State v. Reid

State v. Reid, 194 N.J. 386, 954 A.2d 503 (N.J. 2008), was a criminal court case in which the New Jersey Supreme Court ruled that Internet service provider (ISP) subscribers have a reasonable expectation of privacy in the identifying information they provide to ISPs. This case has helped place New Jersey at the forefront of the states committed to providing their residents with broader privacy protections than those available under federal law.

The issues under the court's consideration were: 1) do ISP subscribers have a protected privacy interest in their subscription information; 2) how is it proper for law enforcement officials to gain access to that information; and 3) what is the proper remedy when law enforcement officials gain access to that information by unlawful means?

Facts
Shirley Reid, an employee of Jersey Diesel, had been away from her job on disability leave. Reid returned to work on the morning of August 24, 2004 and had an argument with Timothy Wilson, the company's owner, about her temporary light duty assignment. At 9:57 a.m., someone accessed Jersey Diesel's account on website of its supplier Donaldson Company, Inc.. At 10:07 a.m., that person changed the account's password and changed the shipping address to a non-existent address.

Donaldson contacted Wilson to notify him of the change made to his company's account. The supplier provided Wilson with the IP address of the user who accessed Jersey Diesel's account. Wilson then contacted the ISP, Comcast, who refused to disclose the identity of the user without a subpoena. Suspecting Reid because she was the only employee who knew the company's username and password, Wilson reported the occurrence to the Lower Township Police Department on August 27.

Comcast revealed Reid to be the subscriber a week after being served with a subpoena duces tecum by the Lower Township Municipal Court on September 7. On the basis of that information, Reid was arrested on October 9 and indicted for second-degree computer theft on February 22, 2005.

Procedural history
Upon her indictment, Reid filed a motion to suppress the evidence obtained by means of the municipal subpoena on grounds that the subpoena was an unconstitutional violation of Reid's "right to be free from unreasonable searches and seizures." The trial court granted this motion.

The New Jersey Superior Court Appellate Division affirmed, finding the subpoena invalid for three reasons: 1) it was issued without connection to any judicial proceeding; 2) it was returnable the day it was issued; and 3) the Municipal Court did not have the jurisdiction to issue subpoenas related to an indictable offense. Though the Appellate Division found a protected privacy interest in ISP subscriber information, it did not set a clear standard for the judicial process by which such information could properly be obtained by law enforcement.

The State appealed the Appellate Division's ruling to the New Jersey Supreme Court.

Opinion of the Court
The court held: 1) ISP subscribers do have a reasonable expectation of privacy regarding their subscriber information; 2) law enforcement officials seeking to access that information must obtain a grand jury subpoena based on a finding of relevance; and 3) protected information gathered without following the proper judicial procedure must be suppressed under the exclusionary rule.

I. New Jersey Privacy Law
Before proceeding to the factual analysis, the court laid out the current state of privacy law in New Jersey as it relates to subscriber information. Though it acknowledged the similarities in language between the Fourth Amendment to the United States Constitution and the equivalent provision in the New Jersey State Constitution, the court clarified that the search and seizure protections in New Jersey are broader. Federal case law does not recognize a privacy interest in information exposed to third parties such as banks, telephone companies, and ISPs; however, New Jersey recognized such in interest in State v. Hunt, where the court held that citizens have a reasonable expectation of privacy in the disclosure of their telephone billing records, and in State v. McAllister, which recognized bank account holders' privacy interest in their bank records.

The New Jersey Wiretapping and Electronic Surveillance Control Act ("Wiretap Act") also provides more expansive protection than federal law, allowing disclosure of ISP subscriber information only when law enforcement obtains a grand jury or trial subpoena or subpoena issued by the New Jersey State Commission of Investigation. However, the statute only provides for the recovery of civil damages and attorney's fees if a subscriber's information is wrongfully disclosed.

II. Privacy Expectation for ISP Subscribers
Rejecting the State's comparison of IP addresses to the unprotected return addresses on envelopes, the court ruled that there is a reasonable expectation of privacy for ISP subscribers regarding their personal information. The difference, the court reasoned, is that return addresses are not required to mail a letter, yet IP addresses are required to go online. Disclosure to third parties, when required to obtain service, does not waive the expectation that the disclosed information not be shared with other individuals or entities.

In its argument that no expectation of privacy exists for ISP subscribers, the State cited State v. Evers as precedent. In Evers, a deputy sheriff in California obtained a search warrant against AOL's corporate headquarters in Virginia to learn the identities of individuals who had emailed him after his undercover infiltration of a pedophilia-themed chat room. The court upheld the validity of the search warrant against the privacy claims of a New Jersey man who had emailed the deputy a pornographic image.

The New Jersey Supreme Court rejected the State's use of Evers as justification for the subpoena issued in the present cases. Distinguishing Evers, the court noted that federal, rather than New Jersey laws, were applied in that case because the warrant was issued by a California police department for the records of a Virginia-based business, with no involvement by New Jersey authorities. Therefore, Evers has no bearing on privacy law in the state of New Jersey.

The court also highlighted the notion that the reasonableness of the expectation of privacy in this case is dependent upon the evolution of technology. Currently, there is no way for an individual to obtain another's ISP subscriber information without contacting the ISP itself, so it is reasonable for one to expect that information to remain private. Though there are websites like Whois that provide IP address locater services, they usually provide only the name and location of the ISP rather than of an individual, because most people obtain their IP address through an ISP. Yet, the court imagined that if a program allowing individuals to identify each other without having to contact ISP providers became widely available, then it would likely no longer be reasonable to expect anonymity in one's online activities.

III. Proper Procedure for Accessing ISP Subscriber Information
Holding that a grand jury subpoena, not a municipal subpoena, is the appropriate means by which law enforcement may gain access to ISP records, the court clarified the Appellate Division's finding that "some means of proper judicial process" is required to force disclosure.

In following the principles laid out in McAllister, which held that a grand jury subpoena is required to obtain bank records in a criminal investigation, the court found "no material difference" between ISP subscriber information and bank records, as both types of records reveal personal information worthy of protection.

Though the defendant and amici curiae, the Association of Criminal Defense Lawyers of New Jersey (ACDL) and the American Civil Liberties Union of New Jersey (ACLU), argued that notice of the subpoena must also be given to the subscriber, the court again deferred to McAllister, where it ruled that notice is not constitutionally required in order for law enforcement to obtain bank records through a grand jury subpoena.

The court also followed McAllister in holding that a showing of relevance, rather than probable cause, is the proper evidentiary standard on which the grand jury subpoena should be based. Noting that a grand jury is an investigative body that must be able to "issue subpoenas to gather information", the court found that requiring a grand jury to have probable cause before issuing a subpoena would defeat the very purpose of its existence.

IV. Consequences of Violating ISP Subscriber Privacy
Citing State v. Lee, the court held that "evidence discovered, directly or indirectly, as a result of a constitutional violation must be suppressed" under the exclusionary rule. Expanding the subscriber rights established in the Wiretap Act, the court held that a subscriber whose records had been wrongfully obtained has the right to bring a motion to suppress.

Though the court held that the suppression of the evidence would be fatal to the indictment in its current form, it found that the State could go forward by moving to dismiss the indictment, re-serving Comcast with a grand jury subpoena, and seeking a new indictment. Unlike the information revealed through coerced confessions, the information contained in subscriber records is not permanently corrupted by police misconduct. As a result, the information may be re-obtained following the proper judicial procedures.

Reactions
Privacy advocates have hailed this decision as yet another in an increasingly long line of New Jersey cases that have provided privacy protections beyond those provided by the U.S. Constitution. New Jersey's version of the 4th Amendment extends protection to bank records, phone records, and ISP records, an approach which, according to computer crime expert Orin S. Kerr, "regulates what needs to be regulated and does so with as much privacy protection as needed but no more."

Though many privacy scholars and advocates were satisfied with the court's decision in this case, some were disappointed that the court did not go a step further by requiring notice to the IP subscriber. Others believe that the requirement of a grand jury subpoena does not go far enough to prevent unreasonable searches and seizures; a few commentators have advocated that the court require law enforcement to obtain a search warrant based on a finding of probable cause before accessing ISP subscriber records.