
Home Computers Connected to the Internet Aren't Private, Court Rules - pdpi
http://www.eweek.com/security/home-computers-connected-to-the-internet-arent-private-court-rules.html
======
grellas
Bad judging all around here.

Just because a home computer _might_ be hacked does not mean that an average
user doesn't expect his experience on that computer to be private. Every area
of life _might_ be breached by determined intruders and, if that were the test
of having a expectation of privacy, then every area of life would flunk it.
Your home, your car, your bathroom, your bedroom, you name it. In reality, of
course, break-ins, hacks, and other intrusions are the exception and not the
rule in the areas we commonly regard as private. If the legal test on
protecting privacy were to turn on whether break-ins or hacks were a regular
element of the environment (however infrequent), then the exception swallows
the rule and privacy is no more. This judge's ruling essentially embraces such
logic and is thus wildly out of line with existing law regarding protection
against unreasonable searches and seizures.

Also bad judging in reaching the issue gratuitously: the main issue here was
whether a particular warrant was misused; it was unnecessary to decide what
would have happened without a warrant of any kind. Yet the judge reached to
inject his _obiter dictum_ into the analysis as a sort of by-the-by, "here is
what I would rule if other issues were before me."

Why such an outcome? As the lawyers say, "hard facts make for bad law." You
have a despicable perp doing vile things and the natural instinct is to want
to nail him. Just as, conversely, when you have a sympathetic person who has
being seriously wronged, the natural instinct is to do what you can to help
him get justice. In either case, judges and juries will be more prone than
otherwise to engage in results-oriented jurisprudence and will thus try to
bend and shape the law to that purpose even if the law objectively says
otherwise. This factor may help explain why the judge did what he did. It does
not make it right.

Finally, bad judging means, in this case, bad precedent and this decision will
surely have pernicious effects until the day comes when its run is ended by a
higher court. For this case, that day will surely come. It is a bad decision
all around.

~~~
nostrademons
Curious whether this precedent could be used to argue that Snowden acted
legally. After all, leaks happen routinely, and the technical difficulty of
copying documents onto a thumb drive is minimal. Clearly, then, the NSA has no
reasonable expectation of privacy for any document that it keeps in electronic
form.

~~~
jliptzin
You could argue that, but you wouldn't win, despite that being a logical next
step to this ruling. Judges and legislators today seem to arrive at their
preferred judgment first, then work backwards to see what kinds of precedents
or reasoning they could massage to justify their rulings. If you're looking
for consistency and logic in the US justice system you're going to be
disappointed.

~~~
wry_discontent
To completely fair, that's how most regular people make decisions too.

~~~
Grishnakh
Most regular people are idiots and have little grasp of formal logic.

Judges are supposed to be experts at the law and better at this stuff than
"regular normal people". That's why they spend years in law school, and why
judges aren't just randomly selected from the general population.

~~~
conceit
People have an OK grasp of formal logic, that is the formalism. It's learned
at an early age, it's prerequisite for deductive (or inductive?) learning
actually. Most might lack the cognitive ability to exercise those formalism in
an abstract synthesis into long formulas.

~~~
woodman
No, people suck at it - just look at your first sentence. There are a lot of
likely reasons, my favorite being evolutionary pressure: 10,000 years ago two
men see the tall grass twitch, while one scrambles up a nearby tree the other
considers the cost in energy expenditure to flee vs the likelihood of a tiger
attAAARGH. We can't trust brains to the point where we have to invent highly
structured methods:
[https://en.wikipedia.org/wiki/Analysis_of_competing_hypothes...](https://en.wikipedia.org/wiki/Analysis_of_competing_hypotheses)

~~~
conceit
What's got energy expenditure to do with logic? Isn't what you talk about
Bayesian Inference?

> while one scrambles up a nearby tree

I'm not sure that is just a nervous reflex or the result of the logic
implication " _If_ that's a Tiger _and_ I stay _then_ I will die". Even if the
thought becomes hardwired, it would have to have been logically evaluated
before it became subconscious. To react and be afraid, the danger must be
recognized and categorized, " _If_ the grass twitches _then_ something moved
it", etc. etc. Going down that argument, small life forms would be able of
some small amount of logic reasoning, too. As long as those grow bulks of
neurons, I don't see why that should be wrong.

> just look at your first sentence

What are you trying to say?

~~~
woodman
> What's got energy expenditure to do with logic?

Nothing, but it has everything to do with the point immediately proceeding -
evolutionary pressure.

> ...it would have to have been logically evaluated before it became
> subconscious.

Yes, and at that point it would no longer be logic based - it would be pattern
matching. The human brain is a pattern matching machine, because historically
that has offered a major advantage. For your position to be true, that such a
flight mechanism is logic based, then you would have to believe that the
behavior would immediately change in the event of conflicting information
being presented. That doesn't happen, see confirmation bias (or any other kind
of bias).

> What are you trying to say?

Exactly what I did. Your statement was illogical, but I'm starting to suspect
that we might not be conversing in your native language - which would also
explain it.

------
twoodfin
I'm much less skeptical than the median HN poster about government's use of
new technology in its traditional roles of criminal justice and national
security, but if this article is a fair summary of the case, I can't see how
the ruling makes any Constitutional sense.

Because burglars regularly break into people's homes or cars doesn't make them
subject to warrant-free search. If the FBI wants to run code on my CPU in my
private home without my permission, they should have a warrant, just as they'd
need one to manipulate other objects in my home without my consent.

~~~
dantillberg
Right? It seems trivial to tweak the judges statement:

"In today's digital world, it appears to be a virtual certainty that computers
accessing the Internet can—and eventually will—be hacked."

To apply to houses:

"In today's mechanized world, it appears to be a virtual certainty that houses
connected to the earth can—and eventually will—be broken into."

Thus, warrants need not apply for search and seizure in houses. QED.

~~~
pfortuny
Not just broken into, just peered into. Do not have windows if you expect any
privacy.

And of course, do not speak at home (or do not expect any privacy).

~~~
PJDK
Genuinely curious, do you need a warrant to look through a window.

I guess the answer is "sometimes, it's complicated"...

~~~
HillaryBriss
Oh yeah. Another piece of advice I've often heard is that, if police come to
your door asking questions, it's prudent to step outside to speak with them,
rather than speaking with them through an open door. If they see something
suspicious through your opened door, they can reasonably claim probable cause
and force entry.

This may be all BS. But it's advice I've heard more than once.

~~~
anonbanker
If police are doing a "knock and talk", they don't have a warrant. Barry
Cooper had the best script for that:

If police are knocking, lock your door and say through a window: "I don't talk
to police; have your dispatcher call me. If you have a warrant, here are my
hands, go ahead and kick the door down". Then cover your ears, close your
eyes, and wait.

~~~
coldtea
The problem with those kind of scripts is that while they correctly account
for not accidentally exposing yourself to the Police (without a lawyer present
etc), they fail to account for the consequences of getting in the police's
nerves and looking like a suspect in their eyes (which can get down to them
downright making stuff up or planting stuff on you).

~~~
anonbanker
if police are targeting you, they're likely to make stuff up or plant evidence
anyway.

If you feel you can't handle your affairs, make sure to lawyer up as soon as
the police leave your house. You'll need to. let the lawyer know what you did,
so he can take appropriate action.

Just remember that a lawyer, should (s)he put your needs above the needs of
The People or The Court, (s)he would be disbarred. So don't expect magic to
happen.

------
mikegerwitz
The EFF wrote about this both last week and yesteday:

[https://www.eff.org/deeplinks/2016/06/making-sense-
troubling...](https://www.eff.org/deeplinks/2016/06/making-sense-troubling-
decision-new-court-ruling-underscores-need-stop-changes)

[https://www.eff.org/deeplinks/2016/06/federal-court-
fourth-a...](https://www.eff.org/deeplinks/2016/06/federal-court-fourth-
amendment-does-not-protect-your-home-computer)

It is very concerning indeed, but will hopefully not be a precedent. At least
if common sense and a basic level of constitutional competence prevails.

Rule 41 is a huge concern---as mentioned in the EFF posts---and risks
decisions like this becoming commonplace. As the EFF mentions, it also
encourages forum shopping: finding a court lax on fourth amendment issues, in
this case.

------
cleeus
in germany, the highest court ruled exactly the opposite:
[https://de.wikipedia.org/wiki/Grundrecht_auf_Gew%C3%A4hrleis...](https://de.wikipedia.org/wiki/Grundrecht_auf_Gew%C3%A4hrleistung_der_Vertraulichkeit_und_Integrit%C3%A4t_informationstechnischer_Systeme)

rough translation: "The right to confidentiality and integrity on IT systems"

google translate link:
[https://translate.google.com/translate?hl=de&sl=de&tl=en&u=h...](https://translate.google.com/translate?hl=de&sl=de&tl=en&u=https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FGrundrecht_auf_Gew%C3%A4hrleistung_der_Vertraulichkeit_und_Integrit%C3%A4t_informationstechnischer_Systeme)

As far as I remember the CCC wrote an expertise in the ruling and mentioned
computerized implants. That was the point were the judges understood that
there should be an expectation of privacy on home computers.

~~~
tallanvor
It looks like this was just a district court, though. Higher courts in the US
could certainly overturn this ruling.

~~~
kire456
Non-American here: glad to hear they can. Will they, in cases like this, do
that by themselves? Or should someone (EFF) appeal this ruling? Or can only
the suspect/criminal in this specific case appeal?

~~~
colechristensen
The defendant must appeal, but someone (the EFF) often supports the defendant
through either friend-of-the-court briefs [1] or directly supplying free legal
services.

[1]
[https://en.wikipedia.org/wiki/Amicus_curiae](https://en.wikipedia.org/wiki/Amicus_curiae)

------
hap1o
Homes that have a driveway connected to a street probably aren't private
then..... I mean it's essentially the same thing.

~~~
ep103
iirc, that's actually been ruled true before....

~~~
pc86
You recall incorrectly.

~~~
sixothree
I remember a case where police placed or retrieved something from a car in the
driveway without a warrant. The reasoning was that your driveway is not
private property.

~~~
whamlastxmas
You might be remembering the FBI placing GPS tracking on cars in drive ways,
which was considered fair game and not requiring a warrant.

~~~
monocasa
I think he's talking about this.

[http://arstechnica.com/tech-policy/2014/12/cops-illegally-
na...](http://arstechnica.com/tech-policy/2014/12/cops-illegally-nailed-
webcam-to-utility-pole-for-6-weeks-to-spy-on-house/)

But as far as the GPS tracking, that was declared to be a 4th amendment
violation as well.

[https://en.wikipedia.org/wiki/United_States_v._Jones_(2012)](https://en.wikipedia.org/wiki/United_States_v._Jones_\(2012\))

Reading the decisions actually shows Scalia's rare awesome side.

------
Practicality
So does this mean I am now legally entitled to all corporate documents on
computers connected to the internet?

~~~
ww520
It might work since one has no expectation of privacy in public and taking
picture of him is perfectly legal, making a copy of the document (taking
picture) on the machine with no expectation of privacy would be perfectly
legally too.

~~~
Miner49er
Probably not though. The CFAA still says it's illegal to do anything on a
computer that you're not authorized to use. It has nothing to do with
expectation of privacy.

~~~
ww520
Does CFAA apply to FBI as well?

~~~
Miner49er
No, ikeboy pointed out below that the CFAA doesn't apply to the government.

------
fredgrott
Wait no expectations of law respecting a lock because robbers can break the
lock?

Obviously, this will be struck down..

But it does raise the question what do we do when a judge refuses to
understand basic law concepts? Can we than fire the judge?

~~~
dctoedt
> _Can we than fire the judge?_

This was a federal district judge, who under the U.S. Constitution (Article
III) has life tenure and can't be fired; he can be removed from office only if
impeached by the House of Representatives and convicted by the Senate after a
trial.

The chief judge of the district could cut this judge's case load to zero [0].
In this case, though, (A) that's very unlikely to happen, and (B) the judge
would still stay on full salary.

[0] EDIT: This sort of happened, for example, to (now-former) federal district
judge Sam Kent in Galveston after he was accused of "inappropriate touching"
of female court employees. See [http://www.chron.com/news/houston-
texas/article/Criminal-cas...](http://www.chron.com/news/houston-
texas/article/Criminal-cases-stripped-from-Kent-s-docket-1556195.php) Kent
later pled guilty to a felony charge of making false statements to
investigators; he tried to retire from the bench so as to keep his pension,
but that pissed off the House judiciary committee, which pushed through
articles of impeachment, which caused Kent to resign. He served not quite
three years in prison. See [http://bigbendnow.com/2011/08/disgraced-former-
judge-complet...](http://bigbendnow.com/2011/08/disgraced-former-judge-
completes-felony-sentence-in-jeff-davis-county/) and
[https://en.wikipedia.org/wiki/Samuel_B._Kent](https://en.wikipedia.org/wiki/Samuel_B._Kent)

~~~
reacweb
I think this judge has clearly demonstrated his incompetence in handling
computer related cases and his very poor understanding of the subject.

Instead of firing him, I think he should be teached. This judgement should be
used as example of bad judgment.

~~~
michaelmior
> teached

Did you mean taught (something) or impeached?

~~~
0x6c6f6c
Why not both

------
shawn-butler
These Playpen cases are all deriving their 4th Amendment bypass based on the
IP Address = Phone Number analogy[0].

The judge in this case at least seems to understand where the others did not
that the IP Address had to be obtained by questionable means.

But decision reads: "The Court notes, however, that perhaps malware is a
better description for the program through which the provider of the
pornography attempted to conceal its distribution of contraband over the
Internet than for the efforts of the Government to uncover the pornography."

The conclusion is that Tor is more malware than the FBI spyware.

I am not entirely dissuaded by govt's logic re expectation of privacy. Most
porn/torrent sites do attempt to install spyware/malware. Everyone knows this.
Whether the govt should be doing this is another matter entirely.

I am more distressed by the fact that this judge is allowing the FBI to use
this tool and not allowing defendant access to its source code in discovery.
This is unacceptable.

[0]: [pdf]
[http://www.steptoe.com/assets/attachments/4903.pdf](http://www.steptoe.com/assets/attachments/4903.pdf)

~~~
greyfox
I am more distressed by the fact that this judge is allowing the FBI to use
this tool and not allowing defendant access to its source code in discovery.
This is unacceptable.

-Couldnt agree more

------
natch
So when the government keeps zero-days to itself with plans to exploit them,
instead of helping to strengthen security as they should, after this ruling
they now have an additional conflict of interest: they have an incentive to
keep this line of judicial interpretation viable by keeping security weak.

------
caruana
What about businesses? Should they expect all their computers to be public and
if so, doesn't that have serious ramifications for data protection and the
prosecution of hackers?

~~~
Practicality
I was thinking the same thing. Also, using this ruling to target business
documents would likely be the fastest way to get it overturned. Even if they
somehow rule that businesses are different than homes, most executives take
all their documents home regularly.

~~~
coldcode
Also Federal courts have computer systems which means all legal documents are
now available for access. Unless this Judge thinks it only applies to
defendants.

------
throwawaylalala
No home is immune from invasion.I still expect privacy there....

~~~
nxzero
You know about Ranger-R, right?

[http://www.usatoday.com/story/news/2015/01/19/police-
radar-s...](http://www.usatoday.com/story/news/2015/01/19/police-radar-see-
through-walls/22007615/)

------
blantonl
Based on this ruling, why wouldn't the suspect's defense now be "well, my
computer must have been hacked, it wasn't me downloading the questionable
content. See, look, even the courts have ruled that my computer, for all
intents and purposes, is publicly available for all kinds of hackers to
utilize for nefarious purposes."

~~~
ikeboy
They tried that, and it was rejected in the same ruling. More specifically,
they claimed that someone might have MITM'ed the FBI's program to send
different information since it didn't use encryption, and that the program may
have weakened security settings allowing someone else to plant child porn on
their computer. The first was rejected as implausible, as the program sent all
its information back quickly (less than a second) and any attacker would need
deep knowledge of the program to know what to send. The second was rejected as
not supported by evidence (no evidence that the FBI's program changed security
settings and a declaration by an agent that it didn't, and also the charges
weren't based on the files found on the computer).

~~~
ambulancechaser
And the NIT program didn't give them anything about the person except for some
identifying info. They went to the ISP located in florida to find out
information on this and then got a traditional warrant to search the house
which resulted in them finding the material. They waiting to install the NIT
until the person went into a forum and tried to access the pornography.
Everything about this to me makes sense with one exception. The judge handled
that the warrant was topical and specific, which I agree, and argued that the
issuing magistrate could issue it seems like a reasonable interpretation of
the rules but I wish they would update those instead of let precedent twist
the words a little. But I disagree with the finding that despite all of these
hoops the judge finds that a warrant wasn't necessary in the first place. That
to me is a stretch. Seems like a better thing was that the system worked.
There was suspicion, description of what information to seize, and a
triggering event. These were all met and a judge had allowed the deploying of
the NIT in these circumstances. Why say that despite all of the checks being
satisfied they weren't necessary in the first place, especially with the
argument that there can be no expectation of privacy simply by being on the
internet.

~~~
ikeboy
I'm inclined to agree that there's no expectation of having your IP be secret
even when using Tor, but there's an expectation of not having other people run
code on your computer. The judge considered this distinction and rejected it.

The IP not being secret is supported by precedent from other cases, it seems
reasonable that if the government can trace it back without hacking the
computer it should be fine.

------
noobiemcfoob
From the judge's ruling: "Just as Justice Breyer wrote in concurrence that a
police officer who peers through broken blinds does not violate anyone's
Fourth Amendment rights, jd. at 103 (Breyer, J., concurring), FBI agents who
exploit a vulnerability in an online network do not violate the Fourth
Amendment. Just as the area into which the officer in Carter peered - an
apartment - usually is afforded Fourth Amendment protection, a computer
afforded Fourth Amendment protection in other circumstances is not protected
from Government actors who take advantage of an easily broken system to peer
into a user's computer"

The keywords are "exploit a vulnerability". In that sense, I'm inclined to
agree with the judge.

Put another way, are broken blinds all that different from an unsecured
(though attempting to be secured) network?

The counter might be: using an exploit of any kind is akin to first breaking
the blinds yourself.

~~~
wyldfire
The analogy seems to break down a bit. Given that peering through broken
blinds likely doesn't violate any laws but exploiting vulnerabilities does run
afoul of CFAA (see 18 USC § 1030, a.2.C), merely "peering through the blinds"
seems like bad faith.

~~~
voxic11
The CFAA exempts law enforcement agencies so I don't think you are correct.

>This section does not prohibit any lawfully authorized investigative,
protective, or intelligence activity of a law enforcement agency of the United
States, a State, or a political subdivision of a State, or of an intelligence
agency of the United States

~~~
wyldfire
Yes, and even if it didn't specifically exempt them it wouldn't necessarily
affect the rules of evidence/fourth amendment stuff. My point was that "if a
regular guy did this it would be a crime so maybe it's not quite the same as
looking through the blinds."

------
willvarfar
Do you have no expectation of privacy indoors if you have Windows then?

~~~
sethammons
If you mean a pane of glass, you are correct. From the street, someone can
look through your window. I don't feel this ruling is akin to looking through
a window however. It is like walking though an unlocked door (or possibly wide
open door). Any sane person would call that trespassing.

~~~
willvarfar
This is from last month:
[https://news.ycombinator.com/item?id=11912696](https://news.ycombinator.com/item?id=11912696)

Basically the FBI puts cameras on utility poles to look into suspects yards.
Because a human could also climb a pole, it doesn't need a warrant.

------
wallace_f
>A judge in Virginia rules that people should have no expectation of privacy
on their home PCs because no connected computer "is immune from invasion."

Brilliant. Finally we can do away with all the stupid laws we have. Private
residences are also not immune from invasion. In fact, even a 9-year old child
could easily throw a rock through a window, reach in and unlock it, open it up
and do whatever they please. The fridge is not locked with a secure method so
they can have whatever they want from there--there's no reasonable expecation
of it being immune from invasion and theft, so why should it be illegal? This
judge is a genius. In fact, this judge is showing us how important it is to do
away with silly laws. No one is immune to being punched, kicked, stabbed or
shot, and in fact it is quite easy for someone to do that as a matter of fact,
if they certainly decide to do so, so we can finally do away with all those
ridiculous laws pertaining to assault, rape and murder as well. Another great
day for us. We're making progress in America!

------
ominous
Previous discussion:
[https://news.ycombinator.com/item?id=12007151](https://news.ycombinator.com/item?id=12007151)

------
dahart
In other news, hacking in East Virginia is now legal.

While the judge's statement and ruling seem to defy both logic and precedent,
this didn't start here, and it doesn't stop here. The government and FBI in
particular have long been trying to approach and establish the notion that
it's okay for the "good guys" to hack, and not okay for the "bad guys" to
hack. This ruling doesn't establish that, but will people in favor of this
ruling draw the logical conclusion and say what used to be criminal hacking is
no longer a crime, that an online bank has no expectation of privacy and it's
being hacked and the money stolen is inevitabile? Would this same judge throw
out a case of criminal hacking? I doubt it.

------
TeMPOraL
Things like this seem to pop up every other week now. It feels like companies
and governments alike keep trying to fuck up the Internet, or even the very
idea of personal computing. Does any other industry face such ridiculousness
on a constant basis?

~~~
stephengillie
Every other industry is busy trying not to be 'eaten by software'.

------
snake_plissken
This ruling makes no sense. My mind makes the invalid phone number noise, "do-
do-dooooooo", when I read it.

When I read about decisions like this, I often wonder if judges are
purposefully making these nonsensical rulings so that the higher courts are
forced to take the cases and make valid decisions. Though, I'm still undecided
as to why this might be; perhaps the judge isn't up to the task of making a
complicated ruling, some personal bias that favors one side of the law, or
wishing to look good in front of the Feds in hopes that he or she can move up
in the court system.

~~~
ikeboy
The part of the ruling this article is discussing isn't binding precedent, and
doesn't affect the case. Even if it were overturned the court would still have
found for the government.

------
sailfast
If this holds, it would be an excellent defense for any hacker that
infiltrates any connected system in the US.

So... hack the government freely now? "You were the idiots that connected the
system to the web... you should have no expectation of privacy."

Put a more insane way: "Your doors were unlocked therefore invading your home
was not a crime."

This will have to be struck down to preserve our democracy I would think.
Insanity.

Total aside: DoJ is really dropping the ball and will have to decide whether
they want to prosecute hackers or enable their own hacking. Can't really
support both.

------
sharemywin
So, I'm assuming as long as I'm only spying on his computer or his accountants
or his attorneys and not editing his security settings that it's not illegal
because it public information.

------
derekp7
A much better real-world analogy that would fit this case, that the judge
should have used, is: Let's say the FBI intercepts a shipment of illegal goods
(either counterfeit merchandise, drugs, whatever). They intercept the shipment
before it gets to a distributer, and they want to find out who the end
customers are. Would they be allowed to put a gps tracker in the individual
packages so that it reports their final location once they reach the end
customers?

~~~
talmand
If seizing the shipment was done in a legal manner, I don't see why not.

Although, they run the risk of their gambit being discovered, the devices
removes, and losing the shipment.

~~~
clarkmoody
Twist: the distributor discovers the trackers and routes the illicit goods to
FBI agent and bureaucrat residences.

------
clavalle
Having read through the opinion the one thing that strikes me is how
completely unnecessary deciding that people with computers connected to the
internet, because of the existence of hackers, have no expectation of privacy.

The judge had found, by tighter reasoning, that law enforcement didn't violate
the Fourth Amendment in using their tools to find the defendants IP. Then,
having gone through that, for no obvious reason, goes on to decide that no one
has an expectation of privacy on their personal computers because computers
are so full of security holes and hackers are so sophisticated these days
that, essentially everyone has 'broken blinds' that anyone else in the world
can see through on what would ordinarily be considered a private space.

It boggles the mind.

Up to that point the judge basically says "The defendant decided to go
somewhere questionable and do something illegal -- since the FBI was watching,
controlling, in fact that questionable place that was more or less public but
dedicated to illegal activity, they had every reason to collect information
because of probable cause".

Great! Perfect! There is a lot of precedent. I'm reminded of when the FBI took
over a biker bar that was known to be a nexus of drug trade and bugged the
place and wired it for surveillance and put people who went there and were
seen doing illegal things under surveillance themselves. From what I
understand, it was a fruitful endeavor. But this is like they did that then
decided since the road that connects to that bar also connected to houses that
could be seen from the street, any of those houses can be searched. It's
insane.

------
appleflaxen
The division between state-sanctioned invasion of individual privacy (in this
case) and draconian sanctions on trivial "penetration" actions (like changing
the UUID in a URL) for corporate entities using the CFAA is really
contradictory.

We need to turn it around: draconian punishments for "law enforcement" members
who violate the constitution, and protections for individuals who tinker,
probe, or explore without malicious actions/intent.

------
balabaster
Well it can't go both ways, either it is or it isn't. So I say hack every
computer in Virginia Law Enforcement - because they're connected to the
Internet and thus have no expectation of privacy, thus this supersedes
precedence for wire fraud charges for just checking stuff out on computers
that aren't after all private... you can't have it both ways. The law applies
to everyone or no one.

~~~
daphreak
Instead of hacking think of it from the other side: If no computer connected
to the Internet has a reasonable expectation of privacy then law enforcement
must develop a system to manage all of their data and IT needs that is not
connected to the Internet.

Good luck getting that budget passed.

While the the slippery slope is not a valid argument it is always interesting
to think about how precedent like this could spiral out of control.

------
logfromblammo
So would pwning every device in this judge's home and publishing all data
files found on them to the Internet count as an amicus brief?

------
coldtea
The root of the problem is this BS "reasonable expectation of privacy"
criterion.

The criterion should be open and clear: "Does the government need to get on
your internet connected PC (or mail, or whatever else)? Is that beneficial to
society?".

Whether you expect your mail or PC or whatever to be private or read by others
is beyond the point.

Even whether it's publicly visible should be beside the point (the same way
that whether you have your door open or not, nobody has the right to just get
into your house without your consent).

E.g. one's public moves (location in time) is public knowledge too, but a
society should be able to decide that it's illegal for the government (or even
companies and individuals) to aggregate that information about a person, or
even more so all citizens.

Even if some third parties still have it, your location data on your telco's
servers (period) is something very different than your location data on an
advertiser's servers or your location data on some government agency servers.

------
rdiddly
Why do "expectations" of privacy figure so prominently in this? Is it not
about rights? Like as in Bill of?

If I walk down a street in a bad neighborhood, I may or may not "expect" to be
mugged, but regardless of what I expect, or what anyone placing bets on me
expects, I have the RIGHT not to be mugged.

Edit: In other words, mugging is a crime and unreasonable searches & seizures
are crimes.

Know what else gets me about this "expectations" bit - it's ass-backwards.
Like "hacking happens a lot, therefore hacking is okay." Well, armed robbery
happens a lot, therefore that judge has no reasonable expectation of not being
robbed at gunpoint - it's totally fine everybody!

For that matter, the child porn they're trying to stop happens a lot. If
you're going to be consistent you now have to say no child has a reasonable
expectation of not being exploited.

The law is not a weather vane that swings depending on whichever way people
want to break it!

------
mfer
What could this mean?

\- Celebrities have no expectation of privacy on their cell phones (including
photos)? \- Home security systems offer no expectation of privacy (they are
remotely connected)? \- There is no expectation of security with the IoT?

Computers connected to the Internet are all part of these things.

What other things would this impact?

~~~
Buttons840
How about someone in the FBI, CIA, NSA, etc, discussing or storing something
top secret on a computer connected to the internet. This is pretty much the
same thing as just leaving the document out in public, right? </sarcasm>

------
ikeboy
Could the link be changed to [https://www.eff.org/deeplinks/2016/06/federal-
court-fourth-a...](https://www.eff.org/deeplinks/2016/06/federal-court-fourth-
amendment-does-not-protect-your-home-computer)?

------
fiatmoney
That part of the opinion is nonbinding dicta - basically the judge
freestyling, without setting precedent.

------
coroutines
I wonder if there is a legally-protected expectation of privacy when NAT is
used, vs without.

IPv4 LANs vs IPv6 LANs.

~~~
2close4comfort
I think you would be giving the Court too much credit for putting that much
thought into their decision. And I think even more important we know how good
the FBI is at "cyber" that there would be no issues in attribution of traffic
to an IP address. So this is really blanket permission for the FBI or any .gov
to hack anything internet attached.

~~~
eximius
Oh, I don't think it's too much credit to consider the court thinking about
those things. They might do it by analogy and get it all dreadfully wrong, but
they often get down to the nitty gritty implementation details.

------
burger655
If Tor is to succeed, the child pornographer must also be protected. Yes, I
know this is abhorrent, but you cannot have a service that purports to protect
you from the prying eyes of your government (or anyone else) while also being
vulnerable to exploits like this one. You may be okay with the government
collecting a series of such exploits and deploying them on child porn sites in
similar fashion (many people are), but then there's nothing stopping them from
using the same techniques to go after people buying drugs, expressing dissent,
or simply holding political or social opinions that the government wishes to
squash for whatever current reason. At that point, Tor is as good as dead.

------
graycat
Yes, sadly in a sense the judge is correct -- connecting to the Internet can
result in virus infections. About two weeks ago, I detected that my computer
had gotten a bad virus. Maybe I got rid of it. But last night my computer ran
for 9:23 minutes checking for more virus infections -- none were found.

To me, a first criterion of computer security of an operating system is that
it be able to run any software at all, including software that tries to be
malicious, and connect to any communications at all, all quite safely.

Does meeting this criterion really have to be too difficult?

With this criterion met, the judge will be wrong.

While I have no sympathy for the defendants in this case, computing is
important and so is secure computing.

------
greyfox
While i dont agree with the Judge, i also detest the criminals they were
trying to arrest.

What people should always remember is that statute or no statute, expectation
of privacy or not, precedent or no precedent...

The jury system needs to be thoroughly re-educated in their rights to
nullification. If we use these precedents to arrest child abuse criminals
today and ten years from now it becomes used to quell dissent the jury's who
sit for these trials MUST know their power to nullify the trial/law being
charged...

From wiki..."The jury in effect nullifies a law that it believes is either
immoral or wrongly applied to the defendant whose fate they are charged with
deciding."

~~~
ww520
They can always get a warrant to search and hack. It's just they don't want to
do their job properly.

~~~
greyfox
agreed

------
wuliwong
I am not familiar with this case and was wondering what the FBI did to
discover visitor IPs. My first thought was that it was done using javascript
and they just nabbed anyone who didn't disable JS. But the article says
"visited PlayPen and downloaded images from the site." This quote was used in
describing how unlikeable the accused will be to the public and may not have
been meant to be taken literally. So, I'm still assuming that it was
javascript and not some weird thing attached to an image file.

\--separate thought--

I actually haven't thought much about the legality of the Feds running JS on a
visitor's computer. I never had any issues with it, even being a complete
psycho-libertarian in the extreme. I understand the wording of this particular
ruling is distasteful but ignoring that does running JS on a visitor's
computer need a warrant?

I'm still pondering it but it seems similar to the Feds busting a store that
was a front for selling drugs and then tracking everyone that went in that
store.*

The analogy isn't perfect because in the computer case they are actually
planting a "bug" in private property (assuming our personal computers are
still considered private). Whereas in the drug case the Feds could simply
follow these people to their homes and then they know their address.

The analogy can be made better if the Feds put a tracking device inside the
drugs that the visitors to the "drug store" purchased. These people then are
carrying the tracker into their own home, unbeknownst to them. Similarly the
web surfers accessing the compromised site are downloading a tracking script
onto their computer without realizing.

My intuition tells me that we want the Feds to need to get a warrant to
deliver JS to visitors of a child porn site but not to get a warrant for each
individual visitor.

I would be quite interested to hear people's thoughts.

* The use of this fictional scenario does in no way imply my support of the U.S. government's policies on the legality of drugs nor imply recognition of said government's ability to determine this for individuals. :-p

~~~
ambulancechaser
You agree with the judge in all aspects save the not requiring a warrant in
the first place-- which i think is the only strange there here at all. The
judge ruled exactly as you think. The defendant argued that the warrant lacked
jurisdiction, being based in VA and he lived in FL. The rules of warrants
allow for implanting of tracking devices in the jurisdiction and its ok if
they are then taken out of the jurisdiction. the judge argued that you take a
digital trip to Virginia's servers, download the porn, and then head back to
florida with the contraband. This met the interpretation of the warrant
issuing guidelines so it was a valid warrant under the rules. Further, the
warrant specified who and what was to be collected: IP address, mac address
and a few others. The IP address was actually provided by the client
"voluntarily" when the rest of the payload came back. But the stretch--and
just incorrect part, to me, at least-- is that the judge opines that a warrant
was not necessary in the first part because the internet is known to be
treacherous so everyone knows you can be hacked. He gives a big list of hacks,
half of which were government actions, and then points out you can't have a
reasonable expectation of privacy, and therefore its not an unreasonable
search and seizure.

~~~
wuliwong
Indeed, I am in total opposition to the overarching spirit of the article
where my personal computer is not my private property because I connect it to
the internet.

It is funny to me to have to think about the physical location of a server
that I am accessing being important. Like my fate depending on whether I was
routed to a server in Georgia vs. Kentucky, something I absolutely do not
think about whilst navigating the internet.

------
ausjke
Without TOR(even with TOR you're still not 100% private, though 99% better
than the alternative), your PC/home-router/VPS are 100% public actually,
whatever you do can be traced back to you, even the VPS vendor such as
DigitalOcean/Linode/etc can connect your IP with you quickly, of course.

VPN can secure the tunnel, still you can be tracked to IP/MAC quickly. Same to
P2P network such as torrent etc.

My take is that when you go surfing, considering the device you used for
surfing just like your home mailbox, home address, phone number etc, those are
pretty much public info that anyone can find out who you are if they are
interested in you.

------
djrogers
In my reading of this, it appears to apply (in this case) only to obtaining
the IP address of the computer, as that is the information in question. To
wit, the user was trying to hide his IP address using TOR, and the FBI
discovered his IP address with a hack they call a "network investigative
technique" or NIT.

Nothing I see talks about the contents of the computer, so in the real world
this would be the equivalent of the police tailing you after a crime to find
out your home address so they can subsequently get a warrant to search said
property.

If it's truly this limited, than I don't have a problem with it.

------
SCHiM
Funny that they specifically mention 'Home' computers. Wouldn't want the
public snooping around on data inside court and government computers now would
we... Incompetent double-speaking idiots the lot of them.

------
jwatte
And I presume no telephone connected to the public telephone network is
private, because someone might tap into the wires?

I actually think privacy is dead anyway for all practical purposes, but
twisted logic reasoning always irks me...

------
edwhitesell
Historically, hacking was effectively an active intrusion into a computer
system. Similar to breaking into a home. By this judge's logic, that is not
the case.

Most "hacking" today is actually downloading some malicious code, which then
takes over the computer system. It's like saying, "Hey, come into my house and
go through my stuff. But, only take what you want after you've looked through
it."

That'll be the next argument made by the government for a ruling. IANAL, but
as scary [and wrong!] as it is, it seems logical.

------
yellowapple
"A judge in Virginia rules that people should have no expectation of privacy
in their homes because no house 'is immune from invasion.'"

That's basically the impression I'm getting here. If we're going to base
expectation of privacy on whether or not it's possible to break into
something, then it's reasonable to assume that this applies to one's own home
and that the Fourth Amendment is officially dead in the eyes of this judge.

------
mrinterweb
I would expect that this ruling does not exclusively apply to the FBI. Would
this mean that hackers can legally hack any computer connected to the
internet?

------
goffley3
How is this ruling possibly justified? By that same logic, breaking into
someone's house is also legal because no security system is burglar proof.
Also what I still don't understand is that the presence of any counter hacking
measures (AV, proxy, VPN services) implies someone creating measures to
protect their privacy. None of this makes sense,

~~~
ikeboy
See the excerpt quoted in
[https://news.ycombinator.com/item?id=12016318](https://news.ycombinator.com/item?id=12016318)

Note that they aren't saying it's legal for a regular person to hack, only
that hacking doesn't produce 4th Amendment violations.

~~~
pdkl95
The only way that makes _any_ sense is if there is a double standard where law
enforcement doesn't have to follow the law (4th amendment) but the citizens do
(CFAA).

Rejecting the Rule Of Law is dangerous. If the government doesn't respect the
laws - including their spirit - then why should the people? You might have
notice the recent rise populism. Many people are tired of an oligarchy that
only vaguely follows the law that is supposed to be "of the people, for the
people and by the people". Rulings like this and other events that don't even
pretend to respect the Constitution are interpreted as proof that _democracy
has already failed_.

Brexit, the drama in the recent primaries, and other forms of "trumpism"[1]
are examples of the growing blowback. Do you really want to support the path
towards more civil unrest and other types of instability?

[1]
[https://www.youtube.com/watch?v=Zzl4B3mrKQE](https://www.youtube.com/watch?v=Zzl4B3mrKQE)

~~~
ikeboy
The CFAA has an explicit exemption for law enforcement. See
[https://news.ycombinator.com/item?id=12017068](https://news.ycombinator.com/item?id=12017068)

~~~
pdkl95
You're making my point for me. The law is blatantly ignoring the plain reading
of the highest law of the land, which creates the double standard.

I'm not talking about a technical reading of the law that takes into account
modern legal theories and precedent. This is about the _perception_ that a lot
of people have that the social contract has failed. As Blyth said (see my
previous [1]), "The Hamptons is not a defensible position".

~~~
ikeboy
Huh? The statue explicitly excludes law enforcement, this isn't a tortured
reading.

What is being ignored?

~~~
pdkl95
I never claimed it didn't. Re-read my original post, and maybe watch that 4m
video?

I only referenced the CFAA as a law that applies to the _citizens_. The double
standard is that the citizens are supposed to respect the law while law
enforcement and this judge are blatantly ignoring their half of the social
contract when they skip the warrant requirement.

This isn't really that complicated. Again, legal theory doesn't matter to
people that are angry and lashing out at anything they see as "establishment".

edit:

> They had a warrant.

From the article:

    
    
        The judge argued that the FBI did not even need the original warrant
        to use the NIT against visitors to PlayPen.

~~~
ikeboy
That's a nonbinding legal opinion not relevant to the case. If anything, it's
an example of legal theory which to you should be irrelevant.

~~~
pdkl95
Of course. That would be relevant if I was talking about the legal theory of
the case itself. If you had read my previous comment, you should have noticed
that I'm talking about the popular perception.

I'm trying to give you a warning that we've struck an iceberg and the ship of
state is taking on water. You're responding with technicalities about an
unsinkable double hull. If you're not going to listen to the warning, that's
your business.

~~~
ikeboy
I view this detail that you're harping on as just such a technicality.

If you want to make a point about the media exaggerating such technicalities
to warp public perception, I may well agree.

But you're trying to show that there's a perception that "law enforcement and
this judge are blatantly ignoring their half of the social contract when they
skip the warrant requirement." This is not a very good example to show that.
It may be misinterpreted by people who already want to find evidence of double
standards, but it can't be the source of such a perception in the first place.
You can't use it as an example of such.

------
Your_Creator
As the planet gets more crowded and more interconnected, the duty intelligent
beings have to respect eachother's privacy is increased proportionally.

Because eventually, every thought every human ever has will be on the
internet, and at THAT point, humanity will have evolved into the Borg.

Might as well get in line to get your smartphone implant installed and welcome
the future.

------
SeanDav
The judgement specifically mentions "home" computers, Does this mean
"business" computers do expect privacy? If so what is magical about a
"business" computer?

If the judgement applies to all computers connected to the internet that means
one can hack into any system legally because the target has no privacy
expectations.

------
bunkydoo
There is nothing private about how 90% of internet companies make their money.
Expecting otherwise in an industry that isn't geared towards privacy is naive.
I wish the court would see it in a different light. But if you want to send a
private note, encrypt a letter offline using PGP, print it, and send via US
Mail.

------
dwarman
One wonders if the wordingnof thenruling also implies that business and
government computers - and hence their email - also have no e pe tation f
provacy f cnnected to the internet? And I would note that they hacked a Tor
node, one which couldat a stretch be called a business rsther than a home
computer.

------
talmand
>> "... even stated that the warrant is unnecessary because of the type of
crime being investigated ..."

"Sorry, you need a warrant."

"But, it's this type of crime."

"Oh, in that case go right ahead."

In what way is that even valid? The "type of crime" determines whether you
need or warrant or not?

------
inactivist
Does this mean evidence collected from my easily-hacked computer shouldn't be
admissible in court?.

------
beyondcompute
"Belongings of people who are leaving their apartments are not private, Court
Rules.

A judge in Rhode Island rules that people should have no expectation of owning
their belongings while they are outside of apartments, because no person on
the street 'is immune from robbery'."

------
beartear
In Germany, it was ruled opposite for the same thing. I'm going with their
decision on this one.

------
graycat
So, was the FBI break in on the client computer or the server computer? If the
FBI broke into the server and also traced the TOR network, then all they got
from the client computer was its IP address, which was enough to identify the
criminal?

------
carapace
Playing Devil's Advocate here: Isn't this just codifying the existing
situation?

In other words, _can the average user expect privacy on their home always-
connected machine?_ I mean this as a technical, not legislative, question.

------
cynoclast
This is why I stopped giving a shit what the courts rule when their ruling
obviously disagrees with the spirit of the constitution, or bill of rights. I
don't stop having rights because some corrupt former lawyer says so.

~~~
greyfox
couldnt agree more. rights are inherent by the creator

------
nxzero
>> "In today's digital world, it appears to be a virtual certainty that
computers accessing the Internet can—and eventually will—be hacked."

If true, then why is entering any device connected to the Internet a crime?

------
scelerat
Doesn't this ruling pretty much nullify any hacking crime?

"You put your computer on the network, BigCorp, you should have no expectation
of privacy. The case against Mr. LeetHaxx0r is dismissed."

------
rietta
Another case of how bad defendants make terrible caselaw. The court doesn't
want to let the bad guy get away on a technicality and thus rulings like this
happen.

------
caseysoftware
With that precedent, this easily extends to every other connected device...
phones, lights, webcams, and even your Fitbit scale.

Orwell was an optimist.

------
noprivacy111
Wonder what the judge will say when his computer is hacked? After all, he
should have no reasonable expectation of privacy.

------
DennisP
So the court's going to throw out cases against hackers, right? Since they're
only accessing public information?

------
philip142au
By the same reasoning, computers in corporate businesses connected to the
internet have no expectation of privacy.

------
jdavis703
So because burglars can break into over 99% of homes, people also have no
expectations of privacy in their house?

------
nthcolumn
Privacy is dead said Zuck. This is flogging the proverbial dead horse. In the
future there will be no secrets.

------
darawk
Yes, this aligns with the jurisprudence that homes are not considered private
because they may receive mail.

------
scottlocklin
I guess my diary shouldn't be considered private, since anyone could break
into my house and read it.

------
macmac
Can we please not spend any cycles on this. The judge is clearly a loon who
should have retired long ago.

------
RIMR
My bedroom isn't immune to invasion either. Does that mean I have no
expectation of privacy there?

------
Sakes
No home is impenetrable so we shouldn't expect anything there to be private
either.

------
shae
Are citizens also allowed to hack into government computers as part of this
decision?

------
0xmohit
Since your bank accounts can be accessed using the Internet, those aren't
private either.

Sweet.

------
sorokod
What's next? Households with mobile phones can have no expectation of privacy?

------
sethbannon
This just in: homes connected to roads are not private, court rules.

------
asow92
And houses connected to roads aren't private as well.

------
akerro
So now it's called `Home Computer`? Not PC any more?

~~~
kbart
I always find term "PC" somewhat inaccurate as not many PCs are actually
_personal_. "Home Computer" reflects the true meaning much more accurately.

~~~
type0
Sure, this is more and more the case families have one desktop PC to do
important stuff, like bank transfers and backups on family photos and videos.
Then we have personal computers: smartphones and tablets and some laptops.

If you can not expect privacy on your Home Computer, you can not expect
privacy in your home. End of story.

------
transfire
This judge should be made to work naked.

------
zouhair
So a car in the street is not private?

------
rainhacker
By that logic, residences are also not private. As they can be hacked into
easily (probably would require even less sophistication)

~~~
rainhacker
Why is my comment downvoted without any reason ?

------
emodendroket
I'm not clear from the article; does this pertain to the contents of the PC
itself, or only to one's activity online?

------
paradite
I hate to say this but it seems that the Chinese version of tightly regulated
Internet is slowly becoming the norm.

~~~
emodendroket
That seems like a somewhat overblown reaction.

------
Sylphine
So i guess i can download anything from a FBI server since it isn't a private
computer.

------
verelo
So I guess driveways connected to public roads are not private either? This
makes no sense.

------
cosrnos
"Homes are not private because doors are ineffectual at stopping robbers"

------
dsabanin
American illusion of freedom and democracy is being dismantled rapidly. Sad.

------
known
Sounds rational to me.

------
arrty88
what about behind a router? does that mean anything

------
Elinaorana
elina

------
mSparks
Will Guccifer be citing this case in his defense for hacking Hillary's emails
on her home server?

------
swehner
Bribed?

------
mcguire
Cue YouTube videos of Senior U.S. District Judge Henry Coke Morgan Jr.'s front
door being picked.

------
tomrod
If I use a computer that is connected to a computer that is connected to the
internet, is it private?

If not, doesn't this only apply to home routers?

------
duke360
WTF? ok from the title of the article it looks to me that now i'm legitimate
to spy/access other people's computers.... but reading the body of the article
maybe the gudge only said that you cannot expect that your _location_ is keep
secret.... which one is correct? what he actually ruled?

------
MikeNomad
And I thought I am cynical enough to no longer be surprised by GOV's process
to circumvent the Constitution and make nineteen eighty-four the reality. I
was wrong.

As a long-time IT Guy who has grown tired and disgusted with GOV's fascist,
class-war behavior, with this court decision I say to them:

Bring. It. The. FSCK. On.

While maintaining an air-gapped rig is a PITA, I can do that.

While conducting my Connected Life via a live image, removable-media-based
system is a PITA, I can do that as well.

While good encryption slathered on everything is annoying, it is doable.

BTW, GOV... As long as you are connected to a network, you have no reasonable
expectation of privacy;

Expect your thoughts and beliefs laid bare; your plans to be known by others
sooner, rather than later; your secrets to be learned by all;

You want to see what Cyber Warfare _truly_ looks like?

You can't handle the truth.

~~~
whamlastxmas
Unless you're willing to take your computer with you everywhere, it's still
easily compromised with hardware modifications when you're out of the home.
Your router's firmware probably has multiple 0 days the NSA/FBI could exploit.
Intel's Management Engine is an effortless backdoor into every laptop and
desktop you have. Securing your smart phone against privacy issues is a lost
cause.

The only real option you have left is using a typewriter with a one-time pad
in a sound isolated room with a sheet over your head. And even then what you
type isn't anonymous, it's just encrypted to withstand everything up to, but
not including, some government agent holding a wrench (insert xkcd comic here)

~~~
MikeNomad
Seriosly, some of that was pretty funny...

At a superficial level, I think I would notice extra chips/wiring/HD showing
up on a naked Mo-board.

Going further, as you wish to approach this in pseudo-apsolutist terms, GOV
would simply choke on any effort to go _that_ far. Be it the Hardware Effort
or the Software/Data Collection and Processing Effort (times many many
millions), they would gag on The Spew. Yes, no encryption protects data for
ever, blah blah. Good Encryption and other impediments just makes
persuit/enforcement not worth the effort [insert THX-1138 reference and every
real-world example of governments failing to absolutely control their populace
here].

And since I am willing to talk in Absolute Terms, GOV is lousy at math. They
may know something about Social Psychology, Propaganda, et al, but the
Citizenry has both the guns and the numbers.

