A federal court in Virginia on June 23 may have put the final stake in the heart of constitutionally protected privacy rights online.

The case itself was simple enough – in an effort to investigate the murky and disreputable “business” of sharing child pornography on the Dark Web that is accessible mostly through TOR routers, the FBI installed code (they refuse to call it malware) which, when activated, identified the IP addresses of people who both accessed the site and downloaded the child porn.

While there were legal and factual questions about the extent of probable cause and the workings of the FBI’s technology, as well as the authority of the magistrate to issue the warrant, at least the FBI got a warrant.

As a result of the Court’s ruling in the case, that may no longer be necessary.  The FBI will now be permitted to examine what is on a personal (or corporate) computer without any warrant whatsoever, without probable cause, without a subpoena, or without a by your leave (request for permission).  All of this because you have, according to the Virginia court, “no expectation of privacy” in your IP address, because you have voluntarily shared that data with others.

There’s a long line of authority that when you voluntarily share something with a third party, you take the risk that the third party will share it with others.  You give a love letter to a (now jilted) lover, you run the risk they will expose its contents (to a point).  But that doesn’t mean that the police can now take your love letter from your lover because – by exposing it to someone else – you gave up any privacy interests you may have had in it.  Even in the hands of third parties, you retain your privacy interests.

The seminal case on what is called the “third party doctrine” is Smith v. Maryland.  A woman was robbed of her purse in Baltimore, and the thief got her personal information including her phone number.  Immediately afterwards she started getting harassing and annoying calls from an unknown (but identified) phone number, and a strange person started following her and driving by her home.

When the police ran the license plate of the car, they identified Mr. Smith, and got a subpoena from the phone company for 3 days of Smith’s calling records showing that he had been calling the victim. The Supreme Court majority held that Smith couldn’t object to the warrantless demand (subpoena) for the phone company’s records of his calls – partly because he had voluntarily exposed the fact that he made these calls to the phone company, and knew that a record of these calls had been made.  Justice Thurgood Marshall, dissenting in Smith, rejected the idea that a person voluntarily gave up privacy by using a phone, thereby assuming the risk that someone would get those records.  Marshall noted:

“Implicit in the concept of assumption of risk is some notion of choice. At least in the third-party consensual surveillance cases, which first incorporated risk analysis into Fourth Amendment doctrine, the defendant presumably had exercised some discretion in deciding who should enjoy his confidential communications. By contrast here, unless a person is prepared to forgo use of what for many has become a personal or professional necessity, he cannot help but accept the risk of surveillance. It is idle to speak of “assuming” risks in contexts where, as a practical matter, individuals have no realistic alternative. *** In my view, whether privacy expectations are legitimate … depends not on the risks an individual can be presumed to accept when imparting information to third parties, but on the risks he should be forced to assume in a free and open society.”

Justices Stewart and Brennan also objected to the Supreme Court’s finding, noting:

“The numbers dialed from a private telephone — although certainly more prosaic than the conversation itself — are not without “content.” Most private telephone subscribers may have their own numbers listed in a publicly distributed directory, but I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have called. This is not because such a list might in some sense be incriminating, but because it easily could reveal the identities of the persons and the places called, and thus reveal the most intimate details of a person’s life.”

But those were dissenting opinions.  The majority essentially ruled that because what was obtained was not the contents of conversation, and because the caller knowingly exposed that information to the phone company, no warrant was needed for the police to get those records.

In the Virginia case, the government wanted to know who was accessing a particular hidden TOR site called “Playpen” dedicated (primarily if not exclusively) to child porn, and who was downloading it.

Unlike in Smith, the government did not subpoena the IP addresses of users of the site from the Playpen site.  Rather, the government hacked into every computer that accessed the site, installed software (called NIT – Network Investigative Technique), and used that software not only to determine the IP address of the computer that accessed the site, but also to ping the government with that information.

When the defendant challenged the scope of the warrant and the process, not only did the Court rule that the warrant was fine, the court went on to rule that the warrant was unnecessary.   The court ruled that the “Defendant lacked any expectation of privacy in the main piece of information the NIT allowed the FBI to gather – his IP address.”

Why no expectation of privacy in your IP address?  Well, everyone knows that the Internet is not secure, right?  So how can you expect things to be private on the Internet?

The Court explicitly said, “hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy.”  “Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can – and eventually will – be hacked. In the recent past, the world has experienced unparalleled hacks. …”

Even password-protected files don’t get a pass, and the Court rules that you have no “reasonable expectation of privacy” in the contents of password-protected files, noting “in 2016 it now appears unreasonable to expect that simply utilizing a password provides any practical protection…”

Onion routers, encryption, obfuscation all can be bypassed and provide no genuine security or privacy protection.  Thus, the Court concludes, “FBI agents who exploit a vulnerability in an online network [with or without a warrant] do not violate the Fourth Amendment.”  After all, “Law enforcement tactics must be allowed to advance with technological changes, in order to prevent criminals from circumventing the justice system.”

Essentially, the Court rules that the Internet is not safe, and it would be silly for people to think that it is.  If you use a technology that’s not safe – even if you use special tools or techniques like passwords, encryption and “onion” routers, these are still not safe.  And if they are not safe from hackers or from foreign governments, then the law will provide no privacy rights in them either.  Which means that the FBI can hack in at will.
