Friday, August 30, 2013

Professor Danielle Keats Citron on the criminalization of “revenge porn” and a cyber civil rights agenda

A recent CNN opinion by Professor Danielle Keats Citron, a law professor at the University of Maryland Francis King Carey School of Law and an affiliate scholar at the Stanford Center on Internet and Society and Yale Information Society Project, calls for the criminal law to take action in deterring and punishing “revenge porn.” Jeffery defined revenged porn in an earlier post as an individual posting “nude images of someone they know on the Internet - often doing so after the end of a relationship.”  As Professor Citron details, the impact on a victim's future employment opportunities, mental and physical well-being, and the overall impact on his or her daily life is no doubt striking.

The criminalization of revenge porn has captured headlines recently due to the introduction of California’s SB 255, which is the latest attempt to criminalize the act. Under the current language of the Bill,
any person who photographs or records by any means the image of another, identifiable person with his or her consent who is in a state of full or partial undress in any area in which the person being photographed or recorded has a reasonable expectation of privacy, and subsequently distributes the image taken, with the intent to cause serious emotional distress, and the other person suffers serious emotional distress would constitute disorderly conduct subject to that same punishment.
However, as Professor Citron outlines, states have substantially fallen behind on criminalizing revenge porn. New Jersey Code 2C:14-9, one of the only laws of its kind, has specifically criminalized revenge porn activities. Some state laws address the issue of distributing sexually explicit images more broadly, such as Texas Penal Code 21.15(B), which prohibits "visually record[ing] another (A) without the other person's consent; and (B) with intent to arouse or gratify the sexual desire of any person." These laws, however, run into a variety of problems when applied to common revenge porn scenarios, one of which is the likelihood that the victim, while in a relationship with the hypothetical poster, consented to the creation of the visual recording.

Professor Citron has written extensively on the issue and has advocated for a “cyber civil rights” agenda highlighted in this 2009 Boston University Law Review article. This 2009 proposal spawned a 2010 symposium hosted by the Denver University Law Review (Part One, Part Two, and Part Three of this symposium are available at the Denver University Law Review Online).

Some of Professor Citron’s other publications on both “revenge porn” and “cyber civil rights” more generally can be found over at Concurring Opinions. Below are some of her more recent posts on the topic  
Blaming the Victim: Been There Before, Concurring Opinions, Feb. 1, 2013 (a response to Professor Mary Anne Frank’s post on “revenge porn”)

Revenge Porn Site Operators and Federal Criminal Liability, Concurring Opinions, Jan. 30 2013 

The Importance of Section 230 Immunity for Most, Concurring Opinions, Jan. 25 2013 

Revenge Porn and the Uphill Battle to Pierce Section 230 Immunity (Part II), Concurring Opinion, Jan. 25 2013
Professor Citron’s CNN opinion is a great read and I applaud her advocacy on the adoption of a cyber civil rights agenda. Some form of response is sorely needed to combat the more unsavory activities occurring online at the expense of others. I do, however, hope that those who are hesitant to react through regulatory measures in fear that such a response could chill free speech protections continue to take an active role in voicing their concerns. It is only through active and open discussion that the criminalization of discriminatory and abusive activities occurring online can properly conform to the protections of the First Amendment. As cyber civil rights issues continue to take shape throughout the country, such as those associated with the revenge porn debate,  I would advise keeping a close eye on the insightful work of Professor Citron.

Thursday, August 29, 2013

McAfree releases "Threats Report: Second Quarter 2013"

A recent blog post by McAfee, a computer software company and subsidiary of Intel Corporation, introduced readers to the McAfee Labs cyberthreat report for the second quarter of 2013.  McAfee Threats Report: Second Quarter 2013 was prepared by McAfee Lab's personnel Toralv Dirro, Paula Greve, Haifei Li, Fran├žois Paget, Vadim Pogulievsky, Craig Schmugar, Jimmy Shah, Ryan Sherstobitoff, Dan Sommer, Bing Sun, Adam Wosotowsky, and Chong Xu. According to the Report's introduction
McAfee Labs researchers have analyzed the threats of the second quarter of 2013. Several trends are familiar: steady growth in mobile and overall malware. A cyberespionage attack against South Korea and a further increase in worldwide spam are further attention grabbers
Publicly reported data breaches have averaged a relatively flat line for the past three quarters. Outsiders steal data more often than insiders, but this is one threat area in which our data comes from victims, who may not feel like exposing all of their weaknesses. MySQL still leads enterprise databases in the number of reported vulnerabilities.
As detailed in McAfee's blog post, written by Robert Siliciano, the Report found four major areas in which the cybercriminal community is executing its attacks: (1) "Malicious apps on Android-based mobile devices," (2) "Infecting websites to distribute malware" (3) "Holding your devices hostage with ransomware" and (4) "Sending spam promoting fake pharmaceutical drug offers." Both the blog post and the Report provide for a very interesting take on the current state of cybercrime.

Wednesday, August 28, 2013

Website Banner Defeats Numerous Fourth Amendment Objections in CP Case

A federal district judge recently held in a child pornography (CP) case that the website's banner doubly defeated any Fourth Amendment objection to an investigator's use of the site to collect evidence of possession and distribution of CP. The case, United States v. Bode, No. 1:12-cr-00158-ELH (D. Md. Aug. 21, 2013), rests on evidence developed by a government investigator (Burdick) who was granted administrator-level access to a website where the defendant (Bode) was allegedly posting CP. The website in question (which has since been shut down) offered users a real-time chat service, including the ability to send messages and images to public chat rooms, as well as "privately" to individual users. The site logged timestamps, IP addresses, message contents, images, and public chat room history for review by its administrators, though individual users could not see or review their own usage history after a chat session was over. The website also required acceptance of its terms of service before allowing users to post or receive messages. Its terms read:
Posting photos, graphics or cartoons showing persons under 18 years of age is not allowed. Child pornography or other illegal material will immediately be reported to the posters [sic] local authorities. Requesting images of the above nature is not allowed. All posted pictures and conversations, public and private, are logged and supervised. [The websitemay disclose these communications to the authorities at its discretion.
The final sentence (emphasis added) was appended at Burdick's request during his investigation, before the CP images at issue in the case were allegedly posted.

But first, the backstory: Burdick, an agent with the Department of Homeland Security's Immigration and Customs Enforcement (Child Exploitation Investigations Group), heard that users of this website were trading. Without getting a warrant or a court order, he began looking into the site and observed users posting CP using the chat service. Burdick checked with the website's domain name registrar to try to identify its operator and found that its administrator was located in Sweden. Since it is more complicated to serve process on a foreign entity (and it is unclear whether Burdick would have had the authority to do so), he emailed the site operator to ask for cooperation in his CP investigation. The site operator enthusiastically complied, giving Burdick an administrator-level account on the website so he could directly review the site's logs. Burdick used his administrative access to identify users who had been reported by others for (potentially) trading CP, and then began checking the logs generated by those particular users more carefully.

Eventually Burdick checked with an Assistant United States Attorney, who recommended that he ask for changes to the website's terms of service, italicized above. (The US Attorney's office also declined to use any evidence developed before the language was appended.) After the terms of service were changed, Burdick used the administrator function to save logs and images users sent to public chat rooms and as private messages to other users. Burdick collected evidence that a user had posted CP from what turned out to be defendant Bode's IP address. This eventually served as probable cause for a warrant to search his home and computers for CP, which revealed additional CP on Bode's computer.

Suppression Analysis

Bode moved to suppress all of the evidence against him as fruit of the poisonous tree, on grounds that Burdick's initial investigation violated the Fourth Amendment, the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., and the Wiretap Act, 18 U.S.C. § 2510 et seq. The court dealt with the Wiretap Act and SCA claims easily: neither statute includes a suppression remedy for information obtained from "electronic communications" like those here, while the Wiretap Act does include a suppression remedy for information obtained intercepted in real time from "wire or oral communication," at 18 U.S.C. § 2515. This made it easy for the court to conclude that when Congress did not include a suppression remedy for electronic communications, it did so with a specific intent not to create such a remedy. The court therefore declined to find an implied statutory right of suppression.

The constitutional claim, violation of the Fourth Amendment, is more interesting, since it could give rise to a suppression remedy (though somewhat ironically, constitutional suppression is a court-created remedy, see Weeks v. United States, 232 U.S. 383 (1914)). As a preliminary matter, the parties had conceded (for the purposes of the Fourth Amendment analysis in the motion at issue here) that the website had become the government's agent, by granting Burdick administrator-level access and changing the language of its banner at his request. Nevertheless, the court held that the banner to which Bode agreed in order to use the chat service constituted two separate grounds for eliminating any Fourth Amendment objections to Burdick's collection of evidence:

First, the banner defeated any reasonable expectation of privacy, which is a prerequisite for any protectable Fourth Amendment interest under Katz v. United States, 389 U.S. 347 (1967). The Bode court compared the banner's language to other cases in which a reasonable expectation of privacy had been at issue, finding that the added text ("[The website] may disclose these communications to the authorities at its discretion.") put the issue beyond doubt, as the AUSA had hoped: users had given up their expectations of privacy. Under this theory, no protectable privacy interest existed, and no constitutional "search" ever occurred, so there was no Fourth Amendment violation and no reason to suppress the resultant evidence.

Second, the court found that even if a search had occurred, the banner indicated consent to that search. Bode tried to argue that his consent had been limited in scope to investigation by the website operator, not the government, but the court was having none of it, instead finding that there was "no meaningful distinction" between the consent Bode had given (for the website operator to turn over information to the authorities) and what actually happened (the operator creating an administrator account for the investigator). This consent was therefore sufficient to allow Burdick's collection of evidence even if it was a Fourth Amendment search.

The government also argued that the website operator had "common authority" to consent to searches of its logs, but the court did not address this argument, having already found two grounds for denying Bode's motion to suppress. Had the court addressed the issue, it probably would have been able to find the site administrator, which had the right to examine its logs, also had the right to authorize their search under the common authority doctrine of United States v. Matlock, 415 U.S. 164 (1974) (finding common authority over shared room sufficient) and Frazier v. Cupp, 394 U.S. 731 (1969) (finding shared use of a duffel bag sufficient). In fact, since the operator could view the logs while ordinary users could not, I found this to be the government's strongest argument, and I am not sure why the court did not even address it.


In any event, this one banner did quite a bit of work: the court's denial of suppression almost certainly means Bode is out of arguments and will be convicted. And it likely means other users of the site will be (or already have been) prosecuted for similar crimes: one of Burdick's emails thanking the website operator for cooperating with the investigation mentioned that he had found "roughly 25 users" in the United States violating CP laws. So, while the website might be gone, the text of its banner may have even more work to do in the courts.

A Footnote

The Bode court also notes that the website operator who was willing to help with the investigation -- seemingly a decent character -- was later tried, convicted, and imprisoned in the Philippines for sex trafficking.

Tuesday, August 27, 2013

Around the Net: Deleting your Internet presence, More on Silk Road, Credit ratings based on Facebook friends, and more

Here are a few links to some good articles from around the Internet:
  • Find out how to delete all of your data on social networking sites in a one-stop website with this article on Wired.
  • The Economist discusses Silk Road which "allows dealers in drugs and other illegal products to meet online without leaving any trace of their identity." (Read more from Cybercrime Review on Silk Road here.)
  • New companies evaluate credit worthiness based on your Facebook friends. Find out more from CNN Money.
  • Miss Teen USA uses position and personal experiences to help fight cybercrime as a reported by the Today Show.

Friday, August 23, 2013

Featured Paper: Upcoming law review article addresses cell tower dumps and the Fourth Amendment

A recently accepted article in the University of Pennsylvania Journal of Constitutional Law addresses the use of cell tower dumps by law enforcement. A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time (see a prior post about the type of process needed for tower dumps here).

The article by Texas Tech Visiting Assistant Professor Brian Owsley, "The Fourth Amendment Implications of the Government's Use of Cell Tower Dumps in its Electronic Surveillance", is an excellent look at this little-known but widely used technology and the legal issues arising therefrom. Here's the abstract:
Privacy concerns resonate with the American people. Although the right to privacy is not explicitly protected in the United States Constitution, the Supreme Court has found the right to privacy rooted within the Constitution based on various amendments. In the modern era, with rapid advances in technology, threats to privacy abound including new surveillance methods by law enforcement. There is a growing tension between an individual’s right to privacy and our collective right to public safety. This latter right is often protected by law enforcement’s use of electronic surveillance as an investigative tool, but may be done at times inconsistent with constitutional rights.

Recently, the American Civil Liberties Union brought to light the popular use of government surveillance of cell phones, including the gathering of all cell phone numbers utilizing a specific cell site location. Known as a “cell tower dump,” such procedures essentially obtain all of the telephone number records from a particular cell site tower for a given time period: “A tower dump allows police to request the phone numbers of all phones that connected to a specific tower within a given period of time.” State and federal courts have barely addressed cell tower dumps. However, the actions by most of the largest cell phone providers, as well as personal experience and conversations with other magistrate judges, strongly suggest “that it has become a relatively routine investigative technique” for law enforcement officials.

No federal statute directly addresses whether and how law enforcement officers may seek a cell tower dump from cellular telephone providers. Assistant United States Attorneys, with the encouragement of the United States Department of Justice, apply for court orders authorizing cell tower dumps pursuant to a provision in the Electronic Communications Privacy Act of 1986. The pertinent provision poses a procedural hurdle less stringent than a warrant based on probable cause, which in turn raises significant constitutional concerns.

This article provides a brief description of cellular telephone and cell-site technology in Part I. Next, Part II addresses the evolution of Fourth Amendment jurisprudence and argues that the reasonable expectation of privacy standard applies to electronic surveillance such as cell tower dumps. In Part III, the discussion follows the development of statutes addressing electronic surveillance and argues that cell tower dumps request more information than simply just telephone numbers. Part IV analyzes records from both cellular service providers and the federal government to conclude that cell tower dumps routinely occur. Part V assesses the few decisions that even discuss cell tower dumps and argues that the analysis is either non-existent or flawed regarding the use of the Stored Communications Act to permit cell tower dumps. Next, Part VI asserts that cell tower dumps cannot be analyzed pursuant to the Stored Communications Act because the language of the statute is inapplicable and the amount of information sought requires a warrant based on probable cause and concludes by proposing some protocols to safeguard individual privacy rights.

Wednesday, August 21, 2013

New CFAA Complaints - Civil employee disloyalty cases dominate, reinforcing shift away statute's anti-hacking genesis

Cybercrime Review will now be posting, on an ongoing basis, new complaints alleging CFAA violations. This serves two purposes: (1) to make our readers aware of new cases that may be worth following, and (2) to provide a survey of how CFAA litigation has evolved as courts have grappled with the scope and purpose of the statute.

August filings of note:

91. Based on this initial research, Burns and Smith further investigated Defendants' actions prior to and following their resignations. 
92. Burns and Smith quickly discovered additional emails on Clinton Rubin's computer systems and network evidencing Defendants' efforts to divert the Company's valuable confidential, proprietary, and trade secret information, including, but not limited to, Clinton Rubin's financial statements; schedules and related information; business plans and strategy documents; business documents; customer information; contact lists; marketing documents, qualification documents, and sales and marketing information; client planning documents, work products, deliverables and other client information; resumes; affiliation, joint venture and alliance information and contracts; association and membership information; contracts including, but not limited to, client Non-Disclosure Agreements and Confidentiality Agreements, Master Services Agreements, Statements of Work, Subcontractor Agreements and other contractual documents made on behalf of Clinton Rubin; Clinton Rubin account information and passwords; and other Clinton Rubin confidential information, intellectual property, and client owned information. 
93. For example, in an email to Defendant Solak and Sandow, Defendant Pickens wrote the following: “Same with this. Stealing other people's stuff was effective in kindergarten and is effective now!”
129. Defendants, prior to withdrawing, regularly accessed Clinton Rubin's computers, computer network, computer systems, computer files, electronic files and/or email accounts without authorization and/or in a manner that exceeded their authorization. 
130. Defendants also utilized Clinton Rubin's computers, computer network, computer files, computer systems, electronic files and/or email accounts to give instructions to a third-party to obtain Clinton Rubin's information for an improper purpose. 
131. Clinton Rubin's computers, computer network, computer systems, computer files, electronic files and/or email accounts that were used and/or accessed by Defendants prior to and following their withdrawal qualify as “protected computers” under the CFAA, 18 U.S.C. § 1030(e), because they are used in or affecting interstate or foreign commerce or communication. 
132. Without authorization and/or in a manner that exceeded their authorization, Defendants knowingly accessed, or caused another person to knowingly access on their behalf, Clinton Rubin's computers, computer network, computer systems, computer files, electronic files and/or email accounts with the intent to defraud and/or misappropriate Clinton Rubin's valuable confidential, proprietary, and trade secret information, including, but not limited to, Clinton Rubin's intellectual property, customer lists, financial data, marketing data, and client owned data, by forwarding, or causing another person to forward, such information to their personal email accounts in violation of the CFAA, corporate policy and their fiduciary duties as Members of Clinton Rubin. 
133. As a result of Defendants' actions and/or the actions Defendants caused to occur, Defendants furthered their intended fraud and/or misappropriation and obtained Clinton Rubin's valuable confidential, proprietary, and trade secret information and/or caused an impairment to the integrity and/or availability of Clinton Rubin data, programs, systems, or information, including, but not limited to, Clinton Rubin's intellectual property, customer lists, financial data, marketing data, and client owned data which carry a value in excess of $5,000. 
134. Defendants' conduct and/or the conduct Defendants cause to be conducted involved interstate or foreign commerce or communication. 
135. Defendants' conduct and/or the conduct Defendants cause to be conducted constituted a serious breach of loyalty owed to Clinton Rubin as former Members by accessing and misappropriating Clinton Rubin's valuable and protected information for their own personal gain and against the interest of Plaintiff. 
136. In an attempt to disguise their fraud and/or misappropriation, Defendants, with full knowledge and motive to do so, attempted to and did in fact delete relevant emails reflecting their misappropriation of Clinton Rubin's valuable trade secret information and diversion of business opportunities from Clinton Rubin to their newly founded competing venture. 
137. Through Defendants' unlawful access, copying, and alteration of Plaintiffs valuable confidential, proprietary, and trade secret information, Defendants furthered their intended fraud and/or misappropriation of Clinton Rubin's valuable trade secret information. 
138. Defendants' actions violate the CFAA and have caused Clinton Rubin damage. 
139. Plaintiff has no adequate remedy at law and will continue to suffer substantial and immediate irreparable harm unless Defendants are immediately enjoined pursuant to 8 U.S.C. § 1030(g) (“Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”).
15. Following the formation of SOUTH VALLEY BIOLOGY CONSULTING, LLC, its owners and members embarked on a scheme to recruit and hire Plaintiffs staff biologists, and to illegally acquire Plaintiffs confidential work product and intellectual property in order to gain a competitive advantage over Plaintiff. As a result, Defendants NINA E. HOSTMARK, MICHAEL V. PHILLIPS, and PAUL ROSEBUSH left the employ of Plaintiff and joined SOUTH VALLEY BIOLOGY CONSULTING, LLC. 
16. Following the departure of NINA E. HOSTMARK, MICHAEL V. PHILLIPS, and PAUL ROSEBUSH, Plaintiffs managers discovered that its work product and intellectual property, in the form of original copies of its biological reconnaissance data and reports, were missing from the company's files, and that electronic copies of such data and reports had been removed and/or copied from the company's computers. 
17. Soon thereafter, several of Plaintiff's clients advised that existing contracts with Plaintiff were being terminated and given to SOUTH VALLEY BIOLOGY CONSULTING, LLC, and that future work involving biology reconnaissance and reporting would be performed by SOUTH VALLEY BIOLOGY CONSULTING, LLC. These clients include, but are not necessarily limited to Berry Petroleum, Aera Energy, Macpherson Oil, Co., Plains Pipeline, and Occidental. 
18. Around the same time, it was also discovered by Plaintiff that significant portions of Plaintiff's confidential work product and intellectual property relating to biological studies and reports completed by Plaintiff were being utilized by Defendants and incorporated into the reports of SOUTH VALLEY BIOLOGY CONSULTING, LLC, all without the permission of Plaintiff. Data, analysis and report narratives published by SOUTH VALLEY BIOLOGY CONSULTING, LLC, including typographical errors, were identical to the data, analysis and report narratives prepared by Plaintiff. 
19. Plaintiff has also learned that, during 2012 and 2013, the web site and promotional materials for SOUTH VALLEY BIOLOGY CONSULTING, LLC contained copies of confidential work product created by Plaintiff; and that Plaintiffs former employees named in this complaint, now owners, members or employees of SOUTH VALLEY BIOLOGY CONSULTING, LLC were claiming responsibility for, and ownership of, such confidential work product and intellectual property generated by Plaintiff.
21. Plaintiff alleges that Defendants NINA E. HOSTMARK, MICHAEL V. PHILLIPS and PAUL ROSEBUSH within the last two years preceding the filing of this complaint each intentionally, illegally, and without authorization, removed Plaintiffs confidential work product and intellectual property from Plaintiffs computers prior to their leaving Plaintiffs employ. 
22. Plaintiff alleges that Defendants NINA E. HOSTMARK, MICHAEL V. PHILLIPS and PAUL ROSEBUSH each intentionally, illegally, and without authorization, transmitted the confidential work product and intellectual property to SOUTH VALLEY BIOLOGY CONSULTING, LLC and to Defendants JAMES W. JONES, JR. and JASON H. KANG in person or by e-mail transmission. 
23. Plaintiff alleges that Defendants NINA E. HOSTMARK, MICHAEL V. PHILLIPS and PAUL ROSEBUSH, while they were still employed by Plaintiff, intentionally, illegally, and without authorization, communicated by e-mail with existing clients of Plaintiff for the purpose of soliciting such clients and for the purpose of diverting the work covered by Plaintiffs contracts with the existing clients to the benefit of SOUTH VALLEY BIOLOGY CONSULTING, LLC. 
24. At all times, the removal, copying and transmission of confidential work product and intellectual property, and the e-mail communications with competitors, were performed without the knowledge, authorization or consent of Plaintiff. 
25. As a direct and proximate result of the illegal and unauthorized use of Plaintiff's computers by Defendants NINA E. HOSTMARK, MICHAEL V. PHILLIPS and PAUL ROSEBUSH, Plaintiff has sustained economic damages exceeding $5,000.00 over the last one-year period in the form of lost current and future income, has required Plaintiff to expend resources to investigate the adequacy of its computer security systems, and required Plaintiff to expend resources to replace the work product and intellectual property illegally removed from Plaintiffs computers.
1. Pearson is a former Area Manager and Branch Manager for XTRA. This action arises largely out of Pearson's misappropriation of XTRA's confidential, competitively-valuable and trade secret information in connection with his recent resignation from XTRA on July 3, 2013, and his subsequent employment with XTRA's direct competitor, Premier Trailer Leasing, Inc. (“Premier”). 
2. By mid-June 2013, and while Pearson was in active discussions with Premier's President and Vice President to join Premier, Pearson (a) improperly downloaded and copied onto an unapproved HP v125w USB portable electronic device (the “HP Device”) and/or (b) improperly e-mailed to his personal e-mail address, confidential, competitively-valuable and trade secret information pertaining to XTRA's business. Pearson's misconduct continued after he received his June 28, 2013 offer letter from Premier, and further continued after he signed and dated Premier's offer letter on July 1, 2013. Pearson, however, did not tell XTRA he was resigning until July 3, 2013, and his improper copying and downloading of XTRA's confidential and competitively-valuable information onto the HP Device continued until July 3, 2013 - which was his last day of employment at XTRA. 
3. As Branch Manager for XTRA's Allentown, Pennsylvania office, Pearson had no legitimate reason to e-mail to his personal e-mail address or to download and transfer XTRA's confidential information onto the portable HP Device in connection with his departure or possible departure from XTRA and his plan to join Premier. On July 3, 2013, for example, Pearson improperly copied onto his HP Device detailed confidential and trade secret information pertaining to XTRA's business in Chicago, Louisville and Memphis, even though he was Branch Manager only for Allentown. In short, Pearson on information and belief was improperly accessing, downloading, copying onto the HP Device and/or e-mailing to his personal e-mail address significant confidential, competitively valuable and trade secret information of XTRA in order to help him and Premier.
121. Pearson's conduct described above violates the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Pearson's conduct, at a minimum, violates 18 U.S.C. § 1030(a)(2)(C). 
122. XTRA's XTRALink, databases and servers, as well as Pearson's XTRA company laptop, are “computers” and “protected computers” under 18 U.S.C. § 1030(e)(1) and (2).
123. Pearson was not authorized to access XTRA's XTRALink, databases or servers or his XTRA laptop computer in order to review, download or copy XTRA's confidential, proprietary, competitively valuable or trade secret information to help Premier and/or to help him compete after he joined Premier. Pearson also was not authorized to access XTRA's XTRALink, databases or servers or Pearson's XTRA laptop computer in order to e-mail any such information to his personal e-mail address for such purposes. 
124. Pearson acted without authorization and/or in excess of his authorization in accessing XTRA's XTRALink, databases and servers, and/or Pearson's XTRA laptop computer, in order to review, download or copy and/or e-mail to his personal e-mail address, XTRA's confidential, proprietary, competitively valuable or trade secret information to help Premier and/or to help him compete after he joined Premier. 
125. Pearson's conduct described above has caused XTRA damage and loss. XTRA's damage and loss include, but are not limited to, (a) expenses, fees and costs incurred to uncover and determine the extent of Pearson's computer-related misconduct; and (b) damages and/or losses in an amount not yet determined resulting from the impairment of the integrity of the data and/or information pertaining to Pearson's computer-related misconduct. Such damages and/or losses are already well in excess of $5,000.

Tuesday, August 20, 2013

District court finds government "failed to meet its burden through and through" in child pornography restitution case

In United States v. Loreng, No. 12-132 (D.D.C. 2013), the district court denied an award of restitution to child pornography victims "Amy" and "Cindy" after strongly criticizing the prosecution.

The way in which restitution is awarded in child pornography cases has been addressed by most circuits, including the D.C. Circuit. The predominant issues are whether a defendant is required to have proximately caused harm to the victim and whether the defendant is liable for the entire damages or only a fraction. See my previous posts on the issue for more background.

In Loreng, the court addressed the many issues at length and found issue with many issues, most notably how both parties wanted to calculate restitution.
  • Prosecution: "[D]ivide the total loss (past, present, and future) resulting from the continued viewing of the images by the number of individuals (apprehended or not) who engaged or will engage in the act of viewing an image... [and] deviate upward [as necessary]."
  • Defense: "Loreng would require in each case a victim statement reflecting knowledge of the particular defendant, a psychological report evaluating a victim's response to each defendant, an economic report produced after the defendant's acts, and an expert report from a statistician that takes into account a multitude of factors, including each defendant's offender characteristics.... [T]he court doubts that anything this costly and unworkable is required."
Ultimately, the court denied restitution and concluded:
Regardless of what a perfect record would reveal in this case, the fact remains that the record here is anything but perfect. The government has failed to make a showing as to critical questions. It has failed to establish that Loreng viewed or even possessed an image of either Amy or Cindy; it has failed to support the total economic loss figure for Amy; and it has failed to establish the number of defendants convicted for possessing or distributing Amy's images. For both Amy and Cindy, the government has provided evidence that falls far short of "reasonable certainty" as to the amount of their losses from Loreng's conduct. The government failed to meet its burden through and through—and not for lack of warning by the Court. Accordingly, the Court must award no restitution in this case.

Monday, August 19, 2013

Must Read: Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

Steven M. Bellovin (Columbia), Matt Blaze (Penn), Sandy Clark (Penn), and Susan Landau (Harvard; Sun Microsystems) have posted an incredible paper that was presented at the Privacy Legal Scholars Conference in June 2013. The paper is entitled "Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet"; I have a general aversion to the term "must read," so my use of that term is indicative of the quality of the content.

 The abstract:
For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, though, the changing structure of telecommunications — there was no longer just “Ma Bell” to talk to — and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), which mandated a standardized lawful intercept interface on all local phone switches. Technology has continued to progress, and in the face of new forms of communication — Skype, voice chat during multi-player online games, many forms of instant messaging, etc.— law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, they want changes to the wiretap laws to require a CALEA-­like interface in Internet software.  
CALEA, though, has its own issues: it is complex software specifically intended to create a security hole — eavesdropping capability — in the already-­complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, but time has proven the experts right. The so-­called “Athens Affair”, where someone used the built-­in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system. 
In this paper, we explore the viability and implications of an alternative method for addressing law enforcement's need to access communications: legalized hacking of target devices through existing vulnerabilities in end-­user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable. 
Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are: 
• Will it create disincentives to patching?
• Will there be a negative effect on innovation? (Lessons from the so-­called “Crypto Wars” of the 1990s, and, in particular, the debate over export controls on cryptography, are instructive here.)
• Will law enforcement’s participation in vulnerabilities purchasing skew the market?
• Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role?
• Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals?
• What happens if these tools are captured and re-purposed by miscreants?
• Should we sanction otherwise-­illegal network activity to aid law enforcement?
• Is the probability of success from such an approach too low for it to be useful? 
As we will show, though, these issues are indeed challenging. We regard them, on balance, as preferable to adding more complexity and insecurity to online systems.

Feds decrypt two hard drives in Wisconsin case, defendant arrested on CP charges

Over the past several months, I've written a few times about the ongoing Wisconsin encryption case. Here are the posts for background.
The feds had been unable to break the encryption on the defendant's hard drives, but a major breakthrough last week resulted in the defendant's arrest for child pornography.

According to the Journal Sentinel, the Assistant U.S. Attorney on the case announced that two of the nine hard drives had been decrypted. Those two drives contained "preteen children in images of sexual assault, bondage and bestiality."

The court has yet to decide whether the defendant will be ordered to decrypt the remaining hard drives.

The criminal complaint is available here.

Thursday, August 15, 2013

"The age of narcotics e-commerce has arrived" says Andy Greenberg, demonstrates Silk Road online drug purchase in Forbes article

Andy Greenberg, a Forbes journalist focusing on technology, privacy, and information security topics, authored two startling articles about the online drug market. Both Justin and Jeffery have touched on the increased attention that online drug markets (like Silk Road, the focus of Greenberg's articles) have received over the past year. Greenberg's recent reports, however, provide a new look into the illicit trade, and both articles are a must read.

Meet the Dread Pirate Roberts, The Man Behind Booming Black Market Drug Website Silk Road, Forbes, August 14, 2012
Greenberg's first article provides a rare interview with the self-proclaimed "center of trust" for one of the web's most notorious online drug exchanges, Silk Road. Greenberg's interview with "Dread Pirate Roberts," the site's operator, details how Silk Road has amassed, according to Forbes' estimates, an "annual run-rate of $30 million to $45 million." The interview with Dread Pirate Roberts details how Silk Road uses anonymity software (such as Tor) and open-source cryptocurrency (such as BitCoin) to facilitate the purchases on the site. Even more interesting is Greenberg's take on how, "[a]s with physical drug dealing, a turf war has emerged" in the online drug trade. This article is also set to appear in the September 2, 2013 issue of Forbes.    

Here's What It's Like To Buy Drugs On Three Anonymous Online Black Markets,  Forbes, August 14, 2012
Taking his investigative report on the online drug trade a step further, Greenberg and the team at Forbes actually tested the drug-buying process. Using "the three most well-known online anonymous black markets: The Silk Road, Atlantis and Black Market Reloaded," Greenberg's article describes how he and his team "purchased  . . . small amounts of marijuana." Don't worry, as Greenberg's article explains, the team's lawyer insisted he destroy the "product." This video, released by Forbes, accompanied Greenberg's articles (and documents the "product's'" distruction)

These recent articles by Andy Greenberg and the Forbes team are quite compelling and demonstrate how the drug trade, unfortunately, has started to transform and grow in a digital age.

Tuesday, August 13, 2013

Virginia man pleads guilty after posting Craigslist ads which sent nearly 100 men to victim's house for sex

A 61-year-old Virginia man pled guilty yesterday to stalking and identification fraud charges after having made over 160 posts on Craigslist in order to have men go to his ex-girlfriend's house seeking sexual encounters.

The posts, over 100 of which were made while at his job at the Library of Congress, contained the victim's home address and photograph. According to the United States Attorney's Office for the Western District of Virginia,
Between January and March 2013 more than 100 men appeared at or around the victim’s home seeking sexual encounters with her based upon the ads posted by Kuban. In one instance, a man arrived at the victim’s home with a crowbar in order to pry open an electronic gate the victim had installed to protect herself. The man brought the crowbar at the urging of Kuban, posing as the victim. The threat to the victim’s safety became so great that local law enforcement felt it necessary to post deputies at her home to deter trespassing and harassment.
The defendant faces up to 15 years in prison.

Monday, August 12, 2013

Second LulzSec hacker sentenced in California federal court

According to a press release issued by federal prosecutors on Thursday, August 8, 2013,  Raynaldo Rivera (known online as "neuron") "was sentenced  . . . to one year and one day in federal prison for participating in an extensive computer attack that compromised the computer systems of Sony Pictures Entertainment." According to the release, District Judge John A. Kronstadt with the Central District Court of California ordered Rivera to "13 months of home detention, to perform 1,000 hours of community service and to pay $605, 663 in restitution," in addition to his prison sentence. Rivera is the second member of the "hacking group" to be sentenced for involvement in the Sony Pictures hack, which exposed online the personal information of over 130,000 individuals.

According to a press release by the Federal Bureau of Investigations back on August 28, 2012, Rivera surrendered to authorities after a sealed indictment was issued by a federal grand jury on August 22, 2012. The FBI press release briefly described the indictment, as follows
The indictment alleges that in order to carry out the attack, Rivera allegedly used a proxy server in an attempt to mask or hide his Internet protocol (IP) address. The indictment alleges that Rivera and co-conspirators, including defendant Cody Kretsinger, who was indicted in September 2011 in connection with the same intrusion, obtained confidential information from Sony Pictures’ computer systems using an SQL injection attack against its website. An SQL injection attack is a technique commonly used by hackers to exploit vulnerabilities and steal information. The indictment alleges that Rivera and his co-conspirators distributed the stolen information, including by posting the data on LulzSec’s website, and by announcing the attack via its Twitter account.
Rivera would plead guilty in October 2012 for conspiring to cause damage to a protected computer. As the recent press release details, Kretsinger (known online as "recursion") was sentenced by Judge Kronstadt back in April. Kretsinger's sentence, which was similar to the Rivera order, was also detailed in the recent press release
In addition to [a prison term of one year and one day], Judge Kronstadt ordered Kretsinger to serve one year of home detention following the completion of his prison sentence, to perform 1,000 hours of community service, and to pay $605,663 in restitution.
Author's Note: For a little more information about the Sony Pictures hack by LulzSec (and a great read), I would suggest Parmy Olson 2012 book, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency.

Wednesday, August 7, 2013

Police in Mississippi investigating Twitter parody accounts

Police in a small Mississippi town are investigating the ownership of two parody Twitter accounts. According to the Clarion-Ledger, one of the accounts was created after the city's Chief Administration Officer was fired by the Board of Aldermen and the other after a veto by the mayor was overridden by the board.

The two accounts were supposedly labeled as parodies, but the yet-to-be-discovered account owner(s) could end up facing criminal charges under a 2011 Mississippi law. The statute made it a misdemeanor to impersonate another person on the Internet.
[A]ny person who knowingly and without consent impersonates another actual person through or on an Internet website or by other electronic means for purposes of harming, intimidating, threatening or defrauding another person is guilty of a misdemeanor.
While the statute does not explicitly exempt parody impersonations, is does require that "another person would reasonably believe ... that the defendant was or is the person who was impersonated." Surely labeling the account as a parody would fix that.

The statute punishes the crime with a fine of $250 to $1,000 and/or between 10 days and a year in prison.

Monday, August 5, 2013

Five hackers indicted in New Jersey federal court for "largest known data breach conspiracy"

UPDATE: The title of this article has been edited to avoid any confusion. A grand jury sitting for the District Court of New Jersey returned an indictment against the named defendants. The district court did not itself indict the defendants. My apologies for any who many have misinterpreted the original heading.

The Department of Justice announced last Thursday, July 25, 2013, that a federal indictment has been issued charging five individuals from Russia and Ukraine for one count of conspiracy to commit computer hacking, one count of conspiracy to commit wire fraud, six counts of unauthorized computer access, and three counts of wire fraud. A recent press release by the U.S. attorney's office has called this indictment the “largest known data breach conspiracy" ever prosecuted by the United States.

According to the release, the five defendants, Vladimir Drinkman, Alexandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets, in cooperation with four other co-conspirators, “allegedly sought corporate victims engaged in financial transactions, retailers that received and transmitted financial data and other institutions with information they could exploit for profit.” The alleged victims include “NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.” The group is alledged to have stolen “more than 160 million credit card numbers,” resulting in “hundreds of millions of dollars in losses.”

The indictment claims that the defendants utilized sophisticated hacking techniques that compromised users' personal information maintained by the victimized companies.The defendants then sold the information "dumps" to resellers who then, according to the indictment, "sold them either through on-line forums or directly to individuals and organizations ('cashers')."

The indictment itself outlines some of the methods the group is alleged to have used in order to gain access to the companies' information and to conceal their activities. Included in the indictment are allegations that the group used SQL injection attacks (or "methods of hacking into and gaining unauthorized access to computers connected to the Internet") and utilized so-called "bulletproof hosting" ( or "leasing servers from which law enforcement supposedly could not gain access or obtain information"). This will be an interesting case, and definitely one to keep an eye on.

Author's Note: My first thought when reading through the indictment related to extradition (specifically, I wondered how the United States planned to properly prosecute five individuals from Russia and Ukraine). As I believe I might not be the only one with such a question, I thought I should provide a small exerpt from the press release that addresses that issue
Drinkman and Smilianets were arrested at the request of the United States while traveling in the Netherlands on June 28, 2012. Smilianets was extradited Sept. 7, 2012, and remains in federal custody. He will appear in District of New Jersey federal court to be arraigned on the superseding indictment on a date to be determined. Drinkman is in custody in the Netherlands pending an extradition hearing. Kalinin, Kotov and Rytikov remain at large. All of the defendants are Russian nationals except for Rytikov, who is a citizen of Ukraine.
Mystery solved.

2nd Author's Note: Brian Krebs, a former reporter with the Washington Post and current blogger at KrebsOnSecurity, provided some great commentary on the recent indictment here.

Thursday, August 1, 2013

Defense suggests improprieties in Wisconsin encryption case

Several months ago I wrote about an encryption case in Wisconsin where the magistrate had ordered production of the decrypted data, and then the district court judge suspended the order. Since then, several interesting things have happened. First, the prosecution argued that the defendant could forget the password so he needed to provide it, and it could be kept by a third party.

Now, the defense is arguing that prosecutors may have "intentionally or recklessly mislead the court," according to an article published last week by the Journal Sentinel in Milwaukee.

The forced decryption issue is one that continues to develop across the country, and we have yet to see a clear pattern develop in the handful of courts to decide the issue. Visit our encryption label to read about related cases on encryption and compelled production.