I’m guessing we all know that you don’t have a reasonable expectation of privacy in photographs that you post on the public Internet. Government investigators don’t violate privacy rights by looking at photos posted on the web for all to see. But what about the metadata embedded in those photographs? And what if it’s a website only accessible using the TOR browser?

In a case handed down last week, United States v. Post, a district court held that the Fourth Amendment still offers no protection. The decision was authored by Judge Gregg Costa, a recent nominee to the U.S. Court of Appeals for the Fifth Circuit.

Post is interesting not just for its holding but also for its facts. Investigators discovered a website devoted to child pornography. The website was viewable only using the TOR browser, much like the Silk Road website that was used to trade illegal narcotics. We don’t know the entirety of the investigation, but in at least one instance the agents tried to retrieve the location metadata embedded in an image of child pornography they found on the site.

By way of background, when you take a photo using a cell phone with the location services feature set to “on,” it automatically records where you took the photograph using the cell phone’s GPS capability. The camera then stores that information in the image file. A cellphone user can turn the location services feature off before taking a picture, but many users have no idea the feature even exists.

The investigators in Post used publicly-available software to scan the discovered photo for its geolocation information. The technique worked, and agents obtained precise GPS coordinates where the photo had been taken. When agents went to the home that matched the coordinates, the homeowner told them that a registered sex offender lived nearby — within 100 feet, the margin of error of the phone’s geotagging feature. Investigators then visited the home of the registered sex offender, Donald Post. Post spoke to the officers and admitted that he had taken the photographs and posted them on the web.

When criminal charges followed, Post moved to suppress the geolocation information obtained from the photographs:

In his suppression motion, Post acknowledges that he had no expectation of privacy in the image that he uploaded to the website, but contends that he did retain a privacy interest in the embedded metadata because he did not realize he was releasing that information and he intended to remain anonymous. In other words, he would split the image into two distinct parts, one of which the government could obtain because it was placed in the public domain and one of which it could not.

Judge Costa disagreed:

[Post] gave up his right to privacy in that image once he uploaded it to the internet, and that thing he publicly disclosed contained the GPS coordinates that led agents to his home. There is no basis for divvying up the image Post uploaded into portions that are now public and portions in which he retains a privacy interest.

He added the following analogy:

Assume a defendant left an article of his clothing at a crime scene in 1981. At the time, the defendant had no idea that years later crime labs would be able to conduct DNA analysis of hairs present on that clothing. And in leaving the clothing, he certainly intended to do so “anonymously.” On those grounds, would the defendant be able to suppress the results of the DNA analysis? Of course not, because he left the clothing in a public place and lost any expectation of privacy he had in it, regardless of how he contemplated that clothing could be used. The same would have been true if in an earlier age a defendant had tried to argue that he meant to leave a cigarette butt in a public space, but had not intended to leave his latent fingerprint that law enforcement used to identify him. And the same is true for the image that Post uploaded to the website: once it was left in a public place, he no longer had a Fourth Amendment privacy interest in it.

The fact that the website was only viewable using TOR created no privacy rights because “that browser is available for any internet user to utilize and is the only barrier that would prevent someone from accessing the website.”

Clearly correct, in my view. And a well-written opinion, too.

Incidentally, I think the same rule should apply in the context of criminal law under the Computer Fraud and Abuse Act, which is the issue being litigated in United States v. Auernheimer. If you post information on the web for all to see, anyone can view it even if you didn’t know that information was exposed or hoped it wasn’t accessed. If a private party collects the information, it’s not an unauthorized access. And if the government collects the information, it’s not a Fourth Amendment search.