access protocol is. For many years, (and in some cases today) it was a documented feature on many VMS systems that entering a specific string bypassed the logoin authentication check. It was well documented, but no one ever disabled it. Obviously, it is not the intent of the administrator of the system for someone to bypass the authentication - but it is documented, so could be considered a normal protocol.
What I mean to demonstrate with the above example is that what I (as a self described computer expert) might consider a "normal protocol" would be *very* different from what a layperson would consider normal.
12.18.2007 7:39pm
k parker (mail):
AnotherView,

As long as we understand that we're arguing for preferred policies/interpretations, rather then trying to say what IS, I'm going to completely disagree with you on the computer--house analogy. To have a completely open, unsecured share on a Windows machine require affirmative action. How that can be analogous to the stuff you store in your house, behind close doors, is beyond me.
12.18.2007 7:55pm
Mac (mail):
Dan S and SenatorX,

I agree with both of you. It makes no sense.

I would think if he hooked up his own personal computer to a Government network, porn and even child porn would be only a fraction of his problems.

If he used a Government issued laptop, then I would think he has no expectation of privacy as he does not own the computer and it is intended for work. Ergo, he misused his work computer by accessing forbidden sites and broke all the rules and would be in huge trouble.

Even if he used his own computer for the porn, and then hooked it up to a government network, he would be in big trouble as well as he could infect the whole system, I would think. I can't imagine it being OK to use a non-secure computer as in a truly "personal" computer on any Government network.

If he used an outside network, as Dan suggested, then that takes it out of the realm of the Government and puts in into the public arena, it seems to me.

I wish someone knew the facts here as I can't see how he has a leg to stand on.
12.18.2007 8:04pm
AnotherView:
@k parker
and how many of the people who follow the directions they found online on sharing a directory (and this is only talking about standard windows shares) actually understand what they are doing? And understand that though they shared the directory when their laptop was on their private home network, it will still be shared when they go to work?

I honestly am more for a wild west approach - if it isn't locked down, anyone should be able to do whatever they want to it, and to hell with the ignorant - but that isn't how our society works.

Also, rmemeber that someone still has to communicate directly with the machine, on the correct port, to access to service.
As well, we have been assuming this whole thread that the contractor was using windows file sharing - what if it was a web server, or a P2P program, or FTP? what if, as was mentioned earlier, he didn't know it was installed, or what the installed program did?

The major difference in my eyes between a computer and a house is that with a house you can easily physically see changes to the structure and entry points. with a computer, unless you are an expert (and even then, sometimes only with great effort), you can not see what a given program may be doing to your system.
12.18.2007 8:09pm
Henry Bramlet (mail):
I don't get this.

The whole PURPOSE of file sharing on a computer is to share those files with users on a network. That original GI wouldn't have been able to view the folder if King's computer had not advertised to the network that it had those files available for browsing.

And by the way, network sharing is a BROADCAST protocol. That is, your computer asks the network if any other hosts have services they want to share and King's computer broadcasts back "Sure, have a look in here". It is the network protocol equivalent of posting a sign on your house that says "Every person in this neighborhood welcome to enter my kitchen and peruse the contents at will." Or a cop walking down the street blaring "Free searches for anyone's house" and you calling out "Come look in my kitchen".

The great thing about computers is that, when used the way they were designed, there is an implicit handshake from the base code up to the person clicking the mouse. Now you may say that the original user didn't mean to broadcast all that information on the network, but last I checked, unknowingly advertising the contents of your Hard Drive (c.f. the numerous Kazaa, bit torrent, etc lawsuits) doesn't save you.
12.18.2007 8:32pm
SenatorX (mail):
"The contractor's computer was NOT broadcasting that it had any data available (analogous to being able to see something through an open window) - it would simply respond to any requests made to it."

Hmm yes and no. The systems are called "broadcast networks" because your NIC card DOES broadcast itself. It doesn't broadcast the file data of course just its MAC address and some other stuff.

I think someone is probably correct that this fool shared folders on the laptop probably because he was connecting to another network somewhere at another time (maybe at home and maybe to share the porn?). Unless he knew what he was doing though the laptop would always have these folders available to any network he connected to.

With Windows you can query a computer easily if you know its name or IP address (I do this every day) to see what shares are there. If you go to the bottom of a file browser though you can check the entire windows network and it will give information on every Domain available first. You open a domain and then you can see every computer that the computer you are on has DNS info for. If you click on the computers you will see every share that computer has that is not hidden (you can hide a share by putting a $ sign on the end of its share name...).

Considering this :

1) this is probably exactly how the stuff was found which makes me wonder why the guy was searching for "music" this way...

2)the perv was sharing out his folder to either copy from one computer to another on his private network OR he was sharing it with others, maybe even on the gov network.

3)if it was his private laptop he almost surely was connecting to the gov network with a VPN(virtual private network) connection.

As soon as you connect to a site with a VPN you have opened a door. IT will have virus scanning and whatnot to protect the networks so that's not so much it but that you are now accessing a domain(you have logged in and authenticated). This is exactly how I connect to my work from home and even if you expected privacy on the computer when the VPN connection is off, you certainly shouldn't expect privacy when it is connected.

"Think of yourself on the street, walking by a lot of houses. All the houses doors are closed, and window shades drawn, but neither are locked."

The house has turned the lights on, opened the doors, and is advertising to the neighborhood (the domain it signed in to) that it is open for business purposes.
12.18.2007 8:55pm
seadrive:
What if the "pedophilia" folder was empty because he had moved the contents to an encrypted file? Could he be forced to give up the password? Oh, we've already been there.
12.18.2007 8:55pm
David Schwartz (mail):
If I read this case correctly, both sides agree on the following facts:

1) He took affirmative steps to protect people from accessing those files. By some mistake or glitch, they failed to work.

2) The files were initially found by a perfectly reasonable, normal process. No unusual techniques were used to intentionally break through a barrier.

3) This process involved asking his computer what it had available, and it responded with the files in question.

Please correct me if I am wrong.
12.18.2007 10:53pm
randal (mail):
Orin, this issue isn't hard. The "reasonable expectation of privacy" standard is an objective standard - intent has nothing to do with it. This makes sense for two reasons. First, it would be way to easy to argue ignorance. Second, it would make it way to hard to judge the legality of a search.

For example, imagine someone thought they knew how their phone worked. They new that the numbers they dialed weren't protected, but they thought that if they always dialed 411 and got transferred, only the '411' would be exposed and the ultimate recipient of the call would remain private. Well, that, of course, is wrong, and for purely technological reasons. Getting transferred by the 411 operator is exactly like dialing the digits yourself from your phone in terms of how the systems and logs work. So his failure to understand the technology at hand caused him to inadvertently expose data.

I don't think you get a pass for false assumptions about technology.

As an aside, I agree with the commentor who pointed out that the fact that he attempted (and failed?) to secure his files works against him. I think it's more than likely that he intentionally opened up at least a portion of his laptop for some window of time in order to share data with a friend, and got snagged during that period. Now he's claiming ignorance.

It still may be the case that he ended up sharing more than he meant to. But this shows the extent to which sympathy for the technologically illiterate plays a role here. I doubt even you, Orin, would find this a hard case if we understood that he totally knew what he was doing, but just mis-clicked.
12.19.2007 12:38am
Brad Ford (mail):
The entire purpose of the exclusionary rule is to prevent the government from using evidence, unlawfully gathered, against its citizens. In this case, the government searched its own network (lawfully) and found evidence of criminal activity.

The fact the criminal accidently place the materials on the government network is not to the examination of the legality of the government's conduct.
12.19.2007 9:42am
Brad Ford (mail):
The entire purpose of the exclusionary rule is to prevent the government from using evidence, unlawfully gathered, against its citizens. In this case, the government searched its own network (lawfully) and found evidence of criminal activity.

The fact the criminal accidently place the materials on the government network is not relevant to the examination of the legality of the government's conduct
12.19.2007 9:43am
Aultimer:
As may be obvious, my experience in this area is rusty, but it seems to me that the infrared emanations/smell analogies (Penny-Feeny?) are at least as good as the through-the-window analogies here (especially since there aren't any "curtilage" complications), supporting the government.

I'd also guess there have been expectation of privacy cases arising from poorly configured WiFi networks (unless anti-wardriving laws got there first). Wouldn't those cases be the best fit?
12.19.2007 10:11am
OrinKerr:
Randal,

How do you explain Kyllo? It's just basic physics that every surface emanates radiation; why should Kyllo's misunderstanding about this get a pass?
12.20.2007 3:37am