Experts Claim that Open WiFi Threatens our Constitutional Right to Privacy—But Does It Really?

The Fourth Amendment protects citizens against unreasonable search and seizure by requiring that law enforcement agencies obtain a judicially sanctioned warrant supported by probable cause before conducting a search and seizure operation. However, there are instances in which it is lawful to search without a warrant, including in cases where the citizen has no reasonable expectation of privacy. But how far does our right to privacy extend into the digital realm? Is it possible that when we connect to open WiFi networks, we may be tacitly agreeing to give up our constitutional right to privacy?

As early as 1890, Brandeis and Warren asserted that advances in technology must change our concept of “privacy,” and in his article “Rethinking Reasonable Expectations of Privacy in Online Social Networks,” Newell addresses the need to reflect on our reasonable expectation of privacy in online social networks. “Despite what many feel are reasonable expectations to the contrary,” Newell writes, “current privacy rulings have allowed personal information to be freely ‘proclaimed from the house-tops’.” Indeed, several court rulings have reflected that privacy protection does not apply to information posted in online social networks. While it may be relatively intuitive (at least, for the “digital native”) to assume that it is unreasonable to believe that information willingly posted to a semi-public forum qualifies as “private,” the topic of one’s constitutional right to privacy becomes less so when dealing with data mined from one’s home computer through an open wireless network.

The 2010 case U.S. v. Ahrndt is the first instance of a court ruling regarding reasonable expectation of privacy in an unprotected wireless network. It dates back to 2007, when the defendant’s neighbor accessed his wireless account and found child pornography in his unsecured iTunes shared folder. The defendant’s lawyers argued that the warrant authorizing the subsequent search of his computer rested on evidence provided by his neighbor’s intrusion, and that this intrusion violated his Fourth Amendment right to privacy. The judge agreed that the salient issue in the case was whether one has a Fourth Amendment “expectation of privacy in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network.”

The court ruled against the defendant, holding that though “as a general matter an individual has an objectively reasonable expectation of privacy in his personal computer,” because the files were located in a shared folder that was accessed via an unsecured wireless network, Ahrndt did not have a reasonable expectation of privacy, and thus he had no constitutionally protected privacy right. However, the legal brief clearly states that the fact that the wireless network was unsecured “does not alone eliminate defendant’s right to privacy under the Fourth Amendment [emphasis mine].” Despite this statement, some bloggers still continue to misrepresent the court’s ruling, minimizing the fact that the files were located in a shared folder and claiming that it sets a tone that implies that users of open wireless networks give up their Fourth Amendment right to privacy.

Thomas O’Toole from the E-Commerce and Tech Law Blog is one legal analyst who implies that this ruling sets the precedent that our right to privacy is not constitutionally protected when we fail to password-protect our home wireless network. He titles one related blog post “Court Finds Constitutional Significance in Defendant’s Failure to Password-Protect Home Wireless Network,” again emphasizing the unprotected wireless network over the fact that Ahrndt’s files were in his iTunes shared folder. He further tells readers, “the failure to password-protect a wireless network can diminish the extent to which the Fourth Amendment protects computers and information on that network from government searches.”

O’Toole cites the somewhat similar case of U.S. v. Ganoe, in which law enforcement accessed the defendant’s LimeWire account to access child pornography on his computer. The court found that the defendant’s constitutional right to privacy had not been violated, though the defendant claimed that his sharing was unintentional. However, the issue salient in Ganoe’s case is, as stated in the legal brief, that “Ganoe ‘knew or should have known that the software might allow others to access his computer’… [and] was explicitly warned before completing the installation that the folder into which files are downloaded would be shared with other users in the peer-to-peer network [emphasis mine].” The issue was not, then, the open wireless network, but that Ganoe installed software that, again, “explicitly warned” the user that his files would be shared on a peer-to-peer network.

Similarly, in U.S. v. Ahrndt, the salient issue was not only the open wireless network, but also the fact that the files were in a folder designed for peer-to-peer sharing. Furthermore, in 2007, both iTunes and Mac OS X required users to actively take steps to share the iTunes library. This is illustrated in the images seen below.

In both cases, it is reasonable to argue that the defendants were or should have been aware that they were publicly sharing their files.

Though O’Toole wisely points out in his blog post that “an open [wireless] network is an invitation for piggy-backers and data thieves,” it is not reasonable to assume that connecting to an unprotected wireless network transforms one’s computer into a public place where members of the general public can freely access our private data. Connecting to an unsecured wireless network usually only requires one click, and some computer operating systems (like Mac OS X) do not warn users that files may be unsecure. This is vastly different from the voluntary file sharing that Ganoe and Ahrndt participated in, which, respectively, warned the user that files would be shared or required the user to take steps to enable file sharing. On the contrary, as Bradley Mitchell points out, it is relatively easy to set up an unsecured network, and “configuring [a network’s] security features can be time-consuming and non-intuitive.”

Mike Masnick of Techdirt agrees that “most users have no idea [open wireless networks] are less secure” and “wonder[s] why the type of network used should really determine the level of Fourth Amendment protections.” One commenter likens an intrusion into one’s computer over an open wireless network to an intrusion into one’s house and asks, “If I have my front door unlocked but shut, do you have the legal right of entry?” Unless one explicitly opens one’s house to the public, “everyone has a reasonable expectation of privacy in their home.”

Currently, users should retain their constitutional right to privacy on open wireless networks. As Judge King pointed out, “as a general matter an individual has an objectively reasonable expectation of privacy in his personal computer,” and in the cases outlined above, the fact that the defendants used open wireless networks was not enough to eliminate the right to privacy. Unless a user explicitly agrees to open his computer to the public, one’s Fourth Amendment right to privacy should not be jeopardized.

Certainly, reasonable expectation of privacy is held in question in the event that the user’s computer operating system warns users of security risks when connecting to unsecured networks. Windows OS, for instance, warns users when connecting to unsecured wireless networks that security may be compromised, and asks users to agree to “connect anyway.” In instances such as those, because of the explicit agreement to “connect anyway,” the user’s reasonable expectation of privacy is diminished. However, the fact that some operating systems warn users that the connection may be unsecure does not diminish all users’ expectation of privacy.

Though society’s perception may yet change, currently the general public does not have a realistic grasp of online security best practices and thus may not fully understand the security risks of connecting to an unsecured wireless network. Therefore, we cannot assume that society recognizes a lower expectation of privacy on an open wireless network. Unless the user explicitly agrees to access an unsecured wireless network even when warned of the risks, reasonable expectation of privacy is not diminished.

Though court rulings have set the precedent that there is no expectation of privacy in the contents of shared folders, this is far from abolishing our constitutional right to privacy on open wireless networks. Courts have thus far held that reasonable expectation of privacy is diminished when connected to an open wireless network, but there is no current precedent that eradicates the right to privacy. However, we must always be aware that expectations of privacy change over time, and it is certainly possible—even likely—that, eventually, it will not be reasonable to expect our data to be private when connected to unprotected wireless networks.
