United States v. King:
The Eleventh Circuit recently decided an interesting case applying the Fourth Amendment to computer networks, United States v. King. The question: If a person connects his machine to a computer network, and he unknowingly is sharing the contents of the machine with the rest of the network, does he retain Fourth Amendment protection in the inadvertently exposed contents?
First, the facts. King was a civilian contractor who worked at a U.S. Air Force base in Saudi Arabia. He often connected to the base network using his personal laptop computer. Unbeknownst to him, his laptop was configured to "share" its contents with the entire network. One day, an enlisted man was searching the network for music files when he came across King's computer; he noticed that the computer contained adult pornography. The enlisted man reported this to another government employee, who conducted a similar remote search and found an empty folder in King's computer called "pedophilia." The government obtained a warrant to search King's computer at the air force base based on this evidence, and they found child pornography on his machine.
King then filed a motion to suppress on the ground that the initial remote search of his computer was an unlawful search in violation of the Fourth Amendment. The Eleventh Circuit rejected the argument in a per curiam opinion (Pryor, Carnes, and Anderson on the panel) reasoning that King did not have a reasonable expectation of privacy in the files he had exposed to the rest of the network:
Here's the twist: King did not realize he was exposing his files to the rest of the network. He thought that his files were blocked from the rest of the network. If that had been the case, the files would have been protected by the Fourth Amendment. See United States v. Heckencamp (9th Cir. 2007). I think that brings us into somewhat different territory: we're not dealing with "knowing exposure" but rather "unknowing exposure."
Should that make any difference? I'm not sure, but I think the issue is actually pretty hard. In the physical world, you don't generally find cases of genuine "unknowing exposure." If you leave an object in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public (to take the facts of earlier 11th Circuit precedents), you generally are aware of that fact. You may still have a subjective expectation of privacy, but you are nonetheless aware of the fact that you have put your stuff in a place exposed to the public and that you are running the risk that your stuff may be seen. You have a subjective expectation of privacy but no reasonable expectation of privacy under Katz.
Computers are different. The user typing at his machine may have a perfectly reasonable belief that his files are hidden when they are in fact being exposed. The user no longer has the usual physical clues to determine whether his materials are exposed. Whether a user has a constitutionally reasonable expectation of privacy in such setting strikes me as a complicated question, and off the top of my head I'm not sure what the answer should be.
[UPDATE: The more I think about this, the more I think the problem is the clash between the experiences of the searcher and the searched. The searcher has no idea what the searched person has intended, and the searched person may have no idea that he is being subject to search. The absence of physical clues leads to uncertainty when both users are online interacting virtually with the network. Which perspective should the Fourth Amendment follow: the searcher or the searched? This is actually a rich and unsettled question, I think.]
In light of these difficulties, I tend to think the better approach to resolving the King case would have been to assume a reasonable expectation of privacy and apply the "special needs" reasonableness framework of O'Connor v. Ortega. This was a government network, and users of the network had a right to conduct reasonable searches of it. It seems to me that the remote searches here were reasonable under O'Connor, meaning that they did not violate the Fourth Amendment even assuming that King retained Fourth Amendment protection in the contents of his laptop. This would lead to the same result, but on ground that is a little more certain. (Also note the interesting fact that the search occurred in Saudi Arabia; given that this was a U.S. base and a U.S. contractor, that probably doesn't make any difference.)
First, the facts. King was a civilian contractor who worked at a U.S. Air Force base in Saudi Arabia. He often connected to the base network using his personal laptop computer. Unbeknownst to him, his laptop was configured to "share" its contents with the entire network. One day, an enlisted man was searching the network for music files when he came across King's computer; he noticed that the computer contained adult pornography. The enlisted man reported this to another government employee, who conducted a similar remote search and found an empty folder in King's computer called "pedophilia." The government obtained a warrant to search King's computer at the air force base based on this evidence, and they found child pornography on his machine.
King then filed a motion to suppress on the ground that the initial remote search of his computer was an unlawful search in violation of the Fourth Amendment. The Eleventh Circuit rejected the argument in a per curiam opinion (Pryor, Carnes, and Anderson on the panel) reasoning that King did not have a reasonable expectation of privacy in the files he had exposed to the rest of the network:
King has not shown a legitimate expectation of privacy in his computer files. His experience with computer security and the affirmative steps he took to install security settings demonstrate a subjective expectation of privacy in the files, so the question becomes "whether society is prepared to accept [King's] subjective expectation of privacy as objectively reasonable."I'm not immediately comfortable with this reasoning, although I think the ultimate result is correct. A foundational principle of the Fourth Amendment is that one who "knowingly exposes" material to other government actors retains no Fourth Amendment protection in that material. See Katz v. United States. This applies just as much to computers as it does to anything else, so that if you knowingly expose files to a government network you lack Fourth Amendment protection in the knowingly exposed materials. See United States v. Barrows (10th Cir. 2007).
It is undisputed that King's files were "shared" over the entire base network, and that everyone on the network had access to all of his files and could observe them in exactly the same manner as the computer specialist did. As the district court observed, rather than analyzing the military official's actions as a search of King's personal computer in his private dorm room, it is more accurate to say that the authorities conducted a search of the military network, and King's computer files were a part of that network. King's files were exposed to thousands of individuals with network access, and the military authorities encountered the files without employing any special means or intruding into any area which King could reasonably expect would remain private. The contents of his computer's hard drive were akin to items stored in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public [Ed.-- both fact patterns covered under 11th Circuit law finding no Fourth Amendment protection].
Here's the twist: King did not realize he was exposing his files to the rest of the network. He thought that his files were blocked from the rest of the network. If that had been the case, the files would have been protected by the Fourth Amendment. See United States v. Heckencamp (9th Cir. 2007). I think that brings us into somewhat different territory: we're not dealing with "knowing exposure" but rather "unknowing exposure."
Should that make any difference? I'm not sure, but I think the issue is actually pretty hard. In the physical world, you don't generally find cases of genuine "unknowing exposure." If you leave an object in the unsecured common areas of a multi-unit apartment building or put in a dumpster accessible to the public (to take the facts of earlier 11th Circuit precedents), you generally are aware of that fact. You may still have a subjective expectation of privacy, but you are nonetheless aware of the fact that you have put your stuff in a place exposed to the public and that you are running the risk that your stuff may be seen. You have a subjective expectation of privacy but no reasonable expectation of privacy under Katz.
Computers are different. The user typing at his machine may have a perfectly reasonable belief that his files are hidden when they are in fact being exposed. The user no longer has the usual physical clues to determine whether his materials are exposed. Whether a user has a constitutionally reasonable expectation of privacy in such setting strikes me as a complicated question, and off the top of my head I'm not sure what the answer should be.
[UPDATE: The more I think about this, the more I think the problem is the clash between the experiences of the searcher and the searched. The searcher has no idea what the searched person has intended, and the searched person may have no idea that he is being subject to search. The absence of physical clues leads to uncertainty when both users are online interacting virtually with the network. Which perspective should the Fourth Amendment follow: the searcher or the searched? This is actually a rich and unsettled question, I think.]
In light of these difficulties, I tend to think the better approach to resolving the King case would have been to assume a reasonable expectation of privacy and apply the "special needs" reasonableness framework of O'Connor v. Ortega. This was a government network, and users of the network had a right to conduct reasonable searches of it. It seems to me that the remote searches here were reasonable under O'Connor, meaning that they did not violate the Fourth Amendment even assuming that King retained Fourth Amendment protection in the contents of his laptop. This would lead to the same result, but on ground that is a little more certain. (Also note the interesting fact that the search occurred in Saudi Arabia; given that this was a U.S. base and a U.S. contractor, that probably doesn't make any difference.)