fourthamendment

Bad Beat: Iowa Gambling Probe Allegedly Violated Student Athletes’ Constitutional Rights with Warrantless Geofence

/ Washington Journal of Law, Technology & Arts / Leave a comment

By: Sam William Kuper

“I hope all of these athletes at Iowa (UI) and Iowa State (ISU) take the State of Iowa to the cleaners.” UI men’s wrestling coach Tom Brands did not mince words describing the recent fallout from actions taken by the Iowa Division of Criminal Investigation (DCI) against student athletes. Last year, over a dozen student athletes and students at UI and ISU were criminally charged and some were suspended by the NCAA under suspicion of illegal sports gambling. However, a recent motion by defendant Isaiah Lee, a former ISU football player, alleges that the  charges were a result of an unconstitutional “warrantless search.”

Initial Investigation

Back in May of 2023, the DCI initiated an investigation of UI and ISU student athletes suspected of sports gambling in violation of state and NCAA rules. 25 current or former UI and ISU athletes and student managers were charged because of the investigation. Many for “tampering with records”—an aggravated misdemeanor that carries a maximum sentence of up to two years in prison—for allegedly falsifying personal electronic sports wagering records by utilizing the accounts of others to place sports bets. 16 pleaded guilty, with most pleading guilty to the lesser charge of underage gambling. Some of those charged were subsequently suspended by the NCAA, with different punishments depending on whether their wagers were on their own games or that of other sports or schools. For example, Isaiah Lee faced permanent ineligibility for placing a bet against his own team in a game where ISU beat Texas 30-7.

Alleged “Warrantless Search”

Isaiah Lee’s January 22nd Motion to Compel outlines his version of the facts. First, it is important to understand that gambling companies such as FanDuel and DraftKings must verify the location of their mobile users to make sure they are in a jurisdiction where sports gambling is legal. They do so via the company GeoComply, who act as the “custodians of data and processing” on behalf of their customers.

In December of 2022, Special DCI Agent Brian Sanger was given access to GeoComply’s data visualization and data analytics tool, Kibana. He used the software tool to place a “Geofence”—a virtual fence on a desired geographic area that reveals data of users within that area—around an athletic facility at UI where access is restricted to athletes, coaches, and support personnel. After he found gambling apps were opened inside the geofence, he requested subpoenas to obtain identifying account and bet information—leading to criminal charges for the student athletes.

According to the motion, Sanger did not remember why he initiated the search, but that he was “concerned about things such as people infiltrating Iowa’s sports team to gain insider information or match fixing.” However, he apparently did so without “warrant[s], tips, complaints, or evidence that illegal gambling was occurring.” The purpose of the discovery motion is to compel the State to disclose the circumstances and communications surrounding how and why Sanger and the DCI came to be in use of Kibana, and the types of searches he performed with it. For context, GeoComply’s website states they only comply with data requests from law enforcement if it is “legally binding and valid.”

What is a Fourth Amendment regulated search?

The Fourth Amendment of the U.S. Constitution protects people from unreasonable searches and seizures by government actors (like Sanger). The modern “reasonable expectation of privacy” or “REP” test as to whether Fourth Amendment protections apply was stated in Justice Harlan’s concurrence in Katz v. United States (1967): (1) the person must have exhibited an actual (subjective) expectation of privacy; and (2) that expectation must be one that society is prepared to recognize as “reasonable.” If these requirements are met, then the Fourth Amendment applies and the government needs a warrant based on probable cause to search.

However, under the “third-party exposure doctrine,” a person has no legitimate expectation of privacy in what they knowingly expose to the public or third parties. For example, the Supreme Court has held that there is no REP in garbage left on the curb of your home for pickup. But this standard has been heavily controversial in the digital age, as modern consumers often “reveal a great deal of information about themselves to third parties”—such as Google, Facebook, and their cell phone providers. In the landmark case Carpenter v. United States (2018) a 5-4 court declined to extend this doctrine to tracking cell-site location information for longer than seven days—suggesting that users have a reasonable expectation of privacy in their location history despite its disclosure to parties like Google. In addition, the court held in Kyllo v. United States (2001) that “[w]here . . . the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.” There, the government unconstitutionally used a thermal imaging device to scan the defendant’s home for heaters used in growing marijuana without a warrant. 

Did the student athletes have a REP?

The question of whether student athletes like Isaiah Lee are protected by the Fourth Amendment is complicated. While the first prong of the REP test is uncontroversially met, the second prong, along with the third-party exposure doctrine, raises many questions.

For example, what kind of location data was used? GeoComply’s website says they collect GPS, GSM, Wi-Fi, and IP Address data from the user’s device to verify location accuracy. Many universities, like UW, have a policy of turning over evidence of illegal activities on their network as soon as possible after detection. Thus, one would likely not have a REP of illegal activities while on UW’s network (however, UI does appear to have a greater level of privacy protection). But if, by chance, GeoComply only used GPS data, and the students were using solely their cellular network to access the gambling applications, there would likely be a stronger argument in favor of a REP.

With the alleged facts we have as of now, this case resembles Kyllo. The government used “a device that is not in general public use” (geofence software Kibana) “to explore details of the home that would previously have been unknowable without physical intrusion” (whether mobile phones in dorms and athletics facilities accessed gambling apps) without a warrant supported by probable cause. The debate is whether a public school’s dorms and athletics facilities should carry the same level of protection as a home.

What would be the remedy?

If the court finds Sanger’s use of the geofence software to be unconstitutional, the remedy would be the “exclusionary rule.” This would prevent the government from using the evidence gathered, along with any evidence gathered because of the original evidence (such as the identifying account information gathered because of the original geofence) in criminal prosecution. Thus, all the currently pending UI and ISU cases would likely be dismissed. But could the students then bring a civil action against Sanger under 42 U.S.C. 1983 for compensatory damages (such as lost wages from being suspended by the NCAA)? That is an entirely different question.

Remote Test Scans Expose Larger Privacy Failures

/ Washington Journal of Law, Technology & Arts / Leave a comment

By: James Ostrowski

In a major challenge to pandemic remote learning practices, the court in Ogletree v. Cleveland State University ruled that scanning students’ rooms violates the Fourth Amendment’s prohibition against unreasonable searches. While this decision is a definitive rebuke of a widely used practice, the case also reveals systemic flaws in university privacy practices. This blog will build off Ogletree to strike a balance between test integrity and privacy rights. 

Covid Acceleration 

For technology companies, the coronavirus pandemic was an accelerant. Startups rushed out messaging apps, video platforms, and ecommerce sites to thaw a populace frozen by a blizzard of lockdowns. There was perhaps no greater market capture for technology companies than in education. Colleges moved entirely online, deploying previously known but relatively new technologies, such as Zoom, on an unprecedented scale. Legions of students attended class from their kitchen tables and bedrooms. Professors, intent on maintaining their in-person standards in a remote world, relied on proctoring tools, many of which required room scans from students who had little choice but to comply. Now, two years later, hundreds of programs still record students throughout remote tests. 

Remote Test Scans Ruled Unconstitutional 

In February 2021, a student at Cleveland State University, Aaron Ogletree, was sitting for a remote chemistry exam when his proctor told him to scan his bedroom. He was surprised. Ogletree assumed the room scan policy had been abolished, until, two hours before the test, Cleveland State emailed him that he would have to scan his room. Ogletree responded that he had sensitive tax documents exposed and could not remove them. Like many students, Ogletree had to stay home due to health considerations, and he could only take exams in the bedroom of his house. Faced with the false choice of complying with the search or failing the test, he panned his laptop’s webcam around his bedroom for the proctor and all the students present to see. 

Ogletree sued Cleveland State for violating his Fourth Amendment rights. The Fourth Amendment protects “[t]he right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures.” 

Ohio District Court judge J. Philip Calabrese decided in favor of the student because of the heightened Fourth Amendment protection afforded to the home, the lack of alternatives for Ogletree, and the short notice. Calabrese conceded that this intrusion may have been minor, but cited Boyd v. United States to support the slippery slope argument that “unconstitutional practices get their first footing…by silent approaches and slight deviations.” 

The facts of this case are a symptom of a larger problem. The university failed its students and its professors when it did not consistently apply its online education technology. 

Arbitrary Application and Lack of Policies 

Cleveland State provides professors with an arsenal of services to administer online classes. These tools include a plagiarism detection system that faculty can use to see students’ IP addresses, a proctoring service that records students and uses artificial intelligence to flag suspicious behavior, and, of course, pre-test room scans.

The school leaves it entirely to the discretion of faculty members—many of whom are not experts in student privacy—to choose which tools or combinations of tools to use. Cleveland State’s existing policies offer no guidance on the tradeoffs of using any one method. This is tantamount to JetBlue asking its pilots to fly through a whiteout without radar.

Toward a Unified Policy

What may have been an understandable oversight in the early pandemic whirlwind cannot be considered so now. The tension between privacy and security is well-known. Only by careful balancing of students’ privacy rights and university interest in test integrity will we find a workable solution. Schools across the country should take heed of the Ogletree ruling. University leadership holds the responsibility to balancing those interests and impart clear guidance to test administrators. To foster this progression, we offer two recommendations: 

  1. Cost-Benefit Guidance: The university should score tools on privacy interests involved and the expected benefit of its application. This should include guidance on whether a method can be easily circumvented. As individual teachers are not necessarily savvy on the legal implications of certain remote test policies, the university must provide clear analysis and guidance. An example entry may read, “Blackboard provides student location data. Though location tracking is a relatively common practice, students must be made aware of it. This tool can ensure that students are where they say there are, which is not usually relevant for test integrity. If students wished, they could easily evade this using a low-cost VPN.” 
  1. Test Policy Clearly Outlined in Syllabi: Professors should provide guidance within their course descriptions on what technologies and methods are used to administer tests, and students could sign an acknowledgment form. For example, a professor would delineate applications they use to administer exams, information about whether the exams are proctored, and recourse for not following a policy. This way, students can make affirmative decisions about their privacy exposure by choosing a course that aligns with their interests rather than be blindsided by heavy-handed policy in the final weeks of a semester. This way, professors will not have to worry about future disagreements because their students knowingly consented to the course’s policies.

The university must balance policy considerations around security and privacy rights. A failure to balance these conflicting pursuits can cause student anxiety, unnecessary privacy violations, and poor test integrity.

The Fourth Amendment’s Third-Party Exposure Doctrine in the New Age of Data

/ Washington Journal of Law, Technology & Arts / Leave a comment
Photo by Markus Spiske on Pexels.com

By: Kyle Kennedy

The Fourth Amendment protects US citizens from unreasonable searches and seizures by creating an administrative barrier between citizens and investigating authorities. In addition to the Fourth Amendment, the lack of government resources also serves to protect individual privacy because investigative authorities can neither afford nor validate surveillance of citizens past a certain cost-benefit tradeoff. Together, the intended effect of these protections is to sufficiently guard against invasions of citizen’s privacy by government authorities in pursuit of evidence. However, the interaction of modern-day technology and the increased availability of data as a result of the Third-Party Exposure Doctrine leaves US citizen’s personal information exposed to the government in unprecedented ways.

The Supreme Court has held that the Fourth Amendment provides protections to citizens based on a reasonable expectation of privacy. However, the Third-Party Exposure Doctrine states that information willingly revealed to third parties is not subject to Fourth Amendment protections. As an example, in U.S. v. Miller, the Supreme Court held that there is no reasonable expectation of privacy for information shared in bank records. However, in the landmark case of Carpenter v. United States, the Supreme Court limited the Third-Party Exposure Doctrine by holding that collecting seven days worth of cell phone location information was a violation of the Fourth Amendment. However, it is worth noting that the holding in Carpenter was cabined to its facts, therefore leaving significant questions about the application of the Third-Party Exposure Doctrine to consumer data and electronic records unanswered.  

In addition to the privacy protections afforded by the Fourth Amendment, the Stored Communications Act (SCA) protects against searches of electronically stored information. Under the SCA, the government can access content information of emails that have been unopened and in storage for over 180 days or of email that have been opened and undeleted with a mere administrative subpoena or 2703(d) court order. The SCA provides even less protection to non-content data like account information or metadata. The weak protections this statute provides for electronically stored information demonstrates that the statute does not fit the modern state of technology and data privacy and is clearly outdated.

Given the exponential increase in internet use and data creation in recent years, consumer data has never been as plentifully available as it is today. According to Forbes, Americans send 188 million emails, 18.1 million texts, and 4.5 million Google searches every minute. Further, Americans download 390,030 third-party apps every minute, all of which seek consent from the user to collect their data. Under the landmark Carpenter case, the Fourth Amendment protects against the unwarranted collection of seven days of cell phone records. This precedent could ostensibly be extended to consumer data shared on third-party apps. However, the Supreme Court has so far declined to determine whether a shorter period of data collection would be permissible or whether data consensually shared with third-party apps triggers a lower expectation of privacy than automatically collected cell phone records. 

The SCA does not provide any better answers than the current body of case law. Overall, the SCA tends to create a relatively low administrative hurdle for searches of electronic data.  The SCA categorizing of digital records based on content, whether the records are opened, and the time in storage is an ineffective approach to balancing privacy protections against the government’s investigative need. A wide variety of individual data is not cleanly divided by the SCA’s categories of the content or whether it has been opened or deleted.  Furthermore, the efficacy of providing lower protections to older records is reduced by the government’s need for timely investigative data as well as individual’s continued privacy interest in that older data.

The lack of clear Fourth Amendment (or other statutory) protections for electronic data weakens the barrier of privacy between individuals and the government. This barrier is further weakened by the relatively low cost of investigation through the searching of electronic data and records. For example, advanced saliency algorithms and deep learning techniques allow authorities to process visual data and access information at quicker speeds and lower costs than ever before. These same algorithms and techniques are easily applied to non-visual user data generated by third-party applications. Individuals using third-party applications on their personal devices store messages, locational data, and other consumer data on these platforms which potentially exposes this data to the government under the Third-Party Exposure Doctrine.  Although the majority in Carpenter limited the Third-Party Exposure Doctrine as it relates to cell phone data, it remains unclear what level of privacy the Fourth Amendment provides to data shared with third-party applications. Although Carpenter discussed the pervasive nature of cell phones in everyday life, the Court also specifically mentioned that the cell phone data in that case was tracked and recorded without any affirmative action by the user. Data shared through third-party apps often requires the user’s consent to data collection. It could be argued that the user’s consent is a voluntary exposure to a third party, thus leaving room for a distinguishing argument by the government. While the precise nature of the privacy protections provided by the Fourth Amendment to electronic data are unclear, there is a clear tension between the modern state of technological surveillance and the current rule of law protecting US citizens’ individual information. 

The implications of insufficient protection of consumer data are wide-reaching.  For example, there is serious concern that data from third-party apps tracking menstrual cycles or location data could be used in criminal prosecution in states that have recently instituted abortion bans or restrictions. Given the current political climate, the relative powers of the branches of the federal government, and the slow-moving and unpredictable nature of the Supreme Court, the most ideal path forward would be for Congress to pass new nation-wide privacy protection legislation. There are many advantages to a clearcut, nation-wide framework of law which balances the need for privacy with the need for government investigation while providing technologically relevant protection to personal data. A question for future research would be whether Congress’s scope of power would allow it to regulate the use of consumer data by investigative authorities, specifically at the state level. Assuming the power is within their scope, an act of Congress would provide the most effective solution to closing the gap between modern technology and current law. Absent such congressional action, US citizens will be forced to rely upon the legislating bodies of their individual states to provide increased personal data privacy protections.