A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.
The June 23 ruling came in one of the many cases resulting from the FBI's infiltration of PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation, and the subsequent prosecution of hundreds of individuals. To identify suspects, the FBI took control of PlayPen for two weeks and used, what it calls, a "network investigative technique," or NIT—a program that runs on a visitor's computer and identifies their Internet address.
Such mass hacking using a single warrant has riled privacy and digital-rights advocates, but Senior U.S. District Judge Henry Coke Morgan Jr. upheld the use of the warrant and even stated that the warrant is unnecessary because of the type of crime being investigated and because users should have no "objectively reasonable expectation of privacy."
Even using countermeasures, such as the Tor network, does not mean that the user should expect their location or their activities to remain private, according to the judge.
"It is clear to the Court that Defendant took great strides to hide his IP address via his use of the Tor network," the judge wrote in the ruling. "However, the court FINDS that any such subjective expectation of privacy—if one even existed in this case—is not objectively reasonable."
Other courts have found the opposite. The Ninth Circuit, for example, held in 2007 that just connecting a computer to the network does not undermine a user's "subjective expectation of privacy and an objectively reasonable expectation of privacy in his personal computer."
Yet there has been a dramatic shift in the public's reasonable expectation of privacy because people do expect to be able to defend their computers against attack, Judge Morgan argued.
"[H]acking is much more prevalent now than it was even nine years ago, and the rise of computer hacking via the Internet has changed the public's reasonable expectations of privacy," the judge wrote. "Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: In today's digital world, it appears to be a virtual certainty that computers accessing the Internet can—and eventually will—be hacked."
The judge argued that the FBI did not even need the original warrant to use the NIT against visitors to PlayPen.
The Electronic Frontier Foundation, a digital rights group, warned that the ruling is far outside any current legal notion of privacy. The group expects, however, that law enforcement will begin to use the ruling unless it is overturned.
"The Justice Department has a practice of carving out novel legal interpretations and then advancing them in court," Andrew Crocker, a staff attorney for EFF told eWEEK. "I would not be surprised if they did try to rely on the idea that they don't need a warrant for this type of hacking."
Few people will have sympathy for the defendant, a man who allegedly visited PlayPen and downloaded images from the site, but the precedents in the case could affect everyone, the EFF stated.
"The decision underscores a broader trend in these cases," the group stated in a blog post. "Courts across the country, faced with unfamiliar technology and unsympathetic defendants, are issuing decisions that threaten everyone's rights."
The case may also cause the industry to determine a better definition of the term "malware." While the word originally comes from "malicious software," the intent of the software is less an issue than the expectations of the user on whose system the software runs. Adware, spyware and other forms of tracking are often considered malware.
Special Agent Daniel Alfin, who sought the warrant, declared that the NIT program is not malware.
"The NIT utilized in this investigation was court-authorized and made no changes to the security settings of the the target computers to which it was deployed," he said. "As such, I do not believe it is appropriate to describe its operation as 'malicious.'"