Wednesday, June 06, 2007

Privacy of computers attached to a network

While doing research for a paper on privacy rights and freedom of speech in academic networks in UK and looking for how the law and courts deal with the issue in others parts of the globe, I found a fairly recent case (April 5th 2007) of the US Court of Appeals for the Ninth Circuit that gives a mixed message about the issue. The case is USA v. Heckenkamp, where the issue was whether evidence colleted during warrantless remote search of a student's hard drive by a university network administrator who was acting in association with the FBI was admissible in court.
In the course of an investigation on unauthorized access to the computer systems of Qualcomm, the FBI determined that the intruder likely accessed the company’s systems from a computer on the University of Wisconsin network and the Feds sought and received assistance from the University. The UW investigation of network information led it to Jerome Heckenkamp, a graduate student in computer science and renown hacker (check about him on page 6 of the Hacker's Digest), and the computer in his dormitory room, and without a search warrant a UW network administrator used his computer to remotely search the hard drive of Heckenkamp's computer a day before that the FBI obtained the first search warrant and seized the student’s computer and searched his room.
The hacker moved to suppress evidence gathered from the University’s warrantless remote search of his computer and the search conducted pursuant to the FBI's search warrant, motion that was denied by the District Court. Then, Heckenkamp pled guilty to two counts of “Fraud and related activity in connection with computers”, 18 U.S.C. § 1030, conditioned upon his right to appeal the denial of his motion to suppress (the importance of the point is in the fact that suppression of evidence in this case may enable the student to escape punishment for a crime to which he pled guilty).
The court, focusing on two points, affirmed the District Court's denial of Heckenkamp's motion to suppress evidence under the special needs exception to the warrant requirement, because it found that federal prosecutors can use evidence collected in a warrantless computer search to prosecute a student for hacking computers outside of the university network, when the university acted out of an independent concern to protect its own computer systems and not to aid the federal investigation per se.
Since a prerequisite to establishing the illegality of a search under the Fourth Amendment is that the defendant shows that he had a reasonable expectation of privacy in the place searched, the first issue that the Court of Appeals dealt with was whether there is a reasonable expectation of privacy in a computer attached to a network. In this point, it found that Heckenkamp had a legitimate and objectively reasonable subjective expectation of privacy in his computer and his dormitory room, which was not extinguished or eliminated when he attached his computer to the network, especially due to the fact that the University did not advice users that that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by them.
The special needs exception constituted the second issue where the Court of Appeals put its focus. It said that the search of the Heckenkamp’s computer was justified because under the special needs exception a warrant is not required when special needs, beyond the normal need for law enforcement, make the warrant and probable-cause requirement impracticable, and while it was true that the University knew of the FBI investigation regarding unauthorized access to Qualcomm's computer it had an independent concern about the security of its own computers, even if the evidence collected by the warrantless search of the computer was used to obtain the conviction in the FBI's case.
It is a case that should give reasons to celebrate and to worry to privacy advocates because on one hand makes clear that there is a reasonable expectation of privacy in computers even when connected to networks, but on the other allows the use by law enforcement agencies of information that they acquired via circumventing the constitutional guarantees. A more rational approach by the court should establish that when the special needs exception is used, the information obtained by that course cannot be used for purposes different than those that justified the use of the exception (in this case to verify a breach on the University of Wisconsin computer’s security)…

No comments: