A few days ago a court’s decision regarding the suppression of evidence in the United States of America v. Edward Joseph Matish, III caused an uproar, with many publications and people on Twitter outraged, stating that the decision basically said that because hacking is becoming a widespread issue, information on your computer isn’t protected by the 4th Amendment in the U.S. That should certainly cause an uproar … but that’s not what the decision said at all.
Here’s the very quick rundown of the case, which provides context. Matish used Tor to regularly visit Playpen, a site where thousands shared and discussed child pornography. February 20, 2015, a federal judge authorized a warrant allowing the FBI to deploy a network investigative technique (NIT) on Playpen’s servers to obtain identifying information (IP addresses essentially, 6-7 detail it all explicitly) from those logging in to Playpen with their username and password. Further, the FBI says that in at least Matish’s case, they did not activate the NIT to collect said info until he had logged in, went to a forum, and actually viewed the pornography. Subsequently, the FBI then issued a subpoena to Matish’s ISP, which then resulted in an additional warrant to search his home. The defense (Matish) argued to suppress the initial evidence because it was obtained unconstitutionally. The Court (United States District Court for the Eastern District of Virginia) argued, and decided, that the information was not obtained unconstitutionally.
That’s the case (and the pertinent info to this) in a nutshell. I want to start off by firmly saying that the Court did not base the decision whatsoever on hacking or it becoming a widespread problem. Further, the decision refers to several other cases in which the 4th Amendment does apply to your computer (like this one, this one, and this one).
Here’s the paragraph from the 58 page decision that was making the rounds (page 50):
For example, hacking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public’s reasonable expectations of privacy. Cf. Lee Raine, How Americans balance privacy conerns with sharing personal information: 5 key findgs, PewResearchCenter (January 14, 2016) [link to study] (reporting that members of a focus group “worried about hackers,” though “some accept that [privacy tradeoffs are] a part of the modern life”). Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can — and eventually will — be hacked.
The Court then applies this discussion above, among much more on hacking, stating that hacking resembles a situation in another case: Minnesota v. Carter 525 U.S. 83. Here officers observed someone bagging cocaine through a window, which they could only see through due to the broken blinds. The Court argues that vulnerabilities that allow for hacking are similar to those broken blinds (meaning no search occurred), therefore the 4th Amendment’s protections do not apply (52-53).
This is one part to the several different angles in which the Court discussed the 4th Amendment and whether the FBI’s NIT violated it. Reading just the above, it does seem that the court is arguing that hacking and its prevalence means the 4th Amendment does not apply to privacy concerns in regards to your PC. However, immediately afterward, the Court mentions that just a few weeks prior, in a separate case, they said that the possibility of hacking was not enough to “defeat” a reasonable expectation of privacy because hacking is illegal. So, in the same document, the Court says that you do have a reasonable expectation of privacy despite the widespread hacking problem.
That’s enough to dispel this now, but the justification for said outcry gets a little less tenable when you look at the main two reasons the Court argues that Matish was not protected by the 4th Amendment.
First, the NIT warrant was a valid one. To understand this, you have to look at a Supreme Court ruling in Smith v. Maryland 442 U.S. 735. Basically, that ruling said that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Because we willingly give our IP addresses to third parties while on the Internet, the authorized warrant for the NIT was valid because that collected information was the same (IP address) we all give to said third parties. (This is all discussed in this decision 39-43.) Pages 44-47 discuss the use of Tor and attempts to mask said IP address (basically you still give that info to a third party when using Tor).
Second, the warrant only gathered your IP address if you logged in to Playpen to view the illegal content. Your IP was not grabbed if you simply just visited the site, but you had to actively participate by logging in before the FBI would activate the NIT. In this case, they waited further until Matish had actually went to a post displaying the content (49). In other words, Matish was actively participating in illegal activity before the FBI gathered his IP address.
There is a lot more discussion throughout the decision, but nowhere does it seem to suggest that the chief reason for their decision was due to the issue of hacking. They definitely do make the argument but recognize that the argument doesn’t really matter due to hacking’s illegal nature. That means the hacking argument had no affect on the decision laid out.
Those who haven’t read a court’s decision before should know a couple things as well. First, there’s a lot of arguing between various courts. What this court argued could come out exactly the opposite in a different state. If you read through some of this decision, you’ll see discussion of just that in the many different cases referenced in opposition to one another. So, really, this is just another in a line of cases to discuss similar issues.
Second, and related to the first reason, this wasn’t a Supreme Court of the United States (SCOTUS) ruling. Because this is specifically dealing with something in the Constitution, the 4th Amendment, what they say would be the law of the land. Because it didn’t come from them, nobody has a definitive precedent to refer to. What this Court decided has no precedence in another state, therefore we get all those discussions mentioned previously. So even if the ruling had been based all around that hacking discussion, it wouldn’t be a ruling that affected everyone. That doesn’t mean there is no effect here, as some courts will argue based on decided cases from other courts.
There is much and more to discuss about the decision itself, what it means, its significance, and everything else, but I hope this helped to dispel some misinformation floating around out there on the subject. The whole 4th Amendment discussion in relation to technology is an incredibly unwieldy and overwhelming one, with a ton of information and new cases being ruled on regularly. There’s no reason to add to the confusion.