One of the FBI’s most controversial cases in recent memory – where hundreds have been charged after getting caught in an online pedophilia sting – has been producing contentious rulings in US courts. Due to the nature of the case, the courts have been issuing contradictory rulings and opinions, testament to the inchoate nature of time-tested laws when it involves the digital realm.
In United States v. Matish, the judge has… well, he has made many rulings. But among these is a particularly controversial judgment. According to US District Judge Henry Coke Morgan, Jr., the implication is that the US government does not need a warrant to essentially hack a private citizen’s computer if it’s connected to the internet. He made that conclusion based on the “broken blinds” rule (my emphasis):
Thus, hacking resembles the broken blinds in Carter. 525 U.S. at 85. Just as Justice Breyer wrote in concurrence that a police officer who peers through broken blinds does not violate anyone’s Fourth Amendment rights, jd. at 103 (Breyer, J., concurring), FBI agents who exploit a vulnerability in an online network do not violate the Fourth Amendment. Just as the area into which the officer in Carter peered – an apartment – usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user’s computer. People who traverse the Internet ordinarily understand the risk associated with doing so.
Thus, the deployment of the NIT to capture identifying information found on Defendant’s computer does not represent a search under the Fourth Amendment, and no warrant was needed.
What’s All This About Blinds?
The case the judge is alluding to is this (my emphasis):
…in Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home’s closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer’s observation did not violate the respondents’ Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the “precautions that the apartment’s dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing” where the police officer stood. Id at 104. He specified that whether the officer conducted an illegal search cannot turn “upon ‘gaps’ in drawn blinds. Whether there were holes in the blinds or they were simply pulled the ‘wrong way’ makes no difference.” Id at 105. “One who lives in a basement apartment that fronts a publicly traveled street, or similar space, ordinarily understands the need for care lest a member of the public simply direct his gaze downward,” he continued. Id. Thus, Justice Breyer opined that peering into a gap in closed blinds is a permissible act under the Fourth Amendment. Id at 103.
While others may not agree, this is an argument I find compelling. At the end of the day, if you’re expecting privacy, you must ensure that certain standards are met. Case in point: if you don’t want strange people bursting in while you’re sitting on the can, you lock the Porta Potty door. You get more leeway if you’ve decided to keep your bathroom door unlocked in your own place.
A caveat is present, however: the police officer’s actions were compared to what an ordinary passerby could have done. Would the Justice say that Fourth Amendment rights were not violated if the apartment window was on the second floor and the officer had to literally scale walls and parkour his body to the window ledge, hanging from his finger tips, so as not to be discovered, while he peeked inside?
Doubtful, and reading Justice Breyer’s arguments in full shows exactly that. As you can expect, there are nuances as to why a particular conclusion was arrived at in the broken blinds scenario (my emphasis):
Officer Thielen’s observation made “from a public area outside the curtilage of the residence” [did not violate] Fourth Amendment rights.
I would answer the question on the basis of the following factual assumptions, derived from the evidentiary record presented here:
(1) On the evening of May 15, 1994, an anonymous individual approached Officer Thielen, telling him that he had just walked by a nearby apartment window through which he had seen some people bagging drugs;
(2) the apartment in question was a garden apartment that was partly below ground level;
(3) families frequently used the grassy area just outside the apartment’s window for walking or for playing;
(4) members of the public also used the area just outside the apartment’s window to store bicycles;
(5) in an effort to verify the tipster’s information, Officer Thielen walked to a position about 1 to 1½ and one-half feet in front of the window;
(6) Officer Thielen stood there for about 15 minutes looking down through a set of Venetian blinds;
(7) what he saw, namely, people putting white powder in bags, verified the account he had heard; and
(8) he then used that information to help obtain a search warrant.
Combine the above with the previous observation about the “need for care” if living in a basement apartment, and the key point is that the suspects/defendants weren’t taking adequate care of their privacy.
Consider, too, that in 2013 the Supreme Court ruled that peering through a front window counts as a search if it’s two feet away, to the sides, from the front steps.
The question here is, would you say that Matish, despite being in his home when he was tending to his illegal and disturbing proclivities, had placed himself in a situation similar to the broken blinds scenario? Namely, that families and members of the public could have seen what he was up to – or whatever its equivalent is on the Web at large?
Blinds Analogy Does Not Hold Water
The obvious answer is “no.” The broken blinds analogy is easy to defeat when you think about it.
In the broken blinds scenario, there was no reasonable expectation of privacy, and so no need for a warrant, and hence the officer peering into the room is not violating the Fourth Amendment. This would still be true had there been no blinds, broken blinds, blinds with too much of a gap, blinds moving due to a fan blowing, etc.
But what if the blinds perfectly prevented the officer from seeing inside, and so he reaches in and surreptitiously pokes his finger through one of the slats to see what’s going on? That changes the dynamics of the situation.
In Matish, the broken blind analogy is closer to “the officers wanted to peer into the room (which, incidentally, they had no idea where said room was, except that it existed) and to do so they poked the blind in a particular location to capitalize on a flaw that most professionals don’t know what it is.” Obviously, evidence collected in this manner in the physical world, and without a warrant, would be tainted.
Perhaps I’m being unfair? After all, the Tor network is already “broken”; the FBI didn’t have to “poke the blinds.”
But the court’s argument still breaks down. As the Justice pointed out and the judge quoted, anyone passing by could have seen what was going on. This is what set the grounds for “no expectation of privacy.”
Vulnerability of Broken Blind Self-evident; Not So for Tor
When it comes to the Tor vulnerability that is being exploited by the government’s NIT, some of the smartest minds in the profession are puzzled as to what it could possibly be. Furthermore, the creators of Tor went through quite the trouble to ensure that Tor is as secure as possible. You could say that blinds are installed for privacy; others would say that they’re used to keep the sun out; yet for others, it’s a decision on interior design.
The only purported purpose for Tor is privacy (and it does an exceptional job, too, current court case notwithstanding). This further highlights how Matish veers away from the broken blind analogy.
The fact that an exploit exists is immaterial; an exploit exists in all security solutions, be they virtual or physical. May an officer break into a house without a warrant because he knows how to pick a particular lock? Certain exclusions do apply, as they always do (such as the possibility of imminent danger), but the answer is overwhelmingly “no.”
Not Easily Broken
Also, perhaps it’s pedantry, but the judge ruled that (my emphasis):
a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user’s computer.
So, how easy is it to break Tor? Again, outside of law enforcement circles, people do not know what the vulnerability is.
How much time and how many resources were used to find and develop the exploit? One dollar? One hundred dollars? One million dollars? Would the dollar figure in the latter still qualify Tor as an “easily broken system”?
Would an exploit be “easy” if it is highly sophisticated and not easily broken but the government stumbled across it purely by luck?
And, if one of the most secure means of communication is deemed “easily broken” – and everyone seems to be in agreement that Tor is pretty darn secure, again, current exploit notwithstanding – then what does it mean for warrantless hacking of computers where security is extremely weak or non-existent?
At the root of all of the judge’s rulings lies the observation that because anyone can potentially be hacked, there is no expectation of privacy online. Basing a ruling on this is a disingenuous act. Consider what this means.
- Calls over the phone, private; calls over Skype, not. The government can eavesdrop without a warrant.
- Sending a letter, private; sending an email, not.
- Borrowing a book from a library, private; borrowing a book from Amazon, not.
- Companies whose computers are networked? Ripe for hacking by the government. No warrants necessary.
Imagine what this means for the future. Voting on-line to choose government reps wouldn’t be private. Your government could hack you, without a warrant, to see how you voted (as if anyone in their right mind would grant it). Do it at a polling booth with paper, though, and you’re protected. (Although there is always the potentially troubling question of “hanging chads” and whatnot).
Of course, a lot of this is nonsense (or at least should be), and furthermore, unfair to Judge Morgan. The truth is that he notes time and again how all of this requires a delicate balance, and that his judgment is based on the pernicious nature of the crimes involved and the FBI’s actions. If the FBI were caught hacking a computer to see if it was being used to access a legal porn site, I imagine the judge would chew out the agents involved.
However, there are certain things that you can’t ride roughshod over. Online privacy is one of them. Whether people have it or not, people expect it and demand it. Did the CIA, FBI, and NSA not get an earful from US representatives, the media, and ordinary people when PRISM’s existence was revealed? Did it not catch people by surprise?
The fact that privacy online is tenuous cannot be reason for the government to become part of the problem.
Related Articles and Sites: