Taking a few moments to secure a residential wireless network with a password is a good idea, a fact recently noted by the Federal Trade Commission. An open network is an invitation for piggy-backers and data thieves.
Who knew that password-protecting a wireless router also had constitutional significance? According to a recent court decision from Oregon, the failure to password-protect a wireless network can diminish the extent to which the Fourth Amendment protects computers and information on that network from government searches.
In United States v. Ahrndt, No. 08-cr-468 (D. Ore. Jan. 28, 2010), a federal trial court held that a child pornography suspect had no constitutionally protected privacy right in the files found on his personal computer, stored in a shared iTunes folder fed by a Limewire account, accessible by a neighbor who was piggybacking on his unsecured wireless network.
Limewire account. iTunes software configured for sharing. Unsecured wireless network.
Together these facts convinced the court that the Fourth Amendment was not violated when a local sheriff, acting without a warrant, used the defendant's unsecured wireless network to search the defendant's computer for child pornography. The court saw the situation like this:
When a person shares files on Limewire, it is like leaving one's documents in a box marked "free" on a busy city street. When a person shares files on iTunes over an unsecured wireless network, it is like leaving one's documents in a box marked "take a look" at the end of a cul-de-sac."
The court further remarked that, "as a result of the ease and frequency with which people use each others' wireless networks, I conclude that society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network."
I'm doubtful that the court has plowed new constitutional ground here, or that its ruling is going to surprise Fourth Amendment experts, although the court's opinion does appear to be the first to discuss the interplay between the Fourth Amendment and wireless security measures.
We already have a pretty well-developed law of passwords. The fact that has person has placed a password on a computer has been found constitutionally significant (but not dispositive) in several cases, including United States v. Heckenkamp, No. 05-10322 (9th Cir. April 5, 2007), and United States v. Long, No. 05-5002 (U.S. Ct. Mil.app. Sept. 27, 2006). Sharing passwords was found relevant -- and unwise -- in United States v. D'Andrea, No. 06-10082 (D. Mass. July 20, 2007), and the lack of a password on a cell phone in Casella v. Borders, No. 09-19 (W.D. Va. Sept. 2, 2009), was cited as one reason for finding no Fourth Amendment protection for photos stored on the phone. Further, the Fourth Amendment doesn't protect people who are careless about computer security. In United States v. King, No. 07-11808 (11th Cir. Dec. 14, 2007), the court held that the defendant did not have a reasonable expectation of privacy in a password-protected laptop computer that he unwisely connected to a military network.
Finally, there is the case of United States v. Ganoe, No. 07-50195 (9th Cir. Aug. 15, 2008), in which the court held that a defendant lacked a reasonable expectation of privacy in computer files he exposed to the internet via his Limewire account. The court was not sympathetic to Ganoe's claim that his sharing was accidental rather than intentional.
[H]e was explicitly warned before completing the installation that the folder into which files are downloaded would be shared with other users in the peer-to-peer network. Ganoe thus opened up his download folder to the world, including Agent Rochford. To argue that Ganoe lacked the technical savvy or good sense to configure LimeWire to prevent access to his pornography files is like saying that he did not know enough to close his drapes. Having failed to demonstrate an expectation of privacy that society is prepared to accept as reasonable, Ganoe cannot invoke the protections of the Fourth Amendment.
The court's ruling in Ahrndt doesn't mean that police are free to conduct drive-by searches of unsecured wireless networks. Other factors were at work in this case, such as the defendant's use of Limewire and his decision to "share" the contents of the iTunes folder containing the Limewire-fed materials. The Ahrndt court made a big deal of the fact that the defendant had taken the trouble to change the settings on his iTunes folders, which by default are set to not share contents. (Ironically, the court did not ascribe any significance to the fact that the out-of-the box setting for wireless routers is wide open to the public.)
The Ahrndt ruling does suggest, however, that in this area the law helps those who help themselves. The Fourth Amendment is very unforgiving when it comes to lax data security measures.
Comments