My earlier post on how the Wiretap Act applies to wireless networks triggered a lot of comments on how the Fourth Amendment might apply, so I thought I would have a post specifically on the matter. Here’s the question: Does governmental interception and analysis of the contents of a person’s wi-fi traffic constitute a Fourth Amendment search? And does it depend on whether the traffic is encrypted or unencrypted?
The answer turns out to be surprisingly murky. Because the Wiretap Act has been thought to protect wireless networks, the Fourth Amendment issue has not come up: There’s a surprising lack of caselaw on it. Second, there are plausible arguments on either side of the debate both for encrypted and unencrypted transmissions. So I wanted to run through the arguments and then ask which side readers find more persuasive. I’ll start with unencrypted communications and then turn to encrypted communications.
I. Unencrypted Communications
Imagine a criminal suspect uses an unencrypted wireless access point to send a communication to a co-conspirator. Maybe the suspect is using a wireless network at a hotel or a coffee shop, and he sends an e-mail indicating his involvement in the crime. A government agent is watching the suspect, however, and is sniffing all of the traffic over the wireless access point. Does reading the suspect’s e-mail broadcast over the network constitute a search?
There are two ways to look at the question. One way is to focus on how the technology actually works. The suspect may think his communications are private, but the network is actually broadcasting them to others: It’s just that the others’ computers are normally configured to ignore the broadcast. If you focus on how the network works, then you probably would conclude that the communications are not private and the sniffing is not a search. Notably, that is how courts ruled when they were presented with the analogous question in the context of cordless telephones. As I wrote in a Note in my computer crime law casebook:
In the 1980s, companies began offering cordless telephones for sale to the public. Cordless telephones work by broadcasting FM radio signals between the base of the phone and the handset. Each phone has two radio transmitters that work at the same time: the base transmits the incoming call signal to the handset, and the handset transmits the outgoing call signal to the base. Before the mid–1990s, cordless phones generally used analog FM signals that were easy to intercept. Government agents would occasionally use widely available FM radio scanners to listen in on the cordless telephone calls of suspects without a warrant. Courts that have addressed this issue have rejected claims of Fourth Amendment protection in the contents of cordless telephone calls. Because cordless-phone intercepting devices merely pick up a signal that has been “broadcast over the radio waves to all who wish to overhear,” the interception was held not to violate any reasonable expectation of privacy. McKamey v. Roach, 55 F.3d 1236, 1239–40 (6th Cir. 1995). See also Tyler v. Berodt, 877 F.2d 705, 707 (8th Cir. 1989); Price v. Turner, 260 F.3d 1144, 1149 (9th Cir. 2001). Courts reached the same result when the suspect was using a traditional landline telephone and happened to engage in conversation with someone who was using a cord-less phone. See United States v. McNulty, 47 F.3d 100, 104–106 (4th Cir. 1995).
That’s one plausible view. An alternative plausible view is to focus on the social understanding of wireless networks. Users of unsecured wireless networks may recognize the risk that their communications will be monitored, but for the most part they still consider their communications over wireless networks to be private in nature. And the mere risk of observation doesn’t eliminate a reasonable expectation of privacy: A person still has a reasonable expectation of privacy in their home if they live in a bad neighborhood with frequent break-ins and leave their doors closed but unlocked. Those common social understandings are changing over time, to be sure. In the last five years or so, unsecured networks have gone from common to uncommon. But most people still consider their communications over unsecured wireless networks to be private. So which governs: The details of how the network works or prevailing social understandings?
II. Encrypted Communications
Now imagine the same case, except the wi-fi access point is password-protected and the communications are encrypted. The contents are scrambled into ciphertext during transmission, so any effort to collect the communications only reveals the gibberish of ciphertext. The government agent collects the scrambled ciphertext and takes it back to the government’s lab. Back at the lab, the agent figures out a way to break the encryption and convert the ciphertext into plain text and read the communications. Let’s ask the question again: Does this constitute a search? Did the agent violate the suspect’s reasonable expectation of privacy?
Once again, it depends on whether you look at how the technology works or social understandings. If you focus on social understandings, the prevailing social understanding today is that using encryption is a good way of making something private. We think of encryption as something like a lock, so locking the communication is like keeping it private using a lock. If you think social understandings should govern the Fourth Amendment test, then it seems that breaking the encryption should be considered a search.
But again, you reach a different result if you focus on how the technology works. Decrypting ciphertext may seem like unlocking a locked communication, but the ciphertext is actually already exposed: Decryption is a matter of analyzing that which has been already exposed rather than bringing new things into view. From that perspective, decryption is not a search. I made this argument in an early article that I think I still find persuasive: The Fourth Amendment in Cyberspace: Can Encryption Create a Reasonable Expectation of Privacy?, 33 Conn. L. Rev. 503 (2001). Readers are invited to read the whole article to understand the full argument (it’s relatively short), but here’s an excerpt:
When the government obtains ciphertext that can only be decrypted with an individual’s private key, that individual enjoys an excellent chance that the government will be unable to discover the key and decrypt the communication. However, the Fourth Amendment does not protect the individual if the government decides to devote its resources to decrypting the communication and manages to succeed. From a rights-based perspective, the individual has no enforceable legal means of blocking the government from attempting to translate the ciphertext into plaintext. She has no right to stop government agents from examining the ciphertext and trying to think of patterns that might provide the key to translating the ciphertext into plaintext. She cannot obtain a court injunction preventing the government from examining the ciphertext legally in its possession. Nor does the fact that the government would try to decrypt ciphertext using a computer make any difference: the question is what the government does, not what technologies it uses to do it. Thus, the government is free to try to crack the code if it wishes: the fact that it will probably fail does not create Fourth Amendment protection.
Despite the high-tech atmospherics, decryption of Internet communications without a warrant hardly presents a novel question from the perspective of the rights-based Fourth Amendment. A rational expectation that law enforcement will be unable to decrypt ciphertext is just like a burglar’s rational expectation that he can burglarize an unoccupied home without being detected, a husband’s rational expectation that his wife will not consent to a search of their bedroom, or a drug smuggler’s expectation that no one will find narcotics that he has stored in a hidden compartment. The odds may be in his favor, but the Fourth Amendment does not protect him if he later turns out to be wrong. The Fourth Amendment simply does not recognize such expectations as “legitimate.” Decoding communications by taping together shreds, finding someone who speaks a foreign language, locating someone who has an encryption “key,” or cracking the encryption using brute force methods merely affects the government’s understanding of a communication, not the government’s access to it. If the government obtains communications in a form that it does not understand, the Fourth Amendment does not require law enforcement to obtain a warrant before translating the documents into understandable English. Accordingly, decryption cannot violate the Fourth Amendment.
From this perspective, the lock and key analogy is flawed because it acts at the level of metaphor rather than technology. Also, it raises the strange question of how strong the encryption must be to generate Fourth Amendment rights:
In the real world, of course, the statistical reasonableness of an expectation of privacy in an encrypted communication is a function of many factors, including the time allowed to decrypt it, the number of people trying to decrypt it, and the resources at their disposal. For example, a person would reasonably expect that a 56-bit encryption scheme is unbreakable if law enforcement has ten minutes and a Radio Shack TRS-80 Model III computer to break the code, but could not reasonably expect that the scheme would be unbreakable if law enforcement has ten years and a dozen Cray supercomputers to crack the code. Would that mean law enforcement needs a warrant to crack the code with a TRS-80, but can crack it without a warrant using supercomputers? Or that law enforcement would need a warrant to crack encryption in a day, but would not need a warrant if it waited ten years? Or that law enforcement would not need a warrant to crack encryption in a high-profile case that would obviously merit the allocation of significant law enforcement resources, but that a warrant would be required in a low-profile case? Such results would be extremely strange, but appear unavoidable if we accept the view that encryption acts as a “lock” that can create a reasonable expectation of privacy.
So which governs: The social understanding or the technology? And combining the two cases, encrypted and unencrypted communications, is there a consistent answer as to whether the Fourth Amendment test should focus on social understanding or technology? Some will want to focus on technology in one case and social understanding in another; others will want to focus on technology in both cases or social understanding in both cases.
Which side is right?