Last week, a panel of the Ninth Circuit Court of Appeals held that in the absence of an announced monitoring policy, the mere act of connecting a computer to a network does not extinguish a user’s reasonable expectation of privacy, under the Fourth Amendment, in the contents of his or her computer. The panel announced its holding in United States v. Jerome T. Heckenkamp, Nos. 05-10322 and 05-10323 (9th Cir. April 5, 2007), wherein it upheld the introduction of evidence obtained by University of Wisconsin employees through remote and direct access of a student computer attached to a university network. Although it recognized the defendant’s reasonable expectation of privacy, the panel upheld the lower court’s admission of evidence under the judicially-created “special needs” exception to the Fourth Amendment because the alleged hacking posed an immediate threat to the university network and the searches were not conducted for a law enforcement purpose.   

 Jerome Heckenkamp, a student at University of Wisconsin at Madison, was charged under 18 U.S.C. § 1030(b)(5), the Computer Fraud and Abuse Act, in connection with an alleged attempt to hack into protected systems at University of Wisconsin and Broadcom. At trial, Heckenkamp moved to suppress evidence obtained from two searches of his computer. The first search occurred after Broadcom security alerted the University that a University computer was being used in an attack on Broadcom. A University computer investigator, Jeffrey Savoy, identified the IP address of the offending computer, determined that it also posed an immediate threat to the University’s sensitive systems, and performed a remote search of Heckenkamp’s computer to confirm that it was the computer responsible. Later that day, Savoy suspected that Heckenkamp changed his computer’s IP address in an attempt to mask his activities. Notwithstanding the FBI’s recommendation that Savoy wait for a warrant before proceeding, Savoy, with the help of campus police, entered Heckenkamp’s room when the door was ajar and ran a series of commands that confirmed Heckenkamp was responsible for the attacks. Savoy justified the warrantless search on the grounds that the University’s systems could have been critically damaged and that Heckenkamp could gain access to confidential student files. Heckenkamp was a skilled computer programmer and was familiar with University systems; he had been fired from his position at the University computer help desk for attempting to access University systems without authorization.

Heckenkamp reaffirms the importance of establishing and distributing policies regarding the monitoring of computer use. The panel relied heavily on the fact that the University had no such announced policy, and in fact had assured students of data confidentiality:

A person’s reasonable expectation of privacy may be diminished in transmissions over the Internet or e-mail that have already arrived at the recipient. However, the mere act of accessing a network does not in itself extinguish privacy expectations, nor does the fact that others may have occasional access to the computer. However, privacy expectations may be reduced if the user is advised that information transmitted through the network is not confidential and that the systems administrators may monitor communications transmitted by the user. United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir. 2002) [professor using university computer]; United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) [federal employee using federal computer system].

In the instant case, there was no announced monitoring policy on the network. To the contrary, the university’s computer policy itself provides that ‘[i]n general, all computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to . . . protect the integrity of the University and the rights and property of the State.’

 Heckenkamp at 3888 (citations and quotations omitted).       

The Ninth Circuit likely will have to clarify in future litigation the scope of reduced privacy expectations where users are advised of monitoring.

A copy of the Heckenkamp opinion is available here.