Thursday, August 30, 2012

7th Circuit analyzes staleness in computer searches, holds the doctrine should apply "only in the exceptional case"

In United States v. Seiver, No. 11-3716 (7th Cir. 2012), in an opinion by Judge Posner, the Seventh Circuit analyzed the issue of staleness as it relates to a finding of probable cause to search a computer. Noting that "modern computer technology and the usual behavior of its users" support the position that the probable cause was not stale, the court affirmed the conviction.

The case concerned a search warrant for child pornography on the defendant's computer. A 13-year-old girl had uploaded a pornographic video of herself to the Internet, and the defendant later discovered and downloaded that video. He then uploaded stills from the video to a photo-sharing site and sent an album link to the girl's stepmother, who alerted police. Law enforcement tracked the IP address to the defendant, but there was a seven-month gap between the upload and the search of his home.

On appeal, the defendant argued "that there was no reason to believe that seven months after he had uploaded child pornography there would still be evidence of the crime on his computer." Here's a summary of the points of Judge Posner's opinion (which in itself is a well-condensed opinion and difficult to summarize):

  1. The traditional issue with staleness is whether the defendant was a collector of child pornography and was "likely to have 'retained' or 'maintained' rather than 'destroyed' the ... images." However, this concern alone "reflects a misunderstanding of computer technology."
  2. Posner then goes into great detail in discussing deleted files, overwriting data, and file recovery.
  3. "'Staleness' is highly relevant to the legality of a search for a perishable or consumable object, like cocaine, but rarely relevant when it is a computer file. Computers and computer equipment are 'not the type of evidence that rapidly dissipates or degrades (internal citations omitted).'"
  4. After a file has been deleted, "it is possible that the deleted file will no longer be recoverable ... [or] the computer will have been sold or physically destroyed." Despite these possibilities and the time interval, however, "rarely will they be so probable as to destroy probable cause ... for probable cause is far short of certainty."
  5. "[I]t appears that few consumers of child pornography ... understand well enough how their computer’s file system works to grasp the importance of wiping or overwriting their deleted pornographic files or encrypting them securely if they want to avoid leaving recoverable evidence ... after they've deleted it." Though software to perform these tasks is readily available, its use "is surprisingly rare."
  6. "[A]fter a very long time, the likelihood drops to a level at which probable cause ... can no longer be established." However, "seven months is too short."
  7. Possession requires knowing possession, and images being in slack space may prevent the knowledge element. However, that does not eliminate probable cause "unless the statute of limitations on possession ha[s] expired."
  8. "Only in the exceptional case should" staleness be used to strike down a search of a computer for child pornography.
  9. "[F]uture changes in computer technology may alter" the staleness inquiry, "and judges as well as law enforcers must be alert to that possibility as well."

Tuesday, August 28, 2012

DOJ seizes domain names involved in illegal distribution of Android apps

The Department of Justice announced last week that they had seized three website domains that were involved in illegally distributing copyrighted Android apps. This was the first time domains had been seized in relation to smartphone apps.

Visitors to the seized domains are now greeted with the seizure banner often associated with other takedowns.

“Criminal copyright laws apply to apps for cell phones and tablets, just as they do to other software, music and writings. These laws protect and encourage the hard work and ingenuity of software developers entering this growing and important part of our economy. We will continue to seize and shut down websites that market pirated apps, and to pursue those responsible for criminal charges if appropriate,” said U.S. Assistant Attorney General Breuer.

Kentucky district court grants suppression of CP evidence

In United States v. Kinison, No. 12-57-JBC (E.D. Ky. 2012), the district court granted a motion to suppress evidence in a child pornography case due to lack of probable cause at the time of the warrant.

The defendant's girlfriend told police that the defendant had sent text messages to her phone describing child pornography and sexual activity with children. Police reviewed the text messages and used them to obtain a warrant to search the defendant's home. The girlfriend told police that his home computer had been used to view the child pornography. Using Kentucky's property valuation system, police determined that the defendant owned the home they were to search.

In a motion to suppress, the defendant argued that the warrant was not supported by probable cause. The district court agreed as the officer "performed no investigation to corroborate his informant's suggestion that the other party to the text messages in the affidavit was actually [defendant]." Also, the officer did not seek to verify that the defendant was the sender of the messages, taking the girlfriend's "assertions at face value." Law enforcement could, of course, have verified this easily by subpoena.

Thus, the affidavit failed "to supply any justification ... for the investigators' unquestioning reliance on [the girlfriend's] statements" and "to establish a nexus between the alleged evidence and the property to be searched."

Friday, August 24, 2012

Fifth Circuit reverses lifetime term of supervised release in CP case

In United States v. Alvarado, the Fifth Circuit vacated and remanded a lifetime term of supervised release as part of a sentence for receipt of child pornography because the trial judge "never considered the possibility of anything less than lifetime supervision." No. 11-40771 (5th Cir. 2012).

The defendant appealed the sentence, arguing that it was procedurally and substantively unreasonable. The Fifth Circuit found the 170-month prison sentence to be reasonable but held otherwise for the lifetime term of supervised release under a plain error standard of review.

At trial, the judge noted, "I've never given, never not given, since it was authorized, a lifetime, a lifetime supervision in child pornography." Thus, as the Fifth Circuit understood it, she "never considered the possibility of anything less than lifetime supervision.... And where a judge admits to the automatic imposition of a sentence, without regard for the specific facts and circumstances of the case or the range provided for in the statute, then it seriously affects the fairness, integrity, and public reputation of judicial proceedings."

The sentencing guidelines allow for a range of three years to a lifetime term of supervised release for sex offenses.

Wednesday, August 22, 2012

8th Circuit judge writes of concern with CP guidelines

An Eighth Circuit judge has joined the group of members of the judiciary opposed to the federal child pornography guidelines. In a recent opinion before the court, Judge Bright wrote a concurrence to suggest that the sentence was "excessive." United States v. Zauner, No. 12-1007 (8th Cir. 2012).

The defendant had been charged with production of child pornography after she took sexually explicit photos of her children at the urging of a man she met online. The two met on a ridesharing website. She was sentenced to 18 years in prison and 15 years of supervised release, and restitution of $20,000 was ordered. On appeal, she argued that the sentence was substantively unreasonable, but the Eighth Circuit affirmed.

Judge Bright, concurring, noted that the court owes a substantial deference to the district court, but wrote:
In this area, the guidelines routinely place defendants near or over the statutory-maximum sentence, eliminating any meaningful distinction between the least and most culpable offenders. This case is a great example.... Yet looking at Zauner's offense conduct alone, she does not rank among the worst child pornography offenders deserving of the statutory-maximum sentence. She was a first-time offender and her conduct did not trigger several of the possible enhancements under U.S.S.G. § 2G2.1. There is also nothing in the record to indicate the pictures were distributed beyond those people directly involved in the offense conduct. On the facts of this case, I do not believe any reasonable judge would have sentenced Zauner to the recommended sentence under the guidelines. The district court apparently agreed, exercising its prerogative to depart downward to sentence Zauner to eighteen years in prison—three years above the mandatory minimum. And where the guidelines are out of line and increasingly disregarded by sentencing judges, the mere fact of a downward departure should not insulate the district court's sentence from any type of meaningful review. In addition, in cases such as this, where the guidelines obviously do not fit, a sentencing judge should give careful assessment to the sentencing requirements of § 3553(a) and state the judge's reasons and conclusions on the record. 
I also write separately because I personally believe the sentence was excessive.
Several other judges have had similar disagreements as discussed earlier on this blog - here, here, here, and here.

Tuesday, August 21, 2012

Kentucky Court of Appeals criticizes attorneys' lack of knowledge on technological issues

In Crabtree v. Commonwealth, the Kentucky Court of Appeals criticized trial counsel's failure to properly understand the technology involved in a child pornography case. No. 2011-CA-000452-MR (Ky. Ct. App. 2012). The defendant had used a peer-to-peer networking service to download the files. On appeal, the conviction was affirmed.

The case concerned a college student who took his computer to be repaired, and while it was there, the technician discovered files whose names identified them as child pornography. The computer was turned over to the police. When the defendant went to the police station to get his computer, he acknowledged in writing that he had viewed child pornography on the computer but that it "sickened him." The files had been downloaded using Limewire, and their filenames clearly expressed their content as child pornography. The defendant was convicted on 65 counts of possession.

On appeal, the defendant argued that the evidence was insufficient to support the conviction, but the court readily concluded that the computer files and the confession were all that was needed. The court carefully explained how the technology works, and did so with a clarity rarely seen from any court. The court of appeals also wrote:

We note that this case demonstrates a need for technical training among legal professionals. There were several instances during the trial when it appeared that counsel for each party attempted to elicit testimony from the experts but failed because of confusion of technical terms. In this particular case, the evidence of guilt was overwhelming, but we anticipate that this communication gap could be damaging in cases with weaker evidence.
The court's suggestion is one to which few people would object. Technology issues are becoming so common in the courtroom today, yet many practicing attorneys are not properly trained to deal with them. Many organizations exist to train prosecutors how to handle such cases, but many prosecutors and nearly all defense attorneys are not exposed to such assistance.

The defendant also argued that the defense of "temporary innocent possession" should have been put in the jury instructions. The defense "is available when a person has taken 'possession of a controlled substance without any unlawful intent.'" The court, however, held that the defense was not available here as the filenames, confession, and images show that the possession was not, in fact, innocent.

Monday, August 20, 2012

Reminder: Register for Wednesday's webinar on encryption

Don't forget to sign up for our webinar on encryption, taking place this Wednesday, August 22 at 1:00 Eastern. Justin will cover encryption technology and software as well as forensics issues, and I will address the relevant case law on forced disclosure of passwords for encrypted files.

Click here to register. The webinar will be approximately thirty minutes, and we will stick around afterward for any questions you may have. Feel free to share this information as this webinar is open to anyone with an interest in the subject. CLE credit is not available for this webinar.

Hotels present concerns for guests' security, technology

For many of us, hotels often become a second home. And relying on technology like we do, we carry all of our important devices with us. However, it's not always feasible to take your laptop with you to dinner or your cell phone to the pool. But to what extent should you worry about it?

Spying on the staff
Several months ago, I met Canadian privacy scholar Christopher Parsons at the Privacy Law Scholars Conference in D.C. He does a lot of interesting work in the privacy and surveillance area and also writes a blog on those interests.

I've never been a terribly paranoid person - that is until I met Christopher. I wouldn't define him as being paranoid, either. Rather, he is just smart and inquisitive. He travels a great deal and stays in many hotels. Over time, he has developed a survey of sorts concerning hotel security, testing the housekeeping staff. By carefully placing cell phones, laptops, and other items around the room, he is able to see where the staff checks for such things and what they do with them. One interesting bit of information he has learned is that a do not disturb sign often acts as an invitation to search the room.

"Most hotel staff are, of course, excellent and trustworthy. This said, having heard stories from family members who have worked in hotels - such as how their colleagues would routinely violate room occupants' privacy when rooms were unattended - and others who are well versed in contemporary fraud techniques, I try to take precautions to ensure that my data, and the data of others, is as safe and secure as it can be," said Christopher. "Just one of those precautions involves testing staff in hotels to ascertain - typically with 'dummy' or wiped equipment - whether they are activating devices, trying to log in to them, and so forth."

Since Christopher and I met, I have only stayed in one hotel, but I had no luck with his methods unfortunately. Do not disturb signs were honored, and none of my personal belongings were touched. Do any of you have similar approaches? Have you learned anything interesting? Please share in the comments.

Hotel employees not the only fear
Certainly one fear is that hotel employees will take our items or for some reason attempt to get our data. They can easily get key card access to our rooms. Another concern, as recently demonstrated by a hacker, is the ease with which others can obtain access to your room.

At the recent Black Hat conference, a software developer demonstrated how $50 of materials and a little programming make it possible to obtain access to over four million hotel rooms. He has since published details of how the hack works.

Unfortunately, the only way to fix the problem is to change each lock, and Onity, the developer, insists that the hotels foot the bill for the replacement.

Creating a workaround
The fact that your home-away-from-home is not quite as secure as you'd like can be terrifying. And certainly there are many issues beyond securing your technology at issue here. However, since this is a technology blog, let's address that issue. What ways do you use to secure your technology when traveling? Share your tips for our other readers.

Friday, August 17, 2012

DarkComet RAT Update: Pro-Syrian regime use continues

The EFF is reporting that DarkComet has been seen in a new malware campaign targeted at Syrian dissidents - the article can be found here: Pro-Syrian Government Hackers Target Activists With Fake Anti-Hacking Tool.

Our multi-part series on the hacking tool and its legal and moral implications can be found here.

Thursday, August 16, 2012

Seventh Circuit holds warrantless search of digital storage devices after private "search" did not violate Fourth Amendment

In Rann v. Atchinson, __ F.3d __ (7th Cir. 2012), the Seventh Circuit held that a law enforcement search of two digital storage devices for child pornography which were handed over by the defendant/offender's wife and daughter, respectively, did not violate the Fourth Amendment. The defendant was arguing ineffective assistance of counsel (by way of federal habeas), based on his lawyer's failure to attempt to suppress the child pornography evidence obtained from the digital devices when the police searched them without a warrant.

After the victim (age 15) reported sexual assault by her biological father to the police and was interviewed, she returned home, obtained a digital camera memory card, and brought it to the police. The card contained images of her own sexual assault. Subsequent to this, the mother of the victim turned in a zip disk with additional images of her daughter being sexually assaulted, along with images of her other daughter being assaulted as well. According to the police, neither individual was prompted to bring these digital devices to them, nor were any law enforcement officers present when each individual retrieved the devices.

The defendant's main contention was that:
when the police searched the digital storage devices and viewed the images on them, they exceeded the scope of the private search conducted by [the victim] and her mother. Since the subsequent search by the police exceeded the scope of the initial private search, so his argument runs, the police needed a warrant to “open” the digital storage devices and search them because the record contains no evidence that [the victim] or her mother knew the digital storage devices contained images of child pornography prior to the police viewing. Since the police did not obtain a warrant prior to opening the digital storage devices and viewing the images, he claims their doing so constituted an unconstitutional warrantless search in violation of the Fourth Amendment.
Now, I'm going to stop here for a second. The court states that the victim and her mother conducted a "private search." By this, I would argue, one would assume that such a search would include viewing the files on the digital devices to determine if they did in fact contain child pornography. However, there is no indication anywhere in this case that such a search took place. Granted, there is an assumption made that they would not have turned in the devices if they did not know there was CP on the devices, but I just want to point out that nowhere is there evidence that either individual described to the police what exactly was on the devices (or described a single picture contained on them).

Back to the case - the court states that private searches are not subject to the Fourth Amendment, and police do not need to "avert their eyes" to the evidence obtained from such searches. However, police cannot exceed the scope of the original private search to obtain evidence. The standard from Jacobsen relating to private searches is "individuals retain a legitimate expectation of privacy even after a private individual conducts a search, and 'additional invasions of privacy by the government agent must be tested by the degree to which they exceeded the scope of the private search.'"

The question of how to handle police searches of digital devices that were first searched privately was one of first impression for the court. However, the court adopted the Fifth Circuit's approach in Runyan, a 2001 case with similar factual circumstances. Runyan held that "a search of any material on a computer disk is valid if the private party who conducted the initial search had viewed at least one file on the disk." The Fifth Circuit "analogiz[ed] digital media storage devices to containers" and "ruled that 'police exceed the scope of a prior private search when they examine a closed container that was not opened by the private searchers unless the police are already substantially certain of what is inside that container based on the statements of the private searchers, their replication of the private search, and their expertise.'" In Runyan, multiple digital devices were turned over to the police, not all of which had been looked at by the person who was the "private searcher," so only those devices on which the searcher had looked at one or more files were admitted.

Here, the court held that the victim and mother essentially had to know what was on the disks when they turned them in, and thus the police could be substantially certain what they contained. The court held this over the objection of the defendant that there was no direct evidence of this, and it was purely conjecture:
[The defendant] argues that the Illinois Appellate Court relied on conjecture when it found that [the victim] and her mother knew the contents of the devices they delivered to the police, pointing to the Illinois Appellate Court's finding that “[a]lthough no testimony exists regarding how the images on the zip drive came to be there, it seems highly likely that [the victim's] mother [compiled] the images on the zip drive herself, downloading them from the family computer.” Rann argues that this is conjecture, yet he offers nothing but conjecture and speculation in its place.
The court justified its holding by stating that "the contrary conclusion—that [the victim] and her mother brought digital media devices to the police that they knew had no relevance to [the victim's] allegations—defies logic."

The court went on to state that:
even if the police more thoroughly searched the digital media devices than S.R. and her mother did and viewed images that S.R. or her mother had not viewed, per the holding in Runyan, the police search did not exceed or expand the scope of the initial private searches. Because S.R. and her mother knew the contents of the digital media devices when they delivered them to the police, the police were “substantially certain” the devices contained child pornography.
I've seen some chatter on Twitter that this case is #Troubling. I agree and disagree. I disagree, in that Easterbrook wrote this opinion in a typically judicially restrained manner, cabining it to the particular circumstances of this case, and especially to the fact that the victim and the mother only turned in two devices, both of which were assumed to have CP (whereas in Runyan, many devices were turned in, in a sort of "grab bag" of evidence).

I agree that it is troubling because I can't see how you can use the analogy of a container with respect to digital devices. Sure, it is easy when it comes to camera memory cards, but how about hard drives? If the wife had turned in the entire computer hard drive, could the police have searched the entire thing, if she said she had opened a single picture and found CP?

Another very good point to be made in regards to this case is this - what would have been so challenging about getting a warrant to search these devices, based on the information provided by the mother and victim?

Lastly, I put "search" in the title in quotations, and had an aside above about the lack of explicit evidence of the mother or victim viewing the files on the digital device because I think a flaw in the case is the absence of any elaboration on how turning those devices in was the search.

Facebook friends may give government access to view other's page, use doesn't violate Fourth Amendment

Though it is not likely to be news to readers of this blog, a federal trial court in New York has ruled that the government obtaining access to a defendant's Facebook page through one of his Facebook friend's cooperation does not violate the Fourth Amendment. United States v. Meregildo, No. 11 Cr. 576 (S.D.N.Y. 2012).

The defendant sought to suppress evidence, arguing against the method the government used to collect evidence to support a determination of probable cause. The government had gotten one of his Facebook friends to give them access to his Facebook profile.

"When a social media user disseminates his postings and information to the public, they are not protected by the Fourth Amendment," held the court. "Where Facebook privacy settings allow viewership of postings by 'friends,' the Government may access them through a cooperating witness who is a 'friend' without violating the Fourth Amendment."

The case has gotten a bit of attention, including stories from the NY Post, GigaOM, and Gizmodo.

Wednesday, August 15, 2012

Sixth Circuit holds that "pinging" cell phone to obtain GPS location is not a search; opinion confuses everyone

In United States v. Skinner, a Sixth Circuit panel held that repeatedly pinging a cell phone in order to obtain its GPS coordinates (or something like that) was not a Fourth Amendment search and thus does not necessitate evidence suppression. No. 09-6497 (6th Cir., Aug. 14, 2012). In a concurring opinion, one judge argued that obtaining the data was a search, but the good faith rule saves the evidence from suppression.

The defendant was suspected of being involved in drug trafficking, and participants in the exchange were known to use pay-as-you-go cell phones equipped with GPS technology. Agents obtained the defendant's phone number and "pinged" it in order to discover its location as the defendant traveled. They tracked him to his motorhome, and a K-9 dog alerted officers to the presence of narcotics. Over 1,100 pounds of marijuana were found.

Before trial, the defendant sought to suppress the search, arguing that the "use of GPS location information emitted from his cell phone was a warrantless search that violated the Fourth Amendment." The evidence was not suppressed, and he was found guilty on multiple counts.

On appeal, the Sixth Circuit concluded that no reasonable expectation of privacy existed "in the data given off by [the] voluntarily procured pay-as-you-go cell phone." The court continued:
If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal. The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools.... It follows that Skinner had no expectation of privacy in the context of this case, just as the driver of a getaway car has no expectation of privacy in the particular combination of colors of the car’s paint.
The court considered this situation simply an advancement of the Supreme Court's 1983 decision in Knotts as it is law enforcement adapting to technological change. They also distinguished the case from Jones because no physical intrusion occurred in Skinner. "Skinner himself obtained the cell phone for the purpose of communication, and that phone included the GPS technology used to track the phone’s whereabouts." Further, the court noted that Justice Alito's concurrence also does not apply. Alito suggested that "relatively short-term monitoring" of movements may not violate the Fourth Amendment, and Skinner was only tracked for three days (opposed to 28 days in Jones).

In a concurring opinion, Judge Donald argued that Skinner did have a reasonable expectation of privacy in the GPS data, making the act by law enforcement here a search. However, she also noted that the Leon good faith exception would prevent the need for suppression "because the officers had probable cause to effect the search in this case and because the purposes of the exclusionary rule would not be served by

If my analysis of the technology doesn't make sense, it's because the facts in the opinion leave a lot to be desired. This might be about cell site location data. The fact that Skinner was tracked to his home would make you think it was GPS data due to the accuracy, and the court called it GPS throughout. The court also referenced agents pinging the phone. No one - including the court, apparently - is really sure what was happening here. Check out Professor Kerr's discussion of this issue here (and the reader comments).

UPDATE: Professor Kerr dug into the case a little more. Be sure to read what he came up with on Volokh Conspiracy.

Tuesday, August 14, 2012

EFF files amicus in D.C. Circuit Court against use of CSLI in remanded Jones case

Back in April, Jeffrey wrote that Antoine Jones wasn't off the hook for his crimes because of the ruling in United States v. Jones, 132 S. Ct. 945 (2012). Rather, instead of using the GPS tracking data they had collected (illegally), the police decided to use Cell Site Location Information (CSLI). Jeffrey's previous article can be found here - Jones II: This time, the government seeks to use cell site location information. If you're looking to read more on the subject, additional content can be found here.

On Monday, the Electronic Frontier Foundation filed an amicus brief in favor of Antoine Jones, arguing that six months' worth of CSLI should not be obtainable without a warrant. The EFF drew parallels between this situation and the GPS tracking that occurred in the original instance. Additionally, the EFF forwards an argument in the brief that could not be used in the context of GPS tracking - that CSLI could actually provide information about occurrences inside the home. This is important because courts have tended to give the most Fourth Amendment protection to the confines of a private home - see, for example, Karo or Kyllo.

The EFF's brief also addresses third-party doctrine, the Stored Communications Act, and even CALEA.

The EFF also has a story, here: Government Faces New Warrantless Surveillance Battle After Losing Landmark GPS Tracking Case

Ninth Circuit takes second look at Pineda-Moreno, denies suppression of evidence

The Ninth Circuit has revisited United States v. Pineda-Moreno, No. 08-30385 (9th Cir., Aug. 6, 2012) after remand from the Supreme Court and has upheld the use of GPS evidence in the case due to the Davis good faith rule.

Pineda-Moreno was one of the three leading circuit cases prior to Jones to hold that a GPS device could be used by law enforcement without a search warrant - the Ninth's reasoning was that the installation and use was not a search. After the Supreme Court held the use to be a search in Jones, Pineda-Moreno appealed to the Supreme Court where the conviction was vacated and remanded.

Following the general pattern of such cases, the exclusionary rule does not apply because law enforcement acted on then-binding circuit precedent. The Ninth Circuit had held prior to Pineda-Moreno that "placing an electronic tracking device on the undercarriage of a car was neither a search nor a seizure under the Fourth Amendment." United States v. McIver, 186 F.3d 1119, 1126-27 (9th Cir. 1999).

Friday, August 10, 2012

In Paypal DDOS case, government reprimanded for failure to analyze and return data in a timely fashion

If you recall, I wrote earlier about the E.D.N.Y. holding that the government's failure to examine data after 15 months was a seizure under the Fourth Amendment - see: Federal court holds that 15-month delay in reviewing electronic evidence was an unlawful seizure. Well, it appears the government continues to have issues in this regard.

In United States v. Collins, 2012 U.S. Dist. LEXIS 111583 (N.D. Cal. Aug. 8, 2012), the government's motion to reconsider an order to return evidence was denied. The evidence was data that "fell outside the scope of the 27 warrants by which over 100 of the defendants' computers and other digital devices (including storage media) were seized."

The defendant, Collins, is part of a large group of people that were rounded up last year after the DDOS attack on Paypal. The attack was allegedly perpetrated by Anonymous, and used the Low Orbit Ion Cannon to achieve its goal. You can see the DOJ announcement, here: Prosecution of Internet Hacktivist Group "Anonymous," and some of the proceedings of the case, here (including a description of what allegedly occurred, and the criminal charges).

The facts are somewhat similar to Metter (the case my article above is on), in that the government failed to deal with seized data for an extraordinary amount of time. In the court's words:
almost a year and a half after presenting the warrants, the government has yet to take any meaningful steps to isolate non-targeted from targeted data
The government's arguments for reconsideration of the order on March 16, 2012 (nearly 5 months ago, and many months after the original seizure) are that:
(1) identifying non-targeted data might be difficult; (2) certain non-targeted data might be useful in understanding data that is clearly targeted; and (3) disaggregating non-targeted from targeted data might be unduly burdensome and expensive; (4) allowing only the defendants to keep a complete copy of the seized data might deprive the government the ability to challenge exculpatory non-targeted data and thus would be unfair.
The court was unconvinced by the government's justifications, and chided the government for arguing a position that would essentially allow it to keep data it was not authorized to seize (possibly indefinitely) and which would nullify the government's pledge in search warrants to return such data. In the court's words:
If separating non-targeted data from targeted data and devices lawfully retained as criminal instrumentalities is too hard here, it presumably is too hard everywhere. In what case where a storage device is seized lawfully could a defendant or other subject of a search warrant ever secure return of data that the government had no right to take? Just about every storage device can be searched more easily with automated scripts than manually. Just about every storage device has non-targeted data that might prove useful to understanding the data that was targeted. Just about every storage device has deleted files in unallocated space. If the government's argument were accepted here, so that it need not return even one bit of data that is clearly outside the scope of the warrant, the court thus would render a nullity the government's pledge in just about every search warrant application it files in this district that it will return data that it simply has no right to seize. 
To me, it's hard not to wonder if there is a systemic problem going on with how the government is handling cybercrime cases and the plethora of evidence that they tend to produce - according to this transcript, there were at least 9 terabytes of data that had to be analyzed. That is certainly a lot of data, but as the court in Metter stated, there has to be a line drawn somewhere when retention of data transforms from investigatory to a violation of the Fourth Amendment.

Illinois Supreme Court classifies images of minor during legal, sexual activity to be child pornography, dissent applies Stevens

In People v. Hollins, Docket No. 112754 (Ill. 2012), the Illinois Supreme Court held that images taken of a 17-year-old during sexual activity were to be classified as child pornography. A dissenting opinion argued that the Supreme Court's decision in Stevens requires otherwise as the sexual activity was legal under Illinois law.

The defendant, a 32-year-old man, was convicted of violating the Illinois child pornography statute after taking photographs of his 17-year-old girlfriend while the two were engaged in sexual activity. The girlfriend's mother found the images and reported them to police.

On appeal, the defendant argued that because the age of consent for sexual activity in Illinois is 17, the child pornography statute, which extends until the child turns 18, does not protect children such as his girlfriend from sexual exploitation or abuse. The court, however, held:
[T]here are rational, reasonable arguments in support of having a higher age threshold for appearance in pornography than for consent to sexual activity. The consequences of sexual activity are concrete, and for the most part, readily apparent to teenagers.... The dangers of appearing in pornographic photographs or videos are not as readily apparent and can be much more subtle.
The defendant also argued that the statute violates due process because it does not provide fair notice of this "illogical inconsistency." The court, however, held that "ignorance of the law is no defense," and regardless, the defendant is a convicted sex offender and "has prior experience with the legal system and sex offenses in particular."

Another argument presented was that the law violates equal protection as it prohibits "the sex partners of such people from photographing such otherwise lawful, private, sexual activity." Again, the court found that only a rational basis is required and that one exists here.

In a dissent, Justice Burke wrote that the Supreme Court's 2010 decision in United States v. Stevens (click here for a casenote on Stevens) held "that there is no first amendment exception for child pornography, per se." Stevens found unconstitutional a statute banning the creation of depictions of cruelty to animals, primarily targeting "crush videos."

Thus, applying Stevens, Burke argued that because the defendant's sexual conduct was legal, the photographs should be deemed legal as well and not classified as child pornography.

Thursday, August 9, 2012

New nation-state malware named Gauss discovered

Kaspersky has put out a report on what I would refer to as a "child analogue" of the Stuxnet, Duqu, and Flame malware, dubbed "Gauss." For a condensed synopsis of the report, head here: Gauss: Nation-state cyber-surveillance meets banking Trojan. The trojan attempts to gather as much information from the computer as possible, and also attempts to steal banking credentials (which is a relatively unique feature of the malware). Gauss is most prevalent, so far, in Lebanon, and its financial credential thievery appears to be targeted at specific Lebanese banks. It has also been found in Israel and Palestine, but is surprisingly absent from Iran. Per the Kaspersky report:
Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:
► Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
► Collecting information about the computer’s network connections.
► Collecting information about processes and folders.
► Collecting information about BIOS, CMOS RAM.
► Collecting information about local, network and removable drives.
► Infecting USB drives with a spy module in order to steal information from other computers.
► Installing the custom Palida Narrow font (purpose unknown).
► Ensuring the entire toolkit’s loading and operation.
► Interacting with the command and control server, sending the information collected to it, downloading additional modules.
I find it very interesting that a nation-state sponsored piece of malware would exfiltrate financial data, simply for the reason that it would be impossible to limit the scope of the malware to only target malicious actors (or whomever the malware was actually intended for). Then again, everything else the trojan does is criminal under US (and most international) law (data exfiltration, unauthorized access, etc.), so tacking on international banking fraud probably doesn't matter at this point.

Georgia court applies good faith to warrantless GPS use based on 1981 beeper case

A few months ago, I mentioned that an Alabama federal district court denied the suppression of GPS evidence because a 1981 circuit ruling allowed "the warrantless installation of an electronic tracking device ... to the exterior of a vehicle parked in a public place ... where the agents possess reasonable suspicion." United States v. Michael, 645 F.2d 252, 256-59 (5th Cir. 1981) (en banc). A Mississippi court refused to uphold the use of GPS under the same case.

In United States v. Nelson, 2012 U.S. Dist. LEXIS 103944 (S.D. Ga. 2012), a Georgia magistrate denied a motion to suppress after applying Michael and the Davis good faith rule. The GPS device had been placed on the defendant's vehicle on January 14, 2012 - just weeks before the Supreme Court's decision in United States v. Jones. The court held:
The record in this case establishes that when Agent Klarer installed the GPS device on Nelson’s vehicle he relied upon established FBI policy that conformed with binding Eleventh Circuit precedent. Even assuming that reasonable suspicion was a necessary predicate for the warrantless installation of the device, (and it is not clear that even reasonable suspicion was required under then-existing Eleventh Circuit precedent), Nelson did not dispute the government’s assertion at the hearing that the agents reasonably believed that Nelson was involved in the kidnappings at the time they placed the tracker on his vehicle. In any event, the Court finds that the agents had developed sufficient information to furnish reasonable suspicion that Nelson was involved in the kidnappings: he had ties to Marshlick (having dated Marshlick’s wife’s niece), he was the first person Downs encountered after his release by the kidnappers, he knew details about the Downs kidnapping that Downs had not revealed to him during their brief encounter, and he was a suspect in numerous other crimes (including the assault of his former girlfriend and the torching of her mother’s home). Because Agent Klarer acted in compliance with binding appellate precedent when he attached the GPS locator to Nelson’s vehicle, the exclusionary rule has no application in this case.
Michael was decided prior to the creation of the modern-day Eleventh Circuit, making it binding authority on today's Fifth and Eleventh Circuits.

Wednesday, August 8, 2012

Cybercrime Review to conduct webinar on encryption technology and legal issues

Two weeks from today, Justin and I will conduct the first of what we hope to be many webinars on cybercrime related topics. In our initial presentation, Justin will cover encryption technology and software as well as forensics issues, and I will address the relevant case law on forced disclosure of passwords for encrypted files.

Date: Wednesday, August 22
Time: 1:00-1:30 Eastern

Click here to register. The webinar will be approximately thirty minutes in length, and we will stick around afterward for any questions you may have. Feel free to share this information as this webinar is open to anyone with an interest in the subject. CLE credit is not available for this webinar.

Tuesday, August 7, 2012

Carnegie Mellon study on Silk Road

You may recall that in May I wrote a post about what Bitcoins could buy you in the criminal underground, appropriately titled "What Bitcoins can buy you in the criminal underground."

In that post I mention Silk Road - a site that is pretty much an illicit drug bazaar. To follow up on that, I'd like to draw attention to a new study that has come out, authored by Nicolas Christin, which details the revenue made by the site, and other usage statistics - including a very high satisfaction rate with the transactions.

The study can be found here:

Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace

H/T to Forbes: Black Market Drug Site 'Silk Road' Booming: $22 Million In Annual Sales

Hacking victim details how he lost his email account and everything on his computer

Be sure to read "How Apple and Amazon Security Flaws Led to My Epic Hacking" from Wired writer Mat Honan detailing how hackers were able to delete his entire Google Account, take over his Twitter account, and remotely erase his iPhone, iPad, and MacBook. It's important to read the whole thing - on the last page, he explains why you should not enable the Find my Mac feature in iCloud.

It's enough to scare any sensible person into seeking ways to better protect themselves online. Several websites have made suggestions for doing so, including this one from Lifehacker.

One important step is to enable two-factor authentication in both your Google Account and Facebook. Enabling this will require you to enter a code sent to your phone via text message before you can access these accounts on an unfamiliar computer. Thus, even if a hacker is able to change your Gmail account's password, they still won't be able to access it without obtaining the code sent to your phone. There is a special procedure for authenticating on certain types of devices so be sure to follow the directions carefully.
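As an added illustration of the property described above (not code from the original post, Google, or Facebook), the following Python model shows why a second factor defeats an attacker who has managed to reset the password: on an unfamiliar device the server issues a short-lived, single-use code out of band and refuses access until that code is presented, and a password reset does not clear the device-trust list or bypass the check. The SMS channel is simulated with an in-memory outbox, and the account, phone number, five-minute code lifetime and three-attempt limit are constructed assumptions for the demo.

```python
"""Simulated login flow with a second factor delivered out of band.

Added example, not from the original post. The carrier is replaced by an
in-memory outbox, and all account data, timeouts and limits are constructed.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3    # assumption: a code is voided after three bad guesses


def _hash_password(password, salt):
    # PBKDF2 so a leaked database does not hand over the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, password, phone):
        self.username = username
        self.phone = phone
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.trusted_devices = set()   # device ids that already passed the second factor
        self.pending_code = None       # (sha256 of code, expiry timestamp, bad attempts)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))

    def reset_password(self, new_password):
        # A reset (by the owner or by an attacker who talked support into it)
        # changes only the password; it neither trusts a device nor skips 2FA.
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(new_password, self.salt)


class SmsOutbox:
    """Stands in for the carrier: the last code sent to each phone is kept in memory."""
    def __init__(self):
        self.messages = {}

    def send(self, phone, code):
        self.messages[phone] = code


def login(account, password, device_id, outbox, code=None, now=None):
    """Return 'denied', 'code_sent' (check your phone) or 'ok'."""
    now = time.time() if now is None else now
    if not account.check_password(password):
        return "denied"
    if device_id in account.trusted_devices:
        return "ok"                       # familiar computer: password is enough
    if code is None:
        # Unfamiliar device: issue a fresh six-digit code and stop here.
        fresh = f"{secrets.randbelow(1_000_000):06d}"
        digest = hashlib.sha256(fresh.encode()).digest()
        account.pending_code = (digest, now + CODE_TTL_SECONDS, 0)
        outbox.send(account.phone, fresh)
        return "code_sent"
    if account.pending_code is None:
        return "denied"
    digest, expiry, attempts = account.pending_code
    if now > expiry or attempts >= MAX_CODE_ATTEMPTS:
        account.pending_code = None       # expired or exhausted: force a new code
        return "denied"
    if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
        account.pending_code = (digest, expiry, attempts + 1)
        return "denied"
    account.pending_code = None           # single use
    account.trusted_devices.add(device_id)
    return "ok"


def demo():
    """Walk through the scenario from the post; returns the attacker's final result."""
    acct = Account("alice", "correct horse", "+1-555-0100")   # constructed account
    outbox = SmsOutbox()
    login(acct, "correct horse", "alice-laptop", outbox)        # owner's first login
    login(acct, "correct horse", "alice-laptop", outbox,
          code=outbox.messages["+1-555-0100"])                  # she enters her code
    acct.reset_password("pwned")                               # attacker resets password
    login(acct, "pwned", "attacker-box", outbox)               # code goes to Alice's phone
    return login(acct, "pwned", "attacker-box", outbox, code="guess")


if __name__ == "__main__":
    print("attacker with new password but no code:", demo())
```

The trusted-device set is what the post calls a familiar computer: once a device has presented a valid code, later logins from it need only the password, while any other device is held at the second factor no matter who knows the current password.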

Apple responded, "Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password, in this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected."

Fifth Circuit affirms illegal gambling convictions for use of sweepstakes software

In United States v. Davis, 2012 U.S. App. LEXIS 15875 (5th Cir. 2012), the Fifth Circuit affirmed the defendants' convictions for illegal gambling after they used computer software to allow users to participate in a sweepstakes in violation of federal and Texas law.

The defendants were charged with conducting an illegal gambling business under 18 U.S.C. § 1955 for their actions in a sweepstakes promotion at three Texas Internet cafés. Under the statute, the act must "violate[] the law of the state in which it is conducted." The relevant issue was whether the defendants operated an "electronic gambling device" in violation of Texas law. If participants paid consideration for the privilege of playing, it would be considered such a device.

Software running on computers at the Internet cafés allowed users to participate in the sweepstakes in three ways: (1) purchasing Internet time - $1 = 100 entries, (2) requesting entries in person, up to 100 per day, or (3) requesting entries by mail, up to 100 per day. Winning entries were predetermined, and participants could discover whether they won by asking an employee, swiping their card, or playing games on the computers.

Thus, the defendants argued that since entries were received without purchase or free with the purchase of Internet time, there was no consideration. The Fifth Circuit, however, held:
[T]he consideration element in the Texas gambling statutes can be fulfilled without an explicit exchange of money for the opportunity to participate in a sweepstakes.... Here, as in Jester, there is legally sufficient evidence from which a reasonable fact-finder could infer that the sale of Internet time at the defendants’ cafés was an attempt to legitimize an illegal lottery.
The court also rejected an argument that the defendants were entitled to a mistake of law defense. The defendants argued they had read opinions from the Texas Attorney General prior to the sweepstakes which supported their plan, and that because the federal statute criminalizes what is illegal under state law, a defense should be available based on mistake of state law. The Fifth Circuit, however, found that the defendants did not "reasonably rely on any 'official statements'" because more recent opinions would have shown the act was illegal.

Therefore, the convictions for illegal gambling and conspiracy to commit illegal gambling were affirmed (though a money laundering conviction was reversed).

Monday, August 6, 2012

Cybercrime Review launches site redesign

For those of you not reading via RSS feed, you probably noticed that we launched a new layout over the weekend. We'd love to hear your thoughts - either in the comments or by e-mail.

It's hard to believe that Cybercrime Review began ten months ago. Over 300 posts later, we're still going strong. Thank you for your readership, tips, and arguments along the way!

District Court denies motion to suppress cell site data

In United States v. Madison, 2012 U.S. Dist. LEXIS 105527 (S.D. Fla. 2012), the district court denied a motion to suppress cell site location information as the application contained facts asserting that the defendant was an associate of - and lived near - a known participant.

A 2703(d) order was obtained to get historical cell site records for the defendant after a shooting and other related crimes. To prove specific and articulable facts, law enforcement presented facts concerning the gunman they caught near the scene. They connected the defendant to the gunman with the following facts:
m. Sources have identified Bobby Ricky Madison as a person possibly involved in the armored car robbery that occurred on October 1, 2010. Madison is also a known associate of Moss and Moss's other associates. From document[s] regarding a prior arrest of Madison, the FBI has learned that Madison uses a cellular telephone assigned the number 754-234-7001. 
n. Madison lives in the Opa Locka area near where Moss resides. In May 2010, officers in the same Coconut Creek area from which the two stolen vehicles used in the October 1, 2010, robbery were stolen attempted to perform a traffic stop of a vehicle Madison was driving. He lead the officers on a high-speed car chase before eventually being apprehended. The car he was driving was reported stolen from that same Coconut Creek area at approximately the same time of day as the two vehicles used in the October 1, 2010, robbery.
Thus, the "specific and articulable facts" were that the defendant was a known associate and lived in the area (approximately eight miles away).

The court agreed that the application was sufficient. It presented facts surrounding the armed robbery, the defendant's ties to another participant, and his "skill set and modus operandi for stealing cars." Further, it alleged that at least three others were involved in the act, though only one had been found. As it was reasonable to believe the defendant's cell site data would be relevant and material to the investigation, the 2703(d) order was proper.

Sunday, August 5, 2012

Craigslist wins $233K in case against optimization site

In Craigslist, Inc. v. Kerbel, 2012 U.S. Dist. LEXIS 108573 (N.D. Cal. Aug. 2, 2012), the Northern District of California granted default judgment for Craigslist against Kerbel for violations of the CFAA, Lanham Act, California hacking statute, California fraud statute, and DMCA. Kerbel and his website exploited the CAPTCHA function of craigslist, and sold credits for "campaigns" that would blast out postings all over the country ("24/7"), circumventing the Terms of Use specified by Craigslist. As the court described it, the "[d]efendant's activities burden craigslist's systems and cause it to incur expenses to increase server capacity, provide additional customer service and support for its legitimate customers, and investigate and enforce its policies." The defendant also used trademarks of Craigslist without authorization.

With regard to the CFAA claims, the court stated:
Plaintiff alleges that Kerbel's conduct was both knowing and intentional because it was designed to circumvent craigslist's security features and Defendant had to agree to the TOU with no intention of complying with it. Kerbel also continued said conduct despite receiving cease and desist letters. His conduct caused harm to craigslist of over $5,000 per year, including increased costs associated with the burden on Plaintiff's servers, investigation and enforcement costs to maintain the legitimacy of posts to the site, loss of goodwill, and the need for increased customer service and support. Thus, the Court finds Plaintiff is entitled to default judgment on its CFAA claims.
Kerbel was also dinged for violations of California's hacking statute - California Penal Code §§ 502(c)(1)-(7). Additionally, he was hit for statutory damages under the DMCA equaling $200K, which was at the low end of the spectrum. The high end, according to the court, would have been 1.7 million dollars. Keep in mind that the owner of the site made only 33 thousand dollars. That amount was tacked on to the judgment for trademark infringement, making the total judgment ~$233,000.

If nothing else, this reinforces the binding force of TOU on websites.

Thursday, August 2, 2012

Analysis of cybercrime cost estimates

ProPublica recently analyzed the often-cited estimate that cybercrime costs around $1 trillion. The director of the National Security Agency recently referred to this amount as "our future disappearing in front of us."

Click here for the story.