Wednesday, October 22, 2014

Defamation, Facebook and the Seventh-Graders

This post examines a recent opinion the Court of Appeals of Georgia issued in a civil case:  Boston v. Athearn, 2014 WL 5068649 (2013).  As the court explains,
Alexandria Boston (`Alex’), a minor, through her parents Amy and Christopher Boston, brought this action in the Superior Court of Cobb County against Dustin Athearn, a minor, his parents, Sandra and Michael Athearn, and other defendants. 
Boston v. Athearn, supra. 
In their suit, the Bostons claimed “Dustin defamed Alex” and that his actions also “constituted intentional infliction of emotional distress.” Boston v. Athearn, supra.  The defendants – “`the Athearns’” – “moved for summary judgment”, the trial judge granted their motion, which effectively ended the lawsuit and the Bostons then appealed that ruling.  Boston v. Athearn, supra. 
The Athearns filed their motion for summary judgment under Georgia Code of Civil Practice § 9-11-56(c).  As Wikipedia explains, a judge can grant a motion for summary judgment only if he/she finds that
there are no disputes of `material’ fact requiring a trial to resolve, and in applying the law to the undisputed facts, one party is clearly entitled to judgment.Summary judgment lets courts dismiss lawsuits when the facts alleged would not, even if proven by a preponderance of the evidence, justify a verdict in the plaintiffs’ behalf.   
The Court of Appeals began its opinion by explaining how that in 

early May 2011, Dustin, who was 13 years old, and his friend, Melissa Snodgrass, agreed to have some fun at a classmate's expense by creating a fake Facebook page for that person. Dustin selected Alex, a fellow seventh-grader, as their target, and Melissa agreed. Melissa, posing as Alex, created a Yahoo e-mail account to use to create a new Facebook account, and gave that information to Dustin.

On May 4, using a computer supplied by his parents for his use and the family Internet account, Dustin posed as Alex to create a new Facebook account, using the Yahoo e-mail address and the password Melissa supplied. For the profile photo, Dustin used a photo that he had taken of Alex at school, after altering it with a `Fat Face’ application.

After Dustin created the account, both Dustin and Melissa added information to the unauthorized profile, which indicated, inter alia, racist viewpoints and a homosexual orientation. Dustin and Melissa also caused the persona to issue invitations to become Facebook `Friends’ to many of Alex's classmates, teachers, and extended family members.

Within a day or two, the account was connected as Facebook `Friends’ to over 70 other Facebook users. Dustin and Melissa continued to add information to the persona's profile and caused the account to post status updates and comments on other users' pages. Some of these postings were graphically sexual, racist or otherwise offensive and some falsely stated that Alex was on a medication regimen for mental health disorders and that she took illegal drugs.

Alex soon suspected that Dustin was involved, because she recognized the profile photo as one he had taken at school. Alex's parents, Amy and Christopher Boston, approached the school's principal, Cathy Wentworth, for help. On May 10, 2011, Wentworth called Dustin and Melissa to her office; they admitted their involvement, and each signed a written statement.  

Wentworth assigned them to in-school suspension for two days for their harassment of Alex. She called their parents and also sent home a `Middle School Administrative Referral Form’ to explain the disciplinary action. The Referral Form included the following `Description of Infraction: [Dustin] created a false Facebook page in another student's name, pretended to be that person, and electronically distributed false, profane, and ethnically offensive information.’

Dustin's mother, Sandra Athearn, reviewed and signed the Referral Form the same day, May 10, 2011, and discussed the incident with her husband, Michael. The Athearns disciplined Dustin by forbidding him for one week from seeing his friends after school. The unauthorized profile and page remained accessible to Facebook users until Facebook officials deactivated the account on April 21, 2012, not long after the Bostons filed their lawsuit on April 3, 2012.

During the 11 months the unauthorized profile and page could be viewed, the Athearns made no attempt to view the unauthorized page, and they took no action to determine the content of the false, profane, and ethnically offensive information that Dustin was charged with electronically distributing. They did not attempt to learn to whom Dustin had distributed the false and offensive information or whether the distribution was ongoing. They did not tell Dustin to delete the page.

Furthermore, they made no attempt to determine whether the false and offensive information Dustin was charged with distributing could be corrected, deleted, or retracted.
Boston v. Athearn, supra. 
The court then took up the issues in the case, that, on appeal, the Bostons “contend there are questions of material fact regarding whether the Athearns were negligent in failing to compel Dustin to remove the Facebook page once they were notified of its existence and, therefore, that the trial court erred in granting the Athearns' motion for summary judgment on Alex's claims.”  Boston v. Athearn, supra.  It also noted that, under Georgia law,
liability for the tort of a minor child is not imputed to the child's parents merely on the basis of the parent-child relationship. Parents may be held directly liable, however, for their own negligence in failing to supervise or control their child with regard to conduct which poses an unreasonable risk of harming others.
Boston v. Athearn, supra. 
The Court of Appeals then took up the issues in the case, explaining, initially, that when
liability is based on parents' alleged failure to supervise or control their child, a key question is the foreseeability of the harm suffered by the plaintiff, that is, whether the parents had knowledge of facts from which they should have reasonably anticipated that harm to another would result unless they controlled their child's conduct. Hill v. Morrison, 160 Ga. App. 151, 286 S.E.2d 467 (Georgia Court of Appeals 1981) (`[T]he true test of parental negligence vel non is whether in the exercise of ordinary care he should have anticipated that harm would result from the unsupervised activities of the child and whether, if so, he exercised the proper degree of care to guard against this result’). . . .

The level of care that is due necessarily depends on the circumstances, which may involve an inherently dangerous instrumentality, a commonly-available object that only becomes dangerous if it is intentionally used to cause harm or is handled in an improper and dangerous manner, or no instrumentality at all.

Whether parents failed to use ordinary care in supervising or controlling their child is generally a question for the jury when the circumstances support an inference that the parents were on notice that, absent their intervention, injury was likely to result from the child's conduct.
Boston v. Athearn, supra. 
The court then applied these standards to the facts in this case, explaining that
it is undisputed that Dustin used a computer and access to an Internet account improperly, in a way likely to cause harm, and with malicious intent. The Athearns contend they had no reason to anticipate that Dustin would engage in that conduct until after he had done so, when they received notice from the school that he had been disciplined for creating the unauthorized Facebook profile. Based on this, they contend they cannot be held liable for negligently supervising Dustin's use of the computer and Internet account.

The Athearns' argument does not take into account that, as Dustin's parents, they continued to be responsible for supervising Dustin's use of the computer and Internet after learning that he had created the unauthorized Facebook profile. While it may be true that Alex was harmed, and the tort of defamation had accrued, when even one person viewed the false and offensive postings, it does not follow that the Athearns' parental duty of reasonable supervision ended with the first publication.

Given the nature of libel, the original tortious conduct may continue to unfold as the false and injurious communication is published to additional readers or the defamatory content persists in a public forum without public correction or retraction. With regard to the instant action, we conclude that a reasonable jury could find that, after learning on May 10, 2011, of Dustin's recent misconduct in the use of the computer and Internet account, the Athearns failed to exercise due care in supervising and controlling such activity going forward.

Given that the false and offensive statements remained on display, and continued to reach readers, for an additional eleven months, we conclude that a jury could find that the Athearns' negligence proximately caused some part of the injury Alex sustained from Dustin's actions (and inactions). Accordingly, the trial court erred in granting the Athearns' motion for summary judgment in part.
Boston v. Athearn, supra (emphasis in the original).
The Court of Appeals went on to note that the Bostons argued that
`[i]n addition to their legal duty as parents, the [Athearns] had a duty as landowners to remove the defamatory content that existed on their property[,]’ citing the dissenting opinion of Presiding Judge Quillian in Southern Bell Telephone & Telegraph v. Coastal Transmission Svc., 167 Ga. App. 611, 307 S.E.2d 83 (Georgia Court of Appeals 1983).

In that case, Presiding Judge Quillian cited with approval Restatement (Second) of Torts § 577(2) (1977, updated June 2014), which provides that `[o]ne who intentionally and unreasonably fails to remove defamatory matter that he knows to be exhibited on land or chattels in his possession or under his control is subject to liability for its continued publication.’ Further, `when, by measures not unduly difficult or onerous, he may easily remove the defamation, he may be found liable if he intentionally fails to remove it.’ Id., Comment p. See Southern Bell Telephone & Telegraph v. Coastal Transmission Svc., supra, Presiding Judge Quillian, dissenting.
The gist of this provision of the Restatement is that
`passing on defamatory matter, i.e., republication, is publication for purposes of liability. Thus, except as to those who only deliver or transmit defamation published by a third person, one who repeats or otherwise republishes defamatory matter is subject to liability as if he had originally published it.’

(Punctuation and footnotes omitted.) Malla Pollack, `Litigating Defamation Claims,’ 128 Am. Jur. Trials 1 (2013, updated May 2014). Georgia defamation law embraces this principle regarding republication. . . .
Boston v. Athearn, supra. 
The Court of Appeals then found that
[s]etting aside the novel and abstract questions the Bostons' argument raises regarding where Internet content is `exhibited,’ the Bostons failed to identify any evidence that, apart from exercising their parental power to control Dustin's conduct, they had the ability to remove the defamation.

The only evidence on the subject in the record is that, when the Bostons contacted Facebook, company officials responded that only the user who signed up for the password-protected account had the authority to remove the page from the forum.

There is no evidence that the Athearns unilaterally had the ability to take down the unauthorized Facebook page by virtue of the fact that it was created on a computer in their home, because it was created using an Internet service they paid for, or otherwise. See Mullinax v. Miller, 242 Ga. App. 811,, 531 S.E.2d 390 (Georgia Court of Appeals 2000) (In the context of our libel laws, `[p]ublication entails the ability to control the libel.’) (citations and punctuation omitted; emphasis in original).

Because there is no evidence supporting this theory of recovery, the trial court did not err in granting the Athearns' motion for summary judgment in part.
Boston v. Athearn, supra (emphasis in the original). 
If you are interested in more information about the case, check out the news stories you can find here, here and here.  The story you can find here says Melissa Snodgrass and her father did not respond to the suit, “and thus were found in default.”  If you are interested, Wikipedia explains what a default judgment is. 

Monday, October 20, 2014

The Federal Reserve, the Virtual Private Network and the Zeus Trojan

This post examines an opinion a U.S. District Court Judge who sits in the U.S. District of Minnesota recently issued in a civil suit:  State Bank of Bellingham v. BancInsure, Inc., 2014 WL 4829184 (2014) (“State Bank v. BancInsure”).  She begins the opinion by explaining that the bank is a Minnesota
`state bank with five employees and one location in Bellingham, Minnesota.’ . . . [BancInsure] is an insurance company . . . incorporated in Oklahoma. . . . In October 2010, [BancInsure] issued Financial Institution Bond No. FIB0011607 (the `Bond’) to Bellingham Corporation, with coverage effective from October 17, 2010, to October 17, 2013. . . [State Bank] is a named insured on the Bond. . . . Under the Bond, [BancInsure] agrees to indemnify [State Bank] in various circumstances, collectively referred to as `Insuring Agreements,’ including-relevant to this case-in the case of `computer systems fraud.’
State Bank v. BancInsure, supra.  Essentially, the Bond covered “[l]oss resulting directly from a fraudulent . . . entry of Electronic Data or Computer Program into, or . . . change of Electronic Data or Computer Program within any Computer System operated by the insured, whether owned or leased”.  State Bank v. BancInsure, supra. 
The lawsuit involves a “loss” that resulted from “a fraudulent wire transfer.”  State Bank v. BancInsure, supra.  At the time the loss occurred, State Bank made wire transfers
through the Federal Reserve's FedLine Advantage Plus system (`FedLine’). . . . State Bank used a desktop computer that was connected to a Virtual Private Network device . . . provided by the Federal Reserve. . . . The VPN was both a modem and an encryptor. . .  It encrypted the information entered on the computer and transmitted it over the internet to the Federal Reserve, where the information was then decrypted. . . . [T]o complete a wire transfer on FedLine, a user had to enter an authorized user name and three passwords. . . . One of the passwords was provided by a security token issued by FedLine that had to be inserted into a USB port on the computer. . . . The other two passwords were typed in by the user. . . . And, although it was not required by FedLine, wire instructions had to be verified by entry of a second user name and set of passwords. . . .

On October 27, 2011, one of [State Bank’s] employees, Sharon Kirchberg, accessed FedLine . . . to complete a wire transfer. . . . Kirchberg's token, password, and pass phrase, as well as the token, password, and pass phrase of another employee, were used to complete the transfer. . . . When Kirchberg left the Bank for the day, she left both tokens in the computer and left the computer running. . . .

On October 28, Kirchberg arrived at work and accessed Fedline's Account Information Management application, which shows [State Bank’s] account balance with the Federal Reserve. . . . At approximately 8:12 a.m. CST, she noticed that $940,000 had been transferred out of the bank using Fedwire Funds, which is part of FedLine. . . . She began investigating the entry and discovered someone had attempted to initiate two wire transfers from a Demand Deposit Account at the bank to two different banks in Poland. . . . The first transfer, to a Citibank account in Warsaw, was in the amount of $485,000 and was initiated at 7:12 a.m. CST. . . . That transfer was completed at 7:25 a.m. CST using the user name and passwords of Kirchberg and one other employee. . . .

However, neither of those employees authorized or verified the transfer or had access to FedLine at the time of the transfer. . . . The second transfer, to an ING Bank account in Katowice, was in the amount of $455,000 and was initiated at 7:21 a.m. CST and completed at 7:25 a.m. CST. . . . The same user names and passwords were used, but, again, neither employee even had access to FedLine at the time of the transfer. . . . Both transferee accounts were in the name of Markus Vorreas. . . .

Kirchberg immediately attempted to reverse the wire transfers using FedLine. . . . However, shortly after 8:00 a.m., [State Bank’s] internet service provider experienced a distributed denial-of-service attack (`DDoS’), which disabled internet service near [State Bank]. . . .  Accordingly,. Kirchberg was unable to electronically request reversal of the transfers. . . .  She then called the Federal Reserve and requested the reversals, but her request was denied. . . .

On October 31, the Federal Reserve notified the two intermediary institutions for the transfers that the transfers were fraudulent. . . . While the intermediary institution for the second transfer was able to revert the transferred funds to [State Bank], the $485,000 that was transferred to the Citibank account in Warsaw has never been credited or reverted. . . .
State Bank v. BancInsure, supra. 
State Bank notified BancInsure of the loss on October 28 . . . by faxing a copy of the transaction details of the two transfers. State Bank v. BancInsure, supra.  On November 3, BancInsure acknowledged receipt of the notice and advised State Bank that the claim had been assigned to Karbal Cohen Economou Silk Dunne (`KCESD’) for investigation. State Bank v. BancInsure, supra.  In a November 9 letter, KCESD reminded State Bank of its obligation to provide BancInsure with “`proof of loss . . . with full particulars’“ within six months of discovering the loss. State Bank v. BancInsure, supra. 
BancInsure received State Bank’s Proof of Loss on December 27, 2011. . . .  State Bank v. BancInsure, supra.  In the `Details of Loss’ section of the form, State Bank stated that “`an unknown individual or individuals gained unauthorized access to the FedLine Advantage Plus service on the State Bank of Bellingham's computer systems and fraudulently authorized two wire transfers.’” State Bank v. BancInsure, supra.  It went on to describe Kirchberg's discovery and attempted reversal of the transfers, and said that, “in addition to the Federal Reserve, it had notified various law enforcement agencies and the FBI had examined” State Bank’s computers but it “was not aware of the status of any investigations.” State Bank v. BancInsure, supra. 
With regard to its security measures, State Bank said that, internally, it followed
standard security procedures with respect to user names and passwords for its systems in accordance with the Federal Reserve Banks' Password Practice Statement. All systems on the internal network have Symantec Small Business Endpoint Protection 12.5, with not only antivirus and antispyware features but a desktop firewall and intrusion detection/protection. This security suite is centrally managed by the network server for definitions and threat management and updates automatically. Additionally, the native Windows firewall is activated on computers on the internal network and the computers are configured to limit the software that can be installed on the device.

As for external threats, the Bank uses a Sonic WALL NSA 240 firewall. The firewall has Gateway Antivirus and Gateway Anti–Spyware inspecting all traffic before passing through the gateway and uses Gateway Intrusion Protection. This security suite likewise is updated automatically on a daily basis, meaning no user accesses or modifies the firewall or the settings of the software overall.
State Bank v. BancInsure, supra. 
On May 15, BancInsure’s counsel told State Bank “that it had retained forensic computer specialist Mark Lanterman of Computer Forensic Services, Inc.” (CFS) to work on investigating the crime.  State Bank v. BancInsure, supra.  On June 20, State Bank told BancInsure’s lawyer it had the “hard drive in the condition it was in at the time of the loss” and agreed to “provide the hard drive to Lanterman for examination under certain conditions”.   State Bank v. BancInsure, supra.  Lanterman “received the hard drive on August 8, and issued his report on October 10.” State Bank v. BancInsure, supra.  His report said the analysis
identified an email message, sent to the address `bellinghambank’, which contained a hyperlink to a malicious webserver. CFS further determined that this email had been read and the embedded link clicked on. . . .

The user's action of clicking on the hyperlink ultimately lead to the download of multiple files associated with the Zeus virus.
State Bank v. BancInsure, supra. 
The CFS report also explained that the analysis showed the Zeus virus was detected
on October 13, 2011. Given [Symantec's] settings, it is more likely than not that Symantec notified the user of the infection. The analysis revealed [Zeus] was quarantined on October 18, 2011 but the infection was never completely removed by Symantec Antivirus. Given [its] settings, it is more likely than not that Symantec notified the user of the quarantine. . . . Once [Zeus] executed, it remained resident, ultimately downloading a rash of subsequent infections that resulted in the unauthorized ACH transactions. The continued use of the computer after receiving multiple virus warnings is contrary to generally accepted computer security practices.

Three additional malicious executable files, downloaded automatically by [Zeus], still reside on the system. There is no evidence these files were detected by Symantec. [One] resulted in the download of . . . a virus. [It] . . . was downloaded and launched on October 26, 2011 [and] is considered directly responsible for the unauthorized wire transfers. . . .

Further, Symantec `Proactive Threat Protection’ was disabled due to the fact that it was last updated July 30, 2008. This left the system vulnerable to viruses created after 2008. . . .  Generally accepted security practices would include daily virus scans and ensuring the virus definitions are current. . . .

[T]he system was previously compromised on August 8, 2011. Symantec Antivirus . . . successfully removed that infection. This demonstrates the computer has a history of vulnerabilities due to user activity. The user(s) was also aware of this compromise after receiving Symantec's alert. . . .

CFS reviewed email activity on the system and was able to identify the specific message containing the malicious hyperlink. Other messages within the Outlook Express inbox also suggest that the email application was being used for purposes other than FedLink. For instance, the email account was used to order and track company purchases. This is contrary to generally accepted security practices. The use of email on a computer that's purpose is to initiate FedLink transactions resulted in that system's compromise.

Additionally, CFS determined that messages in the spam folder had been opened or read. Spam is a typical vehicle for malware.

CFS recovered and analyzed nearly one million URLs from Internet browser histories on the system. . . . Much of the history was found to relate to activity other than banking. For example, the user `FedLine’ multiple times, with and without private browsing activated, before and after the initial infection. . . .This is contrary to generally accepted computer security practices.

CFS also determined that the administrator user accounts, `Administrator’ and `FedLine’, were not password protected. This would have allowed the virus to execute itself as an administrator without the need of a password. This is contrary to generally accepted computer security practices.
State Bank v. BancInsure, supra. 
As a result of this investigation and other factors, BancInsure denied coverage and State Bank then filed suit against BancInsure, “asserting a claim for breach of contract.”  State Bank v. BancInsure, supra.  BancInsure responded by asserting three counterclaims, one of which asserted that it “owe[d] no duty” to provider coverage for the bank’s losses and another of which asserted a cause of action for breach of contract based on State Bank’s “alleged failure to provide a complete and accurate Proof of Loss and its alleged failure to cooperate with” BancInsure.  State Bank v. BancInsure, supra. 
Both sides eventually filed motions for summary judgment on their respective behalves. As Wikipedia explains, in U.S. law, a court can award summary judgment before
trial, effectively holding that no trial will be necessary. Issuance of summary judgment can be based only upon the court's finding that:
  1. there are no disputes of `material’ fact requiring a trial to resolve, and
  2. in applying the law to the undisputed facts, one party is clearly entitled to judgment. . . .
A `material fact’ is one which . . . could lead to judgment in favor of one party, rather than the other.
The District Court Judge began her analysis of BancInsure’s argument, in its summary judgment motion, BancInsure argued, in part, that the policy’s exclusions for a loss
`caused by an Employee’ . . ., `. . .  resulting directly or indirectly from theft of confidential information’ . . . and `. . . resulting directly or indirectly from mechanical failure . . . [or] gradual deterioration” of a computer system . . . preclude coverage of [State Bank’s] claim. As for the employee exclusion, [BancInsure] argues that `Bank employees caused the loss by intentionally disregarding Bank policies, Federal Reserve policies, and good banking practices.’ . . . [It] points to the employees' downloading of the Zeus virus through spam email, [their] continued use of the computer after it detected a virus, the employees' failure to enable and update antivirus software, the employees' failure to password-protect the FedLine user accounts, Ms. Kirchberg's use of another employee's password and token to complete a transfer on the day preceding the loss, and Ms. Kirchberg's failure to remove the tokens from the computer or shut down the computer on the day preceding the loss. . . .

According to [BancInsure], `[t]hese actions caused the loss by opening the door for cyber thefts.’ . . . As for the theft of confidential information exclusion, [it] argues that the employees' passwords and pass phrases were confidential, that those passwords and pass phrases were used to make the transfers, and, therefore, that `[t]he theft of [the] passwords and pass phrases caused the loss.’ . . .

Finally, as for the mechanical failure or gradual deterioration exclusion, [BancInsure] asserts that, because Proactive Threat Protection was disabled and its definitions not updated, the computer's antivirus software gradually deteriorated and allowed malware to be downloaded, which led to the unauthorized transfers. . . .

[State Bank] argues that none of these exclusions were triggered by the circumstances of the loss, but that even if they had been, [BancInsure] cannot satisfy its burden under Minnesota's concurrent causation doctrine of establishing that an excluded cause was the `overriding’ cause of the loss. . . .  
State Bank v. BancInsure, supra. 
The judge agreed with” State Bank.  State Bank v. BancInsure, supra.  She noted that
[w]hen there are multiple causes of an insured's loss, one of which is a `covered peril’ and the other of which is an `excluded peril,’ Minnesota's concurrent causation doctrine provides that the availability of coverage or the applicability of the exclusion depends on which peril was the `”overriding cause” ‘ of the loss. Friedberg v. Chubb & Son, Inc., 691 F.3d 948 (U.S. Court of Appeals for the 8th Circuit 2012) (quoting Henning Nelson Constr. Co. v. Fireman's Fund Am. Life Ins. Co., 383 N.W.2d 645 (Minnesota Supreme Court 1986)).
State Bank v. BancInsure, supra.  (This case was in federal court not because it involved any issues of federal law, but because the parties are “diverse,” i.e., are from different states.  As Wikipedia explains, the Constitution gives federal courts jurisdiction to hear such cases.  And as Wikipedia also explains, the U.S. Supreme Court has held that in diversity jurisdiction cases, the federal court applies the law of the relevant state.)        
Here, the District Court Judge applied Minnesota law and found that the computer systems
fraud was the efficient and proximate cause of [State Bank’s] loss. But for the hacker's fraudulent conduct, the $485,000 would not have been transferred. Conversely, neither the employees' violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer's antivirus software was the efficient and proximate cause of [its] loss.

Assuming all of these circumstances existed as [BancInsure] argues, it was not then a `foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus, even if those circumstances `played an essential role’ in the loss, they were not `independent and efficient causes’ of the loss. In other words, without the fraudster's actions, there would have been no loss even if all of the other circumstances [State Bank’s] loss.
State Bank v. BancInsure, supra.  
She therefore held that because BancInsure presented
no set of facts from which a reasonable jury could find that one of the excluded perils -- and not the computer systems fraud -- was the overriding cause of [State Bank’s] loss, [it] is entitled to summary judgment on its claim for breach of contract and on [BancInsure’s] claim for a declaratory judgment that it is not liable for coverage. Accordingly, [BancInsure] owes [State Bank] $480,000 under the Bond, which is the amount of the loss less the $5,000 deductible.
State Bank v. BancInsure, supra.  More precisely, the judge held that State Bank was “awarded the principal amount of $480,000 under the Bond, with prejudgment interest of $140,187.36, for a total of $620,187.36.”  State Bank v. BancInsure, supra. 

The judge’s opinion also addresses the legal issues raised by BancInsure’s motion for summary judgment, which she denied, but I am not addressing them, or the detailed analysis the judge conducted of State Bank’s motion for two reasons:  This post would be very long if I did that and the summary above, I think, explains why she ultimately found in favor of State Bank.  You can, if you are interested, find the full opinion here.

Friday, October 17, 2014

GPS Tracking, the 4th Amendment and the Exclusionary Rule

After a federal grand jury indicted Henry Stephens “for being a felon in possession of a firearm on May 16, 2011, in violation of 18 U.S. Code § 922(g)(1)”, he filed a motion to suppress certain evidence.  U.S. v. Stephens, 764 F.3d 327 (U.S. Court of Appeals for the 4th Circuit 2014).  The motion to suppress targeted evidence police obtained by using Global Positioning System (GPS) technology: 
In 2011, federal and state law enforcement officers in the Baltimore area were investigating Stephens for possible drug and firearms crimes. The investigation began as a result of information provided by a registered confidential informant, and it was spearheaded by Officer Paul Geare, . . . Geare was also deputized as an ATF agent and assigned to a `High Intensity Drug Trafficking Area’ (`HIDTA’) task force unit, which was `a hybrid unit of federal agents as well as city police officers’ operating pursuant to Baltimore City and HIDTA guidelines. . . . The HIDTA joint task force is `organized to conduct investigations into drug and gun violations of both federal and state law, and its investigations indeed [lead] to both federal and state prosecutions, determined on the basis of the facts uncovered.’ U.S. v. Claridy, 601 F.3d 276 (U.S. Court of Appeals for the 4th Circuit (2010). . . .

On May 13, 2011, Geare -- acting without a warrant -- installed a battery-powered Global-Positioning-System device under the rear bumper of Stephens' vehicle, which was parked in a public lot in Parkville, Maryland. Geare had information that Stephens was a convicted felon, would be working security at a nightclub known as `Club Unite’ on the evening of May 16, and usually carried a firearm when he worked there. With this knowledge, Geare -- in conjunction with other officers -- implemented a plan to detain Stephens and search him on May 16 at Club Unite.

During the evening of May 16, Geare used the GPS to locate Stephens' vehicle at an area school. Geare and another city police officer (Sergeant Johnson) observed and followed Stephens as he drove the vehicle to his residence. Before Stephens left . . . to drive to Club Unite, Geare and Johnson saw Stephens, who was standing outside his vehicle, reach around to the back of his waistband. They interpreted this . . . as being a check for a weapon. Based on this and other information they had previously obtained, the officers `had at least reasonable suspicion, if not probable cause, that [Stephens] was armed and was on his way to work at Club Unite.’ . . . 

When Stephens drove away from his residence, Geare alerted other officers who had been briefed on the plan to go to Club Unite. Using visual observation and a portable laptop computer to monitor the GPS, Geare and Johnson followed Stephens' vehicle as he drove on public roads to Club Unite. Upon Stephens' arrival at Club Unite, the officers who had been alerted approached him and conducted a patdown, which revealed an empty holster in the middle of his back. Within a matter of minutes, a Baltimore city police officer arrived and conducted a canine inspection of the vehicle exterior. After the canine alerted, the officers searched the vehicle and found (among other things) a loaded pistol.

The officers then arrested Stephens and charged him with one or more state-law crimes. Stephens remained in state custody for approximately three months, until a federal grand jury indicted him for illegal firearm possession by a convicted felon. See 18 U.S. Code § 922(g)(1). After the federal indictment, the state charges were dismissed. . . .
U.S. v. Stephens, supra (emphasis in the original).
The Court of Appeals explains that, while this case was pending in the trial court – the U.S. District Court for the District of Maryland – the U.S. Supreme Court decided U.S.v. Jones, 132 S.Ct. 945 (2012).  U.S. v. Stephens, supra. In Jones, the Court held that the government’s installation
`of a GPS device on a target's vehicle, and its use of that device to monitor the vehicle's movements, constitutes a “search”’ within the meaning of the 4th Amendment. Because the officers in Jones did not have a valid warrant authorizing the GPS usage, the search -- i.e., GPS usage -- violated the 4th Amendment. 
U.S. v. Stephens, supra.  Since the officers in the Jones case had not gotten a warrant that authorized the installation and use of the GPS device, the search violated the 4th Amendment.  U.S. v. Stephens, supra.  
Relying on the Supreme Court’s decision in Jones, Stephens moved to suppress the
firearm and other evidence seized on May 16. Following a hearing, the district court denied the motion. The court concluded that in light of Jones, Geare's warrantless use of the GPS on Stephens' vehicle was an unconstitutional search that led to the seizure of the challenged evidence. However, the court held that the exclusionary rule does not apply because Geare used the GPS in good faith. . . . Stephens entered a conditional guilty plea, reserving the right to appeal the suppression order. See Rule 11(a)(2) of the Federal Rules of Criminal Procedure.
U.S. v. Stephens, supra.  
The Court of Appeals then took up the issue in the case:  whether the government could use the evidence obtained as a result of using the GPS technology. U.S. v. Stephens, supra.  It began by explaining that for
purposes of this appeal, we accept the district court's ruling that Geare's use of the GPS to locate and follow Stephens in May 2011 was an unreasonable search under the 4th Amendment that led directly to the seizure of the evidence from Stephens' vehicle and his arrest. Starting from this premise, we must decide the separate question of whether the exclusionary rule renders the evidence inadmissible. Because the facts are not disputed, this question involves a pure legal conclusion, and we review the district court's ruling de novo. . . .
U.S. v. Stephens, supra.  
It then turned to the exclusionary rule, explaining that the U.S. Supreme Court
created the exclusionary rule `to safeguard against future violations of 4th Amendment rights through the rule's general deterrent effect.’ Arizona v. Evans, 514 U.S. 1 (1995). The exclusionary rule `generally prohibits the introduction at criminal trial of evidence obtained in violation of a defendant's 4th Amendment rights,’ Pennsylvania Bd. of Prob. & Parole v. Scott, 524 U.S. 357 1998), but the `sole purpose’ of the rule `is to deter future 4th Amendment violations,’ Davis v. U.S., 131 S.Ct. 2419 (2011), and its application `properly has been restricted to those situations in which its remedial purpose is effectively advanced,’ Illinois v. Krull, 480 U.S. 340 (1987). As the Court has recently made clear, the exclusionary rule is not a “strict liability regime,” Davis v. U.S., supra,  and exclusion of evidence has`always been [the] last resort, not [the] first impulse.’ Hudson v. Michigan, 547 U.S. 586 (2006).
U.S. v. Stephens, supra.  
It went on to note, though, that
`[e]xclusion exacts a heavy toll on both the judicial system and society at large,’ because it `almost always requires courts to ignore reliable, trustworthy evidence bearing on guilt or innocence,’ and `its bottom-line effect, in many cases, is to suppress the truth and set the criminal loose in the community without punishment.’ Davis v. U.S., supra. In order for the exclusionary rule `to be appropriate, the deterrence benefits of suppression must outweigh its heavy costs.’ Davis v. U.S., supra. 

`Police practices trigger the harsh sanction of exclusion only when they are deliberate enough to yield meaningful deterrence, and culpable enough to be worth the price paid by the justice system.’ Davis v. U.S., supra. Therefore, the exclusionary rule is applicable `[w]hen the police exhibit deliberate, reckless, or grossly negligent disregard for 4th Amendment rights, [and] the deterrent value of exclusion is strong and tends to outweigh the resulting costs.’ Davis v. U.S., supra.
U.S. v. Stephens, supra.  
But as the Court of Appeals also noted,
`when the police act with an objectively reasonable good-faith belief that their conduct is lawful, or when their conduct involves only simple, isolated negligence, the deterrence rationale loses much of its force, and exclusion cannot pay its way.’ Davis v. U.S., supra. The `pertinent analysis of deterrence and culpability is objective, not an inquiry into the subjective awareness of arresting officers,’ and the `good-faith inquiry is confined to the objectively ascertainable question whether a reasonably well trained officer would have known that the search was illegal in light of all of the circumstances.’ Herring v. U.S., 555 U.S. 135 (2009).
U.S. v. Stephens, supra.  
It then explained that in conducting the good faith inquiry, the Supreme Court has
found the exclusionary rule to be inapplicable in a variety of circumstances involving 4th Amendment violations. See, e.g., U.S. v. Leon, 468 U.S. 897 (1984) (police conducted a search in reasonable reliance on a warrant later held invalid); Illinois v. Krull , 480 U.S. 340 (1987) (police conducted a search in reasonable reliance on subsequently invalidated state statutes); Arizona v. Evans, 514 U.S. 1 (1995) (police reasonably relied on erroneous information in a database maintained by judicial employees); Herring v. U.S. supra (police reasonably relied on erroneous information in a database maintained by police employees).

Our precedent makes it clear that application of the good-faith inquiry is not limited to the specific circumstances addressed by the Supreme Court. For example, in U.S. v. Davis, 690 F.3d 226 (U.S. Court of Appeals for the 4th Circuit 2012), we held the exclusionary rule did not apply where officers engaged in an unconstitutional search by extracting and testing the defendant's DNA sample during a murder investigation without a warrant. We explained that the Supreme Court's `recent decisions applying the exception have broadened its application, and lead us to conclude that the 4th Amendment violations here should not result in application of the exclusionary rule.’  U.S. v. Davis, supra.  
U.S. v. Stephens, supra.  
The Court of Appeals then took up the issue as to whether the good faith exception to the exclusionary rule should apply in this case.  It began by explaining that in May, 2011,
before Jones, neither the Supreme Court nor this Court had expressly approved or disapproved of warrantless GPS usage. However, in 1983, the Supreme Court held in U.S. v. Knotts, 460 U.S. 276 (1983), that the use of a beeper to track a vehicle was not a search under the 4th Amendment. In doing so, the Court explained that `[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another,’ and noted that the beeper simply conveyed to the public what was evident from visual surveillance.  U.S. v. Knotts, supra.

Knotts is not exactly on point with the facts of this case, but it is the legal principle of Knotts . . . that matters. See South Dakota v. Opperman, 428U.S. 364 (1976) (“in all 4th Amendment cases, we are obliged to look to all the facts and circumstances of this case in light of the principles set forth in . . . prior decisions’). . . . [W]e reiterate that in conjunction with the general legal landscape that existed before Jones, `Knotts was widely and reasonably understood to stand for the proposition that the 4th Amendment simply was not implicated by electronic surveillance of public automotive movements,' U.S. v. Sparks, 711 F.3d 58 (U.S. Court of Appeals for the 1st Circuit 2013) and it was the `foundational Supreme Court precedent for GPS-related cases,’ U.S. v. Cuevas–Perez, 640 F.3d 272 (U.S. Court of Appeals for the 7th Circuit 2011).

After Jones, we know such an interpretation of Knotts is incorrect. Without the benefit of hindsight, however, and with no contrary guidance from the Supreme Court or this Court, we believe a reasonably well-trained officer in this Circuit could have relied on Knotts as permitting the type of warrantless GPS usage in this case. See U.S. v. Aguiar, 737 F.3d 251 (U.S. Court of Appeals for the 2d Circuit 2013) (in declining to apply the exclusionary rule, the court stated `sufficient Supreme Court precedent existed at the time the GPS device was placed for the officers here to reasonably conclude a warrant was not necessary’). 
U.S. v. Stephens, supra.  
The Court of Appeals therefore held that “[b]ased on the foregoing, we find no basis to set aside the order denying Stephens' suppression motion. Accordingly, we affirm the conviction.” U.S. v. Stephens, supra.  
One of the judges dissented, pointing out that the good-faith exception “requires officers to `act with an objectively ‘reasonable good-faith belief’ that their conduct is lawful’” and arguing that Geare did not do that. U.S. v. Stephens, supra.   She also pointed out that
at the time the warrantless search was conducted in this case, the District of Columbia Circuit, neighboring the District of Maryland where the warrantless search here occurred, had determined that a warrantless GPS search violated the 4th Amendment. See U.S. v. Maynard, 615 F.3d 544 (U.S. Court of Appeals for the D.C. Circuit 2010), aff'd in part sub nom. U.S. v. Jones, 132 S.Ct. 945 (2012). In fact, at the time the warrantless search was conducted in this case, Maynard had been accepted for argument before the Supreme Court, further undercutting the Government's position here that the issue was generally settled.

Additionally, the Maynard case illustrates that as early as 2005, similarly situated officers were obtaining warrants for GPS searches such as the one performed in this case. Nonetheless, officers in this case did not `take care to learn’ what was required of them by 4th Amendment precedent under these circumstances. Davis v. U.S., supra.
U.S. v. Stephens, supra.  
The dissenting judge also noted that “Detective Geare testified that he did not seek advice from any legal authority regarding the constitutionality of such a search, even though there was no exigent circumstance preventing him from doing so.”  U.S. v. Stephens, supra.  And she explained that
[i]nstead, Geare testified that in utilizing the GPS device in this case, he relied simply on his own past conduct using GPS devices in prior cases that had resulted in convictions. Geare testified it was his `understanding’ that a warrant was not required when attaching a GPS device on a target's vehicle, and his `belief’ that as long as the vehicle was in a public area attaching a GPS device `was fine.’ . . . . He certainly did not receive such guidance from the United States Attorney's Office because, per his own testimony, he did not bother to ask.

U.S. v. Stephens, supra.  She, therefore, would have reversed the judgment of the District Court.  U.S. v. Stephens, supra.