Gorsuch on Cyber-Related Issues: Part One

Sarah Tate Chambers
Thursday, March 23, 2017, 9:08 AM

Published by The Lawfare Institute

Judge Neil Gorsuch writes with a storyteller’s prose, and his knowledge of cyber issues leaps off the page. From explaining file or operating systems to evaluating the credibility of databases, he often deeply engages with the technology at issue—unless, that is, it was not pleaded, preserved, or supported with more than minimal proof. Read as a whole, his cyber-related cases suggest that he responds to detailed, creative, and thorough lawyering, opting to engage fully with cyber issues when they are teed up accordingly. On a Supreme Court that is not particularly technologically savvy, Gorsuch’s technical sophistication could be of great value.

What follows is the first in a three-part series on Judge Gorsuch’s treatment of cyber-related issues.

United States v. Ackerman (2016)

In a case decided this past summer, Walter Ackerman’s email was flagged by AOL’s automated attempt at child pornography detection.

Every image has a hash value, a set of numbers unique to it, kind of like a fingerprint. Hash values are often used to authenticate evidence, as the value will be different if the image is altered. AOL has a list of hash values for images that it has previously identified as child pornography. When an email is sent through AOL’s servers, the hash values of all images are compared to those on the known child pornography list. If there is a match, the email is never opened. Instead, it is automatically forwarded to the National Center for Missing and Exploited Children (NCMEC)’s CyberTipline.

This is what happened to Ackerman’s email. When NCMEC received the email, it confirmed that all the images in the email—including images other than just the one suspected image—contained child pornography and alerted local law enforcement agents.

Judge Gorsuch’s opinion leaves open the questions of whether and how the third party doctrine, which holds that an individual does not have a reasonable expectation of privacy in what he or she shares with third parties, applies to email. This is for a very good reason: though lower courts are sorting out this question, the district court in Ackerman never touched this argument. (In one of the various hypotheticals posed near the end of the opinion, Judge Gorsuch posits whether using the third party doctrine will preclude similar motions to suppress, but clearly states that these are just hypothetical questions.) Instead, the district court relied on the “private search” doctrine, which holds that the Fourth Amendment is not implicated when the governmental actor conducting a search does not exceed the scope of the search of the private actor. However, AOL never opened the email, so when NCMEC did so, it exceeded the scope of AOL’s search.

The case reached the Tenth Circuit when Ackerman appealed the district court’s denial of his motion to suppress. The court was presented with two questions: whether NCMEC is a governmental entity or agent and whether NCMEC exceeded the scope of AOL’s search.

Reversing the district court, Judge Gorsuch determined that NCMEC is a governmental entity, as it has police powers beyond those of private citizens that are created through a comprehensive statutory regime that produces a reciprocal “special relationship” between NCMEC and law enforcement.

Additionally, Judge Gorsuch found that NCMEC was a governmental agent, even when applying U.S. v. Souza, the Tenth Circuit’s stylized test for agency in Fourth Amendment cases. Souza requires that the government “knew of and acquiesced in” NCMEC’s search, and Judge Gorsuch found the comprehensive statutory structure was sufficient to meet that element. The judge also found that NCMEC fulfilled the second element of the Souza test in that NCMEC performed the search with some “inten[tion] to assist” law enforcement, a finding supported by the same statutory regime and NCMEC’s own professions on its website.

NCMEC’s statutory regime and website postings also helped the agency meet the requirement that the government “encourage[] and endorse[] and participate[]” in the agency’s search under Skinner v. Railway Labor Executives’ Ass’n, the Supreme Court’s Fourth Amendment agency test.

Using landmark Fourth Amendment cases, Judge Gorsuch distinguishes the case at hand from U.S. v. Jacobsen (drug testing a small amount of white powder) and U.S. v. Place (dog sniffing closed luggage when the dog can only detect contraband), where “the governmental conduct could [have] reveal[ed] nothing about noncontraband items.” Instead, he compares the opening of Ackerman’s email to the viewing of films in Walter v. U.S., which constituted a search and thus triggered the Fourth Amendment.

Interestingly, Judge Gorsuch refers to an email as a virtual container. This is a unique choice, as other courts have labored to distinguish technology from containers so that the container-specific Fourth Amendment law does not apply.

Judge Gorsuch’s treatment of Jacobsen requires a brief development of the evolution of Fourth Amendment search analysis. Originally, the question of whether something was a search was answered by whether it constituted a trespass on a constitutionally protected space or thing. However, Katz v. U.S. fundamentally changed the framework by asking whether the action was a violation of a reasonable expectation of privacy. In 2012, the Supreme Court decided U.S. v. Jones, which held that a search occurred either through the Katz reasonable expectation of privacy standard or through a physical intrusion on a constitutionally protected space or thing, reviving the trespass doctrine.

In Jacobsen, the Supreme Court held that “there was no ‘reasonable expectation of privacy’ in concealing whether something is or isn’t contraband.” However, the drug test destroyed some of the substance, constituting a trespass to chattels under common law at the time of this nation’s founding. As such, Judge Gorsuch argues that under Jones, the conduct at issue in Jacobsen could be a search—and the case at hand in Ackerman is even more clearly a search than Jacobsen, as the opening of private correspondence is “exactly the type of trespass to chattels that the framers sought to prevent when they adopted the Fourth Amendment.”

For these various reasons in both lines of precedent, the Tenth Circuit reversed the district court, holding that NCMEC did “search” Ackerman’s email upon opening it.

United States v. Shaffer (2007)

Back in the heyday of peer-to-peer computer networks, the Tenth Circuit was presented with the question of whether downloading child pornography and then storing it in a shared folder that was accessible to the peer-to-peer network constituted the “distribution” of child porn according to 18 U.S.C. § 2252A(a)(2).

Opening the opinion, Judge Gorsuch takes the reader through a detailed explanation of Kazaa, the peer-to-peer computer network used in the case at issue. Upon installation, Kazaa creates a “My Shared Folder,” which houses all of the downloads from the network and is accessible to, and therefore downloadable by, any user on the network. In order for one user to download from another, both must be on the internet and be running the Kazaa software. One feature of the software provides users with real-time data on how many users are accessing and downloading their files. In order not to share particular files, a user can remove them from the “My Shared Folder.” Additionally, Kazaa provides a feature that precludes other users from downloading files from one’s computer.

Aaron Shaffer, the defendant, argued that there was insufficient evidence at trial to sustain his conviction. Namely, he contended that he was only a passive participant in the transferring of child pornography. Distribution, he argued, required the active transfer of possession, “such as by mail, e-mail, or handing it to another person”: simply storing it in a shared folder did not measure up.

Since the statute does not define “distribute,” Judge Gorsuch draws from Black’s Dictionary, Webster’s Dictionary, and the district court’s jury instruction to define the term as “having ‘delivered,’ ‘transferred,’ ‘dispersed,’ or ‘dispensed.’” Comparing Kazaa to a self-service gas station, Judge Gorsuch has no trouble finding that Shaffer distributed child pornography. Rather than taking one of the steps to curtail access to the child pornography in his “My Shared Folder,” Shaffer told the law enforcement officer that he knew others downloaded child pornography from his computer and he kept it there to gain special concessions from Kazaa that occurred when others downloaded files from him.

In order to further support his broad definition of “distribution”, Judge Gorsuch relies on U.S. v. Abraham, in which the Western District of Pennsylvania found a defendant had distributed child pornography when an officer was able to download child pornography from the defendant’s computer via a peer-to-peer network.

While Kazaa and similar peer-to-peer networks are now less widely used, Judge Gorsuch’s detailed knowledge of the software, as well as general file systems, is significant.

United States v. Cortez-Galaviz (2007)

In a traffic stop case, Judge Gorsuch found that information from a query of a statewide computer database containing vehicle insurance data was both objective and particular enough to meet the reasonable suspicion standard, despite the defendant’s objections that the database produced unreliable and stale information.

In order to enforce motor vehicle insurance requirements, Utah uses a database that compares vehicle registration information (provided by the Utah Motor Vehicle Division) and insurance information (provided by insurance companies). The database is run by Insure-Rite, which the court classifies as a third-party agent, and is, at a minimum, audited annually.

A query of the database provides three possible results: the vehicle is insured, the vehicle is not insured, or insurance is not found. For the latter, the result prompts the officer to request proof of insurance.

In the case at hand, an officer observed a man leave a suspected drug house that was under surveillance. The officer queried the license plate of the man’s car in the state insurance database and found no result; after pulling over the car, he observed drugs in plain view and found additional drugs during a subsequent search of the vehicle. After he was indicted, the defendant brought a motion to suppress.

Citing U.S. v. Cortez, Judge Gorsuch finds that the result from the state insurance database met the reasonable suspicion standard’s requirement of a particularized and objective basis. Even though the query returned the less definitive “not found” result, the ambiguity did not invalidate the stop as:

[T]he resolution of particularized and objective yet still ambiguous—potentially lawful, potentially unlawful—facts is the central purpose of an investigative detention.

Though the defendant argued that the database was unreliable, Judge Gorsuch found this unconvincing. The defendant relied on the officer’s comment that on “several occasions” the database produced “not found” results, but the officer determined that those vehicles were actually insured. However, the officer testified that he stopped over 200 people per month. Judge Gorsuch found that the combination of those two facts failed to provide adequate information about the database’s frequency of error.

The defendant also claimed that the database had a 40 percent error rate: out of 21 queries performed around the same time as the one at issue, nine produced a result of “not found.” He produced no additional information about how many of those nine vehicles actually had insurance. Judge Gorsuch noted that this figure tells nothing of an error rate but rather of the rate of “not found” results. Additionally, the sample size would be too small to produce significant results.

Finally, and most interestingly, insurance for the vehicle at issue was actually obtained five months before the stop. However, the vehicle was not entered into the database until Insure-Rite received a vehicle registration from the Utah Motor Vehicle Division that matched the same person, which took place “shortly after” the stop. This information would seem to be key—but the defendant did not argue this issue before the district court or provide enough of a factual record to the appellate court. Judge Gorsuch acknowledges that if the defendant had demonstrated that the database was unreliable, it would have been a “persuasive basis for a suppression motion.” Nevertheless, the defendant did not, and Judge Gorsuch was not persuaded by the argument due to an undeveloped record.

Finally, the defendant argued that the “not found” report was stale, as it was issued 20 days before the stop took place. Noting that timeliness is one of many factors in a reasonable suspicion analysis and that its relative importance decreases for ongoing crimes, Judge Gorsuch held that the 20-day-old report was not stale.

Notably, the record was once again inadequate:

[The defendant] offers us no other evidence or argument to suggest that reliance on a 20 day old alert is in any way or wise unreasonable given the nature of available technology, the offense or detention at issue, or the practical challenges associated with coordinating the dissemination of registration and insurance information for every motor vehicle on the road.

The defendant also argued that the “not found” report may rely on information that is up to 90 days old. However, that 90-day figure is the maximum amount of time it takes Insure-Rite to contact registered owners who have not been matched to insurance information before reporting that the vehicle is uninsured. This information does not answer the questions at hand: How long does it take Insure-Rite to issue a “not found” report, and how old is the information that the report relies on? Since the defendant’s argument is not supported by the record, it falls flat. However, in the opinion, Judge Gorsuch notes that “outer boundaries exist for the usefulness of data.”

This case serves as a warning to preserve and brief all of the issues, especially relating to technology. From this opinion, it seems like Judge Gorsuch is ready and willing to go deep into the details of technology and may find arguments that stick to generalities less persuasive.

United States v. Davis (2015)

Despite a failure of the appellant to brief the standard of review, Judge Gorsuch upheld U.S. v. Ullmann, a Tenth Circuit case decided earlier that year, which found that supervised release conditions completely prohibiting “Internet use or use of Internet-capable devices will typically constitute greater deprivation of liberty than reasonably necessary, in violation of [18 U.S.C.] § 3583(d)(2).”

He remanded the case to the district court with the request for a new sentence consistent with Ullmann. This case is particularly interesting as the Supreme Court heard argument nearly a month ago on Packingham v. North Carolina, a case that asks whether making it a felony for sex offenders to access social media sites violates the First Amendment.

Regan–Touhy v. Walgreens Co. (2008)

In a case that has elements all too familiar to those accustomed to small-town life, Ashley Regan-Touhy brought suit against Walgreens for unlawful disclosure of her confidential medical records.

Regan-Touhy was diagnosed with genital herpes. After filling a prescription at the local Walgreens pharmacy, she told only a few close confidants. Four months later, her ex-husband Bryan Abrams called her and claimed that he knew that she had herpes and was worried that she had infected him. When she asked how he knew, he said that someone at the clinic where she was treated told him.

In a second phone call, Abrams named the source as Shannon Flowers, who heard it from someone at the clinic. Regan-Touhy asked if the real source was Kim Frazier, Abrams’ girlfriend before and after his marriage with Regan-Touhy. Abrams denied Frazier’s involvement, but Regan-Touhy was not satisfied.

More than six months later, Abrams changed his tune, now claiming that Frazier was the source and she got the information from her friend Kim Whitlock, who worked as a pharmacy technician at the Walgreens in nearby Oklahoma City. As a result, Regan-Touhy sued Walgreens and began discovery.

Abrams changed his story once again during his deposition, claiming he heard the rumor from a friend at a bar. He now said that he had made up the clinic and pharmacy stories to pressure Regan-Touhy to reveal the truth. Meanwhile, Whitlock admitted that with Regan-Touhy’s name and area code, she could have accessed the information, but she claimed that she did not.

Regan-Touhy made extensive document requests, including for the “log files” or documents that identified who accessed her account. While Walgreens provided her with documentation, it showed only the initials of employees who completed a transaction, not those who accessed her information.

Walgreens brought a motion for summary judgment, and Regan-Touhy brought a motion to compel. The district court denied her motion, as her requests were overly broad or adequately answered. It granted Walgreens' motion.

Judge Gorsuch found that the district court did not clearly err in finding that Walgreens produced all the logs it had. In an affidavit, a member of Walgreens’ technical support group swore that at that time Walgreens’ computer system logged when someone performed a transaction on an account but not when someone simply accessed it.

As to the rest of Regan-Touhy’s document requests, Judge Gorsuch found them overly broad, rather than strategically or creatively tailored. He upheld the district court’s ruling. This case highlights Judge Gorsuch’s preference for thorough lawyering; had the requests been narrowly tailored to hit the nail on the head, there might have been the opportunity for a much more interesting opinion. It serves as a warning shot to all lawyers: wide discovery requests cannot make up for a lack of technological expertise. While a bit of a jump, a more strongly worded case from a Justice Gorsuch could further bolster the argument that lawyers owe a duty of technological competence to their clients—a duty that 27 states have already created.

Sarah Tate Chambers is a second-year law student at the University of South Carolina. She currently works for the Department of Justice's Publications Unit. She graduated from the University of Minnesota with a B.A. in Religious Studies.
