The Constitutionality of Policing Technology: Evaluating Network Investigative Techniques Under Fourth Amendment Search Doctrine

by Madi­son Gon­za­lez*

Courts review the con­sti­tu­tion­al­i­ty of dig­i­tal sur­veil­lance tech­nolo­gies in crim­i­nal inves­ti­ga­tions under Fourth Amend­ment search doc­trine. In order to con­sti­tute a search, a law enforce­ment prac­tice must either vio­late an individual’s rea­son­able expec­ta­tion of pri­va­cy or con­sti­tute a phys­i­cal tres­pass on pri­vate prop­er­ty. In this Con­tri­bu­tion, Madi­son Gon­za­lez (’23) argues that the use of a Net­work Inves­tiga­tive Tech­nique (“NIT”) to col­lect an Inter­net Pro­to­col (“IP”) address direct­ly from an individual’s com­put­er is a Fourth Amend­ment search under either test.

In recent years, seis­mic devel­op­ments in tech­nol­o­gy have expand­ed the scope and capac­i­ty of gov­ern­ment dig­i­tal sur­veil­lance. For instance, law enforce­ment agen­cies such as the Fed­er­al Bureau of Inves­ti­ga­tion (“FBI”) have begun uti­liz­ing Net­work Inves­tiga­tive Tech­niques (“NITs”)—computer pro­grams that enable law enforce­ment to remote­ly access a tar­get com­put­er with­out the knowl­edge or con­sent of its owner—to col­lect sen­si­tive dig­i­tal infor­ma­tion, most notably a computer’s Inter­net Pro­to­col (“IP”) address.¹ The bur­geon­ing use of NITs by law enforce­ment has raised ques­tions about their legal­i­ty, and the extent to which the Con­sti­tu­tion pro­tects U.S. cit­i­zens against such dig­i­tal sur­veil­lance tactics.

Courts eval­u­ate the con­sti­tu­tion­al­i­ty of NITs and oth­er dig­i­tal inves­tiga­tive tools under the Fourth Amend­ment, which pro­tects “[t]he right of the peo­ple to be secure in their per­sons, hous­es, papers, and effects, against unrea­son­able search­es and seizures.”² Fourth Amend­ment prece­dent requires that, in order to con­sti­tute a search, a law enforce­ment prac­tice must vio­late an individual’s rea­son­able expec­ta­tion of pri­va­cy³ or be a phys­i­cal tres­pass on pri­vate prop­er­ty.⁴ So far, low­er courts are divid­ed about whether gov­ern­ment use of an NIT to obtain someone’s IP address con­sti­tutes a search under either frame­work. On one hand, some courts have held that it is not a search under the third-par­ty doc­trine, which main­tains that an indi­vid­ual does not have a rea­son­able expec­ta­tion of pri­va­cy in infor­ma­tion vol­un­tar­i­ly dis­closed to third par­ties because one assumes the risk that the third par­ty might reveal that infor­ma­tion to law enforce­ment.⁵ They note that IP address­es are rou­tine­ly dis­closed to third par­ties such as inter­net ser­vice providers for the rout­ing of infor­ma­tion, and con­se­quent­ly find no sub­jec­tive expec­ta­tion of pri­va­cy in such infor­ma­tion.⁶ On the oth­er hand, oth­er courts have found that the use of an NIT is a search because, regard­less of the third-par­ty doc­trine, the NIT vio­lates a legit­i­mate expec­ta­tion of pri­va­cy in one’s per­son­al com­put­er.⁷ This Con­tri­bu­tion endors­es the lat­ter view and argues that law enforcement’s use of an NIT to retrieve an IP address from an individual’s com­put­er con­sti­tutes a Fourth Amend­ment search because it both vio­lates a rea­son­able expec­ta­tion of pri­va­cy in one’s com­put­er and con­sti­tutes a phys­i­cal trespass.

To estab­lish a Fourth Amend­ment search under the two-prong test set out in Katz v. Unit­ed States, an indi­vid­ual must demon­strate first, that they had “a sub­jec­tive expec­ta­tion of pri­va­cy” in the area searched and sec­ond, that “soci­ety is will­ing to rec­og­nize that expec­ta­tion as rea­son­able.”⁸ It is essen­tial to dis­tin­guish the area searched from the items found, because only the for­mer is rel­e­vant to the Katz inquiry.⁹ Thus, as a pre­lim­i­nary mat­ter, we must first estab­lish whether the area searched by the NIT is the com­put­er or the IP address.

As pre­vi­ous­ly dis­cussed, an NIT is a pro­gram that allows a per­son to remote­ly access another’s com­put­er. Specif­i­cal­ly, when the code from an NIT is deployed to a target’s com­put­er, “[t]he NIT search­es the user’s com­put­er to dis­cov­er the IP address asso­ci­at­ed with that device.”¹⁰ The NIT allows the gov­ern­ment to access the “com­plete con­tents” of a person’s com­put­er.¹¹ The fact that an NIT can­not obtain an individual’s IP address with­out nec­es­sar­i­ly encroach­ing on their com­put­er sup­ports the con­clu­sion that the area searched is the com­put­er itself, where­as the IP address is mere­ly the evi­dence pro­duced by the search.¹² Since the com­put­er is the area searched by the NIT, the cor­rect frame­work for the Katz inquiry is one’s expec­ta­tion of pri­va­cy in the con­tents of their com­put­er, not mere­ly their IP address.

The use of an NIT to dis­cov­er a person’s IP address is a search under the Katz test because it vio­lates a sub­jec­tive and rea­son­able expec­ta­tion of pri­va­cy in their per­son­al com­put­er. First, people’s sub­jec­tive expec­ta­tion of pri­va­cy in their com­put­ers is clear “from the mass of per­son­al and finan­cial infor­ma­tion often con­tained on com­put­ers.”¹³ Fur­ther­more, courts have rou­tine­ly held that indi­vid­u­als have a rea­son­able expec­ta­tion of pri­va­cy in their per­son­al com­put­ers, espe­cial­ly ones locat­ed with­in the home.¹⁴ The use of an NIT intrudes on this expec­ta­tion of pri­va­cy by allow­ing law enforce­ment to gain access to the con­tents of an individual’s com­put­er with­out their knowl­edge or con­sent. Even if the third-par­ty doc­trine defeats an individual’s expec­ta­tion of pri­va­cy in their IP address, the use of an NIT to retrieve that infor­ma­tion is still a search. This is because even if an indi­vid­ual has no expec­ta­tion of pri­va­cy in a par­tic­u­lar item, they may nonethe­less have an expec­ta­tion of pri­va­cy in the loca­tion where that item is stored.¹⁵ There­fore, law enforce­ment can­not con­duct a war­rant­less search of a loca­tion in which an indi­vid­ual has a rea­son­able expec­ta­tion of pri­va­cy “sim­ply because it intends to seize prop­er­ty for which the defen­dant does not have a rea­son­able expec­ta­tion of pri­va­cy.”¹⁶ For exam­ple, if a per­son wrote their IP address on a piece of paper and locked it in a draw­er in their home, the police would undoubt­ed­ly need a war­rant to retrieve that piece of paper, even if the per­son had no legit­i­mate expec­ta­tion of pri­va­cy in the IP address itself.¹⁷ Thus, while the third-par­ty doc­trine means that sub­poe­naing a third par­ty for a person’s IP address may be con­sti­tu­tion­al­ly per­mis­si­ble, retriev­ing it direct­ly from a person’s com­put­er is still a Fourth Amend­ment search.

This con­clu­sion finds fur­ther sup­port in the Supreme Court’s deci­sion in Riley v. Cal­i­for­nia, in which it made clear that the gov­ern­ment can­not con­duct a war­rant­less search of a person’s elec­tron­ic device just because the infor­ma­tion they seek with­in it has been pre­vi­ous­ly con­veyed to a third par­ty.¹⁸ In Riley, the gov­ern­ment argued that the third-par­ty doc­trine per­mit­ted the police to search the call log of a cell phone because its con­tents would have been dis­closed to the owner’s cell ser­vice provider when they made the calls.¹⁹ The Court dis­agreed, not­ing that search­ing through a caller’s cell phone was qual­i­ta­tive­ly dif­fer­ent than the use of a pen reg­is­ter in Smith v. Mary­land because the for­mer was more intru­sive of pri­va­cy inter­ests.²⁰ Basi­cal­ly, “[i]t was irrel­e­vant that the indi­vid­ual might not have a rea­son­able expec­ta­tion of pri­va­cy in the infor­ma­tion actu­al­ly obtained” because they had a legit­i­mate expec­ta­tion of pri­va­cy in the cell phone itself.²¹ Thus, the Court con­clud­ed that gath­er­ing the arrestee’s call logs direct­ly from the phone, as opposed to sub­poe­naing them from a third par­ty, con­sti­tut­ed a search. The same log­ic applies to the use of an NIT to search a com­put­er. Even if the user’s IP address was pre­vi­ous­ly dis­closed to their inter­net ser­vice provider (“ISP”), that does not jus­ti­fy the gov­ern­ment war­rant­less­ly deploy­ing an NIT to search their com­put­er to obtain that infor­ma­tion. Fur­ther­more, the Riley Court’s ratio­nale for acknowl­edg­ing a pri­va­cy inter­est in one’s cell phone applies equal­ly to per­son­al com­put­ers, since com­put­er usage, like cell phone usage, “can form a reveal­ing mon­tage of the user’s life.”²²

Final­ly, even inde­pen­dent of any expec­ta­tion of pri­va­cy, the use of an NIT is a Fourth Amend­ment search because it also con­sti­tutes a phys­i­cal tres­pass on an individual’s prop­er­ty. As the Supreme Court held in Unit­ed States v. Jones, the tra­di­tion­al prop­er­ty frame­work under the Fourth Amend­ment remains valid: when­ev­er the gov­ern­ment “obtains infor­ma­tion by phys­i­cal­ly intrud­ing on a con­sti­tu­tion­al­ly pro­tect­ed area,” it has con­duct­ed a search.²³ The deploy­ment of an NIT to retrieve an individual’s IP address from their com­put­er con­sti­tutes a search under Jones because the trans­mit­ted code tres­pass­es on that individual’s per­son­al prop­er­ty, their com­put­er.²⁴ Fur­ther­more, the func­tion­al aspects of a com­put­er, like the soft­ware that allows for data stor­age and inter­net brows­ing, is com­prised entire­ly of code, so by plac­ing code on a person’s com­put­er, law enforce­ment lit­er­al­ly invades the con­tents of the com­put­er.²⁵ Thus, by sur­rep­ti­tious­ly deploy­ing an NIT to obtain the IP address of a per­son­al com­put­er, the gov­ern­ment engages in a Fourth Amend­ment search because “they gath­ered that infor­ma­tion by phys­i­cal­ly enter­ing and occu­py­ing the area to engage in con­duct not explic­it­ly or implic­it­ly per­mit­ted” by the own­er.²⁶

Under either analy­sis, this issue has sig­nif­i­cant pol­i­cy impli­ca­tions. If the Court ulti­mate­ly holds that the third-par­ty doc­trine pre­cludes an NIT from being a Fourth Amend­ment search, that would bless the gov­ern­ment con­duct­ing war­rant­less search­es of people’s com­put­ers on a mass scale for any infor­ma­tion that had been pre­vi­ous­ly dis­closed to a third par­ty, includ­ing IP address­es, sub­scriber infor­ma­tion,²⁷ and med­ical infor­ma­tion.²⁸ This would have dire con­se­quences for indi­vid­u­als’ pri­va­cy in their own devices where vast amounts of per­son­al, sen­si­tive infor­ma­tion is stored. While, on the oppos­ing side, hold­ing that the use of an NIT is a search has a far less dra­con­ian impact, as it mere­ly requires law enforce­ment obtain a war­rant to use such dig­i­tal inves­tiga­tive tools, as Fourth Amend­ment prece­dent demands.

* Madi­son Gon­za­lez is a J.D. Can­di­date (2023) at New York Uni­ver­si­ty School of Law. This Con­tri­bu­tion is a com­men­tary on the prob­lem at the Nation­al Cyber­se­cu­ri­ty Moot Court Com­pe­ti­tion host­ed by UCLA School of Law. The ques­tion pre­sent­ed was whether law enforce­ment use of a Net­work Inves­tiga­tive Tech­nique (“NIT”) to obtain a computer’s Inter­net Pro­to­col (“IP”) address con­sti­tut­ed a search under the Fourth Amend­ment. This Con­tri­bu­tion argues that it does, and the views expressed here­in do not nec­es­sar­i­ly reflect the views of the author.

1. See gen­er­al­ly Unit­ed States v. Hor­ton, 863 F.3d 1041, 1045 (8th Cir. 2017) (describ­ing the mechan­ics of NITs).

2. U.S. Con­st. amend. IV.

3. Katz v. Unit­ed States, 389 U.S. 347, 361 (1967) (Har­lan, J., concurring).

4. Unit­ed States v. Jones, 565 U.S. 400, 404 (2012).

5. See, e.g., Smith v. Mary­land, 442 U.S. 735, 743–44 (1979) (hold­ing that the instal­la­tion and use of a pen reg­is­ter to record the num­bers dialed from petitioner’s phone was not a search because peti­tion­er vol­un­tar­i­ly con­veyed that infor­ma­tion to his phone com­pa­ny); Unit­ed States v. Miller, 425 U.S. 435, 442 (1976) (hold­ing that there is no legit­i­mate expec­ta­tion of pri­va­cy in one’s bank records because the infor­ma­tion has been vol­un­tar­i­ly con­veyed to the bank).

6. See Unit­ed States v. Lough, 221 F. Supp. 3d 770, 783 (N.D. W. Va. 2016) (hold­ing that the defen­dant “had no rea­son­able expec­ta­tion of pri­va­cy in his IP address, nor did the NIT con­sti­tute a Fourth Amend­ment search of the con­tent of his com­put­er; thus, a war­rant was unnec­es­sary”), aff’d, 721 F. App’x 291 (4th Cir. 2018); Unit­ed States v. Wer­dene, 188 F. Supp. 3d 431, 446 (E.D. Pa. 2016) (hold­ing that since the defen­dant “did not have a rea­son­able expec­ta­tion of pri­va­cy in his IP address, the NIT can­not be con­sid­ered a ‘search’ with­in the mean­ing of the Fourth Amend­ment”), aff’d, 883 F.3d 204 (3d Cir. 2018); Unit­ed States v. Matish, 193 F. Supp. 3d 585, 613 (E.D. Va. 2016) (hold­ing that “the gov­ern­ment did not need a war­rant to deploy the NIT” to cap­ture the defendant’s IP address).

7. See, e.g., Unit­ed States v. Vort­man, No. 16-CR-00210-TEH‑1, 2016 WL 7324987, at *7 (N.D. Cal. Dec. 16, 2016) (“[E]ven assum­ing there is no rea­son­able expec­ta­tion of pri­va­cy in one’s IP address, the gov­ern­ment must obtain a war­rant if it seeks to extract the infor­ma­tion direct­ly from a person’s per­son­al com­put­er.”), aff’d, 801 F. App’x 470 (9th Cir. 2020); Unit­ed States v. Dar­by, 190 F. Supp. 3d 520, 530 (E.D. Va. 2016) (“[I]t is irrel­e­vant that Defen­dant might not have a rea­son­able expec­ta­tion of pri­va­cy in some of the infor­ma­tion searched and seized by the gov­ern­ment. The government’s deploy­ment of the NIT was a Fourth Amend­ment search.”); Unit­ed States v. Ham­mond, 263 F. Supp. 3d 826, 830 (N.D. Cal. 2016) (hold­ing that the use of the NIT was a search because the gov­ern­ment did not obtain defendant’s IP address from a third par­ty but direct­ly from the defendant’s com­put­er, in which he has a rea­son­able expec­ta­tion of privacy).

8. Cal­i­for­nia v. Cirao­lo, 476 U.S. 207, 211 (1986) (cit­ing Katz, 389 U.S. at 360).

9. Unit­ed States v. Horowitz, 806 F.2d 1222, 1224 (4th Cir. 1986) (“[T]he appro­pri­ate inquiry [is] whether the indi­vid­ual had a rea­son­able expec­ta­tion of pri­va­cy in the area searched, not mere­ly in the items found .…”(cit­ing Rawl­ings v. Ken­tucky, 448 U.S. 98, 104–06 (1980))).

10. Unit­ed States v. Adams, No. 6:16-CR-11-ORL-40GJK, 2016 WL 4212079, at *4 (M.D. Fla. Aug. 10, 2016).

11. Dar­by, 190 F. Supp. 3d at 529.

12. See Unit­ed States v. Dzwon­czyk, No. 4:15-CR-3134, 2016 WL 7428390, at *9 (D. Neb. Dec. 23, 2016) (not­ing that an NIT obtains an IP address direct­ly from an individual’s com­put­er, which is sub­stan­tive­ly dif­fer­ent from obtain­ing it from a third party).

13. Dar­by, 190 F. Supp. 3d at 529.

14. See, e.g., Unit­ed States v. Lif­shitz, 369 F.3d 173, 190 (2d Cir. 2004) (“Indi­vid­u­als gen­er­al­ly pos­sess a rea­son­able expec­ta­tion of pri­va­cy in their home com­put­ers.”); Tru­lock v. Freeh, 275 F.3d 391, 403 (4th Cir. 2001) (find­ing a rea­son­able expec­ta­tion of pri­va­cy in pass­word-pro­tect­ed files on a com­put­er); Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001) (“Home own­ers would of course have a rea­son­able expec­ta­tion of pri­va­cy in their homes and in their belongings—including computers—inside the home.”).

15. See, e.g., Adams, 2016 WL 4212079, at *4 (“[A] defen­dant has an expec­ta­tion of pri­va­cy in his garage, even if that defen­dant lacks an expec­ta­tion of pri­va­cy in the stolen vehi­cle parked in the garage.”).

16. Unit­ed States v. Work­man, 205 F. Supp. 3d 1256, 1265 (D. Colo. 2016), rev’d on oth­er grounds, 863 F.3d 1313 (10th Cir. 2017).

17. Dzwon­czyk, 2016 WL 7428390, at *9.

18. 573 U.S. 373, 400 (2014).

19. Id.

20. Riley, 573 U.S. at 394–97, 400 (cit­ing Smith, 442 U.S. at 745–46); see also supra note 5 and accom­pa­ny­ing text.

21. Dar­by, 190 F. Supp. 3d at 529 (cit­ing Riley, 573 U.S. at 400).

22. Riley, 573 U.S. at 396.

23. Jones, 565 U.S. at 406 n.3, 413 (hold­ing that government’s attach­ment of a GPS device to the defendant’s car was a search).

24. See Adams, 2016 WL 4212079, at *4 (“Defendant’s IP address was dis­cov­ered only after prop­er­ty resid­ing with­in Defendant’s home—his computer—was searched by the NIT.”)

25. Dar­by, 190 F. Supp. 3d at 530.

26. Flori­da v. Jar­dines, 569 U.S. 1, 6 (2013).

27. See Unit­ed States v. Trad­er, 981 F.3d 961, 967–68 (11th Cir. 2020), cert. denied, 211 L. Ed. 2d 139 (Oct. 4, 2021) (find­ing no rea­son­able expec­ta­tion of pri­va­cy in defendant’s email address that he pro­vid­ed to a third party).

28. See Unit­ed States v. Gay­den, 977 F.3d 1146, 1152 (11th Cir. 2020), cert. denied, 211 L. Ed. 2d 42 (Oct. 4, 2021) (find­ing no rea­son­able expec­ta­tion of pri­va­cy in defendant’s pre­scrip­tion records that he shared with third par­ties for reg­u­la­to­ry purposes).