What many people do not realize is that many newer cars (particularly those manufactured by GM and Ford) contain an “event data recorder” (a so-called “black box”) that is similar to those on airplanes. These devices generally are triggered by electronically-sensed problems in the engine (often called faults), a sudden change in wheel speed or airbag deployment, and store a variety of data, such as which seat belts were being worn at the time of the event and the vehicle’s speed, direction and location. The information contained in the black box can be invaluable in determining the cause of an accident.

The question is whether a driver (or car owner) has a legitimate expectation of privacy in the information stored in the black box or whether the police can download that information without a search warrant.

In a New York case, the court held that no search warrant was required for the recovery of black box data. In People v. Christmann, 3 Misc.3d 309, 776 N.Y.S.2d 437 (2004), the defendant was involved in a motor vehicle accident with a pedestrian. The police at the scene downloaded the data from the car’s black box without a warrant. The court held that exigent circumstances (“[e]vidence regarding the pre-accident conditions within Defendant’s automobile could easily be destroyed, either purposely or accidently, if the automobile was moved from the scene under its own power.” 3 Misc.3d at 315, 776 N.Y.S.2d at 441.) justified the data download at the scene without a warrant.

However, a recent California case, People v. Xinos, 192 Cal. App. 4th 637, 121 Cal. Rptr. 3d 496 (2011), review filed (Mar. 21, 2011), the court came to the opposite conclusion. In Xinos, the defendant was convicted of vehicular manslaughter, based in significant part on the data contained in an event data recorder (also called a “sensing and diagnostic module” or “SDM”) in his car. The defendant had filed a suppression motion regarding the SDM data, claiming that the downloading of the data without a warrant violated his Fourth Amendment rights. The lower court had rejected the motion. On appeal, however, the court reversed.

After an accident in which a pedestrian was killed, the defendant’s car was towed to a police impound lot. A year after the accident, at the request of the District Attorney’s Office, and without obtaining a warrant, police went to the impound lot and:

downloaded the data contained in the vehicle’s SDM. They accomplished the download using a cable connected to the diagnostic link connector (DLC), which was located underneath the vehicle’s dash area on the driver’s side. An SDM receives data from various inputs related to the vehicle’s restraint systems, seat belt pretensioners and airbags. The data includes information regarding engine speed, vehicle speed and deceleration, throttle percentage, braking, airbag deployment, and the restraint system. . . .
Using software, [the police] produced a crash data retrieval (CDR) report. It showed information captured during the five seconds before defendant’s vehicle experienced a change in velocity. It disclosed the vehicle’s speed during the five seconds before the incident. The data indicated that there had been brake activation but the braking “could just be covering the pedal” and was not necessarily hard braking.

Id. at 647, 121 Cal. Rptr. at 502-03.

In the trial court, the prosecutor argued that “no search warrant was required because defendant had no reasonable expectation of privacy in the SDM’s data, analogizing to electronic beepers and emphasizing the diminished expectation of privacy in vehicles. The People maintained that the year delay in conducting the download was immaterial.” Id. at 651, 121 Cal. Rptr. at 505. The trial court held that there was no Fourth Amendment violation:

In this matter the Court is satisfied that the police were permitted to conduct tests and discover data because the vehicle was an instrumentality of the crime of vehicular manslaughter as well as hit-and-run. Therefore, the retrieval of the data in the SDM was not a search within the meaning of the Fourth Amendment. Id.

It further stated that, even if downloading the information was “not a test or a diagnostic event” and it was a search, the search fell “within the automobile exception to the warrant requirement because the police officers had probable cause to believe that evidence pertaining to the crime was contained in the SDM.” Id. at 651, 121 Cal. Rptr. at 505.

The appellate court disagreed:

This case is fundamentally distinguishable from the cases where technology is used to allow law enforcement to capture information that a person is knowingly exposing to the public. . . .
[I]n this case, defendant could not have claimed any reasonable expectation of privacy with respect to governmental observations, including those using enhanced technology, of his driving on public roads. We are more familiar with the examples of law enforcement measuring vehicular speed with radar guns or recording failures to stop at red lights with automated cameras. But in this case, the government was not making any observations of conduct exposed to the public view. Here, defendant’s own vehicle was internally producing data for its safe operation. That exceedingly precise data was not being exposed to the public or being conveyed to any other person.

Id. at 654, 121 Cal. Rptr. at 508. The appellate court found no probable cause for the download:

[T]he scope of a legitimate warrantless search of a vehicle under the automobile exception “is defined by the object of the search and the places in which there is probable cause to believe that it may be found.” The scope of a warrantless search authorized by the automobile exception is “no broader and no narrower than a magistrate could legitimately authorize by warrant.” Moreover, probable cause to conduct a warrantless search must exist at the time the warrantless search is executed.
[I]n this case, the prosecution failed to show that the objective facts known to the police officers at the time of the download constituted probable cause to search the SDM for evidence of crime. The download occurred long after the collision and criminal investigation. The officers who conducted the download were merely complying with an unexplained request of the D.A.’s Office and believed no relevant data would be found. The download of the data was not supported by probable cause.

Id. at 661, 121 Cal. Rptr. at 513. Nor did the court find the SDM data to be lawfully seized evidence of a crime:

The Attorney General has not cited any Fourth Amendment authority permitting new intrusions into any internal part or component of a vehicle simply because the vehicle was seized as evidence. . . . The retrieval of raw data from a vehicle’s SDM not believed by police to hold any evidence of crime is not a reexamination or closer look at areas of a vehicle already reasonably believed to be or contain evidence of a crime; it is a new and different intrusion. The prosecution failed to show in this case that the download of data was justified by the circumstances warranting seizure of the vehicle and examination of its condition. Further, the download of raw data from a SDM does not qualify as a scientific test, similar to DNA or ballistics testing since downloading is merely the copying or retrieval of electronic data or information.

Id. at 663, 121 Cal. Rptr. at 515.

Clearly, the two cases can be factually distinguished. The New York case involved a download of data immediately after the accident versus the year delay in Xinos. The more important issue, however, is whether a driver has a legitimate expectation of privacy in the black box data at all, and if so, when a warrant based on probably cause should be required. As black boxes become ubiquitous in new cars, this issue is bound to be before the courts again.

It’s advice that also applies in the technology field. Just because we can develop certain technologies, doesn’t mean we should do so. Think of chemical weapons. World leaders have decided that such weapons should not be produced or deployed, even though we have the ability to do so.

It also should be applied in the tech law field. Particularly where we are dealing with technology that can invade people’s privacy. Two lines of cases come to mind. The first line of cases, including United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008), cert. denied, __ U.S. __, 129 S. Ct. 1312 (2009), have held that the government has the right to search a computer or any other electronic device possessed by a person at the border – without a warrant or probable cause. The cases have held that warrantless border searches are permissible because the government has an absolute right to regulate what crosses its borders. The fact that the government can conduct such warrantless border searches, however, does not mean that it should.

A second example are the recent cases upholding the warrantless use of GPS devices on cars. In United States v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010) and Foltz v. Commonwealth (Va. App. Ct. Sept. 7, 2010), the courts held that because there is no reasonable expectation of privacy in where a car is driven (since it can be observed by anyone on the street), there is no Fourth Amendment violation in attaching a GPS device to the vehicle and remotely monitoring the location and route taken by the vehicle without a warrant based on probable cause. Despite the fact that:

“The police had no policy regarding the use of GPS devices, in part because the devices were not used particularly often. The police did not predetermine how long they would track appellant. The police also did not develop a policy to avoid following the van into private areas.”

the Virginia court found no violation of the defendant’s rights.

In both of these examples, the courts have found that the government can engage in the conduct at issue without violating the Fourth Amendment. But the more important question is whether our government should be engaging in such conduct. While the Fourth Amendment provides a baseline for government conduct, it should be viewed as a minimum standard for individual rights, and not a maximum.

Congress has the right to require a higher standard from the government if it believes that our society requires the government to be held to such higher standard. We saw that happen in the passage of the Electronic Communications Privacy Act of 1986 (ECPA). The Act continued the federal law that regulated law enforcement’s use of wiretapping technology, despite the fact that the U.S. Supreme Court had previously held that warrantless wiretapping was not a violation of the Fourth Amendment as long as law enforcement did not physically trespass on the suspect’s property. See Olmstead v. United States, 277 U.S. 438 (1928).

The ECPA updated the prior wiretapping statute by adding electronic communications (e.g., e-mails) to the class of protected communications. Despite the fact that courts have held that there is no reasonable expectation of privacy under the Fourth Amendment in e-mails (since the recipient can disclose the contents of the e-mail to others), courts have recognized that the ECPA establishes a higher standard that law enforcement must meet before intercepting e-mails in transit or retrieving them from storage.

In enacting the ECPA, Congress decided that even though the government can wiretap telephone conversations and e-mails with impunity under the Fourth Amendment, it should not be allowed to do so unless it meets the ECPA’s higher standard.

Congress could and should do the same thing with warrantless border searches of electronic devices and the use of GPS devices. Unfortunately, in this political climate it is unlikely to happen.

It’s too bad they won’t take my father’s advice.

The first ten years of my practice saw a need to learn copyright law, while the second ten years required a working knowledge of patent and trademark law, and some privacy law, with a little international trade law thrown in for good measure (including U.S. export control laws and regulations). It was also the time when state and federal legislators were beginning to craft a specialized field of computer crime laws.

By the late 1980s there was a convergence of sorts between the computer and entertainment industries, primarily through videogames and CD-ROM titles. As a result, computer lawyers needed to learn about how the entertainment industry worked – again, primarily in the contracting area — but also with regard to trademarks, Hollywood guilds and unions (e.g., SAG, DGA) and right of publicity issues. It also required computer lawyers to learn a lot more about copyright and contract law in areas that had previously been limited to entertainment lawyers.

Since the 1990s we have seen the subject matter of computer law expand rapidly. We have had to learn telecommunications law, expand our knowledge of trademark law to deal with domain name issues, cope with the ever-expanding body of federal and state laws that deal with the financial laws and regulations underpinning e-commerce, privacy issues, cybercrimes, and a host of other fields that computer lawyers (now called IT lawyers) never thought they would need to deal with.

Now, cloud computing may require us to learn another body of law – admiralty law. Google has recently filed patent applications for ocean-going data centers that would be housed on large merchant ships and could be moored off-shore or sail blissfully in international waters – avoiding the problems arising from pesky local or national laws. These ships would generate their own power, provide their own cooling, have Internet connectivity (presumably from satellites or undersea cables) and generally be subject to no country’s laws. But underlying this concept is still the fact that we are dealing with ships. And ships are subject to both national and international laws – namely admiralty laws.

Dang. Just when I thought I was done learning new laws, I now find myself having to delve into the esoteric area of admiralty law. Ships containing data centers are no different than, and are subject to the same laws as, any other ship. Thus, they are subject to such things as piracy, salvage and seizure (arrest). Yet their cargoes may be infinitely more valuable than any previous ship that has ever plied international waters – the data of thousands or tens of thousands of corporations, millions of individuals, and numerous governments from around the world. How much would that cargo be worth if it fell into the hands of Somali pirates? And what if the assets of even one customer (or the ship owner itself) were subject to a seizure (arrest) order, and the entire ship was seized and the computers taken off the grid?

Far fetched? It was only a couple of months ago that the FBI, looking for assets of a company that had allegedly defraud the local telephone company, raided and seized all of the servers in several Dallas-based data centers – putting all of the data centers’ customers, not just the target of the seizure, out of business. Now multiply that by thousands of customers whose access to their data could be lost if the ship on which their servers and data are housed is arrested under existing admiralty law.

So to all of you IT lawyers representing clients that have or will be entering into cloud computing “solutions” to their data processing needs – start boning up on your admiralty law. It looks like you’re going to need it.

1. Tell me about the new Information Technology (IT) Law Summer Program in London?

The program will allow students to earn six units of course credit while enjoying five incredible weeks in London. Each student will choose two of four courses: Comparative Electronic Commerce Law, Comparative Information Privacy Law, International Cybercrimes or Drafting Information Technology Agreements. Classes will be held from 9-1, Monday through Thursday, which makes every weekend a three-day weekend. Classes will be supplemented by field trips, guest speakers and various social events.

2. When did you develop the idea for the IT Summer Law Program?

I have been interested in expanding the school’s offerings in international technology law since I joined the full-time faculty in 2003. There are not a lot of professors in Los Angeles, or even the United States, that have expertise in this area. Because of the growing importance of the European Union, and the enactment of new IT laws in the EU, it made sense to locate the program within the EU where we can hire professors knowledgeable in comparative US-EU IT laws.

3. Is this the first program of its kind?

Yes. There have been summer abroad programs that offer one or two courses in IT law, but this is the only program that focuses exclusively on international IT law. This gives students interested in practicing in this field a great opportunity to learn from professors who are internationally recognized educators in the field. It should give students participating in the program a distinct advantage over other students in getting a job in the IT sector.

4. Why London?

I actually looked at several other cities in Europe first. I had a list of characteristics I was looking for in a host city. None of the other cities had all of those characteristics; London did. In London you have first class housing and classroom facilities, a great transportation system, plenty of cultural, social and educational opportunities, easy access to other European destinations, a safe environment, and the ability to attract a world-class faculty.

London is, in my opinion, the most exciting city in the world. Spending five weeks in London is a once-in-a-lifetime opportunity. There is a dizzying array of things to do in London, from watching tennis stars at Wimbledon to enjoying plays, musicals and outdoor concerts just down the street from the school. We are literally only blocks away from the British Museum, the British Library and numerous historical sites. Stonehenge, Oxford, the Edinburgh Festival (and many other destinations) are easily accessible by train or bus. In addition, most European cities are no more than an hour or two away. For example, there is a train within walking distance of the dorm that will whisk you to downtown Paris in just two hours. You can have lunch overlooking the Eiffel Tower and be back in London in time for dinner, or spend the entire weekend in Paris or another wonderful destination.

5. What makes this such an exciting and timely program?

The Internet and electronic commerce are the fastest growing business sectors worldwide. Every company, whether considered “high tech” or otherwise, understands the importance of being “online.” As a result, there is an enormous demand for tech-savvy attorneys, even when there is a downturn in the economy. These classes are unique and will provide students with an international perspective on IT law that is simply not available elsewhere.

6. How and why was each participating faculty member selected for the program?

Having practiced in the international IT law field for almost 30 years, I have had the opportunity to travel extensively and get to know IT lawyers and academics worldwide. When I was planning this program I contacted dozens of recognized experts in the field and asked them whom they thought were the best educators in IT law in the U.S. and the UK. That search led me to each of the professors who will be teaching in the program. As shown by their biographies, they are all accomplished authors, speakers and teachers. It is a truly an amazing faculty.

7. What are some of the biggest issues in IT law and how will this program help prepare students interested in the field?

When a company establishes a website, it is instantly doing business globally. That means that the company is potentially subject to the laws of every country in which its website is accessible, including contract law, privacy law, and criminal law. It is not sufficient for a company’s lawyers to understand only the laws of the country in which that company is located. They must understand the potential impact of foreign laws on their client’s business, and the potential liability that client may face around the world. This program will provide students with that global perspective.

The four courses being offered and the instructors are:

Comparative Electronic Commerce Law and Regulations
Instructor: Dr. Julia Hornle, Queen Mary College of Law, University of London

Comparative Information Privacy Law and Regulations
Professor Ian Walden, Queen Mary College of Law, University of London

Drafting Information Technology Agreements
Professor Michael D. Scott, Southwestern Law School (me)

International Cybercrimes
Professor Susan Brenner, University of Dayton School of Law

The program will run June 21, 2009-July 24, 2009 and is open to any law student from an ABA-accredited law school in the United States, Canadian law students and other law students who can demonstrate English language proficiency. The brochure is available here.

If you are a law student, a law professor, or someone who knows a law student who might be interested in the program, please let them know about it. Due to limited classroom space, the program is limited to 48 students. Students will be admitted to the program on a rolling basis starting in January 2009, so early application is essential. The application is available here.