What many people do not realize is that many newer cars (particularly those manufactured by GM and Ford) contain an “event data recorder” (a so-called “black box”) that is similar to those on airplanes. These devices generally are triggered by electronically-sensed problems in the engine (often called faults), a sudden change in wheel speed or airbag deployment, and store a variety of data, such as which seat belts were being worn at the time of the event and the vehicle’s speed, direction and location. The information contained in the black box can be invaluable in determining the cause of an accident.

The question is whether a driver (or car owner) has a legitimate expectation of privacy in the information stored in the black box or whether the police can download that information without a search warrant.

In a New York case, the court held that no search warrant was required for the recovery of black box data. In People v. Christmann, 3 Misc.3d 309, 776 N.Y.S.2d 437 (2004), the defendant was involved in a motor vehicle accident with a pedestrian. The police at the scene downloaded the data from the car’s black box without a warrant. The court held that exigent circumstances (“[e]vidence regarding the pre-accident conditions within Defendant’s automobile could easily be destroyed, either purposely or accidently, if the automobile was moved from the scene under its own power.” 3 Misc.3d at 315, 776 N.Y.S.2d at 441.) justified the data download at the scene without a warrant.

However, a recent California case, People v. Xinos, 192 Cal. App. 4th 637, 121 Cal. Rptr. 3d 496 (2011), review filed (Mar. 21, 2011), the court came to the opposite conclusion. In Xinos, the defendant was convicted of vehicular manslaughter, based in significant part on the data contained in an event data recorder (also called a “sensing and diagnostic module” or “SDM”) in his car. The defendant had filed a suppression motion regarding the SDM data, claiming that the downloading of the data without a warrant violated his Fourth Amendment rights. The lower court had rejected the motion. On appeal, however, the court reversed.

After an accident in which a pedestrian was killed, the defendant’s car was towed to a police impound lot. A year after the accident, at the request of the District Attorney’s Office, and without obtaining a warrant, police went to the impound lot and:

downloaded the data contained in the vehicle’s SDM. They accomplished the download using a cable connected to the diagnostic link connector (DLC), which was located underneath the vehicle’s dash area on the driver’s side. An SDM receives data from various inputs related to the vehicle’s restraint systems, seat belt pretensioners and airbags. The data includes information regarding engine speed, vehicle speed and deceleration, throttle percentage, braking, airbag deployment, and the restraint system. . . .
Using software, [the police] produced a crash data retrieval (CDR) report. It showed information captured during the five seconds before defendant’s vehicle experienced a change in velocity. It disclosed the vehicle’s speed during the five seconds before the incident. The data indicated that there had been brake activation but the braking “could just be covering the pedal” and was not necessarily hard braking.

Id. at 647, 121 Cal. Rptr. at 502-03.

In the trial court, the prosecutor argued that “no search warrant was required because defendant had no reasonable expectation of privacy in the SDM’s data, analogizing to electronic beepers and emphasizing the diminished expectation of privacy in vehicles. The People maintained that the year delay in conducting the download was immaterial.” Id. at 651, 121 Cal. Rptr. at 505. The trial court held that there was no Fourth Amendment violation:

In this matter the Court is satisfied that the police were permitted to conduct tests and discover data because the vehicle was an instrumentality of the crime of vehicular manslaughter as well as hit-and-run. Therefore, the retrieval of the data in the SDM was not a search within the meaning of the Fourth Amendment. Id.

It further stated that, even if downloading the information was “not a test or a diagnostic event” and it was a search, the search fell “within the automobile exception to the warrant requirement because the police officers had probable cause to believe that evidence pertaining to the crime was contained in the SDM.” Id. at 651, 121 Cal. Rptr. at 505.

The appellate court disagreed:

This case is fundamentally distinguishable from the cases where technology is used to allow law enforcement to capture information that a person is knowingly exposing to the public. . . .
[I]n this case, defendant could not have claimed any reasonable expectation of privacy with respect to governmental observations, including those using enhanced technology, of his driving on public roads. We are more familiar with the examples of law enforcement measuring vehicular speed with radar guns or recording failures to stop at red lights with automated cameras. But in this case, the government was not making any observations of conduct exposed to the public view. Here, defendant’s own vehicle was internally producing data for its safe operation. That exceedingly precise data was not being exposed to the public or being conveyed to any other person.

Id. at 654, 121 Cal. Rptr. at 508. The appellate court found no probable cause for the download:

[T]he scope of a legitimate warrantless search of a vehicle under the automobile exception “is defined by the object of the search and the places in which there is probable cause to believe that it may be found.” The scope of a warrantless search authorized by the automobile exception is “no broader and no narrower than a magistrate could legitimately authorize by warrant.” Moreover, probable cause to conduct a warrantless search must exist at the time the warrantless search is executed.
[I]n this case, the prosecution failed to show that the objective facts known to the police officers at the time of the download constituted probable cause to search the SDM for evidence of crime. The download occurred long after the collision and criminal investigation. The officers who conducted the download were merely complying with an unexplained request of the D.A.’s Office and believed no relevant data would be found. The download of the data was not supported by probable cause.

Id. at 661, 121 Cal. Rptr. at 513. Nor did the court find the SDM data to be lawfully seized evidence of a crime:

The Attorney General has not cited any Fourth Amendment authority permitting new intrusions into any internal part or component of a vehicle simply because the vehicle was seized as evidence. . . . The retrieval of raw data from a vehicle’s SDM not believed by police to hold any evidence of crime is not a reexamination or closer look at areas of a vehicle already reasonably believed to be or contain evidence of a crime; it is a new and different intrusion. The prosecution failed to show in this case that the download of data was justified by the circumstances warranting seizure of the vehicle and examination of its condition. Further, the download of raw data from a SDM does not qualify as a scientific test, similar to DNA or ballistics testing since downloading is merely the copying or retrieval of electronic data or information.

Id. at 663, 121 Cal. Rptr. at 515.

Clearly, the two cases can be factually distinguished. The New York case involved a download of data immediately after the accident versus the year delay in Xinos. The more important issue, however, is whether a driver has a legitimate expectation of privacy in the black box data at all, and if so, when a warrant based on probably cause should be required. As black boxes become ubiquitous in new cars, this issue is bound to be before the courts again.

It’s advice that also applies in the technology field. Just because we can develop certain technologies, doesn’t mean we should do so. Think of chemical weapons. World leaders have decided that such weapons should not be produced or deployed, even though we have the ability to do so.

It also should be applied in the tech law field. Particularly where we are dealing with technology that can invade people’s privacy. Two lines of cases come to mind. The first line of cases, including United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008), cert. denied, __ U.S. __, 129 S. Ct. 1312 (2009), have held that the government has the right to search a computer or any other electronic device possessed by a person at the border – without a warrant or probable cause. The cases have held that warrantless border searches are permissible because the government has an absolute right to regulate what crosses its borders. The fact that the government can conduct such warrantless border searches, however, does not mean that it should.

A second example are the recent cases upholding the warrantless use of GPS devices on cars. In United States v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010) and Foltz v. Commonwealth (Va. App. Ct. Sept. 7, 2010), the courts held that because there is no reasonable expectation of privacy in where a car is driven (since it can be observed by anyone on the street), there is no Fourth Amendment violation in attaching a GPS device to the vehicle and remotely monitoring the location and route taken by the vehicle without a warrant based on probable cause. Despite the fact that:

“The police had no policy regarding the use of GPS devices, in part because the devices were not used particularly often. The police did not predetermine how long they would track appellant. The police also did not develop a policy to avoid following the van into private areas.”

the Virginia court found no violation of the defendant’s rights.

In both of these examples, the courts have found that the government can engage in the conduct at issue without violating the Fourth Amendment. But the more important question is whether our government should be engaging in such conduct. While the Fourth Amendment provides a baseline for government conduct, it should be viewed as a minimum standard for individual rights, and not a maximum.

Congress has the right to require a higher standard from the government if it believes that our society requires the government to be held to such higher standard. We saw that happen in the passage of the Electronic Communications Privacy Act of 1986 (ECPA). The Act continued the federal law that regulated law enforcement’s use of wiretapping technology, despite the fact that the U.S. Supreme Court had previously held that warrantless wiretapping was not a violation of the Fourth Amendment as long as law enforcement did not physically trespass on the suspect’s property. See Olmstead v. United States, 277 U.S. 438 (1928).

The ECPA updated the prior wiretapping statute by adding electronic communications (e.g., e-mails) to the class of protected communications. Despite the fact that courts have held that there is no reasonable expectation of privacy under the Fourth Amendment in e-mails (since the recipient can disclose the contents of the e-mail to others), courts have recognized that the ECPA establishes a higher standard that law enforcement must meet before intercepting e-mails in transit or retrieving them from storage.

In enacting the ECPA, Congress decided that even though the government can wiretap telephone conversations and e-mails with impunity under the Fourth Amendment, it should not be allowed to do so unless it meets the ECPA’s higher standard.

Congress could and should do the same thing with warrantless border searches of electronic devices and the use of GPS devices. Unfortunately, in this political climate it is unlikely to happen.

It’s too bad they won’t take my father’s advice.

Some fads, however, do seem to peak. While virtual worlds still seem to be growing, they are not expanding nearly as quickly as in their early days. Many of those who went into virtual worlds thinking that they would be as liberating as the Internet was in its early days have been disappointed and have scaled down their presence or left entirely.

Music-based videogames, like “Guitar Hero,” seem to have peaked and people are talking about “Guitar Hero burnout” – people seem to be tiring of the genre.

Today, “cloud computing” seems to be all the rage. Virtually every computer industry publication is filled with articles about the subject, even though people vary greatly on what they mean by the term. As stated in the IT Law Wiki:

Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.

From a legal perspective, the critical factor in “cloud computing” is that the applications programs and your client’s data reside on computers that are not under your client’s control. This obviously raises security and privacy issues. One of the “benefits” of the “cloud” is that the user does not need to be concerned about where the computers are located. A given application could use computers in multiple jurisdictions to provide services and the user is unaware of where the computers are located. But since sensitive data is being processed in these cloud computing applications (e.g., corporate payroll, individual tax returns), the user must be concerned about where that data is being processed and stored.

Not all countries have the same data protection laws as the United States, yet U.S. laws may place a non-delegable legal obligation on your client to safeguard that data, no matter where it is physically located. Adding to the problem is the fact that many cloud computing applications are contracted for online using a clickwrap license, which does not give the client the opportunity to negotiate appropriate safeguards for the data to be supplied.

Another problem with cloud computing is the possibility that the vendor will cease doing business. Not only will the applications no longer be available to process the company’s data, but the data may disappear as well. And even if the client retains backup copies, the data may be useless without access to the applications needed to run it, display it, or even port it to a different vendor.

Whether cloud computing is a fad is still an open question. But whether or not it is, there are some real legal issues that exist today that clients need to be concerned about and must be dealt with before they jettison their in-house computer systems and move to the cloud. Clients cannot afford to bury their heads in the cloud!

Click the play button below to listen, or click here to subscribe to us on iTunes!

[display_podcast]

Here are the show notes for this week’s episode:

Shownotes for The Singularity Law Podcast: Episode 3 for October 12, 2008

Our Panel for Today:

• Josh Kagan, author of The Josh Kagan Blog
• Prof. Michael Scott of The Singularity Law Blog
• Tigran Palyan, author of “Common Law Privacy in a Not So Common World: Prospects for the Tort of Intrusion upon Seclusion in Virtual Worlds”

Privacy in Virtual Worlds – Tigran tells Michael and Josh about his new article

• “Common Law Privacy in a Not So Common World: Prospects for the Tort of Intrusion upon Seclusion in Virtual Worlds” by Tigran Palyan

Kentucky Seizes Gambling Domains

• Ars Technica: “Kentucky seizes two gambling domains, sites fight back”
• Ars Technica: “Kentucky tries to seize gambling site domain name”

Talking Point of the Week: A EULA to End All EULAs

• BoingBoing: “Sleeping Beauty Blu-Ray requires viewers to agree to 57 page EULA”