Great Network in the Sky Giveth, Taketh Away
Isn’t it great that when your car, or phone, or laptop gets lost or stolen, you can use modern technology to find your stuff and get it back? One might think only paranoid Luddites or the thieves themselves would oppose such an innovation. But the joy of a ubiquitous communications/tracking network is tempered by the threat to privacy — and potential liability — for enlisting SkyNet to peer into our cars, purses and bedrooms.
Part One: The Wiretap Act and Find My Computer
Last month, in Clements-Jeffrey v. Springfield , a quirky case involving sex and a stolen laptop, a U.S. District Court judge in Ohio ruled that a laptop-tracking company could be liable for intercepting sexually explicit communications in an effort to identify thieves who stole the computer one plaintiff was using to communicate with the other.
The company, Absolute Software, markets “Lojack for Laptops” software and associated services for recovering stolen machines. Absolute argued its service was like other device location products in “GoToMyPC”, “Back to Mac” and “Mobile Me”. All it was doing was acting on behalf of the rightful owner to obtain IP information and get the laptop to send photographs of the user to it. But the Court disagreed, holding that, while the company could have merely collected the stolen computer’s IP address or geographical data as part of locating the device, it went too far when it intercepted the keystrokes and captured the webcam usage of the person using the stolen laptop. The court held, precisely and correctly, that nothing in the Wiretap Act allows the owner of a stolen laptop to authorize a private company to intercept communications.
The facts are that in 2008, Clements-Jeffrey, a substitute teacher, bought a laptop from one of her students. Unbeknownst to the plaintiff, she claims, the laptop was stolen from the local school district. She used the computer to exchange sexually explicit written and visual messages with her long distance boyfriend. Meanwhile, the school district had installed Absolute’s remote-recovery software Lojack for Laptops, onto the machine. This software can be used to instruct the machine to report its IP address to Absolute, but it also gives Absolute employees remote access to the computer and allows them to record and intercept any data from the machine. One of Absolute’s technicians went beyond capturing the IP address to monitoring keystrokes, websurfing and the laptop’s built in camera, including taking screenshots of some of the couple’s explicit cam chats.
Using information collected this way, the local police came to seize the computer and arrest the plaintiff. Allegedly, they were very abusive at the point of arrest, degrading Clements-Jeffrey for having used the computer for sexually explicit interactions. (Hello, police officers, it’s the internet!) She and her boyfriend then sued Absolute Software, its technician and the city under “ECPA” and the Fourth Amendment, among other claims. (I put ECPA in quotes there because the statute consists of an amendment to the Wiretap Act to include a provision prohibiting interception of “electronic communications”, the Stored Communications Act and an amendment to the Pen Register Statute. So the ECPA claim is really what I would call a Wiretap Act claim, as amended by ECPA to include electronic communications.)
The Court started with what it called the threshold question of whether Clements-Jeffrey had a legitimate expectation of privacy in the laptop, a determination that hinged on whether she knew or should have known it was stolen.
As noted above, Plaintiffs’ claims include: (1) a 42 U.S.C. 1983 claim based on alleged violations of Clements-Jeffrey’s Fourth Amendment rights; (2) alleged violations of the Electronic Communications Privacy Act (“ECPA”) and the Stored Communications Act (“SCA”); and (3) a common law claim of invasion of privacy. (A. Legitimate Expectation of Privacy) Before turning to arguments specific to each of these causes of action, the Court will address the question of whether Plaintiffs had a legitimate expectation of privacy in their communications via the stolen laptop. In their Motion for Summary Judgment, the Absolute Defendants argue that, absent a legitimate expectation of privacy, each of Plaintiffs’ claims fails as a matter of law. (citing United States v. Mendoza, 574 F.2d 1373, 1377 (5th Cir. 1978) (holding that defendants lacked standing to challenge the admissibility of a tape of an intercepted telephone conversation because “neither has a legitimate expectation of privacy”).
Now, expectation of privacy is an essential element of the Fourth Amendment claim — there’s no “search” unless there’s a reasonable expectation of privacy. But it’s totally irrelevant for Wiretap Act liability. There is nothing in either the definition of “electronic communication”, which describes the keystroke and webcam monitoring, or in the definition of “interception” which depends on whether the victim has a legitimate expectation of privacy.
Mendoza, which the court and the defendants cited, doesn’t make the point. In Mendoza, there were multiple recorded conversations. Two of the defendants challenged the admissibility of a conversation between a co-defendant and a government agent. The Court offhandedly opined that those defendants did not have standing to challenge the admissibility of that conversation “because neither has a legitimate expectation of privacy either as a party to the conversation or through a possessory interest in the tape”. As to the co-defendant, the judge found that there was ample evidence in the record that no Wiretap Act violation occurred because the tape recording was made by an undercover agent who was a party to the conversation. Mendoza is actually wrong as to the standing issue. The Wiretap Act is clear: any wire communication (i.e. phone call) that one knows or should know has been illegally intercepted may not be received as evidence in any legal proceeding. 18 USC 2515, 2511(1)(C). But the error was of no import, because the call was lawfully recorded.
There are cases under the Wiretap Act which look at expectation of privacy but these are for interception of oral communications. The statutory definition of oral communications includes “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation,” 18 USC 2510(2). Only that definition suggests that the individual’s expectations are at issue.
Apparently, this case settled yesterday, for an undisclosed sum. However, this legal issue is likely to arise again in the Western District of Pennsylvania Wiretap Act case pending against Aaron’s Inc. and others for placing software on its Rent-To-Own laptops that it could use to take pictures and record keystrokes if the customers were late in their payments. Right now, motions to dismiss on jurisdictional grounds are pending in that matter, but if it proceeds or is moved to another jurisdiction, the Clements-Jeffrey issue will be next on the agenda.
Absolute says it recovers on average 14 laptops a day. The excellent Kim Zetter at Wired.com’s Threat Level asked Absolute if the company’s agents have changed the way they operate in light of the lawsuit and the company declined to respond. In my opinion, companies in this space would do well to take a closer look both the training of technicians and the marketing of software and services. Advertising webcam and keystroke monitoring technology or services for use in circumstances where it is impossible to obtain consent from the intercepted parties (i.e. the thief and her friends) could implicate 18 USC 2512’s prohibition on marketing technology for unlawful interception. (Though note that there’s no civil liability provision associated with that ban.)
Part Two: The Fourth Amendment and Find My Phone
The second recent situation in which the great network in the sky was used to track down something missing, with unexpected results, is deja vu all over again, but for a different reason: another iPhone prototype lost by another Apple employee drunk in another bar. This time, it was the iPhone 5 lost in San Francisco, and this time, the police didn’t unlawfully search a reporter’s house. Rather, Apple activated the Find My Phone feature, traced the device to a home in the Bernal Heights neighborhood. Apparently, a man who lived in that house was even at the bar in question the same night that the phone was lost. Pretty cool, right? But something went wrong. When Apple employees, accompanied by local police officers, searched the house, they didn’t find the iPhone.
The Bernalwood neighborhood blog tells the story (along with a great photo, you should click). In sum, plainclothes San Francisco Police Department officers went with private Apple detectives to the home of Sergio Calderón, a 22-year-old resident of Bernal Heights. The officers did not go inside the house, but flashed their badges, gained consent, and then stood outside while two Apple investigators searched the home, car, and computer files for the phone. The phone was not found, and Calderón denies that he ever possessed it. According to the SF Weekly, either the Apple employees or the SFPD made threats, including asking Calderón and his family about their immigration status.
There are problems with the search. At least the officers didn’t go inside. But they did use their authority to get the Apple employees inside, and they did abuse their authority by asking questions well beyond the scope of any legitimate investigation as well as riffling around on the man’s computer. It’s unclear whether SFPD properly assisted Apple, or should have at least documented the visit. It’s also unclear whether Apple could have or should have done more to make clear they were not law enforcement officers.
Finally, we still don’t know where the lost iPhone prototype is. The Find My Phone feature got investigators to a home in which the occupant admitted being at the bar where the phone was lost. But he denied knowing anything about the phone, and the device wasn’t found. What a strange coincidence. Out of all the people in the general vicinity, how did Apple find one who was at the bar? Was Calderon lying? Did Apple do some additional investigation that has not yet been revealed? More importantly for future investigations, does using Find My Phone constitute a search of the interior of a home or tracking of a particular individual’s physical location subject to the Fourth Amendment? Is Find My Phone sufficiently specific to establish probable cause to get a warrant to enter a home and search further?
These and other questions, we leave for another day. In the meantime, the cases of the stolen laptop and the misplaced iPhone5 prototype show that enjoying the benefits of a ubiquitous communications and tracking network is not without its pitfalls.