Student PC Privacy & US v. Heckenkamp

The 9th Circuit Court of Appeals has ruled on a case involving a university network admin’s search of a student’s personal computer. Inside Higher Ed covers the story.

University of Wisconsin student Jerome Heckenkamp pled guilty to federal charges arising from unauthorized access to Qualcomm’s private network. The Court found that the FBI did not need a warrant to search the student’s computer in this case. On the other hand, it held that in general students have a reasonable expectation of privacy on their personal computers, which happened to be outweighed in this case.

Higher ed media are calling this a win for privacy [Chronicle of Higher Ed]. Inside Higher Ed summarizes:

It was legitimate for the university to act as it did, the judges found, because it was acting out of concern about its own e-mail network, not to help with the law enforcement investigation set off by Qualcomm, and it acted in ways that were consistent with the university’s policies that Heckenkamp had agreed to follow.

IANAL, but I have to disagree with the conclusion that the Court was legitimizing the university’s conduct. Instead, the question was whether the FBI’s use of the network admin’s findings was legitimate. In the absence of a warrant, the FBI asserted — and was granted — a “special needs exception” to the warrant requirement.

The Court found that “requiring a warrant to investigate potential misuse of the university’s computer network would disrupt the operation of the university and the network that it relies upon in order to function.” [p. 11 of the decision] I’m not sure I buy that either, but the point is that, within this case, the university would be off the hook for the violation of privacy even if the FBI couldn’t use the results of that violation to prosecute the student.

And it only stands to reason that a university network admin, who is not a law enforcement officer, should not be held to the same 4th-Amendment standards as the FBI. So I would hesitate to draw campus network policy conclusions based on this decision — aside from that it’s probably safe to cooperate with the FBI.

5 replies on “Student PC Privacy & US v. Heckenkamp”

‘IANAL’? What does this mean?

And I wonder if the university doesn’t have an affirmative responsibility to protect the privacy of the student’s computer use. Are there accepted standards of privacy protection for info systems people? In the library world, privacy is a very, very big deal, and cooperation with the FBI is resisted on many fronts. Bobbie has been following a C-SPAN broadcast of a couple of Connecticut librarians who were subpoena’d by the FBI, and subject to a gag order under the PATRIOT Act. It’s pretty heady stuff–you should ask her about it if you’re interested. (I smell a… privacy committee?) I see an ethical obligation to protect patron privacy regardless of what the law might say; does your neck of the woods share a similar ethical sense?

IANAL = I am not a lawyer

IT professionals would never look at user data unless there was a threat to the integrity or security of the network. But that’s exactly the circumstance in this case, so we have no additional guidance on when or how we should violate user privacy. In IT and the 4th Amendment, and as you say, libraries, privacy is the default. The question is, when do we override that assumption?

I understood “it’s probably OK to cooperate with the FBI” to be agnostic on whether we should cooperate — just that we have no reason from this area of law to think we would get in trouble.

Leave a Reply