
    UNITED STATES of America, v. YUDONG ZHU, Defendant.
    No. 13 Cr. 761.
    United States District Court, S.D. New York.
    Signed May 27, 2014.
    
      Christian R. Everdell, U.S. Attorney’s Office, New York, NY, for United States of America.
    Maurice H. Sercarz, Sercarz & Riopelle, L.L.P., Robert M. Baum, Federal Defenders of New York Inc., New York, NY, for Defendant.
   DECISION AND ORDER

VICTOR MARRERO, District Judge.

By Indictment dated October 10, 2013, a grand jury charged defendant Yudong Zhu (“Zhu”) with conspiring to commit honest services fraud in violation of 18 U.S.C. § 1341, 18 U.S.C. § 1343, 18 U.S.C. § 1346, and 18 U.S.C. § 1349; conspiring to receive bribes in violation of 18 U.S.C. § 666(a)(1)(B) and 18 U.S.C. § 371; commercial bribery conspiracy in violation of 18 U.S.C. § 1952(a)(3) and 18 U.S.C. § 371; honest services fraud in violation of 18 U.S.C. § 1341 and 18 U.S.C. § 1346; receipt of bribes in violation of 18 U.S.C. § 666(a)(1)(B); commercial bribery in violation of 18 U.S.C. § 1952(a)(3); and falsification of records in violation of 18 U.S.C. § 1519. (Dkt. No. 20.) Zhu moved to suppress evidence seized from his laptop computer and the fruits of such evidence. (Dkt. No. 28.) For the reasons set forth below, Zhu’s motion is DENIED.

I. BACKGROUND

On October 27, 2008, Zhu — an expert in magnetic resonance imaging (“MRI”) — began work as an assistant professor in the radiology department at the New York University School of Medicine (“NYU”). In 2010, Zhu applied, through NYU, for a grant from the National Institutes of Health (“NIH”) to conduct MRI research, and NIH awarded the grant in May 2011. All grant funds were to be the property of NYU, and NYU would become the owner of all equipment purchased with the funds. (Deck of Anthony Cama in Opp’n by USA as to Yudong Zhu, dated Apr. 8, 2014 (“Carna Decl.”), Dkt. No. 36, at 4.)

In August 2011, Zhu ordered a laptop using funds provided by the NIH grant. Upon its arrival, Zhu configured the laptop, created several levels of passwords, and encrypted the hard drive. Between its arrival and May 2013, Zhu used the laptop for both personal and professional matters. Zhu did not leave the laptop overnight in his office; he brought it home with him at the end.of each day.

. In early 2013, NYU began investigating Zhu regarding the current charges, and on May 8, 2013 Zhu met with NYU lawyers and an NYU vice president to discuss the investigation. At this meeting, Zhu turned over his laptop to NYU but refused to provide his passwords. Following this meeting, NYU reported Zhu to the Department of Justice, which prompted the FBI and the United States Attorney’s Office to commence a criminal investigation. On May 19, 2013, the Government filed a criminal complaint against Zhu.

As part of the Government’s investigation of Zhu, NYU provided Zhu’s laptop to the FBI. On June 27, 2013, Annette Johnson, general counsel of the NYU Medical Center, signed a “Consent to Search Computer(s)” form, authorizing the FBI to search the laptop. Without obtaining a warrant, the FBI decrypted the laptop and searched its contents.

Before beginning his employment with NYU in 2008, Zhu had signed two documents regarding NYU’s computer use policies. One document was entitled “Policy Statement on Privacy, Information Security, and Confidentiality,” and stated, among other things,

I understand that the confidential information and software I use for my job are not to be used for personal benefit or to benefit another unauthorized institution. I also understand that my institution may inspect the computers it owns, as well as personal PCs used for work, to ensure that its data and software are used according to its policies and procedures.

(Deck of Nicole Delts in Opp’n by USA as to Yudong Zhu, dated Apr. 7, 2014 (“Delts Deck”), Ex. C at ¶ 13, Dkt. No. 35) (emphasis in original). Zhu signed this doeument, affirming that he understood its contents, on October 20, 2008.

The second document, also signed on October 20, 2008, concerned the Staff Handbook and the Code of Conduct Handbook. Zhu signed this document confirming that he had received the handbooks and acknowledging that he was “responsible for reading, understanding and conforming to the policies and procedures stated in both handbooks.” (Delts Deck, Ex. B.) The Staff Handbook began by delineating to whom the Staff Handbook applied: “[A]ll Medical Center employees, other than members of the Faculty (Id., Ex. A., at 4.)

The Staff Handbook contained various policies concerning the use of NYU property. Among other things, the policy entitled “Use of Computer Systems” stated that “[c]omputers, e-mail systems, and electronic communications and equipment are the sole property of NYU Hospitals Center and/or NYU School of Medicine, and staff should not have any expectation of privacy.” (Id., Ex. A, at 42.) Further, it asserted that NYU “reservefs] the right to conduct spot audits and/or examinations of any Hospital- or School-owned computer ... equipment, including those used at home ....” (Id.) Finally, the policy concerning “Lockers, Desks, Personal Computers and Offices” stated that “[a]ll personal computers ... remain the property of NYU Medical Center. Accordingly, the Medical Center may inspect a ... personal computer ... at any time, with or without cause or notice.” (Id., Ex. A, at 17.)

II. LEGAL STANDARD

“A defendant seeking to suppress the fruits of a search by reason of a violation of the Fourth Amendment must show that he had a ‘legitimate expectation of privacy' in the place searched.” United States v. Hamilton, 588 F.3d 162, 167 (2d Cir.2008) (quoting Rakas v. Illinois, 439 U.S. 128, 143, 99 S.Ct. 421, 58 L.Ed.2d 387 (1978)). “This inquiry involves two distinct questions: first, whether the individual had a subjective expectation of privacy; and second, whether that expectation of privacy is one that society accepts as reasonable.” Id.

In the workplace context, the Supreme Court has recognized that “employees may have a reasonable expectation of privacy against intrusions by police.” O’Connor v. Ortega, 480 U.S. 709, 716, 107 S.Ct. 1492, 94 L.Ed.2d 714 (1987) (citing Mancusi v. DeForte, 392 U.S. 364, 88 S.Ct. 2120, 20 L.Ed.2d 1154 (1968)). In Mancusi, the Supreme Court held that an employee, despite the fact that he shared his office with other employees, had a reasonable expectation of privacy in the office sufficient to challenge the warrantless search of that office. Mancusi, 392 U.S. at 369, 88 S.Ct. 2120.

Once a defendant successfully shows that he had a reasonable expectation of privacy in the place searched, the burden shifts to the Government to prove either that the search was conducted pursuant to a valid warrant or that the war-rantless search fell within one of the “few specifically established and well-delineated exceptions” to the warrant requirement. Katz v. United States, 389 U.S. 347, 357, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967). One of the well-delineated exceptions is a search that is conducted pursuant to valid third-party consent. See Schneckloth v. Bustamonte, 412 U.S. 218, 219, 93 S.Ct. 2041, 36 L.Ed.2d 854 (1973). In order to satisfy the burdens imposed upon it by the third-party consent principle, the Government must prove by a preponderance of the evidence that the consent was valid. United States v. Buettner-Janusch 646 F.2d 759, 764 (2d Cir.1981).

Consent may be given by a third party “who possesses] common authority over or other sufficient relationship to the premises or effects sought to be inspected.” United States v. Matlock, 415 U.S. 164, 171, 94 S.Ct. 988, 39 L.Ed.2d 242 (1974). The Second Circuit in United States v. Davis articulated a two-part test concerning third-party consent: such consent is valid if “first, the third party had access to the area searched, and, second, either: (a) common authority over the area; or (b) a substantial interest in the area; or (c) permission to gain access.” United States v. Davis, 967 F.2d 84, 87 (2d Cir.1992). As expressed by the Supreme Court in Matlock, “[cjommon authority is, of course, not to be implied from the mere property interest a third party has in the property. [It] rests rather on mutual use of the property by persons generally having joint access or control for most purposes .... ” Matlock, 415 U.S. at 171 n. 7, 94 S.Ct. 988.

III. DISCUSSION

While the Court is convinced that Zhu had a reasonable expectation of privacy in the contents of the laptop, the FBI’s search of the laptop was constitutional based on NYU’s valid third-party consent.

A. REASONABLE EXPECTATION OF PRIVACY

The Government does not contest that Zhu exhibited a subjective expectation of privacy in the laptop’s contents by encrypting the laptop and establishing several layers of passwords, which he ostensibly did not share with others. See United States v. Ziegler, 474 F.3d 1184, 1189 (9th Cir.2007). It does dispute whether Zhu’s expectation of privacy was reasonable.

The Court is persuaded that Zhu’s expectation of privacy in the laptop’s contents is one that society would accept as reasonable. Zhu took many steps to restrict third-party use and access to the computer, which weighs in favor of finding a reasonable expectation of privacy in its contents. For example, only Zhu had use of the laptop; he did not share it with any co-workers. See Mancusi, 392 U.S. at 369, 88 S.Ct. 2120 (finding employee had reasonable expectation of privacy in his office even though he shared the office with coworkers); Ziegler, 474 F.3d at 1190 (finding a reasonable expectation of privacy in an employee’s office based in part on the fact that the office was not shared); United States v. Reeves, Crim. No. 11-520, 2012 WL 1806164, at *8 (D.N.J. May 17, 2012) (considering defendant’s sole use of her work computer as a factor in favor of finding reasonable expectation of privacy in the computer).

In fact, not even NYU’s computer-system administrators had access to Zhu’s computer — he both ordered and configured the laptop himself. Cf. Leventhal v. Knapek, 266 F.3d 64, 73 (2d Cir.2001) (reasonable expectation of privacy even though technical staff could access employee’s computer unannounced); Brown-Criscuolo v. Wolfe, 601 F.Supp.2d 441, 449 (D.Conn.2009) (reasonable expectation of privacy in work computer where both employee and computer-system administrator knew the computer’s password).

Further, Zhu had a private office at NYU and took the laptop home with him in the evenings. See Leventhal, 266 F.3d at 73 (deciding that defendant’s private office was a factor in favor of finding reasonable expectation of privacy in office computer’s contents); United States v. Slanina, 283 F.3d 670, 676 (5th Cir.2002) (same).

Zhu’s use of passwords and encryption weighs in favor of finding a reasonable expectation of privacy. See Reeves, 2012 WL 1806164 at *8 (finding employee had reasonable expectation of privacy in password-protected work computer); Brown-Criscuolo, 601 F.Supp.2d at 449 (finding that employee had reasonable expectation of privacy in work computer where only she and the computer-system administrator knew the password); see also Ziegler, 474 F.3d at 1190 (that defendant could lock his office with a key weighed in favor of finding a reasonable expectation of privacy).

The Government’s reliance on the O’Connor line of cases is misplaced because O’Connor concerned a search conducted by a governmental employer, while the search here was a law enforcement search. The government cites O’Connor for the principle that an employer’s computer policy permitting employer monitoring vitiates an employee’s expectation of privacy. Because the search in O’Connor was performed by a governmental actor, it implicated Fourth Amendment concerns. 480 U.S. at 716, 107 S.Ct. 1492 (“Searches and seizures by government employers or supervisors of the private property of their employees, therefore, are subject to the restraints of the Fourth Amendment.”) (emphasis added); see also United States v. Angevine, 281 F.3d 1130 (10th Cir.2002) (state university’s search of a professor’s computer); Leventhal, 266 F.3d at 66 (New York State Department of Transportation’s search of employee’s computer); United States v. Simons, 206 F.3d 392 (4th Cir.2000) (CIA search of a CIA employee’s computer).

In contrast, this case concerns a law enforcement search conducted with the consent of a private employer. As such, it more closely resembles Mancusi, where a private-sector employee challenged a government search of his office. 392 U.S. at 365, 88 S.Ct. 2120. The Court in Mancusi acknowledged that an employee may have different expectations of privacy regarding a search by an employer versus a search by the government. Id. at 369, 88 S.Ct. 2120. The Court decided that the defendant had a reasonable expectation of privacy in relation to a police search of his office even though his employer could have consented to a search, implying that the employer could have searched the office itself. Id. (“DeForte still could reasonably have expected that only those persons [employees with whom DeForte shared the office] and their personal or business guests would enter the office, and that records would not be touched except with their permission or that of union higher-ups.”); see also O’Connor, 480 U.S. at 717, 107 S.Ct. 1492 (“Indeed, in Mancusi itself, the Court suggested that the union employee did not have a reasonable expectation of privacy against his union supervisors.”).

The Court in O’Connor highlighted this difference between employer searches and police searches: “The operational realities of the workplace, however, may make some employees’ expectations of privacy unreasonable when an intrusion is by a supervisor rather than a law enforcement official.” 480 U.S. at 717, 107 S.Ct. 1492 (emphasis in original). Therefore, the holding of O’Connor that “[p]ublic employees’ expectations of privacy in their offices desks and file cabinets ... may be reduced by virtue of actual office practices and procedures, or by legitimate regulation”, and that holding’s extension to employees’ work computers in Angevine, Leventhal, and Simons, applies to searches by employers, not to searches by law enforcement. This is not-to say that an employer’s computer policy may not play some role in the determination of an employee’s expectation of privacy, but the policy is not determinative as it was in Angevine, Lev-enthal, and Simons.

In this case, NYU’s computer policy does not weigh strongly toward a finding that Zhu lacked a reasonable expectation of privacy regarding a law enforcement search. The NYU Staff Handbook contained strong language warning staff of their lack of an expectation of privacy in their NYU-owned computers. Based on the Staff Handbook, “staff should have no expectation of privacy” in NYU computers (Delts Deck, Ex. A, at 4), and NYU reserved the right to search such computers at any time, without notice, even including computers used at home (Id.; id., Ex. A., at 17). Importantly, though, the Staff Handbook did not apply to Zhu, who was a member of the. faculty, not the staff. (See id., Ex.' A, at 4 (“The information in this handbook applies to all Medical Center employees, other than members of the Faculty ....”).)

Thus, the only NYU computer policy that applied to Zhu concerns the form he signed acknowledging that NYU had the right to “inspect the computers it owns, as well as personal PCs used for work, to ensure that its data and software are used according to its policies and procedures.” (Id., Ex. C.) Zhu’s authorization granted NYU only the right to search his computer; it did not contain a disclaimer of any expectation of privacy such as appeared in the Staff Handbook, and it did not state that NYU could inspect Zhu’s computer at any time, without notice. This is not the type of pervasive policy that could vitiate Zhu’s expectation of privacy vis-á-vis law enforcement. Cf. Angevine, 281 F.3d at 1134 (professor lacked a reasonable expectation of privacy where University maintained right to search work computers at any time, and computer users were notified by a “splash screen” each time they opened the computer that they had no expectation of privacy in any emails); Leventhal, 266 F.3d at 74 (finding defendant had a reasonable expectation of privacy from public employer search of his computer where employer neither “had a general practice of routinely conducting searches of office computers [n]or had placed [defendant] on notice that he should have no expectation of privacy in the contents of his office computer”); Simons, 206 F.3d at 398 (deciding that CIA employee lacked a reasonable expectation of privacy where the policy stated that the employer would monitor the internet usage of all employees, “including all file transfers, all websites visited, and all email messages, as deemed appropriate”).

B. ACTUAL AUTHORITY

While Zhu had a reasonable expectation of privacy in relation to the FBI’s search of his laptop, the Court is persuaded that the search here was performed with NYU’s valid, third-party consent. To find NYU’s consent to be valid, the Government must show first that NYU “had access to the area searched,” and next that NYU had either “(a) common authority over the area, (b) a substantial interest in the area, or (c) permission to gain access to the area.” Davis, 967 F.2d at 87.

NYU had “access” to Zhu’s computer as required under Davis, based on the authorization Zhu signed acknowledging that NYU could inspect its own computers to ensure that “its data and software are being used according to its policies and procedures.” (Delts Deck, Ex. C.) This authorization granted NYU legal access to Zhu’s laptop, which was purchased with NIH funds granted to NYU and therefore property of NYU. (Carna Deck at 4.) As Zhu correctly notes, “[c]ommon authority is not to be implied from the mere property interest a third party has in the property.” Matlock, 415 U.S. at 171 n. 7, 94 S.Ct. 988. But while NYU’s property interest in the laptop was not sufficient on its own to grant it access to Zhu’s laptop, Zhu’s signed authorization permitted NYU to access the laptop in order to ensure that Zhu had not violated NYU’s policies and procedures.

Zhu argues that Davis requires physical access to satisfy its first prong, and that because Zhu had encrypted his laptop and protected it with passwords, NYU cannot claim to have had access to the laptop.. In United States v. McGee, the Second Circuit found this argument — that the first Davis prong requires physical access and not just legal access — to be unavailing. See 564 F.3d 136 (2d Cir.2009). In McGee, the defendant argued that his girlfriend’s consent to a police search of his house was not valid because the girlfriend had no property interest in the house, and the defendant had locked her out of the house and taken away her key. The defendant thus argued that his girlfriend lacked “access” to the house as required by Davis. The Second Circuit disagreed, writing that “[wjhether a so-called ‘third party’ ... has access to a premises depends on the understandings communicated by the titular owner to that person. The presence or absence of locks on doors can be helpful to the court’s discernment of that understanding, but does not directly answer it.” Id. (emphasis in original).

In this case Zhu, while not its titular owner, had immediate possession of the laptop, and had communicated by his signed authorization that NYU could inspect it. So while the laptop’s passwords and encryption weigh against finding that NYU had access, similar to locks on a door, the laptop’s security measures are not determinative. More important is Zhu’s written authorization, which communicated the understanding that NYU could inspect the laptop. See also Ehrlich v. Town of Glastonbury, 348 F.3d 48 (2d Cir.2003) (“[W]e have.never adopted as the clear law of this circuit plaintiffs strict view that access must mean physical access and not legal access.”). Zhu’s argument, if accepted by the Court, would have significant implications that could not reasonably have been contemplated either by Zhu or by NYU under the circumstances this case presents. In essence, enabling Zhu to withhold the passwords to the computer would grant him a unilateral means to avoid performing an obligation mutually and consensually agreed to, thus violating an employer policy by which he undertook to be bound, and rendering the employer’s security measures, and the expectation it has of its employees’ compliance with them, entirely meaningless.

NYU also satisfied the second Davis prong in each of the three possible respects: it exercised common authority over the laptop, it had a substantial interest in the laptop, and it had permission to access the laptop. NYU’s ownership of the laptop meant that it both exercised common authority over and had a substantial interest in the laptop. United States v. Abiodun, 04 Cr. 1316, 2005 WL 3117305, at *5 (S.D.N.Y. November 22, 2005) (“Third Avenue clearly had common authority over the Unit and a substantial interest in it. Third Avenue owned the storage facility and leased the Unit to Abiodun on a month-to-month basis.”) As discussed above, Zhu’s signed authorization gave NYU permission to search the laptop. McGee, 564 F.3d at 141 n. 3.

Because both prongs of the Davis test are met in this case, NYU’s consent to the FBI search of Zhu’s laptop was valid, and therefore the search did not violate Zhu’s Fourth Amendment rights.

IV. ORDER

For the reasons discussed above, it is hereby

ORDERED that defendant Yudong Zhu’s motion to suppress evidence seized from his laptop computer and the fruits of such evidence (Dkt. No. 28) is DENIED.

SO ORDERED. 
      
      . Except where otherwise explicitly noted, the factual summary below is derived from the following documents: Memorandum of Law in Support of Defendant Yudong Zhu's Motion to Suppress Evidence Seized from Laptop Computer and the Fruits of Such Evidence, dated Mar. 14, 2014 (Dkt. No. 31); Government's Memorandum of Law in Opposition to Defendant’s Pretrial Motion to Suppress, dated Apr. 11, 2014 (Dkt. No. 34); and Reply Memorandum in Support of Defendant Yudong .Zhu’s Motion to Suppress Evidence Seized from Laptop Computer and the Fruits of Such Evidence, dated Apr. 18, 2014 (Dkt. No. 38).
     