Thursday, June 20, 2013

Featured Paper: Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense

Volume 8, Issue 1 of the University of Maryland Journal of Business & Technology Law published a rather interesting article on active defense policy. Adequate Attribution: A Framework For Developing A National Policy For Private Sector Use of Active Defense was authored by Shane McGee, General Counsel and Vice President of Legal Affairs at Mandiant, Randy V. Sabett, Counsel with ZwillGen PLLC, and Anand Shah, Staff Attorney at Mandiant and Technology Fellow at ZwillGen PLLC.

The article is very timely, as it follows on the heels of a recent IP Commission Report that recommended the government investigate how active defense measures might be appropriately utilized by the private sector. Specifically, the IP Commission Report recommended that "new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited." The Report suggested that "[s]tatutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers."

With momentum gaining in support of active defense strategies, McGee, Sabett, and Shah argue that national policy in active defense should avoid the "unrealistic" goal of "absolute identification of a cyber attacker" and should instead begin with a "national dialog" on what would define "adequate attribution."

This is a great read for those interested in the concept of active defense. An excerpt appears below, with footnotes redacted (follow the link above for the full article):
Once primarily the domain of the federal government and a few specialized defense contractors, “active defense” has become an increasingly common topic even in unclassified circles due to (a) much more media exposure, (b) a general relaxing of attitudes toward offensive cyber behavior and, to some extent, (c) a frustration with the ability for companies to protect themselves with a purely defensive posture. Whether called active defense, standing your cyber ground, or hacking back, the notion of offensive use of cyber capability continues to gain considerable attention. As we ponder the implications of publicly-reported cyberattacks with a kinetic component (e.g., America’s alleged involvement in Stuxnet and the appearance of Flame), we also need to determine if other broad attacks (e.g., Duqu and Shamoon) should be viewed as significant steps forward in attack vectors or simply more annoying distractions in the cyber landscape. In any event, no one can deny that offensive operations must be considered as a possible device in the cyber toolkit. The logic seems valid — the right of self-defense has existed for hundreds of years in the physical realm; it should have a corresponding construct in the cyber world. Unfortunately, a lack of clarity in current law and policy has not allowed that to happen.
. . . .
The nagging question involves picking the level of certainty required by a victim of cyberattack in the identity of the attacker before responding. At one extreme would be absolute knowledge of the identity of the attacker. However, several scholars agree that significant difficulty exists in attaining 100% certainty of an attacker’s identity and that even identifying an attacker beyond a reasonable doubt is “bordering on impossible.” At the other extreme would be a policy where little, if any, diligence would be required prior to attacking back. Richard Clarke provides perhaps the most accurate answer by stating that it will “depend upon the real-world circumstances at the time.” In this paper, we will lay out an argument that, since absolute identification of a cyber attacker is unrealistic, a national dialog should occur around what constitutes adequate attribution. We will then provide a normative framework for use by the private sector when contemplating the use of active cyber defense.

Tuesday, June 18, 2013

Massachusetts high court holds passenger has standing to challenge GPS tracking

In a recent Massachusetts Supreme Judicial Court opinion, the high court held that both a driver and passenger had standing to challenge the use of GPS surveillance on a vehicle. Commonwealth v. Rousseau, Commonwealth v. Dreslinski, Nos. SJC-11227, SJC-11228 (Mass. 2013).

The case involves the appeals of two defendants, each arguing that the use of GPS tracking over a thirty-one day period violated the Fourth Amendment because it was not supported by probable cause and was overly broad. One defendant was the owner and operator of the vehicle; the other was a "mere passenger." At trial, the court found that the driver had no standing because the infringement of his privacy was minimally invasive. Further, the passenger had no standing because he had no reasonable expectation of privacy in the defendant's driveway or truck.

With regard to the driver, the court found:
whether we characterize the government's intrusion as a "seizure" under [Massachusetts case] Connolly or a "search" under Jones, by attaching a GPS device to his vehicle and tracking its movements, the government invaded Dreslinski's property and "controll[ed] and use[d]" it for its own purposes.
As to the passenger, no Fourth Amendment protection was found. Applying state constitutional law, however, the court held:
We conclude that under art. 14, a person may reasonably expect not to be subjected to extended GPS electronic surveillance by the government, targeted at his movements, without judicial oversight and a showing of probable cause.
Ultimately, the defendants failed. The court found that there was sufficient evidence to support probable cause, and the convictions were upheld.

Monday, June 17, 2013

Texas enacts statute preventing law enforcement from getting electronic data without search warrant

Be sure to check out Texas's new law, signed and made effective this past Friday, which prevents state and local law enforcement from obtaining stored customer data without a search warrant.

Here is part of the new law:

(a) This section applies to a warrant required under Section 4 to obtain electronic customer data, including the contents of a wire communication or electronic communication.

(b)  On the filing of an application by an authorized peace officer, a district judge may issue a search warrant under this section for electronic customer data held in electronic storage, including the contents of and records and other information related to a wire communication or electronic communication held in electronic storage, by a provider of an electronic communications service or a provider of a remote computing service described by Subsection (h), regardless of whether the customer data is held at a location in this state or at a location in another state. An application made under this subsection must demonstrate probable cause for the issuance of the warrant and must be supported by the oath or affirmation of the authorized peace officer.

(c)  A search warrant may not be issued under this section unless the sworn affidavit required by Article 18.01(b) sets forth sufficient and substantial facts to establish probable cause that:
(1)  a specific offense has been committed; and
(2)  the electronic customer data sought:
(A)  constitutes evidence of that offense or evidence that a particular person committed that offense; and
(B)  is held in electronic storage by the service provider on which the warrant is served under Subsection (i).
(d)  Only the electronic customer data described in the sworn affidavit required by Article 18.01(b) may be seized under the warrant.

Friday, June 14, 2013

Watch the Terms and Conditions May Apply documentary trailer

If you haven't seen it yet, be sure to check out this trailer for Terms and Conditions May Apply which "examines the cost of so-called 'free' services and the continuing disappearance of online privacy. People may think they know what they give up when they click 'I Agree' on companies like Facebook and Google. They're wrong."

Thursday, June 13, 2013

State appellate court rules on Facebook message authentication and hearsay arguments

In Smith v. State, No. 2012-KA-00218-COA, the Mississippi Court of Appeals addressed authentication and hearsay arguments regarding social networking messages in a case of first impression. The court ultimately found the messages to have been properly admitted.

The defendant was convicted of capital murder for the death of his stepdaughter, a seventeen-month old girl. At trial, the prosecution was allowed to use as evidence Facebook messages sent between the defendant and his wife.

On appeal, the defendant argued that the Facebook messages should not have been admitted because they were not properly authenticated and were hearsay. As to the issue of authentication, the court found the messages to be properly authenticated because the wife testified that the printouts were "Facebook messages between her and Smith."

On the hearsay issue, there were two types of messages before the court. One was an e-mail notification produced automatically by Facebook notifying the wife of a new message, which contained the content of the message itself. The other was a printout of wall postings from the defendant on the wife's page. The court found that because the e-mail was "a fully automatic process, ... [it] may not be considered as hearsay." Comparing the case to a federal court opinion, the court reasoned:
The court noted that when someone forwards an email, he or she has made an out-of-court assertion as to what someone else said. Id. There, however, a person forwarded the message. Thus, there was an assertion and a declarant. Here, an automatic process sent each message. As a result, in this case there was neither an assertion nor a declarant. The email notification, which contained the Facebook message, is not within the definition of hearsay.
The court then found that the defendant's statements were admissions by a party-opponent and therefore not hearsay. The wife's statement "could be hearsay" and no exception was offered by the state, but the error was considered harmless.

Monday, June 10, 2013

Mississippi Law Journal publishes eight articles on technology and search and seizure

Be sure to check out these articles published recently in the Mississippi Law Journal related to technology and the Fourth Amendment, including two on United States v. Jones.
Outgoing Editor-in-Chief of the Mississippi Law Journal Emily Stedman stressed the importance of publishing this biennial book, noting that it addresses "fairly common issues faced by the Supreme Court."

The Journal also publishes an annual book on Fourth Amendment law following the National Center for Justice and the Rule of Law's Fourth Amendment Symposium, organized each year by Professor Thomas Clancy.

"Ultimately, I think it is the hope of the Mississippi Law Journal to remain at the forefront of offerings in this area," concluded Stedman.

Be sure to browse the Journal's archive for previous editions of both publications.

Friday, June 7, 2013

The Verizon FISA Court Order, the PRISM Program, And a Whirlwind Of Commentary: A Look Back At An Eventful Two Days

Late Wednesday night, news from The Guardian broke of a leaked top secret order from the Foreign Intelligence Surveillance Court (FISC), which granted the National Security Agency (NSA) “on going daily” access to all "call detail records" (or “telephony metadata”) in the possession of Verizon Business Network Services for a three-month period. Thursday evening, The Washington Post released presentation slides detailing the NSA and FBI’s PRISM Program, a top-secret program that gave these government entities the ability to extract mass amounts of stored data maintained by nine major US internet companies. Through source materials, commentaries, and the articles themselves, I've attempted to chronicle the events over the past two days.

Wednesday, June 5, 2013

The FISA Court Order Breaks . . .
Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian: Greenwald reports of a leaked FISA Court Order, which grants the NSA 3-month access to Verizon Business Network Services' daily phone metadata. The FISA Court Order is authorized under the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. 1861 (better known as Section 215 of the USA PATRIOT Act).
Responses To The Greenwald Article Begin . . .
Andy Greenberg, NSA's Verizon Spying Order Specifically Targeted Americans, Not Foreigners, Forbes: Greenberg provides some of the first commentary on the leaked FISA Order, explaining the significance of the NSA specifically targeting Americans.
Charlie Savage & Edward Wyatt, U.S. Is Secretly Collecting Records of Verizon Calls, The New York Times: Savage and Wyatt comment on the FISC Order, explaining that the “TOP SECRET//SI//NOFORN” mark on the Order refers to "communications-related intelligence information that may not be released to noncitizens . . . mak[ing] it among the most closely held secrets in the federal government."
Orin Kerr, Is Verizon Turning Over Records of Every Domestic Call to the NSA?, The Volokh Conspiracy: Professor Kerr, a law professor at George Washington University and computer crime expert, comments on the leaked FISA Court Order, calling it "potentially a huge story," and provides some doctrinal points as to the scope of Section 1861.
Thursday, June 6, 2013
Responses To Greenwald's Article Continue . . .
Marc Ambinder, U.S. Responds to NSA Disclosures, The Week: Ambinder provides the talking points released by a "senior government official" in response to the leak of the FISA Court Order. The comments refer to the Order as "classified," but state that the information described in Greenwald's article "has been a critical tool in protecting the nation from terrorist threats to the United States."
From the Desk of Randy Milch, Verizon Policy Blog: While Verizon has been generally silent since the leak, Verizon's Policy Blog releases a letter from Randy Milch, Verizon's Vice President and General Counsel, claiming "no comment" while referencing the Order's "nondisclosure requirement."
Chairman Dianne Feinstein (D-Calif.) & Vice Chairman Saxby Chambliss, Feinstein, Chambliss Statement on NSA Phone Records Program, Press Release: Senate Intelligence Committee Chairman Dianne Feinstein and Vice Chairman Saxby Chambliss release a joint statement commenting on Greenwald's article, claiming that "[t]he executive branch’s use of [its authority under the Foreign Intelligence Surveillance Act] has been briefed extensively to the Senate and House Intelligence and Judiciary Committees, and detailed information has been made available to all members of Congress prior to each congressional reauthorization of this law."
Representative Jim Sensenbrenner (R-Wis 5th), Letter to Attorney General Eric Holder: Rep. Sensenbrenner, considered the Republican author of the PATRIOT Act, writes a letter to the Attorney General stating that the FISA Court Order is "extremely disturbing." Rep. Sensenbrenner would go on to state that he does not believe the Order "is consistent with the requirements of the [PATRIOT] Act."
Andy Greenberg, Senators Grill Attorney General Holder On Whether Verizon Surveillance Targeted Them, Too, Forbes: Greenberg reports that, while testifying before Congress on budgetary matters, Attorney General Eric Holder is questioned on the leak. Senator Mark Kirk (R-Ill.) is reported as asking the Attorney General, “Can you assure us no members of the Capitol building were monitored?” The Attorney General responds by saying he "wouldn’t be able to answer that question in an 'open forum.'"
Stewart Baker, The FISA Court Order Flap: Take a Deep Breath, Skating on Stilts Blog: Baker defends the legality of the FISA Court Order, explaining that to get such an order, "[t]he government had to persuade up to a dozen life-tenured members of the federal judiciary that the order [was] lawful." Baker additionally provides multiple scenarios as to why such an order would be so sweeping and so broad.
The PRISM Program Breaks . . .
Barton Gellman & Laura Poitras, Documents: U.S. Mining Data From 9 Leading Internet Firms; Companies Deny Knowledge, The Washington Post: In a story that looks to have been released in tandem with another Guardian article, Gellman and Poitras provide a "top-secret document" that details "PRISM," an NSA and FBI program that allows these government entities access "into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track one target or trace a whole network of associates." The companies include Google, Facebook, Microsoft, Yahoo, Skype, YouTube, and Apple.
Responses Continue To The PRISM Program & FISA Court Order . . .
Orin Kerr, NSA and FBI Have Real-Time Access to Major U.S. Internet Companies to Track Individuals Outside U.S., The Volokh Conspiracy: Professor Kerr comments on the PRISM Program. In his comments, Professor Kerr provides an important "caveat," stating that "the NSA only pulls out the data when . . . a preponderance of the evidence indicates that the person is outside the United States."
Director James R. Clapper, DNI Statement on Recent Unauthorized Disclosures of Classified Information, Press Release: Director of National Intelligence James Clapper (who will likely need to make another statement now that PRISM has been disclosed) issues a press release in light of the FISA Court Order leak. Director Clapper states that "[t]he unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation."
Amir Efrati, Jessica E. Lessin & Jennifer Valentino-Devries, Tech Firms' Data Is Also Tapped, The Wall Street Journal: Following on the heels of Director Clapper's statements, Efrati, Lessin, and Valentino-Devries confirm that the White House "acknowledged the existence . . . of a secret National Security Agency program dubbed Prism." The article claims that the disclosure was by a "senior administration official" who clarified that the Program "targets only foreigners and was authorized under U.S. surveillance law."
Hopefully this post will provide you with some of the key developments of yesterday's PRISM Program and FISA Court Order leaks. The true impact that these stories may have, however, will most assuredly take longer than two days to develop.

[Author's Note: Speaking of developments . . . Later amendments to Gellman's article and disclosures by these internet companies indicate that the accessed company data was (or is) not "direct." This post has been edited to reflect the adjustment.]