Wednesday, October 31, 2012

Forget the theoretical - what hacking back looks like in the real world

There have been many posts and links on Cybercrime Review discussing the legal implications of hacking back - see my collection of those posts, here: Hacking Back - are you authorized?  A discussion of whether it's an invitation to federal prison or a justified reaction/strategy?. What is lost in these discussions is a strong foothold in real world examples. Well, now we have a recent, real life "hack back" to look upon - the Republic of Georgia's counter-espionage hack of a supposed Russian perpetrator who was propagating malware for the purposes of espionage against Georgia. This is a must read.

Here's the story from IT world: Irked by cyberspying, Georgia outs Russia-based hacker -- with photos

And here is the Georgia CERT report: CYBER ESPIONAGE -- Against Georgian Government - (Georbot Botnet)

A quick summary for those who don't want to follow the links -- Georgia had been attacked and mined for information by a botnet, and this included infiltration of government entities. Fed up with this, the Georgian government decided to take action (taken from a ZDNET article about the same):
In order to lay the bait after the attacks increased in severity over the course of 2011, Georgia allowed a computer to be infected on purpose. Placing a ZIP archive named "Georgian-Nato Agreement," once opened, the investigator's own malware was installed. 
While the alleged hacker was being photographed, his computer was rapidly mined for sensitive documents. One Word document contained instructions on who and how to hack particular targets; as well as website registration data linked to an address within Russia.
As mentioned above, there are pictures of the Russian hacker in the report - part of the malware the hacker had been propagating (against Georgia) enabled webcams and took photographs. Georgia CERT experienced sweet revenge when this functionality was turned on the hacker himself.

Does this example change your opinion of "hacking back?"

Ohio state court forbids use of GPS evidence obtained without warrant; Florida district court holds otherwise

In State v. Henry, 2012 Ohio 4748 (Ohio Ct. App.), the court of appeals reversed and remanded the case because the GPS device had been installed without a search warrant. Ohio had no binding precedent on the issue, preventing a successful good faith argument by the government. In a recent Florida case, the district court upheld the use of the GPS evidence, finding that the Eleventh Circuit had binding precedent on the issue. United States v. Lewis, No. 12-60011-CR (S.D. Fla. 2012).

In Henry, the defendant had recently been released from prison and was known by police to have been involved in stealing cars from car dealerships. Upon the defendant being arrested for an outstanding traffic warrant, the officer went to the lot where the defendant's car had been towed to install a GPS device on the car, a vehicle which was not owned by the defendant. One night, the defendant was tracked to a convenience store and was seen unloading truck tires from the trunk of the car, and he was arrested.

At trial, the court overruled the defendant's attempt to suppress the GPS evidence (which was ordered prior to Jones), and he was convicted of receiving stolen property and possession of criminal tools.

On appeal, the Court of Appeals of Ohio reversed and remanded, finding that the motion to suppress should have been granted. No binding authority existed, and therefore there was no good faith reliance that would hold up under Davis. The court, interpreting Justice Alito's opinion in Davis, held:
[I]t is clear that the holding in that case, upon which the State relies in this case, has no application in a situation, like the one before us, where the jurisdiction in which the search was conducted has no binding judicial authority upholding the search.
As noted previously on this blog, most decisions outside the Seventh and Ninth Circuits, which had precedent authorizing warrantless use of GPS devices, require suppression after Jones. Courts in those circuits, however, typically apply the good faith exception under Davis and allow the evidence to be admitted.

One major exception to that general rule is one playing out in the old Fifth Circuit (today's Fifth and Eleventh Circuits). An en banc case from 1981 held that installation of a beeper on a car did not require law enforcement to first obtain a search warrant. The Lewis opinion applies this precedent to allow admission of the evidence under the Davis good faith exception. An Alabama district court has applied the same logic, but a Mississippi judge did not.

Related Case: In United States v. Robinson, No. S2-4:11CR00361AGF (E.D. Mo. 2012), the Eastern District of Missouri also refused to apply good faith to pre-Jones GPS use without a warrant. The motion to suppress was denied on other grounds, however.

Tuesday, October 30, 2012

When in doubt, try mosaic theory?

In United States v. Mohamud, 2012 U.S. Dist. LEXIS 151430 (Or. Oct. 22, 2012) the defendant was charged with attempt to use a weapon of mass destruction. He argued two things: (1) that evidence from an alleged date rape investigation by Oregon State Police (OSP) should be suppressed because the consent was not voluntary and the police exceeded the scope of consent, and (2) that because the OSP evidence was poisoned, the FBI's use of that evidence (since they were participating with OSP) was fruit of the poisoned tree.

The case has a number of interesting elements (I would recommend reading it), but a lot of missing info due to national security concerns. To quickly provide a synopsis of the outcome, the FBI essentially provided evidence that it would not be using any of the information from the OSP investigation against the defendant in the national security case.

Here's where it gets interesting - the defendant argued that even if the FBI wasn't going to use any evidence from OSP, what the FBI learned by participating in the OSP evidence "must have [had an effect] on the direction of the investigation, requiring suppression of all evidence obtained after an illegal search or seizure." To support this argument, the defendant attempted to invoke mosaic theory in a hail mary attempt. The defendant interviewed witnesses about mosaic theory, who explained the basics:
[T]he mosaic theory, ... the concept that while some information in specific [documents] may appear harmless to disclose when read in isolation, such information may be very valuable as part of a mosaic of information gleaned from various sources, including multiple [documents] prepared over time. The Supreme Court endorsed the mosaic theory in Sims
The only problem with this tactic is that mosaic theory, to the extent it has been injected in Fourth Amendment cases at all, has been used in analyzing individuals' reasonable expectation of privacy, see, e.g., Maynard (Orin Kerr has an upcoming Michigan Law Review article on mosaic theory and its place (or lack of a place) in Fourth Amendment jurisprudence). To the defendant's credit, mosaic theory has been used in the national security context, but to my knowledge, most often by the government to argue against disclosure of information under the Freedom of Information Act (FOIA) (even National Reporters Committee offers the defendant no support). The attorney gets an A for effort, but the court did not buy it:
The mosaic theory is not the standard, however, when deciding if tainted evidence must be suppressed. The mosaic theory is generally discussed in cases involving the state secrets privilege or the Freedom of Information Act ("FOIA") exemptions for intelligence sources and methods. In analyzing whether evidence is tainted, I will employ the standard explained in Smith, 155 F.3d 1051.
Thus, I must consider whether anything the FBI seized from the OSP investigation, or any leads it gained there, tended "significantly to direct" the national security investigation toward all evidence the FBI collected...
My guess is that with all the attention mosaic theory has received, it was just a matter of time before it would be tried in other Fourth Amendment cases.

Monday, October 29, 2012

When does one start to have a legitimate privacy interest in one’s phone records?

In McGreal v. AT & T Corp., 2012 WL 4356683 (N.D. Ill. Sept. 24, 2012), a federal district court held that a phone owner did not have standing to bring a Fourth Amendment unreasonable search and seizure violation as she did not have a legitimate expectation of privacy in the previous owner’s usage records of the phone.

The plaintiff alleged a Fourth Amendment unreasonable search and seizure violation against the Village of Orland Park and some of its employees (the Village defendants). In October 2010, the Village of Orland Park requested a subpoena for the phone records at issue during the arbitration of the plaintiff’s son’s termination as an Orland Park police officer. The subpoena was issued for the months of February and March of 2010. The phone number for which the subpoena was issued belonged to the plaintiff’s son from May 2009 through March 26, 2010. When the plaintiff’s son was ordered to produce his phone records for February and March 2010, he was unable to provide them because he closed the phone account on March 26, 2010 and transferred it to the plaintiff.

At trial, the plaintiff argued that her status as owner of the cell phone number when the subpoena was issued gave her ownership of the entire record associated with the number.

The District Court dismissed the defendant’s argument and noted that the subpoena mostly sought “records that were created . . .  before her ownership of the number.” The court stated that for one to have a legitimate privacy interest so as to confer standing to object to a search and seizure, one must have some amount of possession and control over the “object” of the search. The court frowned upon the transfer of ownership by the plaintiff’s son to the plaintiff and deemed it a bad faith attempt to evade production of the records.

It is not exactly clear how much weight the court gave to the factual circumstances that surrounded the termination and transfer of the phone account. In the absence of bad faith, one may wonder if the holding would be the same.

While the court held that the plaintiff did not have standing to bring a search and seizure violation with regard to the entire phone record, the court held that the plaintiff did have standing pertaining to the phone records of March 26, 2010 through March 31, 2010. This was a period where she had ownership and complete dominion of the phone record. Thus, the Village defendants’ motion to dismiss the Fourth Amendment violation claim for lack of standing was granted in part and denied in part.

Sunday, October 28, 2012

Cybercrime Review welcomes Emil Ovbiagele as guest writer

I am excited to welcome Emil Ovbiagele as a guest writer for Cybercrime Review. Emil, a 2L at Marquette University Law School, will post (as his busy schedule permits) as a guest writer between now and the end of the year. Emil's first post on the blog will appear tomorrow morning. He plans to formally join Cybercrime Review as a permanent author at the beginning of 2013. See below for a description of Emil's impressive credentials.

Emil is currently a 2L at Marquette University Law School pursuing a joint J.D./M.A. in Law and International Affairs. In 2011, he received his B.A. in International Affairs from Marquette University with a focus on the politics of developing countries. Emil is currently interning at the U.S. District Court for the Eastern District of Wisconsin for Chief Judge Charles Clevert. He previously interned with the Honorable Justice Patrick Crooks of the Wisconsin Supreme Court.

With a passion for writing, Emil has worked as a columnist for The Marquette University Tribune and as a blogger for an online millennial-centered magazine. In his downtime, he enjoys writing poetry, playing soccer and traveling.

Friday, October 26, 2012

Oregon appeals court reverses CP possession convictions as state failed to prove possession or control of cached images

In State v. Tilden, No. A146914 (Or. Ct. App. 2012), the Oregon Court of Appeals reversed a conviction on 101 counts related to child pornography possession as the state had not proven that the images found in the defendant's cache were ever possessed or controlled by the defendant.

The defendant was charged and convicted of 101 counts of encouraging child sexual abuse under an Oregon statute, one count for each image of child pornography found on his computer. A forensic analysis of the computer revealed that the images appeared on the defendant's computer after he "accessed [the] website by clicking on a link in an e-mail." The images were stored in his cache, which was later deleted but recovered from unallocated space.

At trial, the state argued the defendant possessed the images. No evidence was presented to show the "defendant actually did anything with the images other than view them on the website," though the forensic examiner testified as to the defendant's capability to do more, such as explaining that the images could be saved to a CD or thumb drive. A jury instruction noted that no evidence had been presented to show such actions had occurred, but in his closing argument, the prosecutor said:

"[The forensic examiner] talked about [defendant's] ability to control each one of those digital images. He controlled whether they could be printed, transmitted, saved, downloaded. He talked about saving and downloading some—same thing. The fact that [defendant] didn't do that doesn't negate the fact that he had control over whether that happened. And interestingly enough he talked about, 'Well, hey, I didn't download it and I didn't print—or transmit it,' excuse me. So he knew he could, he knew he had control of it."
On appeal, the defendant argued that the evidence was insufficient to prove possession or control of the images. The state argued that the claim was not properly preserved at trial, and the court agreed, reviewing for plain error. The court of appeals held that because the state failed "to offer evidence that defendant had done something more than view the images on a website," there had been no proof of possession or control. As such, the convictions were reversed.

Thursday, October 25, 2012

Nevada district court applies good faith to GPS evidence, denies standing to one-time driver

In United States v. Smith, No. 2:11-cr-00058-GMN-CWH (D. Nev. 2012), the district court found that the defendants were not entitled to suppression of GPS evidence and that one of the defendants did not have a legitimate expectation of privacy in the car which he had driven on at least one occasion.

Law enforcement had placed a GPS device on defendant Smith's vehicle in May 2010, and Smith sought to suppress the evidence obtained from the device under the 2012 Supreme Court decision in Jones. Defendant Merritte sought similar protection though the car did not belong to him.

The court found that Merritte was not entitled to suppression because he did not have a legitimate expectation of privacy in the vehicle. He was not the owner and had only been seen driving the car by police on one occasion as he was usually a passenger. Further, he presented no information that he had permission from Smith to drive on that one occasion or on any other. He argued that an Eighth Circuit case should apply, but the court acknowledged it was neither binding nor factually similar. In that case, the defendant had a set of keys to the car and drove it multiple times per week.

With regard to Smith, the court found that the good faith exception applies as the Ninth Circuit's decision in Pineda-Moreno was binding at the time the device was installed. The application of the good faith exception has been extensively discussed on this blog.

Related Case: The same standing rule the court used to decide Merritte's argument also came up in a recent federal case in South Dakota. In United States v. Clinton, 2012 U.S. Dist. LEXIS 150171 (D. S.D.), the court held that the defendant's possession of a cell phone, "without more, is insufficient to establish a Fourth Amendment right to privacy in its contents." He was not the owner or registered as a user, and he did not provide evidence that he had permission to use the phone.

Wednesday, October 24, 2012

Kansas magistrate adopts Warshak, strikes down warrant applications for not meeting particularity requirements

In In re Applications for Search Warrants, No. 12-MJ-8119-DJW (D. Kan. 2012), a magistrate judge adopted the Sixth Circuit's Warshak view that electronic communications are subject to a reasonable expectation of privacy and held that search warrants for such information should be sufficiently limited to the relevant crime(s) and should address limits for reviewing the data.

The government had applied for two search warrants to obtain electronic communications from Yahoo! and UnityFax. In the application, they alleged that the account holder had been spamming individuals in an attempt to defraud them.

In deciding whether the Fourth Amendment applies to electronic communications, the judge relied heavily on the Sixth Circuit's decision in Warshak (Kansas is in the Tenth Circuit).
The Court finds the rationale set forth in Warshak persuasive and therefore holds that an individual has a reasonable expectation of privacy in emails or faxes stored with, sent to, or received through an electronic communications service provider. Accordingly, the Fourth Amendment protections, including a warrant "particularly describing" the places to be searched and communications to be seized, apply to a search warrant seeking such communications.
But here, of course, the government was already seeking the communications by a search warrant (under 18 U.S.C. § 2701(b)(1)(A) & (c)(1)(A)), rather than a 2703(d) Order. The court found that the applications did not meet the particularity requirements of the Fourth Amendment.

First, the judge found that a warrant ordering disclosure of "all email or fax communications" was "too broad and too general." The requests must "limit the universe" to information related to "the specific crimes being investigated." Second, the applications "fail to set out any limits on the government's review of the potentially large amount of electronic communications."
The Court finds the breadth of the information sought by the government's search warrant for the either the fax or email account—including the content of every email or fax sent to or from the accounts—is best analogized to a warrant asking the post office to provide copies of all mail ever sent by or delivered to a certain address so that the government can open and read all the mail to find out whether it constitutes fruits, evidence or instrumentality of a crime. The Fourth Amendment would not allow such a warrant.
The judge's suggestions for alleviating these issues included limiting the search to keywords or to communications between certain individuals, or appointing a special master or filter group to review the information.

Tuesday, October 23, 2012

Fifth Circuit shows forensic acumen in CP case; defendant preserves important question for appeal

In United States v. Pelland, __ F.3d __ (5th Cir. 2012), the Fifth Circuit held that circumstantial evidence could be used to prove the interstate commerce requirement of the federal CP statute. The case is noteworthy for two reasons: (1) the court, in holding as it did, discussed the forensic details accurately and succinctly (which often does not happen) and (2) the defendant preserved an interesting statutory interpretation problem which the court punted on for good reason.

This case is relatively run of the mill in terms of facts - the defendant was caught with child pornography on a computer and a zip drive, and convicted. On appeal, he asserted that the government had failed to produce sufficient evidence to sustain the conviction because they had not proven, for each file, that the interstate commerce requirement was met.

In a thoughtful and technologically accurate opinion, the court held that circumstantial evidence of internet use, coupled with file creation dates, and the defendant's own admissions, were sufficient to sustain the conviction. In the court's holding, which I encourage you to read, it deals with IRC chat rooms, file creation dates with respect to downloading and copying, and a few other technical issues. Their analysis was spot on, and an encouraging sign that the courts are becoming better equipped to handle these issues. Here is a small excerpt:
Pelland's child pornography files—both charged and uncharged—had creation dates ranging from May 2008 to March 31, 2009. As Cummings testified, a creation date can be the date a file was downloaded from the Internet or the date it was transferred from another device. Pelland contends that the creation dates reflect the dates on which he transferred pre-existing files onto the thumb drive and desktop, not the dates on which they were originally downloaded. The jury could have reasonably concluded, however, that Pelland would not have transferred the files in a piecemeal fashion on many separate dates, and that Internet downloading on separate dates was more plausible.
If, as Pelland urges, creation dates reflected the dates that pre-existing files were transferred (and not download dates), none of the files on the thumb drive or desktop could have had creation dates earlier than November 2008—the date Poisson gave these devices to Pelland, and thus the earliest date he could have transferred files onto them. Because some of the uncharged files have creation dates going back to May 2008, however, the jury could have reasonably inferred that the creation dates reflected download dates, not file transfer dates. 
The defendant also argued that for one particular count the court was relying on an erroneous decision in United States v. Dickson, 632 F.3d 186 (5th Cir. 2011) which allows the commerce clause requirement to be met by "producing" child pornography on a device that was involved in interstate commerce. The error, the defendant asserts, is that the Fifth Circuit held in Dickson that copying files from one device to another is "producing" child pornography, and that is clearly erroneous. The court, because the evidence tying the defendant to the internet was sufficient to sustain all counts, punted on the issue.

The statute in question is 18 U.S.C. § 2252A(a)(5)(B), which states in pertinent part:
Any person who . . . knowingly possesses, or knowingly accesses with intent to view, any . . . material that contains an image of child pornography . . . that was produced using materials that have been mailed, or shipped or transported in or affecting interstate or foreign commerce by any means . . . .
The Fourth, Seventh, Ninth, and Tenth circuits have also held that a defendant copying files from one media to another has "produced" child pornography. The language in question from Dickson is as follows:
Dickson's arguments are as unpersuasive to us as similar arguments were to the Fourth, Seventh, Ninth, and Tenth Circuits. First, "producing" is broadly defined as "producing, directing, manufacturing, issuing, publishing, or advertising." 18 U.S.C. § 2256(3). Congress could have left "producing" undefined, thereby giving it its ordinary meaning. But by defining "producing" using the term itself plus other closely related terms, Congress intended the statute to cover a wider range of conduct than merely initial production. Excluding copying from our interpretation of "producing" would be too restrictive a reading.
The defendant in Pelland argued that Dickson was wrongly decided, arguing that the statutory definition of "producing" was construed too broadly and that copying was never meant to be within the statute's reach. The Fifth Circuit declined to address the issue:
Pelland's argument respecting the definition of "produced" is moot because, as we have discussed, the trial evidence was sufficient to prove the government's primary interstate commerce theory. . . . In any event, because Dickson has not been overruled or superseded by a decision of the Supreme Court or this court sitting en banc, we cannot overturn it. . . . Pelland recognizes that we must follow Dickson, and raises this argument only to preserve it for further review.
It is my hope that the defendant requests an en banc review, or if such review is denied, appeals to the Supreme Court. I have a hard time pulling "copying" from "producing." More fundamentally, I think it is tenuous to rest federal jurisdiction on copying to a device that came from interstate commerce - the previous activity of the device seems to be irrelevant for the current activities. In cases where the internet is used as the jurisdictional hook, at least data is contemporaneously being transferred between interstate elements (be it CP related or not). I think this is overstepping by Congress, compounded by judicial expansion of a statute beyond its plain meaning. Stay tuned.

Monday, October 22, 2012

Arkansas Supreme Court upholds murder conviction over argument that text messages were improperly obtained by a prosecutor's subpoena

In Gulley v. State, 2012 Ark. 368 (Ark. 2012), the Supreme Court of Arkansas held that the defendant's argument that text messages obtained by a prosecutor's subpoena violated the federal Stored Communications Act and Fourth Amendment would not be considered because the objection was not made at trial, and the defendant did not argue on appeal that the prosecutor had abused the subpoena power.

The defendant had been convicted and sentenced for capital murder and attempted capital murder, and three text messages were presented at trial which had been obtained through a prosecutor's subpoena. One said that the victim's child is "going to be left without any parents," and another read "dat b**** gonna pay, it's just a matter of time." At trial, counsel argued:
DEFENSE COUNSEL: If I send a text message out it is digitally transmitted through the air wave just like a telephone call is. There is no difference. The fact that they maintained it and printed it out is what the difference is but there is a reasonable expectation of privacy. It may have been subject to a warrant but not to a subpoena.
. . .
DEFENSE COUNSEL: You do not expect the telephone company is going to take it upon themselves to give it to a third party based on a subpoena. It has to be probable cause to get it not just carte blanche you issue a subpoena and go get it. That is what happened here. It may otherwise be something that could be used if a Judge says it but not by a Prosecutor just exercising its own subpoena. 
PROSECUTOR: I respectfully disagree, Your Honor, with regard to the Prosecutor's subpoena. Like I say, it is just like a grand jury, it's a quasi-magisterial function and it is a power that is conferred upon the office of the Prosecuting Attorney, same as grand jury in the State of Arkansas.
The judge denied the motion, finding that there could not be an expectation of privacy because the messages "can be picked up by a scanner with the proper device." Defense counsel also argued the messages should not be admitted on the basis of relevancy, juror confusion, hearsay, and rule 403. The court limited admission to three text messages.

On appeal, the defendant argued that the use of the subpoena to acquire the text messages violated the SCA and the Fourth Amendment. However, because he did not make an SCA-related objection at trial and did not argue on appeal that the prosecutor abused the subpoena power, the court refused to consider the issue.

The defendant also appealed the admission of the messages as evidence, arguing they were hearsay and not properly authenticated. The supreme court disagreed on both issues.

Friday, October 19, 2012

Wyoming Supreme Court reverses sexual abuse convictions due to improper CP website testimony and court instruction

The Supreme Court of Wyoming recently reversed and remanded convictions of sexual abuse because of the admission of certain testimony concerning child pornography websites the defendant had allegedly visited and an improper comment by the district court upon evidence. Mersereau v. State, 2012 WY 125 (Wyo. 2012).

At trial, the state sought to admit images of child pornography found on websites that had allegedly been visited by the defendant in order to show a sexual attraction to children. The court found the images to be overly prejudicial, but agreed to allow testimony by an agent as to the content of those websites. On appeal, however, the supreme court found that the agent testifying as to the content of the websites had not actually visited the websites. Further, there was no proof that the websites contained images of actual child pornography. Given these factors, and the fact that the jury was left to assume the images were of small children, as the alleged victim was, the testimony prevented the defendant's fair trial.

Also, prior to the forensic examiner testifying as to the contents of the defendant's computer, the court told jurors they were "about to hear evidence that there were child pornography websites on the defendant's computer." On appeal, the defendant argued that this instruction "injected the district court's opinion regarding the weight or quality of the evidence at the trial," and because the argument had not been raised at trial, it was examined for plain error. The supreme court held that the lower court "invaded the province of the jury" with the statement as there was no admissible evidence "that the appellant went to child pornography websites on his computer." As such, the statement by the court was plain error.

For these reasons and others discussed in the opinion, the conviction was reversed, and a new trial was ordered.

Thursday, October 18, 2012

Third Circuit rules that district courts must view CP videos prior to ruling on their admissibility at trial

In United States v. Cunningham, No. 10-4021 (3rd Cir. 2012), the Third Circuit held that it is substantive error for a district court to rule on a Federal Rules of Evidence 403 motion concerning the showing of child pornography videos at trial without the court first viewing the videos to determine their probative value.

Pennsylvania police had discovered child pornography being shared on Limewire and tracked it to the defendant's home where a search revealed those same files on the defendant's computer. Before trial, the defendant argued that FRE 403 prevented showing the jury videos of child pornography because he was willing to stipulate that the videos were of child pornography, thus decreasing their probative value. The court agreed to allow the videos without sound, but did not agree to review the videos prior to a decision on the 403 motion or being shown to the jury. The defendant was convicted for receipt and distribution of child pornography.

On appeal, the defendant argued that the court erred by not viewing the videos prior to ruling on their admissibility or presenting them to the jury and by not, over defendant's motion, providing potential jurors with details about the videos during voir dire (jury selection).

The Third Circuit held that unless the potential prejudice is obvious, district courts should review the evidence prior to making a 403 ruling. Because the court did not do that, the judgment was vacated and remanded for a new trial.

Here's the wording of the Third Circuit's rule:
[U]nless the Court determines that, considering the potential of unfair prejudice, the probative value of a proposed video excerpt is so minimal that it need not watch that excerpt, the Court must view the proposed video excerpts to not only assess their probative value and potential for unfair prejudicial impact but also to appropriately evaluate their admissibility in light of Rule 403's concern with redundancy.
With regard to the voir dire argument, the court determined that a decision to describe the types of content jurors may see in a child pornography case is within the discretion of the district court.

Tuesday, October 16, 2012

Hacking Back - are you authorized? A discussion of whether it's an invitation to federal prison or a justified reaction/strategy?

The concept of hacking back has continued to gain attention as cyber-attacks continue. I'd be remiss if I didn't point readers to the Volokh Conspiracy and its latest coverage on the issue. The contenders in this argument, which has gone back and forth for 4 days so far, are Stewart Baker, a Partner at Steptoe & Johnson, with experience working for DHS, and Orin Kerr, Fred C. Stevenson Research Professor of Law at The George Washington University.

As an initial matter, Jeffrey and I did a back and forth on this in June. Our posts can be found here:

Justin's take - The Illegality of Striking Back Against Hackers
Jeffrey's argument in the alternative - An Attempt to Make the Case for "Hacking Back"

In a generalized way, it appears I side with Orin Kerr, whereas Jeffrey's argument in the alternative (which is not necessarily his view) is more favorable to Stewart Baker. Here are the posts from the Volokh Conspiracy, in chronological order:

October 13th, Stewart Baker, RATs and Poison: Can Cyberespionage Victims Counterhack?
October 14th, Stewart Baker, RATs and Poison II — The Legal Case for Counterhacking
October 15th, Orin Kerr, The Legal Case Against Hack-Back: A Response to Stewart Baker
October 16th, Stewart Baker, The Legality of Counterhacking: Baker Replies to Kerr

I will update if the back and forth on the VC continues.

Update Oct. 16th, 12:53pm CST: Kerr just responded in another post
October 16th, Orin Kerr, More on Hacking Back: Kerr Replies to Baker

Update Oct. 16th, 5:00pm CST: Baker's final response
October 16th, Stewart Baker, The Legality of Counterhacking: Baker’s Last Post

Update Oct. 17th, 6:18pm CST: Kerr's final post
October 17th, Orin Kerr, A Final Post on Hacking Back

Monday, October 15, 2012

South Carolina Supreme Court finds no SCA protection for read e-mails left in user's account

In Jennings v. Jennings, No. 27177 (S.C. 2012), the South Carolina Supreme Court held that e-mails simply left in a user's account after being read are not in "electronic storage" and thus not protected by the federal Stored Communications Act (SCA). The statute, enacted in 1986, addresses unlawful access to stored communications and prescribes criminal and civil penalties for such access.

The alleged SCA violation arose after Mrs. Jennings discovered that her husband had been having an affair. A friend obtained access to Mr. Jennings's personal e-mail account by guessing the answers to his security questions and printed e-mails between Jennings and his paramour. He filed suit alleging a violation of the SCA, and the lower court granted summary judgment to the defendants. The South Carolina Court of Appeals reversed, holding that the e-mails were in "electronic storage." Jennings appealed to the state supreme court.

At issue on appeal was whether the e-mails were in electronic storage. The court of appeals had held they were because they "were stored for 'purposes of backup protection,'" relying on the Ninth Circuit's Theofel case (which found that leaving an e-mail on the server was electronic storage). However, the supreme court disagreed. 
We decline to hold that retaining an opened email constitutes storing it for backup protection under the Act.  The ordinary meaning of the word "backup" is "one that serves as a substitute or support."
Therefore, because the e-mails were not protected by the SCA, the statute does not provide a remedy for Jennings. The court emphasized, however, that their decision "should in no way be read as condoning [such] ... behavior."

Under the SCA, "electronic storage" is defined as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;
Many courts have determined that e-mails may be protected if they fit into either subsection A or B, despite the use of the word "and" between them. The majority opted not to decide the issue, noting that "[w]hatever doesn't make any difference, doesn't matter," but the chief justice argued in a concurring opinion that both are required. The distinction matters because if both are required, once "the recipient opens [an] e-mail, ... [it] is no longer in electronic storage."

Thursday, October 11, 2012

Eleventh Circuit finds multiple images of CP in single photography session allow for multiple production counts

In United States v. Fee, No. 11-15356 (11th Cir. 2012), the Eleventh Circuit held that the production of multiple images of child pornography during a single photography session allows for multiple counts of production.

The defendant was convicted on eight counts of production of child pornography, and she argued on appeal that the multiple counts were multiplicitous.

However, the Eleventh Circuit held that the convictions were not multiplicitous as each involved an act "of sexually explicit conduct to produce separate visual depictions of that conduct." The statute punishes the production of "any visual depiction" which should be interpreted as Congress's intent to punish "each discrete visual depiction."

Wednesday, October 10, 2012

If I read your emails, change your password, and use your emails against you in a divorce proceeding, am I cyberstalking you?

If you said "yes" to the question posed in the title of this post, you may have some difficulties in Florida. In Young v. Young, 2012 Fla. App. LEXIS 15112 (Sept. 28, 2012), a Florida appellate court said "no" to that question, holding that cyberstalking, per Florida statute, requires "electronic communications by [a person]" of "words, images, or language . . . directed at" another individual (the person allegedly getting stalked).

In Young, the husband allowed his wife to use his computer password to install a multi-user licensed anti-virus program. Under these facts, I'm not exactly sure why she needed the password, but the case does not clarify. The husband, in my estimation, was operating under good faith because at the time of disclosure, the couple was either at, or still amidst, their dissolution proceeding. (At this point I'd like to stop and offer what should be obvious advice - short of a court order, never disclose your password to anyone, for anything, at any time. Including your wife. I can't think of many stories I have heard that open with "so I gave her/him my password" and end happily.)

The wife, without the husband's consent, then "used the password to read his email and then changed the password so that he could no longer gain access to his account." Subsequently, she "filed a paper in the divorce proceeding that contained extensive personal information taken from the emails." The husband filed for a domestic violence injunction, which was granted by the lower court after interpreting that the wife's actions "amounted to cyberstalking."

The court of appeals overturned the injunction, stating that reading your emails, changing your password, and using the information discovered in your email account are not electronic communications directed at another, and therefore fall outside the purview of the statute.

In my common understanding of stalking in general, but also cyberstalking, I was never under the impression that stalking had to include some sort of communication to the "stalkee." Isn't part of stalking doing so by use of stealth? Indeed, one online dictionary defines it as:
1. To pursue by tracking stealthily.
2. To follow or observe (a person) persistently, especially out of obsession or derangement.
To me, this is an odd outcome - but it is more a failing of statutory drafting than a mistake by the court. The husband may also have other remedies (computer intrusion statutes at the state level); however, those will certainly not be sufficient to obtain a DV injunction. The larger question is this: does the wife's behavior give rise to the husband's belief that he was in imminent danger of domestic violence, which is the DV injunction standard in Florida? That's a high bar to meet, but one would need to know the content of the emails to know just how angry she might have been. As a public policy matter, I think a DV injunction here wouldn't be a bad thing.

Ninth Circuit holds that storing CP in shared folder is distribution, FBI must disclose EP2P software to defendants

In United States v. Budziak, No. 11-10223 (9th Cir. 2012), the Ninth Circuit held that storing child pornography in a shared folder for peer-to-peer networking without proof of distribution can, nonetheless, be considered distribution. The decision echoes that of three other circuits' opinions - United States v. Chiaradio, 684 F.3d 265, 281-82 (1st Cir. 2012); United States v. Shaffer, 472 F.3d 1219, 1223 (10th Cir. 2007); and United States v. Collins, 642 F.3d 654, 656-57 (8th Cir. 2011).

The Ninth held "that the evidence is sufficient to support a conviction for distribution under 18 U.S.C. § 2252(a)(2) when it shows that the defendant maintained child pornography in a shared folder, knew that doing so would allow others to download it, and another person actually downloaded it."

On appeal, the defendant argued that he had disabled sharing in the software, but he had presented no such evidence at trial. The government, however, had presented evidence to the contrary.

Budziak did sufficiently argue that the trial court improperly denied him access to the FBI's EP2P software used to find child pornography sharers on the Limewire network. As a result, the case was remanded for the district court to determine if discovery could have affected the outcome.

Tuesday, October 9, 2012

En banc Fifth Circuit continues circuit split with CP restitution, holds proximate cause not required for loss calculation

The Fifth Circuit recently decided en banc to continue a circuit split concerning restitution to child victims of images of child pornography. In re Amy Unknown, No. 09-41238 (5th Cir. 2012) (en banc). As discussed previously on this blog, the Fifth Circuit was the odd man out on the issue, with a panel having held that the statute's allowance for losses is not limited to those proximately caused by the defendant. In light of conflicting opinions in other circuits, the Fifth took up the case en banc.

Other circuits have held that 18 U.S.C. § 2259's "proximate result" requirement limits awards to losses proximately caused by the defendant's acts. Therefore, a defendant who has only viewed the images may only be found liable for the damage he proximately caused the victim.

The Fifth's decision, however, allows courts to award restitution in the full amount of the victim's losses (including medical services, therapy, child care, lost income, attorney's fees, and other expenses). The victim in this case (the "Amy series") has previously been determined to be entitled to approximately $3.4 million. The appeals court held that the district court must order restitution in the full amount.

Thus, the district court decision was vacated and remanded.

A concurring/dissenting opinion of four judges argued that district courts should be given discretion in the amount and not be required to impose the full amount when multiple violators contributed to the victim's losses.

For other posts related to this issue, visit our restitution label.

Monday, October 8, 2012

Wiretap Act and sniffing Wi-Fi - new Michigan Law Review note

The newest issue of the Michigan Law Review has arrived, and within it is a very interesting note on the intersection of the federal wiretap act and wi-fi sniffing. It's a topic we have touched upon here a few times, and I think the article does a good job of highlighting the uncertainty in the area. Indeed, that word is used in the abstract. The article, by Mani Potnuru, can be reached here: Limits of the Federal Wiretap Act’s Ability to Protect Against Wi-Fi Sniffing, and the abstract is below:
Adoption of Wi-Fi wireless technology continues to see explosive growth. However, many users still operate their home Wi-Fi networks in unsecured mode or use publicly available unsecured Wi-Fi networks, thus exposing their communications to the dangers of "packet sniffing," a technique used for eavesdropping on a network. Some have argued that communications over unsecured Wi-Fi networks are "readily accessible to the general public" and that such communications are therefore excluded from the broad protections of the Federal Wiretap Act against intentional interception of electronic communications.
This Note examines the Federal Wiretap Act and argues that the current Act's treatment of Wi-Fi sniffing might protect unsecured Wi-Fi communications under some circumstances, but that any such protections are incidental, unsystematic, and uncertain. This Note further argues that the current statute's "readily accessible to the general public" language should be interpreted in a way that addresses concerns about Wi-Fi sniffing and users' expectations of privacy. Users' current expectations stem from their limited understanding of the underlying Wi-Fi technology and the accompanying security risks and, more importantly, from the fact that private communications cannot be intercepted without specialized tools and knowledge not readily available to the general public. Finally, this Note advocates for amending the Federal Wiretap Act to remove uncertainty regarding protections against Wi-Fi sniffing. Clear protections against Wi-Fi sniffing would avoid the private and social cost of data theft resulting from sniffing and could close the gap between users' theoretical ability to protect themselves by using security mechanisms and their reduced practical ability to take any such protective measures.

Friday, October 5, 2012

FTC decision puts spy software manufacturers on notice

The Federal Trade Commission recently settled with several companies regarding software that allowed the companies to spy on the computer's users by capturing screenshots, logging keystrokes, and taking pictures through the computer's webcam. The software was used by rent-to-own companies to track buyers when they became delinquent on payments. In addition to the rent-to-own companies, the FTC complaint also included the software manufacturer, Designware.

The software, PC Rental Agent, was installed on an estimated 420,000 computers in the United States, Canada, and Australia and marketed exclusively to businesses who rent computer equipment. The manufacturer recommended that companies notify customers of the software, but it was not required, and users could not detect the software's presence on their own.

In their complaint, the FTC argued that the software's "collection and disclosure to third parties of private and confidential information about consumers, including both those who rented the computer and those who are merely using it, causes or is likely to cause substantial harm to consumers." As the manufacturer provided the means for the rental companies to engage in "unfair acts or practices," they had violated the FTC Act. It is the mission of the FTC "[t]o prevent business practices that are anticompetitive, deceptive, or unfair to consumers."

The settlement between Designware and the FTC prohibits the company from continuing to license or sell the software. This order is what one of this blog's readers calls the "biggest unfairness decision in the history of the FTC" because it extends not only to a direct business practice but also to the licensing of software the FTC deems "unfair."

Software manufacturers have been creating similar spying software for a long time, and this decision is likely to have put them on notice that the FTC's tolerance for the genre is soon to end. Of course, the FTC's authority would only extend to a business that is using the software to track consumers; thus, consumer or business-to-employee use would not be under their authority. However, the creation of software that is sold to a business in order to track a consumer could bring the creator under the wrath of the FTC.

Designware, which did not admit fault in the settlement, has filed for bankruptcy. The filing lists the Florida and California AG's offices as creditors, suggesting those offices may be considering further legal action.

Related Links:
News Release

Wednesday, October 3, 2012

Analysis of Fifth Circuit CSLI oral argument: Government likely to win on Fourth Amendment issue

The Fifth Circuit heard oral argument yesterday on the oft-discussed cell site data case. The Fives are the second federal court of appeals to consider this issue; the Third Circuit addressed cell site data in relation to the Fourth Amendment in 2010.

The issues presented in this case are two-fold: first, whether the Constitution requires a warrant based on probable cause (rather than a court order issued under a lesser standard provided by § 2703(d) of the Stored Communications Act) when the Government wants cell phone providers to turn over data showing the location of the cell phone. In other words, the issue is whether the Government needs to have probable cause to turn cell phones into semi-specific tracking devices. The second issue is, assuming that cell site data is not protected by the Fourth Amendment, whether the magistrate judge has discretion to deny the Government’s § 2703(d) application for this data and insist upon a showing of probable cause.

The argument in this case was an hour long, much longer than the customary forty minutes usually allotted to parties arguing before the Fifth Circuit. The extra time may have been a result of the truly bizarre procedural posture of this case. According to the Government, it presented “specific and articulable facts” pursuant to § 2703(d) of the Stored Communications Act that the cell phone numbers of three people were pertinent to criminal investigations. The magistrate judge, however, never granted or denied the Government’s § 2703(d) applications; and, instead, ruled that this data was protected by the Fourth Amendment and that the Government needed probable cause to obtain it. Thus, the Government’s argument was presented by Nathan Judish, an attorney from the Department of Justice. There was no traditional appellee represented at oral argument; the people whose cell site data the Government was trying to obtain are anonymous, so there was no one with a direct, personal interest in the outcome of this case advocating for Fourth Amendment protection. Instead, Professor Susan Freiwald and Hanni Fakhoury (EFF) presented the arguments of the “Fourth Amendment and the people,” whatever that means.

The three-judge panel appointed to hear oral arguments consisted of Fifth Circuit Judges Thomas Reavley, Edith Clement, and James Dennis. Interestingly enough, this was a liberal-majority panel in a notoriously conservative circuit. Judge Reavley was appointed by the Carter administration, and Judge Dennis was appointed by the Clinton administration. A liberal-majority panel on the Fifth Circuit is like the Loch Ness Monster: there are reports of people seeing it happen, but I have always figured that it was a myth propagated by circus conductors and the ACLU.

When I saw the membership of the panel, my first instinct was that the panel would render a 2-1 decision holding that cell site data is protected by the Fourth Amendment. I figured that Judges Reavley and Dennis would make up the majority, and Judge Clement would be the lone dissenter. After hearing oral argument, I do not think my prediction could be more wrong. I think the majority of the panel will hold that this data is not protected by the Fourth Amendment, with Judge Reavley (and possibly Judge Dennis) siding with Judge Clement.

Why do I think this?

First, the judges struggled to understand the technology. When I read the briefs, I was astounded that they were not written with the understanding that these judges were not going to have an innate understanding of rather complicated cell phone technology. The judges on the panel ranged in age from sixty-four to ninety-one. I think it is safe to assume that they know how to use a cell phone, or at least, they have seen one of their law clerks use a cell phone at some point. Any imputed knowledge beyond that, i.e., the definition of a femtocell, is ludicrous. A number of the panel’s questions were geared toward trying to understand basic cell site technology, and I can see why. The Government’s brief does not define “cell site data” until page seven. Then, once you get to page seven, the Government defines cell site data as “the antenna tower and sector to which the cell phone sends its signal.” Now, imagine you are speaking to your grandmother and that is how you explain the concept of cell site data to her. Is she going to have any idea what you are talking about? I think not. I would offer the non-scientific estimate that at least a third of the questions during oral argument related to the basic tenets of the technology involved. These questions should have been addressed within the first five pages of the parties’ briefs; yet I doubt whether the panel understands the technology and the type of information being produced, even after oral argument. Ultimately, the real shortcoming is on the amici who were trying to convince the court that revelation of this data to the Government amounted to a significant intrusion into privacy. If the court cannot understand how cell phone technology works and why consumers have a privacy interest in this data, the Fifth Circuit cannot hold that cell site data is protected by the Fourth Amendment.

Second, there was no definite explanation about what kind of data would be produced as a result of these § 2703(d) applications. Judge Reavley told the parties, “It is critical to know exactly what information is being obtained in these . . . cases.” Yet, he received two different answers during oral argument. The Government mumbled something about call-times and cell phone towers; Professor Susan Freiwald and Hanni Fakhoury painted a picture that was positively Orwellian with the Government determining location of the cell phone within fifty feet, even when the cell phone was turned off. It is clear that the court did not have access to the § 2703(d) applications prior to oral argument and has no understanding whatsoever what type of data will be revealed if the applications are granted. Perhaps things will be clearer after an over-worked, under-paid law clerk receives the applications along with the case record after oral argument. But, as of oral argument, it is clear that only the Government was privy to this information, and the Department of Justice was less than forthcoming.

Third, the panel asked no questions during the time the parties were discussing the Fourth Amendment. This generally indicates a lack of interest. Also, Judge Reavley stated during oral argument, “I just don’t see us announcing a law that you have to have a probable cause showing from a magistrate under this statute. Period.”

One thing I found very interesting about argument was the judges’ constant questions to the parties about how they can avoid the Fourth Amendment issue altogether. Judge Clement raised a very good point during oral argument asking the Government whether the issue in the case was moot. The Government filed these § 2703(d) applications in 2010. Although the Government’s attorney assured the court that the criminal investigations were ongoing, I think Judge Clement found this doubtful. To my knowledge, however, the Fifth Circuit has no way of assuring that this case is not moot, and that the Government is still pursuing these criminal investigations. Ultimately, the Fives’ continued jurisdiction over this matter rests upon the Government’s pinky swear that these criminal investigations abide. Oy vey.

Although the Government is likely to win the Fourth Amendment argument, I think the Fifth Circuit will hold that it is within a magistrate judge’s discretion to reject an application for cell site location information which would therefore impose a probable cause requirement to obtain the data. This is the result reached by the Third Circuit, and the judges seemed hesitant to create a circuit split.

So, my trepidatious prediction, based on oral argument, is that the parties will split the baby: cell site data, at least in its current iteration, is not protected by the Fourth Amendment, but there are certain situations where a magistrate judge can insist upon a showing of probable cause when considering a § 2703(d) application. If the case does reach the Fourth Amendment issue, I would not be surprised if there are some subsequent rumblings about an en banc vote.

Cybercrime Review welcomes Marielle Dirkx as guest writer

I am proud to welcome Mariëlle Dirkx as a guest writer for Cybercrime Review. Mariëlle, a former Fifth Circuit clerk, will join us from time to time to write about cybercrime issues including her post today on the Fifth Circuit's CSLI case.

Mariëlle graduated valedictorian of her class at the University of Mississippi School of Law and received a certificate in criminal law. During law school, she served on the Mississippi Law Journal and the Journal of Space Law and published on subjects as diverse as space-law contracts and Title IX. Her interest in cybercrime results from an internship she did with the National Association of Attorneys General and her law school coursework. After graduation, she clerked for the Honorable E. Grady Jolly on the United States Court of Appeals for the Fifth Circuit, and, currently, she is working on an appellate project at the Innocence Project. Mariëlle is licensed to practice law in both Mississippi and Tennessee.

Tuesday, October 2, 2012

Oral argument posted in Fifth Circuit cell site case

Below is a link to the oral arguments in the Fifth Circuit cell site location information case I blogged about on Monday. Arguments were presented by Nathan Judish from the DOJ, Professor Susan Freiwald, and Hanni Fakhoury of the EFF. We'll have analysis of the arguments soon.

Map shows cyber attacks in real-time

Be sure to check out this real-time map that shows cyber attacks throughout the world. Red dots represent the location of attackers, and a ticker at the bottom lets you see their location and IP address.

The data is collected by The Honeynet Project whose mission is "[t]o learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned."

Monday, October 1, 2012

Fifth Circuit to hear cell site data case Tuesday

Tomorrow, the Fifth Circuit will hold oral arguments for its much anticipated case on cell site location information. A magistrate judge denied the government's 2703(d) request for 60 days of location data, holding that a search warrant was needed. The district court judge agreed, and the government appealed.

The predominant issue in the case is whether CSLI is protected by the Stored Communications Act alone or also by the Fourth Amendment. If it's only the former, law enforcement need only show "specific and articulable facts," rather than the higher standard of probable cause required by the Fourth Amendment. Because, the government argues, the data is held by a third party, the Fourth Amendment does not apply.

The case is In Re: Application of the United States of America for Historical Cell Site Data (No. 11-20884).

Here's a list of court filings in the case:
And here are commentary links on the case:
I'll post a link to the oral argument once the recording is available.