9th Circuit orders hard drive reformatting just in case hard drives contained encrypted files

The Ninth Circuit recently upheld an order allowing the government to reformat the hard drives on a computer before returning them because the drives might have contained encrypted files, and those encrypted files might have violated the defendant's supervised release. (United States v. Spink, No. 12-30068 (9th Cir. 2013)).

The defendant had been accused of violating the terms of his supervised release by use of his computer by possessing images of bestiality or zoophilia (he had previously owned at least 52 such websites). However, it appears as though the computers had either been erased, or the defendant had encrypted files on the computer. As no evidence was apparently found (from the little facts in the opinion), the computers had been ordered to be returned.

However, after the order, the government argued that they should be able to erase the hard drives in case there were files encrypted on the drive that would violate the defendant's release.

The government professed that it could not determine whether the computers' hard drives appeared to be blank because they had been erased or because they contained encrypted information that the government could not access.

The Ninth Circuit affirmed the decision to allow the hard drives to be erased, holding:

If the hard drives have been erased, there is no harm to Spink from the government wiping the hard drives again before it returns the computers. However, if there is encrypted data, Spink presumably has the ability to access those materials, and he has not offered to access the files in the presence of the Probation Office. Moreover, if the hard drives contain encrypted materials, those materials are likely to be the type of materials that Spink is prohibited from possessing under the conditions of his supervised release.

As I've argued many times before, I think the assumption that encryption is only used to do illegal or improper acts is erroneous and a very harmful idea for courts to consider. Does a locked door to your house imply that you are hiding illegal items in your home?

Read More

1st Circuit holds that cell phone searches incident to arrest violate the 4th Amendment

In United States v. Wurie, No. 11-1792 (1st Cir. 2013), the First Circuit held that the search of a cell phone incident to arrest categorically violates the Fourth Amendment. As a result, the court reversed the defendant's motion to suppress, vacated the conviction, and remanded the case.

While performing routine surveillance, a Boston police officer observed a man conducting what appeared to be a drug sale. The man was then stopped, and crack cocaine was found in his pocket. He was arrested, and upon arriving at the police station, two cell phones were confiscated from his person.

The phone soon thereafter received several calls, each displaying "my house" on the screen as the incoming caller. Police opened the call log and obtained the phone number for "my house." The number was entered into an online white pages directory, and officers then went to that location to "freeze" it while a search warrant was obtained. A large amount of drugs were seized from the home.

Before trial, the defendant moved to suppress the evidence obtained from his person and home, and the district court held that "[t]he search of Wurie's cell phone incident to his arrest was limited and reasonable." On appeal, the defendant reasserted his motion.

Having not yet dealt with the issue, the First Circuit extensively evaluated the potential effect of making cell phones searchable under the search incident to arrest exception. Here are a couple excerpts:

• [Data stored on a phone] is the kind of information one would previously have stored in one's home and that would have been off-limits to officers performing a search incident to arrest.
• Just as customs officers in the early colonies could use writs of assistance to rummage through homes and warehouses, without any showing of probable cause linked to a particular place or item sought, the government's proposed rule would give law enforcement automatic access to "a virtual warehouse" of an individual's "most intimate communications and photographs without probable cause" if the individual is subject to a custodial arrest, even for something as minor as a traffic violation.

As to whether the search was necessary to prevent destruction of evidence on the phone by remote wiping, the court discussed three methods for preserving the data and concluded:

Indeed, if there is a genuine threat of remote wiping or overwriting, we find it difficult to understand why the police do not routinely use these evidence preservation methods, rather than risking the loss of the evidence during the time it takes them to search through the phone. Perhaps the answer is in the government's acknowledgment that the possibility of remote wiping here was "remote" indeed.

Ultimately, the First found it necessary to create a uniform rule governing the search of cell phones incident to arrest, holding that "[a]llowing the police to search that data without a warrant any time they conduct a lawful arrest would, in our view, create 'a serious and recurring threat to the privacy of countless individuals.'"

The court did leave open the possibility for using the exigent circumstances exception in order to search a cell phone without a warrant, for example when there is a "compelling need to act quickly" such as to "locate a kidnapped child or to investigate a bombing plot or incident."

In a dissent, Judge Howard suggested a variety of reasons why the majority was incorrect, including that the caller from "my house" might have otherwise destroyed evidence in the home.

Read More

Featured Paper: Hacking Speech: Informational Speech And The First Amendment (Update)

The Northwestern University Law Review's newest issue (a special edition recognizing Northwestern Law faculty member Martin Redish) offers an interesting piece by Andrea M. Matwyshyn titled "Hacking Speech: Informational Speech And The First Amendment." Dr. Matwyshyn is an assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School, a faculty affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania School of Law, and an affiliate Scholar of the Center for Internet and Society at Stanford Law School. The abstract appears below:

The Supreme Court has never articulated the extent of First Amendment protection for instructional or “informational” speech—factual speech that may be repurposed for crime. As technology advances and traditional modes of speech become intertwined with code speech, crafting a doctrine that expressly addresses the First Amendment limits of protection for informational speech becomes pressing. Using the case study of “vulnerability speech”—speech that identifies a potentially critical flaw in a technological system but may indirectly facilitate criminality—this Article proposes a four-part “repurposed speech scale” for crafting the outer boundaries of First Amendment protection for informational speech.

Author's Update: I recently contacted Dr. Matwyshyn to expand a bit on her recent article for our readers. Here is what she had to say:

My goal with the article was to highlight existing gaps in the Supreme Court's jurisprudence that will present challenges as courts face future cases dealing with instructional/informational speech and technology. I also sought to propose one possible model for these judicial determinations. As vulnerability exploit markets, 3D printer drivers and other controversial categories of code become more prevalent, it is inevitable that a case of the type considered in the article will end up before the Supreme Court. The Court will then need to decide when, if ever, code crosses the line from protected speech into a regulable commodity and when, if ever, a release of code later used as part of a criminal enterprise constitutes a basis for criminal prosecution. I hope to reinvigorate the legal conversation around these topics.

Read More

7th Circuit dismisses CFAA civil claim for failure to satisfy $5,000 loss requirement

This case focuses a bit more on the civil side of the Computer Fraud and Abuse Act (CFAA). In Modrowski v. Pogatto, the Seventh Circuit Court of Appeals demonstrates the importance of the value requirement of a civil suit under the CFAA. 18 U.S.C. § 1030(g) states, in relevant part, that

[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages . . .

Thus, a claimant who wishes to bring a civil suit under § 1030(c)(4)(A)(i)(I), as the plaintiff did in this case, must show that a CFAA violation resulted in the “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Now, under the CFAA, “loss . . . aggregating at least $5,000 in value” may seem quite easy. The CFAA broadly defines “loss,” 18 U.S.C. § 1030(e)(11), as

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

As Modrowski demonstrates, the $5,000 loss requirement is essential to a civil claim under the CFAA, specifically § 1030(c)(4)(A)(i)(I). Leon Modrowski was fired as the property manager for TAQ Properties and Capps Management in 2008. During his employment, Modrowski had merged his personal and business Yahoo! email accounts. When Modrowski was terminated, the employer “locked” Modrowski out of his account, thus preventing Modrowski from accessing his personal e-mails. When access was finally granted, “Modrowski discovered that several years’ worth of his personal correspondence had vanished.” As a result, Modrowski filed numerous claims, including a civil suit under the CFAA.

The district court granted the defendant’s motion for summary judgment after Modrowski failed to amend his complaint “to elaborate on the economic harm caused by the defendant’s actions.” The district court found that Modrowski failed “to offer ‘any evidence in response to defendant[‘s] motion, let alone evidence sufficient to raise a triable issue of fact.’”

On appeal Modrowski argued that “his obligation to point to evidence in his favor was never triggered, because the defendants failed to meet their initial burden of production.” The court notes that the defendants did not attempt to provide “affirmative evidence that negates an essential element of [Modrowski’s] claim,” but were attempting, successfully, to “following a ‘somewhat trickier’ path to summary judgment by asserting that the “[Modrowski’s] evidence [was] insufficient to establish an essential element of [Modrowski’s] claim.” The court’s focus on a “representative element of Modrowski's claims,” the $5,000 loss requirement, attempts to highlight the shortcomings of Modrowski’s argument

To prevail on his Computer Fraud and Abuse Act claim, Modrowski would have had the burden of proving that the defendants' actions “caused [a] loss . . . during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). Were the defendants aiming affirmatively to negate that element—say, by asserting that the evidence irrefutably showed Modrowski's injury totaled only $2,500—the absence of citations to the evidence on record would be problematic. But that was not the defendants' strategy. They asserted that, if the case went to trial, Modrowski would be unable to produce evidence sufficient to meet his burden of proving that his injury exceeded $5,000. Modrowski counters that he was under no obligation to conduct formal discovery, and this is certainly true. See Praxair, Inc. v. Hinshaw & Culbertson, 235 F.3d 1028, 1032 (7th Cir. 2000) (“Discovery is costly and in cases in which the stakes are small, or there is a clearly dispositive legal argument, forbearing to conduct discovery is not negligence.”). But once the defendants pointed out the gap that they believed existed in Modrowski's case, he was obliged to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Modrowski could have come forward with affidavits from would-be business partners who were unable to contact him while he was locked out of his account; he could have submitted receipts reflecting the fees he paid to procure duplicates of lost financial and billing records; or perhaps he might have contented himself with a personal affidavit attesting to the number of hours he devoted to recovering his emails. See Butts v. Aurora Health Care, Inc., 387 F.3d 921, 925 (7th Cir. 2004) (court may consider self-serving affidavits at summary judgment if they are based on personal knowledge and set forth specific facts). Instead, he rested exclusively on his complaint, and this was plainly inadequate.

The $5,000 loss requirement for civil claims under the CFAA is a relatively broad requirement. However, as Modrowski highlights, a prospective claimant should be prepared to have some evidence that his or her loss can be valued at $5,000.

Interesting Note: Modrowski also brought a claim under the Stored Wire and Electronic Communications Act (18 U.S.C. § 2701) and the Federal Wire Tapping Act (18 U.S.C. § 2511). However, both were dismissed with prejudice by the district court because “Modrowski acknowledged that he voluntarily linked his personal account with the defendants' business account.”

Author's recommendation: Don't do that.

Read More

DOJ obtained Associated Press phone records; AP demands return and destruction of data

The Associated Press announced today that the Justice Department obtained two months of telephone records from more than twenty AP office telephones just over a year ago. The DOJ notified the AP of the investigation on Friday. AP's President and CEO has "demanded the return of the phone records and destruction of all copies."

According to the AP, the process for obtaining records from news organizations is "strict."

A subpoena can be considered only after "all reasonable attempts" have been made to get the same information from other sources, the rules say. It was unclear what other steps, in total, the Justice Department might have taken to get information in the case. 

A subpoena to the media must be "as narrowly drawn as possible" and "should be directed at relevant information regarding a limited subject matter and should cover a reasonably limited time period," according to the rules....

News organizations normally are notified in advance that the government wants phone records and then they enter into negotiations over the desired information. In this case, however, the government, in its letter to the AP, cited an exemption to those rules that holds that prior notification can be waived if such notice, in the exemption's wording, might "pose a substantial threat to the integrity of the investigation."

The full guidance from the DOJ is available in the department's United States Attorneys' Manual.

The investigation involves an attempt to find the source of a leak of classified information to the media.

Read More

Former Romney/Ryan intern charged with cyberstalking and internet extortion denied bail

In United States v. Savader, 13-MJ-359 (E.D.N.Y. May 7, 2013), Magistrate Judge Gary R. Brown denied bail to Adam Savader because of the nature of his crimes (cyberstalking and internet extortion) and due to the "weaponized" nature of the cache of compromising pictures the defendant possesses. The court's reference to weaponization derived from the fact that the images of the 15 victims were in cloud storage, and thus "the cache of compromising photos, [could] be accessed from any Internet- enabled device on the planet," allowing Savader to perpetrate additional crimes or antagonize his victims further.

The Savader case was well publicized when it hit the news; see:

Politico, Adam Savader, ex-Romney intern, arrested for blackmail
New York Daily News, Former Romney campaign intern busted in nude-pics blackmail scheme

From the Politico article (to summarize):

A former intern for the 2012 Republican presidential ticket of Mitt Romney and Paul Ryan and for Newt Gingrich’s presidential campaign was charged with cyberstalking young women and blackmailing them into sending nude photos in federal court on Tuesday.
Adam Savader, a 21-year-old from Great Neck, N.Y., obtained nude photos of 15 different women and threatened to publish the photos unless the women sent him even more naked pictures, according to a criminal complaint. Some of the victims were Savader’s high school and college classmates.

The complaint was originally under seal, but was unsealed on April 23, 2013 by order of the court. The complaint plus additional documents from the E.D. of Michigan (where the charges were filed), can be viewed here:

Savader Docs (Complaint, Arrest Warrant, Docket, etc.)

While Savader was charged in Michigan, he lives in New York, hence the reason why the detention order (and reasoning) emanated from the Eastern District of New York. In beginning his determination, the EDNY Magistrate considered whether it was even proper to make a bail determination in New York instead of Michigan. In the end, the court held that the amended Rules of Criminal Procedure allowed the court to proceed, and indeed it makes sense to hold a bail hearing in the defendant's home district, where Savader could more easily provide information relevant to the bail hearing; namely, his community ties, etc.

As to the merits, the court noted that the case "present[ed] novel factual issues as well as the kind of legal challenges that often arise when applying traditional legal concepts to cases emanating from digital technology." I think that is the interesting part of this otherwise routine part of criminal procedure. What should the standard be for individuals charged with internet crimes, where access to a computer might be the only thing needed to perpetrate additional crimes, modify evidence, or in this case, antagonize victims further with compromising photos?

In this case, the court referred to it as a close call, but ended up siding with detention. I don't necessarily agree it was close. As the court noted: there were 15 victims, the defendant showed some acumen for technology (not enough to know Google Voice numbers can be tied to your IP address...), and the defendant held specific animus for some of the victims. Moreover, because the fruits of his alleged crimes were stored out on the internet, the temptation for him to access that material (for any reason at all, nefarious or otherwise), might have been too great (notwithstanding his family's assurances otherwise).

I will note that I think the analysis regarding bail should be different in hacking cases, where systems have been adequately secured and there is no further chance the defendant could reoffend. However, here, I don't think you can convincingly argue future crime/tampering/sexual gratification related to the cache of material is a non-issue.

Because I haven't seen much related to bail considerations for electronic crimes, I reproduce in full the court's reasoning, below:

Because the offenses charged do not appear to constitute crimes of violence as defined in the Bail Reform Act, see 18 U.S.C. §3156,3 the Government is limited to seeking detention under § 3142(f)(2)(B), to the extent it can establish that the defendant “presents a serious risk that [he] . . . will . . . threaten, injure, or intimidate, or attempt to threaten, injure, or intimidate, a prospective witness.” Thus, the determination turns on whether the defendant may attempt to threaten or intimidate potential witnesses, which, in this case, means the complaining victims. 

Precise prediction of future human conduct represents an impossible task. Here, however, we can look at several indicators. First is the defendant’s capacity to threaten or intimidate the victims, both identified and unidentified. According to the Government’s proffer, agents uncovered evidence of an Internet cloud storage account that included files bearing names of the victims, presumably containing the photograph files used as part of the extortion. Notwithstanding the seizure of computer hardware from the defendant, the existence of this cloud storage suggests that, based on the information currently available, the defendant has possession of the cache of compromising photos, which can be accessed from any Internet- enabled device on the planet. Though electronic files do not generally constitute dangerous materials, in the context of this highly-unusual case, the defendant effectively “weaponized” these items, presenting a significant risk. Given the defendant’s demonstrated facility with computer technology, it would be all but impossible to fashion terms and conditions that would eliminate defendant’s access to these materials. Hence, like an individual with access to a secret cache of weapons, the defendant certainly maintains the capacity to intimidate or further injure the victims until these materials can be definitively located and secured. 

The second factor is the defendant’s willingness to employ these materials to cause further harm to the victims. Of course, that he has done so in the past is one consideration. At the hearing, his counsel argued, persuasively, that the defendant would be a fool to violate a court directive contained in a release order, as it would mean almost certain return to jail. In addition, the mere exposure of the scheme may well make the defendant reticent to engage in additional similar conduct. As Justice Brandeis famously observed, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” However, the Government has presented evidence showing that this defendant – largely for reasons that are as yet undiscovered – maintained an animus against some of these victims for many years. Though the defendant is now 21, he has managed to hold a grudge against several victims since high school. This demonstrated drive on the part of the defendant forces me to conclude that there remains a serious risk that he will attempt to intimidate or further injure the victims, as long as those photos remain in his control. 

Having concluded there is such a risk, the question is whether there are conditions which can remediate that risk. The Court notes that, at the bail hearing, defendant demonstrated substantial ties to the community. A large number of family members appeared at the bail hearing, representing three generations of his family, all of whom appeared willing and eager to assist in ensuring that the defendant will not engage in further wrongful conduct. According to his attorney, family members were willing to accompany him to school, attend classes with him, and take any other steps necessary to secure his release. Because of the unique circumstances of this case, I find that this support, though an important consideration, cannot overcome the serious risk of danger to the victims. As such, I directed the defendant be detained pending removal to the Eastern District of Michigan. 

That said, I note that this was a close call, which could have easily resulted in a different outcome. As described above, these decisions must be made with deference to the charging district, which will have access to better information concerning the status of the compromising photographs, input from the victims, and the nature of the evidence. That court, therefore, will be in a far better position to evaluate the risk presented by the defendant, and should accord little weight to this determination.

Read More

NSA releases 642-page Internet research guide

The National Security Agency recently released a 642-page guide titled "Untangling The Web: A Guide To Internet Research" under a Freedom of Information Act request. As the major purpose of the guide is to "help you understand how to use the Internet more efficiently," there isn't much in the document worth noting - perhaps made clear by the fact that the 642 pages are almost entirely unredacted.

There are sections about "Uncovering the 'Invisible' Internet" and "Internet Privacy and Security," but most of this information is common knowledge or significantly out of date (the guide was produced in 2007). However, the section on "Google Hacking" is interesting. Google hacking is "using clever but legal techniques to find information that doesn't belong on the public Internet." Here's one of the tips:

[S]earch by file type, site type, and keyword: many organizations store financial, inventory, personnel, etc., data in Excel spreadsheet format and often mark the information "Confidential," so a Google hacker looking for sensitive information about a company in South Africa might use a query such as:

[filetype:xls site:za confidential]

I wouldn't suggest spending time reading the whole thing, but it was worth a couple minutes. Maybe.

Read More

Breaking: Fed. judge denies motions to suppress in Rigmaiden; 4th Amendment, SCA case with Stingray use by FBI (Updated)

In United States v. Rigmaiden, No. 2:08-cr-00814-DGC (D. Ariz. May 8, 2013), a federal district judge in Arizona denied all of the defendant's motions to suppress. The motions were related to searches, the FBI's use of Stingray, access to stored communications and IP addresses, etc. It is long, but worth the read. An excerpt (relating to the Fourth Amendment argument):

Given the unique circumstances of this case and the case law discussed above, the Court concludes that Defendant did not have a legitimate expectation of privacy in the aircard, laptop, or apartment procured through fraud. Defendant acquired these items by invading the privacy of the persons from whom he stole names, social security numbers, credit cards, and driver’s license numbers. Having utterly disregarded the privacy rights of Travis Rupard, Steven Brawner, and Andrew Johnson, not to mention the many other names used in his scheme, Defendant cannot now credibly argue that he had a legitimate expectation of privacy in the devices and apartment he acquired through the fraudulent use of their identities.

An excerpt (relating to the SCA argument):

Courts have rejected Defendant’s arguments that historical cell-site records cannot be obtained under the SCA. See, e.g., In re Application of U.S., 620 F.3d 304, 313 (3rd Cir. 2010) (holding that cell-site location information “is obtainable under a § 2703(d) order”); United States v. Graham, 846 F.Supp.2d 384, 396 (D. Md. 2012) (“It is well established that Section 2703(c)(1)(B) of the Stored Communications Act applies to historical cell-site location data.”); see also United States v. Skinner, 690 F.3d 772, 777 (6th Cir. 2012) (holding that locating defendant through a phone’s cell-site records is not a Fourth Amendment search). Contrary to Defendant’s arguments, federal courts consistently rely on Smith and Miller to hold that defendants have no reasonable expectation of privacy in historical cell-site data because the defendants voluntarily convey their location information to the cell phone company when they initiate a call and transmit their signal to a nearby cell tower, and because the companies maintain that information in the ordinary course of business. See United States v. Ruby, No. 12CR1073 WHQ, 2013 WL 544888, at *6 (S.D.Cal. February 12, 2013); Jones, 2012 WL 6443136, at *5 (D.D.C. 2012); Graham, 846 F.Supp.2d at 397-401; United States v. Madison, No. 11-60285-CR, 2012 WL 3095357, at * 8-9 (S.D.Fla. July 30, 2012).

...

Defendant argues that the government was able to use the cell-site information to effectively track his aircard from June 10 to July 18, 2008, a period of 38 days, and that this “prolonged surveillance” implicated his reasonable expectation of privacy. Doc. 824 at 215- 17. Defendant relies on United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), and United States v. Jones, 132 S.Ct. 945 (2012), but those decisions are inapposite. They do not address orders under the SCA, and the Supreme Court in Jones did not adopt the privacy theory advanced by Defendant.

...

In this case, a government agent, working in his office with the historical cell-site information and using mathematical and triangulation techniques, was able to calculate a general location for Defendant’s aircard during a 38-day period. The calculation narrowed the location of the aircard to one-quarter of a square mile. The Court cannot conclude that such use of cell-site information, obtained from a third party under the SCA, is tantamount to attaching a GPS device to a person’s vehicle. Calculations made from the historical cell- site information did not provide minute-by-minute intelligence on Defendant’s precise movements as did the GPS device in Maynard. The calculations merely identified a general area where the aircard was located – and stationary – for 38 days. The information was not used surreptitiously to track Defendant’s movements over an extended period without a warrant. 

For some background, see:

--Kim Zetter, Wired, Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

--Vanessa Blum, The Recorder, Emails Detail Northern District's Use of Controversial Surveillance

Update 1:

--Here is the EFF/ACLU Amicus Brief in the case

Update 2:

--Kim Zetter's new post is up: Judge Allows Evidence Gathered From FBI’s Spoofed Cell Tower

Update 3:

--Orin Kerr has his take up, here: District Judges Divide on Long-Term Cell Phone Tracking Under the Fourth Amendment (he also discussed Powell another SCA/4th Amendment case)

Read More

Featured Paper: Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow

Stephanie K. Pell has posted a new paper on SSRN entitled: "Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow." Hat-tip to Chris Soghoian for mentioning it on Twitter. The article abstract is below:

While the Jones Court held unanimously that the government’s use of a GPS device to track Antoine Jones’ vehicle for 28 days was a Fourth Amendment search, the Justices disagreed on the facts and rationale supporting the holding. Beyond the very narrow trespassed-based search theory regulating the government’s attachment of a GPS device to Jones’ vehicle with the intent to gather information, the majority opinion does nothing to constrain government use of other tracking technologies, including cell phones, which merely involve the transmission of electronic signals without physical trespass. While the concurring opinions endorse application of the Katz reasonable expectation of privacy test to instances of government use of tracking technologies that do not depend on physical trespass, they offer little in the way of clear, concrete guidance to lower courts that would seek to apply Katz in such cases. Taken as a whole, then, the Jones opinions leave us still jonesing for a privacy mandate. As of the writing of this Article, Congress has not been successful in passing legislation that would regulate government use of tracking technologies. A third regulator of government power has emerged, however, in the form of technology itself, specifically in new(ish) methods an individual or group of individuals can use to make it more difficult, in some cases perhaps impossible, for law enforcement to obtain the information it seeks. While waiting for more definitive action from the courts and Congress, such “privacy enhancing” anonymization and encryption technologies can provide a temporary “fix” to the problem of ever-expanding police powers in the digital age, insofar as they make law enforcement investigations more difficult and expensive, thereby forcing law enforcement to prioritize some investigations and, perhaps, de-emphasize or drop others. Moreover, at a time when cybersecurity is a national security priority and recommended “best practices” include the use of encryption technologies to protect, among other things, US intellectual property, law enforcement is likely to face continued instances of “Going Dark” as it attempts to intercept communications in the face of the increasing availability and use of encryption technologies. As Congress considers possibilities for expanding law enforcement interception capabilities, it will be forced to accommodate the complex dualistic properties of technologies that, on one hand, bolster our national security against certain kind of threats while, on the other, they limit or thwart law enforcement’s ability to fulfill its traditional public safety function of investigating crimes.

Read More

"Revenge porn" website owner offers to close site if he raises $200,000

There was a time when people ended a relationship and moved on with their lives. Nowadays, with digital cameras and the Internet, it is much easier to seek revenge for all of the wrongs you experienced. For those of you unaware, "revenge porn" is the term applied when a person posts nude images of someone they know on the Internet - often doing so after the end of a relationship. 

Several revenge porn websites have come and gone, but one website owner has recently made headlines by offering to shut down his websites after he raises $200,000. According to Betabeat.com:

Mr. Brittain has devised a new scheme to flout the desires of victims who want him to take down their intimate photos. He and Is Anybody Down co-owner Chance Trahan have launched an Indiegogo campaign with a goal of $200,000, claiming that if they hit their goal they will officially shut down both sites. And they’ve named their campaign after revenge porn victim Holly Jacobs’ victim resource hub, End Revenge Porn.

Here are a few related links:

• 'I'm tired of hiding': Revenge-porn victim speaks out over her abuse after she claims ex posted explicit photos of her online
• Criminalizing “revenge porn” - discussion of what different groups and legislatures are doing to try to shut it down
• Revenge porn: the fight against the net's nastiest corner

Read More

Defendant argues WI child porn law unconstitutional; if you're texted CP and open it, are you guilty of possessing CP?

Could someone texting you child porn, a text you unwittingly open, get you charged with a felony? Also, is it fair to charge adult males with child porn possession but not the underage females that texted the images to them, if they both technically possess child pornography? The case below raises both issues.

In State v. Perino, No.'s 2012-CF-0217, 2012-CM-0116 (Wis. Cir. Ct. filed Jan. 18 & Feb. 23, 2012) the defendant is charged with two counts of possessing child pornography (2012-CF-0217 - link has case history) and two counts of sex with a minor over age 16 (2012-CM-0116). In March of 2013, the defendant filed three motions to dismiss based on the following: (1) that the charged statute (Wis. Stats. § 948.12, see infra) is unconstitutionally vague and overbroad, as applied; (2) that the images are not "lewd" as required by the statute; and, (3) that the prosecutor is selectively prosecuting the case.

Copies of the Wisconsin Circuit Court documents:

1. Defendant's Motions
2. Prosecutor's Responses

The defendant was later indicted in federal court, as well, where he was "charged . . . with one count of producing child pornography and [the indictment] refers to two victims A and B. Four other counts appear to refer to the same former student in the state charges, and a sixth count seeks forfeiture of Perino's computers and cellphone." (Vielmetti, infra). You can find the indictment, here: E.D. Wisconsin Perino Indictment

State of Wisconsin Case

Wis. Stat. § 948.12 states:

948.12  Possession of child pornography.
(1m) Whoever possesses, or accesses in any way with the intent to view, any undeveloped film, photographic negative, photograph, motion picture, videotape, or other recording of a child engaged in sexually explicit conduct under all of the following circumstances may be penalized under sub. (3):
     (a) The person knows that he or she possesses or has accessed the material.
     (b) The person knows, or reasonably should know, that the material that is possessed or accessed contains depictions of sexually explicit conduct.
     (c) The person knows or reasonably should know that the child depicted in the material who is engaged in sexually explicit conduct has not attained the age of 18 years.

Bruce Vielmetti has a good synopsis of the case in his Journal-Sentinel article - Lawyer wants girl charged for nude photos she sent to teacher:

The attorney for a former Hales Corners teacher facing charges he had sex with a female student has asked a judge to charge the girl with distributing child pornography - for sending nude photos of herself to the teacher.
...
Craig Perino was charged in Racine County in January 2012 with two counts of sex with child 16 or older, both misdemeanors. According to the complaint, he and the girl had encounters last year at his home in Waterford that involved drinking and intercourse.
A month later, prosecutors added two counts of possession of child pornography, both felony offenses, after nude photos of the girl were found on Perino's phone and computer. He has pleaded not guilty to all the charges.
…
Perino's attorney, John Birdsall, has moved to dismiss the child pornography charges on several grounds. He argues the statute is unconstitutionally vague and overbroad because it makes anyone who might open and view an unsolicited texted or emailed image of child pornography subject to criminal prosecution. 

Birdsall also argues that the texted photos, while nude, are not "lewd" under the statute. 

Finally, Birdsall asks that the charges be dismissed because they represent selective prosecution. His motion notes that the girl was 17 when she reported her sexual encounters with Perino and is 18 now. If the prosecutors believe the images amount to child pornography, the girl should be charged as an adult with producing, distributing and possessing them, the motion states.
…
Refusing to charge the girl, Birdsall argues, amounts to an admission by prosecutors that the images are not in fact lewd under the Wisconsin statute and therefore don't support the child porn charges against Perino.
…
In his responses to Birdsall's motions, Assistant District Attorney Robert Repischak argued that the issues were raised too late, that the question of whether the photos are lewd is one a jury should decide, and that Perino's constitutional challenge relies on hypothetical situations that differ from his own. 

"The defendant seemingly forgets" that he told an investigator he had stored images on his employer's computer and deleted them once he learned of the investigation and that he "clearly . . . was not an unwitting recipient of the images at issue," Repischak said in his written response to the motions.

Read More

Part 1 (The Facts): CFAA case to test the EFF's proposed reform language

In this first post I will outline the relevant facts of the Fidlar case and how the facts present an interesting issue for the proposed CFAA reform language of the EFF (and Rep. Lofgren). At the end of this post, I note EFF Attorney Hanni Fakhoury's initial take on the case. 

In the second post I will offer my own take. I will then propose some changes to the reform language that would clarify the issue. I will conclude by taking a step back and opining on whether the CFAA should even apply to this kind of contractual dispute, and if so, in what circumstances. Spoiler - I will propose a presumption.

A case in the federal District Court for the Central District of Illinois is worth keeping an eye on if you are interested in the evolution of the CFAA from an anti-hacking statute to one used to enforce terms of service agreements, employee disloyalty, and also contractual disputes.

First, as a point of reference, consider the EFF's proposed language to amend the CFAA (emphasis added):

(6) The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.  

The term “without the express or implied permission” does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer.

This language was adopted in some form in Rep. Lofgren's CFAA reform bill. For Orin Kerr's take on these proposals, see here: Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples, and here: Drafting Problems With the Second Version of “Aaron’s Law” from Rep. Lofgren.

Back to the case at hand, here is the alleged offense in the complaint from Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 4:13-cv-4021 (C.D. Ill. Mar. 13, 2013) (emphasis added):

17. In or around 2012, LPS created one or more computer programs, the sole purpose of which were to mimic the interface between Fidlar’s user-interface software and Fidlar’s server software. The mimicked program allowed LPS to fraudulently present itself to Fidlar’s server software as though it had gained access through the Laredo user-interface, but without the attendant user controls. 

18. Fidlar’s server software programs are designed to prevent Fidlar’s customers from accessing those servers by any means other than through Fidlar’s software. 

19. Fidlar does not train, promote, or explicitly publish, nor intend to publish the techniques necessary to access Fidlar’s server software directly and circumvent the Fidlar user-interface software of Laredo or Tapestry. 

20. Specifically, LPS created mimic software that allowed Defendant to fraudulently obtain documents electronically and search at a higher rate and volume than would otherwise be possible. 

21. This mimic software program that LPS created, allowed Defendant to gain fraudulent access to Fidlar’s server software and bypass user controls embedded in the Laredo program. In this manner LPS fraudulently obtained documents that Fidlar server software had retrieved from governmental databases. 

Later in the complaint, Fidlar alleges that LPS's use of this mimicked interface allowed LPS to access documents that they would normally have to pay for; caused a burden on Fidlar's servers that damaged their operations; prevented Fidlar from being able to track LPS's use; and, caused damages in excess of $80,000. Relating to damages, the complaint states: "As a result of Defendant’s unauthorized use of Fidlar’s computers and computer servers, Fidlar has been damaged in excess of $5,000 in the past calendar year. . . . To date, Fidlar has incurred economic damages in excess of $80,000 in attempting to determine the extent of Defendant’s fraudulent invasion of its computers and computer servers, and those damages are ongoing and increasing."

Fidlar’s complaint does not allege what specific section of 18 U.S.C. § 1030 LPS violated, but the language in the complaint reiterates the phrase "without authorization" (i.e. "Defendant has engaged in a pattern of unauthorized access of Fidlar’s computers and computer servers, in order to intentionally obtain information from Fidlar’s computers"); thus "without authorization" will be the focus of the analysis in my next post.

After reading the complaint, the next logical question is whether any language in the license agreement directly applies; it can be found here: Exhibit A - Fidlar Technologies Laredo End User Agreement. In my opinion it doesn't say much that is helpful to this dispute. The bulk of the agreement relates to Fidlar's protection of its intellectual property; I do not see any limiting language on how a customer may access the database. Feel free to correct me.

Unsurprisingly, LPS's side of the story is quite different. Its Motion to Dismiss for Failure to State a Claim (filed Apr. 8, 2013) (emphasis added & internal cites omitted, except where relevant) states:

Fidlar’s CFAA claim fails for two reasons: 1) LPS was authorized to access Fidlar’s computers, and 2) Fidlar does not allege that it suffered “damage” or “loss” as those terms are defined by the CFAA.

a. LPS was authorized to access Fidlar’s computers. 

Fidlar’s complaint explicitly concedes that LPS has been a customer of Fidlar “since at least 2009 using the Laredo program and has installed the Laredo program on its own computers.” The complaint further admits, “LPS has purchased Laredo licenses in 76 counties where Fidlar has provides [sic] access to documents.” In other words, LPS had paid for and was granted authorization to access the data on Fidlar’s servers relating to those counties.

Even though LPS was authorized to access Fidlar’s servers, Fidlar complains that LPS went about it the wrong way. Specifically, LPS did not employ an individual to manually review the documents one at a time. Instead, LPS employed a computer program that allegedly circumvented controls that Fidlar claims were in place to “prevent customers from electronically capturing and downloading documents” instead of paying for copies. 

As a matter of law, these allegations do not constitute “intentionally access[ing] a computer without authorization.” The term “without authorization” means “without any permission at all.” AtPac, Inc., 730 F. Supp. 2d at 1179 (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009)). On this issue, the decision in State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009) is particularly instructive. There were two defendants in State Analysis: the first was alleged to have accessed the plaintiff’s website using usernames and passwords that did not belong to it and to which it had never been given lawful access, while the second was alleged to have misused the passwords with which it had been entrusted. The court allowed the CFAA claim to proceed against the first defendant, but granted the second defendant’s motion to dimiss, explicitly holding that while use of an unauthorized password to access password- protected content may constitute a CFAA violation, a mere allegation that a defendant “used the information [which it had been given lawful authority to access] in an inappropriate way” did not state a claim for relief. 

Fidlar wrongly contends that authorized access becomes unauthorized if the user violates contractual or embedded limitations on the use of the data (i.e., saves the images rather than printing them out). This is not the law. . . .

The logic here is simple. By its terms, the CFAA only addresses access to electronically stored data as opposed to the use of that data. . . . [FN1]

[FN1] - The only Seventh Circuit decision LPS could find that touches on the definition of “authorized access” is International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006), but it is inapposite. In that case, the Court held that an employee’s authority to access his employer’s computers ceases when he decides to leave his job, go into competition against his employer, and abandon his duty of loyalty.

In short, LPS had authority to access Fidlar’s database of public records and Fidlar’s claim to the contrary is not plausible. LPS did not violate the CFAA merely by saving images of those public records instead of printing them. In fact, this conduct is not even a breach of Fidlar’s user agreement that a Laredo user must accept before accessing a county’s records through Laredo. A true and correct copy of a Fidlar user agreement is attached as Exhibit A, and the Court may consider it on a Rule 12(b)(6) motion because it is referenced in the complaint and Fidlar’s user agreement is central to Fidlar’s claim. . . . Nothing in the User Agreement prohibits any of the conduct alleged in the complaint. Thus, even if Fidlar attempted to rely on the User Agreement to argue that LPS lacked authorization to access the data in the manner that did, it would still not violate the CFAA. 

b. Fidlar does not allege damage or loss under the CFAA.

... 

Fidlar’s complaint does not even attempt to allege it suffered “damage.” Fidlar’s complaint only alleges that it became “aware of a strange usage pattern” related to LPS’s licenses, and as a result, “audited several LPS accounts to determine account activity.” Notably, Fidlar alleges that LPS’s conduct only “continues to threaten to overload those servers” and “continues to be able to disrupt Fidlar’s operations.” There is no allegation that LPS’s conduct actually caused Fidlar’s servers to crash, overload, or otherwise malfunction. Indeed, it is the lack of activity recorded on Fidlar’s servers that underlies its complaint. 

Thus, Fidlar may only maintain a civil action for CFAA violations if it suffered a “loss.” As the statutory definition makes clear, its claim for unpaid printing charges is not recoverable. Lost revenue and consequential damages are only losses if they were caused by an interruption in service. 18 U.S.C. §1030(e)(11).

The only allegations in Fidlar’s complaint that even approach the definition of loss relate to its investigation into LPS’s access. This investigation, however, was not into an interruption in service, destruction of data, or impairment of a program. Instead, it was an investigation into unpaid printing charges and unmonitored usage. The cost of this type of investigation does not meet the statutory definition of loss. 

The court has not yet ruled on LPS's motion to dismiss. There have been counterclaims, motions for temporary restraining orders, and issues related to discovery. If the MTD is denied (which seems likely), or granted before I get the next post up, I will pass that on immediately.

As stated above, I mentioned this case to Hanni Fakhoury, Staff Attorney at the Electronic Frontier Foundation. Here are his comments (emphasis added):

I read the complaint and the MTD portions re: the CFAA claim . . . sounds very much to me like Nosal (re: use v. access) and Facebook v. Power Ventures (https://www.eff.org/cases/facebook-v-power-ventures). 

I think the issue comes down to whether LPS violated a code-based restriction on access to that data or a contractual restriction, and the complaint and MTD don't really shed much light on that point (other than to claim it wasn't a violation of the contractual terms of service). Interesting case and a good find. It also provides an opportunity for the court to decide whether Citrin applies beyond the employment context.

Assuming that the End User Agreement (Exhibit A) is the only document governing the relationship between Fidlar and LPS, I can't see how this comes down to a contractual dispute in isolation (or if that guides the court's decision much, except to say that the contract is void of informative language). Therefore, I see this as being forced under the CFAA and hence why the case should be interesting to watch.

Last note (if you didn't read the complaint in its entirety) - The other causes of action in the complaint are a violation of the Illinois Computer Tampering Statute and common law trespass to chattels.

Read More