Tuesday, April 30, 2013

Jury: School principal Weindl not guilty of CP charges; case arose after FBI agent left spyware on son's school laptop

From the Saipan Tribune (2/13/13): Weindl found not guilty:
A federal jury yesterday found former Whispering Palms School principal Thomas Weindl not guilty of charges of accessing child pornography websites using a Public School System-issued laptop.
For those unfamiliar with the case, here is my description from a previous post:
In United States v. Weindl, __ F.Supp __ (D. N.M.I. Nov. 20, 2012), a Northern Mariana Islands federal district court denied suppression of evidence obtained when spyware installed on a school-owned laptop (assigned to an FBI agent's son and later used by the principal) sent child pornography (CP) reports (alerts) to the FBI agent - evidence that led to charges against the school principal (two counts of receiving CP and two counts of possession of CP). There are three relevant issues in the case: (1) whether the act of "accidental" failure to remove the spyware resulted in an "inadvertent search" or an intentional one, (2) whether the FBI agent was acting under the color of law when he opened and later investigated the reports he received from the spyware, and (3) whether Weindl had standing to assert a reasonable expectation of privacy in the spyware reports.
I had a chance to speak via email with Weindl's attorney, David Banes, last night; Banes indicated that he believed the turning point in the case was the testimony of his computer expert. He also mentioned that "we were able to show that the alleged porn sites constantly changed content" making it hard for the prosecution to prove that what Weindl allegedly browsed and viewed (at time A) was the same content when the page was accessed (assumedly by prosecutors) to serve as a basis for the charges (and evidence at the trial) (at time B). Finally, Banes noted that the defense was able to put on convincing evidence that eBlaster reports are not designed to be used as forensic evidence.

My previous posts on the case can be found below:

11/28/2012 - Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression

12/3/2012 - Weindl - FBI agent spyware v. principal attracts attention and misinformation

12/5/2012 - Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

Jeffrey's differing take can be found here:

12/7/2012 - Weindl: Why the court got it right, and the FBI agent/father shouldn't be viewed as a government agent

Kashmir Hill at Forbes also wrote it up, here:

11/30/12 - An FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn Searches

Featured Paper: Cloud Computing Security and Privacy

Cloud computing has been viewed by many as the next inevitable step towards a more efficient system for information management and storage. However, as our dependence on cloud computing continues to grow, many have started to examine the privacy, security, and legal ramifications that such a system creates. The Center for Applied Cybersecurity Research (CACR), located at Indiana University, has recently released a new white paper, Cloud Computing Security and Privacy, that examines the privacy and security risks associated with cloud dependence, as well as what should be done to create more secure and sustainable cloud-computing systems. The white paper was authored by Drew Simshaw, former information security fellow at CACR and current project manager and policy analyst with the Center for Law, Ethics, and Applied Research (CLEAR) in Health Information. I highly recommend taking a look at this white paper if you are at all involved in cloud computing. The abstract appears below:
As the world’s data increase at unfathomable rates, individuals and organizations are seeking more convenient and cost effective ways to store and manage it. Many are turning to the cloud, recognizing its benefits, but failing to understand how it actually works. To confirm that cloud computing is no longer a fringe IT issue, one need look no further than President Obama’s re-election campaign, which was successful thanks in no small part to its utilization of Amazon’s cloud platform for a massive voter database. As cloud computing use continues to increase, security and privacy issues, as evidenced by recent events, should be considered so individuals and organizations can decide how best to store and manage their data. Although these events shed some light on measures that can be taken to reduce risk, they also demonstrate that bigger thinking is needed when it comes to improving security and privacy in the cloud. Therefore, as opportunity in the cloud expands and the stakes continue to rise, individuals, organizations, and cloud service providers must bear in mind the following security and privacy issues:
  • Creating a Bigger Target for Hackers
  • Government Access to Data in the Cloud
  • Data Access and Control in the Cloud
  • Cloud Service Outages and Human Error
  • Authentication
  • Encryption

In addition to being a guest author at Cybercrime Review, Andrew Proia is a research assistant to Professor Fred Cate, Director of the Center for Applied Cybersecurity Research. Andrew is also set to become a CACR Post-Doctoral fellow in information security law & policy later this year. All opinions expressed by the author are solely in his individual capacity.

Monday, April 29, 2013

District court finds CP restitution must be based on number of viewers rather than prior defendants

In United States v. Hollister, the district court held that a determination of restitution to child pornography victims requires the damages to be divided by a count of the total number of viewers of the images as opposed to the common divisor of total number of prior defendants. No. 12-40041 (D. Kan. 2013). The decision is based on the Tenth Circuit's decision earlier this month on the issue.

The defendant had been convicted of distribution of child pornography of the "Cindy," "Vicky," and "Jan-Feb" series of images. As is common with these images, the victims sought restitution from the defendant. (See prior discussions on CP restitution here).

In the Tenth Circuit, like all other circuits except the Fifth, the restitution statute is interpreted to require "a showing that a victim’s losses are proximately caused by the defendant’s conduct." However, unlike other circuits holding similarly, the Tenth recently specified an unusual way to make the calculation for restitution:
In certain situations dividing a victim’s total damages by the number of end-viewers of child pornography may be sufficient to satisfy a proximate cause standard. For instance, a district court may determine that the pool of a victim’s provable losses are roughly equally caused by multiple defendants. However, in this case the district court did not make factual findings as to whether the number of judgments was approximately equal to the number of end-users or whether Benoit caused approximately the same amount of damages as other end-users.
Here, the district court struggled with the Tenth's approach, which was at odds with a citation to a Ninth Circuit case referenced in the Tenth's decision. In order to make a calculation, the court reasoned, the government must show the total number of viewers of the images as opposed to just the total number of defendants. "[U]nder this approach, the number of viewers may be unknowable or so high that any given defendant’s share of the restitution would be meaningless."

Such a calculation does appear to be the best method for making a fair judgment of restitution, but as the district court reasoned, it makes "the determination of a divisor in the restitution calculation much more difficult."

However, because the victims did not provide information fulfilling the proximate cause requirement, the award of restitution was denied.

Thursday, April 25, 2013

Wisconsin federal court forbids forced production of decrypted data on Fifth Amendment grounds

The District Court for the Eastern District of Wisconsin held last week that compelled production of decrypted data violates the Fifth Amendment because it would require the suspect to admit to having access and control over the devices. In re The Decryption of a Seized Data Storage System, 13-M-449 (E.D. Wis. 2013).

The FBI seized 16 storage devices from the suspect, nine of which were encrypted. After four months of attempts to access the files, the government sought to force the suspect to "assist in the execution" of the search warrant by providing a decrypted copy of the files.

The predominant legal issue in such cases is the Fifth Amendment and whether or not the act of providing the decrypted files would be considered "testimonial." The issue has caused a split in district courts, but only the Eleventh Circuit has decided the issue at the appellate level, holding that forced production does violate the Fifth Amendment.

As distinguished from some other cases, the government here knew the encrypted drives contain files and had evidence to show that some of the filenames indicate they are images of child pornography. Further, the defendant has a computer science degree and works as a software developer, so he "may very well be capable of accessing the encrypted portions of the hard drives."

However, the deciding issue for the court was whether or not the suspect "has access to and control over the ... devices." Because he has not admitted to having access and control, he could not be compelled to provide the decrypted copy.

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity”—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.
Thus, the government's attempt to compel production of the files was denied. Visit our encryption label to read about related cases on encryption and compelled production.

Wednesday, April 24, 2013

Tuesday, April 23, 2013

6th Circuit declines to extend Warshak reasoning to P2P

In a recent unpublished opinion, the Sixth Circuit held that its 2010 opinion in Warshak should not be extended to provide a reasonable expectation of privacy for users sharing files over Limewire. United States v. Conner, No. 12-3210 (6th Cir. 2013).

The defendant was convicted of receipt and possession of child pornography after law enforcement tracked the sharing of child pornography images on Limewire to him. A sheriff's deputy had searched for file names associated with child pornography, and found the defendant's IP address sharing them over the peer-to-peer (P2P) network.

On appeal, the defendant argued that the Sixth Circuit's decision in United States v. Warshak made the "search" of his computer a violation of the Fourth Amendment. In Warshak, the Sixth held that it was a violation of the Fourth Amendment for the government to compel Warshak's ISP to produce his emails without obtaining a search warrant with a showing of probable cause. The e-mails were obtained under the Stored Communications Act, which the Sixth Circuit therefore declared unconstitutional as it relates to this issue.

As for the search conducted on Limewire in the present case, however, the Sixth didn't buy the defendant's argument. The issue was whether P2P sharing "is different in kind from e-mail," and the court decided it was:
Unlike these forms of communication, in which third parties have incidental access to the content of messages, computer programs like LimeWire are expressly designed to make files on a computer available for download by the public, including law enforcement. Peer-to-peer software users are not mere intermediaries, but the intended recipients of these files.
The defendant attempted to argue that he did not know the files would be publicly available, but the court also found that the record proved otherwise. He had made multiple attempts to keep the files private, but the court held that the failure only showed he was "ineffective at keeping [them] ... from being detected" and not that "he was unaware of a risk of being discovered."

Monday, April 22, 2013

Google Glass and the future of privacy

With the expected public release of Google Glass later this year, we must all be wondering about the product's potential effects on privacy. It will be worn similarly to eyeglasses and will provide users with picture, message, and navigation capabilities - just to mention a few.

Jan Chipchase, Executive Creative Director of Global Insights at Frog Design, recently wrote about the privacy considerations with technologies like Google Glass:
As a product that is both on-your-face and in-your-face, Glass is set to become a lightning rod for a wider discussion around what constitutes acceptable behavior in public and private spaces. The Glass debate has already started, but these are early days; each new iteration of hardware and functionality will trigger fresh convulsions. In the short term, Glass will trigger anger, name-calling, ridicule and the occasional bucket of thrown water (whether it’s ice water, I don’t know). In the medium term, as societal interaction with the product broadens, signs will appear in public spaces guiding mis/use and lawsuits will fly, while over the longer term, legislation will create boundaries that reflect some form of im/balance between individual, corporate and societal wants, needs and concerns.
Read similar articles from CNNTech, The Guardian, and TechNewsWorld.

Saturday, April 20, 2013

The CFAA on trial - the latest from the Nosal case on remand

Vanessa Blum from The Recorder has been covering the Nosal trial almost in its entirety. Her coverage has been fantastic, and can be found further below. We have also written extensively on the case for over a year. Our previous posts (for reference) can be found here:

9th Circuit Related Posts:

4/11/2012 - Jeffrey Brown, Ninth Circuit en banc adopts narrow reading of CFAA

4/16/2012 - Justin P. Webb, Why Nosal's dissent is surprisingly persuasive

Nosal on Remand Post:

3/13/2013 - Justin P. Webb, Nosal on remand - another reading of CFAA's "exceeds authorized access"; court denies motion to dismiss

Vanessa's ongoing coverage can be found here:

4/5/2013 - Amid Calls for Reform, a Rare Trial of Hacking Law

4/9/2013 - Lawyer Takes Stand in Hacking Case

4/15/2013 - Prosecutors Get Key Testimony From Ex-Lover in Hacking Trial

4/17/2013 - What Does 'Nosal' Mean for Nosal?

4/19/2013 - Korn/Ferry Hacking Case Sent to Jury

Friday, April 19, 2013

Three Virginia teens headed to trial for child pornography crimes for videos made on their cell phones

As the Washington Post reports, three Virginia high school students are being taken to trial for child pornography crimes due to cell phone videos they made during sex.
[Fairfax County Commonwealth’s Attorney Ray Morrogh] declined to discuss the Fairfax County case, but authorities have said two 16-year-olds and a 15-year-old from West Springfield High School were charged with possession and distribution of child pornography in January after they filmed themselves engaging in sex acts with at least six teenage girls. A source with Fairfax County schools said the videos were filmed surreptitiously....
Rodney G. Leffler, an attorney for one of the boys, has said that all of the sex acts were consensual and that the 10 videos at the heart of the case were filmed at parties at the teenagers’ homes beginning in December 2011. He said that all of the girls eventually learned that they were being filmed and that the boys shared the videos among themselves but did not distribute them widely. It is not clear whether the videos were texted, e-mailed or sent by other means.
If convicted, the teens face up to 20 years in prison.

District court holds that lost profits--due to fraudulent bids, not service interruption or degradation--constitute “loss” under the CFAA

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, continues to receive some uneven treatment by the courts. In Yoder & Frey Auctioneers, Inc. v. Equipmentfacts, LLC, No. 3:10 CV 1590, slip op. (N.D. Ohio Apr. 8, 2013), the United States District Court for the Northern District of Ohio ruled that a private claim under the CFAA could proceed even though the harm it alleged did not seem to flow directly from unauthorized access.

Background

The plaintiffs, Yoder & Frey, an equipment auctioneer, and RealTimeBid.Com (RTB), an online auction service provider, are business partners. They alleged that Equipmentfacts, defendant and one-time auction service provider to Yoder & Frey, accessed the company’s new RTB-provided auction portal, first with an old administrative account and then with the “stolen” account of a long-time Yoder & Frey customer. According to the complaint, Equipmentfacts used both of these accounts to post defamatory, negative statements on the auction portal’s built-in message board, and then used the latter to post “false bids” for items up for auction--eventually winning eighteen items for a total of $1,171,074, which it has not paid.

Equipmentfacts disputed the underlying facts, but also moved for summary judgment on the CFAA claim, arguing that the CFAA does not encompass the type of damage alleged, because the harm was not due to the unauthorized access, and on the alleged facts did not even occur until the winning bidder refused to pay. Its argument focused on the disconnect between the alleged unauthorized access and the accrual of harm, arguing that “damages not flowing from an interruption of service are not recoverable under the CFAA.” The court, however, was unimpressed, and focused on the type of harm alleged rather than its nexus to the alleged unauthorized activity. It found that “interruption of service” could be found even when the website and bidding software performed as designed.

Finding "loss" under the CFAA

Civil plaintiffs under the CFAA must plead “loss” of at least $5,000 (or one of a few other narrow requirements, inapplicable here). 18 U.S.C. § 1030(g); 18 U.S.C. § 1030(c)(4)(A)(i)(I). “Loss” is statutorily defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The court analyzed the language and the legislative history of this provision to conclude that the CFAA claim could withstand summary judgment:
“Whether the alleged action left the system inoperable is too narrow a reading of the statute. An auction's high bidder, by definition, denies the other bidders the right to purchase that item at their bid price. . . . Fake bids deny the entire sale to both the auctioneer and the other bidders; particularly so when the auctioneer cannot discover the falsity of the high bid until the sale is long over. Depriving a business of potential sales is a loss contemplated by the CFAA. E.g., United States v. Schuster, 467 F.3d 614, 617 (7th Cir. 2006) (Affirming a restitution finding that the defendant was liable for the victim's loss of business productivity because he caused a computer attack that rendered the victim's system less available to customers)” (emphasis added).
While few would quarrel with the argument that some lost sales revenue is contemplated by the CFAA (e.g., sales lost during an outage caused by unauthorized access), the court’s analysis broadly implies that any sales revenue lost by an online portal is sufficient to show “loss” under the CFAA. Moreover, it seems to stray from its own citation. In Schuster (a criminal CFAA case that included restitution), the defendant conceded that his actions had impaired the availability of a system to other customers’ and the owner’s detriment, but here Equipmentfacts’ alleged unauthorized access to the bidding portal did not directly cause any harm. As its brief in support of its motion for summary judgment points out, the system remained functional throughout the alleged episode: RTB, in fact, conceded in deposition that there was no interruption in the availability or the integrity of the auction portal’s technical services whatsoever:
Q: So bidders could still place bids at the auction on your technology platform?
A: Yes.
Q: Even though there was someone allegedly placing false bids?
A: Correct.
. . .
Q: And the only thing that went wrong was that someone submitted a bid for which they had no intention of paying, right?
A: Yeah.
Now, this line of questioning by the defense attorney is slightly misleading, because the plaintiffs did not “only” allege that a bid was submitted by someone who never intended to pay; they also alleged that the false bid was submitted using the “stolen identity” of a long-time Yoder & Frey customer, and that Yoder & Frey approved each bidder before allowing them to participate in the auction. These facts might tie the alleged unauthorized access sufficiently closely to the “loss” required by the CFAA, but the court’s analysis does not follow this line of reasoning. Instead, it glosses over the distinction between placing a false bid in an online auction and using a stolen identity to participate in an online auction. The argument that a CFAA claim may be made on allegations of bidding online without intending to pay seems much more tenuous than the argument that a CFAA claim may be made on allegations of using a false identity to participate in an online auction, whether that bidder intended to pay for the items or not. The former claim, based on “false bids,” seems to be nothing more than a fraudulent, electronically concluded contract, which almost certainly falls outside the CFAA. Making such a claim based on falsely assuming the identity of a trusted customer seems much more like the type of conduct to which the CFAA was intended to apply. In a very confusing opinion, however, the court fails to distinguish these two very different issues.

Instead, its analysis seems to rely on its previous finding that the “[d]efendant’s alleged intentional disruption of even a portion of the online auction through surreptitiously submitted false bids interrupted the service of that site.” This portion of analysis considers false bids and bids submitted by means of a false identity (“surreptitiously submitted”) together, but the rest of that opinion seems to indicate that the court’s thinking hewed closer to the more tenuous false-bids analysis: “While the online auction was not totally thwarted, a number of individual online transactions were. As such, the auction website did not provide service to either Plaintiffs or the buyers and sellers in the auction while Defendants allegedly submitted false winning bids.” This line of inquiry requires the court to find that the bidding portal “did not provide service” even though it functioned exactly as designed, without any degradation or impairment of any of its functions.

This broad reading of the CFAA seems to extend “interruption of service” to include any thwarted commercial service--potentially, any electronically but fraudulently concluded contract. While it is possible that the authors of the CFAA contemplated such broad meaning, and, as the court points out, left “interruption of service” undefined, it is unclear why Congress would have intended to allow plaintiffs alleging fraudulent creation of contract to access CFAA remedies if the relevant contract was concluded electronically. And although construction of the CFAA has sometimes been controversial, this decision stands out for eschewing a narrow reading of CFAA liability (more here and here). If the court (and the plaintiff) had focused on illustrating the nexus between the alleged use of a stolen identity, which was trusted by the plaintiffs (and therefore approved as a bidder), and the lost commissions, it could have avoided muddying the waters with its analysis of “interruption of service.” As written, however, the opinion is unclear as to why this auctioneer’s harm had a sufficient nexus to any unauthorized access to warrant CFAA liability.

In addition to the CFAA claim, the complaint included claims based on common law fraud, common law trespass to chattels, and breach of contract. All of them survived the motion to dismiss. It will be interesting to see whether the parties settle, and if not, whether Yoder & Frey and its new service provider RTB can make the CFAA claim stick at trial.

--Brad Edmondson

Thursday, April 18, 2013

Cybercrime Review welcomes Brad Edmondson as a guest writer

I am very excited to announce Brad Edmondson will be joining Cybercrime Review. Brad will begin posting as a guest writer this week and plans to formally join Cybercrime Review as a permanent author over the summer. Please join me in welcoming Brad.

Brad is currently a 2L at Vanderbilt Law School and has developed an educational focus in the area of intellectual property law. Additionally, he is the incoming Senior Technology Editor for the Vanderbilt Journal of Entertainment and Technology Law. In 2008, Brad received his B.A. in Political Science from Tufts University. He also worked in the Tufts IT department in various roles during his undergraduate studies and, after receiving his undergraduate degree, continued working for the university as the Information Security Operations Team Lead. In the summer of 2012, he interned with Autodesk, a computer design software manufacturer and cloud design services provider. In 2013, he will intern with the MITRE Corporation, a nonprofit corporation that manages research and development programs for the federal government. In addition to his work experience, Brad also holds a GIAC certification in Information Security Fundamentals (GISF). 

Brad’s passion in law centers on information security, privacy, technology's interaction with intellectual property, and cybercrime. In his downtime, he enjoys playing soccer, running, reading, and manually pulling espresso.

Wednesday, April 17, 2013

Tallinn Manual applies "international law norms" to cyber warfare

It seems almost every day we see new reports of computer and network “attacks” allegedly perpetrated by nation states. China, Russia, and North Korea have all allegedly been involved in a variety of cyber attacks––and with the evidence mounting as to the now infamous Stuxnet attack, it can be safely assumed that the United States is not absent from this list. What cannot be assumed, however, is how these attacks fit into the complex set of policies, treaties, and international laws that govern national and international conflicts. Can a country use cyber operations to attack or defend another country? If so, to what extent can these cyber operations be used? How do we define a “cyber attack” under international law?

The Tallinn Manual On The International Law Applicable to Cyber Warfare (Cambridge University Press, 2013) attempts to answer these questions and many more just like them. The Tallinn Manual was made at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence and was authored by an “independent, international Group of Experts.” The result is a comprehensive guide that applies various international rules to cyber warfare. The group of experts, led by U.S. Naval War College Professor and international law scholar Michael N. Schmitt, developed a set of “ninety-five ‘black-letter rules’” governing cyber warfare.

Contrary to some reports, the manual is by no means the official policy of NATO but is instead, as stated on the Cooperative Cyber Defence Centre of Excellence’s website, “an expression of opinions of a group of independent experts acting solely in their personal capacity.”

Despite such formalities, the manual is an important document for governments, students, and academics alike. The manual’s in-depth analysis provides a foundation for nations to build upon as they begin to develop in and adapt to an increasingly cyber-dependent world. And while not an authoritative document, it will be interesting to see how the Tallinn Manual impacts the current discussions revolving around the continued escalation of cyber attacks by nation-states.

For a report on the Tallinn Manual, as well as an interview with one of the manual’s authors, Professor Thomas Wingfield, see Bernhard Warner’s Bloomberg article here.

White House looks for CISPA to address cyber crime reporting

Yesterday, the White House released a Statement of Administration Policy in which the Administration informed the House Permanent Select Committee on Intelligence, and the public, “if [H.R. 624 Cyber Information Sharing and Protection Act (CISPA)], as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.” While many of the White House’s suggestions to improve privacy protections in the Bill have been making headlines, one line in particular caught my attention. In its recommendations on how CISPA should be improved, the White House made the following statement:
Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
If Congress takes the President’s above recommendation seriously, it will be interesting to see what kind of language could be added to the bill that would “explicitly ensure” that “victims continue to report” cyber crimes to Federal law enforcement agencies. For more context, I have the entire paragraph below, or feel free to read the entire statement.
H.R. 624 appropriately requires the Federal Government to protect privacy when handling cybersecurity information. Importantly, the Committee removed the broad national security exemption, which significantly weakened the restrictions on how this information could be used by the government. The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable--and not granted immunity--for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.

Tuesday, April 16, 2013

Antoine Jones denied release after mistrial; fourth trial pending

Judge Orders Man Jailed in Landmark GPS Case 
The Washington man who was at the center of the U.S. Supreme Court’s landmark ruling over GPS tracking will remain locked up pending his fourth trial, a federal judge ruled today. 
U.S. District Judge Ellen Segal Huvelle concluded no condition of release would “reasonably assure” the safety of the public. The defendant, Antoine Jones, has remained in custody since his arrest in late 2005 for his alleged role in a drug trafficking ring.
The full memo opinion/order is here: Jones Detention 

WI med researcher originally accused of espionage (for stealing cancer drug), now indicted under CFAA (full complaint & indictment)

Hua Jun Zhao has been indicted by a grand jury in the Eastern District of Wisconsin for a violation of the CFAA, namely deleting files from a server without authorization. The violation (per the indictment) is of 18 USC 1030(a)(5)(A), 1030(b), and 1030(c)(4)(B). The relevant statutory provisions are:
18 USC § 1030 - Fraud and related activity in connection with computers
(a) Whoever—
    (5)
        (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; 
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section. 
(c) The punishment for an offense under subsection (a) or (b) of this section is—
     (4)
          (B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
                (i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
               (ii) an attempt to commit an offense punishable under this subparagraph;
He was also indicted for making materially false statements to a federal agent. The CFAA charge is interesting because the crime originally alleged in the criminal complaint was economic espionage. (Perhaps, at this time, the CFAA charge was all they could make stick.) A summary of the full story is available from multiple media outlets. From the Journal Sentinel in Milwaukee (Medical College of Wisconsin researcher charged with economic espionage: Feds allege anti-cancer compound was stolen for China):
A researcher at the Medical College of Wisconsin has been charged with stealing a possible cancer-fighting compound and research data that led to its development, all to benefit a Chinese university. 
Huajun Zhao, 42, faces a single count of economic espionage, according to a federal criminal complaint, an offense punishable by up to 15 years in prison and a $500,000 fine. 
According to the complaint, Zhao worked as an associate researcher at the college, assisting professor Marshall Anderson by conducting experiments in pharmacology. 
On Feb. 22, Anderson set down three pill bottle-size containers of a cancer research compound called C-25, and later noticed they were missing from his desk. After searching extensively for the bottles, he reported them lost or stolen on Feb. 26. 
On March 1, Zhao met with Anderson, college security and the FBI to go over his computer, hard drive and flash drive, where 384 items related to Anderson's C-25 research were discovered and deleted. He also had some research from another professor in the Hematology/Oncology department, without permission. 
Among Zhao's paperwork, investigators found more C-25 research and a grant application, written in Mandarin, claiming he had discovered the compound and seeking more Chinese funding to continue research. 
Anderson observed the application was identical to one he had submitted years earlier, in English. 
During the same March 1 review, college security informed the FBI that after his suspension on Feb. 27, Zhao had remotely accessed the Medical College servers and deleted Anderson's raw data from the C-25 research, information the college was later able to restore. 
The Journal Sentinel's follow up story on the indictment can be found here: Medical College of Wisconsin researcher indicted, avoids espionage charge.

A few observations: This was a security fail by the Medical College of Wisconsin. While their employees did everything right in seizing the laptop, digging deeper, reviewing surveillance, and getting law enforcement involved, they failed to do one important thing: cut off Zhao's access to particular servers. Thus, after he was escorted off the campus, his login credentials were still viable, and he was able to delete files related to the research and probably files incriminating himself. This will become an important question under the CFAA, since technically Zhao was still "authorized" (because his account was still active). One could convincingly argue that the failure of the college to secure its own files isn't a computer crime, but negligence on the college's part. It'll be interesting to see how this plays out.
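The window between a suspension and the moment an account is actually disabled can be measured from records most organizations already keep. The Python below is an added example, not part of the original post or of any filing in the case: it joins an HR status feed, a directory export and a file-server access log, flags activity by separated users, and reports how long each account stayed usable. Every username, timestamp, path, address and field name in it is constructed.

```python
from datetime import datetime, timedelta

# All records below are constructed for illustration.
HR_FEED = [  # HR status changes, in the HR system's local time zone
    {"user": "rsch_a", "status": "suspended", "at": "2013-02-27T17:00:00-06:00"},
    {"user": "rsch_b", "status": "terminated", "at": "2013-02-20T12:00:00-06:00"},
]
DIRECTORY = {  # directory export: when, if ever, each account was disabled
    "rsch_a": {"disabled_at": None},                         # never disabled
    "rsch_b": {"disabled_at": "2013-02-20T12:30:00-06:00"},  # disabled 30 min late
    "rsch_c": {"disabled_at": None},                         # current employee
}
ACCESS_LOG = [  # file-server events, logged in UTC
    {"at": "2013-02-27T15:10:00+00:00", "user": "rsch_a", "src": "10.0.4.17",
     "action": "read", "path": "/data/projectx/raw/run01.csv"},
    {"at": "2013-02-28T03:42:00+00:00", "user": "rsch_a", "src": "203.0.113.50",
     "action": "login", "path": ""},
    {"at": "2013-02-28T03:44:00+00:00", "user": "rsch_a", "src": "203.0.113.50",
     "action": "delete", "path": "/data/projectx/raw/run01.csv"},
    {"at": "2013-02-20T18:10:00+00:00", "user": "rsch_b", "src": "10.0.4.22",
     "action": "login", "path": ""},
    {"at": "2013-02-20T19:00:00+00:00", "user": "rsch_b", "src": "198.51.100.7",
     "action": "login_failed", "path": ""},
    {"at": "2013-02-28T14:00:00+00:00", "user": "rsch_c", "src": "10.0.4.30",
     "action": "read", "path": "/data/projecty/notes.txt"},
]
DESTRUCTIVE = {"delete", "write", "rename"}


def ts(text):
    """Parse an ISO 8601 timestamp with a UTC offset into an aware datetime,
    so HR records and server logs in different zones compare correctly."""
    return datetime.fromisoformat(text)


def separations(hr_feed):
    """Earliest suspension or termination time for each separated user."""
    cut = {}
    for rec in hr_feed:
        if rec["status"] in ("suspended", "terminated"):
            when = ts(rec["at"])
            if rec["user"] not in cut or when < cut[rec["user"]]:
                cut[rec["user"]] = when
    return cut


def post_separation_activity(hr_feed, directory, access_log):
    """Return every logged event by a separated user after the separation time,
    in time order, with a severity and whether the account was still enabled."""
    cut = separations(hr_feed)
    findings = []
    for ev in sorted(access_log, key=lambda e: ts(e["at"])):
        user, when = ev["user"], ts(ev["at"])
        if user not in cut or when <= cut[user]:
            continue  # current employee, or activity before separation
        disabled = directory.get(user, {}).get("disabled_at")
        still_enabled = disabled is None or ts(disabled) > when
        if ev["action"] == "login_failed":
            severity = "attempt"
        elif ev["action"] in DESTRUCTIVE:
            severity = "destructive"
        else:
            severity = "access"
        findings.append({"user": user, "at": when, "delay": when - cut[user],
                         "src": ev["src"], "action": ev["action"],
                         "path": ev["path"], "severity": severity,
                         "still_enabled": still_enabled})
    return findings


def revocation_gaps(hr_feed, directory, now):
    """How long each separated account remained usable; 'open' means the
    account has still not been disabled as of 'now'."""
    gaps = {}
    for user, when in separations(hr_feed).items():
        disabled = directory.get(user, {}).get("disabled_at")
        end = ts(disabled) if disabled else now
        gaps[user] = {"gap": max(end - when, timedelta(0)),
                      "open": disabled is None}
    return gaps


if __name__ == "__main__":
    for f in post_separation_activity(HR_FEED, DIRECTORY, ACCESS_LOG):
        print(f["severity"], f["user"], f["action"], f["src"], f["delay"])
    print(revocation_gaps(HR_FEED, DIRECTORY, ts("2013-03-01T12:00:00+00:00")))
```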

Quick Reference to Documents:
1. Complaint
2. Indictment

Monday, April 15, 2013

Google encourages users to plan for "digital afterlife"

Google announced last week the launch of the "Inactive Account Manager," which lets users set a period of inactivity after which all of their Google Account's data will be deleted. The tool allows you to decide "what you want done with your digital assets when you die or can no longer use your account."

Here's a description of the service:
[Y]ou can choose to have your data deleted — after three, six, nine or 12 months of inactivity. Or you can select trusted contacts to receive data from some or all of the following services: +1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube. Before our systems take any action, we’ll first warn you by sending a text message to your cellphone and email to the secondary address you’ve provided.
Visit the Inactive Account Manager to set it up.

Thursday, April 11, 2013

Reddit AMA focuses on CFAA reform and CISPA

Cyber legislation has been a hot topic lately. At the center of the discussion are reforms to the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the pending House proposal related to cybersecurity, H.R. 624: Cyber Intelligence Sharing and Protection Act. Recently, a group of scholars, not-for-profit organizations, and Internet activists hosted two “Ask Me Anything” (AMA) events on Reddit to inform users of the CFAA and CISPA.

The CFAA AMA, which occurred on April 9th, included questions concerning some of the substantive provisions of the CFAA, a recent “discussion draft” of the CFAA making its way around Congress, and some recent high profile CFAA cases. The group conducting the AMA included:
  • Orin Kerr, Fred C. Stevenson Research Professor of Law at George Washington University
  • Mark Jaycox, Policy Analyst and Legislative Assistant at Electronic Frontier Foundation
  • Cindy Cohn, Legal Director at Electronic Frontier Foundation
  • Trevor Timm, Activist and Blogger at Electronic Frontier Foundation
  • David Segal, Executive Director at Demand Progress
  • Josh Levy, Internet Campaign Director at Free Press
  • Tiffiniy Cheng, Co-Founder of Fight for the Future
  • Jennifer Granick, Director of Civil Liberties at Stanford Law School’s Center for Internet and Society
  • Ryan Radia, Associate Director of Technology Studies at the Competitive Enterprise Institute, and
  • Tim Berners-Lee, World Wide Web inventor
Additionally, a CISPA AMA, hosted by the American Civil Liberties Union and the Electronic Frontier Foundation, occurred on April 8th. The AMA included questions concerning the current status of CISPA, the difference between CISPA and 2011’s H.R. 3261 Stop Online Piracy Act (SOPA), and the effect CISPA could have if adopted. The group conducting the AMA included:

  • Michelle Richardson, Legislative Counsel at the American Civil Liberties Union 
  • Mark Jaycox, Policy Analyst and Legislative Assistant at Electronic Frontier Foundation 
  • Trevor Timm, Activist and Blogger at Electronic Frontier Foundation 
  • Adi Kamdar, Activist at Electronic Frontier Foundation, and
  • Rainey Reitman, Activism Director at Electronic Frontier Foundation
While both are worth a look, I recommend paying particular attention to the answers provided by Professor Kerr in the CFAA AMA. Professor Kerr has written extensively on the CFAA and has developed a reputation as being one of the foremost experts on the statute.

Featured Paper: DNA Profiles, Computer Searches, and the Fourth Amendment

I found this interesting note, published recently in the Duke Law Journal, on the use of the government's DNA database for certain convicted felons. The note, DNA Profiles, Computer Searches, and the Fourth Amendment, argues that the use is a violation of the Fourth Amendment. It's a pretty interesting read. Here's the abstract:
Pursuant to federal statutes and to laws in all fifty states, the United States government has assembled a database containing the DNA profiles of over eleven million citizens. Without judicial authorization, the government searches each of these profiles one-hundred thousand times every day, seeking to link database subjects to crimes they are not suspected of committing. Yet, courts and scholars that have addressed DNA databasing have focused their attention almost exclusively on the constitutionality of the government’s seizure of the biological samples from which the profiles are generated. This Note fills a gap in the scholarship by examining the Fourth Amendment problems that arise when the government searches its vast DNA database. This Note argues that each attempt to match two DNA profiles constitutes a Fourth Amendment search because each attempted match infringes upon database subjects’ expectations of privacy in their biological relationships and physical movements. The Note further argues that database searches are unreasonable as they are currently conducted, and it suggests an adaptation of computer search procedures to remedy the constitutional deficiency. 
The author, Catherine W. Kimel, is a 3L at Duke.

Wednesday, April 10, 2013

S.D.N.Y. case highlights circuit split on CFAA’s application to “faithless employees”

In JBCHoldings v. Pakter, the United States District Court for the Southern District of New York addressed “whether an employee[’s] misuse of an employer’s information violates the [Computer Fraud and Abuse Act] where that information was obtained from a computer to which the employee was permitted access.” As JBCHoldings highlights, whether the CFAA applies to the “faithless employee” has caused quite a conflict among federal courts.

Janou Pakter and Jerry Tavin owned the executive search firm Janou Pakter Inc., which was later purchased by JBCHoldings NY. After the purchase, JBCHoldings and Pakter entered into an agreement in which Pakter would “continue to participate in the business” and help attract new clientele. However, JBCHoldings alleged that while Pakter was under contract, Pakter and other co-defendants were operating a competing company, Janou Talent Advisory International. Using their association with JBCHoldings, Pakter and her co-defendants allegedly “misappropriated [JBCHoldings'] proprietary information, including client lists, and used these to advance their competing business.” As the court states, JBCHoldings believed that “Janou (or a co-defendant) obtained this information either by (1) copying it to her personal laptop and sharing it with her co-defendants; (2) lifting it from JBC's computers using a flash drive; and/or (3) obtaining it remotely via spyware.” JBCHoldings filed a complaint alleging numerous causes of action, including violations of the CFAA.

The court, like many before it, recognized the complicated issue of interpreting the CFAA’s use of the terms “without authorization” and “exceeding authorized access.” While “without authorization” is not defined in the statute, “exceeds authorized access” is defined under the statute, 18 U.S.C. § 1030(e)(6), as “access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The statute outlines a number of offenses related to accessing computers and protected computers, but the fundamental question is whether employees, like Janou, are culpable under the statute when they were granted access to company information, but later use that information in an unauthorized way.

The “Broad Construction”
As the court opines, four circuits (the First, Fifth, Seventh, and Eleventh Circuits) have adopted a broad construction of the CFAA. The court states that, while subtly different, “each circuit has held that the statutory terms ‘without authorization’ and/or ‘exceeds authorized access’ are broad enough to reach the situation in which an employee misuses employer information that he or she is otherwise permitted to access.”

The “Narrow Construction”
On the other hand, the court found that two circuits (the Fourth and Ninth Circuits) have adopted a narrow construction of the CFAA. In adopting a narrow construction, these circuits “have held that the statute does not reach the mere misuse of employer information or violations of company use policies.” The Ninth Circuit’s en banc opinion, United States v. Nosal, has been a flagship example of a court’s narrow construction of the CFAA in the faithless employee context (a case that Cybercrime Review has discussed in detail here). After determining that the Second Circuit has not squarely answered this question, the court adopted a narrow approach, finding it “considerably more persuasive.”

JBCHoldings’ Rationale and Application
In applying the plain meaning of the term “without authorization” the court found that “an employee ‘accesses a computer without authorization’ when he does so without permission to do so. This definition plainly speaks to permitted access, not permitted use.” The court also found the CFAA’s statutory definition of “exceeds authorized access” was inherently similar to the plain meaning of “without authorization” stating, “[b]y its plain terms, this definition also speaks to access, not use.” It was this interpretation that formed the basis of the court’s rationale:
[N]owhere in the Amended Complaint is there any allegation that Janou . . . lacked the authority to access this information. Thus, although Janou’s alleged actions violated plaintiffs’ electronic media policy, such misuse does not state a claim under the CFAA, because an employee does not “exceed[] authorized access” or act “without authorization” when she misuses information to which she otherwise has access.
(internal citations omitted). This case is by no means extraordinary in its application of the CFAA. However, the case does have the potential of placing this (clearly troublesome) question in front of the Second Circuit, where it would be an issue of first impression according to the court in JBCHoldings. If nothing else, this opinion provides a good overview of how courts have dealt with the “faithless employee” question thus far and highlights the depth of the circuit split.

Tuesday, April 9, 2013

Cybercrime Review welcomes Andrew Proia as guest writer

I am excited to welcome Andrew Proia as a guest writer for Cybercrime Review. Andrew will post as a guest writer starting this week. He plans to formally join Cybercrime Review as a permanent author sometime mid-summer.

Andrew is a 3L at Indiana University Maurer School of Law and is finishing up his J.D. with a concentration in information privacy and cybersecurity. In 2010, he received his B.S. in Criminal Justice, summa cum laude, from the University of Central Florida. Andrew was part of the 2012 scholarship class at the International Association of Privacy Professional’s 2012 Global Privacy Summit. Currently, he is a research assistant to Professor Fred Cate, C. Ben Dutton Professor of Law at Indiana University Maurer School of Law and Director of the Center for Applied Cybersecurity Research. A Managing Editor on the Indiana Law Journal, Andrew has two notes that will be soon published in the Indiana Law Journal and the University Of Florida Journal Of Law & Public Policy.

Andrew’s passion in law centers on issues related to privacy, technology, constitutional law, and (of course) cybercrime. In his downtime, he enjoys playing golf, reading, and spending time with his fiancée, Katie, and their dog, Duncan.

You can follow Andrew on Twitter at @andrewproia.

Trial court orders Facebook trash talk ban for divorcing couple; Husband appeals and loses

In a recent divorce case, the Georgia Court of Appeals ruled that it was okay for the trial court to order the parties to not talk disparagingly about each other on Facebook - at least until after the divorce proceedings. The husband appealed the order, arguing that it violated his First Amendment rights.

The trial court had issued an order that "restrained and enjoined [the parties] from posting matters about each other or their current litigation on Facebook or other social networking sites."

On appeal, the Court of Appeals acknowledged that the state Supreme Court allowed orders "to refrain from making derogatory remarks about the other before the children" and also for parties "telephoning the other's workplace or communicating with each other." Both parents had used social media to make "derogatory and disparaging comments about each other" prior to the order, and the appellate court decided the order was appropriate.

The case is Lacy v. Lacy, No. A12A2261 (Ga. Ct. App. 2013).

Monday, April 8, 2013

In CP case, dissenting opinion suggests computer search "not sufficiently connected ... to justify this serious intrusion"

In a recent Ohio case, the Court of Appeals of Ohio held that the search of a computer for evidence related to a rash of eggings that revealed child pornography was properly supported by probable cause (Ohio v. Castagnola, 2013-Ohio-1215 (Ohio Ct. App. 2013)). However, a dissenting opinion argued the level of the intrusion made the search improper.

After more than twenty eggings in the small Ohio town of Twinsburg, police had finally found their suspects after viewing several people purchase a large number of eggs from a local grocery store. When confronted, the buyers told the officer that the eggs were for making a cake, but the officer confiscated the eggs anyway. The next day, the group sent the officer a cake.

An informant later showed text messages to the cops sent by one of the egg buyers, Mr. Castagnola, which showed his involvement in the crimes. One of the egging victims, the city's law director, had been hit on the night after he prosecuted Castagnola for the sale of alcohol to minors. Using a wire, the informant engaged Castagnola in conversations discussing the prior eggings. From the conversations, it appeared that Castagnola had used his computer to obtain the law director's home address. A warrant was obtained, and police searched Castagnola's computer for evidence related to the eggings. During the search of the computer, numerous images of child pornography were found, and he was prosecuted and convicted for "pandering sexually oriented matter involving a minor."

On appeal, Castagnola argued that the evidence from the computer should be suppressed because there was no probable cause. Specifically, his argument was that:
[the] affidavit failed to establish that probable cause existed for the seizure of his computer. Specifically, he argues that the fact that one form of technology (i.e. a text message) contains evidence of an individual's wrongdoing does not equate to the conclusion that another form of technology (i.e. a computer) will contain similar evidence.
However, because the detective's evidence showed that "Castagnola used the internet to locate the law director's personal residence," there was "a causal link between Mr. Castagnola's alleged criminal activities" and the computer. He also argued that because he had only said that the address was not listed, and he had to find the address elsewhere, it was not proper for the detective to assume it was obtained online. The court held otherwise.

Castagnola also argued that the evidence was insufficient because the government did not prove that he knew the images existed as "many individuals used the computer." Because the password was really strong, and it seemed that the only ones who knew the password were Castagnola and his mother, the evidence was not insufficient to prove that he had downloaded the images.

A dissenting opinion argued that there was no probable cause for the computer search.
Even if I could agree that there was a "fair probability" that there would be a computer in the home that would verify that he had searched and obtained the law director's address, that single online search was not sufficiently connected to criminal activity to justify this serious intrusion into the privacy rights of the Castagnola family.... Mr. Castagnola's online search for the law director's address was not illegal activity, nor was it a fruit, contraband, or an instrumentality of any crime. It was a piece of "mere evidence" to connect Mr. Castagnola to the crimes committed at the law director's home....
The police had no reason to search the computers for anything other than verification that Mr. Castagnola had found the law director's address. No facts in the affidavit even suggested that any other evidence would be found on the computer to connect Mr. Castagnola to criminal activity.

Wednesday, April 3, 2013

"Closer call": 1st Cir. upholds pre-Jones GPS tracking for 11 days under Good Faith exception

In United States v. Sparks, No. 11-1134 (1st Cir. March 26, 2013), the First Circuit upheld the denial of suppression of GPS tracking evidence which occurred over the course of eleven days, citing the Good Faith exception articulated in Davis. The GPS installation and tracking were pre-United States v. Jones.

There are a few interesting things about this holding:

1. Associate Justice (Ret.) Souter sat by designation for the case

2. The court relied on precedent from the 80s (Knotts) and 70s (Moore) to justify the holding; both cases involved beepers

3. The opinion stated the decision wasn't perfunctory, but was "certainly a closer question in this circuit than in those that had directly addressed the propriety of warrantless GPS tracking prior to Jones."

4. Orin Kerr's piece on the Volokh Conspiracy got a reference in a footnote (#1) - Does Fourth Amendment Standing Work Differently for Jones Trespass Searches, Traditional Katz Searches, and Long-term Katz Searches?

The court's reasoning, in short:
The closer question is whether Knotts clearly and expressly authorized the subsequent monitoring of the GPS tracker for eleven days. Like the officers in Knotts, the FBI agents in this case used an electronic tracking device to follow the movements of a car. But they did two things differently: they used a GPS unit instead of a beeper, and they tracked the car for eleven days instead of a number of hours. Do either of these differences place the agents' conduct beyond the scope of what Knotts clearly permitted? 
On this record, we think the fact that the device was a GPS tracker rather than a beeper does not render Knotts inapplicable. Certainly, a GPS tracker is more capable than a beeper, "but nothing inheres in the technology to take it out of Knotts's holding."
... 
That brings us to the duration of the monitoring: eleven days here, versus less than a day in Knotts -- not a trivial difference. But Knotts gave scant reason to think that the duration of the tracking in that case was material to the Court's reasoning. Rather, the Court appeared to apply a blanket rule that "[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another"; no such expectation attaches to information that is, like one's public movements, "voluntarily conveyed to anyone who wanted to look." 460 U.S. at 281. Knotts did note that abusive "dragnet type" surveillance might be governed by "different constitutional principles," id. at 284, but there was no suggestion in the Knotts opinion that this rather brusque dismissal of the defendant's Orwellian warnings imposed a concrete temporal limitation on the case's apparently unqualified holding. Indeed, at the time of the search in this case, Knotts was widely and reasonably understood to stand for the proposition that the Fourth Amendment simply was not implicated by electronic surveillance of public automotive movements, because the latter was merely a more efficient "substitute . . . for an activity, namely following a car on a public street, that is unequivocally not a search within the meaning of the amendment."
Recognize that the court had to appeal to Knotts and Moore because conceding that those two cases do not allow prolonged GPS monitoring would require getting into the thornier argument of whether precedent outside the circuit (holding such monitoring was constitutionally sound) could be relied on by law enforcement and thus allow the Davis Good Faith exception argument.

Considering that most other courts have upheld pre-Jones GPS tracking under Davis, the holding isn't altogether surprising. But, if you have spent a lot of time talking about the anachronism of law when it comes to technology, hearing GPS and "beeper" together again is worth the read (and the shudder). To quote Renee Hutchins, we are still "Tied up in Knotts."

Hacking Back: Why security is important, even for hackers committing felonies (from XyliBox)

If you are going to steal credit card numbers and offer them on your site, try to at least secure the admin panel (and the overall site itself) sufficiently so that the email addresses and passwords of your users are not easily accessed. The excerpt below is from XyliBox; the full post can be found here re: VMAdumps - a huge hat tip to XyliBox.

Also, note that Cybercrime Review is merely reporting what has already been published; we in no way condoned this illegal activity, participated in it, supported it, or encouraged it. However, this is the epitome of "hacking back" and why a lot of people have recently argued for it. Our summation post on hacking back can be found here: Hacking Back - are you authorized?

Definitions:
Dumps = credit card dumps
Track1/Track2 = different types of CC information - Track 1 contains more information
Dumps can be written to credit cards via black market devices, and then used to commit fraud in-store
Fullz - CC data + full biographical data - can be used to complete full ID theft (filing fraudulent taxes, opening up additional credit card accounts, etc.)

********************************************************************************
The Details:
Another carder shop, similar to dumpslogs, they sell track2.
vmadumps.cc - 80.82.64.21
Registrant Contact:
none
onofrio castaldi ()
Fax:
via DOMENICO CUCCHIARI nr.60
rome, rome 00159
IT
Creation date: 20 Sep 2012 10:20:00
Expiration date: 20 Sep 2013 07:20:00
And the goods offered on the site vmadumps.cc:


Noticing lax security:

Some weird urls: 
vmadumps.cc/Mail.php
vmadumps.cc/activ.php
vmadumps.cc/PEAR.php
lol:

Fruits of the hack back:
Credit cards being offered:

admins:
Clients:

And the kicker:
3k clients, i've broke ~55% of passwords with a simple brute force and a basic dictionary. You want a copy? oh... ok. (link excluded)
PHP+SQL, tracks2 and credit cards are not included of course. Happy hunting.

Question on appeal: "Is a cell phone really a pair of trousers?"

In a Texas appellate case, the Electronic Frontier Foundation is arguing that a warrant is required before police search a cell phone being held in a jail's property room. A teenager was arrested at school for a "disturbance" and taken to jail. His cell phone was taken from him and searched, revealing evidence of an unrelated felony (he was arrested for a misdemeanor). The trial court and lower appellate court found that the evidence should be suppressed.

The lower appellate court had framed the issue this way:
Is a cell phone really a pair of trousers? The State argues as much here, at least when both come from someone who has been arrested. We disagree and affirm the trial court's decision to suppress evidence discovered during a warrantless search of an impounded cell phone.
On appeal again before the Texas high court, the EFF and others argue:

The Court’s ruling in this case thus has the potential to affect every Texan who possesses a cell phone and who might someday be arrested and jailed, even briefly, for a misdemeanor offense. Cell phones and smart phones with immense digital memories containing their users’ most private information are now in the pockets of millions of Americans each day. The state contends that a pretrial detainee being held in jail has “no legitimate expectation of privacy” in his inventoried personal effects, including the data stored in personal electronic devices. If the state’s argument in this case were to be accepted, any law officer, even a stranger to the arrest, would be able to enter a jail property room with no warrant, probable cause or exigency whatsoever, power up any detainee’s stored and inventoried cell phone, and freely rummage through the device, either for mere curiosity or a personal vendetta, or searching for incriminating photographs, emails, texts or other data related to any potential criminal offense. This is not the law, nor should it be. 
In sum, no exception to the warrant requirement applies on these facts, and the appellate court’s decision below, suppressing the evidence obtained from the warrantless search of Anthony Granville’s cell phone, should be affirmed.... 
A cell phone is not a pair of pants.

Monday, April 1, 2013

Metadata from VHS? 8th Circuit upholds VHS tape seizure in child porn case

I couldn't help but mention this case, briefly. The 8th Circuit, in United States v. Hager, No. 12-2074 (Mar. 29, 2013), held that a search warrant for digital devices containing metadata related to the production of child pornography allowed officers to search/seize VHS tapes, even though the court acknowledged that VHS tapes are analog and contain no such thing. The ruling was bolstered, in part, by the officer's reliance on a computer forensic expert's opinion, as well as an AUSA stating that the VHS tapes were within the scope of the warrant.

I have bolded/italicized/underlined important parts:
During the search of Hager's residence, agents found 747 VHS tapes capable of holding more than 4,400 hours of information when viewed on a television. Litzinger called a computer forensic expert in North Dakota to ask whether the tapes constituted "electronic media." The expert said that they did. Litzinger then called the First Assistant United States Attorney for North Dakota, who said that the VHS tapes were within the scope of the warrant. Agents then seized the tapes. 
Litzinger was unfamiliar with WebTV or how VHS recording devices worked, thinking that WebTV was similar to a modem. Litzinger believed that he would find the Mueller images on the VHS tapes and that the VHS tapes would contain metadata useful to the Mueller case. Litzinger did not know that VHS tapes are analog, not digital, and as such cannot contain metadata; Litzinger saw a USB port on the WebTV box and assumed that the information on the VHS tapes would be the same as if it was saved on a computer.
Litzinger and a non-expert support staff member of the North Dakota HSI reviewed the VHS tapes at the North Dakota HSI office. Neither Litzinger nor the support staff member knew that the VHS tapes could not contain metadata, although a reasonably competent forensic computer examiner would know this. Upon viewing the tapes, Litzinger and the support staff member found child pornography, whereupon they stopped viewing the tapes and sought and obtained an additional warrant.
Now I understand that EXIF data, metadata, and digital signatures might be confusing to detectives/attorneys unfamiliar with the concepts, but letting this one go on the merits, or (as the court argues), alternatively, under the Leon good faith exception, strains credibility. 

Another excerpt is below:
Hager argues that the first search warrant authorized only a search for the metadata of the sexually suggestive images of Mueller's daughters. Accordingly, Hager argues that the agents were not authorized to search for the images on the VHS tapes in his residence because the VHS tapes could not contain metadata. Reviewing de novo, see United States v. Stoltz, 683 F.3d 934, 938 (8th Cir. 2012), we conclude that the agents did not exceed the scope of the warrant. 
In his affidavit in support of the search warrant, Litzinger made clear that he sought to recover "sexually suggestive images depicting known children which were produced by Robert John Mueller in Detroit, Michigan[.]" Appellant's App. 3-4, Litzinger Aff. ¶ 3. Similarly, the warrant authorized a search for and the seizure of "sexually suggestive images depicting [Mueller's minor daughters] wherever they may be stored or found[.]" Appellant's App. 42. In his affidavit, Litzinger averred that Hager had received the Mueller images and that Hager likely possessed hard copies thereof. Although Litzinger undoubtedly sought to examine any metadata from the Mueller images, a fair reading of his affidavit reveals that Litzinger sought to recover the metadata in addition to, and not to the exclusion of, the images themselves. See United States v. Monson, 636 F.3d 435, 441 (8th Cir. 2011)(explaining that "we ordinarily interpret affidavits in a 'common sense' fashion that is not 'hypertechnical'" (quoting United States v. Hudspeth, 525 F.3d 667, 674 (8th Cir. 2008))). 
Hager argues also that the warrant's addendum limited the scope of the search to only metadata. The addendum limited the search of tapes to "Electronically Stored Information that is specifically described in and that is the subject of this warrant." Appellant's App. 43. The warrant, however, authorized a search for "sexually suggestive images depicting [Mueller's minor daughters] wherever they may be stored or found[.]" Appellant's App. 42. When read in conjunction with the warrant's authorization, the addendum limited the search of tapes to the Mueller images and accompanying metadata, that is, "the subject of [the] warrant." See United States v. Fiorito, 640 F.3d 338, 347 (8th Cir. 2011) [12] ("The broad language of the warrant must be given a practical, rather than a hypertechnical, interpretation that is cabined by the purpose for which it issued."). Accordingly, the agents acted within the scope of the warrant when viewing the VHS tapes found in Hager's residence.

Growing squash indoors apparently provides probable cause for search of Kansas home for marijuana

In an attempt to take down marijuana growers, it appears that one Kansas county has decided that having indoor gardening equipment is all it takes to give probable cause for the search of a home. According to a report in the Kansas City Star, the couple told this story:
“This is how we were awakened: banging, pounding, screaming,” the mother, Adlynn Harte, said Friday. “My husband opened the door right before the battering ram was set to take it out.”
The father allegedly was forced to lie shirtless on the foyer while a deputy with an assault rifle stood over him. The children, a 7-year-old girl and 13-year-old boy, reportedly came out of their bedrooms terrified, the teenager with his hands in the air....
Deputies told the Hartes that they had the couple under surveillance for months prior to the raid. But the Hartes “know of no basis for conducting such surveillance, nor do they believe such surveillance would have produced any facts supporting the issuance of a search warrant,” the lawsuit said.
Over the course of the raid, the deputies appeared to get frustrated that they weren’t finding anything, the suit said. The suit also said deputies “made rude comments” and implied their son was using marijuana. After two hours, they brought in a drug-sniffing dog, but still found nothing.
The couple, both former CIA employees, used indoor gardening equipment to grow tomatoes and squash in their basement. After law enforcement refused to provide documents after an open records request, they filed a lawsuit seeking to know why the search warrant was approved.
“This was an egregious overreach, and there was no basis for the search,” [the couple's lawyer] said. “These are highly educated and very patriotic people. They feel very strongly about it.”
In 2001, the Supreme Court held in Kyllo v. United States that the use of a thermal imaging device to find heat often associated with indoor gardening equipment was a search under the Fourth Amendment and therefore required a search warrant.