EFF Sues FBI For Records About Paid Best Buy Geek Squad Informants

The Electronic Frontier Foundation is suing the FBI for records "about the extent to which it directs and trains Best Buy employees to conduct warrantless searches of people's devices." The lawsuit stems around an incident in 2011 where a gynecology doctor took his computer for repairs at Best Buy's Geek Squad. The repair technician was a paid FBI informant that found child pornography on the doctor's computer, ultimately resulting in the doctor being charged with possessing child pornography. From the EFF's report: A federal prosecution of a doctor in California revealed that the FBI has been working for several years to cultivate informants in Best Buy's national repair facility in Brooks, Kentucky, including reportedly paying eight Geek Squad employees as informants. According to court records in the prosecution of the doctor, Mark Rettenmaier, the scheme would work as follows: Customers with computer problems would take their devices to the Geek Squad for repair. Once Geek Squad employees had the devices, they would surreptitiously search the unallocated storage space on the devices for evidence of suspected child porn images and then report any hits to the FBI for criminal prosecution. Court records show that some Geek Squad employees received $500 or $1,000 payments from the FBI. At no point did the FBI get warrants based on probable cause before Geek Squad informants conducted these searches. Nor are these cases the result of Best Buy employees happening across potential illegal content on a device and alerting authorities. Rather, the FBI was apparently directing Geek Squad workers to conduct fishing expeditions on people's devices to find evidence of criminal activity. Prosecutors would later argue, as they did in Rettenmaier's case, that because private Geek Squad personnel conducted the searches, there was no Fourth Amendment violation. The judge in Rettenmaier's case appeared to agree with prosecutors, ruling earlier this month that because the doctor consented both orally and in writing to the Geek Squad's search of his device, their search did not amount to a Fourth Amendment violation. The court, however, threw out other evidence against Rettenmaier after ruling that FBI agents misstated key facts in the application for a warrant to search his home and smartphone. We disagree with the court's ruling that Rettenmaier consented to a de-facto government search of his devices when he sought Best Buy's help to repair his computer. But the court's ruling demonstrates that law enforcement agents are potentially exploiting legal ambiguity about when private searches become government action that appears intentionally designed to try to avoid the Fourth Amendment.

Re:The judge should have thrown out evidence...

[quantaman]

But poking around a hard drive is a legitimate part of fixing a computer, and if they inform on criminal activity they've observed as part of their normal activities they're informants.

Unless the customer is asking for recovery of deleted files, please explain the reason for looking for files in unallocated space while performing maintenance.

FTA:

The case began in November 2011 when Rettenmaier, a gynecologic oncologist, took his desktop computer to a Best Buy in Mission Viejo, Calif., because it wouldn’t boot up. The technicians there were able to fix that problem, but not recover Rettenmaier’s data. Court records show that Best Buy sends all of its data recovery jobs to Geek Squad City in Brooks, Ky., outside of Louisville.

The records also show that Rettenmaier signed a form when he first handed over the computer, stating that any child pornography found by Geek Squad technicians will be reported to the authorities. When a technician called Rettenmaier to ask him if he wanted his data restored, including pictures, Rettenmaier said yes on a recorded call. In general, searches performed by private entities do not require a search warrant — only government searches do.

I'm not saying I agree the technician was acting as an informant, but there's legitimate ambiguities at work.

Re:Oh Dear Lord!

[dgatwood]

No. The third-party doctrine only covers information voluntarily given to a third party. The key word in the doctrine is "revelation". Giving a computer to a third party to repair does not constitute revealing all of the data on that computer to that third party, and thus it is not covered by the third-party doctrine. And even with an agreement that gives them the right to inspect files on the system to the extent necessary to effect repairs, that still does not grant them the right to inspect arbitrary, non-software files, which means at no point can it reasonably be considered to be a revelation of the existence of those files, much less of the contents of those files.

It seems prima facie obvious that giving hardware to a third party for repair purposes absolutely does not remove the expectation of privacy for data contained on that hardware. No Best Buy customer goes in for a computer repair thinking, "I'm giving all of my files to Best Buy for their employees' entertainment." You're giving them a computer to repair, with the expectation that your data will remain securely on that computer and will not leave that computer. In much the same way that storing a hard drive in a safety deposit box does not grant the bank the right to open the box without a warranty and give the files to law enforcement, neither can a computer repair grant Best Buy that right.

Additionally, as others have mentioned, there are fundamental chain of custody problems involved when non-law-enforcement personnel inspect a computer, to such an extent that any "evidence" obtained should be considered highly suspect to the point of being circumstantial, and arguably shouldn't even be sufficient to qualify as probable cause for a warranted search of the owner's home/office/email/*. But that issue is only relevant if the person opens up the computer and finds kiddie porn on the desktop, such that seeing it was an inevitable and normal part of the repair process. If the person had to even double-click on a folder called XXX to find the kiddie porn, we're back to fruit of the poisonous tree, and the evidence should be considered inadmissable—doubly so if law enforcement enticed those employees to break the law as part of gathering that evidence.

Terrible SCOTUS decisions set the precedent

[moeinvt]

I think it's a travesty that the government is allowed to violate the Fourth Amendment by using a 3rd party as a proxy. Unfortunately, there is legal precedent for this type of abuse. In Smith v Maryland the SCOTUS ruled that the individual has no expectation of privacy for data turned over to a 3rd party. Government asked the phone company to install a device to trace Smith's calls without seeking a warrant. The criminal court, appeals court & SCOTUS all ruled that this was legal & the evidence was therefore admissible. There was another terrible decision where the court ruled that government can get your bank records without a warrant, claiming that the records are the property of the bank & not your private papers.

This case seems to contain a new wrinkle because the FBI was paying people to go on fishing expeditions rather than targeting a specific person. I hope the courts will conclude this was an illegal search, but I think that's unlikely.

One of the great flaws in The U.S. Constitution is that government is allowed to be the arbiter of its own power.

Re:So many wrongs...

If there is Protected Health Information on his computer, he probably shouldn't be bringing it to Best Buy. Otherwise he's basically begging to be hit with HIPAA violations.

Unless Geek Squad is qualified to handle PHI. But I would be surprised if they are.