A student in a public university dormitory room had a "reasonable expectation of privacy" for his personal computer and its hard drive, a federal appeals court ruled on Thursday. The decision also found that despite that right to privacy, an administrator in the case under review had the right to conduct a remote search of the computer -- without a warrant -- because of the circumstances involved.
The decision -- by the U.S. Court of Appeals for the Ninth Circuit -- is among the highest level court rulings to date on a set of legal questions pitting privacy vs. security that are increasingly present in academe. While experts cautioned that the decision involved a specific set of facts, several also said it provided guidance for students on their privacy rights and for administrators at public colleges and universities on setting computer policies that give them the flexibility they feel they need to prevent security breaches.
The ruling dates back to an incident in 1999, and the actions of administrators at the University of Wisconsin at Madison, when they were notified by Qualcomm Corporation, a San Diego company that produces wireless computing devices, that someone on Madison's network was hacking into the company's network. Ultimately, a then-student at Madison whose computer was found to be used in the hacking entered into an agreement with prosecutors in which he agreed to admit guilt, received a sentence of time served on federal charges arising from the hacking, and was released after eight months in prison. But Jerome T. Heckenkamp, the then-student, also won the right to appeal the case in the hope of clearing his name, and his appeal focused on information gathered by Madison officials.
Jeffrey Savoy, a computer security official at Wisconsin, was the person who received Qualcomm's complaint. When he confirmed that someone on the Madison network was hacking the company, he also found that this same person appeared to have gained unauthorized access to portions of the university's network as well. Of particular concern to Savoy was that this hacker had gained access to the server used by the university to house 60,000 e-mail accounts and to deliver about 250,000 e-mail messages each day.
Savoy was able to link the intrusions to a computer from a specific dormitory room and eventually was able to identify the room and the computer accounts being used as belonging to Heckenkamp. The decision by the appeals court then details the dual tracks taken by Qualcomm and Madison. The company decided to seek a warrant for a search of Heckenkamp's room, but Savoy continued to monitor the situation in the meantime. He found that Heckenkamp had lost a job in the university's computer help desk two years before and so had extensive knowledge of the university networks -- enough to do real damage.
As the investigation continued, Savoy saw that the computer in question was being used, and that the hacker might well have been able to see that his actions were being detected. So Savoy, with university police officers, went to Heckenkamp's room, entered it when the door was ajar and nobody was there, and disconnected the cord attaching it to the network.
Using Heckenkamp's password, which he had provided to a police officer, Savoy also conducted some tests on the computer to be certain that he had been successful in blocking its access to the university network. When Heckencamp was indicted in California, evidence in the case was a mix of materials obtained with a warrant the day after Savoy was in the room, but also information Savoy had obtained remotely.
In its analysis of the case, the appeals court said there can be "no doubt" that Heckenkamp's expectation of privacy on his computer was "legitimate and objectively reasonable." Further, the court said that this privacy expectation did not go away when Heckenkamp attached his computer to the university's network. In language that would be relevant to many colleges, the court said that "the mere fact of accessing a network does not in itself extinguish privacy expectations."
While that part of the decision establishes the norm for a public university student's computers to be assumed private (thus requiring a warrant for searches), the court went on to say that Savoy's actions were protected because of the way the university had established and communicated its policies, and because of his intent.
The relevant part of the university policy, quoted by the judges, says the following: "[A]ll computer and electronic files should be free from access by any but the authorized users of those files. Exceptions to this basic principle shall be kept to a minimum and made only where essential to ... protect the integrity of the university and the rights and property of the state."
It was legitimate for the university to act as it did, the judges found, because it was acting out of concern about its own e-mail network, not to help with the law enforcement investigation set off by Qualcomm, and it acted in ways that were consistent with the university's policies that Heckenkamp had agreed to follow. Savoy "needed to act immediately to protect the system," the court found. In this situation, Savoy acted with legitimate "special needs" that justified not waiting for a warrant, the court found. The ruling was about the remote search of the computer, not the in-room search.
Benjamin Coleman, a San Diego lawyer who represented Heckenkamp in the case, said that he was disappointed that the evidence was not thrown out, and said that an appeal to the U.S. Supreme Court is possible. But Coleman said that the ruling gave students a key victory because it rejected that there was no basis for Heckenkamp to presume the privacy of his computer. Even though the court defined some narrow limits to that right, Coleman said, "this is the first decision at this level that says college students have an expectation to privacy on their computers, so this is very good for students' privacy rights."
Tracy Mitrano, director of the Computer Policy and Law Program and director of information technology policy at Cornell University, said that it was "notable" that the judges found "an objective expectation of privacy to the user in the content of his or her hard drive even when attached to a network system." Mitrano said it was important to note that there is "never an absolute expectation of privacy," but that the appeals court was setting up a balancing test.
This balancing, while not an absolute victory for students, is significant, Mitrano said, and is "a good thing for privacy advocates." She added: "From the broader cultural perspective it begins to distinguish the 'technological' from the 'legal' in the sense of offering a response to Scott McNealy's famous dictum about 'you have no privacy, get over it.' On the basis of this case one could say, 'just because something is technologically possible, i.e. remote inspection of a hard drive, does not necessarily make it legal.'"
The case also provides a clear lesson for colleges, Mitrano said: "Write good policy."
"Not only should a policy allow for free expression ('no monitoring of the network or devices attached to it for content as a practice') but also for circumstances under which exceptions will be made ('security, network maintenance, regulatory compliance, contractual obligations and investigation of violations of law or policy')," Mitrano said via e-mail.
Steven L. Worona, director of policy and networking programs for Educause, said he thought the appeals court "got it right" in balancing the various issues at play. Worona cautioned that "like most decisions involving the balance of conflicting rights and needs, this one was nuanced and highly fact-specific" so people should "exercise caution before drawing any overly broad conclusions."
He added, however: "I think students can take comfort in the clear statement that connecting a personal computer to a campus network does not do away with their expectations of privacy. And I think network administrators can take comfort in the conclusion that they can take reasonable actions when their systems are under attack."