“SOCIAL NETWORKS” AND USE BY LAW ENFORCEMENT
December 21, 2009
A recent flurry of activity has been initiated regarding the manner in which law enforcement utilizes various “social networks” in its investigative activities. It has, apparently, been spearheaded by the Samuelson Law, Technology & Public Policy Clinic (“Clinic”) of the University of California, Berkeley School of Law. There have been two notable approaches to secure information regarding how law enforcement uses social networking websites to collect information for use in criminal investigations.
California CPRA Demand
The most visible approach, here in California, was a statewide circulation of a demand pursuant to the California Public Records Act (CPRA) for all such information. It was dated November 16, 2009 and, apparently, was sent to all law enforcement agencies throughout the state. It asked for “… copies of all records, including electronic records, concerning use of social-networking websites (including but not limited to Facebook, MySpace, Twitter, Flickr and other on line social media) for investigative (criminal or otherwise) or data gathering purposes ….” The letter then lists nine categories of potential records, including one on the use of “fake identities” to gain access to social networks and another for documents on taking over identities through social networks.
It would appear that such information is not required to be made public under the CPRA (Gov. Code secs. 6250-6270). Government Code sec. 6254(f) states, in part, that: “… nothing in this chapter shall be construed to require disclosure of records that are any of the following: (f) Records of complaints to, or investigations conducted by, or records of intelligence information or security procedures of, the office of the Attorney General and the Department of Justice, the California Emergency Management Agency, and any state or local police agency, or any investigatory or security files compiled by any other state or local police agency, or any investigatory or security files compiled by any other state or local agency for correctional, law enforcement, or licensing purposes.”
Federal FOIA Lawsuit
Additionally, a consumer watchdog group, the Electronic Frontier Foundation (EFF), filed a lawsuit pursuant to the federal Freedom of Information Act (FOIA) against numerous federal law enforcement agencies for failing to respond to a similar demand for policies regarding the use of social media for surveillance purposes. The EFF is also working with the “Clinic,” which had filed the original FOIA demand on behalf of EFF and then filed the lawsuit when the government refused to comply.
The lawsuit, as well as the CPRA letter sent to California law enforcement, refers to several news articles which describe the apprehension of various criminals as a result of law enforcement utilizing social networks for surveillance, or taking on false identities. EFF claims they are not opposed to law enforcement using social networks for investigative purposes; they just want to know the scope of such use in order to prevent abuses.
Expectation of Privacy
The Fourth Amendment to the U.S. Constitution states, in full, that: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
In 1967, the United States Supreme Court held, in the case of Katz v. U.S., 389 U.S. 347, that the 4th Amendment requires a court-issued warrant where there is a “constitutionally protected reasonable expectation of privacy.” The Court further stated that “there is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’” (Parentheses in original.)
On August 14, 2009, the 8th Circuit U.S. Court of Appeals decided the case of United States of America v. Stults, wherein they affirmed the conviction of Stults, which was based on an FBI agent’s search of a peer-to-peer, or P2P, social network website called LimeWire. The FBI searched for people who used their computers to view child pornography by viewing publicly shared P2P networks, including LimeWire.
The Court of Appeals held that, “users of peer-to-peer file sharing software do not have a reasonable expectation of privacy in files they make available to others using the software, and the warrantless search of defendant’s computer through the software did not violate his Fourth Amendment rights.” The Court stated that “Stults had no reasonable expectation of privacy in files that the FBI retrieved from his personal computer where Stults admittedly installed and used LimeWire to make his files accessible to others for file sharing.”
[There currently exists software which does not allow for public access to shared files but restricts access to closed groups of users. Those limited individuals privately share files among themselves only. This software employs security, such as passwords and/or encryption. This case does not address this type of network but only the publicly accessible P2P systems.]
Additional Court Decisions
Two other recent decisions reached similar conclusions to that in Stults. In April, 2007, the 10th Circuit U.S. Court of Appeals decided the case of United States of America v. Barrows, 481 F.3d 1117, wherein it held that the defendant did not have a reasonable expectation of privacy when he brought his own, personal, computer to work, placed it on a desk he shared with another employee, left it on continuously, did not have password protection, connected it to the city network and used it to conduct his city work by accessing city records and programs.
After using his computer to access city programs, others began to have difficulty opening files on city computers. The city clerk thought Barrows’ connection to the system might be the cause of the problem. As such, she asked a computer-knowledgeable co-worker (who happened to be a reserve police officer) to use Barrows’ computer to try and resolve the problem. While doing so he noticed a P2P program and child pornography files. He contacted the sheriff, the computer was seized, and all further examination was done pursuant to a warrant.
Barrows pled guilty to possession of child pornography with the right to challenge the denial of his motion to suppress the computer evidence, which was based on the claim that it was an illegal search. The Court of Appeals said that “a warrantless search may be unreasonable if the defendant enjoyed a legitimate expectation of privacy in the thing searched.” However, in this case, “… Mr. Barrows’ failure to password protect his computer, turn it off, or take any other steps to prevent third-party use…,” made it unreasonable “to conclude that Mr. Barrows harbored a subjective expectation of privacy. He certainly did not possess a reasonable one.”
Finally, on August 15, 2008, the Ninth Circuit U.S. Court of Appeals decided the case of United States of America v. Ganoe, in which it held that Ganoe had no reasonable expectation of privacy using a “file sharing program that can be downloaded from the internet free of charge….” Federal agents used LimeWire to locate people who downloaded child pornography onto their personal computers. “Once a user downloads the program onto his computer, the user can click on an icon that connects his computer to others on the network.”
The Court stated that “Although as a general matter an individual has an objectively reasonable expectation of privacy in his personal computer, we fail to see how this expectation can survive Ganoe’s decision to install and use file-sharing software, thereby opening his computer to anyone else with the same freely available program.” He was convicted of two counts of possessing child pornography and sentenced accordingly.
HOW THIS AFFECTS YOUR AGENCY
Under California law it appears that policies describing how, and under what circumstances, a law enforcement agency will use social networks, as part of its investigative process, can be withheld from disclosure. It also appears, based on the cases set forth above, that the use of publicly accessible social network systems for investigative purposes does not violate anyone’s 4th Amendment rights.
Logic, as well as the law, dictates that one cannot claim any right of privacy when he or she places information on a publicly accessible website. It is not the same as opening a person’s mail – that is not intended to be read by anyone in the public.
Nonetheless, this is one of those newly emerging areas of law which require law enforcement to seek out, and secure, appropriate legal advice and guidance before moving forward. That will not only protect the officers and agencies from potential civil liability, but it will protect the evidence from being suppressed.
As always, we urge that you confer with your agency’s legal advisor for guidance on these matters. However, if you wish to discuss this matter in greater detail, please do not hesitate to contact me at (714) 446 – 1400 or via e-mail at mjm@jones-mayer.com.