by Madison Gonzalez*
Courts review the constitutionality of digital surveillance technologies in criminal investigations under Fourth Amendment search doctrine. In order to constitute a search, a law enforcement practice must either violate an individual’s reasonable expectation of privacy or constitute a physical trespass on private property. In this Contribution, Madison Gonzalez (’23) argues that the use of a Network Investigative Technique (“NIT”) to collect an Internet Protocol (“IP”) address directly from an individual’s computer is a Fourth Amendment search under either test.
In recent years, seismic developments in technology have expanded the scope and capacity of government digital surveillance. For instance, law enforcement agencies such as the Federal Bureau of Investigation (“FBI”) have begun utilizing Network Investigative Techniques (“NITs”)—computer programs that enable law enforcement to remotely access a target computer without the knowledge or consent of its owner—to collect sensitive digital information, most notably a computer’s Internet Protocol (“IP”) address.1 The burgeoning use of NITs by law enforcement has raised questions about their legality, and the extent to which the Constitution protects U.S. citizens against such digital surveillance tactics.
Courts evaluate the constitutionality of NITs and other digital investigative tools under the Fourth Amendment, which protects “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”2 Fourth Amendment precedent requires that, in order to constitute a search, a law enforcement practice must violate an individual’s reasonable expectation of privacy3 or be a physical trespass on private property.4 So far, lower courts are divided about whether government use of an NIT to obtain someone’s IP address constitutes a search under either framework. On one hand, some courts have held that it is not a search under the third-party doctrine, which maintains that an individual does not have a reasonable expectation of privacy in information voluntarily disclosed to third parties because one assumes the risk that the third party might reveal that information to law enforcement.5 They note that IP addresses are routinely disclosed to third parties such as internet service providers for the routing of information, and consequently find no subjective expectation of privacy in such information.6 On the other hand, other courts have found that the use of an NIT is a search because, regardless of the third-party doctrine, the NIT violates a legitimate expectation of privacy in one’s personal computer.7 This Contribution endorses the latter view and argues that law enforcement’s use of an NIT to retrieve an IP address from an individual’s computer constitutes a Fourth Amendment search because it both violates a reasonable expectation of privacy in one’s computer and constitutes a physical trespass.
To establish a Fourth Amendment search under the two-prong test set out in Katz v. United States, an individual must demonstrate first, that they had “a subjective expectation of privacy” in the area searched and second, that “society is willing to recognize that expectation as reasonable.”8 It is essential to distinguish the area searched from the items found, because only the former is relevant to the Katz inquiry.9 Thus, as a preliminary matter, we must first establish whether the area searched by the NIT is the computer or the IP address.
As previously discussed, an NIT is a program that allows a person to remotely access another’s computer. Specifically, when the code from an NIT is deployed to a target’s computer, “[t]he NIT searches the user’s computer to discover the IP address associated with that device.”10 The NIT allows the government to access the “complete contents” of a person’s computer.11 The fact that an NIT cannot obtain an individual’s IP address without necessarily encroaching on their computer supports the conclusion that the area searched is the computer itself, whereas the IP address is merely the evidence produced by the search.12 Since the computer is the area searched by the NIT, the correct framework for the Katz inquiry is one’s expectation of privacy in the contents of their computer, not merely their IP address.
The use of an NIT to discover a person’s IP address is a search under the Katz test because it violates a subjective and reasonable expectation of privacy in their personal computer. First, people’s subjective expectation of privacy in their computers is clear “from the mass of personal and financial information often contained on computers.”13 Furthermore, courts have routinely held that individuals have a reasonable expectation of privacy in their personal computers, especially ones located within the home.14 The use of an NIT intrudes on this expectation of privacy by allowing law enforcement to gain access to the contents of an individual’s computer without their knowledge or consent. Even if the third-party doctrine defeats an individual’s expectation of privacy in their IP address, the use of an NIT to retrieve that information is still a search. This is because even if an individual has no expectation of privacy in a particular item, they may nonetheless have an expectation of privacy in the location where that item is stored.15 Therefore, law enforcement cannot conduct a warrantless search of a location in which an individual has a reasonable expectation of privacy “simply because it intends to seize property for which the defendant does not have a reasonable expectation of privacy.”16 For example, if a person wrote their IP address on a piece of paper and locked it in a drawer in their home, the police would undoubtedly need a warrant to retrieve that piece of paper, even if the person had no legitimate expectation of privacy in the IP address itself.17 Thus, while the third-party doctrine means that subpoenaing a third party for a person’s IP address may be constitutionally permissible, retrieving it directly from a person’s computer is still a Fourth Amendment search.
This conclusion finds further support in the Supreme Court’s decision in Riley v. California, in which it made clear that the government cannot conduct a warrantless search of a person’s electronic device just because the information they seek within it has been previously conveyed to a third party.18 In Riley, the government argued that the third-party doctrine permitted the police to search the call log of a cell phone because its contents would have been disclosed to the owner’s cell service provider when they made the calls.19 The Court disagreed, noting that searching through a caller’s cell phone was qualitatively different than the use of a pen register in Smith v. Maryland because the former was more intrusive of privacy interests.20 Basically, “[i]t was irrelevant that the individual might not have a reasonable expectation of privacy in the information actually obtained” because they had a legitimate expectation of privacy in the cell phone itself.21 Thus, the Court concluded that gathering the arrestee’s call logs directly from the phone, as opposed to subpoenaing them from a third party, constituted a search. The same logic applies to the use of an NIT to search a computer. Even if the user’s IP address was previously disclosed to their internet service provider (“ISP”), that does not justify the government warrantlessly deploying an NIT to search their computer to obtain that information. Furthermore, the Riley Court’s rationale for acknowledging a privacy interest in one’s cell phone applies equally to personal computers, since computer usage, like cell phone usage, “can form a revealing montage of the user’s life.”22
Finally, even independent of any expectation of privacy, the use of an NIT is a Fourth Amendment search because it also constitutes a physical trespass on an individual’s property. As the Supreme Court held in United States v. Jones, the traditional property framework under the Fourth Amendment remains valid: whenever the government “obtains information by physically intruding on a constitutionally protected area,” it has conducted a search.23 The deployment of an NIT to retrieve an individual’s IP address from their computer constitutes a search under Jones because the transmitted code trespasses on that individual’s personal property, their computer.24 Furthermore, the functional aspects of a computer, like the software that allows for data storage and internet browsing, is comprised entirely of code, so by placing code on a person’s computer, law enforcement literally invades the contents of the computer.25 Thus, by surreptitiously deploying an NIT to obtain the IP address of a personal computer, the government engages in a Fourth Amendment search because “they gathered that information by physically entering and occupying the area to engage in conduct not explicitly or implicitly permitted” by the owner.26
Under either analysis, this issue has significant policy implications. If the Court ultimately holds that the third-party doctrine precludes an NIT from being a Fourth Amendment search, that would bless the government conducting warrantless searches of people’s computers on a mass scale for any information that had been previously disclosed to a third party, including IP addresses, subscriber information,27 and medical information.28 This would have dire consequences for individuals’ privacy in their own devices where vast amounts of personal, sensitive information is stored. While, on the opposing side, holding that the use of an NIT is a search has a far less draconian impact, as it merely requires law enforcement obtain a warrant to use such digital investigative tools, as Fourth Amendment precedent demands.
* Madison Gonzalez is a J.D. Candidate (2023) at New York University School of Law. This Contribution is a commentary on the problem at the National Cybersecurity Moot Court Competition hosted by UCLA School of Law. The question presented was whether law enforcement use of a Network Investigative Technique (“NIT”) to obtain a computer’s Internet Protocol (“IP”) address constituted a search under the Fourth Amendment. This Contribution argues that it does, and the views expressed herein do not necessarily reflect the views of the author.
1. See generally United States v. Horton, 863 F.3d 1041, 1045 (8th Cir. 2017) (describing the mechanics of NITs).
2. U.S. Const. amend. IV.
3. Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).
4. United States v. Jones, 565 U.S. 400, 404 (2012).
5. See, e.g., Smith v. Maryland, 442 U.S. 735, 743–44 (1979) (holding that the installation and use of a pen register to record the numbers dialed from petitioner’s phone was not a search because petitioner voluntarily conveyed that information to his phone company); United States v. Miller, 425 U.S. 435, 442 (1976) (holding that there is no legitimate expectation of privacy in one’s bank records because the information has been voluntarily conveyed to the bank).
6. See United States v. Lough, 221 F. Supp. 3d 770, 783 (N.D. W. Va. 2016) (holding that the defendant “had no reasonable expectation of privacy in his IP address, nor did the NIT constitute a Fourth Amendment search of the content of his computer; thus, a warrant was unnecessary”), aff’d, 721 F. App’x 291 (4th Cir. 2018); United States v. Werdene, 188 F. Supp. 3d 431, 446 (E.D. Pa. 2016) (holding that since the defendant “did not have a reasonable expectation of privacy in his IP address, the NIT cannot be considered a ‘search’ within the meaning of the Fourth Amendment”), aff’d, 883 F.3d 204 (3d Cir. 2018); United States v. Matish, 193 F. Supp. 3d 585, 613 (E.D. Va. 2016) (holding that “the government did not need a warrant to deploy the NIT” to capture the defendant’s IP address).
7. See, e.g., United States v. Vortman, No. 16-CR-00210-TEH-1, 2016 WL 7324987, at *7 (N.D. Cal. Dec. 16, 2016) (“[E]ven assuming there is no reasonable expectation of privacy in one’s IP address, the government must obtain a warrant if it seeks to extract the information directly from a person’s personal computer.”), aff’d, 801 F. App’x 470 (9th Cir. 2020); United States v. Darby, 190 F. Supp. 3d 520, 530 (E.D. Va. 2016) (“[I]t is irrelevant that Defendant might not have a reasonable expectation of privacy in some of the information searched and seized by the government. The government’s deployment of the NIT was a Fourth Amendment search.”); United States v. Hammond, 263 F. Supp. 3d 826, 830 (N.D. Cal. 2016) (holding that the use of the NIT was a search because the government did not obtain defendant’s IP address from a third party but directly from the defendant’s computer, in which he has a reasonable expectation of privacy).
8. California v. Ciraolo, 476 U.S. 207, 211 (1986) (citing Katz, 389 U.S. at 360).
9. United States v. Horowitz, 806 F.2d 1222, 1224 (4th Cir. 1986) (“[T]he appropriate inquiry [is] whether the individual had a reasonable expectation of privacy in the area searched, not merely in the items found . . . .”(citing Rawlings v. Kentucky, 448 U.S. 98, 104–06 (1980))).
10. United States v. Adams, No. 6:16-CR-11-ORL-40GJK, 2016 WL 4212079, at *4 (M.D. Fla. Aug. 10, 2016).
11. Darby, 190 F. Supp. 3d at 529.
12. See United States v. Dzwonczyk, No. 4:15-CR-3134, 2016 WL 7428390, at *9 (D. Neb. Dec. 23, 2016) (noting that an NIT obtains an IP address directly from an individual’s computer, which is substantively different from obtaining it from a third party).
13. Darby, 190 F. Supp. 3d at 529.
14. See, e.g., United States v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (“Individuals generally possess a reasonable expectation of privacy in their home computers.”); Trulock v. Freeh, 275 F.3d 391, 403 (4th Cir. 2001) (finding a reasonable expectation of privacy in password-protected files on a computer); Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001) (“Home owners would of course have a reasonable expectation of privacy in their homes and in their belongings—including computers—inside the home.”).
15. See, e.g., Adams, 2016 WL 4212079, at *4 (“[A] defendant has an expectation of privacy in his garage, even if that defendant lacks an expectation of privacy in the stolen vehicle parked in the garage.”).
16. United States v. Workman, 205 F. Supp. 3d 1256, 1265 (D. Colo. 2016), rev’d on other grounds, 863 F.3d 1313 (10th Cir. 2017).
17. Dzwonczyk, 2016 WL 7428390, at *9.
18. 573 U.S. 373, 400 (2014).
20. Riley, 573 U.S. at 394–97, 400 (citing Smith, 442 U.S. at 745–46); see also supra note 5 and accompanying text.
21. Darby, 190 F. Supp. 3d at 529 (citing Riley, 573 U.S. at 400).
22. Riley, 573 U.S. at 396.
23. Jones, 565 U.S. at 406 n.3, 413 (holding that government’s attachment of a GPS device to the defendant’s car was a search).
24. See Adams, 2016 WL 4212079, at *4 (“Defendant’s IP address was discovered only after property residing within Defendant’s home—his computer—was searched by the NIT.”)
25. Darby, 190 F. Supp. 3d at 530.
26. Florida v. Jardines, 569 U.S. 1, 6 (2013).
27. See United States v. Trader, 981 F.3d 961, 967–68 (11th Cir. 2020), cert. denied, 211 L. Ed. 2d 139 (Oct. 4, 2021) (finding no reasonable expectation of privacy in defendant’s email address that he provided to a third party).
28. See United States v. Gayden, 977 F.3d 1146, 1152 (11th Cir. 2020), cert. denied, 211 L. Ed. 2d 42 (Oct. 4, 2021) (finding no reasonable expectation of privacy in defendant’s prescription records that he shared with third parties for regulatory purposes).