Judge Gorsuch and Technology (and Privacy)
By Mark Rasch
Attorney and Cybersecurity Expert
When Walter Ackerman sent an email from his AOL account to someone else, it never arrived. It never arrived because AOL’s computers examined the contents of the email, using an MD5 hash function, and determined that one of the attachments’ electronic signature matched that of suspected child pornography contained in a database maintained by the National Center for Missing and Exploited Children. AOL scanned the contents of Ackerman’s emails using an automated procedure, and then turned the results over to the Justice Department for prosecution.
The questions for the Court to decide then included, when AOL was scanning Ackerman’s email, were they acting as an agent for the government? Was automated scanning a search within the meaning of the Fourth Amendment? Did Ackerman have any expectation of privacy vis a vis an Internet Service Provider or email provider like AOL?
The judge who had to decide these issues was Neil Gorsuch of the 8th Circuit Court of Appeals, President Trump’s nominee to the United States Supreme Court.
Under the law ISP’s and email providers are required to notify the Cybertip line operated under statute by NCMEC, whenever they have “actual knowledge” of the transmission through the ISP of child pornography.
NCMEC is then required to report information to law enforcement if it finds child pornography or obscene materials. Interestingly, AOL is not required by law to scan for child porn, just to notify if it finds it. In previous cases courts had held that searches by private entites like AOL do not implicate the Fourth Amendment that only relates to “unreasonable searches” by government agents.
The term “government agents” is broader than simply government employees – it extends to anyone working on behalf of law enforcement and under their directions – and include informants and third parties. Indeed, on question currently under consideration is whether employees of Best Buy’s “Geek Squad” who are paid a bounty by the government for finding and reporting child porn are “government agents” for the purposes of the Fourth Amendment.
In deciding that NMCEC was a “government entity” for the purposes of receiving child porn from ISP’s, Judge Gorsuch focused on four points. First, NCMEC was the sole operator of the Cybertip line to which ISP’s were required to report child porn, and for which NCMEC was required to refer to law enforcement. Second, ONLY NCMEC was allowed to receive child porn reports from ISP’s. Third, NCMEC was required to preserve evidence received from ISP’s as if they had received a preservation request from law enforcement – acting to preserve the evidence for the benefit of law enforcement and in the same manner as if they had received such a request. Fourth, while it is generally illegal to knowingly possess child pornography, NCMEC is exempt from this legal requirement.
Finding not only that NCMEC was a government entity but also a “government agent” in examining the contents of Ackerman’s emails, Judge Gorsuch then determined a thorny issue in computer privacy law. Was an automated examination of the emails a “search” under the law, and if so, did Ackerman have any reasonable expectation of privacy in the contents of mail that he entrusted with a third party (AOL?) On both these issues, Gorsuch half punted. Judge Gorsuch noted:
No one in this appeal disputes that an email is a "paper" or "effect" for Fourth Amendment purposes, a form of communication capable of storing all sorts of private and personal details, from correspondence to images, video or audio files, and so much more. The undisputed facts show, too, that NCMEC opened Mr. Ackerman's email, found four attachments, and proceeded to view each of them. And that sort of rummaging through private papers or effects would seem pretty obviously a "search." After all, if opening and reviewing "physical" mail is generally a "search" — and it is, — why not "virtual" mail too?
Fine as far as it goes, but unanswered is whether the automated scanning of millions of emails and comparing their contents against MD5 hashes of contraband constitutes a “search” of both the individuals whose emails match and those who don’t.
In fact, Gorsuch muddied these waters by noting “Yes, AOL ran a search that suggested a hash value match between one attachment to Mr. Ackerman's email and an image AOL employees had previously identified as child pornography. But AOL never opened the email itself. Only NCMEC did that, and in at least this way exceeded rather than repeated AOL's private search.”
This suggests that the PRIVATE search (by AOL) may not have implicated privacy, but the GOVERNMENTAL search of the contents forwarded as a result of the private search (by NCMEC) was unlawful.
Also unaddressed was the scope of the so-called “third party” doctrine – the idea that Ackerman gave up his privacy when he trusted AOL. Judge Gorsuch simply noted that “the district court didn't rely upon third-party doctrine in ruling against Mr. Ackerman. Exactly to the contrary, throughout its decision the court assumed that Mr. Ackerman had a reasonable expectation of privacy in his email.”
The Ackerman decision, handed down in August of 2016, demonstrates the court’s struggle with complex issues related to privacy, constitutional law, search and seizure, government powers, and new and emerging technologies. It’s not necessary that Judge Gorsuch “got it right” or that he “got it wrong.” From a cybersecurity perspective, it’s more important that he “got it” – that is, that he was able to understand the nature of the technology and its implications for privacy.
Here there’s a mixed bag. In comparing the Ackerman/AOL search to a Supreme Court case involving a FedEx employee accidentally opening a box for delivery and finding a white powder (cocaine) Judge Ackerman distinguished the cases, he noted:
…AOL never opened the email itself. Only NCMEC did that, and in at least this way exceeded rather than repeated AOL's private search. Neither is there any doubt NCMEC's search of the email itself quite easily "could [have] disclose[d]" information previously unknown to the government besides whether the one attachment contained contraband. Indeed, when NCMEC opened Mr. Ackerman's email it could have learned any number of private and protected facts, for (again) no one before us disputes that an email is a virtual container, capable of storing all sorts of private and personal details, from correspondence to other private (and perfectly legal) images, video or audio files, and beyond. And we know, too, that this particular container did contain three additional attachments, the content of which AOL and NCMEC knew nothing about before NCMEC opened them too. As far as anyone knew at the time, they could have revealed virtually any kind of noncontraband information to the prying eye.
All true. But even if NCMEC’s search was ONLY of the contents of the attachment that matched the MD5 of child porn, the search by NCMEC, which would not have exceeded the search by AOL, would be put in question. Also, Judge Gorsuch skipped on the fundamental question of whether AOL was acting as a government agent (or whether Yahoo! would be when it scanned files at the behest of the government) is undecided.
In the future, we will need judges on the Supreme Court who understand technology, privacy, and the interplay between them. And we will need judges who don’t simply rubber stamp government (and quasi government) actions in the name of national security and/or child pornography. This is not an endorsement or condemnation of any particular judge. Just that, in the Internet Age, we need judges and law enforcement officials who, in the words of Tyrion Lannister, “drink wine and know things.” We’ll be watching.