Court: No, You Don’t Have a Reasonable Expectation Of Privacy With Your PSN Account

Image courtesy of ibraheem kurdieh

How do you communicate with most of the folks in your life, these days? Is it face-to-face, or is it digital communication over someone else’s private service? If it’s the latter, there’s a recent court ruling from a federal court in Kansas that should remind you about where you should — and shouldn’t — reasonably expect your data to remain private.

This particular case revolves around a PlayStation 3 user who came to Sony’s attention by repeatedly spamming others in the PlayStation Network (PSN) asking about child pornography. Other PSN members, annoyed by being on the receiving end of gross spam, flagged and reported the messages. That led to Sony reviewing the offending account, and — surprise — the account was indeed hosting child pornography.

Sony reached out to the National Center for Missing and Exploited Children with the account information and images and the NCEMC, in turn, contacted the FBI for assistance. They got subpoenas for the email address and IP address of the user in question, which led them to get a search warrant for his home.

When law enforcement ran their search, they did indeed find materials exploiting children on his PS3, and arrested and prosecuted the user over it.

That brings us to the court, and is where this ruling [PDF] comes in.

The defendant argued in federal court that the evidence found in his PSN account before the warrant was issued and on his PS3 console after the warrant was executed was inadmissible.

His argument centered on the Fourth Amendment — that’s the one prohibiting unreasonable search and seizure and requiring law enforcement to use search warrants based on probable cause.

Using a PlayStation requires you to create a PlayStation Network account, the defendant argued, and the PSN is an electronic, online service where communications users exchange are functionally like emails. Sony, a private entity — not federal law enforcement — conducted the initial search of the user’s account after other subscribers flagged content it was sending.

The defense has argued that Sony was acting as a government agent when it conducted the search, even though it’s a private company. But the government countered that there was no Fourth Amendment-based search and that its legal standard did not apply, because a private entity (Sony) searched its own stuff.

The court sided with the feds. Previously, “our circuit has not addressed whether electronic service providers, like Sony, act as government agents when they monitor their users’ activities on their servers,” the judge wrote. But other circuits have, and they’ve pretty consistently found that private companies scanning the materials that they hold and that transit their servers for illegal material — specifically, child pornography — are not acting on behalf of the government.

The law under which Sony is governed, the judge continues, doesn’t require it to proactively monitor all user accounts or review their downloads — and it doesn’t. Sony, under the law, only has to file a report “if it learns of facts that suggest an incident of child abuse,” which, in this case, it did.

Thus, the court finds “Sony acted to protect its own interests in a safe online gaming community when it reviewed the messages and attachments” referenced in the first reports about the defendant.

Moreover the PSN terms of service specifically says that users agree not to “take any action, or upload, post, stream, or otherwise transmit any content” that Sony, “in its sole discretion, finds offensive, hateful, or vulgar.” In other words: users were warned that Sony could monitor their stuff if it dang well pleased.

In fact, the court’s opinion concludes, the user in question was not entitled to a reasonable expectation of privacy with his PSN data because he sent the messages that other users then flagged and reported. The defendant “lost any reasonable expectation of privacy in his messages once they were delivered to the recipient,” the judge wrote, and therefore the Fourth Amendment doesn’t apply to any of the messages sent.

The images downloaded onto the console are a legally thornier matter, the judge continued, but ultimately fall under the same umbrella.

The defendant argued that the Terms of Service are an “adhesion contract” — a take-it-or-leave it deal with no middle ground, and that therefore he should not have had the diminished expectation of privacy. But basically, the court concluded, it’s not the law’s fault if you don’t read the fine print that “explicitly nullified its users reasonable expectation of privacy.”

For the defendant, the full ruling means he loses his motion to suppress the evidence gathered on him, and it can be part of his trial. For the rest of us, though, it’s the precedent that’s important.

A whopping 98% of users — so, basically all of us — don’t actually read the terms of service for most of the sites and services we use.

Privacy policies, meanwhile, are surrounded by as much myth as reality, and are a major pain in the butt for most users to read without some assistance or at least helpful color-coding.

That leaves users at a disadvantage: legal protection and privacy expectations are clearly outlined in documents most users say they’ve agreed to, but have never actually read. And rights about where you can and can’t maintain a reasonable expectation of privacy are a complicated patchwork of unconnected laws, applying to some industries and information, but not others.

So remember: always read the terms of service. And if they say the company can bust you for doing illegal things on their service, don’t be surprised if you get caught.

[via Ars Technica]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.