Law360 article quotes Shawn Tuma on data privacy significance of U.S. v. Cotterman

BrittonTuma partner Shawn Tuma was quoted extensively about last week’s United States v. Cotterman opinion in a recent Law360.com article titled “9th Circ. Pioneers Laptop Search Limits in Border Case”. Here are excerpts of what Tuma had to say:

“The court is raising the level of the expectation of privacy in data closer to that of someone’s own human body and further away from that of human property, essentially creating a new standard for data and information,” Shawn E. Tuma of Texas-based law firm BrittonTuma said Monday. “Now, if someone is carrying trade secrets or other intellectual property in a device that is seized at the border, that will have a higher expectation of privacy than other property.”
The impact of this new standard on data breach litigation could extend beyond border issues. According to attorneys, courts often dismiss these suits, finding the plaintiffs didn’t suffer any damages in losing control of their personal data. But if more followed the Ninth Circuit’s example, plaintiffs could gain a stronger argument on the value of compromised or misused information, Tuma noted. And employees could use the decision to oppose policies that allow their employer to search personal devices used for business purposes.

“I can see … an argument based on this case, saying that because the Ninth Circuit found that devices at the border are entitled to a greater expectation of privacy, employers should be held to the same reasonable suspicion standard before being allowed to search employee devices,” Tuma said.

Here is a link to the full article: http://www.law360.com/articles/422542/9th-circ-pioneers-laptop-search-limits-in-border-case 

Tuma provided more explanation of these data privacy implications in two other posts:

Podcast Discussing Data Privacy and Information Security Implications of United States v. Cotterman – Now Available!

You can now listen to the podcast for Courts Showing Greater Respect for Data Privacy – United States v. Cotterman. Click HERE!

For a recap, here is my discussion of this podcast and who participated:

I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Courts Showing Greater Respect for Data Privacy – United States v. Cotterman

TAKEAWAY: Data privacy is gaining respect within the judiciary, as it should because in many ways, data is the new currency and is worthy of protection.

On March 8, 2013, the Ninth Circuit Court of Appeals (en banc) handed down a watershed case with significant privacy implications: United States v. Cotterman, No. 09-10139 (9th Cir. Mar. 8, 2013). This case (including the majority, concurring and dissenting opinions) is 82 pages, so plan your time accordingly. It is worth reading because it represents a tug-of-war between the competing interests of border security and data privacy. Data privacy may not have scored a knockout, but it certainly gained some very important ground.

While analyzing the Cotterman case I made some notes on my whiteboard. Instead of sharing the customary random psychedelic photo with you, I decided to just share an image of the whiteboard so you can see what I thought was really important, which I will briefly discuss below.

Note – it is 12:30 on Saturday night and a few hours ago I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

Facts

Cotterman was a sleazebag child molester who had been convicted for molesting a child and apparently traveled out of the country quite frequently. Cotterman was returning from Mexico with his wife, had been visiting a country known for “sex tourism,” and had what was considered to be a significant amount of electronic equipment with him (a laptop and several cameras).

Cotterman was profiled at customs while coming back into America because of the totality of these factors, which indicated that he fit within the parameters of the Operation Angel Watch program aimed at combating child sex tourism. This led to Cotterman and his wife being taken for a heightened inspection. Cotterman’s laptop and cameras were inspected, nothing inappropriate was found during the cursory inspection, and he and his wife were allowed to go. Because some files were password protected, however, this raised another red flag, and the laptop and a camera were held for forensic examination.

The forensic examiner later contacted Cotterman and asked him to provide his password. Cotterman, sensing the inevitable at this point, hopped a plane to Mexico and then on to Sydney, Australia. Meanwhile, the forensic examiner was able to crack the password and discovered 378 child porn pictures and videos, some of which showed Cotterman sexually molesting a young girl between the ages of 7 and 10.

Procedural Posture

The district court determined that the forensic examination of the laptop and camera was improper and excluded the evidence under the exclusionary rule. The prosecutors appealed, arguing that the law was clear that customs had the authority to do a routine border search, including the forensic examination, without the need for any suspicion whatsoever.

The key issue in this case was whether it was reasonable to conduct a forensic examination of the computer and camera.

The Ninth Circuit’s Analysis and Ruling

The Ninth Circuit disagreed with the prosecutors’ argument but ultimately gave them a favorable ruling in the case that enabled the evidence to be used against Cotterman. The court found that, in order to conduct a forensic exam of data on electronic devices, there must be a “reasonable suspicion”, which is a heightened standard over what is typically required for a routine border search. The reason for requiring a reasonable suspicion for a forensic exam is the “comprehensive and intrusive nature of forensic examination.” The court also found, however, that the facts of this case satisfied the reasonable suspicion standard and the evidence should not have been excluded.

The court emphasizes protection of data privacy

The court also emphasized that Fourth Amendment protection of “personal papers” directly encompasses data on electronic devices because such data goes to the heart of the notions of freedom of conscience, thoughts, and ideas. Therefore, data on electronic devices is afforded a higher standard of protection than other forms of property. The court expressly stated “data on electronic devices carries with it a significant expectation of privacy.”

The court acknowledged that this case directly implicates substantial personal privacy interests and found that inspecting information individuals store on digital devices is much less like inspecting an impersonal gas tank and closer to inspections of people themselves, and therefore requires a higher standard. In the court’s words: “It was essentially a computer strip search.”

I believe this represents a higher level of respect for the value and importance of data than we have seen out of many courts (especially if you consider that most of the data breach lawsuits have been tossed because the courts find there is no value in the compromised data). For me, this was the true value in this case — let’s see if other courts will follow.
