TAKEAWAY: Data privacy is gaining respect within the judiciary, as it should because in many ways, data is the new currency and is worthy of protection.
On March 8, 2013 the Ninth Circuit Court of Appeals (en banc) handed down a watershed case with significant privacy implications: United States v. Cotterman, No. 09-10139 (9th Cir. Mar. 8, 2013). This case (including the majority, concurring and dissenting opinions) is 82 pages so plan your time accordingly. It is worth reading because it represents a tug-of-war between competing interests of border security and data privacy. Data privacy may not have scored a knockout but it certainly gained some very important ground.
While analyzing the Cotterman case I made some notes on my whiteboard. Instead of sharing the customary random psychedelic photo with you, I decided to just share an image of the whiteboard so you can see what I thought was really important which I will briefly discuss below.
Note – it is 12:30 on Saturday night and a few hours ago I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast so I will keep this post as short as possible.
Cotterman was a sleazebag child molester who had been convicted for molesting a child and apparently traveled out of the country quite frequently. Cotterman was returning from Mexico with his wife, had been visiting a country known for “sex tourism,” and had what was considered to be a significant amount of electronic equipment with him (a laptop and several cameras).
Cotterman was profiled at customs while coming back into America because of the totality of all of these factors which indicated he fit within the parameters of the Operation Angel Watch program aimed at combating child sex tourism. This led to Cotterman and his wife being taken for a heightened inspection. Cotterman’s laptop and cameras were inspected, nothing inappropriate was found during the cursory inspection and he and his wife were allowed to go. Because there were files that were password protected, however, this raised another red flag and the laptop and a camera were held for forensic examination.
The forensic examiner later contacted Cotterman and asked him to provide his password. Cotterman, sensing the inevitable at this point, hopped a plane to Mexico and then on to Sydney, Australia. Meanwhile, the forensic examiner was able to crack the password and discovered 378 child porn pictures and videos, some of which showed Cotterman sexually molesting a young girl between the ages of 7 and 10.
The district court determined that the forensic examination of the laptop and camera was improper and excluded the evidence under the exclusionary rule. The prosecutors appealed, arguing that the law was clear that customs had the authority to do a routine border search without the need for any suspicion whatsoever, including the forensic examination.
The key issue in this case was whether it was reasonable to conduct a forensic examination of the computer and camera.
The Ninth Circuit’s Analysis and Ruling
The Ninth Circuit disagreed with the prosecutors' argument but ultimately gave them a favorable ruling in the case that enabled the evidence to be used against Cotterman. The court found that, in order to obtain a forensic exam of data on electronic devices, there must be a “reasonable suspicion,” which is a heightened standard over what is typically required for a routine border search. Reasonable suspicion is required for a forensic exam because of the “comprehensive and intrusive nature of forensic examination.” The court also found, however, that the facts of this case satisfied the reasonable suspicion standard and the evidence should not have been excluded.
The court emphasizes protection of data privacy
The court also emphasized that Fourth Amendment protection of “personal papers” directly encompasses data on electronic devices because such data goes to the heart of the notions of freedom of conscience, thoughts, and ideas. Therefore, data on electronic devices is afforded a higher standard of protection than other forms of property. The court expressly stated “data on electronic devices carries with it a significant expectation of privacy.”
The court acknowledged that this case directly implicates substantial personal privacy interests and found that inspecting information individuals stored on digital devices is much less like inspecting an impersonal gas tank and closer to inspections of people themselves, therefore requiring a higher standard. In the court’s words: “It was essentially a computer strip search.”
I believe this represents a higher level of respect for the value and importance of data than we have seen out of many courts (especially if you consider that most of the data breach lawsuits have been tossed because the courts find there is no value in the compromised data). For me, this was the true value in this case — let’s see if other courts will follow.