Wisconsin Court Says Warrants Are Needed To Search Dropbox Accounts, Even If They Belong To Cops
If you want access to content and communications, it seems pretty obvious you should get a warrant. There are plenty of warrant exceptions, but rooting around in things pretty much everyone believes have an expectation of privacy - whether it's their house, their phones, or their online document storage services - generally requires a warrant.
Cloud storage is no different. Just because it's not physically in the possession of investigation targets or suspected criminals doesn't mean they don't have a reasonable expectation of privacy in the contents of their accounts.
There's not much court precedent dealing with this particular issue, though. Fourth Amendment expert Orin Kerr suggests this may have something to do with corporate policies governing users' content.
It's surprising how little caselaw there is on this. That's partly because lawyers for Internet providers generally require a warrant before they'll turn over account contents, and investigators can't practically sue the providers over that if they disagree (it takes too long).
First off: good for service providers! Demanding a warrant even when there's a dearth of supporting case law is a good first step. It deters fishing expeditions and discourages law enforcement from wading into untested legal waters too often.
Second, pushback like this forces law enforcement to tacitly admit they too believe warrants should be used to obtain content from third party services. If they firmly believed warrant exceptions (like the Third Party Doctrine) applied, they'd perform their own pushback, especially in cases (like this one) where time doesn't appear to be of the essence.
Of course, doing this runs the risk of generating precedent that works against law enforcement's warrant-optional desires. That's what has happened here. Unsurprisingly, it took someone who knows how to work the system to get this established by a Wisconsin appeals court [PDF]: a cop.
Detective Sergeant Steven Bowers was charged with misconduct in office after sharing confidential sheriff's department files with the producers of the Cold Justice" TV show. Bowers used his Taylor County email address to create the account - a fact that apparently led investigators to believe no warrant was needed to access the contents of Sgt. Bowers' account.
They were wrong. The lower court suppressed the evidence, ruling that the warrantless search violated the Fourth Amendment. The Appeals Court comes to the same conclusion - one that makes it clear the expectation of privacy still applies to the contents of online storage services, even if the account was activated using a government provided email account.
The route taken to achieve this Fourth Amendment violation was, however, made much, much easier by Sgt. Bowers' decision to use a government email account, rather than one of his own.
Bowers had used his county e-mail address to set up his Account, although he paid for it with his own funds. Lind testified that on March 2, 2017, she performed a password reset on Bowers' Account, which then e-mailed a link to [Bowers' county] e-mail address." Given that she had access to Bowers' county e-mail account through her role in IT, she then entered his e-mail account and used that link to change Bowers' Account password, effectively severing Bowers' access to his Account. Lind then personally accessed Bowers' Account with the [district attorney] and [Daniels] present." According to Lind, the search of Bowers' Account revealed both that the Murder 3 file was in the Account and that Bowers had shared the case file with individuals outside the department.
So, yeah... OpSec is still hit and miss when it comes to rookie leakers. Bowers should have known utilizing his government email account gave him less than exclusive control of it. That much was made clear by the county's clickwrap, which informed Bowers his account was exclusively owned" by the government he worked for.
Even so, it was still his personal Dropbox account that was accessed. The lower court first said Bowers had no expectation of privacy in this account because he had no expectation of privacy in his government email account. It rolled that decision back after taking a second look at the situation after Bowers reminded the court this search involved the contents of a Dropbox account he personally paid for, rather than one provided to him by the county government.
The Appeals Court affirms: this was a search under the Fourth Amendment. And, as such, a warrant was needed. The fact that the department was able to avoid interacting with Dropbox and utilized a government email address to reset the password to gain access doesn't change the calculus of the Fourth Amendment issues.
[T]he department seized control of Bowers' private Account located on servers outside the department by using Bowers' county-owned e-mail address to change his Dropbox password. It then accessed and searched the information in his Account. The department did not receive the evidence from a third party, and it did not simply obtain specific files from Bowers' Account. The department seized and searched at least portions of, if not all of, Bowers' Account. Accordingly, the third-party doctrine cases that the State relies upon are inapt under the circumstances of this case. We agree with Bowers that the Court's decisions in Miller and Smith do not clearly control the department's actions here, as the department did much more than obtain access to metadata or Dropbox's business records.
The State focuses on the fact that Bowers created this Account with his county-owned e-mail address. Apart from using that e-mail address, however, Bowers created the Account on his own. Bowers paid for the Account with his own money, and the Account was password protected. The department did not search its own devices to access the information in Bowers' Account; it used the internet as a tool to access the outside server on which the Account was located.
Even if some of that might apply if the court were willing to fully oblige the terrible Third Party Doctrine arguments the state presented, it still wouldn't matter. There's an expectation of privacy in online storage accounts - something that can't be undone simply because the government claims there isn't.
Here, we conclude that society is willing to recognize that a user has a legitimate expectation of privacy in his or her Dropbox account. According to Dropbox, it boasts over 700 million users on its platform, and it specifically tells its users that [w]ith Dropbox, your files belong to you, not us, so you can be sure we're not reselling your data." Dropbox, https://www.dropbox.com (last visited Dec. 13, 2022). By using a password that is not shared, these users expect their cloud-storage accounts to remain private unless the user shares the files with others, even if the information is stored by a third party. See Johnson, supra, at 886 & n.126 (This is the equivalent of renting a safety deposit box, locking it, and trusting the bank not to break the lock.").
Thus, under the totality of the circumstances and when considering the Dumstrey factors, we conclude that Bowers had a reasonable expectation of privacy in his Account. Law enforcement seized Bowers' Account and searched it without a warrant, thereby violating Bowers' Fourth Amendment rights.
Rights are for the people. The government doesn't have any. It has powers, and that's what these rights constrain. What ultimately matters in terms of the reasonableness" of privacy expectations is what the public believes is reasonable. That the government believes otherwise doesn't matter. Not in this case, at least.