TAG | legal
A New York district judge has ruled that Microsoft must comply with US search warrants for emails stored in European data centers. The argument is that as a US company, Microsoft is subject to the order, and because it has control of its European subsidiary which in turn has control of the data center in Europe, it should therefor comply.
This will put Microsoft, and many other US Internet companies, in a tricky place. The EU data protection laws are being expanded to explicitly bar EU subsidiaries of US companies from sending data outside the EU for law enforcement or intelligence purposes.
This also further undermines confidence in the security and privacy of data held by US Internet companies.
In a unanimous decision, the Supreme Court ruled that police must obtain a warrant before searching suspect’s cellphone. Before this, cellphones were treated just like anything else a suspect might carry, including wallet, keys, address book, or various other “pocket litter”.
Police are generally allowed to search suspects for weapons and to prevent the distraction of evidence. Because of the massive amount of storage on a modern smartphone, and its direct connection into so many other stores of data and communications, the court felt that the contents of these devices was qualitatively different and deserving of greater protection.
It is important to remember that the police can still take the phone, and that they can then get a warrant to search it if there is probable cause. They are simply prevented from searching it without the warrant, possibly in the hope (but not expectation) of finding evidence.
This decision may lay the groundwork for according similar protections to cloud stored data, which once would have been kept in the home in hard copy. Law enforcement officials claim that technology is making life easier for criminals and harder for law enforcement. I find that hard to believe and have not seen any really good studies of the matter. If you have, please let me know!
It strikes me that the routine preservation of emails and other communications, along with the massive use of server logged communications from text messages to social media, actually makes things much easier for law enforcement on the whole.
The fact that the decision was unanimous suggests that we may be entering a period of re-evaluating outdated precedents from the pre-internet era.
Some key quotes from the decision:
- Regarding treating phones like other pocket litter – “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon,”
- On the impact on law enforcement – “Privacy comes at a cost.”
- “Cell phones differ in both a quantitative and a qualita- tive sense from other objects that might be kept on an arrestee’s person. The term “cell phone” is itself mislead- ing shorthand; many of these devices are in fact minicom- puters that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, librar- ies, diaries, albums, televisions, maps, or newspapers.”
- “The scope of the privacy interests at stake is further com- plicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an ar- restee, a concern that the United States recognizes but cannot defini- tively foreclose.”
- “Our answer to the question of what police must do before searching a cellphone seized incident to an arrest is accordingly simple—get a warrant,”
Some Excellent Articles for further reading:
Note: In the picture above, the policeman is actually just using his own cellphone.
The Massachusetts High Court recently ruled that a suspect can be compelled to decrypt disks, files, and devices which have been seized by law enforcement. The crux of the question before the court was whether compelling the password for decryption is forbidden by the Fifth Amendment protection against self incrimination.
The analogy one most often sees is to being compelled to provide the combination to a safe, the contents of which are subject to a search warrant. That is well settled law, you can be compelled to do so.
The court said:
We now conclude that the answer
to the reported question is, “Yes, where the defendant’s compelled decryption would not
communicate facts of a testimonial nature to the Commonwealth beyond what the defendant
already had admitted to investigators.” Accordingly, we reverse the judge’s denial of the
Commonwealth’s motion to compel decryption.
In this case, there was nothing testimonial about decrypting the files because the defendant has already admitted to owning the computers and devices, and to being able to decrypt them.
The much more interesting situation will come in a case where the defendants say they never had, or have forgotten, the password. One can not be compelled to do something impossible, but generally the proof of the impossibility falls on the defendant. In this case one would have to prove a negative. How could you prove that you don’t have the password? The only thing that can be proved is that you do, and that only by doing so.
This ruling is only binding in the sate of Massachusetts, but is likely to be influential in cases in other areas.
The US Second Circuit court of appeals just ruled on a very important case about Fourth Amendment protections for seized computer files. While this ruling is only binding on courts in the 2nd circuit, it will be influential, and we are likely to see this issue addressed by the Supreme Court before too long.
The reality of computer forensics is that investigators start by grabbing everything off the computers they are searching, then look for the specific information specified in the warrant. Generally this is done by making a direct image of the computer’s hard drive. From there additional copies are made so the chain of evidence is clean, and the original image can be shown to be unchanged. It is impractical to try to capture only the targeted information because the volumes are often so large the search must be automated and may take considerable time. Additionally, suspects may have taken steps to try to hide files on the disks.
The upshot of this is that the law enforcement entity now has a great many documents far outside the scope of the warrant. This is where we come to the specifics of the case United States v. Ganias. In 2003 the government searched Ganias’ computers as part of a fraud investigation. As I described, they captured full images of all the computer’s hard drives to 19 DVDs. After competing their searches, they kept the DVDs.
In 2006, they thought Ganias might be involved in tax related crimes, so they obtained warrants to search the DVDs they had in storage for this different set of documents.
The 2nd Circuit ruled to suppress the evidence obtained from that 2006 warrant because the documents searched should never have been seized in the first place.
The ruling recognizes the realities of the search process, and allows for capture of full drive images, and keeping that data for a reasonable time, but specifically forbids keeping it indefinitely as a source of information in future searches. That would completely void the Fourth Amendment which requires that the warrant specify the specific things to be searched.
As a reminder, the full text of the Amendment is:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Thanks to the Washington Post for a more detailed legal analysis: Court adopts a Fourth Amendment right to the deletion of non-responsive computer files – The Washington Post
Canada’s Supreme Court just released a ruling providing some protection for on-line anonymity. Specifically, the ruling requires law enforcement to obtain a warrant before going to an Internet provider to obtain the identity of a user. Previously they were free to simply approach the provider and ask (but not compel) the information.
The judges found that there is a significant expectation of privacy with respect to the identifying information, and that anonymity is a foundation of that right.
Unfortunately the case in question revolves around child pornography, which creates a great deal of passion. Much of the reaction against the decision has come from those working to protect abused children. Because the ruling has implications primarily far from child porn cases, I applaud the court in taking the larger and longer view of the principle at work.
It is important to remember that the court is not saying that the information can not be obtained. This is not an absolute protection of anonymity. This decision simply requires a warrant for the information, ensuring that there is at least probable cause before penetrating the veil of anonymity.