Sunday, August 26, 2007

Knock Knock -- Who's There?

4th Amendment Narrowed Again

The U.S. Tenth Circuit has upheld its own 2-1 panel ruling in United States v. Andrus, refusing to rehear the case. The denial of rehearing en banc at least made clear the decision was limited to the specific facts of the original case, which is a mercy. Professor Orin Keer of The Volokh Conspiracy has an interesting post, "Virtual Analogies, Physical Searches, and the Fourth Amendment", which lays out the issues more clearly.

In Andrus the case revolves around who has authority to give permission to a search. Ray Andrus wasn't home when the government knocked on his door and asked to search. His 91 year old father who lived there gave the federal agents permission to search the home. The agents went into Andrus' open bedroom -- there was no lock on the door and the bedroom door was open -- and bypassed the passwords on the computer by connecting directly to the hard drive and scanning. They found files which looked to be child porn.

The case came down to, a) did the agents have permission to make the search, b) which turned in part on the fact that Ray Andrus' room was unlocked meaning anyone in the home had access to the room and thus to the computer including his elderly father who gave the consent, and c) is a computer considered a relatively non-private item such as a briefcase, or a relatively private item such as a locked footlocker where a person might put private papers and belongings?

The 10th circuit panel ruled 2-1 with a strong dissent that a) considering the totality of the circumstances -- read the decision to grasp those; 4th amendment cases are always made considering the total facts of the specific case -- that it was a very close call, but that indeed the agents were justified in relying on the father's consent to search, given all the hoops they jumped through (which I haven't specified here -- again, feel free to read the decision linked above); b) that because Andrus' room was unlocked and the door to his room was open, the agents could reasonably assume the computer was available for public use by others in the home thus making the consent to search valid, and c) that a computer is NOT a private item such as a locked footlocker. Specifically, the majority refused to take judicial notice of how operating systems today routinely password protect a person's workspace against the government's practice of bypassing such protection. The dissent was appalled, saying people's most personal information and papers are stored on computers now, much like in past years they were stored in lock boxes with keys. But the majority refused to listen and ruled it is okay for the government to simply connect at a disk level totally ignoring ordinary passwords without that being a Fourth Amendment violation.

What do we learn from this? First, while this is only the Tenth Circuit and thus only truly applies to you if you're in the middle of the U.S., and while I'd hope for the Ninth Circuit (the West Coast) to get it right, you can't count on it. It's quite possible, even likely that till more judges from our generation and politics make it to the Bench, we're going to see this kind of nonsensical decision. It may be obvious to you and I that our personal and most private papers should be as inviolate from search on our own private computer absent a warrant or properly granted consent as if they were hard-copy papers in a locked box, but don't expect the judges to get it right for the next few to ten years. Certainly not now in Kansas. Which leads to point the second...

Andrus, according to the decision, made two mistakes. From a legal point of view. Obviously, his first mistake was storing child porn. Not the point. Point is, even if you own the home -- as he did -- or even if you're a teenager in your parent's home, if you want your personal room to be free from search, you need to lock it. Then someone else in the home can not grant permission to search the room, absent a key, and if they did, you'd have solid legal grounds to fight the search. Next, encrypt stuff you want private at a disk level. Three ways I know to do this: Encrypt the entire disk, create a virtual disk, or encrypt a specific file. I recommend only the first two for day to day operations; the last is useful only when sending a file to someone else.

PGP is good for encrypting entire disks as well as creating virtual disks. Jetco's BestCrypt also encrypts entire disks and creates virtual disks. Both will let you encrypt a single file. PGP is well known. I've used both, like and recommend both. Both also work at the enterprise level -- PGP has more experience there -- including key recovery, although of course that means you can be forced to provide a key in response to a warrant or subpoena.

Personally, I like the belt and suspenders approach. Encrypt the entire disk with one program, then create a virtual disk with another program and put your critical information on the virtual disk. A virtual disk works just like another "F" or "G" drive, but no one is going to get in absent your pass phrase.

Point being, till the law catches up with technology, use technology to protect your papers the way the Fourth Amendment used to.