On April 5, the U.S. Court of Appeals for the Ninth Circuit held in United States v. Heckenkamp, Nos. 05-10322 and 05-10323, that a University of Wisconsin graduate student had an objectively reasonable expectation of privacy in his dorm room computer. Despite this conclusion, the court found that the University was entitled to "hack" into the computer without a warrant, by virtue of the "special needs" exception to the Fourth Amendment. Although the court expressly limited its holding to the facts of the case, the decision provides insight into when institutions of all sorts may search networked computers without contravening Fourth Amendment limitations. The case may have a significant impact on the relationship between institutions and those who own computers that connect to the institution's network.

Factual Background

In late 1999, Qualcomm Corp. discovered that someone had hacked into its computer network and reported the incident to law enforcement authorities. The FBI traced the source of the intrusion to a computer connected to the University of Wisconsin's computer network. After the FBI alerted the University, the school's computer network investigator, Jeffrey Savoy, verified that someone using a computer on the campus network had hacked into Qualcomm's network. Savoy also discovered that the hacker had gained unauthorized access to the University's computer system and concluded that the University's student email system was threatened. Seeking to protect the email system, Savoy identified the computer used for the intrusion via its associated IP address and determined that it was used regularly by a graduate student named Heckenkamp. Savoy became alarmed because the school had terminated Heckenkamp from his job at the University's computer help desk two years earlier for similar unauthorized activities, and Savoy believed that Heckenkamp had the technical expertise to damage the University's computer system. Accordingly, Savoy blocked the IP connection between Heckenkamp's computer and the school's computer server.

After blocking the connection, Savoy reported the results of his initial investigation to FBI agents, who asked Savoy to take no further action until the FBI obtained a search warrant. In the meantime, Savoy anticipated that Heckenkamp would learn that his IP connection was blocked and could easily change the IP address of his computer to log back into the system. Savoy reasoned that Heckenkamp, aware and upset that the school had blocked his original IP address, might crash the University's computer server at any moment. So, before the FBI obtained a search warrant, Savoy logged into Heckenkamp's computer (which by then had a different IP address) and confirmed that it was the same computer that Heckenkamp had used originally. This warrantless search confirmed that Heckenkamp had regained the capability for unauthorized access to the school's server.

Based on this information and additional evidence obtained from subsequent derivative searches of his room and computer, Heckenkamp was indicted under federal statutes for recklessly causing damage by intentionally accessing a protected computer without authorization. He then conditionally pleaded guilty, subject to maintaining his right to challenge on appeal denial of his motions to suppress evidence based on claims that the searches violated his Fourth Amendment rights.

Court's Analysis

Savoy's search implicated the Fourth Amendment's warrant requirement because his employer—the University of Wisconsin—is an arm of the state government. The Fourth Amendment limits only governmental actors. Thus, warrantless searches by private institutions generally do not raise the Fourth Amendment concerns discussed in Heckenkamp. Warrantless searches by private actors, however, may be challenged under state or federal privacy laws.

Analyzing the search under the Fourth Amendment, the court first inquired whether Heckenkamp had a reasonable expectation of privacy in his dorm room computer. If Heckenkamp did not have a reasonable expectation of privacy, then the search could not have violated his Fourth Amendment rights. As the Ninth Circuit explained, determining whether an individual has a reasonable expectation of privacy is a fact-specific inquiry that requires the court to weigh a number of factors, including the measures taken by the defendant to ensure privacy, whether the materials are in a container labeled as being private, and the presence or absence of a right to exclude others from access.

Interestingly, the court started with the presumption that individuals have expectations of privacy in their password-protected computers, and then analyzed whether this expectation was eliminated when Heckenkamp connected his computer to the school's network. In this particular case, the court concluded that Heckenkamp had a reasonable expectation of privacy because, among other reasons, the University did not have a policy allowing it to actively monitor computer usage. In fact, the school's published policy indicated that students' computers would not be accessed without the student's consent.

The Ninth Circuit then inquired whether the institution needed a warrant to search/hack into the student's computer or whether the search fell within a recognized exception to the Fourth Amendment's warrant requirement. Under the "special needs" exception, a warrant is not required when special needs, which go beyond typical law enforcement needs, make the warrant and probable-cause requirement impracticable. In this case, the court determined that the search satisfied the special needs exception because (1) the remote search was not intended to aid law enforcement activities—even though law enforcement subsequently entered the student's room and confiscated his computer; and (2) the search was motivated by a legitimate need to protect the campus computer system, in that Savoy reasonably believed Heckenkamp might crash the school's computer system if immediate action was not taken.

Possible Implications

Notably, the court did not hold that institutions can always search an individual's computer without a warrant. The court made plain that, in this particular case, the school did not need to obtain a warrant because its conduct fell within a well-recognized exception to the Fourth Amendment's warrant requirement. The school had a reasonable belief that Heckenkamp could crash the institution's computer system. Heckenkamp does not authorize government institutions to engage in fishing expeditions, or randomly search computers to determine whether an individual is engaged in nefarious conduct. The circumstances that justified Savoy's actions may not recur often.

Equally, individuals will not always have reasonable expectations of privacy in computers that are attached to an institution's network. Though the Court of Appeals indicated that there is no bright line rule that institutions can use to determine whether any particular individual has a reasonable expectation of privacy, it did explain that an individual's expectation of privacy would be diminished if the institution adopted and publicized a policy authorizing the institution to monitor networked computers. Thus, if an institution wants increased flexibility to search computers that are attached to its network, then the institution should notify all users that, by connecting to the institution's network, they are consenting to specified types of searches. That approach may be prudent for private as well as public institutions because courts could apply Heckenkamp's balancing test to actions taken by non-governmental actors if, inter alia, they act at the behest of law enforcement or breach privacy laws that apply to private actors.