Naked Security

Judge decides we don’t have any right to privacy

If you connect your computer to the Internet, like billions of people, then you can’t expect any privacy. Or so says a judge in Virginia.

It seems we now live in a world where everyone is free to snoop on everyone else to their heart’s content.

According to eWeek:

A federal judge for the Eastern District of Virginia has ruled that the user of any computer connected to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.

So, does that mean we can’t expect privacy in our own homes because burglars can get in if they really try? If so, surely we may just as well just leave our front doors wide open?

FBI didn’t need a warrant

This court ruling goes back to Playpen, the child porn site that the FBI operated for two weeks in 2015 as a honeytrap.

We reported in May that, during that time, the agency used a so-called “network investigative technique” (NIT) to identify the website’s users.

Computers visiting the site were unwittingly infected with code that could reveal their IP address, defeating anonymity afforded by Tor. (Users and sites on the Tor network hide their IP addresses from each other to help maintain anonymity.)

Senior U.S. District Judge Henry Coke Morgan Jr. upheld the use of a single warrant for the FBI’s mass hacking. He even stated that the FBI’s original warrant was unnecessary because of the type of crime being investigated:

The court finds that any such subjective expectation of privacy—if one even existed in this case—is not objectively reasonable.

Behind closed doors

However, while the FBI is focused on establishing the IP addresses of child porn users, another interesting court case could scupper the FBI’s efforts completely.

Gizmodo reports on the story of Thomas Gonzales, who was accused of illegally downloading Adam Sandler’s film “The Cobbler” from a shared computer. Oregon District Court Magistrate Judge Stacie Beckerman argued that you can’t hold someone accountable for copyright infringement unless you can prove they actually did it, ruling:

IP-addresses aren’t enough to prove that Gonzales was directly involved with copyright infringement.

While the precedents in these cases could affect us all, it’s actually really hard to determine where we stand. 

Looks like the FBI may have to wait until we’re all signing in with biometrics before they can prosecute anyone for online child abuse… but even that might not be enough.

21 Comments

“So, does that mean we can’t expect privacy in our own homes because burglars can get in if they really try? If so, surely we may just as well just leave our front doors wide open?”

While I agree with your point, essentially, this is the case. If someone breaks in to my home and hurts themselves in the process, or if I try to defend my home and my family, the offender could sue me and has historically high chances of winning the case.

Or, if I physically defended my family and harmed the offender in the process, I would have to spend thousands of dollars in legal fees to defend myself.

Reply

Not in Texas where use of Deadly Force to prevent the commission of a Felony during hours of darkness will likely result in a “No Bill” from the Grand Jury, and there WILL be a Grand Jury.

I am amazed that it could be otherwise, anywhere.

Reply

If they have an IP they can get a warrant to search the apparent location assigned the IP. It happens often. Even though it may be a Tor node, or hacked PC, it is still “reasonable cause” for a search. Unfortunately for the person getting searched it could be a Tor node, a hacker using your infected system as a proxy, spoofing your IP, or leeching wireless connection. Knowing all that, just arresting someone without evidence of possession of said data would be ridiculous. With the ability to do a search, I don’t see a problem being able to arrest people that do commit crimes. Years ago I used to download new release movies all the time, but after a while I became concerned about having pirate material (and running out of HD space), so these days I just watch streaming sites so I don’t have any content on my system. I’ve seen Deadpool almost 20 times :) I did pay to see it in the theater first – not that a court would care.

Reply

We don’t listen to yokel judges in the US. That decision can easily be thrown out by a better judge.

Reply

I totally agree with brian6234. How come the judge in Virginia thinks he can decide for the whole world? But this fits NSA well and is typical for Ruined States of America.

Reply

“Gizmodo reports on the story of Thomas Gonzales, who was accused of illegally downloading Adam Sandler’s film “The Cobbler” from a shared computer. Oregon District Court Magistrate Judge Stacie Beckerman argued that you can’t hold someone accountable for copyright infringement unless you can prove they actually did it, ruling:”

This is analogous to camera-captured red-light violations. Post facto, there’s no way to tell who was driving the car.

Reply

The red light analogy doesn’t really work.

In many jurisdictions, the owner (in the UK, more precisely “the keeper”, who must be declared if not the owner) is responsible for the car and is expected to take responsibility for other people using it. For example, the keeper must ensure, so far as possible, that they are correctly licensed and insured. Therefore the keeper ought to know who was driving the car at any time, and is expected to dob that person in when the ticket arrives in the post.

Obviously, if the car were stolen that would be a reasonable excuse, but the keeper would presumably need to show evidence to convince (or commit perjury) to make that sort of claim.

Reply

Unless your name is Neil Hamilton, MP, who claimed that neither he nor his wife Christine could remember who was driving when his car was caught speeding in 2007. He was cleared of the offence.

Reply

There was a judge in New South Wales in Oz who tried to blame a vague acquaintance from the USA for a speeding ticket that would have taken him to 12 demerit points and cost him his licence. Someone he knew from an academic conference years ago, or some such. Turned out she’d died (ironically in a road traffic accident) some years before and therefore might have had some difficulty visiting Australia at all, let alone taking a drive in his car.

So he said he actually meant someone else from the USA, with exactly the same name, but who just happened to be unable to support his claim because she too had died, this time apparently just after the alleged offence.

Anyway, he ended up in prison. (And struck off, of course.) Over a $77 traffic fine.

Reply

That’s not quite the right story, AFAIK.

It was his wife who was charged with speeding and who offered the defence that one of them was driving but she couldn’t be sure who it was because they regularly swapped driving duties on long journeys.

Also, he wasn’t an MP at that time. Didn’t his career as an MP end in 1997?

Reply

We don’t give a shit how you do it in the shit-hole country you are from. This is America. This is an American case, an American judge, and the American legal system. Your advice here is irrelevant.

Reply

Thomas Gonzales is tainted now the world believes he may have downloaded an Adam Sandler film. Adam Sandler. Surely the shame is punishment enough.

Reply

I’ve always wondered about the right to privacy on the Internet. The Internet was not really designed for the purposes for which it is now used. A sealed envelope in the mail has an inherent attribute of privacy (the envelope), but an e-mail message has no such attribute, and because of how the Internet works, there is no guarantee of privacy. You use a private party’s server to host your e-mail; the message travels through private networks, and finally ends up on another privately owned server. In my mind, the lack of privacy in e-mail can be expanded to the rest of the Internet. Unless you have a contractual agreement with a company that guarantees your privacy, how can you expect privacy?

Reply

Thanks for bringing up email, it’s so often forgotten. I wrote about exactly the problem you describe a couple of years ago. https://nakedsecurity.sophos.com/2014/08/22/we-need-to-talk-about-email/

To my mind a contractual agreement does not enhance your guarantee of privacy, it’s an incentive for somebody to care a bit more but if they’re less technically competent than the attacker no amount of incentives will help. Mostly it improves your chances of recompense when and if your privacy is violated.

Strong encryption is probably the closest we can get to a guarantee (until somebody legitimately decrypts whatever it is you shared with them, prints it out and leaves it on their desk…)

Reply

This idea that the FBI somehow can’t find and prosecute people for posting illegal pictures on the internet is ludicrous. They do it all the time. Google it. There was probably a lot of illegal porn when people were selling it through the mail. Child sexual abuse has been on a rapid decline. It has declined by more than 60% since the early 90’s. They don’t have the right to hack into anyone’s computer just for the hell of it to see if there might be something there. That’s like the Nazi police who used to randomly barge into people’s homes just to see if there might be something going on. Let’s leave that kind of mentality to Russia, China, and the Middle East. As for child exploitation, almost all of it occurs from family members and people close to the family. Almost none of it comes from people on the internet. They use these stories as scare tactics to get people to go along with mass surveillance. Sadly, there are plenty of citizens who are gullible enough to buy into it.

Reply

I don’t think that’s quite how the “government spyware” worked in the case you’re referring to.

There wasn’t any “hacking into anyone’s computer just for the hell of it,” or any “randomly barging into people’s homes.”

IIRC, a booby-trapped Flash file was used to run shellcode that exposed the IP numbers of computers that retrieved that file from the honeytrap site (which wasn’t publicly visible on the “light web”.)

That doesn’t prove who was using the computer, and it doesn’t prove that the computer retrieved the file because the user was a child abuser who was knowingly in the process of breaking the law.

But you have to admit it produces some sort of “actionable intelligence.”

Is it enough evidence for a search warrant based on probable cause? Is the probability of involving an innocent party low enough to make it a fair investigative technique?

By all means argue those points.

But don’t call it “randomly barging into people’s homes,” because I just don’t think it is.

If you are worried about excessive surveillance, I think you weaken your case against it if you use targeted surveillance as an example.

Reply

I acknowledge that they had the right to get a search warrant because someone downloaded something illegal from a honeypot. What I was responding to was the general statement that no one has a right to privacy on the internet.

Reply

The Judge’s opinion about internet security being ineffectual is true… However, that does not change our guaranteed right in the 14th amendment to some degree of privacy. The reason mole expectation of persons in their own home to be secure in their persons. So, I do expect that the courts should rule in the favor of the individual and his or her privacy rights. The kernel

Reply

That’s the Fourth, isn’t it? (Search and seizure, part of the Bill of Rights.) The Fourteenth came a bit later, patched up some of the things the Founding Fathers kind of missed out.

Reply
