Wednesday, May 23, 2007

Commentary by Jennifer Granick

Hack My Son's Computer, Please

05.23.07 | 2:00 AM

Can an elderly father give police permission to search a password-protected computer kept in his adult son's bedroom, without probable cause or a warrant? In April, a three-judge panel of the 10th Circuit Court of Appeals said yes.

This week, the son's attorney, Melissa Harrison, an assistant federal public defender in Kansas City, will ask the court to reconsider the panel's ruling. At stake is whether law enforcement will have any responsibility to respect passwords and other expressions of user privacy when searching devices which contain the most sensitive kinds of private information.

In United States v. Andrus, agents suspected that the defendant was accessing websites containing child pornography, but after eight months of investigation still did not have sufficient probable cause to get a search warrant. Instead, they decided to drop by the defendant's house for an impromptu conversation.

The suspect was not at home. However, his 91-year-old father answered the door in his pajamas, invited the agents in, and eventually gave them permission to enter his son's bedroom and search the hard drive on his son's password-protected computer. The agents performed the search with EnCase, a common forensic tool programmed to ignore Windows logon passwords. Agents found child pornography on the computer.

Without a judge's permission, the search depended on the father's authority to allow police access to his son's computer. On this point, the fact that the son locked his parents out of the computer with a password is critical.

The Fourth Amendment generally prohibits warrantless searches of an individual's home or possessions. There is an exception to the warrant requirement when someone consents to the search. Consent can be given by the person under investigation, or by a third party with control over or mutual access to the property being searched. Because the Fourth Amendment only prohibits "unreasonable searches and seizures," permission given by a third party who lacks the authority to consent will nevertheless legitimize a warrantless search if the consenter has "apparent authority," meaning that the police reasonably believed that the person had actual authority to control or use the property.

Under existing case law, only people with a key to a locked closet have apparent authority to consent to a search of that closet. Similarly, only people with the password to a locked computer have apparent authority to consent to a search of that device. In Andrus, the father did not have the password (or know how to use the computer), but the police say they did not have any reason to suspect this because they did not ask and did not turn the computer on. Then, they used forensic software that automatically bypassed any installed password.

The majority held that the police officers not only weren't obliged to ask whether the father used the computer, they had no obligation to check for a password before performing their forensic search. In dissent, Judge Monroe G. McKay criticized the agents' intentional blindness to the existence of password protection, when physical or digital locks are such a fundamental part of ascertaining whether a consenting person has actual or apparent authority to permit a police search. "(T)he unconstrained ability of law enforcement to use forensic software such as the EnCase program to bypass password protection without first determining whether such passwords have been enabled ... dangerously sidestep(s) the Fourth Amendment."

If the 10th Circuit rehears the case, it will have the opportunity to recalculate the balance between individuals' efforts to protect computer privacy and security, and law enforcement efforts to make searches based on mere hunches without judicial supervision.

In this case, the defendant could not have done much more to keep his computer private, other than tape a piece of paper to the monitor like a teenager might post on the door to his room (Do Not Enter Or Else!!). On the other hand, the officers could have simply asked the father whether he had permission to access his son's computer, switched the computer on to see if there was a password prompt, or used a forensic program that notifies investigators when a machine is password-protected. It's as if the police entered the defendant's room with x-ray specs on and searched his bureau, closet and footlocker without needing to even ask his father whether these things were private or shared.

The Supreme Court expressly disavowed this technique in Kyllo v. United States, where it held that "obtaining by sense-enhancing technology any information regarding the interior of the home that could not otherwise have been obtained without physical 'intrusion into a constitutionally protected area,' constitutes a search -- at least where ... the technology in question is not in general public use."

If courts are going to treat computers as containers, and if owners must lock containers in order to keep them private from warrantless searches, then police should be required to look for those locks. Password-protected computers and locked containers are an inexact analogy, but if that is how courts are going to do it, then it's inappropriate to diminish protections for computers simply because law enforcement chooses to use software that turns a blind eye to owners' passwords.

- - -

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.