Monday, December 31, 2012

Featured Paper: Quis Custodiet Ipsos Custodes?

I'd like to highlight a new student paper by Craig Roush, a law student at Marquette University Law School. The full title is: Quis Custodiet Ipsos Custodes? Limits on Widespread Surveillance and Intelligence Gathering By Local Law Enforcement After 9/11. Craig analyzes the changes in intelligence and surveillance gathering after 9/11 and in particular, the way in which local law enforcement has become intricately involved in the process. He goes on to identify the implications of such practices on civil liberties, and concludes by offering suggestions for protecting civil liberties through legislative methods. I've read a lot of student papers while on law review (this is my 3rd year), and I have no problem saying this is one of the best papers I have read. The abstract is below:
In the decade since the terrorist attacks of September 11, 2001, local law enforcement has become the front line in the nation’s counterterrorism strategy. This involvement has not come without controversy. As part of these counterterrorism efforts, police departments have begun to establish widespread surveillance and intelligence-gathering networks to monitor Muslim and other ethnic neighborhoods in the hopes of stopping the next terrorist attack at its source. Such surveillance does not necessarily run afoul of the Constitution, and both our political environment—in which voters demand that the government stop terrorism at all costs—as well as unprecedented levels of federal funding to fight terrorism have made these surveillance programs an attractive option for local law enforcement. But the same programs risk compromising citizens’ civil liberties and damaging police relationships with ethnic communities. This Comment analyzes whether and how a balance might be struck between national security and individual civil liberties interests, and offers a model statutory solution drawn from police surveillance in a non-terrorism- related context as one possible way forward.

11th Circuit finds reasonable a 25-day delay in submitting warrant application to search computer

In United States v. Laist, the Eleventh Circuit held that a government delay of 25 days from the defendant's revocation of consent to search a computer until a search warrant application was submitted did not violate the Fourth Amendment.

The distribution of child pornography was tracked to the defendant's home, and law enforcement went to search. Upon arrival, the defendant admitted to possession of child pornography and signed a consent form allowing the search and seizure of his computer. A week later, the defendant withdrew his consent by letter. The search warrant application was submitted 25 days later, and the application was approved six days after submission. The defendant was ultimately convicted of multiple child pornography related crimes.

At trial and again on appeal, the defendant argued that the evidence should have been suppressed because the 25-day delay was an unreasonable seizure under the Fourth Amendment. "Laist argued that he had a substantial possessory interest in the items; that after he revoked his consent to their search, the FBI continued to hold them only on the basis of probable cause; and that the subsequent delay in obtaining a search warrant was unreasonable and therefore violated his Fourth Amendment rights."

The Eleventh Circuit disagreed, holding that although the interference with the defendant's possession was "not insubstantial," it was diminished as he had been given the opportunity to copy documents he needed for school off the computer prior to the seizure, and he had admitted to possession of child pornography and shown such an image to law enforcement. Nonetheless, the government was still required to "diligently obtain[] a warrant," which the Eleventh determined happened in this case. The 25-day delay was reasonable due to the amount of time needed to prepare the warrant and how busy the office was at the time.
The government's efforts here were sufficiently diligent to pass muster under the Fourth Amendment. While a 25-day seizure based solely on probable cause is far from ideal, and we have found shorter delays unreasonable under different circumstances, see Mitchell, 565 F.3d at 1352 (21-day delay), the totality of the circumstances in this case demonstrate the reasonableness of the government's actions.

Friday, December 28, 2012

$299 software allows decryption of volumes with FireWire attack or the computer's hibernation or memory dump file

Software developer Elcomsoft has released a $299 software package claiming to be able to decrypt BitLocker, PGP, and TrueCrypt volumes. The software is able to obtain encryption keys from the computer's hibernation file or memory dump file and can also perform a FireWire attack if the encrypted volume is mounted.

Here's their description of how the keys are obtained:
Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.
If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.
If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition....
Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump.... Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.
This is nothing new but is simply a easy way to hack a well-known flaw. In order to properly protect your encrypted system when you're away from it, you simply cannot use sleep or hibernate mode on your computer.

ElcomSoft, based in Moscow, "helps law enforcement, military, and intelligence agencies in criminal investigations with its wide range of computer forensics products."

Thursday, December 27, 2012

Vermont Supreme Court upholds search warrant conditions requiring screening in computer search

The Vermont Supreme Court has held that a judge may attach ex ante conditions to a search warrant in an attempt to protect privacy of those searched. The judge issuing the warrant had specified that a search of electronic devices had to be conducted through a third party and restricted evidence of crimes unrelated to the specified crime of identity theft from being shared with investigators. The court did, however, strike down a condition prohibiting the use of the plain view doctrine. In re Application for Search Warrant (2010-479), 2012 VT 102.

An IP address obtained during an identity theft investigation led police to a Vermont address. The resident had set up an unsecured wireless network, and after the resident gave law enforcement permission to access it, the officer determined that a neighbor had accessed the network several times over the previous month. An application was made to search the address, and it was noted that several people lived at the address. The judge granted the search, but placed several restrictions on it including one forbidding police form relying on the plain view doctrine and another requiring a third party to perform a search of computers and forbidding them from sharing evidence of other crimes with investigators or prosecutors. The state filed a motion with the Vermont Supreme Court to have the restrictions removed.

The court held that the plain view doctrine restriction was inappropriate. The later requirements related to the sharing of other evidence removed the need for the provision. But further, "it is beyond the authority of a judicial officer issuing a warrant to abrogate a legal doctrine in this way."

With regard to the requirement of a third party to search the computers and withhold evidence of other crimes from investigators, the court upheld the restriction, finding that the broad search request coupled with "a legitimate privacy interest" allows a judge to provide "instructions on how a search will be conducted."

The court also upheld limitations on techniques of the search as well as instructions concerning "the copying, return, and destruction" of the property acquired in the search.

A concurring and dissenting opinion by Justice Burgess argued that the use of a third party to screen the evidence "does not protect actual privilege or privacy, does not further a Fourth Amendment privacy interest, and does not lend further particularity to the search."

Read Professor Kerr's analysis of the decision here and his 2010 article on the issue here.

Wednesday, December 26, 2012

Fifth Circuit strikes down Mississippi law making "non-harmful" caller ID spoofing illegal

In Teltech Systems, Inc. v. Bryant, No. 12-60027 (5th Cir. 2012), the Fifth Circuit held that a Mississippi law making it illegal to spoof caller ID information was preempted by a federal law which only made spoofing for harmful purposes illegal.

In 2010, Mississippi enacted the Caller ID Anti-Spoofing Act which made it a misdemeanor for a person to spoof the identity or phone number of a caller. A federal law enacted later that year made it illegal to spoof such information "with the intent to defraud, cause harm, or wrongfully obtain anything of value." 47 U.S.C. § 227(e)(1). Thus, the Mississippi law prohibits all spoofing, but the federal law prohibits only harmful spoofing. The plaintiffs argued that Congress therefore intended to protect "non-harmful spoofing." Looking at the legislative history of the federal statute, the court agreed, finding that Congress intended to protect legitimate spoofing.

Many websites and smartphone apps allow users to spoof caller information. Many such apps also allow the user to disguise their voice and record the phone conversation.

Jones II: District court holds that SCA's lack of suppression remedy and the good faith exception allows admission of CSLI

In the continuing saga of the case against Antoine Jones, the DC district court has held that the use of Jones's cell site location information does not violate the Fourth Amendment. United States v. Jones, No. 05-0386 (D.D.C. 2012). In January, the Supreme Court ruled that location information acquired as a result of law enforcement placing a GPS device on Jones's car could not be used at trial as it violated the Fourth Amendment.

During the initial investigation, law enforcement obtained both GPS data and cell site data but only sought to use the GPS data at trial. After the Supreme Court's determination that such data could not be used, the government sought to have CSLI introduced at Jones's retrial. The four months of cell site information had been obtained from Cingular Wireless under a 2703(d) order pursuant to the Stored Communications Act in 2005.

Jones's first motion to suppress argument was that prospective CSLI data (that which is acquired by the phone company after the order is issued rather than seeking "historical" data already obtained) cannot be obtained under the SCA without probable cause. The court held that a majority of courts have agreed, but the argument is irrelevant because the SCA does not provide a suppression remedy. Thus, regardless of a successful argument, the data would still be admissible under the SCA.

Of course, Jones's second argument was under the Fourth Amendment, which if successful would allow for suppression. The court thoroughly examined the different approaches for analyzing the Fourth Amendment's application to orders to obtain CSLI. However, the court declined to decide the issue, finding that the good-faith exception would apply, reasoning that at the time the order was obtained, the officers had no way of knowing how future courts would rule on prospective CSLI, and even today, the issue is not settled.

Thursday, December 20, 2012

Maryland appellate court applies good faith exception to GPS use because of prior adoption of Knotts rationale

The Court of Special Appeals of Maryland recently held that the good faith exception to the exclusionary rule from Davis applies to pre-Jones GPS use because of the state's adoption of the Supreme Court's decision in Knotts. Kelly v. State, Nos. 2479 & 2679 (Md. Ct. Spec. App. 2012). In case you're in need of a criminal procedure refresher, I'll go over what all of that means.

First, we know that the Fourth Amendment generally requires a probable cause search warrant in order to conduct a search. Thus, we have to know what is considered a "search." In 1983, the Supreme Court decided United States v. Knotts, in which police placed a beeper device in a container which was later given to the defendant and used to track his location. This act, according to the Court, was not a search.

The Knotts opinion has been applied to other technologies including global positioning systems (GPS). As law enforcement began using GPS devices on vehicles without search warrants, courts readily okayed the act, finding that it was not a Fourth Amendment act. Until the DC Circuit decided this issue in Maynard, each circuit deciding the issue had held that GPS use was not a search. The Supreme Court took the issue in United States v. Jones and held in January 2012 that it was, in fact, a search.

One of the issues that has developed from the Jones decision is whether GPS use prior to the Jones decision violates the Fourth Amendment. This is where things get a little more complicated.

Violations of the basic constitutional rule that searches require search warrants often results in any evidence acquired as a result of the violation to be excluded from trial under the exclusionary rule. However, there are several rules that allow for the evidence to be used regardless - one of them known as the good faith exception. There are several ways that the exception applies - one of them decided by the Supreme Court in Davis v. United States, which held that when there is "binding appellate precedent" that made it legal for law enforcement to do what it did, the evidence will be admissible.

Therefore, applying Davis, law enforcement in the Ninth Circuit could use GPS devices to track suspects prior to Jones because they had binding appellate precedent. Some courts have applied the principle more loosely, holding that a general consensus across the country allows the good faith exception to apply. Conversely, many courts have held that the exception does not apply because no appellate court had addressed the GPS issue. (There are exceptions to each of these and other decisions, too.)

Now, back to the Maryland case. Maryland didn't have binding precedent on GPS use specifically. The Court of Special Appeals didn't take the general consensus approach, but instead took one substantially more broad. Because, the court reasoned, the state "had recognized and applied the rationale of Knotts, the good faith exception would apply. As the court understood it, Davis "does not require there to be a prior appellate case directly on point, i.e., factually the same as the police conduct in question."

Federal courts in the Eleventh Circuit have held similarly, applying a 1981 beeper case.

Wednesday, December 19, 2012

WI Governor calls for GPS tracking of individuals with domestic violence restraining order against them

Since we talk a lot about GPS tracking, I thought this was an interesting proposal. As the article states, the recent Azana Salon shooting here in Wisconsin was committed by an estranged husband with a domestic violence restraining order in place. With the rash of recent shootings here in Wisconsin (Azana Salon and Sikh temple shooting), as well as the tragedy in Newtown, it appears politicians have been compelled to act. The question always remains, does the legislation or proposal alleviate the issue it is trying to achieve, or is it an overreaction to the current social and political environment.

In this case, I'm not sure that having a GPS monitor on the Azana Salon shooter's leg (or wherever) would have prevented the shooting - by the time an alert went out, he would have likely been already done shooting. Additionally, to provide notification to potential victims that an individual is getting near to them, the person who sought the restraining order would need to be constantly tracked as well. I'm sure there are a variety of ways of achieving this that might be less intrusive to either party, but the practical realities have yet to be seen. The bigger question is - does a restraining order against you trump your Fourth Amendment rights. And because you do not have to actually commit a crime to have a restraining order against you, is there sufficient justification on the say of another person, alone, to allow such monitoring. Perhaps it would only be allowed for individuals who actually committed a DV related crime.

Scott Walker states, in the article that:
Nothing's foolproof, so I'm cautious to say anything would prevent anything for sure," he said. "But in the case of Brookfield, if that guy had a bracelet on, she got a text or a phone (call) to say he was close . . . and (she) immediately called the police, you can't guarantee anything, but I don't think it's a leap of assumption to say they might have arrived fairly rapidly and potentially would have prevented him from gaining access or at least from attacking as many people as he did.
Very interesting, and I'm interested to see how this plays out.

The article can be found here: Walker: GPS monitoring needed for those with restraining orders

Tuesday, December 18, 2012

WSJ releases study of website user data sharing with third parties

The Wall Street Journal has compiled a list of 70 popular American websites that require registration and analyzed them based on how they share user data. For each entry, they report whether the user's e-mail address, name, username, age, and zip code are shared and to which website(s) that information is given. Each entry also contains a response from the website as well as the recipient websites if they company responded to the WSJ's inquiry.

In the study, they learned that the Wall Street Journal itself was sharing e-mail addresses and names with four companies, and users' ages or birth years with nine. In response to the investigation, the newspaper noted that many of these transmissions were done in error, and the company "is working to close that hole."

Two years ago, the Journal released a similar study related to data shared by mobile apps.

Eighth Circuit holds testimony that adults rarely seek actual minors online can be impeached, affirms conviction

In United States v. Grauer, No. 11-3852 (8th Cir. 2012), the Eighth Circuit affirmed the conviction of a man for enticement of a minor and possession of child pornography over multiple arguments from the defendant.

As part of an ICAC investigation, an Iowa deputy sheriff, pretending to be a 14-year-old girl, engaged in multiple instant messaging conversations with the defendant. The conversations were often of a sexual nature and involved the defendant sending pornography to the "girl," and the two ultimately decided to meet. The defendant was arrested, his home searched, and child pornography found. Charges for the child pornography possession and attempted enticement of a minor followed, and he was convicted.

At trial, the defense presented a witness who argued that adults often used chat rooms to engage in "age-play" online, where one of the participants pretends to be a "schoolgirl," but both are actually adults. As such, it was likely that the defendant actually believed the 14-year-old girl was an adult (he actually lied about his age - saying he was 49 rather than his actual age of 58). The doctor-witness testified that "it's either rare or nonexistent" for adults to actually seek minors online. The prosecutor then asked the witness if he was aware of multiple cases involving that activity, and he acknowledged hearing of them. The first wasn't objected to, the defense objected to the second and it was overruled, and an objection to a third and fourth case were sustained. On appeal, the defendant argued the questioning was improper and intended to inflame the jury, but the court disagreed as it was necessary to disprove the assertion.

The defendant also argued that the evidence presented on the child pornography charges was insufficient because "the government presented no evidence as to how the images came to be on his computer or when they were accessed." However, at trial, the defendant's wife testified that the laptop was used in his home office and "that no one else used his laptop regularly." Evidence was also shown that the multiple images were stored on folders created manually on the computer, and several of them had been sent over instant messaging to the "girl." As such, the Eighth Circuit found the evidence to be sufficient.

A sentencing enhancement was applied for "misrepresentation[s] ... made with the intent to persuade, induce ... the travel of, a minor to engage in prohibited sexual conduct." The defendant argued that despite his misrepresentations of his name and age, it was not made with the requisite intent. However, the Eighth affirmed the application of the enhancement, finding that the district court "was in the best position" to decide the issue, and it "was [not] clearly erroneous."

Monday, December 17, 2012

Anonymous announces plans to "destroy" Westboro Baptist, releases personal contact information for members

Hacktivist group Anonymous announced today the start of an attack on Westboro Baptist Church with the release of e-mail addresses, phone numbers, home addresses, and more for over fifty of the church's members. The announcement is in response to Westboro's announced plans to picket funerals in the wake of Friday's school shooting in Newtown, Connecticut.

In a video released along with the contact information, the group announced:
Since your one-dimensional thought protocol will conform not to any modern logic, we will not debate, argue, or attempt to reason with you. Instead, we have unanimously deemed your organization to be harmful to the population of The United States of America and have therefore decided to execute an agenda of action which will progressively dismantle your institution of deceitful pretext and extreme bias and cease when your zealotry runs dry. We recognize you as serious opponents and do not expect our campaign to terminate in a short period of time. Attrition is our weapon, and we will waste no time, money, effort, and enjoyment in tearing your resolve into pieces as with exposing the incongruity of your distorted faith.

What are your thoughts? Is Anonymous's release of personal contact information justified? Or should Westboro's free speech rights protect them from such privacy violations?

Thursday, December 13, 2012

Fifth Circuit surprises no one with decision that accessing another's text messages on their cell phone doesn't violate SCA

In Garcia v. City of Loredo, Texas, No. 11-41118 (5th Cir. 2012), the Fifth Circuit held that a person accessing text messages and images on the cell phone of another does not violate the Stored Communications Act (SCA). Those of you who have ever studied the SCA are certainly not surprised.

Garcia worked as a police dispatcher, and the wife of a coworker took Garcia's phone from her locker at work. After finding text messages and photos that showed department policy violations, the coworker's wife set up a meeting with the deputy assistant city manager and the interim police chief. The images and texts were shown, the videos were copied off of the phone, and Garcia was fired. Garcia later filed suit, and summary judgement was granted with regard to her SCA claim.

Her argument before the Fifth Circuit was that her cell phone was a "'facility' in which electronic communication is kept in electronic storage in the form of text messages and pictures stored on the cell phone." The Fifth cited a variety of district court cases, a law journal article by Professor Kerr, and the legislative history to back up its holding that devices such as cell phones are not facilities under the act.

The court also held that even if the cell phone was a "facility," the text messages and images certainly do not fit into the SCA's definition of "electronic storage." A common sense definition might make one think that would be the case, but we are, of course, dealing with statutes. Under the SCA, data is only in electronic storage when it "has been stored by an electronic communication service provider." If you want to know what that means, click here.

Thus, the Fifth affirmed the district court's grant of summary judgment, dismissing Garcia's SCA claim.

Tuesday, December 11, 2012

FBI job applicant fails polygraph, admits to CP possession, and asks if it would slow his application. It did.

Working for the Federal Bureau of Investigation is a dream of many Americans. The famed agency has - rather understandably - a difficult hiring process including a polygraph. I'm assuming questions concern possible crimes the job candidate has committed as well as generally making sure they are not a threat to national security.

When Dominick Pelletier appeared for a job interview with the FBI, he was escorted to the polygraph room where the types of questions were explained to him. Pelletier became nervous about the potential for questions about sex crimes as he had done research on child pornography in a different country. He was assured that the questions would only concern whether he possessed or distributed child pornography, and the test was administered.

Much to his dismay, he failed the polygraph. Explaining the situation, he said that he had seen child pornography images as part of his research. The FBI agent remained calm, and Pelletier continued to think he was in consideration for the position. FBI agents continued to ask him questions, and he admitted to possession of "child erotica" at home.

After refusing to allow FBI to accompany him to his home, Pelletier ultimately signed a consent form after being told they would just get a search warrant anyway. He remained at the office, never asked to leave or to speak with an attorney, and apparently still thought he would be considered for the job. Unfortunately for him, he didn't get the job, and more than 600 images of child pornography were found on his computer.

Pelletier was ultimately convicted of possession, and he appealed, arguing that "he was entitled to Miranda warnings and did not receive them" and that his consent to search was involuntary.

The Seventh Circuit held that Miranda rights were not necessary as Pelletier was not in custody. The lengthy time at the office, encounters with armed agents, and security measures were all a part of the job application process - and were not a result of his suspected criminal activity. "Pelletier was friendly and talkative throughout the day ... and asked at the end of the interview whether his possession of child pornography would slow his job application process."

The court also did not address the consent issue as they determined probable cause allowed for a search warrant which protects the evidence under the inevitable discovery doctrine.

As a side note, it is always a pleasure to read a Seventh Circuit opinion. Judge Kanne began the opinion:
Federal investigative agents will tell you that some cases are hard to solve. Some cases require years of effort—chasing down false leads and reigning in flighty witnesses. Others require painstaking scientific analysis, or weeks of poring over financial records for a hidden clue. And some cases are never solved at all—the right witness never comes forward, the right lead never pans out, or the right clue never turns up.
This is not one of those cases.
I'm always a little appreciative of a judge (and a clerk, of course) willing to be a little creative with their legal writing.

The case is United States v. Pelletier, No. 12-1274 (7th Cir. 2012).

Monday, December 10, 2012

Austrian Tor node operator's home searched in child pornography investigation

An Austrian man's home was recently and his computers seized in an investigation related to child pornography distribution. His involvement concerned the operation of Tor on his computer, which allowed others to hide their Internet activity by having their data encrypted and transmitted through others' computers.  Mr. Weber, likely to be charged with child pornography crimes, never actively possessed such files if this is true, though they may have been sent through his computer.

In the Tor network, files are transferred along a randomized path, ultimately becoming unencrypted at the last node just before making it to the intended destination. As such, it would appear to investigators as though the files actually originate from that exit node though the computer operator has no knowledge of the files or their content.

In a blog post, Weber explained that he runs Tor in order "to make it possible for the not so privileged folks to have uncensored access to the internet, without fear of government prosecution."

Firearms and marijuana were also found and taken after Weber was asked to open his safe and he complied.

Friday, December 7, 2012

Weindl: Why the court got it right, and the FBI agent/father shouldn't be viewed as a government agent

You'll have to forgive my co-blogger and me for turning our blog into a blog almost entirely about this Weindl case (United States v. Weindl, No. 1:12-CR-00017 (D.N.M.I. 2012), but as you're probably well-aware by now, it's an important case on the issues presented - and one likely to be appealed to the Ninth Circuit after the trial.

It's not often that Justin and I disagree. But in this case, while I find noble his attempt to argue for strengthened privacy rights under the Fourth Amendment, I cannot say that I find his reasoning compelling (see his previous posts here, here, and here). Justin argues that FBI Agent Auther left eBlaster on the computer intentionally because he suspected Weindl of "questionable activities," which apparently means that Auther knew that not only would Weindl fail to return the computer to the proper place, but that he would also watch child pornography on it. Perhaps Auther's training and experience gives him a sixth sense about such things, but it just doesn't seem likely. What is more likely is that he simply thought eBlaster had been deleted (after all, he did try to have all data removed twice), and he returned the computer as he was supposed to have done. Does law enforcement always comply with the Fourth Amendment? No. Does this seem like a case of an agent trying to circumvent the Fourth? Not really.

The issue that Justin and many others are raising and focusing on is the fact that Auther is an FBI agent. Yes, he is that, but he's also a parent, and as a parent, he should have the right to protect his children from content he doesn't think they should be viewing. That was his intent in installing eBlaster on the computer (unless it was an elaborate attempt to catch the principal beginning months before he even knew the computer would be returned). Who cares if he didn't own the computer? The school shouldn't be allowed to give students computers, and then tell parents that they're not allowed to attempt to prevent their children from viewing pornography, learn how to make meth, or whatever else kids do on computers nowadays. If Auther didn't want his son doing illicit activities, and this was the method he chose to make sure that didn't happen, then good for him. The point is that he didn't install it because he worked for the FBI nor did he install it for the purpose of wiretapping or searching Weindl's activities - he did it because he felt it was the best method for protecting his son.

So let's suppose Auther wasn't an FBI agent. "New Auther" is a grocery store manager, a father of three, happily married for 16 years. Semi-religious, and though not entirely opposed to the viewing of pornography, he thinks that his oldest son (in his mid-teens) is too young to be viewing it. He asks a co-worker what he can do, and the co-worker suggests eBlaster. He then downloads it and installs it on the computer where it sends him reports for the next few months. When New Auther is transferred to a grocery store in another state, he asks his computer friend/co-worker to remove all of his son's files. The co-worker is unsuccessful. He takes it to a computer store where they "reimage" it, making him think the computer has received a fresh start, free of eBlaster and everything else. He then returns the laptop to the school's principal, an acquaintance (not buddies, but something above Facebook friends). A couple weeks later, New Auther gets four eBlaster reports showing that the computer is now being used to view child pornography.

Those are essentially the same acts of real Auther, and those are the reports that the court refuses to suppress. After that point, Auther's actions do arguably cross the line into a government search. But those actions of a concerned parent that looked at the e-mails he received - those actions could have come from anyone - FBI agent or not. It is irrelevant that he opened all of the e-mails he received  - even if there were four of them. This was a mistake by someone who happens to also have a full-time job as a government agent, as opposed to a government agent who happens to make a mistake (and even that doesn't always warrant suppression thanks to good faith and other exceptions). This was not the case of Big Brother installing spyware on everyone's computers in order to capture our Internet activity (as if they actually need to go through that much trouble!).

Justin also argues that Weindl "certainly was not doing anything illegal." The computer loan program was a federally funded program to give students laptops for educational purposes. My guess is that under the terms of the grant, each laptop had to be accounted for at all times, and they probably are not allowed to just loan the computers out to anyone. By policy, they were only given to students and were never given to faculty. Anyone - especially the principal of the school - should have known that it went against the terms of the grant for a non-student to take possession of the laptop. My guess is that Weindl is smart enough to know that in taking possession of property purchased with federal government money and choosing to use it for personal purposes (especially viewing child pornography!), he's probably violating some sort of law for that possession.

There is something that my co-blogger and I agree on - I absolutely agree that the installation of eBlaster onto a person's computer without their knowledge and permission is a wiretap, in violation of the federal Wiretap Act. Where Justin and I would differ, however, is whether Auther's actions were intentional (as the Act requires). He thinks Auther intentionally left eBlaster on the computer in order to intercept Weindl's activity. I, however, would likely come down on the other side.

And... done. Are we finished talking about Weindl? Maybe.

Wednesday, December 5, 2012

Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

In this second post, I will explain my reasons for believing the court's reasoning in Weindl was flawed. The Weindl case, as a quick recap, involved a principal (Weindl) who was caught with child pornography after using a laptop assigned to the son of an FBI agent (Auther); the laptop was returned by Auther with spyware on it. For my original write-up of the facts of the case, see: Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression. I also wrote a quick follow-up post about the coverage and misinformation regarding the case after I wrote about it. That can be found here: Weindl - FBI agent spyware v. principal attracts attention and misinformation.

First, let me address the "smell test." It seems extremely odd that when Auther took the computer to the FBI and asked "fellow agents for advice on how to wipe it clean" they "tried to remove all the files but were unsuccessful." Two things: (1) the FBI investigates a significant number of "cyber" cases using forensics techniques to recover deleted files and search through hard drives, uncover steganography, and analyze complex network traffic. Yet, they can't wipe a hard drive - something that a simple Google search will tell you how to do? Also, (2) Auther paid for and installed the spyware, knew the "hot-keys" to access the information it collected, and set it up to email him reports. Yet, once again, he could not uninstall that program, the most cognizable change he made to a machine he did not own?

In addition, he took it to a computer store to wipe all of the files, with a service order showing "reimage" and "clean out files" as the work to be done. I accept that a local service may not have been aware of the spyware to look for it in the first place, but reimage means just that, start all over again.  And, more interestingly, Auther did not even mention that he installed spyware on the computer to the computer shop. Wouldn't that program be the first thing you would mention when cleaning up a computer?

Also, the court seemed to be quite deferential to Auther when it accepted the argument that he was more concerned about leaving than investigating the principal. Perhaps that is true, but is it not equally likely that he suspected the principal of questionable activities and, before leaving, wanted to confirm his suspicions? After all, the FBI agent did say that he was aware of the Sandusky case and that what happened at Penn State motivated some of his later actions. That coupled with the two-time failure to remove the spyware smells funny.

But lets assume that all of the facts are true - just as the court did. I find it questionable that the court omitted any discussion regarding the license agreement of eBlaster, which requires you to agree to "use [eBlaster] only on a computer you own," an agreement Auther clearly violated when he installed it on a school-loaned laptop. The court also breezes over the likelihood that Auther violated policies of the school or the PSS laptop loaner program. I point this out because Auther is permitted to walk all over policies and procedures carte blanche, but Weindl's use of the laptop in likely violation of the rules of the loaner program was sufficient to wipe out his expectation of privacy completely. More on that later.

I think one of the most glaring errors of the court is the reasoning that opening the first four emails was not a search and instead was inadvertent conduct not under the color of law.  First, the court found that the search was only the activity of the spyware program collecting the data, and did not include the person on the other end viewing that information. I am not convinced you can draw such a black and white line. The Fourth Amendment (and by proxy the protection of privacy) has been held to protect against the intrusion of the process of a search as well as the discovery of the information it provides. If the latter were not an aim, the Fourth Amendment would never have been extended outside of property notions, as it was in Katz.

Thus, Auther's decision to open an email with a subject line that clearly indicated the email regarded information collected after he had returned the PC should have been held a search. Moreover, knowledge that the email could not regard his own or his son's activity does not make opening the email inadvertent. The definition of inadvertent is: "not focusing the mind on a matter : inattentive." The case indeed indicated that Auther recognized that the emails were providing information they should not have been because he believed the program had been removed and the computer was no longer in his possession. An example is illustrative: If I move into a new house on Royal Avenue on Tuesday, and on Friday I get a package addressed to "our lifelong neighbors on Royal Avenue," opening that package would not be inadvertent. I clearly know that I do not constitute the "neighbor" the package was intended for, since I moved in three days prior. Auther's opening of the email is no different. The subject line contained prima facie evidence that it was not intended for him and arose from improper means. Thus, the only reason he could have to open it would be to pry.

I am willing to concede, however, that one might reasonably argue that opening the first email would be inadvertent. Maybe he wasn't paying attention to the subject line. But, after reading the first, he should have known something was awry. To open the other three emails, after reading the first, would indicate one very important thing: that he was now acting as an officer of the law because of the information the email contained (evidence of someone accessing child pornography). To go back to my example, if I opened the first package without paying particular attention to the address line that said "to our lifelong neighbors on Royal Avenue," it may be reasonable to say I was just careless (or it was inadvertent). However, if inside that box are pictures of a family that I don't know, then when three more packages arrive addressed the same way and similar in appearance, a reasonable person would not open them. They would instead return them to whomever delivered them. Or, in Auther's case, contact the principal or the PSS program and indicate that the spyware he installed without authorization from either the school program or the software author was in fact still installed and had generated an email to him. An interesting question raised by the case is: if the spyware email hadn't contained evidence of CP access, would he have called the school to raise the flag on the spyware? One would think so.

The last significant problem with the case is the court's decision to deny standing to Weindl on the reasonable expectation of privacy issue. The court stated:
Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.
Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. 
The court justifies the last paragraph on two reasonable expectation of privacy cases: one involving a stolen computer (Wong), and one involving a computer obtained by fraud (Caymen). The court then states that "Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer." I find the comparison to Wong and Caymen to be ill-advised. In both cases, the individual had either been convicted, or charged with obtaining the device by illegal means. Weindl did nothing of the sort, here. Additionally, in Caymen, where the defendant obtained the laptop by fraud, the court based its holding on cases from sister circuits regarding stolen cars. There is a theme here: stolen. Weindl did not steal, nor obtain anything by fraud. While he may not have had permission, he certainly was not doing anything illegal.

The Caymen court pointed out that a person who has stolen something lacks the property interests an owner has (the bundle of sticks) that define property ownership. Can the same be said for the laptop, here? Arguably, no. Weindl was permitted to have constructive possession of the laptop - something a thief would never have. Also, if the laptop had been stolen from the FBI agent's son and then recovered, it would likely have been returned to the principal (or someone under his authority). Granted, he lacked other property rights like the right to sell, but to analogize the computer to stolen property is off target.

Lastly, I believe the court was correct, technically, about the application of the Federal Wiretap Act: namely, that suppression is only for wire and aural communications in criminal cases. However, I find it fantastical to argue that placing spyware on an individual's computer isn't wiretapping. That the court had to cite to a 1978 case in support of this part of the holding is a clear illustration of the lack of coverage in this area. I hope that these facts present an opportunity for the 9th Circuit to directly address the issue and clarify that a "wire" communication should include such conduct. (Although maybe it is a legislative task, since to include what could be characterized as "electronic communications" within "wire communications" would arguably construe the civil portion of the law addressing "electronic communications" superfluous, something courts are reticent to do).

I am excited to see how the 9th Circuit handles this case. The facts of Weindl illustrate, as many other technologically centered cases do, the "play in the joints" of the law. And, with respect to the Wiretap Act, reflects the anachronistic nature of some federal statutes as applied to emerging technologies.

Tuesday, December 4, 2012

District court upholds CSLI order with erroneous phone number, finds defendant doesn't have standing

In United States v. Cannon, No. 6:11-cr-02302 (D.S.C. 2012), the court held that a typographical error did not violate an order for cell site data and that the defendant's failure to prove he had an interest in the phone removed his ability to challenge the search for lack of standing.

The defendant had been charged with multiple crimes related to the distribution of drugs. As part of the investigation, law enforcement obtained GPS data from his cell phone company. He filed a motion to suppress, arguing that the data was obtained in violation of his constitutional rights.

In challenging the use of the data, the defendant argued that the court order was invalid because it contained a phone number different than the one that information was provided for. The court found the argument to be without merit, holding, "Mere typographical errors do not undermine a finding of probable cause and do not invalidate a warrant." Because the correct number was used elsewhere, it was clear that it was a mistake.

The government argued that the defendant did not have standing because he was not the owner or authorized user of the phone. The defendant was unable to prove that he had any interest in the phone, and thus could not challenge any potential Fourth Amendment violation.

Monday, December 3, 2012

Weindl - FBI agent spyware v. principal attracts attention and misinformation

Since I wrote about United States v. Weindl on November 28th, Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression, the story was picked up by Kashmir Hill at Forbes (by way of Eric Goldman), An FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn Searches, and from there spread like wildfire to various other sites.

Today, Robert X. Cringely, on his Infoworld blog "Notes from the field" highlighted the story as well - School for scandal: FBI spyware nabs pervy principal. In the story, he states:
When spooks spy on their kids -- and happen to ensnare adults doing things they shouldn't -- isn't that illegal spying? I asked cyber lawyer Jonathan Ezor, Director of the Touro Law Center Institute for Business, Law and Technology in Islip, New York. 
Though Ezor cautioned that he is not a criminal attorney, he says Auther's discovery of Weindl's dark deeds probably falls under the "in plain sight" exception for evidence. If you open the door for the cops and they see a big pile of cocaine sitting on your coffee table, they have every right to break down the door, then seize you and the drugs, no warrant required. 
The more important issue, says Ezor, was what the feds told Weindl when they sat down with him in his office and whether they read him his rights. That might have a greater bearing on whether his Fourth Amendment rights were violated. 
On the other hand, Justin P. Webb of the CyberCrime Review blog says the court was wrong across the board (though he's saving his reasons why for a future blog post).
Two things:

(1) With all due respect to Jonathan Ezor, he clearly did not read the case. As I stated in my write-up, the court expressly dismissed the plain view exception to the warrant requirement. You cannot argue for plain view when you are somewhere you weren't authorized to be. Further, and as the case states specifically, Weindl was not read his rights" when [the the two FBI agents] sat down with him in his office." Most importantly: the significant implications of the case, which Weindl's attorney assured me will reach the the 9th Circuit, do not revolve around the interrogation, but the search.

(2) Cringely is correct to note that I believe the Weindl opinion was wrong across the board. While my post on that issue is not up yet, it will be within 48 hours.

Cal. Court: Sex offender registration for CP but not statutory rape does not violate Equal Protection

In People v. Gonzales, No. E054886 (Cal. Ct. App. 2012), the Court of Appeals of California held that it is not a violation of the Equal Protection clause to require sex offender registration for child pornographers but not statutory rapists.

The defendant pleaded guilty to possession of child pornography. The defendant had argued that the sex offender registration requirement violated the Equal Protection Clause because it did not require those convicted of statutory rape to register. The motion was denied during sentencing, and he was ordered to register.

On appeal, the defendant revived his argument:
Defendant argues that the present distinction between possession of child pornography and statutory rape is ... irrational, because a person who actually engages in voluntary sexual intercourse with a child is not subject to the mandatory registration requirement, yet a person who merely possesses a photo of that act is.
The court, predictably, shot down the argument, finding many significant differences. First, the fact that child pornography can be duplicated so easily makes it different because a statutory rape charge is "a single act" (each act should be brought as separate charges). Second, child pornography involves children of any age, but special crimes apply to sex with children under a certain age which do require sex offender registration. Finally, statutory rape is "characteristically voluntary on the part of the child." Therefore, in order for the Equal Protection Clause to apply, the defendant would have to show he is being treated differently from a person "who has committed the forcible rape of a child," which he has not shown.