Monday, October 20, 2014

The Federal Reserve, the Virtual Private Network and the Zeus Trojan

This post examines an opinion a U.S. District Court Judge who sits in the U.S. District of Minnesota recently issued in a civil suit:  State Bank of Bellingham v. BancInsure, Inc., 2014 WL 4829184 (2014) (“State Bank v. BancInsure”).  She begins the opinion by explaining that the bank is a Minnesota
`state bank with five employees and one location in Bellingham, Minnesota.’ . . . [BancInsure] is an insurance company . . . incorporated in Oklahoma. . . . In October 2010, [BancInsure] issued Financial Institution Bond No. FIB0011607 (the `Bond’) to Bellingham Corporation, with coverage effective from October 17, 2010, to October 17, 2013. . . [State Bank] is a named insured on the Bond. . . . Under the Bond, [BancInsure] agrees to indemnify [State Bank] in various circumstances, collectively referred to as `Insuring Agreements,’ including-relevant to this case-in the case of `computer systems fraud.’
State Bank v. BancInsure, supra.  Essentially, the Bond covered “[l]oss resulting directly from a fraudulent . . . entry of Electronic Data or Computer Program into, or . . . change of Electronic Data or Computer Program within any Computer System operated by the insured, whether owned or leased”.  State Bank v. BancInsure, supra. 
The lawsuit involves a “loss” that resulted from “a fraudulent wire transfer.”  State Bank v. BancInsure, supra.  At the time the loss occurred, State Bank made wire transfers
through the Federal Reserve's FedLine Advantage Plus system (`FedLine’). . . . State Bank used a desktop computer that was connected to a Virtual Private Network device . . . provided by the Federal Reserve. . . . The VPN was both a modem and an encryptor. . .  It encrypted the information entered on the computer and transmitted it over the internet to the Federal Reserve, where the information was then decrypted. . . . [T]o complete a wire transfer on FedLine, a user had to enter an authorized user name and three passwords. . . . One of the passwords was provided by a security token issued by FedLine that had to be inserted into a USB port on the computer. . . . The other two passwords were typed in by the user. . . . And, although it was not required by FedLine, wire instructions had to be verified by entry of a second user name and set of passwords. . . .

On October 27, 2011, one of [State Bank’s] employees, Sharon Kirchberg, accessed FedLine . . . to complete a wire transfer. . . . Kirchberg's token, password, and pass phrase, as well as the token, password, and pass phrase of another employee, were used to complete the transfer. . . . When Kirchberg left the Bank for the day, she left both tokens in the computer and left the computer running. . . .

On October 28, Kirchberg arrived at work and accessed Fedline's Account Information Management application, which shows [State Bank’s] account balance with the Federal Reserve. . . . At approximately 8:12 a.m. CST, she noticed that $940,000 had been transferred out of the bank using Fedwire Funds, which is part of FedLine. . . . She began investigating the entry and discovered someone had attempted to initiate two wire transfers from a Demand Deposit Account at the bank to two different banks in Poland. . . . The first transfer, to a Citibank account in Warsaw, was in the amount of $485,000 and was initiated at 7:12 a.m. CST. . . . That transfer was completed at 7:25 a.m. CST using the user name and passwords of Kirchberg and one other employee. . . .

However, neither of those employees authorized or verified the transfer or had access to FedLine at the time of the transfer. . . . The second transfer, to an ING Bank account in Katowice, was in the amount of $455,000 and was initiated at 7:21 a.m. CST and completed at 7:25 a.m. CST. . . . The same user names and passwords were used, but, again, neither employee even had access to FedLine at the time of the transfer. . . . Both transferee accounts were in the name of Markus Vorreas. . . .

Kirchberg immediately attempted to reverse the wire transfers using FedLine. . . . However, shortly after 8:00 a.m., [State Bank’s] internet service provider experienced a distributed denial-of-service attack (`DDoS’), which disabled internet service near [State Bank]. . . .  Accordingly,. Kirchberg was unable to electronically request reversal of the transfers. . . .  She then called the Federal Reserve and requested the reversals, but her request was denied. . . .

On October 31, the Federal Reserve notified the two intermediary institutions for the transfers that the transfers were fraudulent. . . . While the intermediary institution for the second transfer was able to revert the transferred funds to [State Bank], the $485,000 that was transferred to the Citibank account in Warsaw has never been credited or reverted. . . .
State Bank v. BancInsure, supra. 
State Bank notified BancInsure of the loss on October 28 . . . by faxing a copy of the transaction details of the two transfers. State Bank v. BancInsure, supra.  On November 3, BancInsure acknowledged receipt of the notice and advised State Bank that the claim had been assigned to Karbal Cohen Economou Silk Dunne (`KCESD’) for investigation. State Bank v. BancInsure, supra.  In a November 9 letter, KCESD reminded State Bank of its obligation to provide BancInsure with “`proof of loss . . . with full particulars’“ within six months of discovering the loss. State Bank v. BancInsure, supra. 
BancInsure received State Bank’s Proof of Loss on December 27, 2011. . . .  State Bank v. BancInsure, supra.  In the `Details of Loss’ section of the form, State Bank stated that “`an unknown individual or individuals gained unauthorized access to the FedLine Advantage Plus service on the State Bank of Bellingham's computer systems and fraudulently authorized two wire transfers.’” State Bank v. BancInsure, supra.  It went on to describe Kirchberg's discovery and attempted reversal of the transfers, and said that, “in addition to the Federal Reserve, it had notified various law enforcement agencies and the FBI had examined” State Bank’s computers but it “was not aware of the status of any investigations.” State Bank v. BancInsure, supra. 
With regard to its security measures, State Bank said that, internally, it followed
standard security procedures with respect to user names and passwords for its systems in accordance with the Federal Reserve Banks' Password Practice Statement. All systems on the internal network have Symantec Small Business Endpoint Protection 12.5, with not only antivirus and antispyware features but a desktop firewall and intrusion detection/protection. This security suite is centrally managed by the network server for definitions and threat management and updates automatically. Additionally, the native Windows firewall is activated on computers on the internal network and the computers are configured to limit the software that can be installed on the device.

As for external threats, the Bank uses a Sonic WALL NSA 240 firewall. The firewall has Gateway Antivirus and Gateway Anti–Spyware inspecting all traffic before passing through the gateway and uses Gateway Intrusion Protection. This security suite likewise is updated automatically on a daily basis, meaning no user accesses or modifies the firewall or the settings of the software overall.
State Bank v. BancInsure, supra. 
On May 15, BancInsure’s counsel told State Bank “that it had retained forensic computer specialist Mark Lanterman of Computer Forensic Services, Inc.” (CFS) to work on investigating the crime.  State Bank v. BancInsure, supra.  On June 20, State Bank told BancInsure’s lawyer it had the “hard drive in the condition it was in at the time of the loss” and agreed to “provide the hard drive to Lanterman for examination under certain conditions”.   State Bank v. BancInsure, supra.  Lanterman “received the hard drive on August 8, and issued his report on October 10.” State Bank v. BancInsure, supra.  His report said the analysis
identified an email message, sent to the address `bellinghambank’, which contained a hyperlink to a malicious webserver. CFS further determined that this email had been read and the embedded link clicked on. . . .

The user's action of clicking on the hyperlink ultimately lead to the download of multiple files associated with the Zeus virus.
State Bank v. BancInsure, supra. 
The CFS report also explained that the analysis showed the Zeus virus was detected
on October 13, 2011. Given [Symantec's] settings, it is more likely than not that Symantec notified the user of the infection. The analysis revealed [Zeus] was quarantined on October 18, 2011 but the infection was never completely removed by Symantec Antivirus. Given [its] settings, it is more likely than not that Symantec notified the user of the quarantine. . . . Once [Zeus] executed, it remained resident, ultimately downloading a rash of subsequent infections that resulted in the unauthorized ACH transactions. The continued use of the computer after receiving multiple virus warnings is contrary to generally accepted computer security practices.

Three additional malicious executable files, downloaded automatically by [Zeus], still reside on the system. There is no evidence these files were detected by Symantec. [One] resulted in the download of . . . a virus. [It] . . . was downloaded and launched on October 26, 2011 [and] is considered directly responsible for the unauthorized wire transfers. . . .

Further, Symantec `Proactive Threat Protection’ was disabled due to the fact that it was last updated July 30, 2008. This left the system vulnerable to viruses created after 2008. . . .  Generally accepted security practices would include daily virus scans and ensuring the virus definitions are current. . . .

[T]he system was previously compromised on August 8, 2011. Symantec Antivirus . . . successfully removed that infection. This demonstrates the computer has a history of vulnerabilities due to user activity. The user(s) was also aware of this compromise after receiving Symantec's alert. . . .

CFS reviewed email activity on the system and was able to identify the specific message containing the malicious hyperlink. Other messages within the Outlook Express inbox also suggest that the email application was being used for purposes other than FedLink. For instance, the email account was used to order and track company purchases. This is contrary to generally accepted security practices. The use of email on a computer that's purpose is to initiate FedLink transactions resulted in that system's compromise.

Additionally, CFS determined that messages in the spam folder had been opened or read. Spam is a typical vehicle for malware.

CFS recovered and analyzed nearly one million URLs from Internet browser histories on the system. . . . Much of the history was found to relate to activity other than banking. For example, the user `FedLine’ multiple times, with and without private browsing activated, before and after the initial infection. . . .This is contrary to generally accepted computer security practices.

CFS also determined that the administrator user accounts, `Administrator’ and `FedLine’, were not password protected. This would have allowed the virus to execute itself as an administrator without the need of a password. This is contrary to generally accepted computer security practices.
State Bank v. BancInsure, supra. 
As a result of this investigation and other factors, BancInsure denied coverage and State Bank then filed suit against BancInsure, “asserting a claim for breach of contract.”  State Bank v. BancInsure, supra.  BancInsure responded by asserting three counterclaims, one of which asserted that it “owe[d] no duty” to provider coverage for the bank’s losses and another of which asserted a cause of action for breach of contract based on State Bank’s “alleged failure to provide a complete and accurate Proof of Loss and its alleged failure to cooperate with” BancInsure.  State Bank v. BancInsure, supra. 
Both sides eventually filed motions for summary judgment on their respective behalves. As Wikipedia explains, in U.S. law, a court can award summary judgment before
trial, effectively holding that no trial will be necessary. Issuance of summary judgment can be based only upon the court's finding that:
  1. there are no disputes of `material’ fact requiring a trial to resolve, and
  2. in applying the law to the undisputed facts, one party is clearly entitled to judgment. . . .
A `material fact’ is one which . . . could lead to judgment in favor of one party, rather than the other.
The District Court Judge began her analysis of BancInsure’s argument, in its summary judgment motion, BancInsure argued, in part, that the policy’s exclusions for a loss
`caused by an Employee’ . . ., `. . .  resulting directly or indirectly from theft of confidential information’ . . . and `. . . resulting directly or indirectly from mechanical failure . . . [or] gradual deterioration” of a computer system . . . preclude coverage of [State Bank’s] claim. As for the employee exclusion, [BancInsure] argues that `Bank employees caused the loss by intentionally disregarding Bank policies, Federal Reserve policies, and good banking practices.’ . . . [It] points to the employees' downloading of the Zeus virus through spam email, [their] continued use of the computer after it detected a virus, the employees' failure to enable and update antivirus software, the employees' failure to password-protect the FedLine user accounts, Ms. Kirchberg's use of another employee's password and token to complete a transfer on the day preceding the loss, and Ms. Kirchberg's failure to remove the tokens from the computer or shut down the computer on the day preceding the loss. . . .

According to [BancInsure], `[t]hese actions caused the loss by opening the door for cyber thefts.’ . . . As for the theft of confidential information exclusion, [it] argues that the employees' passwords and pass phrases were confidential, that those passwords and pass phrases were used to make the transfers, and, therefore, that `[t]he theft of [the] passwords and pass phrases caused the loss.’ . . .

Finally, as for the mechanical failure or gradual deterioration exclusion, [BancInsure] asserts that, because Proactive Threat Protection was disabled and its definitions not updated, the computer's antivirus software gradually deteriorated and allowed malware to be downloaded, which led to the unauthorized transfers. . . .

[State Bank] argues that none of these exclusions were triggered by the circumstances of the loss, but that even if they had been, [BancInsure] cannot satisfy its burden under Minnesota's concurrent causation doctrine of establishing that an excluded cause was the `overriding’ cause of the loss. . . .  
State Bank v. BancInsure, supra. 
The judge agreed with” State Bank.  State Bank v. BancInsure, supra.  She noted that
[w]hen there are multiple causes of an insured's loss, one of which is a `covered peril’ and the other of which is an `excluded peril,’ Minnesota's concurrent causation doctrine provides that the availability of coverage or the applicability of the exclusion depends on which peril was the `”overriding cause” ‘ of the loss. Friedberg v. Chubb & Son, Inc., 691 F.3d 948 (U.S. Court of Appeals for the 8th Circuit 2012) (quoting Henning Nelson Constr. Co. v. Fireman's Fund Am. Life Ins. Co., 383 N.W.2d 645 (Minnesota Supreme Court 1986)).
State Bank v. BancInsure, supra.  (This case was in federal court not because it involved any issues of federal law, but because the parties are “diverse,” i.e., are from different states.  As Wikipedia explains, the Constitution gives federal courts jurisdiction to hear such cases.  And as Wikipedia also explains, the U.S. Supreme Court has held that in diversity jurisdiction cases, the federal court applies the law of the relevant state.)        
Here, the District Court Judge applied Minnesota law and found that the computer systems
fraud was the efficient and proximate cause of [State Bank’s] loss. But for the hacker's fraudulent conduct, the $485,000 would not have been transferred. Conversely, neither the employees' violations of policies and practices (no matter how numerous), the taking of confidential passwords, nor the failure to update the computer's antivirus software was the efficient and proximate cause of [its] loss.

Assuming all of these circumstances existed as [BancInsure] argues, it was not then a `foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer. Thus, even if those circumstances `played an essential role’ in the loss, they were not `independent and efficient causes’ of the loss. In other words, without the fraudster's actions, there would have been no loss even if all of the other circumstances [State Bank’s] loss.
State Bank v. BancInsure, supra.  
She therefore held that because BancInsure presented
no set of facts from which a reasonable jury could find that one of the excluded perils -- and not the computer systems fraud -- was the overriding cause of [State Bank’s] loss, [it] is entitled to summary judgment on its claim for breach of contract and on [BancInsure’s] claim for a declaratory judgment that it is not liable for coverage. Accordingly, [BancInsure] owes [State Bank] $480,000 under the Bond, which is the amount of the loss less the $5,000 deductible.
State Bank v. BancInsure, supra.  More precisely, the judge held that State Bank was “awarded the principal amount of $480,000 under the Bond, with prejudgment interest of $140,187.36, for a total of $620,187.36.”  State Bank v. BancInsure, supra. 

The judge’s opinion also addresses the legal issues raised by BancInsure’s motion for summary judgment, which she denied, but I am not addressing them, or the detailed analysis the judge conducted of State Bank’s motion for two reasons:  This post would be very long if I did that and the summary above, I think, explains why she ultimately found in favor of State Bank.  You can, if you are interested, find the full opinion here.

Friday, October 17, 2014

GPS Tracking, the 4th Amendment and the Exclusionary Rule

After a federal grand jury indicted Henry Stephens “for being a felon in possession of a firearm on May 16, 2011, in violation of 18 U.S. Code § 922(g)(1)”, he filed a motion to suppress certain evidence.  U.S. v. Stephens, 764 F.3d 327 (U.S. Court of Appeals for the 4th Circuit 2014).  The motion to suppress targeted evidence police obtained by using Global Positioning System (GPS) technology: 
In 2011, federal and state law enforcement officers in the Baltimore area were investigating Stephens for possible drug and firearms crimes. The investigation began as a result of information provided by a registered confidential informant, and it was spearheaded by Officer Paul Geare, . . . Geare was also deputized as an ATF agent and assigned to a `High Intensity Drug Trafficking Area’ (`HIDTA’) task force unit, which was `a hybrid unit of federal agents as well as city police officers’ operating pursuant to Baltimore City and HIDTA guidelines. . . . The HIDTA joint task force is `organized to conduct investigations into drug and gun violations of both federal and state law, and its investigations indeed [lead] to both federal and state prosecutions, determined on the basis of the facts uncovered.’ U.S. v. Claridy, 601 F.3d 276 (U.S. Court of Appeals for the 4th Circuit (2010). . . .

On May 13, 2011, Geare -- acting without a warrant -- installed a battery-powered Global-Positioning-System device under the rear bumper of Stephens' vehicle, which was parked in a public lot in Parkville, Maryland. Geare had information that Stephens was a convicted felon, would be working security at a nightclub known as `Club Unite’ on the evening of May 16, and usually carried a firearm when he worked there. With this knowledge, Geare -- in conjunction with other officers -- implemented a plan to detain Stephens and search him on May 16 at Club Unite.

During the evening of May 16, Geare used the GPS to locate Stephens' vehicle at an area school. Geare and another city police officer (Sergeant Johnson) observed and followed Stephens as he drove the vehicle to his residence. Before Stephens left . . . to drive to Club Unite, Geare and Johnson saw Stephens, who was standing outside his vehicle, reach around to the back of his waistband. They interpreted this . . . as being a check for a weapon. Based on this and other information they had previously obtained, the officers `had at least reasonable suspicion, if not probable cause, that [Stephens] was armed and was on his way to work at Club Unite.’ . . . 

When Stephens drove away from his residence, Geare alerted other officers who had been briefed on the plan to go to Club Unite. Using visual observation and a portable laptop computer to monitor the GPS, Geare and Johnson followed Stephens' vehicle as he drove on public roads to Club Unite. Upon Stephens' arrival at Club Unite, the officers who had been alerted approached him and conducted a patdown, which revealed an empty holster in the middle of his back. Within a matter of minutes, a Baltimore city police officer arrived and conducted a canine inspection of the vehicle exterior. After the canine alerted, the officers searched the vehicle and found (among other things) a loaded pistol.

The officers then arrested Stephens and charged him with one or more state-law crimes. Stephens remained in state custody for approximately three months, until a federal grand jury indicted him for illegal firearm possession by a convicted felon. See 18 U.S. Code § 922(g)(1). After the federal indictment, the state charges were dismissed. . . .
U.S. v. Stephens, supra (emphasis in the original).
The Court of Appeals explains that, while this case was pending in the trial court – the U.S. District Court for the District of Maryland – the U.S. Supreme Court decided U.S.v. Jones, 132 S.Ct. 945 (2012).  U.S. v. Stephens, supra. In Jones, the Court held that the government’s installation
`of a GPS device on a target's vehicle, and its use of that device to monitor the vehicle's movements, constitutes a “search”’ within the meaning of the 4th Amendment. Because the officers in Jones did not have a valid warrant authorizing the GPS usage, the search -- i.e., GPS usage -- violated the 4th Amendment. 
U.S. v. Stephens, supra.  Since the officers in the Jones case had not gotten a warrant that authorized the installation and use of the GPS device, the search violated the 4th Amendment.  U.S. v. Stephens, supra.  
Relying on the Supreme Court’s decision in Jones, Stephens moved to suppress the
firearm and other evidence seized on May 16. Following a hearing, the district court denied the motion. The court concluded that in light of Jones, Geare's warrantless use of the GPS on Stephens' vehicle was an unconstitutional search that led to the seizure of the challenged evidence. However, the court held that the exclusionary rule does not apply because Geare used the GPS in good faith. . . . Stephens entered a conditional guilty plea, reserving the right to appeal the suppression order. See Rule 11(a)(2) of the Federal Rules of Criminal Procedure.
U.S. v. Stephens, supra.  
The Court of Appeals then took up the issue in the case:  whether the government could use the evidence obtained as a result of using the GPS technology. U.S. v. Stephens, supra.  It began by explaining that for
purposes of this appeal, we accept the district court's ruling that Geare's use of the GPS to locate and follow Stephens in May 2011 was an unreasonable search under the 4th Amendment that led directly to the seizure of the evidence from Stephens' vehicle and his arrest. Starting from this premise, we must decide the separate question of whether the exclusionary rule renders the evidence inadmissible. Because the facts are not disputed, this question involves a pure legal conclusion, and we review the district court's ruling de novo. . . .
U.S. v. Stephens, supra.  
It then turned to the exclusionary rule, explaining that the U.S. Supreme Court
created the exclusionary rule `to safeguard against future violations of 4th Amendment rights through the rule's general deterrent effect.’ Arizona v. Evans, 514 U.S. 1 (1995). The exclusionary rule `generally prohibits the introduction at criminal trial of evidence obtained in violation of a defendant's 4th Amendment rights,’ Pennsylvania Bd. of Prob. & Parole v. Scott, 524 U.S. 357 1998), but the `sole purpose’ of the rule `is to deter future 4th Amendment violations,’ Davis v. U.S., 131 S.Ct. 2419 (2011), and its application `properly has been restricted to those situations in which its remedial purpose is effectively advanced,’ Illinois v. Krull, 480 U.S. 340 (1987). As the Court has recently made clear, the exclusionary rule is not a “strict liability regime,” Davis v. U.S., supra,  and exclusion of evidence has`always been [the] last resort, not [the] first impulse.’ Hudson v. Michigan, 547 U.S. 586 (2006).
U.S. v. Stephens, supra.  
It went on to note, though, that
`[e]xclusion exacts a heavy toll on both the judicial system and society at large,’ because it `almost always requires courts to ignore reliable, trustworthy evidence bearing on guilt or innocence,’ and `its bottom-line effect, in many cases, is to suppress the truth and set the criminal loose in the community without punishment.’ Davis v. U.S., supra. In order for the exclusionary rule `to be appropriate, the deterrence benefits of suppression must outweigh its heavy costs.’ Davis v. U.S., supra. 

`Police practices trigger the harsh sanction of exclusion only when they are deliberate enough to yield meaningful deterrence, and culpable enough to be worth the price paid by the justice system.’ Davis v. U.S., supra. Therefore, the exclusionary rule is applicable `[w]hen the police exhibit deliberate, reckless, or grossly negligent disregard for 4th Amendment rights, [and] the deterrent value of exclusion is strong and tends to outweigh the resulting costs.’ Davis v. U.S., supra.
U.S. v. Stephens, supra.  
But as the Court of Appeals also noted,
`when the police act with an objectively reasonable good-faith belief that their conduct is lawful, or when their conduct involves only simple, isolated negligence, the deterrence rationale loses much of its force, and exclusion cannot pay its way.’ Davis v. U.S., supra. The `pertinent analysis of deterrence and culpability is objective, not an inquiry into the subjective awareness of arresting officers,’ and the `good-faith inquiry is confined to the objectively ascertainable question whether a reasonably well trained officer would have known that the search was illegal in light of all of the circumstances.’ Herring v. U.S., 555 U.S. 135 (2009).
U.S. v. Stephens, supra.  
It then explained that in conducting the good faith inquiry, the Supreme Court has
found the exclusionary rule to be inapplicable in a variety of circumstances involving 4th Amendment violations. See, e.g., U.S. v. Leon, 468 U.S. 897 (1984) (police conducted a search in reasonable reliance on a warrant later held invalid); Illinois v. Krull , 480 U.S. 340 (1987) (police conducted a search in reasonable reliance on subsequently invalidated state statutes); Arizona v. Evans, 514 U.S. 1 (1995) (police reasonably relied on erroneous information in a database maintained by judicial employees); Herring v. U.S. supra (police reasonably relied on erroneous information in a database maintained by police employees).

Our precedent makes it clear that application of the good-faith inquiry is not limited to the specific circumstances addressed by the Supreme Court. For example, in U.S. v. Davis, 690 F.3d 226 (U.S. Court of Appeals for the 4th Circuit 2012), we held the exclusionary rule did not apply where officers engaged in an unconstitutional search by extracting and testing the defendant's DNA sample during a murder investigation without a warrant. We explained that the Supreme Court's `recent decisions applying the exception have broadened its application, and lead us to conclude that the 4th Amendment violations here should not result in application of the exclusionary rule.’  U.S. v. Davis, supra.  
U.S. v. Stephens, supra.  
The Court of Appeals then took up the issue as to whether the good faith exception to the exclusionary rule should apply in this case.  It began by explaining that in May, 2011,
before Jones, neither the Supreme Court nor this Court had expressly approved or disapproved of warrantless GPS usage. However, in 1983, the Supreme Court held in U.S. v. Knotts, 460 U.S. 276 (1983), that the use of a beeper to track a vehicle was not a search under the 4th Amendment. In doing so, the Court explained that `[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another,’ and noted that the beeper simply conveyed to the public what was evident from visual surveillance.  U.S. v. Knotts, supra.

Knotts is not exactly on point with the facts of this case, but it is the legal principle of Knotts . . . that matters. See South Dakota v. Opperman, 428U.S. 364 (1976) (“in all 4th Amendment cases, we are obliged to look to all the facts and circumstances of this case in light of the principles set forth in . . . prior decisions’). . . . [W]e reiterate that in conjunction with the general legal landscape that existed before Jones, `Knotts was widely and reasonably understood to stand for the proposition that the 4th Amendment simply was not implicated by electronic surveillance of public automotive movements,' U.S. v. Sparks, 711 F.3d 58 (U.S. Court of Appeals for the 1st Circuit 2013) and it was the `foundational Supreme Court precedent for GPS-related cases,’ U.S. v. Cuevas–Perez, 640 F.3d 272 (U.S. Court of Appeals for the 7th Circuit 2011).

After Jones, we know such an interpretation of Knotts is incorrect. Without the benefit of hindsight, however, and with no contrary guidance from the Supreme Court or this Court, we believe a reasonably well-trained officer in this Circuit could have relied on Knotts as permitting the type of warrantless GPS usage in this case. See U.S. v. Aguiar, 737 F.3d 251 (U.S. Court of Appeals for the 2d Circuit 2013) (in declining to apply the exclusionary rule, the court stated `sufficient Supreme Court precedent existed at the time the GPS device was placed for the officers here to reasonably conclude a warrant was not necessary’). 
U.S. v. Stephens, supra.  
The Court of Appeals therefore held that “[b]ased on the foregoing, we find no basis to set aside the order denying Stephens' suppression motion. Accordingly, we affirm the conviction.” U.S. v. Stephens, supra.  
One of the judges dissented, pointing out that the good-faith exception “requires officers to `act with an objectively ‘reasonable good-faith belief’ that their conduct is lawful’” and arguing that Geare did not do that. U.S. v. Stephens, supra.   She also pointed out that
at the time the warrantless search was conducted in this case, the District of Columbia Circuit, neighboring the District of Maryland where the warrantless search here occurred, had determined that a warrantless GPS search violated the 4th Amendment. See U.S. v. Maynard, 615 F.3d 544 (U.S. Court of Appeals for the D.C. Circuit 2010), aff'd in part sub nom. U.S. v. Jones, 132 S.Ct. 945 (2012). In fact, at the time the warrantless search was conducted in this case, Maynard had been accepted for argument before the Supreme Court, further undercutting the Government's position here that the issue was generally settled.

Additionally, the Maynard case illustrates that as early as 2005, similarly situated officers were obtaining warrants for GPS searches such as the one performed in this case. Nonetheless, officers in this case did not `take care to learn’ what was required of them by 4th Amendment precedent under these circumstances. Davis v. U.S., supra.
U.S. v. Stephens, supra.  
The dissenting judge also noted that “Detective Geare testified that he did not seek advice from any legal authority regarding the constitutionality of such a search, even though there was no exigent circumstance preventing him from doing so.”  U.S. v. Stephens, supra.  And she explained that
[i]nstead, Geare testified that in utilizing the GPS device in this case, he relied simply on his own past conduct using GPS devices in prior cases that had resulted in convictions. Geare testified it was his `understanding’ that a warrant was not required when attaching a GPS device on a target's vehicle, and his `belief’ that as long as the vehicle was in a public area attaching a GPS device `was fine.’ . . . . He certainly did not receive such guidance from the United States Attorney's Office because, per his own testimony, he did not bother to ask.

U.S. v. Stephens, supra.  She, therefore, would have reversed the judgment of the District Court.  U.S. v. Stephens, supra.  

Tuesday, October 14, 2014

Hard Drives, "Containers" and Private Searches

The 4th Amendment to the U.S. Constitution gives citizens a right to be free from “unreasonable searches and seizures”.  As I have explained in prior posts, and as Wikipedia also explains, the standard the Supreme Court has established for determining whether there has been a “search” is the one it articulated in Katz v. U.S., 389 U.S. 347 (1967).
Under Katz, you have a “reasonable expectation of privacy” in a place or thing if (i) you have as exhibited an actual (subjective) expectation of privacy in that place or thing and (ii) society is prepared to recognize that this expectation is (objectively) reasonable.  If you are interested, you can read more about how the Katz standard is applied in the post you can find here.
This post examines a 4th Amendment privacy search issue that arose in People v. Evans, 2014 WL 4947060 (California Court of Appeals 2014).  Michael Shawn Evans, was “charged with possession of material depicting a person under the age of 18 engaging in or simulating sexual conduct, a felony”, in violation of California Penal Code § 311.11(a).  People v. Evans, supra. He moved to suppress certain evidence and, when the judge denied his motion, pled guilty. People v. Evans, supra. The judge “suspended imposition of sentence and placed [Evans] on probation for three years subject to specified terms and conditions.”  People v. Evans, supra.
On appeal, Evans raised only one issue: that “the trial court erred in denying his motion to suppress video files found in a search of his computer because the warrantless search conducted by the police exceeded the scope of a prior private search and therefore violated `a subjective expectation of privacy that society recognizes as reasonable.’”  People v. Evans, supra.
The Court of Appeals begins its analysis of that issue by explaining how the case arose:
On September 27, 2011, [Evans] brought his computer to Sage's Computer in Fort Bragg for servicing. In the course of working on the computer, Sage Statham viewed images on the computer of what appeared to him `to be underage girls engaged in sexual activity.’ Statham felt it appropriate to call the Fort Bragg Police Department to inquire whether these materials were `something that they should be looking at.’

Officer Brian Clark, who responded to the phone call and viewed the files at Statham's computer repair shop, stated that although the girls in the photos he viewed were posing in a sexual manner, none of them were nude or `engaging in sexual activity or simulating any sexual activity.’ Indicating he did not consider the images pornographic, Clark asked Statham whether he `could search through and look at’ anything else in the computer.

After further examining [Evans’] computer files, Statham found video files he had not previously noticed. When directed by Clark to open these files, Statham tried to but was unable to do so. Statham was . . . able to put the video files on a USB flash drive, which he gave to Clark. Clark took the flash drive to the Fort Bragg Police Department. When he was unable to open the files on his own computer, Clark gave the flash drive to Sergeant Lee, who was able to open and view the videos it contained. Lee informed Clark that he considered the videos `juvenile pornographic material.’ Clark, who also viewed the videos, described them as depicting `[f]emale juveniles engaged in sexual activity.’ The next day [Evans’] computer was seized by Officer Lopez.
People v. Evans, supra.
In his motion to suppress, Evans sought suppression of the evidence and also demanded that the prosecution “produce at the suppression hearing `any and all search warrants and arrest warrants relied upon by the prosecution to justify the searches of [his] property.’” People v. Evans, supra.  The prosecutor argued that the motion to suppress should not be granted “`for two independent reasons.’” People v. Evans, supra.
First, the evidence was not obtained by [Statham] illegally, and hence the 4th Amendment does not apply. Second, [Evans’] expectation of privacy was destroyed once Statham as a private citizen[ ] made the search and revealed his findings to the police; hence any additional investigation by the police of additional ‘folders' on that same computer was not the `fruit of any poisonous tree.’ At no time prior to the challenged searches of Evans’ computer had the police obtained a search warrant.
People v. Evans, supra.
In denying Evans’ motion to suppress, the trial judge considered whether Statham would
`be justified in calling Officer Clark over to view the entire contents of Evans computer? Put another way, does a person completely forfeit their [sic] expectation of privacy in the contents of their computer when they take it to the store to get repaired?’ The trial judge stated the answer to his rhetorical question lay in the fact that Evans only had a reasonable expectation of privacy in the contents of his computer's hard-drive. Evans did not create a confidential relationship with Statham akin to an attorney-client relationship when he entrusted his computer to Statham. Thus, any reasonable expectation of privacy [he] had in the content of his hard-drive would be eroded in proportion to any legitimate suspicion arising from what Statham discovered in the course of working on the computer. If all Statham found were images of kids riding a pony at a birthday party, it would be reasonable for Evans to expect the content of his computer would not be shared with law enforcement.’

`However, this expectation is not so reasonable when the images are such as to cause Statham to believe . . . he has discovered child pornography. Nor is it reasonable for Evans to demand that Statham conclusively determine the images meet the legal definition of child pornography before involving the police. . . . There is no requirement that citizen informants validate their suspicions of criminal conduct before reporting them to the police. By turning his computer over to Statham, Evans diminished the scope of his reasonable expectations to privacy. Figuratively, he was ‘hanging his dirty laundry out to dry’ by handing it over to a third party he knew was going to take a look at it. The discovery of the sexually charged images of children only further eroded his expectation of privacy. Under these circumstances, it was not unreasonable for Statham to involve law enforcement.’
People v. Evans, supra (emphasis in the original).
As this post explains, the 4th Amendment does not apply to the actions of private citizens unless the private citizen has become an “agent” of law enforcement, i.e., has decided to search property to “help out” the police. Basically, the judge was arguing that the private search doctrine applied to all of the searches of Evans’ computer, not just to Statham’s search of its contents.  Like other Constitutional protections, such as the 5th Amendment and the 6th Amendment right to counsel, the 4th Amendment only protects citizens from government actions that violate the protections it provides for them.
So, if a private citizen searches your computer and finds evidence of a crime, he or she can turn that evidence over to the police and nothing in what happened would violate the 4th Amendment because law enforcement was not involved either in the search or in the private person’s turning the computer over to the police.  And if the private person took your computer without your permission, that would be a 4th Amendment “seizure,” but you could not use the 4th Amendment to suppress the evidence because the police were not involved in the seizure. 
Here, the trial judge, relying on the reasoning outlined above, therefore denied Evans’ motion to suppress because he found that
`Clark's searches of the videos (both when he first met with Statham, and later at the [Fort Bragg Police Department]), were simply more thorough searches of the hard-drive ‘container’ that Statham had already opened. Evans' expectation of privacy in his hard-drive, which included the video files, had already been frustrated when he turned his computer over to Statham. Such searches are not in violation of the 4th Amendment, and thus, suppression of the videos is not mandated.’
People v. Evans, supra. 
The Court of Appeals did not agree, explaining that before Statham contacted the police,
[he] saw photographic images on [Evans’] computer that Clark determined were not pornographic. . . . Statham did not examine the materials he placed on the flash drive at any time prior to or after contacting the police. A warrantless police search certainly cannot be undertaken under the 4th Amendment where, as here, the private searcher had not determined the illicit character of any images and, further, was unable to view the materials stored in a computer even after police directed him to open those files and to place them on a USB flash drive. Accordingly, the subsequent search of the flash drive by Officers Clark and Lee clearly exceeded Statham's prior private search.
People v. Evans, supra.  If the Clark and Lee searches exceeded the scope of Statham’s prior search(es), they would not fall within the private search doctrine, and consequently would violate the 4th Amendment.
But as the Court of Appeals pointed out, the trial judge concluded that the
materials placed by Statham in a USB flash drive were contained in the `hard-drive’ of [Evans’] computer, and treated that hard drive as the functional equivalent of, or analogous to, a closed container. On these grounds, the trial court reasoned that `[Officer] Clark's searches of the videos . . . were simply more thorough searches of the hard-drive “container” Statham had already opened. Evans' expectation of privacy in his hard-drive, which included the video files, had already been frustrated when he turned his computer over to Statham. Such searches are not in violation of the [4th] Amendment, and thus, suppression of the videos is not mandated.’
People v. Evans, supra. 
Again, the Court of Appeals did not agree, noting that the
fundamental flaw in the trial court's ruling relates to its assumption that a computer hard drive can properly be considered a `closed container,’ as that term is sometimes used in applying the 4th Amendment. . . .

Noting that a `container’ has been defined as `”any object capable of holding another object,”’ the U.S. Supreme Court has recently observed that `[t]reating a cell phone as a container whose contents may be searched incident to an arrest is a bit strained as an initial matter. . . . But the analogy crumbles entirely when a cell phone is used to access data located elsewhere, at the tap of a screen. [This] is what cell phones, with increasing frequency, are designed to do by taking advantage of `”cloud computing.”’

`Cloud computing is the capacity of Internet-connected devices to display data stored on remote servers rather than on the device itself. Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.’ . . . Riley v. California, 134 S.Ct. 2473 (2014). . . .   The Court further stated: `Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans “the privacies of life”’. . . . The fact technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought. Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple -- get a warrant.’

Because, as the Supreme Court observed, cell phones `are in fact minicomputers’, Riley v. California, supra, and the search of a computer hard drive implicates at least the same privacy concerns as those implicated by the search of a cell phone, there is no reason to think conventional computers can any more reasonably be characterized as containers than cell phones. Indeed, `[c]omputers are relied upon heavily for personal and business use. Individuals may store personal letters, e-mails, financial information, passwords, family photos, and countless other items of a personal nature in electronic form on their computer hard drives.’ (U.S. v. Mitchell, 565 F.3d 1347 (U.S. Court of Appeals for the 11th Circuit 2009), [describing `the hard drive of a computer, which “is the digital equivalent of its owner's home, [as] capable of holding a universe of private information”’]).  
People v. Evans, supra. 
The Court of Appeals therefore found the trial judge erred in describing the hard drive
of [Evans’] computer as a closed container. Moreover, even if . . . the flash drive may be deemed a `closed container,’ . . . the record reflects and the trial court found Statham did not view the materials he placed in the flash drive before he was `directed’ by Officer Clark to conduct a more thorough search than the one that led him to contact the police. In placing the video files in the flash drive, Statham unquestionably `intended to assist law enforcement’ and Officer Clark `knew of and acquiesced in’ the `private’ search Statham undertook at Clark's direction.
People v. Evans, supra. 
It therefore held that the
factual findings made in this case, which are uncontested, indisputably establish that the government authorities have used information in which [Evans’] expectation of privacy was not frustrated by Statham's private search. Accordingly, the conclusions upon which the trial court based its ruling -- namely, that Officer Clark's and Officer Lee's searches `were simply more thorough searches of the hard-drive “container” Statham had already opened,’ and that [Evans’] `expectation of privacy in his hard-drive, which included the video files, had already been frustrated when he turned his computer over to Statham’ -- are wholly untenable. The fact that neither Statham, a computer specialist, nor Clark were able to open the video files strongly suggests [Evans] took precautions to maintain his privacy with respect to these materials.
People v. Evans, supra (emphasis in the original).
The Court of Appeals therefore reversed the trial judge’s order denying Evans’ motion to suppress and remanded the case to the trial judge “with directions to vacate its ruling denying [Evans’ motion to suppress and to grant the motion.”  People v. Evans, supra.  

(I am doing this post without adding a photo because I am in a hotel in DC and the wireless netwok simply will not let me add a photo.)