Shira A. Scheindlin, a District Judge from the United States District Court for the Southern District of New York issued a very interesting opinion on 28 October 2014 for those eager to know if the distinction between metadata and content data does make sense [members of the Peep Beep! team have already took their pens to write on the topic of metadata here]
In a nutshell, a Mr F. is facing criminal charges for the production and transportation of child pornography. His claim in the case at hand is that evidence derived from the examination of his emails by AOL (one of the main US ISPs) and his chats by Omegle (an online platform for text and video chat with strangers) was obtained in violation of the Fourth Amendment to the US Constitution. One thing to bear in mind is that F. “was on probation in connection with a 2010 conviction for possession of child pornography”. His probation agreement stipulated that F. permits his “probation officer or their designee to inspect and access [his] computer at anytime,  include[ing] storage devices and any other media”.
The Court had to address two main questions:
- Whether F. “had an expectation of privacy in the content of his emails and chats?”
What are the interesting bits of the decision?
▪ First, the decision clearly explains how AOL and Omegle monitor their users’ behaviour.
- So for those who do not know, “when AOL users send or receive emails that contain attachments, AOL runs two background monitoring systems designed to scan for illicit material, including, but not limited to, child pornography. The programs work by assigning “hash numbers” to image and video files.” One program looks for one-to-one matches with known child pornography and the other for similarities between hash numbers (in this case an AOL employee then looks at the file). If identical or similar hash numbers are found the emails are quarantined, i.e. they are not received by the recipient’s inbox, and a report is submitted to the National Center for Missing and Exploited Children (NCMEC).
- As regards Omegle, it “monitors for inappropriate content… by capturing snaphshots from chats that are conducted on Omegle, which are then analysed by an automated program for content that is likely to be inappropriate, including, but not limited to, child pornography. When the automated program flags inappropriate content, the chats are passed on to two human reviewers, and if a reviewer finds evidence of child pornography, a NCMEC report is filed”.
F.’s emails had thus been quarantined (and therefore had not been received by F.) and his chats had been analysed and NCMEC reports were filed.
▪ Second, the Court recalls that depending upon the nature of the information at stake [i.e. whether it is metadata or content data] a person can have a legitimate expectation of privacy in the information that he voluntary turns over to third parties. This is the case with content data but not with metadata. But no definition of metadata is once again provided, although IP addresses and location information are given as examples. [So Internet and online service providers can do whatever they want with metadata, can they? Even if they systematically collect and store these data? Even if they create profiles of Internet users?]
▪ Third, even a probationer can have some expectations of privacy in relation to the content of his communications, including emails and chats. The question is whether the probationer has consented to searches from law enforcement. Mere acquiescence is not enough to characterise consent. The judge could not conclude in this case that F. “’s probation agreement extinguished his expectations of privacy vis-à-vis law enforcement in general”.
At the end of the day, I am not that sure that there is really a difference between metadata and content data! [Peep Beep!]