Monday, April 30, 2012

Dissenting judge in CP case argues that "sexual predator" label for 17 yr old offender, as applied, was cruel and unusual punishment

In In re Welfare of: J.E.M., 2012 Minn. App. Unpub. LEXIS 326, a 17-year-old's conviction for possession  of child pornography was upheld; that's not the main story, though. Judge Randall, concurring specially, made an impassioned argument that under the facts of this case, which were somewhat tenuous, applying the sexual predator label to a 17-year-old (for ten years) who hadn't actually had anything to do with their production or distribution, but had merely looked at them, "begs a constitutional challenge on the grounds of 'arbitrary and capricious, and cruel and unusual punishment.'"

The facts of the case are interesting in that the basis for the conviction was on circumstantial evidence, tied with an analysis of the thumbs.db file. Thumbs.db is created when images are opened in thumbnail view, or in full. The file has essentially mini-images of the files within the directory that were opened/looked at/viewed in thumbnail. The defendant was alleged to have looked at 54 images of child pornography, by way of their inclusion in the thumbs.db. When doing forensic analysis, sometimes it is hard or impossible to tell whether someone viewed a file in a large enough form to prove that they knew it was child pornography. Thumbs.db is created if the images are icon size or full gallery view.

Tied with the thumbs.db was the time of access, which was nailed down to when the defendant had possessed the computer and logged in with a password. The court essentially deferred to the determination of the jury with respect to fact-finding and appeared to give deference to the agent who had testified regarding whether or not the defendant had actually viewed the files.

In my opinion, a conviction of a 17-year-old under this factual scenario may be somewhat harsh - given the mandatory 10-year "sexual predator" label and the lack of concrete evidence of how the defendant viewed the images, or if he did so repeatedly (or whether they just loaded as part of a page he did not view in totality). But, I am of the opinion that the jury was in the best position to make this determination and to assess the veracity of the evidence, so upholding the conviction was proper.

Judge Randall, in his concurrence, first describes the mandatory label as something that should not be slapped on without a determination of context. He then goes on to lament the effect such a label would have on an individual over the course of that 10-year period - that it wouldn't just be for those ten years, but would essentially be a life sentence, and that it would prevent the individual from obtaining a large swath of occupations. He states, colloquially, that:
A man or woman with the label "predatory offender" applies for an advertised job at a loading dock and passes the basic fitness and aptitude tests and now there are 10 qualified applicants for five openings. What does the foreman/boss say behind closed doors, "for  ___ sake, dump that assaulter, pedophile, sexual deviant, or whatever the hell he is!"
He then makes what I believe to be a strange argument - that the fact that the Internet is filled with porn is reason to excuse the defendant's behavior to some degree; that it was just part of being on the Internet. He opines that "[t]he figures vary, but approximately 60% to 80% of worldwide computer Internet is pornography. If you cannot find it on your computer, you do not even know how to read your email."

Judge Randall then begs the question of why there is what I would call an "offensiveness gap" between pictures of 17-year-olds vs. 18-year-olds:
Minors are supposed to make it so terribly more offensive?! If you have scantily clad or naked 17-year-olds "doing time" in the "Caymans?" why is that so much more offensive than naked or partially clad 18-year-olds "doing time" in the "Caymans." 
I understand the argument, but I think this distinction is an inevitable part of drawing a line at what age pictures of individuals constitute child pornography. Also, it is nearly impossible (without knowing about the individual in a picture beforehand) to determine what the exact age of a person is in a pornographic image.  When you search (as a forensic investigator) a computer for CP, you are operating under the "I'll know it when I see it" credo - which typically pushes that age at which you would call something child pornography below even 17. But regardless, this argument is fruitless here because the pictures the defendant was alleged to have looked at were of a 9-year old girl. 

Judge Randall concludes by reiterating that the Minn. statute that requires the mandatory predator label for life (essentially) without a judicial assessment of the context of the situation "is an unconstitutional denial of due process, and is so arbitrary and so capricious and so damaging that it is cruel and inhumane punishment as applied in this case."

I believe this to be a constitutional overreach by the judge given the substantial interest the government has in preventing child pornography, as well as protecting the community from individuals who have exhibited behavior consistent with that equated with sexual offenders. Additionally, its hard to see where a case like this fits within juvenile 8th Amendment cases such as Roper v. Simmons, 543 U.S. 551 (2005) - but more importantly, cases where juveniles have been tried as adults. However, Judge Randall does gain a modicum of support from the Ohio Supreme Court - in In Re C.P., 2012 Ohio 446 (2012), the court held that a juvenile, not tried as an adult, was subject to cruel and unusual punishment when he was required to register as a sex offender for life. But there, it was key that he was tried within the juvenile system. This case can clearly be distinguished.

I am sympathetic to the argument that kids do make mistakes and this is quite a harsh punishment. I just don't think sympathy is enough.

Sunday, April 29, 2012

Last week's tweets from @CybercrimeRev

Don't forget to follow Cybercrime Review on Twitter (@CybercrimeRev). Here are some of the stories we've tweeted about in the past week that we didn't discuss on the blog.
  • 92-year-old WWII vet sends bootlegged movies to American soldiers abroad
  • Germany's high court holds that phishing victims' losses are their own fault
  • Justice Department clears Google in Wi-Fi sniffing scandal
  • How to wipe your hard drive DoD-Clean
  • Employee snooping in IRS database: it’s like looking people up on Google or Facebook
  • The political effects of conflating separate meanings of "cybersecurity"
  • Facebook announces more than 901 million users
  • India now world's leading spam source

Saturday, April 28, 2012

6th Circuit finds probable cause to search camera for evidence of underage drinking, one judge disagrees

The Sixth Circuit recently affirmed the denial of a motion to suppress in United States v. Westerlund, 2012 FED App. 0440N (6th Cir.). In the case, a 15-year-old boy was found drunk by his parents. He and his girlfriend claimed that Westerlund gave them alcohol. The boy's older brother (age 16) told police that he had also been given alcohol and marijuana by Westerlund before and that "a camera had been used at some of their parties and pictures had been taken but he thinks most of them were deleted."

On this information, law enforcement requested a search warrant to find "evidence relating to alcohol, marijuana, and devices used to photograph, record, and store images of minors without clothes or using alcohol or controlled substances." The district court found that no probable cause existed to search for child pornography, but a search for evidence of providing alcohol to minors was allowed including a search of digital cameras. Subsequently, photographs of unclothed minors and minors consuming alcohol were found. The Sixth Circuit affirmed the denial of the motion to suppress.

In a concurring opinion, Judge Cole agreed that probable cause existed to search for evidence of providing alcohol to minors, but suggested that it did not extend to searching cameras. Still, he concurred because of the "ever-widening Leon good-faith exception jurisprudence (an exception that will surely soon, if it has not already, swallow the rule)."

Cole argued that the only evidence suggesting that Westerlund had photographic evidence was a quote from the teenager saying that pictures had been taken but were deleted. The statement did not specify that Westerlund was the one who had taken them or that he was still in possession of them. Cole found this "disturbing" and suggested that it would allow a search warrant to be applied to nearly every person there because they likely had cameras on their cell phones.
[T]here would be a similarly "fair" probability that their devices would contain photos depicting criminal activity. To presume that there is a "fair probability" that photos of criminal activity would be found at Westerlund's home based on this statement alone requires an understanding of the word "fair" that I do not have.
 Judge Cole continued:
The district court latched onto the latter clause of W.J.'s statement, which referred to the photos being deleted, to note that photos may be resurrected from the trash folder on a computer, so their deletion should pose no bar to obtaining a search warrant. But such an argument puts the cart before the horse; it is not the photos' ability to be seized that is at issue, but whether the photos may be sought at all. Similarly, the majority opinion erroneously applies the "plain view" exception to justify the police officers' seizure of the photographs, while what is actually at issue is whether the police were able to look for any photos. As Westerlund makes clear, the photos that were immediately incriminating were not laying around in plain view; the government underscores this by noting that "[i]n the course of reviewing the pictures, other photographs were found that clearly and immediately appeared to be evidence of other crimes . . . ." Given that the officers had no authority to rifle through the photos in the first place, it cannot be reasonably stated that the incriminating photos were in plain view. To say otherwise would obviate any need for a search warrant to specifically list the items sought.
While Judge Cole's argument certainly brings up an important issue in the case, it does also seem reasonable that even without the testimony about pictures being taken, an officer would be able to search a camera for the evidence. The fact that alcohol was in Westerlund's house does not alone provide evidence of providing alcohol to teenagers. Something more was needed, and pictures that might have been taken are certainly a great source. Regardless, Cole's acknowledgment of the ever-expanding good faith rule is well-received - at least by this author.

Friday, April 27, 2012

Tech Watch: Onion Browser for iPhone allows encrypted browsing, Tor traffic tunneling

Onion Browser, an app just released for the iPhone and iPad, uses the Tor network to allow users to access the Internet with encryption and anonymity. The app, which is not made by the Tor Project, is available for $0.99 in the iTunes store.

The website lists the following features and benefits of the browser:
  • Internet access is tunneled through the Tor network: traffic is sent through an encrypted tunnel and over several "onion router" machines before reaching the destination.
    • Websites do not see your actual IP address.
    • Web browsing activities are protected from eavesdropping by ISPs or other users of your wireless or wired network
    • Freely access the entire internet from behind restrictive firewalls.
    • Access to the "dark net" of hidden services (".onion" web sites) not accessible via the regular internet
  • Ability to spoof HTTP User-Agent header.
  • Ability to change cookie storage policy (Allow All / Block Third Party / Block All)
  • “New Identity” button clears cookies, history, and cache and requests a new IP address in one quick step.
  • Startup page contains a list of well-known, stable .onion sites.
Tor software is, however, officially available for Android. According to Tor's website, the software, called Orbot, "allows mobile phone users to access the web, instant messaging and email without being monitored or blocked by their mobile internet service provider."

1st Circuit affirms sentence despite erroneous calculation in presentence report

In United States v. Roman-Portalatin, 2012 U.S. App. LEXIS 8393 (1st Cir. 2012), the First Circuit upheld a sentence for persuading a minor to engage in unlawful sexual conduct and possession of child pornography despite the defendant's argument that an enhancement was erroneously applied.

The enhancement of USSG § 2G2.1(b)(6)(B)(ii) is applied for the use of a computer to "solicit participation with a minor in sexually explicit conduct for the purpose of producing sexually explicit material or for the purpose of transmitting such material live." It doesn't apply to direct communications with the victim, however, but instead only when the communications are with a third party. § 2G2.1(b)(6)(B)(i) is applied when the act is directly with the victim. Either way, it's a two-level enhancement.

The issue arose when the enhancement was suggested in the presentence report and a range of 168-210 months was established. Despite the defendant's plea agreement recommending 135 months, the sentencing judge imposed a 145-month sentence. On appeal, the defendant argued that the erroneous enhancement (which he had not objected to at sentencing) prejudicially affected him as the judge was calculating the sentence.

The First Circuit (in an opinion by Justice Souter, sitting by designation) held that even if the error had been preserved, it did not appear to affect the district court's decision as the defendant's plea admitted to the same level enhancement under § 2G2.1(b)(6)(B)(i). Also, a claim of ineffective assistance failed because at most, the attorney's act "would have resulted in substituting '(i)' for '(ii)'.

Thursday, April 26, 2012

District court denies restitution to child pornography victim because government failed to prove damages

A federal district court has denied an award of restitution to "Cindy," an individual depicted in child pornography. United States v. Veazie, 2012 U.S. Dist. LEXIS 57772 (D. Maine 2012). In the past, Cindy has been awarded restitution twelve times with awards ranging from $1,000 to $5,000, and she is seeking to recover approximately $71,000 total.

The court first determined that the defendant was the proximate cause of Cindy's harm. However, "[j]oint and several liability is inappropriate" because he did not cause all of her injuries, and it is possible that it can't be "imposed upon defendants in separate cases." The government did not present any specific evidence of damage caused by the defendant. "[T]he Government [has not] shown that Veazie even viewed one image of Cindy or compared the conduct of Veazie with the conduct of the defendants in the twelve other cases involving restitution awards to Cindy."

Because the government did not provide a method for determining damages caused by the defendant, the court was unable to award restitution. "[C]ourts may not speculate, and the Court cannot do so here."

For a more detailed look at how courts award restitution in child pornography cases, click here.

FBI seizes server used to anonymize e-mail

The FBI recently seized an entire server that was used to anonymously make bomb threats against the University of Pittsburgh. The server was running Mixmaster, an anonymous remailer service, that was predominantly used by many civil and human rights groups. The shutdown of the server took out 300 email accounts, 50-80 email lists, and several websites. The organizations behind these accounts are not suspected of any wrongdoing.

“The FBI is using a sledgehammer approach, shutting down service to hundreds of users due to the actions of one anonymous person,” said Devin Theriot-Orr, a representative for one of the groups.

Here's a description of how the server works:
Anonymous remailers are used to send email anonymously, or pseudonymously. Like other anonymizing services such as the Tor network, these remailers are widely used to protect the identity of human rights activists who place themselves and their families in grave danger by reporting information about abuses. Remailers are also important for corporate whistle blowers, democracy activists working under repressive regimes, and others to communicate vital information that would otherwise go un-reported. 
The Mixmaster software is specifically designed to make it impossible for anyone to trace the emails. The system does not record logs of connections, details of who sent messages, or how they were routed.
As long as that's true, it makes you wonder why the FBI bothered to seize the server. In the meantime, these groups are doing a good job of making it seem like nothing more than an attack on free speech. You can read more about the seizure, the groups affected, and how the server works on Riseup Networks' website.

Wednesday, April 25, 2012

Missouri appellate court finds search unconstitutional, affirms conviction

In State v. Sachs, the Missouri Court of Appeals considered whether pictures of a computer's screen introduced at trial were improperly obtained. 2012 Mo. App. LEXIS 571. Law enforcement had tracked child pornography activity to the defendant's home. They arrived to talk with him without a search warrant, and the defendant admitted downloading child pornography. When the defendant stepped outside to call his parents, the detective began opening programs on the computer and taking pictures of the screen.

On appeal, the defendant argued that the search of the computer without a warrant was unconstitutional and the evidence should have been suppressed. The court found that "using a mouse and/or keyboard to shuffle between files that are not plainly visible" is a search. The prosecution argued that an exigent circumstance existed because shutting down the computer would have cleared the RAM. The court disagreed, finding that an officer could have remained with the computer until the search warrant was obtained and that an "inconvenience for the officers and Appellant's roommates" is irrelevant.

The state argued the evidence was admissible under inevitable discovery. The court held:
The State has failed to explain, nor do we perceive, how access to the active files on the computer to view and take pictures of the active programs was inevitable. Detective Anderson testified to his intent to turn off, unplug, and remove the computer from the premises prior to applying for a warrant. Thus, the record reflects that, as a result of Detective Anderson's own actions, the ability to view and photograph the active programs would not have existed by the time a warrant could be obtained for a lawful search to have been conducted. Admission of the pictures of the active computer screens or Detective Anderson's testimony related to his access of the active programs could not be justified by the inevitable discovery doctrine.
Of course, the solution was getting the search warrant prior to unplugging the computer. An officer should have remained with the computer until a warrant was obtained, and then the search of the active files could have occurred and photographs could have been taken.

The court ultimately held that although the photos and testimony should not have been admitted, the properly admitted evidence of the defendant's guilt was overwhelming, and the conviction was affirmed.

Court finds evidence of counterfeiting and giving minors drugs admissible in CP trial

In United States v. Stringer, 2012 U.S. Dist. LEXIS 56458 (W.D. Mo. 2012), the court held that evidence of a defendant's possession of counterfeit currency and giving methamphetamine to minors is admissible in his trial for possession of child pornography.

The defendant had entered a guilty plea for the counterfeiting charge, and evidence of that crime was found on the same computer as the child pornography. He argued that it was immaterial and would be unfairly prejudicial. The court ruled it admissible "if offered to prove Defendant's possession and control of the computer containing child pornography."

Also held admissible was evidence that the defendant gave minors methamphetamine "to make them willing to pose for pornographic pictures."
[T]he question is whether the Government may introduce evidence that the Defendant supplied G.R. and A.K. with methamphetamine in the hope that it would lower their inhibitions and make them more amenable to taking explicit pictures. The Court holds it may. It is well-established, and no expert testimony is needed, to prove that individuals frequently give drugs, such as alcohol or methamphetamine, to others in the hope that it will lower their inhibitions.

Tuesday, April 24, 2012

Search validated based on results of the search, rather than the method

The recent case of United States v. Johnston, 2012 U.S. Dist. LEXIS 53323 (E.D. Cal.), raised some thought-provoking questions. Essentially, it is a run of the mill CP motion to suppress - with one twist. The defendant had used his email address to register for a CP website, and an e-mail giving him access was “intercepted.” A search warrant was obtained and during the first search of the defendant’s hard drive plenty of CP was found, and a search for relevant communications turned up “some ‘emails of interest’ and chat logs.”

A second search nearly five years later revealed more emails and CP. On the third search, an agent claimed he did some keyword searches for typical terms related to CP again, but failed to do one important thing – keep a record of what he was doing. As an aside, typically you are taught that when conducting forensics investigations of computers, you record every command that you use to examine the drive (or have a program do that for you), so that you can retrace your steps (and essentially assert that you were remaining within the scope of the warrant). The agent admittedly did not do that here.

The defendant argued in his motion that the searches exceeded the warrant, requiring suppression. Additionally, he argued that the agent’s failure to keep track of his actions were fatal because “it is not possible to determine clearly that the agent acted only within the bounds laid out by the warrant's terms.”

The defendant equated this to “the government[] ‘rummaging’ indiscriminately through [the] defendant's computer in violation of the Fourth Amendment.” (I loved the “rummaging” part). In clearer terms, the defendant is arguing that failure to take those steps turned the particularity of the warrant on its head and the search became a dragnet-type search. The Court reviewed two previous cases that were semi-analogous, and then summed up the review of precedent:
Because "[t]he difficulties of examining and separating electronic media at the scene are well known," a warrant's authorizing "seizure of intermingled materials that are difficult and time-consuming to separate on-site" is reasonable and permissible. The intermingled nature of materials, however, does not justify a detailed examination of the entire content of those materials in the form of "an investigatory dragnet."
The court found no precedent supporting the defendant’s argument that failure to leave investigatory “crumbs” would be fatal to the government’s case. The court denied the motion to suppress, stating that all of the searches that were made by the agent were in furtherance of the goal of obtaining evidence of CP but seemed to base this conclusion merely on the results of the search, and not how they were conducted. Essentially, while the search occurred, they stumbled upon other leads that took them elsewhere. The court analogized such leads under the plain view doctrine to some extent but concluded more importantly:
any information [the agent’s] searches returned that was not limited precisely to possession or receipt of images of child pornography was located by searching only for this kind of material. As in Giberson, although the government here did not seek an additional warrant after the agent discovered the travel information and the chats, the agent continued his search by looking only for evidence of child pornography. There is no indication that he ever diverted his search to areas of inquiry outside the scope of the warrant, conducting the kind of "investigatory dragnet" operation that would violate the Fourth Amendment. (emphasis added)
There is no evidence of diversion, because the government failed to collect the evidence in a forensically sound way, and that failure provided the defendant with no argument and no evidence to prove his version of the facts. While this certainly isn’t a case worth appealing on its particular facts, I could think of one that would be.

Suppose the exact same facts except the evidence of a crime obtained during the third search was wholly unrelated to CP and was, for example, related to federal tax evasion. In that circumstance, the suppression motion should be granted for failure to stay within the scope of the warrant. Here’s why: in Johnston, all of the information that was revealed was ultimately related to the same subject, pedophilia, and was likely to be intermingled – also, it was the target of a child porn investigation. Thus, string searches for words such as “lolita,” “child porn,” “pedo,” etc., are likely to reveal this type of information. But in the federal tax evasion case, would the same be true? Herein lies the conundrum.

The failure of the agent to disclose his steps to discover that information in the third search should be fatal to the government’s case in this hypothetical. Without evidence of the steps of the searches, and what commands were issued during the search, there could be no proof that the government wasn’t using a dirty word list that included phrases outside the scope of the crime they were investigating. The assumption would then be pushed to a “dragnet”- type search – say searching for CP words plus “money laundering,” “cocaine,” “botnet.” Because of the amount of information on a computer hard drive, we have to expect that we retain privacy to some degree in that information. Obviously the Ninth Circuit’s precedent reveals this to some extent, but the cases have not really delved into the Fourth Amendment intricacies of hard drive mechanics and data storage.

Additionally, can plain view even really be applied in these types of situations? Or, more specifically, who is to determine how that works on a hard drive? Under the Wong test used here to analyze plain view, one of the requirements is that the “items incriminating nature was ‘immediately apparent.’” In Johnston, the court is making the assumption that this is true based on the agent’s testimony; however, a court would likely defer to such testimony of plain view by the agent, regardless of whether they know he is telling the truth. Once again, failure to record his actions makes this deference shaky. Also, I’m sure most people would agree that child porn is “immediately apparent” in the sense that you’ll know it when you see it. Can the same be true of evidence of tax evasion? I don’t think I would know tax evasion was staring me in the face from string-based searches of a hard drive.

In sum, it must be decided if a warrant allows anything to be done to a hard drive, or are there strictures? What if it was a shared computer in a family? In my view, the Johnston case (maybe) and surely the hypothetical would be analogous to the cops looking for a hidden gun in your house, but stopping to read your daughter’s diary. We’re essentially confronted with a line-drawing problem. The court has escaped the “dragnet” trap here because of the interrelatedness of the crimes and the ability to draw a conclusion not from a strong footing of evidentiary sufficiency but a favorable factual outcome. But that trap isn’t avoidable forever. When you are conducting a search for evidence of an alleged crime, you are searching for relevant evidence of that crime - not all crimes. The only way to determine if this has been followed is to know what steps the government took to get where they ended up. This case was properly decided, but I think the court should not have given such short shrift to the evidentiary failings because the facts fell in line.

Pre-Jones GPS data not subject to suppression in 7th, 8th, and 9th Circuits due to good faith exception

In United States v. Amaya, 2012 WL 1188456 (N.D. Iowa 2012), a motion to suppress GPS data because law enforcement obtained it in good faith prior to the Supreme Court's decision in Jones.

The defendant is facing multiple drug charges. After Jones was handed down in January, Amaya was given the opportunity to file a motion to suppress GPS evidence in the case. Law enforcement had used GPS devices on multiple vehicles without a warrant for periods of time ranging from one to four months.

In considering the motion to dismiss, the judge found that even if the use of the GPS devices violated the Fourth Amendment, suppression is not required because under Davis v. United States, the good faith exception would apply. Since the Eighth Circuit had ruled that no warrant was required for the use of GPS (Marquez, 605 F.3d 604), the investigators were acting in good faith based on binding precedent because Jones had yet to be decided.

Prior to Jones, the Seventh, Eighth, and Ninth Circuits had all determined that a search warrant was unnecessary for the use of GPS devices, which could lead to the good faith application in 19 states for data that has already been acquired. Last month, a California district court also held the good faith exception to be applicable (United States v. Nwobi, 2012 WL 769746 (C.D. Cal. 2012)).

In Amaya, the prosecution had also failed to disclose the use of GPS surveillance during discovery, and the court considered if suppression or other sanction was appropriate. The use originally came out during trial, and a mistrial was declared. The judge found that the failure to disclose was in bad faith, but "the prejudice to Amaya has largely been remedied." While the judge decided not to require suppression, a hearing was scheduled to determine a proper sanction including the possibility of "taking away the prosecution's peremptory strikes and/or closing rebuttal argument."

Monday, April 23, 2012

Social networking actions lead to crimes, but is it anything new?

A disagreement over a Facebook relationship status recently ended with gunshots being fired into the air outside a Georgia Waffle House. In February, a husband and wife unfriending someone on Facebook ended with that person's father shooting the couple.

As these events happen, they get a great deal of news coverage. The stories are somewhat unique as they involve a specific element that hasn't existed before. They seem to demonize social networking websites as the cause of such evil, but is that really fair? Relationships and friendships have always had highs and lows despite technology. The only thing different today is that those changes can be easily broadcast to hundreds or thousands of your closest friends.

The question is whether social networking is creating new issues. Would the couple mentioned above still be alive if the friendship had just faded without such a conclusive end? Is the nature of Facebook changing our emotions and reactions? Or would these same people have wound up feuding as a result of a telegram or letter sent by carrier pigeon? My fear is that social networking is making these types of interactions more common. What are your thoughts?

Friday, April 20, 2012

11th Circuit affirms use of chat transcript and virus scanner file list in CP case

In United States v. Rubinstein, 2012 U.S. App. LEXIS 7890 (11th Cir. 2012), the Eleventh Circuit upheld convictions for transporting and possessing child pornography. On appeal, the defendant argued that online chat transcripts and a list of files generated by the computer's antivirus program should not have been admitted into evidence. The investigation began with connecting the defendant's screen name to his ISP and residence, and then searching his home. His computer and DVD contained hundreds of images of child pornography.

The Eleventh Circuit found that the chat transcripts "were relevant because they show that child pornography was exchanged and the sexual comments about children help establish that Rubinstein knowingly exchanged the illicit images." Additionally, testimony about how the program operated and how the list was created properly authenticated it.

With regard to the virus scanner list, the court found it to be relevant "because some file names on the list were suggestive of child pornography, tending to show that Rubinstein knowingly possessed child pornography."

The use of the file list is a little troubling, though two things are important to note: (1) actual images of child pornography were found, and (2) most people are not likely to name non-CP images with names that suggest CP content. But suppose I created a document on my computer called "how_I_hacked_the_government.doc". Should that name alone be used against me in a prosecution for hacking? It could be a fictional story - you can't know without the content. It just seems that this file list was unnecessary and should not be admissible in a case where the files are not actually recovered.

Wednesday, April 18, 2012

FBI replaces Bin Laden on Most Wanted list with child pornographer

The FBI has finally replaced Osama bin Laden on its Ten Most Wanted list, replacing him with Eric Justin Toth, an alleged producer of child pornography. Toth was a third-grade teacher, and images of child pornography were found on a school camera that he had been using. It is thought that he has traveled to Virginia, Illinois, Indiana, Wisconsin, Minnesota, and Arizona while on the run.

The top ten list produced by the FBI is not ranked so Toth's inclusion is not meant to imply that he and Bin Laden are equals. Toth is the fourth person placed on the list for crimes related to child pornography (others - 1, 2, and 3). The FBI also has separate wanted lists for Cyber Crimes and Crimes Against Children.

Tuesday, April 17, 2012

3rd Circuit remands challenge of porn industry record-keeping requirements

In Free Speech Coal. v. Attorney General of the United States, 2012 U.S. App. LEXIS 7543 (3rd Cir. 2012), the Third Circuit remanded a case challenging the constitutionality of 18 U.S.C. § 2257 and § 2257A, a record-keeping requirement for the pornography industry, after the court granted the government's motion to dismiss. On remand, the district court must consider the plaintiff's First and Fourth Amendment arguments.

The statute requires the producer to keep identifiable records of each performer and to have the records available for inspection by the attorney general "at all reasonable times."

With regard to the First Amendment claim, the Third Circuit found that the statute is content neutral (not an attempt to regulate content, but to protect against child pornography) and is subject to intermediate scrutiny. The court found that the standard was met, but it remanded to allow the plaintiffs "to conduct discovery and develop the record regarding whether the Statutes are narrowly tailored." They also concluded that the government's limiting instructions were likely insufficient.

The Fourth Amendment claim suggested that the statute and related regulations "unreasonably authorize the government to conduct warrantless searches and seizures. The court found that further development on the record is necessary to determine whether a violation of Jones or Katz has occurred and if the administrative search exception is applicable.

A concurring opinion by Judge Rendell concluded that more facts are necessary to determine the application of Jones, but that the administrative search exception cannot be justified.
Tellingly, neither the government nor the District Court has explained why the government's goal of ensuring compliance and deterring the fabrication of records would not be served by warrants issued on short notice as part of a regular, administrative enforcement scheme.

Monday, April 16, 2012

Why Nosal’s dissent is surprisingly persuasive

Judge Silverman wrote an interesting dissent in United States v. Nosal, 2012 WL 1176119 (9th Cir. 2012) in which Judge Tallman joined. First off, let me be clear that Chief Judge Kozinski was accurate in his majority opinion that the Computer Fraud and Abuse Act (CFAA), when enacted, contemplated hackers and not necessarily violations of acceptable use policies or corporate internet policies. That being said, and giving Kozinski his well-deserved due deference, viewing the case in an as-applied fashion, as the dissent does, the following quote is quite persuasive:
This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.
At the heart of the case lies a successful attempt by an ex-employee to exfiltrate data from his former company for unjust enrichment. While the CFAA is surely meant to address hackers and their attempts to exploit protected computers, the critical conundrum is: should it be cabined so narrowly as to exempt a situation such as this? The implication is not that any violation of an acceptable use policy or the like is a federal crime, what it really boils down to is the nature of the crime and how the information is used. Judge Kozinski appropriately tries to counter this by stating the following:
Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
However, Judge Kozinski bases this assertion on the idea that “[m]inds have wandered since the beginning of time and the computer gives employees new ways to procrastinate.” Is that judicial acceptance of the fact that shirking employment duties is to be expected, and just because that type of behavior is widespread, we should not pursue efforts to criminalize it? Does an employee not owe a contractual obligation (and possibly a duty of loyalty to the employer) to focus on their job, and not on match.com?

These are very interesting questions, and I think the antiquated CFAA shows it stripes when confronted with novel cases like this that push its open texture to the extreme limit. No matter where you come out on this case (I tend to agree with Kozinski that there is a potential for OVER enforcement of this, because its an easy route for employers to nail employees committing acts that are by nature non-criminal, but contractually questionable) one cannot help but be convinced by the following quote from the dissent:
The majority’s opinion is driven out of a well meaning but ultimately misguided concern that if employment agreements or internet terms of service violations could subject someone to criminal liability, all internet users will suddenly become criminals overnight. I fail to see how anyone can seriously conclude that reading ESPN.com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of something of value by means of that fraud, while doing so “knowingly.” And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, . . . that is what an as-applied challenge is for.
In the end, I believe the disagreement in the Ninth Circuit is not one of statutory interpretation as the opinion paints it to be, but more of a call to legislators to refine laws that were enacted when the internet was merely in its crib. It’s all grown up now and should be treated as such.

Saturday, April 14, 2012

2nd Circuit holds theft of computer code not covered under National Stolen Property Act

The Second Circuit has joined a list of courts in finding that the National Stolen Property Act does not criminalize the theft of "purely intangible property." United States v. Aleynikov, 2012 U.S. App. LEXIS 7439 (2d Cir. 2012).

Aleynikov encrypted and uploaded 500,000 lines of code to a server on his last day of work before beginning a new job. He later downloaded the source code onto his home computer, was arrested nearly a month later, and was charged with violations of the CFAA and NSPA. The CFAA charge was dismissed because he "was authorized to access the Goldman computer and did not exceed the scope of his authorization."

The NSPA criminalizes when a person "transports, transmits, or transfers in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud." The statute does not define the terms, and the Second Circuit determined that requiring "the taking of a physical thing 'comports with the common-sense meaning of the statutory language.'" The conviction was reversed as the code is intangible and the theft did not "deprive its owner of its use."

The Tenth Circuit (finding that "purely intellectual property is not within the category" of the NSPA (United States v. Brown, 925 F.2d 1301, 1309 (10th Cir. 1991)), Seventh Circuit (codes are "information" and not "goods" (United States v. Stafford, 136 F.3d 1109 (7th Cir. 1998)), and the First Circuit (United States v. Martin, 228 F.3d 1 (1st Cir. 2000)) have held similarly that intangible property is not covered.

All of the circuits addressing the NSPA have dealt with intellectual property. In finding that property is essentially either physical or intellectual, the courts appear to have ignored the possibility of virtual property. Though the concept of property in virtual worlds hasn't become a hot topic in American courts, many European courts have recognized such rights (see, for example, this article detailing a Dutch conviction for theft of a virtual  world amulet and shield).

Friday, April 13, 2012

Facebook: New information available for download; Study addresses use by children under 13

Minor Monitor
Facebook has added new information to its "Download Your Information" feature, now including previous names, friend requests you've made, and IP addresses you logged in from. The additions were announced on Facebook's "Facebook and Privacy" page. The service was first introduced in 2010 (read more here).

Also, a recent survey of 1,000 U.S. parents revealed that 38% of all kids on Facebook are under the age of 13, a violation of Facebook's policy. Even more disturbing - .4% of the children were under age six. The study also addressed parental concerns, cyberbulling, and parental monitoring. Click here for the info graphic from Minor Monitor.

Colorado court reverses convictions of child luring, sexual exploitation

The Court of Appeals of Colorado has reversed convictions for state crimes of Internet luring of a child and Internet sexual exploitation of a child after a finding of insufficient evidence. People v. Douglas, 2012 Colo. App. LEXIS 549. The defendant had communicated with "Marsha," the alleged mother of a nine-year-old girl who would "make [her] daughter available ... for sex." Ultimately, the defendant traveled from Pennsylvania to Colorado where he was arrested.

To be convicted of Internet luring of a child, one must actually communicate about sexual conduct with a person "under fifteen years of age" and "make[] a statement persuading or inviting the person to meet [them]." The defendant here communicated with a person he thought was a 28-year-old woman about a child, which fails the requirements.

Internet sexual exploitation of a child criminalizes when a person "importunes, invites, or entices ... a person whom the actor knows or believes to be under fifteen ... to" expose their "intimate parts" or to "observe the actor's intimate parts." Again, there was no direct contact between the defendant and a person who was thought to be under fifteen. An argument of complicity (arguing the defendant was "accountable for a criminal offense committed by [the mother]") was also struck down.

Convictions for enticement of a child and solicitation were upheld.

Thursday, April 12, 2012

Arhndt's reference to Jones, and what Jones means in the context of wireless networks

This is the final post of a four-part series from Cybercrime Review on the Ninth Circuit's Ahrndt decision and the important legal issues concerning wireless networks.

The most interesting portion of the 9th Circuit’s Ahrndt decision may be this line: “[t]he court should also evaluate whether a search occurred in light of Jones, 132 S. Ct. 945, decided after the district court’s original ruling.” Notably, this is the second to last line in the decision but is the most intriguing and ripe for analysis. First, it raises the question of whether that line was thrown in as an afterthought, to acknowledge Jones as possibly pertinent, but ultimately punting the issue back to the district court to delay addressing Jones at this juncture. (The probable answer to this question is “yes”). Second, and more importantly, it is unclear whether this line is subsumed in the court’s discussion of a person’s reasonable expectation of privacy (which is directly above it and pervades the text) or is an independent statement made as part of the overall decision’s conclusion. I will elaborate on the former possibility first, and then address the latter possibility second.

If the Ahrndt decision’s reference to Jones implicates a person’s reasonable expectation of privacy, then the court cannot be referring to Justice Scalia’s majority opinion in Jones, which is not rooted in the Katz line of cases, but in 18th century trespass. This is fascinating because it would be explicit recognition by a federal circuit of Justice Alito and Sotomayor’s concurring opinions (which resolve Jones within Katz) as having precedential force. Let me restate the implication just to be clear: a federal circuit is asking, on remand, that a district court analyze a factual situation involving no obvious (or typical) physical trespass, in light of Jones – a case which held a search occurred because of a physical trespass concomitant with the intention of obtaining information. Simply put, Justice Sotomayor’s words are crystalline here:
Nonetheless, as Justice Alito notes, physical intrusion is now unnecessary to many forms of surveillance. . . . In cases of electronic or other novel modes of surveillance that do not depend upon a physical invasion on property, the majority opinion's trespassory test may provide little guidance. But ‘[s]ituations involving merely the transmission of electronic signals without trespass would remain subject to Katz analysis.’ . . . As Justice Alito incisively observes, the same technological advances that have made possible nontrespassory surveillance techniques will also affect the Katz test by shaping the evolution of societal privacy expectations.
While Scalia did not shoot down Katz, but merely supplemented Fourth Amendment jurisprudence with yet another test, it should be noted that Jones is already causing confusion in the lower courts.

Should the Ninth Circuit's reference to Jones implicate trespass, as portrayed by Justice Scalia in Jones, it would be a sea change in jurisprudence in this area. The key underpinnings of essentially all reservations of privacy post-Katz (involving non-trespassory/property invasions) have been examined through a different looking glass – the reasonable expectation of privacy. For example, Amy Peikoff stated “[Justice] Stewart, like Brandeis and Douglas before him, want[ed] to disengage the notion of a Fourth Amendment ‘search’ from any remnant of the trespass doctrine. He, too, want[ed] to keep as many options open as possible, with respect to what does or does not constitute a search.” If the Ninth Circuit is invoking Jones to examine the current situation, based on property notions, we are either taking a step back, or taking a step far to the side. See my earlier post on WiFi as physical trespass as evidence of this side-step.

Wednesday, April 11, 2012

Ninth Circuit en banc adopts narrow reading of CFAA

In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit adopted a narrow reading of the Computer Fraud and Abuse Act, finding that violating an employer computer policy or a website's terms of service is not a violation of federal law.

Nosal quit his job and soon thereafter encouraged his former coworkers to send him confidential information from the company. The employees had access to the database but were not allowed to disclose the information. Nosal was charged under the CFAA "for aiding and abetting the ... employees in 'exceed[ing their] authorized access' with intent to defraud," and he filed a motion to dismiss, arguing that the statute doesn't cover this type of act. The district court agreed and dismissed most of the charges (United States v. Nosal, 2010 WL 934257 (N.D. Cal. 2010)). A Ninth Circuit panel reversed, finding that an employee does violate the CFAA by violating an employer's restrictions (Nosal, 642 F.3d 781 (2011)). The Ninth Circuit reviewed the decision en banc.

In Judge Kozinski's opinion, he acknowledged that the CFAA was written "to address the growing problem of computer hacking" and found that an argument that "exceeds authorized access" applied to hacking as well is "perfectly plausible." The court emphasized that to interpret the statute as encompassing policy violations would  mean that "millions of unsuspecting individuals would find that they are engaging in criminal conduct." Further, "minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate." The result being that a prohibition of Facebook use at work could land someone in prison for breaking the rule if the broad interpretation were adopted. "[S]udoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars."

Likewise, a broad reading would also criminalize letting a friend check your e-mail or providing inaccurate or misleading information on a dating website as those acts likely violate the service's terms. "[D]escribing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit."

The Ninth Circuit's decision is contrary to decisions of other circuits - United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010);  United States v.  John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). The Ninth wrote that "[t]hese courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens. We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead."

Tuesday, April 10, 2012

Ahrndt considerations on remand and cordless ≠ WiFi

This is the third of a four-part series from Cybercrime Review on the Ninth Circuit's Ahrndt decision and the important legal issues concerning wireless networks.

The Ahrndt case is rapt with analogies – “When a person shares files on LimeWire, it is like leaving one's documents in a box marked "free" on a busy city street. When a person shares files on iTunes over an unsecured wireless network, it is like leaving one's documents in a box marked "take a look" at the end of a cul-de-sac.” What is missing from these analogies is a step-by-step analysis of what accessing someone’s wireless and looking at their iTunes library entails, and the legal implications. Below, I will discuss the process to gain access, how it fits within the precedent that the trial court attempted to ground its decision in, and ultimately I conclude that the trial court erred by mistakenly equating intercepting cordless telephone audio with the capabilities and technological realities of WiFi.

Here are the pertinent steps that JH took to discover, during her private search, the CP:
  • JH loses her internet connectivity, and her computer connects to a non-secured wireless network (JH’s volition – she allows connections to unsecured wireless networks automatically)
  • That wireless network’s configuration allows a DHCP address to be handed out to JH’s computer, effectively allowing it to communicate with Ahrndt’s router, all other hosts on the intranet, and the internet. (at this step, by using the internet, even if to make a DNS request, is theft of service without authorized access)
  • JH’s iTunes library sends out a broadcast packet, looking for any other iTunes libraries that exist on the intranet and Ahrndt’s library responds
  • JH’s iTunes library incorporates Ahrndt’s library as a browsing option
  • JH browses the library and discovers child pornography (under United States v. Jones, 132 S.Ct. 945 (2012) could one say that this was a trespass?)
After viewing the steps above, a few things should become apparent. One is that analogies to California v. Greenwood, 486 U.S. 35 (1988) are misplaced. Leaving a wireless network unsecured is not akin to leaving your trash at the street for all eyes to see – that analogy only holds water if you actually bring your computer and wireless access point outside for all to interact with and give up property right to the items. While your unsecured wireless extends outside of your home, Greenwood does not stand for the proposition that anything external to your house is “trash,” and devoid of privacy rights, nor on its face does it contemplate unauthorized access to devices within the home.

To clarify, it is also important to point to volitional acts and their necessary consequences. Let's change the analogy to a new one – you find a car KEY FOB sitting in a parking garage, which contains the buttons “unlock,” “lock,” “trunk,” and “alert.” Obviously the person has misplaced this item, forgotten about it, or discarded it not understanding its full capabilities. You, as JH, find this FOB and decide that you’re going to “check it out” (let's disregard for a second whether merely picking up the FOB is a trespass in and of itself). You press the lock button twice, and a car a few steps away beeps. Because you are having issues with your car, and are hoping to find a pair of jumper cables in the trunk, you hit the trunk button, which allows you to look inside and see what the trunk contains. When you look into the trunk, you observe that there is a car repair kit, which intrigues you – you figure there must be good stuff in there. You open this further, and inside, instead of jumper cables, you find child pornography. How is this distinct from Ahrndt?
  1. There is a volitional act that initiates the connection – the connection to the wireless network vs. picking up the remote, pressing the lock button twice, and identifying the car
  2. There is a volitional act to usurp another’s property or services – use of the network of another for financial gain (internet service, iTunes, etc.) vs. popping the trunk and examining the trunk for a beneficial device. As a caveat – these are arguably both physical trespasses – in the former case, you are changing the memory on the router, which is a physical process, and in the latter, you are opening the trunk.
  3. There is a trespassory intrusion upon another’s property – opening another’s iTunes library vs. opening a car repair kit
In Ahrndt, all of the actions above were completed by law enforcement, or by JH, acting as an agent of law enforcement: (steps 1 & 2) - “Officer McCullough duplicated the steps that JH had used to access Dad's Limewire Tunes,” 2010 U.S. Dist. LEXIS 7821 (D. Or. 2010), and (step 3) “Officer McCullough . . . asked JH to open one of the files. JH opened the file briefly and the two saw a photo of a minor engaged in sexually explicit conduct.” Id. JH can readily be called a state agent because she “acted together” with law enforcement, Lugar v. Edmonson Oil Co., 457 U.S. 922, 937 (1982); United States v. Jacobsen, 466 U.S. 109, 113 (1984) (a private citizen is an agent of the police if he or she “acts with the participation” of law enforcement), and completed a task at their behest. See, e.g., United States v. Reed, 15 F.3d 928, 931 (9th Cir. 1994).

In the analogy, clearly a search has occurred as soon as the trunk has been opened AND a person views the contents – it’s sound constitutional law that one has a reasonable expectation of privacy in the contents of their car, especially places not freely visible. But how does that translate to the wireless transmittal of data?

The district court in Ahrndt relies heavily on Tyler v. Berodt, 877 F.2d 705 (8th Cir. 1989) for the concept that communications that can be intercepted have a “diminished” expectation of privacy. In Tyler, a cordless phone signal was able to be intercepted at a neighbors house; the neighbor heard suspected criminal activity and contacted the police. Id. at 706. The police listened as well, and subsequently charged the individual who was overheard with crimes related to the illegal activity. Id.

To equate Ahrndt to Tyler is a failure to understand the difference in technology. A cordless phone, or any other radio transmitter, does just that – transmits information that (in theory) can be overheard – but the communication is not bi-directional (unless licensed). This is similar to FM radio, ham radio, and other VHF closed systems. To make it illegal to intercept this or listen to it would be absurd. Listening to another’s cordless conversation, the radio, or a police scanner are all passive activities, requiring merely the receipt of radio waves. I am sure that the holding in Tyler would have been different, however, had the police transmitted something back (say, by joining the conversation); similarly, while it is of no legal consequence to listen on your police scanner to local law enforcement, it would be a much different situation if you picked up a radio and joined that conversation. You have turned the passive conduct of listening into the active conduct of transmitting and participating. This is a fundamental difference in kind between Tyler and the case at hand.

The TCP/IP protocol and various wireless handshaking protocols all require that the receiving device transmit data back to the wireless access point, or router. There is active interaction, continuously. The TCP/IP protocol requires that the initiator send a SYN packet, the receiver send back a SYN/ACK packet, and then the original initiator send back an ACK. So, by connecting to someone’s wireless network, you are directly interacting with it – you are affecting the possessory interest of property contained within another’s house; each connection made necessarily forces data to be stored on the access point and the router, affecting that devices’ memory, and changing it physically. To exempt that from Fourth Amendment protection seems unwise – the text of the Fourth Amendment is clear that the people have a right to be free from unreasonable searches in their “houses” and “effects.”

Just to be clear, this interpretation merely states that a person reasonably expects that their wireless network, secured or unsecured, would not be interfered with by another through unauthorized connection – a non-passive activity. The key there is unauthorized. No search can occur if you have given consent to the search. And, merely observing networks around you, whose SSID (Service Set Identification), aka “name” is being broadcast, affects no interest and is no search, as well.

Viewed in this light, it makes no difference what was done after the connection to the wireless network, because the connection itself was a search. Additionally, any argument to the Limewire case, United States v. Ganoe, 538 F.3d 1117, 1119, 1127 (9th Cir. 2008), is irrelevant, because there, the defendant had already consented to Limewire facilitating connections between his computer and the internet. The same is not true, here. Ahrndt did not consent to anyone other than himself connecting to the network. By leaving it unsecured, there may be an argument of implied consent, but leaving your car unlocked does not imply consent to open it up and see what you find. Further, any argument that states that the computer connected to the wireless network automatically does not defeat this argument – a computer only does what you tell it to do, and failure to change default settings is no defense.

Examination of the technology involved in Ahrndt

This is the second of a four-part series from Cybercrime Review on the Ninth Circuit's Ahrndt decision and the important legal issues concerning wireless networks.

Understanding the technology involved in the Ahrndt decision is essential. As I've covered in previous posts (here), the case involved a neighbor's use of Ahrndt's unsecured wireless network. She didn't have permission to use it, but she could freely connect because of her proximity to his router. Once connected, she opened iTunes, noticed Ahrndt was sharing media files, and connected to his computer when she noticed some files appeared to be child pornography.

Wireless Networks
Thus, the first technology issue is the unsecured wireless network. The court emphasized that Ahrndt had no subjective expectation of privacy because of his knowledge of computers and employment with Hewlett Packard. Though this may be less applicable to him, setting up a secured wireless network is not the easiest task. It requires understanding how to enter the IP address into a browser and choosing between a variety of security options, knowledge that isn't common even among frequent computer users. The subjective expectation aside, the Ahrndt trial court would have found that no objective expectation of privacy existed because no security was enabled on the network.

Click the image for a larger view.
iTunes Sharing
The sharing of files in iTunes is the second issue. The feature allows iTunes users to share their media files with others on the same network. Each computer sharing files is listed within the iTunes program (shown in the image to the left). Users simply click on the computer name and can begin to browse that user's iTunes library. Once connected, the user can play music and watch videos (depending on the settings). They cannot, however, download those files to their computer. It's a use-only license. The feature, now called "Home Sharing," enables users to connect from other computers, iPods, iPhones, and iPads on the network.

Since Apple added the feature to the iTunes application, it has required users to enable the share feature. They must enter the program settings and select "Share my library on my local network" (shown in the images to the right). Users can then restrict the types of files that are shared and even require a password for accessing their media library.

What was Ahrndt thinking?
It's very likely that Ahrndt didn't realize he was sharing child pornography with his neighbors. Assuming it wasn't intentional, what are the possibilities for explaining this?
  • Wireless routers' signals have various strengths and can be picked up across varying distances. Perhaps he did not realize the signal would go as far as his neighbor's home (his had a 400 foot range, and the neighbor lived 150 feet away).
  • It's very possible that he did not enable the sharing. If he had not done so, there would have been no way of knowing without often checking the settings to ensure it was disabled.
  • Ignorance is another option. He may not have thought a neighbor would attempt to connect. He might have actually used the iTunes share feature to connect it to his iPod. And, yes, he worked for HP, but that doesn't mean he is an expert about wireless routers and Apple software.
Whatever he might have been thinking, he was obviously wrong in thinking it.

Monday, April 9, 2012

Maryland passes bill to prohibit employers from requesting Facebook account information

The Maryland General Assembly has approved a bill prohibiting employers from requesting or requiring any online account information for current of prospective employers. The bill (SB 443/HB 894) comes after a firestorm of criticism related to news that the Maryland Department of Corrections required job applicants to turn over that information for their Facebook accounts.

An amendment to the bill specifies that employees "may not download [sic] unauthorized employer proprietary information or financial data to an employee's personal website, an internet web site, a web-based account, or a similar account." Further, employers are not prohibited from investigating violations of this provision. This entire amendment strikes me as odd as it seems to deal with an entirely different issue - theft of intellectual property - and not personal privacy. It essentially allows employers to obtain account information for all employees' email accounts if they hear that some information has been stolen.

I added "sic" to the text of the amendment because they used the word "download" when they actually meant "upload." Files are uploaded to a website and downloaded from a website.

If the governor signs the bill, Maryland will be the first state to address the issue by statute.  California, Illinois, Massachusetts, Michigan, and Minnesota have pending bills to do the same.

Ninth Circuit remands case involving CP found on an unsecured wireless network

This is the first of a four-part series from Cybercrime Review on the Ninth Circuit's Ahrndt decision and the important legal issues concerning wireless networks.

In United States v. Ahrndt, 2012 U.S. App. LEXIS 6976 (9th Cir. 2012), the Ninth Circuit reversed and remanded the denial of Ahrndt's motion to suppress evidence obtained from his unsecured wireless network. The court found the record was missing important facts necessary to reach the conclusion that Ahrndt had no reasonable expectation of privacy in files shared on his wireless network. The court identified several questions that should be addressed on remand.

Ahrndt's neighbor's computer allegedly connected to his unsecured wireless network without her permission. She then opened iTunes and saw that someone on the network was sharing media files - some of which appeared to be child pornography. She contacted law enforcement, and they asked her to show them the images (she had not opened them in her private search but did so at the officer's request). A search warrant was then obtained for police to access the network so as to ascertain the IP address. They were then able to track the account to Ahrndt, and a second warrant was obtained to search his home. At trial, Ahrndt argued for suppression of all evidence, suggesting the initial viewing violated the Fourth Amendment, and evidence found later was fruit of the poisonous tree.

The issue, as determined by the trial court, was "whether the Fourth Amendment provides a reasonable, subjective expectation of privacy in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network." United States v. Ahrndt, 2010 U.S. Dist. LEXIS 7821 (D. Or. 2010).

Ahrndt "argued that a wireless network should be given no less protection than a hardwired network under the Fourth Amendment," but the court found that "different communications hardware and technologies carry different reasonable expectations of privacy. As an example, the Eighth Circuit has held that wireless phones are distinct from wired phones in terms of privacy. The court then found that wireless phones and wireless networks should be treated equally because "they transmit data over radio waves." The judge concluded:
As a result of the ease and frequency with which people use others' wireless networks, I conclude that society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network. Society's recognition of a lower expectation of privacy in unsecured wireless networks, however, does not alone eliminate defendant's right to privacy under the Fourth Amendment. In order to hold that defendant had no right to privacy, it is also necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network.
The court then found that no reasonable expectation of privacy existed in the shared iTunes files. The government argued that the sharing was similar to peer-to-peer file sharing, but Ahrndt said it was akin to "having a conversation behind a closed, but unlocked door." The trial court disagreed, finding that
[w]hen a person shares files on LimeWire, it is like leaving one's documents in a box marked "free" on a busy city street. When a person shares files on iTunes over an unsecured wireless network, it is like leaving one's documents in a box marked "take a look" at the end of a cul-de-sac. I conclude that iTunes' lesser reach and limit on file distribution does not render it unlike LimeWire in terms of its user's reasonable expectation of privacy.
An argument that the iTunes files were protected under the ECPA was also struck down "because the wireless network and iTunes software were configured so that the general public could access them."

Finally, Ahrndt had no subjective expectation of privacy because he should have been aware that his wireless network was unsecured and his iTunes files were shared. He worked for Hewlett-Packard, had "an intermediate level of computer knowledge," and should have known how to protect his network or turn off iTunes sharing.

The questions identified by the Ninth Circuit to be answered on remand are:
• As a technical matter, is sharing files over a wireless network accurately characterized as a "broadcast" of the contents of those files, such that JH's computer simply intercepted Ahrndt's images outside Ahrndt's home? Or, alternatively, did the act of connecting to Ahrndt's network, accessing his library and opening the image involve sending wireless signals into Ahrndt's home to communicate with his router and computer? 
• Did Ahrndt intentionally enable sharing of his files over his wireless network? If not, did he know or should he have known that others could access his files by connecting to his wireless network? 
• Was the image in "Dad's LimeWire Tunes" library that JH and McCullough opened accessible over the Internet by Limewire users at the time JH and McCullough accessed the files, or at any time prior? 
Please visit Cybercrime Review for more coverage of the Ahrndt decision in the coming days as we discuss the legal arguments, the technological issues, and other peculiarities with this decision.

Sunday, April 8, 2012

Cybercrime Review adds new author

Cybercrime Review began nearly six months ago, and I am very grateful to all of my loyal readers and supporters for making it so successful. The blog has been read in every state (Maine took a while, but it finally came around!) and over 100 countries.

To further the important work that has already begun, I am proud to announce that Justin Webb, a 3L at Marquette University Law School, will be joining me in authoring the blog beginning this week. Justin is a graduate of UCLA, serves on the Marquette Law Review as Technology Editor, and recently interned for the Seventh Circuit with the Honorable Diane S. Sykes. In addition to being a Security Analyst at Marquette, he also holds many GIAC certifications - in computer forensics, incident response, and web defense. And be sure to check out his recently published note that analyzes the D.C. Circuit’s decision in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), which ended up in front of the Supreme Court as United States v. Jones, 132 S. Ct. 945 (2012).

Please join me in welcoming Justin to the blog, and be sure to visit us often to see the great dialogue that is certain to come.

Vermont Supreme Court reverses in camera review of images of CP by newspaper

In Rutland Herald v. City of Rutland, 2012 VT 26, the Vermont Supreme Court reversed a trial court's decision concerning the Public Records Act. The court had ordered disclosure of certain documents to a newspaper and in camera review of possible images of child pornography in an investigation of a city police officer.

The Herald had obtained a copy of a search warrant showing that pornography had been viewed on police department computers. An officer had been placed on administrative leave, and the newspaper discovered that the officer had allegedly viewed child pornography. The Herald sought related records under Vermont's Public Records Act, and unable to acquire them, they filed a lawsuit.

The trial court found that the records from the investigation should be released as the investigation was complete, and review of the records "allowed the people to determine if the police department was properly managed." Additionally, names of the officers and suspension dates were not redacted as suggested by the city. The 121 images of possible child pornography, however, were not disclosed but could be reviewed by The Herald "in chambers with its counsel and a law enforcement expert present. The court did not identify the purpose of such review, nor did it cite any legal authority in support of its decision to allow the Herald to view these documents."

On appeal, the Supreme Court reversed with respect to most of the documents. On remand, the trial court was to examine more closely certain exceptions to the Public Records Act and possibly order redaction. Because there is "no legal basis for" the in camera viewing of the images of child pornography by the newspaper and there is "no support for this approach in the PRA," the viewing was also reversed.

Saturday, April 7, 2012

Comic illustrator loses appeal after accidentally giving images of CP to a funeral home

A Connecticut family, suffering the loss of their father, compiled an assortment of family photos to use in a slide show at the funeral home. After the photos were copied to a thumb drive, a family member took the drive to the funeral home. Once there, an employee opened the drive and found child pornography. Someone had moved the images to the trash on a Mac, but those images were easily accessible in Windows.

The funeral home reported the images to law enforcement and turned over the drive. During the investigation, 153 images and videos of child pornography were found on the a family member's computer.

Appealing his conviction for possession of child pornography, Rivera argued that the thumb drive was illegally seized, but the court quickly struck that argument down under the private search exception in Jacobsen.

The case is State v. Rivera, 2012 Conn. Super. LEXIS 732 (2012). Rivera is an accomplished comic book illustrator.

Friday, April 6, 2012

Massachusetts court finds warrant necessary for CSLI

A Massachusetts appellate court has joined the list of courts requiring a search warrant for cell site location information. Commonwealth v. Pitt, 2012 Mass. Super. LEXIS 39. (Please forgive the block quotes, but the court's language, though familiar, is worth reading.)
[T]he Fourth Amendment's warrant requirement cannot protect citizens' privacy if a court determines whether a warrant is required only after the search has occurred, and the incursion into a citizen's private affairs has already taken place. The Fourth Amendment would offer but hollow protection indeed if government agents were free to embark on random forays into a citizen's historical location at will, constrained only by the possibility that the fruits of their endeavor would be suppressed if they happened to verge into a citizen's home or other "private" location. ... 
A ping off a cell phone tower in the vicinity of the meeting house of the local chapter of the NAACP, the Right to Life Foundation, the Gay and Lesbian Advocates and Defenders, or Fathers4Justice, at the times those organizations hold meetings, could suggest participation. Repeated pings, obtained from several uses of CSLI, would strongly indicate membership. There is no principled basis in current Fourth Amendment law to conclude that no warrant is required for a single use of CSLI, but that a warrant would be required as repeated use of that technology becomes more invasive. Accepting the Commonwealth's argument that no warrant is required to access CSLI because there is no expectation of privacy in that information would permit repeated examinations of a range of location data without a warrant just as readily as it would permit the single discrete examination of that data here. ... 
Consistent with this statement of social policy, and with the authorities discussed above, this court concludes that a warrant was required before the FBI, acting on behalf of the Commonwealth accessed the defendant's CSLI, and that the failure to secure one contravenes the Fourth Amendment in a manner that requires suppression.

The court began the discussion on CSLI by quoting some text from Smith v. Maryland that I had not noticed before - "All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills." Perhaps the argument is out of date today because of understandings with regard to basic understandings on this issue, but my cell phone bills have never included a list of phone calls I have made. Could that lead a reasonable person to think that phone companies do not keep a record of that information?