Redefining Fourth Amendment Law for The Digital Age.
By Macarena Troncoso
On March 11, Brian Farrell – accused of being a staff member on silk road 2.0 – pleaded guilty of conspiracy to distribute illegal drugs using the TOR network.
The Silk Road 2.0 was a hidden service operating in the Deep Web until it was shut down by the FBI in November 2014. Farrell’s plea agreement could be the final chapter of a case that arises relevant questions about the protection afforded by the fourth amendment to internet users.
Let’s begin with undisputed facts: Carnegie Mellon University was funded by the US Department of Defense to carry out the research that allowed to reveal the identity of several Dark Market users. The information obtained during the study was later accessed by the FBI through a subpoena and permitted the identification of Brian Farrell as a prominent user of Silk Road 2.0.
To put it simply: Carnegie Mellon engaged in a prolonged and prospective surveillance of the Deep Web, used government funding, and obtained results that were used for law enforcement purposes.
What differentiates this conduct from outsourcing police work to universities? Where is the line between private searches and government searches? Was Carnegie Mellon University acting as an agent of the government? Unfortunately, these essential questions will remain unanswered since the court determined that the case did not involve a search, turning irrelevant the discussion about state action as a necessary trigger for fourth amendment safeguards.
Indeed, while denying the defendant’s motion to compel discovery, judge Richard Jones ruled that users of TOR have no reasonable expectation of privacy on their IP addresses when using TOR Network, even though the purpose of TOR is precisely to hide the identity of its users, enabling them to communicate privately and securely and to access the internet anonymously. Relying on Forrester[1], the judge considered that in the course of using TOR network, “an individual would necessarily be disclosing his identifying information to complete strangers”[2] and this submission of information “is made despite the understanding communicated by the Tor project that the Tor network has vulnerabilities and that users might not remain anonymous”.
Using the third-party doctrine announced in Smith v. Maryland[3], the judge presumed that individuals who convey information to third parties have taken the risk of an eventual disclosure to the government. Is this notion workable in the digital era? The assumption of this kind of risk appears to be an integral part of life in the XXI Century. People daily turn over a great amount of information to private and public entities through the use of computers, mobile apps, or other tech devices connected to the web. Does that mean that we have surrender our expectations of privacy?
I believe we should not yield. In her concurrence in Jones[4], Justice Sotomayor called for a reevaluation of the premise that an individual had no reasonable expectation of privacy in information voluntarily disclosed to third parties, considering this approach “ill-suited” for the digital age. It is imperative for the courts to rethink and reshape Third Party doctrine and other fundamentals notions such as State Action and the Reasonable Expectation of Privacy test to attune them to the challenges posed by the Internet era.
[1] United States v. Forrester. United States Court of Appeals for the Ninth Circuit, 2007. 495 F. 3d 1041.
[2] The mention of “complete strangers” points to the individuals that host the network nodes.
[3] Smith v. Maryland, 442 U.S. 735 (1979)
[4] United States v. Jones, 132 S. Ct. 945 (2012)