US Judge confuses privacy and security, concludes that you should have neither

Senior U.S. District Judge Henry Coke Morgan Jr. a federal judge for the Eastern District of Virginia has ruled that the user of any computer which connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.

The ruling made on June 23rd was reached in one of the many cases resulting from the FBI’s infiltration of PlayPen, a hidden child exploitation site on the Tor network. After taking control of the site, the FBI kept it up and running, using it to plant malware on visitors’ computers, gathering identifying information that was used to enable prosecution.

JCM ruled that the FBI’s actions in hacking visitors’ computers did not violate Fourth Amendment protections and did not require a warrant, stating that the “Defendant here should have been aware that by going [on-line] to access Playpen, he diminished his expectation of privacy.”

JCM offered as an analogy a previous case (Minnesota v. Carter 525 U.S. 83 – 1998) which ruled that a police officer looking through broken window blinds does not violate anyone’s Fourth Amendment rights, so hacking a computer does not either.

“Just as the area into which the officer in Carter peered - an apartment - usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user's computer. People who traverse the Internet ordinarily understand the risk associated with doing so.”
JCM notes that in 2007 the Ninth Circuit found that connecting to a network did not eliminate the reasonable expectation of privacy in one’s computer, but takes the position that in the last nine years things have changed enough to render this position outdated.

“Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today's digital world, it appears to be a virtual certainty that computers accessing the Internet can - and eventually will - be hacked.”
As justification for this opinion, JCM cites the Ashley Madison hack and a Pew Research Center study on privacy and information sharing as evidence of the acceptance that hacking is inevitable. The Pew study looked at American’s attitudes to sharing personal information in return for receiving something of perceived value. Although the focus of the Pew report was on privacy and not security it did report that focus group participants “worried about hackers”. However, these concerns were expressed exclusively in terms of a hacker’s ability to gain access to personal data from compromised business computer systems, not personal systems in the home.

Judge Coke Morgan’s level of technical understanding appears to be highly selective. The same judge who ruled on a patent case between Vir2us, INC. and INVINCEA, INC. over competing claims covering advanced anti-malware products, fails to acknowledge that anti-malware products continue to advance. In offering that “Terrorists no longer can rely on Apple to protect their electronically stored private data, as it has been publicly reported that the Government can find alternative ways to unlock Apple users’ iPhones.” He ignores the level of expertise needed to identify the exploit that was used to access the phone used by one of the San Bernardino attackers, or that the hack in question was only applicable to the now superseded iPhone 5C. While it may be possible to unlock older iPhones running back-level OS releases lacking the most up-to-date security features, Apple continues to develop new hardware-based security features and works to fix security vulnerabilities as it finds them. While it is reasonable to claim that many computers are vulnerable to attack, in suggesting that this means it is “a virtual certainty that [all] computers accessing the Internet can – and eventually will – be hacked” or that there is nothing that can be done to mitigate this risk, JCM is either being deliberately disingenuous or is failing in his analysis.

Describing the ruling as “dangerously flawed” EFF Senior Staff Attorney Mark Rumold wrote “The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all.” But holds out that the ruling is “incorrect as a matter of law, and we expect there is little chance it would hold up on appeal.”