By Jeff Kosseff
Kosseff is assistant professor of cybersecurity law at the United States Naval Academy.
In the wake of the San Bernardino shootings, Sen. Dianne Feinstein, D-Calif., re-introduced a bill that would require social media companies and other online services to contact the authorities when they have “actual knowledge” of terrorist activities.
The bill states that companies would not be required to review content – only that they must report terrorist activities that they learn of. Technology companies noted that they already work with authorities to prevent terrorism. Opponents criticized the bill, saying that it would actually discourage technology companies from voluntarily monitoring their services for terrorist content and working with law enforcement.
Looming in the background of this debate is a little-discussed but very important obstacle: the Fourth Amendment of the United States Constitution. As courts grapple with how to apply the Fourth Amendment’s privacy provisions to online crime fighting, it may become difficult for law enforcement and technology companies to collaborate to fight terrorism and other crimes.
Here’s the basic problem: Criminal defendants are increasingly arguing that any evidence that their online service providers turn over to law enforcement cannot be introduced at trial because the service providers violated the Fourth Amendment by conducting a warrantless, unreasonable search.
Sounds bizarre? Well, that’s because it is. If you think back to your high school civics class, you’ll remember that the Bill of Rights restricts the powers of the federal government, not private companies or individuals.
There is, however, an increasingly important, court-created exception to this rule: Fourth Amendment protections apply to searches conducted by private parties who act as “agents” of a government. How do you know if a private citizen or company acts as a government agent? The legal definitions and tests vary by court, but generally, a court will consider the degree of control that the government exercised over the private party’s search and whether the private party had an independent reason, unrelated to law enforcement, to conduct the search (such as a business justification).
This issue is arising increasingly in criminal cases in which online service providers turn over information that the government ultimately seeks to use as evidence of a crime. If a service provider is found to have conducted a warrantless search as a government agent, the criminal defendant may be able to prevent the court from considering not only the evidence that the service provider gave to the government, but any subsequent discoveries due to that initial evidence.
For instance, some email providers, cloud companies, and other online service providers use automated tools to scan user content for known child pornography images. No law requires them to conduct this scanning – in fact, federal law explicitly states that they are not obligated to scan for child pornography. Nonetheless, many companies scan because they believe that it is in the best interests of their users – and, ultimately, the companies’ bottom line – to keep their services free of this illegal content.
The services are, however, required by federal law to file a report with to the nonprofit National Center for Missing and Exploited Children if they ever obtain actual knowledge of apparent child pornography on their services. NCMEC then reviews the report and collaborates with law enforcement.
For years, this system has been a remarkably effective tool for fighting the online distribution of child pornography. But recently, criminal defendants have begun to argue that the service providers and NCMEC are subject to the Fourth Amendment because they are government agents. In other words, they claim that unless the companies and NCMEC obtain a warrant, all evidence of child pornography resulting from the initial scan cannot be used against them in trial.
Many courts have rejected this argument, concluding that both the companies and NCMEC operate outside of government control and for their own reasons that are independent of law enforcement. More troubling is a misguided November 2013 ruling from a federal judge in Massachusetts, which held that NCMEC is a government agent because its examination of a file provided by a service provider “was a search conducted for the sole purpose of assisting the prosecution of child pornography crimes.”
Fortunately, that same court held that the service provider was not a government agent because it had sufficient independent business reasons for creating a safe online environment. And a number of other courts have rejected the Massachusetts judge’s conclusion that NCMEC was a government agent.
But the “government agent” argument is arising with increased frequency when online service providers voluntarily collaborate with law enforcement. The U.S. Court of Appeals for the Tenth Circuit heard oral arguments in such a case last month.
What does this mean for efforts to encourage tech companies to collaborate with law enforcement in fighting terrorism? It means that it might be difficult to use in a criminal trial any terrorism-related information that the companies provide to the government.
To be sure, identifying terrorist activities is quite different than gathering evidence of child pornography – in the former, the goal often is to prevent an imminent attack, so there likely is less concern about evidentiary issues for a subsequent trial (if one would ever occur). The Fourth Amendment would not protect social media posts that are shared with the general public, though it would apply to private information. Even for private information, a number of courts likely would reject the government agency argument, as social media companies and other tech providers have a valid business reason to keep their services free of terrorist propaganda.
But the recent child pornography cases tell us that, at the very least, there is uncertainty surrounding the Fourth Amendment status of such evidence. And laws that require collaboration between technology companies and the government could increase the chances of such complications, as they might lead some courts to believe that the technology company’s terrorism prevention activities are intertwined with the government.
There are no easy solutions to this problem, as it ultimately is a constitutional decision for the courts. I predict that in the not-too-distant future, the United States Supreme Court will need to weigh in on these Fourth Amendment issues. When it does, I hope that it gives both technology companies and the government sufficient breathing room to collaborate on crime prevention.
Article was originally published on December 13, 2015 by Tech Crunch.