05 May 2015

Computer Trespass and the IOT

'Norms of Computer Trespass' by Orin S. Kerr in (2015) Columbia Law Review (Forthcoming) comments
Federal and state laws prohibit computer trespass, codified as a ban on unauthorized access to a computer. In the last decade, however, courts have divided sharply on what makes access unauthorized. Some courts have interpreted computer trespass laws broadly to prohibit trivial wrongs such as violating Terms of Service to a website. Other courts have limited the laws to harmful examples of hacking into a computer. Courts have struggled to interpret authorization because they lack an underlying theory of how to distinguish authorized from unauthorized access.
This Essay offers such a theory. It contends that authorization is inherently contingent on social norms. Starting with trespass in physical space, it shows how concepts of authorization necessarily rest on shared understandings of what technologies and their users are allowed to do. Norms classify the nature of each space, the permitted means of access, and the permitted context of access. This idea, applied to the Internet, readily answers a wide range of difficult questions of authorization under computer trespass laws such as the Computer Fraud and Abuse Act. It shows that the open norms of the web authorize most kinds of web use. On the other hand, the closed norms of authentication limit use of canceled or shared accounts. Properly understood, the norms-based nature of trespass does not render unauthorized access laws uncertain. To the contrary, the lines to be drawn become surprisingly clear once you identify the correct norms of computer usage.
'The Internet of Things and the Fourth Amendment of Effects' by Andrew Guthrie Ferguson in (2016) 104 California Law Review (Forthcoming) comments 
By 2020 there will be billions of “things” connected through the “Internet of Things.” These smart devices built within our homes, cars, smartphones, clothing, and accessories present new possibilities for technological surveillance for law enforcement.
This network of smart devices also poses a new challenge for a Fourth Amendment built around “effects.” The constitutional language protecting “persons, houses, papers, and effects” from unreasonable searches and seizures must confront this change. This article addresses how a Fourth Amendment built on old-fashioned “effects” can address a new world when things are no longer just inactive, static objects, but objects that create and communicate data with other things.
The article seeks to answer two questions. First, what is the definition of an “effect” for Fourth Amendment purposes in a world defined by an interconnected, network-like Internet of Things? Second, assuming that a Fourth Amendment “effect” has a broader definition that potentially includes the digital information embedded in the object and the wireless communication signals emanating from the device, then what expectation of security should attach to these effects?
As to the first question, this article argues that the Fourth Amendment’s definition of effects can encompass the smart objects and related data that populate the Internet of Things. As a doctrinal matter, the Fourth Amendment has evolved beyond narrow constitutional definitions. “Persons” now include more than physical bodies, including clothing, bodily fluids, and even corporations. “Papers” now include digital recordings, writings, business documents, and other communication. “Houses” now include curtilage, barns, apartments, and commercial spaces. So too with “effects” – a broader understanding can be created consistent with Fourth Amendment principles. This definition would include a defined portion of the effect’s functionality including its necessary communication with other devices and stored data. An “effect” is no longer just the physical object but also the smart data and communicating signals emanating from the device.
As to the second question, once effects are defined as including not just the physical object, but also the data and functionality of the object, the threshold question of whether there was a Fourth Amendment search becomes quite complicated. Is the virtual recovery of stored data in a device a search? Is the interception of wireless data from interconnected sensors a search? Drawing a line to demarcate a threshold of protection in a non-physical world presents real challenges to technology and Fourth Amendment doctrine. The project motivating this article is redefining an effect to answer these difficult questions.
How the Fourth Amendment adapts to these new sensor surveillance systems will be a central issue in the coming years. This article seeks to establish a framework for analyzing the Internet of Things within the current Fourth Amendment doctrine, as well as to show the existing gaps in coverage. The article then seeks to provide an alternative theoretical framework to fill these doctrinal gaps.