Federal Court Awards Immunity To Sheriff Who Searched An Officer’s Private Dropbox Account Without A Warrant

from the wrong-but-apparently-a-new-way-of-being-wrong dept

Law enforcement officers are more used to violating rights than having theirs violated, so this case — brought to us by Courthouse News Service — is something of an anomaly.

But it is a good discussion of some issues that don’t receive a lot of attention. Like, how is “reasonable” defined in terms of searches when both the searcher and the searchee are government employees? And how do company IT policies apply to searches of private accounts when the company is actually the government… and the private account is linked to a government email account?

The plaintiff is a government employee who perhaps got a little bit too carried away helping out the people producing a law enforcement-oriented TV show. From the decision [PDF]:

Plaintiff Steven Bowers was a sergeant for the Taylor County sheriff’s department. In 2017, the department started working with a television show called Cold Justice, a true-crime series that investigates unsolved crimes. The department gave the crew members access to one case file, but Bowers began sharing other case files with them, even though he didn’t have permission to do so. After Bowers admitted what he had done, Sheriff Bruce Daniels directed IT director Melissa Lind (formerly Melissa Seavers) to try to access Bowers’ Dropbox account, where Daniels believed that Bowers had stored the files. Lind was able to do so because the Dropbox account was linked to Bowers’s work email. Lind changed Bowers’s account password, accessed the account, and found the case files.

Bowers sued the IT director and the sheriff, alleging violations of his Fourth Amendment rights via the warrantless search of his private Dropbox account.

The court says a lot of things go into its determination that 1) rights were violated, but 2) immunity still applies, starting with this list:

The general rule is that a warrant is required for searches of private property. But there are more lenient standards involving some searches conducted by government employers. The Dropbox account was Bowers’s personal account, and it wasn’t stored on county servers, factors tending to support Bowers’s contention that a warrant was required. But other factors point the other way, including that Bowers linked the account to his work email and he placed work files taken from a work computer into the account. The account was password protected, but Bowers had shared access with several others.

The court notes the Supreme Court hasn’t exactly produced a wealth of case law that applies to cases like these, where both parties work for the government. Complicating things are choices Bowers made (like sharing documents using the account) that made his account perhaps a bit less private than accounts only accessible by their owners.

The defendants claimed the county’s IT policy gave it the unilateral right to do what they did, given that employees agreed to clauses stating they had no expectation of privacy when using department computer equipment. The court isn’t quite as charitable in its reading of the policy.

The policy states that employees have no expectation of privacy for material “on Taylor County equipment,” but it’s undisputed that Bowers’s Dropbox account was stored on the cloud, not on county servers. Defendants also point to the language that the county may “access any electronic communications at any time.” But Bowers’s Dropbox account wasn’t an electronic communication, so that provision doesn’t apply either.

This leaves the IT policy provision that gives the county the right to “monitor all information technology usage.” Defendants emphasize the word “all,” contending that it extends beyond the county’s own equipment. But that’s not a reasonable interpretation, as it suggests that the county could monitor its employees on any personal electronic device anytime, anywhere, and for any purpose. The more reasonable interpretation is that the policy applies to technology use that is either done while on the job or on a county device.

The fact that Bowers shared files from this Dropbox account also doesn’t weigh against his expectation of privacy… at least not as much as the defendants would like it to.

Linking the account to his work email blurs the boundary between his work and private spaces, but the county’s IT policy says nothing about monitoring private accounts that are linked to work email. In the absence of a clearer notice from the county, Bowers was entitled to assume that a private account was private.

As for sharing the account with the TV crew members and a friend, that doesn’t mean that Bowers was inviting anyone to view his account. By way of comparison, homeowners don’t forfeit a reasonable expectation of privacy against intrusions by the police if they invite friends to stay with them.

That last paragraph takes a pretty big swipe at the Third Party Doctrine, which assumes (nearly) anything shared with private companies to utilize goods and services can be obtained without a warrant. This statement makes it clear this court does not believe people give up any expectation of privacy just because they’ve shared information with others.

The court also discusses the terms of service Dropbox users agree to, which say Dropbox may access files at any time. Again, the court says assumptions made by the defendants about privacy expectations are wrong. And, although the court goes out of its way to point out this part is not a discussion about the Third Party Doctrine, it still seems pretty applicable.

Bowers’s claim is about restricting access to his account, not protecting the particular files at issue or preventing third parties from sharing the files. One can lose a right to keep information private by disclosing it to the public, but that doesn’t mean the government can force entry into someone’s home on the ground that the home contains public documents. As another example, if someone sends an email to a friend, the Fourth Amendment won’t prevent the friend from sharing the contents of the email with the police, but that doesn’t mean the police are entitled to hack an email account because all the emails are being shared with a third party.

This is a very good discussion of issues that are likely to resurface repeatedly as more storage of personal information and files moves to the cloud and away from local drives. But it’s only the beginning of this discussion — one being made without much assistance from precedential decisions. And that means the participants in the Fourth Amendment violations are immunized from this lawsuit.

But whatever the limitations of defendants’ authority, Bowers cannot prevail by showing that defendants have failed to disprove his claim. It is his burden to show that the law was clearly established. And the bottom line is that Bowers hasn’t cited Supreme Court or Seventh Circuit law clearly establishing that he retained a reasonable expectation of privacy against intrusions by the county despite his linking the account to his work email, putting confidential work files from a work computer in the account, and sharing access to the account with others. The precedential authority he relies on provide the general principles that provide the foundation for his claim. But that case law doesn’t show that the contours of the law were so well defined that it would be clear to a reasonable officer in defendants’ position that Bowers had a reasonable expectation in keeping his Dropbox account private from the county. In the absence of such a showing, defendants are entitled to summary judgment on the basis of qualified immunity.

And that means Bowers won’t have any luck suppressing this evidence in his criminal case. He’s charged with misconduct in public office and, presumably, the evidence against him was generated by this search of his Dropbox account. If the defendants can obtain immunity here, the trial court will likely find (if it hasn’t already) that even if the Fourth Amendment was violated, the violation was done in good faith.

That being said, it’s a well-written decision that’s willing to discuss issues that somehow — despite it being 2022 — haven’t generated much precedent. And, at least in this court, the Third Party Doctrine isn’t nearly as expansive as the government believes it is, which will make it a handy decision to refer to in future litigation dealing with these issues.



Comments on “Federal Court Awards Immunity To Sheriff Who Searched An Officer’s Private Dropbox Account Without A Warrant”

Whoever says:

Working backwards

including that Bowers linked the account to his work email and he placed work files taken from a work computer into the account.

A fact that was not known until the IT department hacked into his account, hence should not affect any determination of whether a warrant was required. Do judges not understand the concept of cause and effect? Or how time works?

Nathan F (profile) says:

And here I thought Qualified Immunity was for those instances law enforcement had to act with only a moment’s notice because to do otherwise would have the situation end badly in some way. Did Ms. Lind have to rapidly and with little time to spare about the legality of what she was doing log into the account, do a password change request and search the Dropbox before the other guy could finish hitting delete?

OGquaker says:

So? A Rent-A-Cop stepped out of his job description

The Sheriff is a separately elected County official, his “Job” has responsibility to the electorate. The Police are hired by the municipality, generally, and their “Job” is responsible to a city manager or governing board/council.

Thus, when Daryl Gates had served as Chief Of Police for a decade too long, the Elected Sheriff had his ass in his hands. Sadly, with unpublished protection rackets between law enforcement, Sherman Block was nowhere to be found.

Anonymous Coward says:

Buncha lessons here:

  • Pay attention to your employer’s data policies, and don’t exceed your authority regarding sharing. Accidents make privacy incidents or worse.
  • If you want to do something special (like set up a Dropbox account) with work data, get it approved by your employer – preferably in writing – or don’t do it.
  • Never, never, never do private business on your employer’s hardware; nor over their network if you can avoid it (including: don’t have your personal phone link to your employer’s wifi).
  • Never hand your keys (crypto or otherwise) to someone else and expect the locked thing to remain private.

Anonymous Coward says:

too simple!

this is a case where the blue lies mafia criminal used an account/ device/ etc. for government work use. thus making it a WORK unit subject to government employee searches!
this is similar to a government worker using a personal cell phone to take a picture/ video of a 1A auditor. that device is now considered open to search without warrant and is subject to open records.
so…. bottom line! DON’T USE personal devices/ accounts for work!

tom (profile) says:

Wonder if this case: https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf
will wind up being cited at some point in this trial?
Would seem to be on point on Bowers’ sharing of the extra case files. Not so much on point for what the IT worker did in accessing Bowers’ files but could be an issue in how Bowers gets charged for sharing the files.

Should be a warning to all to keep a hard line between work accounts and devices and personal accounts and devices.

Bergman (profile) says:

Safe deposit boxes

This case missed a trick, that might have given it a different outcome.

Dropbox is a digital file locker – it stores files, keeps them secure, and makes them available to anyone with a key who is on the access list. That is exactly the model that safe deposit boxes in banks operate on, though with less convenience.

If Dropbox can be accessed without a warrant under the third party doctrine despite being paid to be a secure storage facility, then any secure storage facility operated by a third party wouldn’t need warrants either.

On The Internet does not create terra incognita in the law when the situation is otherwise identical to long-settled legal scenarios off the internet, but for those three words.
