The Ninth Circuit, in United States v. Dreyer, a divided Court of Appeals case, recently concluded that suppression of evidence pursuant to the exclusionary rule was an appropriate remedy when the actions of a civilian agent of the Naval Criminal Investigative Service (NCIS) violated the Posse Comitatus Act by turning over criminal data to prosecutors revealed by a cyber-search. The case turned on two issues: was there a violation given the civilian status of the agent performing the search, and should the exclusionary rule apply to deter future violations?
The Court was unanimous on the first issue, finding the actions of the civilian agent to be in violation of DoD Posse Comitatus policy provisions, rather than the criminal Posse Comitatus statute (the text of the act only mentions the Army and Air Force). While exceptions exist, those exceptions were held inapplicable when, as here, a search was performed that was broad enough to include anyone in the state of Washington, whether connected with the military or not. However, in the world of cyber security, this type of application may present a dilemma. Can the scope of cyber searches be adequately compared to physical searches? The Court made that exact comparison when it rejected the Government’s argument that an exception did apply to the agent’s conduct:
“To accept that position would mean that NCIS agents could, for example, routinely stop suspected drunk drivers in downtown Seattle on the off-chance that a driver is a member of the military, and then turn over all information collected about civilians to the Seattle Police Department for prosecution.”
The Court was divided on the suppression issue. The question on suppression centered on whether the exclusionary rule was needed to deter future violations. In order to make that decision, the Court determined whether the violations were “widespread” and “repeated”. This determination is what split the Court. While the majority felt that the facts before them demonstrated that in this case alone there are apparent widespread and repeated violations, Judge O’Scannlain disagreed. Judge O’Scannlain dissented, failing to find a widespread problem where only four agents were found to have violated the act, three of whom were part of the same investigative team.
This case presents an interesting question for the cyber security world: does the Posse Comitatus Act limit cyber prosecutions based on NSA data?
Since the NSA operates under a military director, the Posse Comitatus Act applies to the actions performed by the NSA. However, the applicability of using the Posse Comitatus Act to regulate the actions of the NSA is qualified on how the NSA’s information is used. Using the same analysis performed by the Dreyer Court, the issue becomes whether the searches performed by the NSA fit within an exception to the Posse Comitatus statute and policy provisions. The exception would take effect depending on whether or not the NSA is performing overly broad searches that target civilians not connected with the military. However, even if the searches are overly broad, a violation of the Posse Comitatus policy provisions or statute exist only if the data is then transferred to state or federal prosecutors for use in executing domestic civilian law.
In addition, it is extraordinary for a suppression remedy to be applied for a statutory violation when the statute does not provide for a suppression remedy (like the wiretap act does). Without Congress providing for suppression in the statute, suppression is a Court-made remedy for Constitutional violations. Generally, statutory violations do not lead to suppression — an example being the “Knock and Announce” statute (18 U.S.C. §3109) for the execution of federal search warrants. The possibility of Constitutional suppression for a violation of a statute comes from the standard of “reasonableness” enshrined in the Fourth Amendment. “How can a search that violates a statute be reasonable?”, some argue. Others argue that Congress should not be able to affect what is Constitutional with just a statute, because by definition a statute is subservient to the Constitution. The Eighth Circuit raised but largely avoided the issue of suppression for a violation of the Posse Comitatus Act during the lengthy litigation over the events at Wounded Knee in the early 1970’s (Bissonette v. Haig). This, too, could have implications for the use of criminal law to affect conduct in cyberspace, given the massive role of the U.S. military in cyber security.
Here is a summary on the United States v. Dreyer decision by the JustSecurity Blog.
Leave a Reply