Several countries have recently introduced laws allowing the police to hack into suspects’ computers. Legislators recognize that police hacking is highly intrusive, e.g., to personal privacy, but consider it justified by the increased use of encryption and mobile computing—both of which challenge traditional investigative methods. Police hacking also exemplifies a major challenge to the way legal systems deal with, and conceptualize, privacy. Existing conceptualizations of privacy and privacy rights do not always adequately address the types and degrees of intrusion into individuals’ private lives that police hacking powers enable. Traditional privacy pillars such as the home and secrecy of communications do not always apply to computer-based police investigations in an era of mobile technologies and ubiquitous data.
In this Article, we conduct a comparative legal analysis of criminal procedure rules in the United States, Germany, Italy, the Netherlands, and the United Kingdom to see which privacy frameworks law-makers and courts apply when regulating police hacking. We show that while classic privacy frames of inviolability of the home and secrecy of communications remain adequate for some forms of police hacking (observation and interception), they fail to capture novel and fundamentally different ways in which the most intrusive forms of police hacking (covert online searches and remote surveillance) impact privacy in twenty-first-century society. Our analysis shows the emergence of two new frameworks that have the potential to begin filling this void: 1) a container-based approach, focusing on the computer as protection-worthy in itself—or the “informatic home,” and 2) a content-based approach, focusing on the protection of data—or “informatic privacy.” Since both approaches have valuable benefits and potential drawbacks, we propose that a complementary application of the two might work best to capitalize on their advantages over traditional privacy frameworks to regulate police hacking.