Menu
It's official: No expectation of privacy on the internet
There's no warrant requirement when the law wants at your computer, says one District Court judge, because we're all just data-theft victims waiting to happen.
According to one U.S. District Court judge, law enforcement agencies in the U.S. are now able to break into any computer, at any time, for any reasons – with no requirement for a warrant or even probable cause. In United States v. Matish, 2016 U.S. Dist. LEXIS 82279 (E.D.Va. June 23, 2016) (pdf), U.S. District Court Judge Henry Morgan Jr. states that cybercrime is so rampant that it is a “virtual certainty that computers accessing the internet can and eventually will be hacked.”
Since everyone on the Internet should expect to have their personal data stolen, it is unreasonable for us to have any expectation of privacy for anything we do online. As SC Magazine’s Bradley Barth reports in a June 27, 2016, article, Judge Morgan concludes that “[a] computer afforded Fourth Amendment protection in other circumstances is not protected from government actors who take advantage of an easily broken system to peer in to a user's computer.”
The Electronic Frontier Foundation’s Mark Rumold writes in a June 23, 2016, post that the FBI and other police and intelligence agencies in the U.S. may now “remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” The silver lining, according to Rumold, is that the decision is incorrect as a matter of law and is almost certain to be overturned on appeal. In addition, the ruling is unlikely to serve as a precedent because the warrant issue was not central to the controversy being adjudicated, which involves an FBI sting nabbing users of the encrypted TOR network who were attempting to access child pornography.
Noble cause, but dangerous implications for privacy
The FBI took over the illegal site and waited for people to sign into accounts. Once they had the users’ IP addresses and other account information, they compared them to logs of previous site users, one of whom is the plaintiff in this case. (Note that there are hundreds of other people facing similar charges as a result of this FBI investigation.)
The defense challenged the validity of the warrant used by the FBI for the searches of suspects’ computers. The court ruled that even if the warrants in this case were flawed, they were not necessary because computers and IP addresses fall outside the Fourth Amendment’s protections against warrantless searches and seizures.
In other words, everything you do on the internet is public.
Equally troubling is Judge Morgan’s interpretation of personal jurisdiction in the case. The defense argued that the local magistrate who issued the original warrant exceeded her authority because nearly all of the people arrested as a result of the investigation reside far outside the magistrate’s local jurisdiction. According to Judge Morgan, the suspects “took a virtual trip via the internet to Virginia,” where the FBI sting was operating. This means that every court now has personal jurisdiction over everyone who accesses a server located in that jurisdiction.
For one thing, how do we know where a site’s servers are located when we visit a site? With the advent of cloud computing, even the services themselves may not know where the servers hosting their site are located. So on the internet, personal-jurisdiction requirements are obliterated.
That’s not to mention the small matter of whether the “network investigative technique” used by the FBI to nab the suspects constituted malware since it placed software on the suspects’ computers without their knowledge or permission; the court ruled that NIT is not malware.
Is privacy still a ‘fundamental right’?
The U.S. Supreme Court has recognized certain fundamental rights under the Constitution that require the highest level of protection from government encroachment. Some of these rights are “enumerated,” or stated explicitly, while others are “implied” via the Supreme Court’s interpretation of the Constitution. The protections in the Bill of Rights and elsewhere in the Constitution apply to the federal government, and most have been extended to apply to the states by the Fourteenth Amendment.
Fundamental rights include freedom of religion, freedom of speech, freedom of association, due process, equal protection, the right to vote, the right to bear arms, the right to travel, the right to marry and have a family, and the right to privacy. With a few noteworthy exceptions, any law or regulation that impairs one or more of these rights is subject to strict scrutiny by the courts: It must be necessary to achieve a compelling government purpose, it must be narrowly tailored to that purpose, and there must be no less-restrictive alternatives available. The burden is on the government to prove that the law passes the strict-scrutiny test.
While a right to privacy is not enumerated in the Constitution, it is implied in the First Amendment’s protection of religious beliefs, the Third Amendment’s prohibition against the government invading people’s homes to house soldiers, the Fourth Amendment’s protection against unreasonable searches and seizures, and the Fifth Amendment’s protection against self-incrimination. The Ninth Amendment makes it clear that the framers intended to protect other “rights retained by the people” that aren’t explicitly defined in the Constitution.
Protecting against non-governmental threats to our privacy
Of course, the constitutional protections apply only to “state actors,” which means the government and those operating as government surrogates. The threats to our privacy extend beyond law enforcement and other government actions. How are we protected from privacy invasions by businesses operating on the internet? These entities have access to just as much personal information as the government, and in many cases private companies collect and share even more sensitive information about us than the government does.
According to a June 12, 2013, essay by Tim Sharp on Live Science, the U.S. Federal Trade Commission and other regulatory agencies enforce laws intended to allow citizens to control what information is collected about them, and how that information is used: the Privacy Act of 1974, the Financial Modernization Act of 1999 (also known as Gramm-Leach-Bliley), and the Fair Credit Reporting Act of 1970. Regulations affecting online privacy include the Electronic Communications Privacy Act of 1986 (now far out-of-date), the Children’s Online Privacy and Protection Act of 1998, the Cyber Intelligence Sharing and Protection Act of 2015, and the Computer Fraud and Abuse Act.
For health information, the Health Insurance Portability and Accountability Act of 1996 sets disclosure rules, data-security standards, and common file formats.
Practically speaking, we have no control over the personal information that sites collect, sell, and otherwise reuse. Our only option is not to use the services. In reality, not using the internet is nearly impossible. Many essential government and business services are now available only online. For example, my local credit union recently discontinued its telephone-banking service. Now my options are to visit the credit union’s site, or go in person to one of its branch offices.
Here’s a rundown of some resources with information on protecting your online privacy:
Now if you’ll excuse me, it’s time to change the piece of tape covering my laptop’s camera.
Since everyone on the Internet should expect to have their personal data stolen, it is unreasonable for us to have any expectation of privacy for anything we do online. As SC Magazine’s Bradley Barth reports in a June 27, 2016, article, Judge Morgan concludes that “[a] computer afforded Fourth Amendment protection in other circumstances is not protected from government actors who take advantage of an easily broken system to peer in to a user's computer.”
The Electronic Frontier Foundation’s Mark Rumold writes in a June 23, 2016, post that the FBI and other police and intelligence agencies in the U.S. may now “remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” The silver lining, according to Rumold, is that the decision is incorrect as a matter of law and is almost certain to be overturned on appeal. In addition, the ruling is unlikely to serve as a precedent because the warrant issue was not central to the controversy being adjudicated, which involves an FBI sting nabbing users of the encrypted TOR network who were attempting to access child pornography.
Noble cause, but dangerous implications for privacy
The FBI took over the illegal site and waited for people to sign into accounts. Once they had the users’ IP addresses and other account information, they compared them to logs of previous site users, one of whom is the plaintiff in this case. (Note that there are hundreds of other people facing similar charges as a result of this FBI investigation.)
The defense challenged the validity of the warrant used by the FBI for the searches of suspects’ computers. The court ruled that even if the warrants in this case were flawed, they were not necessary because computers and IP addresses fall outside the Fourth Amendment’s protections against warrantless searches and seizures.
In other words, everything you do on the internet is public.
Equally troubling is Judge Morgan’s interpretation of personal jurisdiction in the case. The defense argued that the local magistrate who issued the original warrant exceeded her authority because nearly all of the people arrested as a result of the investigation reside far outside the magistrate’s local jurisdiction. According to Judge Morgan, the suspects “took a virtual trip via the internet to Virginia,” where the FBI sting was operating. This means that every court now has personal jurisdiction over everyone who accesses a server located in that jurisdiction.
For one thing, how do we know where a site’s servers are located when we visit a site? With the advent of cloud computing, even the services themselves may not know where the servers hosting their site are located. So on the internet, personal-jurisdiction requirements are obliterated.
That’s not to mention the small matter of whether the “network investigative technique” used by the FBI to nab the suspects constituted malware since it placed software on the suspects’ computers without their knowledge or permission; the court ruled that NIT is not malware.
Is privacy still a ‘fundamental right’?
The U.S. Supreme Court has recognized certain fundamental rights under the Constitution that require the highest level of protection from government encroachment. Some of these rights are “enumerated,” or stated explicitly, while others are “implied” via the Supreme Court’s interpretation of the Constitution. The protections in the Bill of Rights and elsewhere in the Constitution apply to the federal government, and most have been extended to apply to the states by the Fourteenth Amendment.
Fundamental rights include freedom of religion, freedom of speech, freedom of association, due process, equal protection, the right to vote, the right to bear arms, the right to travel, the right to marry and have a family, and the right to privacy. With a few noteworthy exceptions, any law or regulation that impairs one or more of these rights is subject to strict scrutiny by the courts: It must be necessary to achieve a compelling government purpose, it must be narrowly tailored to that purpose, and there must be no less-restrictive alternatives available. The burden is on the government to prove that the law passes the strict-scrutiny test.
While a right to privacy is not enumerated in the Constitution, it is implied in the First Amendment’s protection of religious beliefs, the Third Amendment’s prohibition against the government invading people’s homes to house soldiers, the Fourth Amendment’s protection against unreasonable searches and seizures, and the Fifth Amendment’s protection against self-incrimination. The Ninth Amendment makes it clear that the framers intended to protect other “rights retained by the people” that aren’t explicitly defined in the Constitution.
Protecting against non-governmental threats to our privacy
Of course, the constitutional protections apply only to “state actors,” which means the government and those operating as government surrogates. The threats to our privacy extend beyond law enforcement and other government actions. How are we protected from privacy invasions by businesses operating on the internet? These entities have access to just as much personal information as the government, and in many cases private companies collect and share even more sensitive information about us than the government does.
According to a June 12, 2013, essay by Tim Sharp on Live Science, the U.S. Federal Trade Commission and other regulatory agencies enforce laws intended to allow citizens to control what information is collected about them, and how that information is used: the Privacy Act of 1974, the Financial Modernization Act of 1999 (also known as Gramm-Leach-Bliley), and the Fair Credit Reporting Act of 1970. Regulations affecting online privacy include the Electronic Communications Privacy Act of 1986 (now far out-of-date), the Children’s Online Privacy and Protection Act of 1998, the Cyber Intelligence Sharing and Protection Act of 2015, and the Computer Fraud and Abuse Act.
For health information, the Health Insurance Portability and Accountability Act of 1996 sets disclosure rules, data-security standards, and common file formats.
Practically speaking, we have no control over the personal information that sites collect, sell, and otherwise reuse. Our only option is not to use the services. In reality, not using the internet is nearly impossible. Many essential government and business services are now available only online. For example, my local credit union recently discontinued its telephone-banking service. Now my options are to visit the credit union’s site, or go in person to one of its branch offices.
Here’s a rundown of some resources with information on protecting your online privacy:
- The ultimate guide to staying anonymous and protecting your online privacy, Grant Brunner, August 15, 2015, ExtremeTech
- Privacy Tips, StaySafeOnline.org
- Personal Privacy Tips, TRUSTe
- Five online privacy tips from Edward Snowden, Larry Kim, January 13, 2015, Inc.
- Tips for protecting your privacy online, Julie Angwin, March 13, 2014, Moyers & Co.
- Privacy tips for the Internet of Things, August 30, 2015, Consumer Reports
- Five online privacy and security tips for travelers, April 20, 2015, Sophos Naked Security blog
Now if you’ll excuse me, it’s time to change the piece of tape covering my laptop’s camera.