The road to jail is paved with smart phones

Could you get me out of jail?
(Man I aint even done nothin’)
Could you get me out of jail?
(Aye look, aye somebody get my cell phone. Aye get my cell phone.)
Could you get me out of jail?
From Get Me Out Of Jail by Petey Pablo

Possibly the coolest innovation spawned by Apple’s now ubiquitous iPhone was the concept of “jailbreaking” whereby iPhone owners, myself included, could free their device from the Apple/AT&T apps/carrier monopoly by using hacked firmware. Well now, thanks in part to the Supreme Court of the State of California, your phone may require you to do some very literal jailbreaking. This article by Ryan Radia in Ars Technica explains the situation thusly.

[The] decision in People v. Diaz (PDF), [holds] that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

So if you live in or plan to visit California any time soon it would probably be a good idea to lock down your cell phone and plan on doing a little time for obstruction or contempt. “Now just hang on a gosh darn minute there, bucko!“, you’re thinking about now, “I’m a law abiding citizen with nothing to hide, so how can this possibly affect me?“. With all due respect and attendant snarkiness, you are probably a criminal whether you know it or not. Sorry, it’s sad but true. There is a disturbing phenomenon called overcriminalization, described by the Heritage Foundation as follows.

Federal criminal law has exploded in size and scope. Federal criminal law used to focus on inherently wrongful conduct: treason, murder, counterfeiting, and the like. Today, an unimaginably broad range of socially and economically beneficial conduct is criminalized. More and more Americans who are otherwise law-abiding are being trapped and unjustly punished.

Regular readers of this blog, other than you Captain X-Ploit fans who consider laws as challenges to be hacked and overcome, will recall that past entries like this and this detail egregious legal abuses in the name of copyright enforcement. So given the penchant of the entertainment industry and their trained stooges in congress [sorry, that's a bit harsh - the Three Stooges as well as Iggy and the Stooges were much smarter than congress - but I digress] to criminalize all sorts of behaviors that interfere with their unmitigated money grab (er… IP protection) I would ask you law abiding citizens this question, How certain are you that the music and videos on your smart phone are “legal” and not “pirated”?Now that’s just ridicules!“, you might respond, “Law enforcement does not enforce those kind of laws.” You think? Sorry to disabuse you of your delusions of freedom, but I’ve written about that very thing in this entry entitled Over the top copyright enforcement insanity.

Or how about those of you who engage in “sexting”? If your “sexts” sometimes include racy photos whose subject was under the legal age of adulthood at the time of the photo that’s child pornography. Or how about that clueless, tasteless friend you have – you know who I mean – that insists on sending you off-color jokes that are illustrated. If you get your email on your smart phone, and who doesn’t nowadays, guess what – potential pornography again. Law enforcement calls that “probable cause”, and no it doesn’t matter that you’ve deleted them. The point is this, again summed up by Ars Technica.

A May 2010 study from the conservative Heritage Foundation and the National Association of Criminal Defense Lawyers found that three out of every five new nonviolent criminal offenses don’t require criminal intent. The Congressional Research Service can’t even count the number of criminal offenses currently on the books in the United States, estimating the number to be in the “tens of thousands.”

So you are almost certainly a criminal whether you intend to be or not. And here is the rub: when I mentioned “locking down” your smart phone earlier, I failed to mention that it’s rarely possible to do so.

While police cannot force you to disclose your mobile phone password, once they’ve lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis.

A “brute force” attack on a 4-digit lock code as the iPhone has, is hardly a daunting task since 80% of you will use “1234” or “1478”. Furthermore,

In many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software.

Ideally you would want full-disk encryption on your mobile device – just like you use on your laptop or netbook computer. But the news is grim in this area as well.

Unfortunately, few consumer-grade smartphones support full device encryption. While there are numerous smartphone apps available for encrypting particular types of files, such as emails (i.e. NitroDesk TouchDown), voice calls (i.e. RedPhone), and text messages (i.e. Cypher), these “selective” encryption tools offer insufficient protection unless you’re confident that no incriminating evidence exists anywhere on your smartphone outside of an encrypted container.

Despite the generally sorry state of mobile device security, a few options exist for privacy-conscious mobile phone owners. Research in Motion’s BlackBerry, when configured properly, is still widely considered to be the most secure smartphone platform. In fact, BlackBerry’s transport encryption is so robust that a few foreign governments have recently forced RIM to install backdoors for law enforcement purposes.

So basically if you want real protection, get a Blackberry. In the meantime there are some steps we non-Blackberry users can take to help shore up our eroding fourth amendment rights.

You should store your mobile phone in your luggage, footlocker, or in some other closed container that’s not on your person, particularly when driving an automobile. (For more on this subject, see our 2008 article summarizing the search incident to arrest exception in the context of mobile phones. Also see The iPhone Meets the Fourth Amendment, a 2008 UCLA Law Review article by law professor Adam Gershowitz.)

So always lock your phone and put it in a bag in the trunk when you drive. That’s a really good idea for a whole lot of reasons, many of which are your fellow travelers who won’t be at risk of you causing an accident because you won’t be able to text and drive.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that.” I hear you thinking (it’s a gift, my telepathy). “ But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private“. Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don't] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings.  The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

Facebook Carnac and Other Horrors

I believe I can see the future
Cause I repeat the same routine
I think I used to have a purpose
But then again
That might have been a dream
From Every Day Is Exactly The Same by Nine Inch Nails

In case you were feeling safer, more secure and comfortable these days with social networking allow me [with apologies to Stephen Colbert] to Keep the Fear Alive. Just about the time you start feeling more complacent because crack programmers are slowly but surely plugging the holes in the privacy sieve that is Facebook, stories like these rear their ugly heads.

Exhibit A comes to us from Mike Elgan on the IT Management blog. In this entry entitled ‘Pre-crime’ Comes to the HR Dept. he writes about a new service for Human Resources [Memo to HR: While I'm mostly human if you refer to me as a resource, I will slap you so hard that your unborn resources will be well behaved] that pushes the privacy violation envelope.

A Santa Barbara, Calif., startup called Social Intelligence data-mines the social networks to help companies decide if they really want to hire you.

While background checks, which mainly look for a criminal record, and even credit checks have become more common, Social Intelligence is the first company that I’m aware of that systematically trolls social networks for evidence of bad character.

Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you” — not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.

Because it’s illegal to consider race, religion, age, sexual orientation and other factors, the company doesn’t include that information in its reports. Humans review the reports to eliminate false positives. And the company uses only publically shared data — it doesn’t “friend” targets to get private posts, for example.

The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.

That’s right sports fans, just like Carnac the Magnificent Social Intelligence claims predictive abilities. Although unlike Johnny Carson’s well known character who could psychically divine unseen answers to unknown questions, these clever entrepreneurs glean their predictions by a systematic dredging of the social networking cesspool. About now you might be going all Church Lady on me and thinking “Well, isn’t that special? Isn’t it a good thing that companies avoid hiring drunken, crackheaded, violent gang bangers exhibiting bad judgement? And besides, I’m comfortably employed so why should I care?” Well, quite simply, there’s an app for that too.

The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis. The service is advertised as a way to enforce company social media policies, but given that criteria are company-defined, it’s not clear whether it’s possible to monitor personal activity.

The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.

Two aspects of this are worth noting. First, company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.

In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm. And they’re probably right.

That’s right, even if you are gainfully employed and your sinful, poor judgement days are long past you are not immune. Not if you ever had unsavory friends. Or have friends now on Facebook. To paraphrase Queen guitarist Brian May, when asked about bandmate Freddie Mercury‘s infamously decadent parties, you’ve been there,  so you’re definitely going to hell.

But how is this legal? I mean this is the United States of America after all, state of martial law imposed after 9-11 notwithstanding. Surely the judicial branch of our government will put an end to this. Actually, no. As Exhibit B, this entry in the Electronic Discovery Law blog illustrates.

Defendant sought to discover plaintiff’s “current and historical Facebook and MySpace pages and accounts”, including deleted information, on the belief that information posted there was inconsistent with her injury claims.  The court granted the motion, despite plaintiff’s privacy concerns, upon finding the information was material and relevant and that plaintiff had no reasonable expectation of privacy, and because the defendant’s need for access outweighed plaintiff’s privacy concerns.

Regarding plaintiff’s privacy concerns, the court found that production of plaintiff’s MySpace and Facebook entries would not violate her right to privacy, and “that any such concerns were outweighed by Defendant’s need for the information.”  Specifically, the court found that “as neither Facebook nor MySpace guarantee complete privacy, Plaintiff has no legitimate reasonable expectation of privacy.”  The court supported this finding by noting that both MySpace and Facebook warned users against an expectation of privacy.  My Space, for example, warned users “not to forget that their profiles and MySpace forums are public spaces.”  The court concluded:

Thus, when Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings.  Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist.  Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy.  As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

So see, not only does the court not recognize a reasonable expectation of privacy with respect to social networks, it actually gives that idea a name: theoretical protocol better known as wishful thinking. So next time you post anything on Facebook you need to get a bit stricter than don’t post anything you wouldn’t want your mother to see. Your mom knows about your failings and loves you anyway. Your boss and the courts, not so much.

Is privilege transitive?

A little less than a year ago in a post called No privilege for you! a situation was discussed where communication that appears on the surface to be clearly privileged, that between a client and attorney, was not. Due to the circumstances of the communication. Namely it was an email thread that took place over a corporate email network where the court deemed that there was no reasonable expectation of privacy due to the corporate policy. No expectation of privacy, no privilege. Well now we have yet another twist in the attorney client privilege for email saga. In this entry in Electronic Discovery Law blog the situation is described as follows.

The magistrate judge rejected the explanation of plaintiffs’ son that his “technical assistance was necessary for his parents to timely receive the email communications from counsel” because his parents were “not proficient in the use [of] electronic mail.”  The magistrate judge reasoned that “[l]ack of technical competence … is not the equivalent of an inability to communicate.

Now hang on just a darn minute! This magistrate is saying that if you need help getting your email then any correspondence with your attorney isn’t privileged? Apparently this is a really young judge with no older parents or grandparents. A millennial orphan perhaps. Or possibly a tech-savvy computer senior who just wants to punish his internet-illiterate peers. In any case I can assure you that if my mom’s lawyer sent her an email, her first call would be to me to make sure she got it with no problems. Fortunately the district court that reviewed the issue when the plaintiffs objected to the order took a more realistic view.

The district court identified an exception to the principle that communications involving third parties are generally not privileged where “the purpose of the communication [to a third party] is to assist the attorney in rendering advice to the client” and where the party asserting the privilege can establish that the client had a reasonable expectation of privacy with respect to the communication at issue and that disclosure to the third party was necessary for the client to obtain informed legal advice.  The court further established that disclosure to an agent of the attorney or the client does not result in waiver.

Actually New York State law is pretty clear on this matter.

New York State law addressing the “attorney-client privilege’s application in the context of electronic communications, including email.”  Section 4548 of the New York Civil Practice Law and Rules states:  “No communication … shall lose its privileged character for the sole reason that it is communication by electronic means or because persons necessary for the delivery or facilitation of such electronic communications may have access to the content of the communication.

So this certainly brings up some interesting questions. With almost all communications happening electronically over the internet and with more lawyers and doctors becoming aware of the need to protect correspondence with clients and patients as a result of regulatory compliance, the mechanisms that will be put in place to protect these communications are only going to make it more complex for a large portion of the recipients. This will necessitate ever more assistance from tech-savvy helpers. I mean seriously, there’s no way you can expect my mom to be able to decrypt email without assistance. So does that  imply that if I help my mom (don’t worry she loves it when I use her as an example – right mom?) communicate with her lawyer electronically that the privilege is transitive to me? I mean her privilege. I certainly wouldn’t expect privilege to extend to unrelated correspondence between her lawyer and me. But if so how far does the transitive privilege extend? To children? Siblings? Cousins? Any relative? Friends? Nigerian princes? [just kidding]. In any case this is an important question that will no doubt be tested further in courts as technology continues to outstrip the ability of an ever larger portion of the population to comprehend it.

The Prurient Public Pager Privacy Peccadillo

Got a pager and the cell phone too
color contacts with the sexy attitude
From Oh My Goodness by NB Ridaz

Riddle me this, Batman – when do you have a reasonable expectation of privacy on a pager? I always thought the whole purpose of a pager was to violate your privacy by drawing the attention of strangers when it beeps in public. Apparently I was legally incorrect because the answer to the aforementioned rhetorical riddle, according to the Ninth Circuit Court is: when the pager is issued to you by your employer and they fail to have clear policy, or have conflicting policies on pager use. Say what?

Okay, lets start at the beginning with this tale of the Prurient Public Pager Privacy Peccadillo. This post in the Electronic Discovery Law blog lays it out thusly [emphasis mine].

In the summer of 2008, the Ninth Circuit held that a city employee had a reasonable expectation of privacy as to personal text-messages sent from his city-issued and city-owned text-messaging pager.  The court further ruled that the employee’s Fourth Amendment rights were violated when his supervisor read those text messages, after requesting transcripts from the service provider.

The relevant facts are as follows.  In late 2001 or early 2002, pagers were issued to city employees, including the police department.  There was no official policy regarding text-messaging on the pagers.  The City did have a general “Computer Usage, Internet and E-mail Policy”, however, which made clear that the use of city-owned “tools” was limited to business and that “use of these tools for personal benefit” was a “significant violation” of the City’s policy.  The policy also reserved the right of the City to monitor use and stated specifically that the email system was “not confidential”.

An informal policy governing the use of the pagers developed.  Specifically, the practice was that if employees went over their allotted character limit each month, they were responsible for paying the overage. [A police officer] repeatedly accrued overages.  Although the details of the conversation differ, the parties agree that [the officer and his supervisor] spoke about the overages.  [Supervisor] claimed he told [Officer] that he could pay the overages to prevent an audit, but also stated that the text messages were public records, subject to audit at any time.  [Officer] claimed [Supervisor] told him that if he didn’t want his messages read, he should pay the overage fee.  Regardless, [Officer] paid overage fees for exceeding the character limit “three or four times.”

In August 2002, [Officer] and another officer exceeded their limits.  Subsequently, an audit of the pagers was ordered to evaluate the possible need to increase the character limit.  Transcripts of the messages were obtained and read.  Thereafter, an internal affairs investigation was initiated to determine “if someone was wasting…City time not doing work when they should be.”  The investigation revealed that [Officer] had repeatedly exceeded his character limit and that many of the messages were personal and often sexual in nature.  [Officer] and those he was messaging with sued the City for violating their Fourth Amendment rights.

The District Court found that [Officer] had a reasonable expectation of privacy in his text messages.  The court further found that the reasonableness of the search turned on the purpose for which it was undertaken.  Because it was undertaken for purposes of determining a proper character limit, and not to uncover misconduct (as determined by a jury), defendants were absolved of liability.

The Ninth Circuit agreed with the district court that “the Department’s informal policy that the text messages would not be audited if he paid the overages rendered [Officer's] expectation of privacy in those messages reasonable” and noted that the formal usage policies were not the “operational reality” at the department.

So what we have here is a failure to communicate. Or rather way to much information-free communicating going on. First you have the City with their “Computer Usage, Internet and E-mail Policy” as opposed to an actual text-messaging/pager policy – because hey, pagers are just like computers, internet and e-mail, right? Then you have the supervisor telling officers that if you go ever the character limit you can pay to avoid an audit. Add to that an officer who decides that since he’s paying for those extra characters they might as well spell out something naughty. And finally you have the City deciding to do an audit to “evaluate the possible need to increase the character limit” by reading transcripts of the messages and then deciding to launch an Internal Affairs investigation to determine “if someone was wasting…City time not doing work when they should be.” Yeah – one of those kill two birds with one stone deals. This kind of sneaky “since we’re here anyway, we just though we’d violate your privacy” behavior really chaps my hide and I’ve written about it before here, here and here. Apparently the Ninth Circuit Court agrees.

Regarding the reasonableness of the search, the court determined that although the purpose of the search was reasonable, its scope was not.  By way of example, the court noted several alternatives to actually reading messages that could have accomplished the goal of determining the need to raise the character limit, including allowing [Officer] to count characters himself.  Accordingly, the court determined Appellants’ Fourth Amendment Rights had been violated.

So there you have it. Another blow struck for privacy and the Fourth Amendment. But if you think that this means your pager traffic is actually private here in “operational reality”, I have a message for you: U R A moron.

Maybe privilege for you after all

In an earlier post entitled No privilege for you! I wrote about how an employee’s attorney-client privilege was not applicable because communication with his attorney took place via his employer’s email and therefore there was no reasonable expectation of privacy. In that case the e-mail communication in question took place on the employer’s internal email system via hardware owned by the employer. The four factors the court set forth for consideration in determining whether an employee has a reasonable expectation of privacy in computer files or email are worth repeating here.

  1. does the corporation maintain a policy banning personal or other objectionable use,
  2. does the company monitor the use of the employee’s computer or email,
  3. do third parties have a right of access to the computer or e-mails, and
  4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?

Recently a similar case, with a subtly different twist received a completely different ruling from the Supreme Court of New Jersey. This entry in Electronic Discovery Law blog reports it as follows.

Stengart v. Loving Care Agency, Inc., 2010 WL 1189458 (N.J. Mar. 30, 2010)

In this employment litigation, the Supreme Court of New Jersey addressed whether employees have a reasonable expectation of privacy as to attorney-client privileged emails sent and received on a work computer. The court held that under the circumstances presented, the employee/plaintiff did have a reasonable expectation of privacy as to emails with her attorney. Additionally, the court remanded the case to the trial court to determine what, if any, sanctions should be imposed upon defense counsel for reading and utilizing the emails at issue, despite indications that they were protected as privileged.

So what makes the circumstances of this case different from the first case wherein the court ruled that the email in question was not protected by the attorney-client privilege because the defendant had no reasonable expectation of privacy? Well, it turns out there was at least one major difference. Ellen Messmer in this article in Network World describes the circumstances of this case.

[The employee's] lawyers and [employer's] own team of lawyers had been squabbling over whether [employer], which had collected [employee's] e-mail after she filed suit against the company, had to turn over to [employee's] lawyers the half-dozen or so Webmail-based e-mails the company had managed to capture as forensic evidence.
These were e-mails [employee] had sent via her personal password-protected Yahoo account to her lawyers before her resignation; [employee's] lawyers also wanted [employer's] lawyers disqualified in the case. [Employer's] lawyers argued [employee] had no reasonable expectation of privacy in files on a company-owned computer in light of the company’s electronic communications policy.
[Employee] had sent the e-mail via her Yahoo account via her work computer at the office, not her corporate e-mail account. [Employer's] lawyers argued that [employee] “had no reasonable expectation of privacy in files on a company-owned computer in light of the company’s policies on electronic communications,” a court document states. [Employee] argued she had been given no warning that e-mail sent from a personal account would be monitored or stored.
According to a court document, [Employer's] policy states the home care services firm may review, access, and disclose “all matters on the company’s media systems and services at any time,” and also stated that e-mail, Internet communications and computer files are the company’s business records and are “not to be considered private and personal” to employees. It also stated “occasional personal use is permitted.”

So the key difference was that in this case the employee, while utilizing the employer’s computer at the employer’s site was communicating via her personal e-mail account – not the corporate e-mail system. So this certainly sets aside the prevailing notion that there is no reasonable expectation of privacy when using your employer’s computer. Unfortunately it’s not that clear. Not yet anyway. As this summary of the history of the case shows.

Upon leaving her position and filing her complaint, [her] former employer hired experts to create a forensic image of [her] laptop. The emails, which had been stored in the laptop’s temporary files, were recovered, passed on to counsel, and eventually utilized in the course of discovery. Upon learning of defense counsel’s possession of the emails, [employee’s] counsel demanded their immediate return. Defense counsel refused, and the issue went before the court. The superior court decided in favor of [employer] and held that there was no breach of attorney-client privilege “because policy placed [employee] on sufficient notice that her emails would be considered company property”. The appellate court held that the policy upon which the trial court relied could allow an objective reader to conclude that not all personal emails were company property and reversed the trial court. The issue was then appealed to the Supreme Court. The Supreme Court found in favor of [employee].

There is another key issue here related to the use of Webmail: The employer had to resort to extraordinary means – a forensic analysis of the computer – to actually retrieve the e-mail in question. This also figured in the court’s analysis of the case.

Beginning its analysis with an evaluation of the policy addressing an employee’s personal computer use, the Supreme Court determined that the scope of [employer's] written policy was “not entirely clear.”  The ambiguity resulted from the policy’s failure to specifically address personal emails, from the lack of warning that the contents of all emails were stored on the users’ computers and could be forensically retrieved and read later, and from the policy’s explicit statement that “occasional personal use [of email] is permitted.”

The court found that “[employee] had a reasonable expectation of privacy in the emails she exchanged with her attorney on [employer’s] laptop.” Specifically, the court noted that [employee] “took steps to protect the privacy of those emails” by using a personal, password-protected email account and by not saving the password on her computer. “In other words, she had a subjective expectation of privacy in messages to and from her lawyer discussing the subject of the future lawsuit.” The court also cited the ambiguity of the policy, as explained above, in support of her “objectively reasonable” expectation of privacy and also that noted the emails were neither illegal nor inappropriate and that the emails were marked as privileged.

But don’t start celebrating this new reasonable expectation of privacy on personal communications from your employer’s equipment too soon. The court concluded that your employer still has the right to enforce electronic communication policies that you might consider quite invasive of your privacy. In other words your expectation of privacy with respect to your work laptop is not reasonable in light of a well written policy.

Regarding the effect of their conclusion, the court stated:

Our conclusion that [employee] had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers. Companies can adopt lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies. And employers can enforce such policies. They may discipline employees and, when appropriate, terminate them, for violating proper workplace rules that are not inconsistent with a clear mandate of public policy. But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy. Because of the important public policy concerns underlying the attorney-client privilege, even a more clearly written company manual–that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal, password-protected e-mail account using the company’s computer system–would not be enforceable.

So there you have it. Maybe some privilege for you after all.

Does encryption imply expectation of privacy?

Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.

This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”

This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.

Chris:

I think I found a judge who reads your blog…

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such).  I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.

Very dicey topic. Thought you might want to weigh in.

Joe:

This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.

I can certainly offer some advice with respect to the offsite archive of your personal data.

I have a Verisign OpenID (which you can get for free here). In the process you setup a “Personal Identitly Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here*) so there is minimal chance of exposure.

[* update 17-November-2010: SecureZip Express (free version) is no longer available. There is a 30-day trial available for free but the full product starts at $39US]

Chris:

If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.

Joe:

Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.

The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.

If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.

The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.

Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.

Chris:

Ok, this is heading into some really interesting legal waters. Building on your last comment,  I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.

Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.

My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions)  to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.

I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine. In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you.  Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.

The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISP’s and users?

Joe:

The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.

For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.

Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.

So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.

The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.

As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.

No privilege for you!

Everybody knows about the idea of attorney-client privilege. At least in the USA. It’s what keeps lawyers in business and their clients out of jail. In general, any communication between attorney and client is privileged. It’s a secret that no court can compel either party to divulge. Kind of like the privilege between confessor and confessee [priest and sinner in confession]. Only God usually isn’t involved. If the conversation is via telephone? Covered. Postal mail? Ditto. E-mail? Absolutely. Except when it’s not.

You see, privilege hinges on the idea that the conversation is private. Since it’s not possible to “un-hear” a public conversation you don’t get no stinking privilege. Well duh! you might be thinking about now. Of course not. But when a client sends an email directly to an attorney then it’s private. Not so fast there, buckaroo! In this post on the Electronic Discovery Law blog an incident is described wherein that privileged email turns out not to be.

At issue before the court was an email sent from defendant’s counsel to plaintiff’s Vice President and In-House General Counsel regarding a prior conference call attended by [the] defendant, [both counsels] and another lawyer for plaintiff.  At the time of the call, [the] defendant was CEO and Vice-Chairman of the plaintiff corporation.

Evidence was presented that during [the defendant's] employment with plaintiff, [the In-House General Counsel] served as [the defendant's] personal advisor.  Accordingly, [the defendant] claimed the email was a privileged communication between his counsel and his “personal advisor and agent”.  Issues of whether the relationship between [them] was sufficient to establish privilege aside, the court ruled that the email in question “[was] not protected by the attorney-client privilege because [the defendant] had no reasonable expectation of privacy…”

That’s right. Do not pass Go, do not collect $200. This is a point I’ve been trying to drive home since I started blogging lo those many months ago (14 to be exact): when you send and receive email at work you have no reasonable expectation of privacy. Just so there’s no confusion, here are the four factors the court set forth for consideration in determining whether an employee has a reasonable expectation of privacy in computer files or email:

  1. does the corporation maintain a policy banning personal or other objectionable use,
  2. does the company monitor the use of the employee’s computer or email,
  3. do third parties have a right of access to the computer or e-mails, and
  4. did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?

That’s right, you better check the old employee manual to see what your employer’s policy is. Or better yet just pay attention to that disclaimer message that comes up every time you log in to your PC or workstation. You know, that one you always ignore? I willing to bet that it doesn’t say “Use this computer for anything you like. We don’t care and won’t pay any attention to you.

Bottom line is that you have no reasonable expectation of privacy when you email at work. And therefore no privilege. Not with your lawyer. Not with your priest. Even though God might forgive you in the latter case, a judge certainly will not in the former. You’ve been warned. Now go in peace and sin no more.