Whitney Merrill, a Class of 2009 Public Policy and Law major, graduated this spring from University of Illinois College of Law, cum laude. At Illinois, Whitney was the Managing Editor of the University’s Law Review and the President of the Internet & Technology Law Association. She is now pursuing a Masters in Computer Science at the University of Illinois Urbana-Champaign where she is an Illinois Cyber Security Scholar. This April, Whitney successfully argued before the Seventh Circuit Court of Appeals, which rendered a decision creating a circuit split. To learn more about Whitney’s accomplishments and studies on the legal issues involving cyber security, I spoke with her about everything she has been working on since she came to Trinity.
What made you want to be a Public Policy & Law major?
I originally thought I was going to major in Political Science or Economics, and I even considered doing a science or International Studies. Then I took PBPL 201 and fell in love. I thought, “this is the major for me.” The main case we studied in 201 was Michigan v. EPA. That was going on in the Supreme Court at the time, and we talked a lot about that.
Many students wonder how their undergraduate education actually prepares them for the post-grad world. Is there anything in particular that you studied at Trinity that was especially helpful for you to know after graduation?
I went on to be a paralegal for two years in New York City and so having familiarity with cases was helpful. I took two different Constitutional Law classes at Trinity, one with Professor Fulco. Her Constitutional Law class is the most like law school in the amount of work you have to do, the cases you read, and her requirements of the students to talk about cases. Exposure to legal terminology really helped because I had already seen the lingo. When I went to law school, I was one of the few students who had read a legal case before; most had not. I actually used a lot of my Constitutional Law briefs to help me prepare for my Constitutional Law class my 1L year. It helped lift the stress of 1L year off my shoulders. In that sense, I was thrilled to have seen the cases before and everything was almost a refresh. I also Bluebooked my senior thesis, which is the citation format used for legal papers. That really helped because formatting in Bluebook style isn’t taught until law school.
If you could go back and do anything differently at Trinity, what would it be?
I would have gotten a double major in Computer Science. I loved Public Policy but I knew I wanted to go into tech stuff as an undergraduate. I loved tech and computer stuff in high school, and I don’t know what I was thinking when I didn’t do Computer Science. Coding and Computer Science will continue to grow in importance in the future. Even if you don’t become a Computer Science major, learning to code or write in a language like C++ is very valuable later in life, especially if you go into any kind of law that involves some technology. If you’re a tech-oriented person, a CS degree (or other science degree) also opens the door for patent law. But now, I’m pursing Computer Science . . . just a little bit later.
You chose to work as a paralegal and a legal intern before enrolling in law school, which seems to be a fairly popular track for Public Policy & Law graduates. Would you recommend getting legal experience in the workplace before attending law school?
Yes. It was something I thought about for a really long time, and I consulted with Professor Fulco at length about whether I should take time off. If you can go work either as a paralegal or in any sort of field before law school, it is an extremely valuable opportunity. Taking time after college to work (most in a first full time job) gives you an advantage in your career in the long term. I think it makes you a better law student or graduate student to take time off because you bring with you life experience. Working in a legal related job before entering law school is also valuable. That way, if you work in a legal field and decide you hate it, you’ve spared yourself a large expense. The more sure people are about entering law school, the happier they will be in law school and in their legal careers.
While interning at the Electronic Frontier Foundation and studying at the University of Illinois College of Law, you focused on many of the legal issues involving cyber security, information privacy, and hacking. What originally made you interested in these issues?
It was a slow progression in that direction. I wrote my undergrad thesis on free speech online and pornography. I wrote about how the government has attempted to use protecting children as the means of restricting adult free speech rights online, specifically involving pornography. Professor Fulco was the first person to recommend that I check out the Electronic Frontier Foundation when I started my research, and I fell in love with them. I knew this was the type of work I wanted to do. I got an internship with them after my 1L year, and attended for the first time a conference in Las Vegas called DEF CON, and it is one of the largest information security and hacker conventions in the world. I went and fell in love with the community, information security, and legal issues surrounding the type of research presented at DEF CON. The laws governing these areas are antiquated. I decided that this is where I wanted to narrow my interest. Things kind of fell in place from there. I started writing papers on topics involving civil liberties, technology, and encryption, and now it has become my focus.
The field of technology and information security is fairly specialized, and I assume it includes a lot of jargon and knowledge about software. Do you find it difficult discussing these matters with men and women who went to college writing papers on typewriters?
Some people will never be tech savvy and that’s a problem, especially in the legal world, but the individuals who want to better understand technology, regardless of their age, will teach themselves. Some of my mentors are the best attorneys in the field; they took the bar exam before the internet was the Internet and the age of the personal computer. But, they attend information security/hacker conventions as well and have excelled in keeping apprised of new technology and the possible legal issues. When it comes to advocating for your client, understanding technology is advantageous because more and more legal issues are affected by rapidly changing technology.
Many tech-minded civil liberties advocates welcomed the Supreme Court’s decision in Riley v. California. Do you think this ruling is a sign for future Supreme Court rulings regarding digital privacy rights?
Yes. I was in a Supreme Court seminar that was kind of similar to Professor Fulco’s, but we did individual cases before the Supreme Court instead of studying individual justices. We studied and conducted mock oral arguments for several of the major cases before the Supreme Court this past term and discussed how we thought they would or should turn out. Riley was the one that I was the most passionate about. I actually thought it would be a 6-3 decision, so I was surprised when it was 9-0 and included some very broad and favorable dicta. However, there is a case out of the Ninth Circuit called U.S. v. Cotterman, which narrowed the border-search exception to the Fourth Amendment. The border-search exception allows the government to search persons and containers (including electronic devices) crossing the border into or out of the United States without a warrant. Cotterman held that reasonable suspicion was required to conduct a forensic investigation of an electronic device. I did a talk on it at a convention in April, and I said that the fact that the Supreme Court denied cert (i.e. decided not to hear the appeal from the Ninth Circuit) in Cotterman signaled as to how the Court would rule in Riley. I thought the fact that the Supreme Court left that heightened suspicion in the Ninth Circuit indicated that they would not uphold the search-incident-to-arrest exception to cell phones in Riley. But, now that the case been decided, I think that if the opportunity presented itself, the Court would grant cert on a border search exception case and narrow the border search exception. Additionally, even though Riley only applies to cell phones, it probably (and hopefully) will not be long before the Court applies the same rationale to other electronic devices. I think the Court is starting to realize that technology can’t be treated like previous containers, it’s different; it’s special. That’s why all of the technology civil liberty cases handed down by the Court now are some of the most important. They have a massive impact on the rights of individuals and the government.
Do you think the law is finally starting to catch up with the rapid evolution of technology?
I think law is reactionary to begin with, so it is always going to be a little bit behind, but there is already a lot of catching up to do. Sadly, I don’t think it will ever catch up. The computer crime statute is antiquated. The Computer Fraud and Abuse Act was written in 1986 in response to the movie War Games with Matthew Broderick, without consulting with computer scientists, and the Stored Communications Act was written to work with how email functioned in the 1980s. So now we are left with a computer crime law that can be used to put all sorts of people in jail over situations that the drafters of the law probably did not intend to be crimes, and the law governing the disclosure of stored communications (e.g. email) holds vital a distinction regarding electronic stored communications that does not accurately reflect how these communications are stored now. Lawmakers, judges, and lawyers should hire/listen to individuals or educate themselves about how the Internet, computers, and technology work. This will help create better laws that can adapt to rapidly advancing technology.
What impediments do you see for lawmakers crafting adequate legislation for information and computer security?
I think people, including lawmakers, are fearful of the term hacking. Many information security professionals also refer to themselves as hackers. ‘Hackers’ is not a bad term. Lawmakers are just scared of the potential destruction hackers could do that they are not really looking at what benefits they can also bring. A hacker is generally a very brilliant individual who likes to understand how things work; they enjoy finding and fixing security vulnerabilities. I think we need more individuals like that. Data breaches occur almost weekly because so many companies have ignored information security for so long. There needs to be a more open dialogue between information security professionals/hackers and those who are forming the law to understand what would be a better benefit for all. Companies should encourage hackers to find and fix vulnerabilities and responsibly disclose them; it will help create better, more secure environment for data. Google and Facebook, for example, have bug bounty programs. If a hacker finds vulnerability or a bug, they can report it directly to the company. If the company, like Google, finds that it is worthy (or falls under the program), they will pay them upwards of $20,000 to reward the individual for finding and disclosing the vulnerability. In a situation like that, the hacker, the company, and the users all benefit. Generally, there needs to be better protections for the hackers who try and make security better.
What do you make of the recently popularized concept of ‘The Right to be Forgotten?’ Is the European Union crazy, or are they up to something?
I think the thought behind it is good: that people should have the ability to disappear or start over. Prior to the Internet, it was much, much more difficult to search for an individual’s name in every major publication. Previously, if a newspaper published an article about you, people would throw away their newspapers and a year later it would be almost impossible to find, except in a handful of libraries. I have this odd feeling that the right to be forgotten will not last. It denies people a right and access to information. If the right to be forgotten existed in the United States, it would most likely violate various First Amendment rights. I think the right to be forgotten was created in good spirit, but it’s not the answer.
How do you think our generation will play a role in this? I feel that our generation is more attuned to online privacy rights, however, we are also used to growing up where we post so much online that we almost care less about what is searchable about us. Do you think once our generation is in positions of power, our peers will demand change to the status quo of what’s able to stay online?
As our generation grows older, hopefully they will remember what it is like to grow up and make mistakes. One day, when I have to hire someone, I don’t think a mistake from when the individual was eighteen or so is going to completely stop that person from getting the job. I know what it is like to have grown up in a world where almost everything can be posted and disclosed online, and where one wrong post can ruin an individual’s life. I am afraid at the same time, however, that once our generation grows into our thirties and forties, we will forget that the only difference between us and the generation before us is that our generation was recorded the entire time. But, I think it will change. However, people have to actively decide and remember that those who have something embarrassing online about them doesn’t mean that the individual will not be a productive employee or a valuable member of society.
What do you think will be the next big legal technology issue that most people are not aware of yet?
The thing that I am researching and studying most right now is encryption technology and the law. I recently gave a talk on the government’s ability to force an individual to disclose a password, decrypt a computer or electronic device, or hand over a decrypted version of documents. The Fifth Amendment protects you from self-incrimination. A part of the right against self-incrimination includes the document production doctrine, which protects the act of producing documents if, among many other factors, by producing the documents the individual admits that the documents exist, that they are authentic, and that the documents are in the individual’s possession or control. If the government already knows any of those things from another outside source, it could be found to be a “foregone conclusion” and then the individual is no longer admitting anything.
When you encrypt a blank hard drive with no information on it, the encrypted data looks identical to an encrypted hard drive with substantial data on it. So by decrypting, are you saying yes these documents exist, yes I have possession of them, and yes they are here? And, at what point does the foregone conclusion doctrine apply? The analysis is extremely fact specific, but it is a hot area to watch and will definitely be an issue in the future as more people use encryption.
In April, you successfully argued in front of the Seventh Circuit Court of Appeals, which came to the decision that, “magistrates are not permitted to accept guilty pleas in felony cases and adjudge a defendant guilty.” How did you come to be involved in this case?
At school last May I was reading an email that advertised an opportunity to work on an appeal to the Seventh Circuit. I was one of two students in the class. Attorneys from the Federal Public Defender of Central Illinois supervised us as we navigated the appeals process. The other student and I worked together to draft the appellate brief, reply brief, and argue before the Seventh Circuit panel of judges. It was a fantastic opportunity and wonderful learning experience. Overall, we are very pleased with the Court’s decision and are looking forward to obtaining the best possible outcome for our client.