Power Point and the Plain View Doctrine

The plain view doctrine is a 4^th Amendment principle that lets an officer seize an item without first obtaining a search warrant, as long as the seizure comports with certain requirements. As Wikipedia explains, the requirements are that

The officer is lawfully present at the place from which he/she can plainly see the evidence;

The officer must be able to lawfully access the item to be seized; and

The incriminating character of the object must be `immediately apparent.’

Courts have found that the “immediately apparent” element means that the officer must have probable cause to believe the object is evidence of a crime. Probable cause exists when “the facts and circumstances within [the officer’s] knowledge and of which [he] had reasonably trustworthy information [are] sufficient in themselves to warrant a man of reasonable caution in the belief’ that the object is evidence of a crime. Brinegar v. U.S. 338 U.S. 160, 175-176 (U.S. Supreme Court 1949).

In Texas v. Brown, 460 U.S. 730, 738-739 (1983), the U.S. Supreme Court said the plain view doctrine is best “understood . . .not as an independent `exception’ to the 4<sup>th</sup> Amendment’s warrant clause, but simply as an extension of whatever the prior justification for an officer's `access to an object may be.”

When I cover the plain view doctrine in class, I use this example to illustrate how it works: Officers are executing a warrant to search John Doe’s home for stolen TV sets. As they walk into the living room of the house – which could contain the stolen TV sets, not all of which have been found yet – they see a transparent bag lying on the coffee table. As the officers look at the bag, they see it contains what they immediately recognize – based on their training and professional experience – as illegal drugs (e.g., marijuana, crack cocaine). Their looking at the bag doesn’t violate the 4^th Amendment because their search warrant authorizes them to be in Doe’s living room searching for the stolen TV sets. Since the illegal drugs are “in plain view,” looking at them is not a search under the 4^th Amendment; as the Supreme Court said in Katz v. U.S., 389 U.S. 347 (1967), “whatever a person knowingly exposes to public view, even in their own home or office, is not private” under the 4^th Amendment.

All the plain view doctrine does is to let the officers seize the drugs without first getting a warrant authorizing them to do so. As the Supreme Court noted in Texas v. Brown, it is

grounded on the recognition that when a police officer has observed an object in `plain view,’ the owner's remaining interests in the object are merely those of possession and ownership. . . . Likewise, it reflects the fact that requiring police to obtain a warrant once they have obtained a first-hand perception of . . . or incriminating evidence generally would be a `needless inconvenience’. . . that might involve danger to the police and public. . . . [O]ur decisions . . . reflect the rule that if, while lawfully engaged in an activity in a particular place, police officers perceive a suspicious object, they may seize it immediately. . . .This rule merely reflects an application of the Fourth Amendment's central requirement of reasonableness to the law governing seizures of property.

And that brings me to U.S. v. Jefferson, 571 F.Supp.2d 696 (U.S. District Court for the Eastern District of Virginia 2008). The search at issue arose from the indictment that charged William J. Jefferson, a Member of the U.S. House of Representatives, with “a variety of crimes including bribery, conspiracy, wire fraud, foreign corrupt practices, money laundering, obstruction of justice and racketeering.” U.S. v. Jefferson, supra.

As part of the investigation. . . [FBI] agents . . . went to defendant's residence . . . in New Orleans . . . to execute a search warrant. . . . Schedule B to the search warrant listed items to be seized . . . in four general categories: (1) records and documents related to various corporate entities, (2) records and documents related to specific correspondence or communications between certain individuals, (3) records and documents related to travel to Ghana and/or Nigeria by certain individuals, and (4) records and documents related to appointments, visits, and telephone messages to or for defendant.

U.S. v. Jefferson, supra. By the end of the seven and a half-hour search, the agents had seized 1.400 pages of documents plus “high-resolution photographs of thirteen separate items” and notes of the contents of documents they neither seized nor photographed. U.S. v. Jefferson, supra. Jefferson only moved to suppress the photographs and the agents’ notes. The agents relied on the plain view doctrine as their justification for taking the photographs and making the notes; they said they were told to only seize evidence that was “directly responsive to the list of items” in Schedule B. They said they took the photographs and the notes “in an effort to comply with the prosecutors’ instructions while still giving effect to the plain view doctrine.” U.S. v. Jefferson, supra.

We’re only concerned with one of the thirteen items the seizure of which was apparently not “directly responsive” to the list of items in Schedule B:

The sixth item at issue is a power-point presentation regarding an enterprise known as E-Star. The warrant did not authorize seizure of documents or records relating to E-Star, and nothing else in the power-point presentation made it responsive to Schedule B. The government nevertheless contends that the power-point presentation was appropriately seized under the plain view doctrine.

U.S. v. Jefferson, supra. I’m not sure how the FBI agents “seized” the PowerPoint presentation. In its opinion the federal district court initially says they took photographs of some of the 13 items and took notes on the others. Later in the opinion, though, the court describes item #6 as “[a] printout of a power-point presentation entitled `E-Star Wireless Broadband Network Business Opportunity.’” U.S. v. Jefferson, supra.

It really doesn’t matter how they seized it. The point is that they seized the presentation, which wasn’t directly responsive to the list of items they were supposed to be searching for and seizing . . . so the only justification for seizing it was the plain view doctrine.

Jefferson argued that “all evidence seized in the search should be suppressed because the FBI agents' decision to photograph and take notes of documents that were not (in defendant's view) subject to seizure under the terms of the search warrant transformed the search into an impermissible general search of the sort prohibited by the Fourth Amendment.” U.S. v. Jefferson, supra. The federal district court judge did not agree:

Because the agents were lawfully in defendant's house and . . . were authorized to conduct a cursory inspection of documents they found to determine whether those documents were subject to seizure, the plain view analysis with regard to the power-point presentation . . . turns on whether its incriminating character was apparent on its face. Here, agents had probable cause to believe that the power-point presentation was evidence of a crime. The investigation into defendant's activities that had led to the search at issue focused on a number of schemes by which defendant had allegedly solicited payment in return for the performance of official acts. Agents Horner and Thibault testified that many of these alleged schemes involved telecommunications ventures. According to Agent Horner, the E-Star power-point presentation, which detailed a telecommunications venture, closely resembled similar presentations involving iGate, Inc. that had been provided to the FBI by cooperating witness Lori Mody. Because the agents were familiar with defendant's receipt of bribes in return for his performance of official acts on behalf of iGate, the similarity between the iGate venture and the venture described in the E-Star power-point presentation gave rise to a reasonable belief that the power-point presentation was evidence of another illegal scheme, and warrantless seizure of the power-point was appropriate under the plain view doctrine.

U.S. v. Jefferson, supra.

In a later portion of the opinion, the federal district court judge also rejected Jefferson’s argument that the agents “flagrant disregard for the terms of the warrant” transformed the search into a constitutionally impermissible general search, i.e., rummaging through everything without regard to whether it fell within the scope of the search warrant or an exception such as the plain view doctrine.

[T]he majority of evidence seized by way of photograph and written note during the . . . search was seized legally pursuant to the search warrant or the plain view doctrine. Only two items were improperly seized -- the 1991 calendar and appointment book and the Moss Creek documents. Nor does the record indicate that the improper seizures were a result of any flagrant disregard for the terms of the warrant; to the contrary, in each case there is evidence that the seizing agents acted in good faith. Because this was not a general search based on flagrant disregard for the terms of the warrant, blanket suppression is unwarranted.

U.S. v. Jefferson, supra.

I think the judge was correct in applying the plain view doctrine to the seizure of the PowerPoint presentation. What I find interesting about this case is the use of the plain view doctrine to seize this kind of intangible evidence. I haven’t run across any other plain view seizure of PowerPoint presentations, but I suspect this won’t be the last one we see.

Finally, I'd like to note that the judge and, apparently, the prosecution and defense lawyers in this case all assumed that by printing out the Power Point slides or photographing them (whatever the agents did to obtain the contents of the presentation) the agents "seized" the Power Point presentation. In my last post, I argued that copying data is a seizure under the 4th Amendment, notwithstanding the fact that one federal district court opined otherwise. Everyone involved in this case seems to have assumed that copying is, in fact, a 4th Amendment seizure.

Copying as a Seizure (Again)

I’m going to revisit an issue I addressed in a post I did several years ago. The issue is whether copying data files is a seizure under the 4^th Amendment.

As I’ve noted in earlier posts, the 4^th Amendment prohibits unreasonable searches and seizures. As I’ve also noted, a “search” violates a reasonable expectation of privacy under the test the Supreme Court announced in Katz v. United States, 389 U.S. 347 (1967); and as the Supreme Court held in Soldal v. Cook County, 506 U.S. 56 (1992), a “seizure” interferes with our possession and use of our property.

I think the issue of whether or not copying data is a 4^th Amendment seizure is an important one because if copying is neither a search (which I don’t think it is) nor a seizure, then it’s completely outside the scope of the 4^th Amendment. If copying is completely outside the scope of the 4^th Amendment, then officers can copy data without getting a warrant authorizing them to do so and/or relying on an exception to the warrant requirement as their authorization for doing so.

Why don’t I think copying is a search? As I noted, searches violate – intrude on – a reasonable expectation of privacy under the 4^th Amendment. Let’s assume, for the sake of analysis, that someone has a legitimate 4^th Amendment expectation of privacy in the data stored on their computer. To really reinforce that assumption, we’ll also assume that this person lives alone and so doesn’t share the computer with anyone else and doesn’t give anyone else access to it, whether in person or remotely. The contents of that hard drive are, therefore, protected by the 4^th Amendment’s guarantee of privacy.

Assume a police officer equipped with the appropriate forensic software makes a copy of the hard drive. We’ll also assume the officer’s being in the home to make the copy didn’t itself violate the 4^th Amendment because I want to focus on the specific act of copying the data. If, as I believe is usually true, the officer doesn’t observe the contents of the data during the copying process, then I do not see how we can characterize the copying as a search.

He hasn’t looked at the data; no human being has looked at it. The computer and software he’s using have, in a literal sense, “looked at it” because both have had some level of access to the data. I, however, do not see that as a true 4^th Amendment search, if only because the 4^th Amendment was clearly intended to protect the privacy of our places and things from observation by people (law enforcement officers specifically).

We could construe the act of copying the data as a search under at least two theories: One theory is the one I noted above, i.e., that the implements have in a sense “looked at” the data and we’ll impute their “observations” to the law enforcement officer. The other theory is that the copying by the equipment is essentially the first step toward this officer’s viewing the contents of the hard drive, so it is the beginning of a search. We could also have a third theory if and when the programs officers use to copy data have attained a level of artificial intelligence; at that point, we still wouldn’t have a human being observing the data but an entity with a level of intelligence would be doing so. We could then, I suppose, impute the artificial intelligence’s viewing the data to the officer.

I concede that copying data COULD be construed as a search under these, and perhaps other, theories. I really don’t think that’s the way to go, though, because I think we really have to torture the notion of “search” to apply it to the non-observational copying of data.

I think it makes much more sense to treat copying data as a seizure. Copying data is, of course, not a traditional, zero-sum seizure. A traditional, zero-sum seizure is analogous to traditional, zero-sum theft: In both, the possession and use of property passes entirely from one person (the rightful owner) to another (the officer seizing the property or the thief stealing it). Zero-sum seizures are the only kind of seizures that are possible with tangible property, i.e., property that exists only in the physical world.

Zero-sum seizures are therefore the only kind of seizures the drafters of the Bill of Rights were thinking about when they wrote the 4^th Amendment. That, though, does not mean we have to limit the applicability of the 4^th Amendment to zero-sum seizures. After a few false starts, the Supreme Court recognized that unless it construed the 4^th Amendment broadly -- to encompass changing technologies -- the 4^th Amendment would become increasingly irrelevant to modern life. Since the 4^th Amendment is the closest thing the Constitution has to a guarantee of privacy and security in the possession of property, we do not want it to become a pretty-much-dead letter.

Expanding the traditional, zero-sum conception of seizure to encompass non-zero-sum seizures is consistent with the approach the Supreme Court took in holding that tapping phone conversations is a 4^th Amendment “search.” In 1928, in Olmstead v. U.S., 277 U.S. 438, the Supreme Court held it was not a search for federal agents to use wiretaps on the phone lines outside Olmstead’s home to listen to what he said when he making calls from his home phone. (Olmstead had argued it was a search because the officers were able to hear what he said when he was in his home, the home being the most private of all 4^th Amendment enclaves.)

Because many members of that Court were conceptually mired in the nineteenth century, they said the eavesdropping didn’t violate the 4^th Amendment because the officers never physically entered Olmstead’s home. They were construing the 4^th Amendment to reach only the evil it was originally designed to address: officers kicking down someone’s door, forcing themselves into the home and rummaging through the contents of the house. In his dissent, Justice Brandeis pointed out that

[s]ubtler and more far-reaching means of invading privacy have become available to the government. . . .The progress of science . . . is not likely to stop with wire tapping. Ways may . . . be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and . . . expose to a jury the most intimate occurrences of the home. . . . Can it be that the Constitution affords no protection against such invasions of individual security?

Olmstead v. U.S., supra (Brandeis dissenting). In 1967, in the Katz case, the Supreme Court reversed its Olmstead decision and said wiretapping is a search. In so doing, the Court moved beyond a literal interpretation of the 4^th Amendment and into one that can encompass advances in technology. I think we should do essentially the same thing with how we define 4^th Amendment seizures.

At the moment, the only case I can find in which a judge specifically rules on the copying-as-seizure issue is U.S. v. Gorshkov, 2001 WL 1024026 (U.S. District Court for the Western District of Washington 2001). As you may know, in the Gorshkov case FBI agents copied data from a computer Gorshkov used in Russia, without first obtaining a search and seizure warrant. Gorshkov argued that copying the data constituted a 4^th Amendment search, but the federal district judge disagreed:

[C]opying the data on the Russian computer was not a seizure under the Fourth Amendment because it did not interfere with Defendant's . . . possessory interest in the data. The data remained intact and unaltered. It remained accessible to Defendant. . . . The copying of the data had absolutely no impact on his possessory rights.

U.S. v. Gorshkov, supra. I vehemently disagree.

When officers copy data, a transfer takes place. Before officers copy the data on John Doe’s hard drive, Doe is the only person who had possession of it. After they copy it, both the officers and Doe have a copy of the data. Doe has not, as the Gorshkov judge correctly noted, entirely lost possession of the data. He has, I argue, lost a quantum of his possessory interest in the data.

In an earlier post, I wrote about an Oregon case in which the defendant was charged with using a computer to commit theft after he copied a password file belonging to his employer. The defendant claimed he didn’t commit theft because the employer still had the password file; he just had a copy of it. If we apply the Gorshkov judge’s approach to defining a seizure of property to this defendant’s argument, then he’d win; the Oregon court would have had to have dismissed the theft charge against him because the employer had not “entirely lost possession of the data.”

That, though, isn’t what the Oregon court did. It noted that “theft” is defined as taking someone’s property without being authorized to do so and that “property” is defined as “anything of value.” The court found that the evidence showed the passwords had “value,” which meant they were “property.” It then held that the defendant committed theft because he deprived his employer of exclusive possession of the passwords, which deprived the employer of property because much of the value of passwords lies in the fact that no one else knows what they are.

If copying data is theft, I think it also has to be a seizure, a non-zero sum seizure. Any time someone copies my data without permission, I “lose” something; more precisely, I lose part of my exclusive possession and control of the data. Even if my data doesn’t consist of passwords, much of its value lies in the fact that it’s mine and I, alone, control it. I think, therefore, that the loss of the ability to exercise sole control over one’s data justifies defining copying as a non-zero sum 4^th Amendment seizure . . . which would not mean law enforcement officers couldn’t copy data. It would mean they’d need to have a warrant or an exception to the warrant requirement (e.g., consent or the existence of exigent circumstances) to be able to copy the data without violating the 4^th Amendment.

Disagreement????

Controlling Child Pornography

This post is about a Pennsylvania statute that seems to create a fifth child pornography crime. As I’ve noted, there are – or I’ve assumed there are – four child pornography crimes: manufacturing child pornography, distributing child pornography, possessing child pornography and accessing (looking at) child pornography. The Pennsylvania statute adds what MAY be a fifth option: controlling child pornography.

The case is Commonwealth v. Diodoro, 970 A.2d 1100 (Supreme Court of Pennsylvania 2009). It began when on “November 20, 2003, the Ridley Township Police Department obtained a search warrant for appellant Anthony Diodoro's personal computer and seized the computer from his residence in Delaware County.” The forensic examination of the computer revealed that it “contained approximately 340 images of suspected child pornography and thirty additional images that were known to be child pornography.” Commonwealth v. Diodoro, supra. Diodoro was arrested and charged with 30 counts of child sexual abuse by violating 18 Pennsylvania Consolidates Statutes § 6312(d).

Section 6312(d) provides as follows: “Any person who knowingly possesses or controls any book, . . . photograph, film, videotape, computer depiction or other material depicting a child under the age of 18 years engaging in a prohibited sexual act or in the simulation of such act commits an offense.” As the Pennsylvania Supreme Court noted, “under Section 6312(d), a defendant may be convicted of sexual abuse of children for the mere knowing control of child pornography.” Commonwealth v. Diodoro, supra.

Diodoro pled not guilty and went to trial. At trial, Pennsylvania Trooper Peter Salerno

testified to the specifics of his forensic examination of appellant's computer. Trooper Salerno explained that he searched the images and web history on appellant's hard drive using forensic software, which revealed . . . web pages pertaining to child pornography websites, and 370 images relating to child pornography that were stored in the cache files or unallocated space of the hard drive. . . . Salerno testified that finding the images of child pornography stored in the cache files indicated that someone accessed the child pornography websites and by clicking the “next” button or a specific image, accessed and viewed the various images. . . . Salerno also noted that because of the large quantity of images stored in the cache files, it would have taken an individual a considerable amount of time to go through the images.

Commonwealth v. Diodoro, supra. The prosecution and defense stipulated that the images (i) depicted “female children engaged in prohibited sexual acts” and (ii) “were viewed by [appellant] on his computer while he was searching the World Wide Web for images of females under age [sixteen].” Commonwealth v. Diodoro, supra.

Diodoro was convicted and appealed, arguing that the evidence was not sufficient to support his conviction. His primary argument seems to have been that the evidence did not show he “controlled” the images. The first appellate court to consider his argument

focused its . . . analysis . . . on the term `control’. . . . [It] determined that the `ordinary, everyday meaning’ of the term . . . was: `. . . . [The ability to exercise a restraining or directing influence over something.’ . . . The [court] held that, in addition to . . . seeking out and viewing child pornography, `[h]is actions of operating the computer mouse, locating the [websites], opening the sites, displaying the images on his computer screen,’ at which time he had the ability to download, print, copy or e-mail the images, `and then closing the sites were affirmative steps and corroborated his . . . control over the child pornography.’ The majority found additional evidence of appellant's control . . . [in] Officer Salerno's testimony, wherein he explained that the sheer volume of child pornography stored in appellant's `cache files indicate[d] that someone, after accessing the particular [websites], had to click the “next” button on the screen to view successive images.’ Thus, [it] concluded that the totality of the circumstances was sufficient to support the jury finding that appellant's conduct constituted knowing control of child pornography under Section 6312(d).

Commonwealth v. Diodoro, supra. The Pennsylvania Supreme Court agreed to review the lower court’s decision. In his argument to that court, Diodoro claimed that “for the Commonwealth to establish that he had the power and intent to exercise control over the images of child pornography found on his computer, [it] was required to prove that he had knowledge of the existence of those images on his computer.” He also argued that because the statute did not define “control,” he was not on notice that “intentionally accessing and viewing child pornography via the internet-sans the intent to download, copy or send the images-constitutes `control’ of such material under Section 6312(d).” Commonwealth v. Diodoro, supra.

In analyzing his arguments, the Pennsylvania Supreme Court explained that the statue creates two crimes: “the Commonwealth need not establish that a defendant possessed child pornography to prove a violation of Section 6312(d) if the Commonwealth can prove that a defendant knowingly controlled child pornography”. So controlling child pornography is different from possessing child pornography.

The Pennsylvania Supreme Court analyzed the arguments of the two sides and the evidence in the case, and then held that Diodoro “controlled” the images:

An individual manifests . . . control of child pornography when he purposefully searches it out on the internet and intentionally views it on his computer. . . . [T]he viewer has affirmatively clicked on images of child pornography from different websites and the images are therefore purposefully on the computer screen before the viewer. Such conduct is clearly exercising power and/or influence over the separate images of child pornography because the viewer may, inter alia, manipulate, download, copy, print, save or e-mail the images. It is of no import whether an individual actually partakes in such conduct or lacks the intent to partake in such activity because intentionally seeking out child pornography and purposefully making it appear on the computer screen -- for however long the defendant elects to view the image -- itself constitutes knowing control. The use and operation of computers are not the novelty they once were. Control via a computer is little different from the control one exercises by viewing a book or a magazine-whether one purchases the tangible image or not. . . . Section 6312(d) should not and cannot be read to allow intentional and purposeful viewing of child pornography on the internet without consequence.

Commonwealth v. Diodoro, supra.

Based on the court’s analysis, it seems pretty clear that Pennsylvania’s “controlling child pornography” crime is the accessing child pornography crime I wrote about in an earlier post. As I explained in that post, the federal child pornography statute was amended to add accessing child pornography as one of the crimes it encompasses.

In an earlier post, I noted that a bill had been introduced into the Nevada legislature that would add an accessing crime to that state’s child pornography statutes. The bill passed the legislature and on June 9 the Governor signed it, so it’s presumably gone into effect by now.

Nevada’s new statute defines the access crime as follows: “Any person who, knowingly, willfully and with the specific intent to view any . . . visual presentation depicting a person under the age of 16 years engaging in or simulating sexual conduct, uses the Internet to control such a film, photograph or other visual presentation is guilty of” a felony. Nevada Assembly Bill 88, 2009 Nevada Laws Ch. 471.

Another part of the Nevada bill creates a civil cause of action for someone who was used to make child pornography. Such a person can sue anyone who promoted the child pornography, possessed it or used “the Internet to control the film, photograph or other visual presentation, with the specific intent to view the film, photograph or other visual presentation.” Nevada Assembly Bill, supra. I’m not sure what the rational of this provision is. I assume children used in child pornography can already sue those who created it and distributed it, under some theory, so this section must be meant to spread the liability net wider. I’m not sure how effective the cause of action against people who viewed the child pornography is going to be, though.

Getting back to the Pennsylvania statute, I’m not sure why the legislature went with “control” instead of “access” (or “view”). Logically, “control” implies a greater level of involvement than does “access,” so maybe that notion was part of the reason why they focused on control. If the Pennsylvania legislature had gone with “access,” it might have made things simpler; it would have been impossible, or at least much more difficult, for Diodoro to argue that he hadn’t “accessed” the images than it was for him to claim he hadn’t “controlled” them.

So if any state legislators are considering adding the fourth child pornography crime to their criminal code, I’d respectfully suggest they go with the access or view option.

Interception and Device

This post is about a recent decision from a federal court in Wisconsin that deals with email interception in violation of 18 U.S. Code § 2511(1)(a). The case is U.S. v. Szymuszkiewicz, 2009 WL 1873657 (U.S. District Court for the Eastern District of Wisconsin 2009) and here is the government’s version of the facts:

[D]efendant, a revenue officer with the IRS, created a `rule’ on his supervisor Nella Infusino's computer, which auto-forwarded to defendant all of Infusino's e-mails. The government presented testimony from Infusino and another IRS employee, Theresa Memmel, that . . . while Memmel was training Infusino on the use of `Outlook’-the e-mail program utilized by the IRS-the two came upon the rule on Ifusino's computer. Memmel and Infusino were shocked . . . and called the computer support department. Infusino . . . did not create the rule or intend for defendant to receive her e-mails. IRS computer specialist David Tietz . . . responded to Infusino's call and viewed the rule, which was active, on her computer. Tietz . . . disabled the rule, then deleted it. Tietz testified that defendant never advised him that he was receiving Infusino's messages, nor did he learn that from his co-workers in tech support.

William Taylor, an investigator with the Treasury Department's Inspector General's Office, testified that he looked into the matter after Infusino discovered the rule. Taylor reviewed data on the IRS's Outlook server, looking for e-mails auto-forwarded by rule, pursuant to which he recovered twenty-one e-mails forwarded from Ifusino to defendant. Taylor also checked defendant's computer hard drive, where he located 116 additional e-mails auto-forwarded from Infusino, all of which had been opened and some of which had been moved to different folders within defendant's Outlook program. . . .

Infusino . . . supervised defendant from 2001 to 2005 or 2006. . . . [and] . . . used a laptop computer, which she carried with her when she visited the officers under her supervision. Infusino never saw defendant access her computer (and she did not provide him with her password), but . . . at times she left the computer unattended in the Racine office where defendant worked. Infusino . . .testified that in 2003 and 2004 issues with defendant's work performance arose. . . .

U.S. v. Szymuszkiewicz, supra.

Szymuszkiewicz was charged with 3 counts of violating § 2511(1)(a), which makes it a federal crime to intercept the contents of electronic communications. He went to trial and moved for an acquittal before the case went to the jury; the judge reserved decision on his motion and sent the case to the jury. After the jury convicted Szymuszkiewicz, he renewed his motion, which the federal judge then considered.

In ruling on the motion, the judge began by noting that to convict Szymuszkiewicz,

the government had to prove (1) that defendant intercepted an electronic communication; and (2) that he did so intentionally. The term `intercept’ means to acquire the contents of any electronic communication through the use of any electronic, mechanical or other device. An `electronic, mechanical, or other device’ means any device or apparatus which can be used to intercept a wire, oral or electronic communication. Finally, . . . `intentionally’ means to act deliberately and purposefully; that is, defendant's act had to be the product of his conscious objective rather than the product of a mistake or an accident.

U.S. v. Szymuszkiewicz, supra. Szymuszkiewicz argued that the government had failed to prove beyond a reasonable doubt either that “he used a `device’ to intercept Infusino’s e-mails” or that he “intercepted” the emails.

In his first argument, Szymuszkiewicz contended that § 2511(1)(a) “requires use of a device separate and distinct from the drive and server upon which the communication was received.” U.S. v. Szymuszkiewicz, supra. In making his argument, he relied on two opinions issued in civil suits under the Wiretap Act, of which § 2511 is a part. The federal judge found neither case was relevant here because “both concerned defendants who received information directed by the sender to them; in neither case did the defendants take any action to re-direct to themselves a communication addressed to another.” U.S. v. Szymuszkiewicz, supra. The judge said the defendants in these cases engaged in “passive receipt” of communications, rather than intercepting them.

In the present case, the government did not rely solely on defendant's passive receipt of Infusino's e-mails on his own IRS computer via the IRS server. Rather, the government claimed that he used a device, i.e. Infusino's computer, to create the rule to intentionally effectuate re-direction/interception. He then used his own computer to receive and read the re-directed e-mails.

U.S. v. Szymuszkiewicz, supra. Since Szymuszkiewicz had not cited any cases holding that using two computers to intercept communications does not satisfy the requirements of § 2511(1)(a), the judge held that the government had carried its burden of proving the “use of device” element of the § 2511(1)(a) charges. U.S. v. Szymuszkiewicz, supra.

As I noted earlier Szymuszkiewicz’s other claim was that the government “failed to prove `contemporaneous’ interception of the e-mails.” That argument raises an issue a number of courts have dealt with. The issue arises because § 2511(1)(a) is part of the Wiretap Act, which dates back to 1968. The Wiretap Act was adopted to implement the Supreme Court’s holding, in U.S. v. Katz, that eavesdropping on phone calls is a search under the 4^th Amendment. Congress adopted the Wiretap Act to implement the Katz decision and to add even more requirements than the 4^th Amendment now imposes on wiretapping.

As I’ve noted, about ten years later the Supreme Court held, in Smith v. Maryland, that the 4^th Amendment does not apply to the numbers we dial on our phones or to any other information we share with third parties. The Smith Court relied on an earlier decision in which the Court essentially held that by sharing information with third parties, like banks and phone companies, we lose any expectation of privacy in that information.

So the Katz and Smith cases create the emphasis on “contemporaneousness” when it comes to “intercepting” electronic communications. The issue doesn’t arise for phone calls because the only way you can capture the contents of a phone conversation is to listen in or record it as it occurs. It arises for emails for at least two reasons: One is that we tend to leave read and unread emails stored with our ISP, which suggests they are governed by the Smith rule. The other reason is that unlike phone conversations, emails are not a simultaneous, unitary communication. As the Szymuszkiewicz court explained, they move as discrete packets, each of which is stored by computers as it travels to its final destination, where the packets “are reassembled to form the e-mail message”. U.S. v. Szymuszkiewicz, supra.

Courts have therefore struggled with what it means to “intercept” emails. Some courts have found that the temporary, intermediate storage involved in transmitting an email is enough to take the emails outside the scope of the Wiretap Act. In other words, they’ve held these emails are governed by Smith, not Katz. Szymuszkiewicz’s problem was that in U.S. v. Councilman, 418 F.3d 67 (U.S. Court of Appeals for the First Circuit 2005) (en banc), a federal court of appeals held that “the Wiretap Act applies to e-mail messages in the `transient electronic storage that is intrinsic to the communication process for such communications.’” While that decision was not binding on this federal district court, the judge agreed with the Councilman court’s logic:

Defining . . . `intercept; to generally require contemporaneousness, . . . would permit courts to maintain a distinction between prospective interception at the time of transmission and one-time access to information already received and in storage. . . . Such construction would avoid eliminating the protections of the Wiretap Act based on the transient storage incidental to e-mail communication.

U.S. v. Szymuszkiewicz, supra. The judge then found that the evidence was sufficient to establish that Szymuszkiewicz intercepted the emails that were the basis of the charges:

[He] did not access Infusino's messages on her computer after receipt. Rather, the messages destined for Infusino were auto-forwarded to defendant as soon as they were received on the IRS e-mail server. Further, . . . the e-mails relating to the three counts . . . reflect that they were sent to Infusino and defendant at the same time (accounting for a time zone difference). With respect to Exhibit 57 in particular, Agent Taylor testified that the e-mail was submitted to the server at 2:23:58, a version created for defendant at 2:23:58, and the version so created delivered to defendant at 2:23:58. Thus, the government demonstrated contemporaneous interception.

U.S. v. Szymuszkiewicz, supra. So Szymuszkiewicz lost.

I like this judge’s idea of striking a flexible balance between transmission and storage rather than relying on “a rigid storage/transit dichotomy”. My only concern is the potential uncertainty of a standard that is predicated on “generally” requiring contemporaneousness.

Mules

You’ve probably seen the news stories about the Ukrainians who extracted $415,000 from a Kentucky bank, courtesy of a Trojan horse program.

If you haven’t seen the stories, here’s a brief recap: Ukrainian hackers used a Trojan horse program to acquire access to and authentication authority over bank accounts belonging to Bullitt County, Kentucky. The Trojan gave the hackers access to the County Treasurer’s computer, according to the stories I read, and to the email account of the judge who had to approve wire transfers from the County’s account. They created accounts in the names of fictitious employees and then transferred $415,000 to those accounts.

Posing as the Fairlove Delivery Service, the Ukrainians had earlier hired people to edit text for them, primarily fixing the English from what I gather. They then approached at least some of these people, telling them the company had trouble getting funds to its clients oversees and asking if the employees would help them with their problem. Those who agreed accepted wire transfers of funds ($9,900) into their bank accounts, took part of the money (say, $500) as their “commission” and then wired the rest to a bank account in the Ukraine.

This post isn’t about the theft of the funds from the Bullitt County government’s bank account, as such. It’s clear that the Ukrainians who are responsible for the theft committed a variety of federal cybercrimes: unauthorized access to computers (the Treasurer’s and judge’s computers, at the very least), transmitting a program, code or information and causing damage (the Trojan horse program) and maybe accessing a computer without authorization to further a scheme to defraud (if we decide this was fraud, not theft). As I’ve explained, the general federal cybercrime statute – 18 U.S. Code § 1030(a) – criminalizes each of these acts: Section 1030(a)(5)(B) makes it a crime to gain unauthorized access to a computer and cause damage (which is defined as impairing the integrity or availability of data); section 1030(a)(5)(A) makes it a crime to transmit a code, program or information and cause damage; and section 1030(a)(4) makes it a crime to access a computer without authorization to further a scheme to defraud. (To make what they did fraud, we’d have to figure out someone who was defrauded into letting them have the money in the accounts. I’m not sure that one will work.) We’d also have conspiring to violate § 1030 in violation of 18 U.S. Code § (b), and a host of other federal crimes.

Okay, the perpetrators are easy. If they’re ever caught, there are plenty of crimes they can be charged with and, I’m sure, easily convicted of.

I want to focus on the mules . . . the people who received the initial transfers of funds from the County’s account at the banks and wired most of what they received to the account in the Ukraine. I’ve seen no indication that anyone intends to prosecute them for their role in the scam, but it’s still early in the investigation; and even if they aren’t actually prosecuted, I think the issue warrants exploring.

Since the mules didn’t play any role in the actual execution of the theft of the funds, they can’t be charged as actual perpetrators of any of the crimes outlined above. Their role essentially came after the theft had been committed; they helped the Ukrainians move the funds out of the U.S. and into their own, home account.

There are two possible ways a prosecutor could hold the mules liable for the theft of the funds. One is what’s called the Pinkerton doctrine. In Pinkerton v. U.S., 328 U.S. 640 (1946), the U.S. Supreme Court held that, as far as federal cases are concerned, one member of a conspiracy can be held liable for the substantive crimes the other members of the conspiracy commits. They become each other’s agents, in effect. In the Pinkerton case, two brothers were making liquor and selling it in violation of federal revenue laws. Daniel got caught, convicted and was serving time in jail when Walter committed some further violations of federal revenue laws. Daniel and Walter were both charged with committing those crimes, on the theory that they had conspired to violate federal revenue laws, which meant Daniel was responsible for what Walter did, even when Daniel wasn’t there. The Supreme Court accepted that theory, and held Daniel liable.

We could conceivably use that in this case, since I’m assuming federal charges, but for Pinkerton liability to apply, the person has to have joined the conspiracy the object of which is to commit the target crime – here, theft – before the crimes were committed. The crimes have to be a foreseeable consequence of the conspiracy the person joined, and occur after they joined the conspiracy. Since I’m assuming the theft was complete – more on that in a minute – I don’t think Pinkerton would work here. Even if the mules entered into a conspiracy to dispose of the funds, that couldn’t be used to hold them liable to taking the funds, IMHO.

So let’s try the obvious choice: aiding and abetting, or what the Model Penal Code calls accomplice liability. As I explained in an earlier post, an accomplice is someone who helps another person commit a crime – they “aid and abet” the crime. Here, the mules helped the Ukrainians get the money out of the country, which definitely constituted aiding the commission of the theft. To be liable as accomplices, though, the mules had to have acted with the purpose of aiding and abetting the crime (the theft) and the crime must not have been completed before they provided their assistance.

As a federal district court noted recently, the intent to aid and abet “must be formed prior to or during the commission of the offense.” Pickles v. Adams, 2009 WL 789904 (U.S. District Court for the Eastern District of Michigan 2009). “Thus aider and abettor liability is established if the getaway driver forms `the intent to facilitate or encourage commission of the robbery prior to or during the carrying away of the loot to a place of temporary safety.’" Pickles v. Adams, supra. We’re not dealing with a getaway driver, but the principle is the same: Like the driver, the mules helped the thieves get the loot to a place where it was safe.

At this point, I’m assuming, for the purpose of analysis, that the mules did have the intent to aid and abet the thefts; I’ll get to whether that was true or not in a minute.

So, assuming that they acted with the intent to aid and abet the theft of the Bullitt County government’s money, did they form that intent during the commission of the crime itself? The answer seems to be a little tricky. Some of the cases I read said that if you only provide assistance after the crime itself has been committed – which, for theft, seems to mean that the thieves have taken the property from the rightful owner’s possession, so the owner has been divested of it – you can’t be an accomplice because you can’t aid and abet a crime that’s already been committed. If we go with that theory, then it seems the mules can’t be liable as accomplices, or aiders and abettors.

Some courts expand that out a little, especially in the area of theft crimes, and use the theory quoted above, i.e., that if the accomplice forms the intent to facilitate the commission of the theft either while it’s being committed or while the thieves are in the process of getting away with the loot, that’s enough to make them an accomplice. If we go with this theory, then it might be possible to prosecute the mules as aiders and abettors because they did help the Ukrainians get away with their loot. The Ukrainians had gotten it out of the Bullitt County bank but not out of the U.S. and into the Ukraine; I can see a good argument that part of the crime – the asportation of the stolen property – was still in process when the mules did what they did. And since what they did directly facilitated the Ukrainians’ getting the money out of the country, it should qualify as aiding and abetting.

There is, though, that residual but very important issue of intent. Law has traditionally required that to be an accomplice to a crime, you must purposely aid and abet its commission. So for the mules to be held liable as accomplices, the prosecution would have to prove beyond a reasonable doubt that their purpose in accepting the initial transfers of funds and then in sending most of the funds to the Ukrainian account was to abet the crime of theft.

Several of the stories I’ve read about the case say that the two mules who have talked to the investigators say they were duped. They seem to have believed it was a legitimate transaction, at least initially. One said she became suspicious and didn’t wire all of the money; the other one seems to have gone along with no suspicions.

A prosecutor, of course, might not believe their claims that they had not idea there was anything wrong with the transaction. In situations like this, prosecutors can use certain facts to support the inference that the mule – while claiming innocence – actually knew what was going on and acted with the intent to facilitate the underlying crime. One factor here that might be used to infer intent is the amount the mules were being paid. One story I read said they were told they’d receive $9,900 and should keep $500 before wiring the rest to the Ukrainian account. That seems like a pretty good commission to me; excessive payments can indicate illegal activity and might be used in inferring intent. A prosecutor might also point to the use of an offshore, Ukrainian account as the place to which the funds were going, but the employer said they were for offshore clients, so maybe that wouldn’t be particularly compelling. If the mules had kept doing this, over and over, that, too, might be a circumstance from which intent could be inferred.

Am I arguing that the mules in this case should be prosecuted? No, at least not on the basis of what I’ve seen so far. The rationale for punishing mules who do act with the intent of aiding and abetting a crime like this is to make it more difficult for Ukrainian hackers to find someone to do this in the future. Aside from holding these people liable, such a prosecution could publicize the scam and help ensure that others don’t fall for it.

And, of course, the mules are here, which means we can easily prosecute them, if we get over the hurdles I’ve noted above. As to the Ukrainian perpetrators, I suspect prosecuting them is unlikely.

File-sharing and Child Pornography: Two Views

I’ve done a couple of posts on police officers using file-sharing software like Limewire or Kazaa to find child pornography on people’s computers. The issue I was dealing with in those posts was whether law enforcement’s using Limewire or Kazaa to access files on someone’s hard drive is a search under the 4^th Amendment.

This post is also about file-sharing software and child pornography, but it focuses on a different issue: whether putting child pornography into a folder that can be accessed via file-sharing software in and of itself constitutes “distributing” child pornography.

As I explained in an earlier post, most countries that outlaw child pornography use 3 crimes to do so: possessing child pornography, distributing child pornography and manufacturing child pornography. Section 2252A(a)(1) of Title 18 of the U.S. Code makes distributing child pornography a crime:

Any person who knowingly transports . . . using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce by any means including by computer or mails, any visual depiction, if . . . such visual depiction involves the use of a minor engaging in sexually explicit conduct; and such visual depiction is of such conduct.

The mental state – the mens rea – of the crime is therefore “knowingly,” which means “the defendant realized what he/she was doing and was aware of the nature of his/her conduct, and did not act through ignorance, mistake or accident.” Federal Criminal Jury Instructions of the U.S. Court of Appeals for the Seventh Circuit 4.06. The issue that has come up in the U.S. and the U.K. is whether putting images of child pornography into a folder that is accessible via file-sharing software constitutes “knowingly” distributing child pornography. I’m going to compare how courts in each country dealt with this issue.

We’ll start with the U.K. In R. v. Dooley, [2005] EWCA Crim 3093 (Court of Appeal 2005), Dooley was charged with violating the Protection of Children Act of 1978 by having images of child pornography in his possession “with a view to their being distributed . . . by himself or others”. Protection of Children Act of 1978 § 1(1)(c). Under § 2 of the Act, a person is “regarded as distributing an indecent photograph or pseudo-photographs if he parts with possession of it to, or exposes or offers it for acquisition by, another person”. The case arose after police searched Dooley’s home and seized a computer, on which they found Kazaa and “many thousands of indecent images of children, many of which he had obtained via Kazaa.” R. v. Dooley, supra. The Court of Appeals noted that “only six of the images” were found in Dooley’s “My Shared Folder.”

The prosecution argued that by putting images into that folder, Dooley violated § 1(1)(c) of the Protection of Children Act. Dooley’s lawyer said he didn’t violate it because

downloading of images from KaZaA will often take many days. . . . Rather than just download a few images, the appellant would download a very substantial number of images. The images . . . could not effectively be accessed by others until . . . the `My Shared Folders’ had the completed image. . . . [I]t was his `specific intention’ to remove the . . . image from the `My Shared Folder’ to some other part of his computer, where it could not be seen by others. Because of the large number of images that were downloaded, it took him time to do that.

R. v. Dooley, supra. The prosecution said the images had been in the folder for 10 days, and the court found this meant “they were available to be accessed” by those who were using Kazaa and were so inclined. The trial court found that because Dooley used Kazaa (and in effect joined “a computer club knowing its purpose is to make material downloaded by you accessible to all members”), he downloaded the images “with a view to” their being distributed by others. R. v. Dooley, supra.

Dooley appealed, arguing that the prosecution had to prove that one of the reasons he left the images in the folder was “to enable others to access” them; since the trial court apparently did not apply this standard, the Court of Appeals vacated the conviction. The trial court had commented that “if a person charged with this offence did not know that as a result of using the particular software there was a likelihood of the image . . . in the `My Shared Folder’ being accessed by others then he would have a good defence” to the charge. R. v. Dooley, supra. On appeal, Dooley’s lawyer said that since this wasn’t made clear to Dooley, he pled on the premise that the prosecution didn’t have to show he knew that by leaving images in the file he was violating § 1(1)(c) of the Act. The Court of Appeals found that Dooley’s plea was no good because it was based on a misunderstanding of what the prosecution had to prove to convict him.

Here’s how an American court dealt with a similar issue: Derek Schade was charged with distributing child pornography under § 2252A(a)(1). Like Dooley, Schade used file-sharing software (Bearshare); police got a warrant and searched his computer after an undercover officer “downloaded a child pornography video file through the Bearshare network in part from Schade’s compute.” U.S. v. Schade, 2009 WL 808308 (U.S. Court of Appeals for the Third Circuit 2009). Police found “numerous child pornography files on the computer, both movies and still images”. U.S. v. Schade, supra.

Schade went to trial and was convicted of “transporting . . . a visual depiction of a minor engaging in sexually explicit conduct in violation of” § 2252A(a)(1). He appealed, claiming the evidence at trial was not sufficient to establish the charge because “there is no way of knowing which portion of the downloaded file was contributed by his computer, and thus whether that portion actually depicted a minor engaged in sexual conduct.” U.S. v. Schade, supra.

I actually think that’s a pretty interesting argument in and of itself, but the Court of Appeals dismissed it because Schade was charged with transporting child pornography and with aiding and abetting the transport of child pornography. The court therefore held that the argument failed because “at the very least Schade is liable as an aider and abettor. His computer contributed some part of a video that showed a minor engaging in sexual activity.” The Court of Appeals found that it would be “eminently reasonable for the jury to have concluded that Schade aided and abetting the transportation of a visual depiction of a minor engaged in sexual activity by making the child pornography file available” on his computer, where it could be utilized “by another user of Bearshare seeking to download the complete video.” U.S. v. Schade, supra.

Now we get to the knowledge issue, which is similar to the issue the Dooley case. Schade also argued that “there was insufficient evidence to show that he knew the child pornography files on his computer could be downloaded by other Bearshare users.” U.S. v. Shade, supra. Since § 2252A(a)(1) makes it a crime to “knowingly” distribute child pornography, he could not have been lawfully convicted if the prosecution didn’t prove beyond a reasonable doubt that he knew the child pornography in his shared files could be downloaded by other Bearshare users. Not surprisingly, the Court of Appeals rejected this argument, as well:

[T]here was evidence . . . showing Schade was notified while downloading the software for Bearshare that it would allow others to upload files from his computer, and he even changed the default settings for file-sharing. Furthermore, Schade testified that he himself used Bearshare for file-sharing. . . . [W]e cannot conclude that the jury was unreasonable in determining from this evidence that Schade intentionally kept child pornography files in the `My Downloads’ folder and knew that doing so would allow Bearshare users to access and upload them.

U.S. v. Schade, supra. The prosecution had presented evidence that when he installed the Bearshare software, Schade was “shown a screen notifying him that he would be sharing files located in that folder and had left that setting in place, while changing the default setting regarding the sharing of partial files.” U.S. v. Schade, supra.

A Texas court reached a similar conclusion. Ruben Wenger was convicted of distributing child pornography via file-sharing software. Wenger v. State, 2009 WL 1815781 (Texas Court of Appeals 2009). He appealed, claiming the evidence at trial didn’t prove beyond a reasonable doubt that he “knowingly disseminated the files in question.” Wenger v. State, supra.

He lost for two reasons: One is that in a recorded interview with police, Wenger said he “knew Shareaza shared his files: he said he assumed users downloaded files from him and that the purpose of Shareaza was to allow users (like Detective Ried) to `pull files from members’” like himself. Wenger v. State, supra. The other reason is that at trial a detective with computer forensics expertise testified that at some point, Wenger had “change[d] the default Shareaza settings so that the program did not automatically share” his files. Wenger v. State, supra. That rebutted a claim Wenger made in the recorded interview with police: that he didn’t know how to `share and not share” files. The court therefore found that a jury could reasonably infer that Wenger knew “knew Shareasa was sharing his downloaded files and knew how to prevent” it from doing so.

Privacy in the Virtual World

I usually write about privacy in the context of the police searching places and seizing evidence. That is, I usually write about privacy in the context of the 4^th Amendment’s prohibition of “unreasonable” searches (and seizures). This post is about privacy in a different context.

Last week I went to a talk by a law professor who specializes in online privacy law. The crux of his talk was that the privacy we’ve had in the real-world is being eroded there and online by what people post online.

One of the examples he used is the Korean woman who didn’t pick up after her dog made a mess on a subway train. As you may know, someone took a cell-phone photo of her and posted it online. The photo went viral; people tracked down her name and address and posted that information online, along with more information about her. As I recall, she was a student at the time.) People altered the original photo and basically had a lovely time making her look ridiculous. As I recall from what I read at the time, she was humiliated by all the attention and wound up leaving school.

Another example he used is the “Star Wars kid.” As you may know, a Canadian high school student videotaped himself playing at being a Jedi knight, using a golf ball retriever as a light-saber. From what I read, he left the videotape in the recorder, where some other students found it and posted it online, where it really went viral. People made variations, complete with Star Wars adversaries and authentic light-sabers, etc. Instead of enjoying the publicit,, the boy in the video was humiliated. As I recall, he dropped out of high school and finished his studies with a tutor.

If you’d like to read more about these and other, similar stories, you might check out my article on Online Defamation. There’s a link to it on the right-hand site of the blog.

In this professor’s view, we’re creating an accelerating erosion of privacy that threatens to seriously diminish if not destroy privacy, at least as we think about it. He therefore believes we must take steps to mitigate or end this erosion, and he believes there are two ways we can go about doing this.

One is to simply accept the phenomenon . . . on the premise it will either run its course and result in a backlash that resuscitates privacy or produce a world in which privacy is negligible and therefore not valued. The other option he outlined is to take affirmative steps to preserve privacy online. One of these, for example, would be to eliminate the immunity 47 U.S. Code § 230(c)(1) creates for those who operate websites but do not exercise any editorial control over what is posted on the sites. Eliminating that immunity would essentially make the operator of such a site a “publisher” who can be held liable for what people post on the site.

The law professor had a great deal more to say about privacy but this, I think, gives you an idea of the focus of his remarks. Since I have great respect for this gentleman, I am perfectly willing to accept his sincerity and erudition when it comes to privacy law and policy. I cannot, though, agree with him, at least not entirely.

Where I take issue with the views of this professor and other privacy mavens who share his views about the nature and magnitude of the effect cyberspace is having on privacy is the foundational assumption on which his analysis is implicitly predicated.

They seem to assume the privacy that existed in various countries during some or much of the twentieth century has ALWAYS existed . . . in every nation-state, city-state, empire and tribe. One of the things he talked about is that using cyberspace can reveal intimate information about our private lives. That is, of course, true . . . whatever I buy online is recorded and stored in databases. If a man buys Viagra or a woman buys birth-control pills, the information about those transactions is recorded, stored in databases and can come to light. The same is also true of transactions in the real-world when we use a credit card or a loyalty/discount card or any other device that leaves traces of what we’ve done. It is also true of other things we do online: the websites we visit and join, what we post on our MySpace or Facebook pages, etc., etc. Unless we somehow anonymize our activities, they create a digital trail that is recorded and stored in various databases.

When someone says this state of affairs is problematic because it represents an erosion of the privacy we enjoyed prior to the rise of cyberspace and related technologies, they are assuming that in the past all of this information was private, i.e., no one would know what medications, food, alcohol, sex toys or other items I was purchasing for my own use. I think that assumption is valid to some extent, depending on the historical period and the cultural context in which the activities occurred, but invalid in other respects.

Let’s start in reverse order: From what I’ve read, the original social unit was the tribe (not the family because collective activity gives humans an advantage in dealing with the challenges they encounter in their respective environments). I’ve read some about what life was like in prehistoric tribes (I think I even saw a movie about that?); based on that and simple common sense, I can say with a fair degree of confidence that there wasn’t much of what we’d call privacy in those groupings. I’m sure people tried to keep some information from others (the head of a family’s being ill, for example), but I’m also sure that most of what went on was well known to everyone in the tribe.

I can’t trace all of history here, but the tribes evolved into larger groups, which evolved into city-states, empires, etc. I cannot imagine that there was much of what we’d call privacy when people lived in villages that were part of an empire or even when they lived in one of the empire’s urban centers. Wealthy people may have been able to shield at least part of their activities from the masses, but I’m guessing everyone knew a lot about each other at every level of the society. All of those societies depended on face to face interaction and face to face transactions, so unless you wore a mask or came up with some other way to disguise yourself, people knew what you were buying (and selling) and probably knew if you were abusing your spouse or children.

Even when people lived in large cities, they tended to stay in their neighborhood, primarily because it wasn’t as easy to travel then as it is now . . . no cars, no subway, etc. So the neighborhoods were a lot like the villages the rest of the population lived in, and I cannot imagine there was much in the way of personal privacy in ancient and medieval villages.

What do I base that on? I base it on what I’ve read about villages and small towns in the U.S. in the nineteenth and early twentieth centuries. Think about it: There was probably one general store (maybe two) where you bought everything you needed . . . in a face to face transaction. So if you were one of the people who got hooked on over the counter medications containing opium, the owner and staff of the store would know that. After all, how many colds can you have? The same was true for all of your other transactions, for your attendance at church, for whether you fought with your spouse, whether your spouse was abusing you and the kids, whether your spouse was a drunk or just “odd”, etc. etc. I’m not saying people didn’t have some privacy; they could go home and close their doors and – if they didn’t start yelling at each other or do other things that leaded into the public domain – they could keep some things private.

I don’t, though, think they were as exercised as we are about privacy. The purpose of the 4^th Amendment was to prevent police from breaking into someone’s home and going through their “stuff.” As the Supreme Court noted early last century, the 4^th Amendment was not intended to create a general right to privacy; it’s become the focus of much of our privacy law because it’s the amendment that is the most concerned with privacy.

I digress: I think the foundational assumption I outlined above is a product – perhaps a somewhat exaggerated product – of a type of information control that essentially arose during the twentieth century. When I think of that type of control I imagine someone who lived in Manhattan in, say, the 1960s or 1970s. If you lived in an apartment, did not interact with your neighbors, bought your food and other supplies at various stores and did not interact with the staff of those stores, you could come pretty close to realizing the type of privacy the foundational assumption is based on. The staff of those stores would know what you bought, but the staff might rotate so you wouldn’t deal with the same people over a period of time. That would reduce their knowledge of your long-term buying habits. More importantly, since they didn’t know you and probably didn’t live anywhere near you, they didn’t care what you bought.

My point is that I think the kind of privacy the foundational assumption relies on has existed, but only on a small scale. . . and maybe only in certain places at certain times. If we’re not embedded in a community, what we do may be visible to others, but their lack of interest means they will probably pay little or no attention to what we do. Our privacy is a function of our disconnectedness and mutual disinterest in the details of each other’s lives.

I suspect that kind of privacy has existed at a very small scale in the history of human society. Throughout history, and today, many people still live in small villages and neighborhoods where everyone knows a lot about their lives. They may like that.

That brings me to my final point: The Korean woman who didn’t clean up after her dog would have gotten away with that fifty, forty, even thirty years ago because even if someone had taken a picture, they wouldn’t have been able to circulate it. Information about that episode would therefore have remained with a disparate group of individuals, none of whom knew her or cared anything about her except for her negligence in dealing with her dog.

Now, what she did can be distributed online to a community that transcends spatial constraints. Everyone who rides a subway who walks along a street can empathize with the people on the subway: And that community can do what communities have always done: express displeasure at her behavior in a way that shames her and, I’m guessing, means she won’t do that again.

My point is that privacy isn’t a unitary concept. It’s a complex, fluid phenomenon that changes as our environment changes. I’m personally very much in favor of our having as much privacy as possible. My purpose in writing this post is to point out that while cyberspace and related technologies can erode our expectations of privacy, we should not assume that every use of these technologies represents a threat to privacy.

MySpace Assault Case

A law dictionary defines “assault” as the “threat or use of force on another that causes that person to have a reasonable apprehension of imminent harmful . . . contact; the act of putting another person in reasonable fear . . . of an immediate battery by means of an act amounting to an attempt or threat to commit battery”. Black’s Law Dictionary (8th ed. 2004). It defines “battery” as the “use of force against another, resulting in harmful or offensive contact.” We’ll get back to assault in a minute.

This post is about a Tennessee case involving what was, in effect, a MySpace assault. The facts in the case are a little complicated (and a little bizarre):

[In] February of 2007, [Wesley Carroll] was browsing the internet on his home computer at approximately 3:00 or 4:00 a.m. He . . . was having trouble sleeping and was `looking through profiles; on . . . www.MySpace.com. . . [Brandon’ Medley knocked on his door and appeared intoxicated. . . . Medley stepped into his home with [Thomas] Tucker, whom he had not met. . . . Medley asked if Carroll wanted to buy . . . or trade prescription pills for marijuana. Carroll responded that he did not want any marijuana. . . . Medley asked to use his computer to access his MySpace account but that . . . was unable to operate the computer. Medley then asked Carroll to log him into his account, and Mr. Carroll complied. . . .

[W]hile he was interacting with Medley near his computer, Carroll noticed he had left his wallet lying on a table near where Tucker was sitting. . . . [and then] noticed [it] had been taken from the table. He . . . `hurried over to where [his] wallet was and Tucker was sitting.’ . . . Tucker had the wallet and was taking money from it. Carroll asked Tucker, `[D]o you mind getting your hand out of my wallet?' Tucker then rushed toward Mr. Carroll, struck him in the jaw, and placed him in a `choke hold.’

Carroll . . . asked Medley to stop Tucker. . . . Medley walked behind him and he heard Medley and Tucker whispering behind his back. Carroll . . . overheard Tucker say, `I thought you told me to,’ and that Medley responded inaudibly. . . .Tucker said, `. . . . I am going to give you your money back, and don't swing on me when you get up. I am going to get out of here. I am going to walk away.”. . . Tucker released [Carroll] and threw his money on the floor. Tucker left while Medley remained in the home. Carroll . . . stared at Medley `with hate in [his] eyes’. . . . Medley then left.

[About five minutes after they left, Carroll] counted the money Tucker had thrown on the floor and noticed he was missing approximately $80 from the $300 in his wallet. After discovering Medley had failed to log off his MySpace account, Carroll decided to `get even’ with Medley. Carroll `wrote all kinds of vulgar, derogatory statements’ alleging that Medley was a homosexual. Carroll changed the password for Medley's MySpace account so that he could no longer access his MySpace profile. . . .

[B]etween 2:30 and 3:00 a.m. on March 19, 2007, [Carroll] was at his home playing a video game and falling asleep when he heard `[a] kick, a boom’ at his door. Upon hearing another, louder kick, Carroll awoke and stood up. . . . [A]fter . . . a third kick, his door opened and that Medley came through the door. . . . [A] man wearing a mask accompanied Medley. . . . [T]he second man later removed the mask, and [Carroll] identified him as Tucker. . . .

Medley. . .` beat [Carroll] with the stick.' . . . . Carroll . . . fell on his back and Tucker held his feet as Medley . . . `reared back’ to punch him. . . . Medley was `ranting’ about what Carroll did to his MySpace profile. Carroll testified that, after he `reared back,' Mr. Medley apparently decided not to strike him again and let him stand. . . .

Carroll ran toward his bedroom to find his portable telephone. . . . Tucker pulled off his mask and said, `Hold on. . . . Let's search this place.’ Carroll `just froze” and observed Tucker remove a .25 caliber handgun from Carroll's desk. . . . [T]he pistol . . .was very old. [Carroll] did not know whether the gun functioned. Tucker pulled back the slide . . . and observed. . . .a .22 caliber rimfire bullet, although the pistol was a .25 caliber center-fire weapon. . . . Tucker . . . struck [Carroll] with the gun and `jabb[ed]’ the knife in his direction several times. . . .

Carroll . . . hit the `page button on . . . his cordless telephone to determine the location of the telephone's portable receiver. He heard [it] beeping in his bathroom, and fought with Medley to get to the receiver. . . . Carroll managed to emulate dialing 9-1-1. . . . [Medley and Tucker left]. . . . Tucker took the pistol with him when he left.

State v. Medley, 2009 WL 1676051 (Tennessee Court of Criminal Appeals 2009). Police arrived and took Carroll to the hospital. He “received three or four stitches on his face, eight or nine stitches on his ear, and . . .his head was `busted.’” State v. Medley, supra.

Medley told police he came to the house to talk to Carroll about Carroll's changing his MySpace password. Medley said the fight resulted from that and denied he or Tucker hit Carroll with anything. State v. Medley, supra. Medley was charged with and convicted of aggravated robbery; Tucker was charged with and convicted of facilitating aggravated robbery. State v. Medley, supra.

On the facts, I think it’s clear Medley could have been charged with assault: He used force against Carroll and, in so doing, put Carroll in reasonable apprehension of further harmful contact. That, though, is not all Medley and Tucker did: They also, according to Carroll and the prosecutor, took Carroll’s gun . . . and that is a another crime, robbery.

Tennessee defines robbery as the intentional "theft of property from the person of another by violence or putting the person in fear.” Tennessee Code § 39-13-401(a). The prosecutor in this case, though, didn’t just charge Medley with robbery: He charged him with aggravated robbery. Aggravated robbery is robbery that is “[a]ccomplished with a deadly weapon” and in which “the victim suffers serious bodily injury”. Tennessee Code § 39-13-403. Tennessee law defines “serious bodily injury” as “bodily injury involving `substantial risk of death,` `[p]rotracted unconsciousness,’ `[e]xtreme physical pain’ [or] `[p]rotracted or obvious disfigurement’”. State v. Medley, supra. Carroll suffered “extreme pain for three weeks” after the incident, had “periodic headaches” for months and “displayed scarring from the incident.” State v. Medley, supra.

As I noted, Medley was convicted of aggravated robbery. He appealed, claiming the evidence was “`highly circumstantial’” and therefore, I’m guessing, insufficient to support the conviction. State v. Medley, supra. (The court points out that the brief Medley's lawyer submitted on appeal says the evidence “in the record is insufficient as a matter of law to sustain a conviction for the offense of Forgery”, which suggests the lawyer didn’t read the brief very carefully.)

As I explained in an earlier post, there’s nothing wrong with circumstantial evidence, as long as it meets the requirements to be admissible in court. And as I noted, convictions are often based purely on circumstantial evidence. The Court of Criminal Appeals rather summarily rejected Medley’s argument as to the insufficiency of the evidence; as you can see from the quoted passages above, it went into great detail summarizing what was proven at trial. The court therefore held that the jury “acted within its province” I convicting Medley of aggravated robbery.

There aren’t any novel or interesting legal issues in this case. I find it interesting that changing a MySpace password (and posting “vulgar, derogatory comments”) resulted in one person being beaten and two others going to jail. Says something, I guess, about how much our online lives mean to us.

(I'm posting this a little earlier than I usually do, because I'm out of the country and don't have internet access all the time.)

Incrimination and Encryption -- UK Style

I’ve done a couple of posts about the 5th Amendment privilege against self-incrimination’s applicability to encryption keys. I’ve analyzed whether US officers can compel someone to give up their encryption key without violating the privilege.

This post is about how that issue is handled – or has been handled – under UK law. I am indebted to Professor Ian Walden of the School of Law, Queen Mary, University of London for the case I’m going to write about.

The case is R. v. S and A, [2008] EWCA Crim. 2177 (Court of Appeal – Criminal Division 2008). Here are the facts that led to the charges:

H was made the subject of a control order under the Prevention of Terrorism Act 2005 . The order obliged him . . . not to leave his home address without the consent of the Secretary of State for the Home Department. [S and A] are alleged to have conspired . . . with H and others, to breach that order. The objective . . . was to assist H to abscond from his address in Leicester and to convey him to a new, secret address in Sheffield. On 9 September 2007 S collected H and drove him there. Shortly after their arrival in Sheffield the police entered the premises. H was in one room and S was in another

alone [with] a computer. The key to an encrypted file appeared to have been partially entered. He was arrested, and . . . made no comment. . . . [H]is home in London was searched. The search revealed computer material. Various documents had been deleted from the computer hard drives, but when retrieved, they provided the basis for charges . . . under section 58 of the Terrorism Act 2000, that is, possessing documents or records . . . likely to be useful to a terrorist or potential terrorist. However without the encryption keys . . ., the encrypted files could not be accessed and their contents examined.

R v. S and A, supra.

S and A were charged with conspiracy to breach the control order imposed on H. S was arrested; after refusing to answer questions, was charged under § 58 of the Terrorism Act. He was then served with a notice under § 53 of the UK Regulation of Investigatory Powers Act 2000. Under § 53, officers can order someone to give up their encryption key; it is a crime to comply with such an order.

The disclosure notice identified the purpose of seeking the key as the “investigation of protected electronic information”; it explained that S was legally obliged to comply and that refusing to do so constituted a crime. R v. S and A. supra. It then read as follows:

I hereby require you to disclose a key or any supporting information to make information intelligible [T]he information to which this notice relates is: the full encryption key in order to access the encrypted volume of the laptop computer that is exhibited as exhibit AM/1 under file path: C:\ Documents and Settings\Administrator\My Documents\My Videos, within a file called Ronin.wma. This was found in the room where you were arrested. . . .’

R. v. S and A, supra. The notice explained the “circumstances in which the” encryption key implicated the “interests of national security and the detection of crime.” It said S could comply by providing the information in “verbal or written” form. S did not comply, claiming that requiring him to disclose the encryption keys violated the privilege against self-incrimination. The judge who ruled on that claim rejected it, so S appealed.

In the US, the 5th Amendment creates the privilege against self-incrimination. In the U.K., the privilege arises under Article 6 of the European Convention on Human Rights. Article 6 doesn’t mention the privilege, but it creates a right to a fair trial in criminal cases. In a 1996 case from the U.K., the European Court of Human Rights held that Article 6 implements the privilege against self-incrimination:

Although not specifically mentioned in Article 6 . . ., the right to remain silent . . . and the privilege against self-incrimination are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6. . . . By providing the accused with protection against improper compulsion by the authorities these immunities contribute to . . . securing the aims of Article 6.

Murray v. United Kingdom, 22 Eur. H.R. Rep. 29 (1996). S, then, has the privilege against self-incrimination under U.K. law. The issue is whether he can invoke it.

In ruling on the issue, the Court of Appeal began its analysis by noting that under prior cases, the issue was whether the constituted a “statement” S was being compelled to make or a “piece of information with an existence separate from his `will’”. If it was a separate piece of information, S could not claim the privilege; it had to be a statement.

The court found that while the key had an existence separate from S’s will, the analysis was not that simple. It noted that if police learned S had the key in his possession, their knowledge of that was incriminating evidence. So the court found “the privilege against self-incrimination may be engaged by a requirement of disclosure of knowledge of the means of access to protected data under compulsion of law”. R. v. S and A, supra. In this, it disagreed with the lower court, which essentially found that since the key had an independent existence, it did not come within the scope of the privilege.

That was not the end of the matter. The court noted that while S’s knowledge of the

means of access to the data may engage the privilege . . ., it would only do so if the data itself - which . . . exists independently of the will of [S] and to which the privilege . . . does not apply - contains incriminating material. If that data was neutral or innocent, the knowledge of the means of access to it would . . . be neutral or innocent. . . . [I]f the material were, . . . incriminatory, it would be open to the trial judge to exclude evidence of the means by which the prosecution gained access to it. Accordingly the extent to which the privilege against self-incrimination may be engaged is indeed very limited.

R. v. S and A, supra. The Court of Appeals then addressed an issue that does not arise under the US version of the privilege against self-incrimination:

[T]he question which arises, if the privilege is engaged at all, is whether the interference with it is proportionate and permissible. . . . The material which really matters is lawfully in the hands of the police. Without the key it is unreadable. That is all. The . . . material in the possession of the police will simply be revealed for what it is. To enable the otherwise unreadable to be read is a legitimate objective which deals with a recognised problem of encryption. The key . . . is . . . a fact. It does not constitute an admission of guilt. Only knowledge of it may be incriminating. . . .The requirement for information is based on the interests of national security and the prevention and detection of crime. . . . [T]he requirement to disclose extends no further than the provision of the key . . . or access to the information. No further questions arise. . . . Procedural safeguards . . . are addressed . . . in the powers under section 78 of the 1984 Act to exclude evidence in relation, first, to the underlying material, second, the key or means of access to it, and third, an individual defendant's knowledge of the key or means of access, remain.

R. v. S and A, supra. The Court of Appeals therefore upheld the lower court’s order requiring S to give up the encryption key, which meant S would be charged with refusing to comply with a disclosure notice. In closing, it noted that if S were to give up the key, “we suspect the prosecution would be disinclined” to pursue the charge and, if it did, the judge “would take a merciful view when addressing sentence”. R. v. S and A, supra.

I disagree with the Court of Appeals (and the lower court) on the first issue – whether the privilege applies to turning over an encryption key. As I explained in an earlier post, under the 5th Amendment you can take the privilege against self-incrimination only as to “testimony,” which is essentially a communication. To constitute a communication, you must use the contents of your mind to express a fact (the key) or to express thoughts or feelings. You can’t take the 5th as to non-communicative physical evidence, like blood or a gun or a key. You CAN, however, take the 5th Amendment if the act of handing over evidence is itself a testimonial act; as I explained in that earlier post, the US Supreme Court has held that producing evidence is a testimonial act when it tells the government that (i) you have it, (ii) it’s in your possession or control and (iii) what you’re handing over is what the government asked for. For more on that, see the prior post.

In the US we don’t have anything like the “proportionate and permissible” intrusion principle, which apparently provides a loophole when someone successfully invokes the privilege against self-incrimination. In the US, if you successfully invoke the privilege, that’s the end of the matter . . . unless, as I noted in that prior post, the government gives you immunity from prosecution. As I think I noted in that post, the rationale is that since immunity means the government can’t prosecute you, you no longer need the privilege.

My disagreement on the first issue is a function of the fact that I take a very different view of the scope of the privilege than this court and the US federal court I wrote about in the earlier post. As to the “proportionate and permissible” principle, I don’t like the idea of a loophole in the rule (5th Amendment or the UK rule). Maybe that’s because I’m an American and I’m used to the fact that our version of the privilege is impenetrable. Seems to me that’s the point.

Private Prosecution

As I’ve noted here and elsewhere, law enforcement officers are having a very difficult time battling cybercrime. They’re having a very difficult time for several reasons: one is that cybercrime is a quantum of new crime that’s added to the old, real-world crime they still have to deal with. Another reason is that because cybercrime can be automated, it can involve the commission of lots and lots of crimes; the expanded scale also makes law enforcement’s life more difficult.

Yet other reasons are the greater ability to commit crime anonymously in a virtual environment; the technical and legal complexity of many cybercrime cases; and the fact that cybercrime is often international, which means suspects may have to be extradited and/or evidence obtained from another country.

The obvious way to solve this problem is to pour millions (billions?) of dollars into expanding law enforcement’s resources – personnel, technology, etc. That is a logical option but not a practical one; in a world dealing with recession and other problems, countries simply cannot afford to pour massive funds into beefing up law enforcement. And I don’t know if we want countries to massively expand the size and capacities of law enforcement. Although it would be done with the best of motives, you can get mission creep, which can lead to adverse consequences.

The other way to solve the problem is to somehow bring civilians into the process of combating cybercrime. When I speak on this issue, people often suggest using civil liability, as in suing the cybercriminal. That, too, is a logical option but not a practical one. The Computer Fraud and Abuse Act, 18 U.S. Code § 1030(g), creates a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation” of the CFAA. The injured party can seek “compensatory damages and injunctive relief” from the person responsible for the violation. There are several reasons why this option is not a viable one, at least not in most cases. One is that most cybercriminals are likely to be what the law calls judgment-proof; that is, they won’t have the assets to be able to pay an award of civil damages. This option also suffers from many of the same problems as the law enforcement option: anonymous perpetrators; perpetrators in other countries; cases that are complicated and complex to investigate and litigate. So while this option works sometimes, it’s not likely to be particularly important in combating cybercrime.

I’m in London, and a conversation I recently had with a British lawyer made me think about a third option, one that combines the law enforcement strategy and the notion of private civil litigation against the cybercriminal(s).

England, unlike the United States, allows private prosecutions. As Wikipedia explains, the term “private prosecution” refers to criminal proceedings that are “initiated . . by an individual or private organisation instead of a public prosecutor who represents the Sovereign State”, the U.S. or England or Japan, etc.

Chapter 23, Part I § 6 of the United Kingdom’s Prosecution of Offences Act 1985 authorizes private prosecutions: “Subject to subsection (2) below, nothing in this part [of the Act] shall preclude any person from instituting any criminal proceedings or conducting any criminal proceedings to which the Director [of Public Prosecution]’s duty to take over the conduct of the proceedings does not apply.” Section 6(2) says the Director of Public Prosecutions can take over such proceedings “at any stage.”

According to the guidelines for Private Prosecutions issued by The Crown Prosecution Service, the Crown Prosecution Service “should only take over a private prosecution when there is a particular need to do so on behalf of the public”. The private prosecutor is not under a duty to inform the CPS that he/she has begun a private prosecution. The private prosecutor can, however, ask the CPS to take over the case, which they will do if they think prosecution is warranted. The CPS – represented by the Director of Public Prosecutions – will take over a private prosecution on its own and discontinue it if (i) “[t]here is no case to answer” or (ii) public interest factors against prosecution outweigh those in favor” of prosecution. The CPS guidelines give these examples of cases in which it would be appropriate for the CPS to take over a private prosecution and discontinue it: malicious prosecutions (i.e., prosecutions brought out of spite); a stale minor offense; the defendant is either too ill to stand trial or is terminally ill; or where the defendant has been given immunity from prosecution by the CPS.

As to how someone starts a private prosecution, this is what Wikipedia says:

[T]o initiate a private prosecution an individual or organization other than the state-funded prosecutor goes to the local court of appropriate jurisdiction . . . and gets in line to see a Justice of the Peace or a Judge to swear on oath in an attempt to convince the Justice or Judge that there is enough evidence to demonstrate a reasonable probability of conviction.

Once the Justice or Judge has been convinced of such, he or she will issue an `information’ which is a form telling the name and occupation of the informant (the person swearing to the Justice or the Judge) the name and address of the alleged offender, and the description of the alleged Offence.

The Justice or Judge will sign the `information’ form and issue a summons to the defendant with a date to appear in court. The informant then delivers the summons to the defendant in the prescribed manner and court proceedings are commenced.

The date of First Appearance the defendant is to plead guilty or not guilty and the trial date is set if the defendant pleads not guilty, or if a plea of guilty is given the courts can deal with the matter right away by registering a conviction and sentence.

As to what penalties the defendant gets if he pleads or goes to trial and convicted, they’re the same penalties that are imposed in a prosecution brought by the CPS. I found a news story from 1996 about the first English private prosecution for rape. The defendant was convicted and sentenced to 14 years in prison, which a Court of Appeal later reduced to 11 years. That private prosecution was initiated and conducted by two prostitutes whom the man had raped.

I’d heard of private prosecution before, but it wasn’t until I chatted with this British lawyer that it occurred to me this might (and I emphasize “might”) be an option for dealing with cybercrime. Since law enforcement and prosecutors’ offices simply don’t have the resources to deal with all (or even most) cybercrimes, we could (again, I emphasize “could”) create the possibility of bringing private prosecutions in at least some cybercrime cases. The option would, of course, only be available if the official, public prosecutor who would have jurisdiction to pursue the case chose not to do so.

Since I, as an American, find the whole motion of private prosecution to be more than a little scary, I don’t think we would want to go down this path unless we determine that using private prosecutions could really be an effective way to supplement our ability to pursue cybercriminals. And that brings us back to the same issues that arise with regard to public prosecutions and private civil suits against cybercriminals.

Private prosecutions of cybercriminals would still present the legal and logistical issues I noted above, i.e., extraditing foreign defendants and/or obtaining evidence from abroad, investigating and litigating cases that can be factually and legally complex, etc. They might be a useful alternative in cases in which both the defendant and the victim(s) are in the same jurisdiction – the United States, say – and the effects of the cybercrime (the “harm” inflicted) occurred in the U.S. If we decided private prosecution might be a useful alternative in domestic cybercrime cases, we could implement it – subject to strict requirements and standards – and perhaps use it to ease some of the burden on law enforcement officers, freeing them to concentrate more on the legally and/or logistically challenging cases.

One advantage private prosecution offers over the option of bringing a civil suit against a cybercriminal is that success is not predicated on the plaintiff’s/prosecutor’s being able to recover damages from the defendant. In a private prosecution, the private prosecutor – as I understand it – recovers nothing but the satisfaction of seeing the defendant held liable for his/her crimes and punished for them by being fined and/or incarcerated.

As I said, I’m not arguing for instituting a system of private prosecution of cybercrimes. The notion of private prosecution is so strange to me I tend to be very leery about adding it to the repertoire of actions available in the United States. I’m also concerned that if we were to do so, it might produce an explosion or frivolous or otherwise untenable cases, which would only further burden the court system. And I can see another problem with pursuing this so-far purely hypothetical strategy: If we went down this path, we’d have to have someone – U.S. versions of the Crown Prosecution Service – would be able to intervene when a private prosecution is malicious or otherwise unjustifiable. That, in turn, would mean we would either have to add a lot of prosecutors who would be assigned to this task or we would have to divert time from people who are already overworked so they can review prosecutions brought by people who are not trained in law and litigation.

There’s also yet another problem: Who would arrest the defendant and see that he/she remains in the jurisdiction while the private prosecution works its way toward a plea or a trial and conviction? It looks like the English system works because the defendants tend to hang around to plead or go to trial, but that very well might not be true when it came to private cybercrime prosecutions. The perpetrators might take off for Canada or Mexico or other points abroad. And we absolutely cannot – IMHO – give private citizens or any private agency the authority to arrest and detain suspected cybercriminals. That opens up many opportunities for abuse.

Overall, I think private prosecution is probably not a viable way to improve our ability to apprehend and sanction cybercriminals. . . . but maybe some version of it might be useful.

Exigent Circumstances Letters

This post is about one of the ways officers can get information about someone from the person’s ISP. Before we get to the law, I need to outline the facts in U.S. v. Beckett, 544 F.Supp.2d 1346 (U.S. District Court for the Southern District of Florida 2008) as described by the court.

On July 12, 2007, Palm Beach Sheriff's Office Detective Collins received a cybertip that a Palm Beach County child victim, identified . . . as `J.H.,’ was being sexually solicited by an adult through the use of a computer over the internet. The information included the victim's name and the screen name of the subject. Boynton Beach Detective Athol also received the information, as well as information about a second child victim, identified as . . . as `C.L.,’ who appeared to have been solicited by the same subject.

The subject contacted the victims . . . on MySpace representing himself to be a 17 year old girl looking to engage in sex. . . . The subject sent a picture of a nude girl to the victims and solicited nude pictures from the victims in response. The subject obtained the victims' addresses and phone numbers. Then the subject revealed that `she’ was in fact a male seeking to engage in oral sex with the victim. The subject threatened the victim with exposure by publishing their nude photos if they did not comply.

Detective Collins testified that it takes at least 3 days to get a subpoena issued to a service provider . . . under these circumstances. Because she believed these or other victims were in imminent danger, on July 12 she and Detective Athol sent `exigent circumstance’ letters to MySpace, AOL, and Comcast to get subscriber information, notably the subject's address, for the internet account used by the subject. . . . After the subject called child victim C.L. on July 13, the detectives sent `exigent circumstance’ letters to AT & T and T-mobile. . . . TIMOTHY WAYNE BECKETT, was the owner of the cell phone from which the July 13, 2007, phone call to child victim C.L. was made.

The terms and conditions of the internet and phone providers had clauses prohibiting child pornography, stalking and harassment, and reserving the right to investigate, take legal action, and cooperate with law enforcement.

On July 17, the detectives obtained a search warrant for the defendant's address, allowing the search for and seizure of computers, data storage devices, and records or data produced in various forms, such property constituting evidence of Computer Crimes, Transmission of Pornography by Electronic Device, Transmission of Material Harmful to Minors by Electronic Device, Threats and Extortion, and Prohibition of Sale or Other Distribution of Harmful Materials to Persons under 18 years of age. . . .

On July 18, Detective Collins executed the search warrant at the . . . . The defendant confessed to the scheme and to having child pornography on his computer. . . .

U.S. v. Beckett, supra. (I apolotize forr not indenting the quote -- I`m abroad and using a computer that's not very cooperative.)

Beckett was indicted by a federal grand jury on what the opinion calls “sex crimes,” which obviously included possessing and distributing child pornography. He moved to suppress “the evidence received from the Government's `exigent circumstance’ letters to MySpace, AOL, Comcast, AT & T and T-mobile, as [having been obtained] in violation of . . . 18 U.S.C. Sections 2702 and 2703.” He argued that under “those statutes law enforcement needs a search warrant, court order or subpoena to obtain customer information”. U.S. v. Beckett, supra.

Why, you may ask, didn’t he move to suppress under the 4th Amendment? As I noted in an earlier post, in the 1979 Smith v. Maryland case the U.S. Supreme court held that we have no 4th Amendment expectation of privacy in information we voluntarily share with telephone companies and other businesses. Under Smith, the information the officers sought from the ISPs and phone companies was not protected by the 4th Amendment.

Concerned about the implications this holding has in an era of digital communication, Congress adopted the Electronic Communications Privacy Act (ECPA) in 1986. ECPA imposed statutory restrictions on law enforcement’s ability to get the kind of third-party information that is not protected by the 4th Amendment (as long as the Smith decision remains good law_. It’s a complicated set of statutes, so I’ll just note that, as Beckett argued, 18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”.

Beckett, then, argued that the detectives violated ECPA when they used the “exigent circumstance” letters to get his subscriber information. It’s a good argument, on its face, but it didn’t work for two reasons.

One is that the detectives relied on another provision of ECPA in utilizing the exigent circumstance letters: 18 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”. The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.

The opinion doesn’t quote the letters sent in this case, but I’m sure they simply asked the ISPs to provide the information the detectives sought. (If you’d like to see examples of exigent circumstance letters used for a while by the FBI, you can find them here.) If the letters simply asked for the information, then they were not compelling the ISP’s to do anything; the dynamic seems to be that the letters simply trigger the provisions of § 2702(b)(8), letting the ISPs provide the information voluntarily.

The other reason Beckett lost is that his goal was to suppress the evidence the detectives obtained from the ISPs, but suppression is usually a remedy only for constitutional violations. Statutory schemes like ECPA can make suppression of evidence obtained in violation of their requirements a remedy available to the victim of such a violation. But if the statutory scheme does not explicitly do this, suppression of improperly obtained evidence is not available as a remedy.

ECPA does not make suppression a remedy for violations of its requirements. Section 2708 of Title 18 of the U.S. Code says that “[t]he The remedies and sanctions described in [ECPA] are the only judicial remedies and sanctions for . . . violations of [ECPA}.” The only remedy ECPA provides is a civil action for damages under 18 U.S. Code § 2707. Under § 2707(a), an ISP’s customer who is “aggrieved by any violation” of ECPA “in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity. . . which engaged in that violation such relief as may be appropriate.” Section 2707(b) says that the relief available under this statute includes damages, attorney’s fees and litigation costs and injunctive relief, if appropriate.

So the federal district judge denied Beckett’s motion to suppress the evidence. If Beckett thinks he has a cause of action under § 2707, he can try suing the detectives who used the exigent circumstances letters to get his ISP information, but I suspect he won’t be doing that. First, as I noted above, it looks like the letters didn’t violate ECPA; if they didn’t, then he has no cause of action under § 2707. And even if he did, would you be interested in pursuing probably expensive, time-consuming civil litigation while you’re facing the prospect of spending 90 years in jail?

(If you’re wondering about the picture, Beckett was a 20-year-old Pizza Hut manager when he was arrested, as this site explains. As it also explains, he was convicted and sentenced to 15 years in prison.)

Pyrrhic Tactic

As I assume we all know, a Pyrrhic victory is essentially winning a battle but, in so doing, putting yourself in a situation that is ruinous for your hopes of winning the war.

This post is about two provisions in the Senate Bill 773 – the Cybersecurity Act of 2009 -- which was introduced in the Senate on April 1, 2009. Nothing seems to have happened with it since then.

Section 18 of the proposed Act gives the President the power to do two things I find particularly interesting: One is to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network”. The other is to “order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security”. Cybersecurity Act of 2009 § 18(2) & (3). In discussing these options, I’m going to refer to the first one as “shutdown” and to the second one as “disconnect.”

The bill doesn’t define “cybersecurity emergency” or “critical infrastructure information systems or networks”. Some construe the references to “Federal Government or United States” critical infrastructure information systems or networks as limiting the President’s authority to taking only federal systems offline. I can see that interpretation, but if that’s what the drafters of the bill meant, why didn’t they just say Federal Government critical infrastructure systems or networks, instead of throwing in the “United States” part? It seems to me the inclusion of United States clearly means both provisions apply (i) to Federal Government computer systems AND (ii) to “United States” systems, which I interpret as meaning any systems in U.S. territory (and maybe systems outside U.S. territory that are owned by U.S. citizens) that qualify as “critical infrastructure information” systems. If that interpretation is correct, then this bill would give the President a lot of power.

I can’t find any legislative history or other information that tells me what each of these options is intended to cover (e.g., what would justify the President’s exercising the power bestowed on him by either provision and what, exactly, does it mean to order the shutdown of Internet traffic and/or the disconnection of systems from the Internet?). I assume they’re intended to implement some kind of cyber-duck and cover response to a massive cyberattack, of whatever type (crime, terrorism, warfare) . . . a triage reaction designed to prevent further damage by taking systems offline.

If that’s what it’s intended to be, then it seems a cyber-version of military tactics like an army’s (Army A’s) retreating across a bridge and blowing up the bridge so the enemy (Army B) can’t follow them. That can make sense in a real-world battle, especially if it isn’t important for Army A to use the bridge to go back to the other side of the river.

I’m trying to figure out if a version of that tactic makes sense in the cybersecurity context. I’m going to speculate a bit about that here. I’m afraid it’s going to be pretty uninformed speculation given the lack of definitions and standards in the bill. I assume they’ll be added as it makes its way through Congress. . . . if it does.

In trying to figure out if this tactic makes sense in the cyber context, I’m going to use my blowing up the bridge scenario as a source of analogy. Blowing up the bridge works, as I noted earlier, as long as Army A doesn’t need to recross the river to attack Army B, help out some friendly forces that are being attacked by Army B on the other side, etc. In other words, it’s effective only if it deprives the retreating army, Army A, of something it that doesn’t need at all or doesn’t need enough to preserve it. Whether Army A needs the bridge enough to preserve it depends, of course, on the nature of that need: If Army A only “needs” the bridge in order to go back and attack Army B, then it’s probably not sacrificing much by blowing it up (since we’re assuming Army A was losing in the original battle). If Army A has some other need for the bridge – like using it to reunite with other forces on its side or using it to get to supplies it dearly needs – then the decision to blow up the bridge will be more complicated.

The officer in charge will very carefully have to weigh the advantages and disadvantages of doing so. In weighing those factors, this officer will also have to consider whether Army A has a viable alternative; even if there is a good reason not to blow up the bridge, blowing it up may be the only way Army A can avoid actual or operational annihilation.

And that brings us to the shutdown and disconnect options. While I don’t understand the parameters of either option, I think they probably involve conduct that differs in type and magnitude. Since I don’t really know what those differences are, I’m not going to try to analyze each option separately. Instead, I’m going to speculate about the advisability of using a blow-up-the-bridge strategy in the cybercontext.

To answer that question, we have to resolve the two issues noted above: The first issue is what we lose by doing a shutdown or disconnect. If we don’t lose anything we need, then it at least theoretically becomes a viable option. If we don’t lose anything we really need, then it is still potentially a viable option; if we lose something we really need, then I don’t see how it can be a viable option.

What would we lose if the President did a shutdown or disconnect? We’d lose all or part of our Internet connectivity. Internet connectivity differs from the bridge in the scenario I analyzed above in at least one respect: After Army A crossed the bride and left Army B behind, Army A had no need for the bridge anymore, at least in my original scenario; it had done what it was needed for. I could be missing something, but I don’t think Internet connectivity is like the bridge in the original scenario.

Unlike the bridge, the Internet has many uses, some bad (like the potential for launching cyberattacks), most good. That means we would eliminate some bad (the online equivalent of preventing Army B from using the bridge to catch Army A) but would also eliminate some, maybe a lot of good (using the Internet for all kinds of legitimate uses). I say “maybe a lot of good” because I’m assuming the nature of an attack that justifies a shutdown or disconnect response would already have substantially impaired legitimate uses of the Internet. If the attack had seriously or completely compromised Internet access, then it becomes more and more like the bridge, which could be sacrificed without great loss to Army A.

That brings us to the second issue: Do we have viable alternatives to doing a shutdown or disconnect? As I noted above, even if blowing up the bridge is a costly option, it may be Army A’s only option; if that is the case, then Army A will have to blow up the bridge and live with the consequences of that action.

Since I don’t know what type of scenarios the shutdown and disconnect options are intended to address and/or the scope of a shutdown or disconnect response, I can’t really do much with this issue. It seems like we should have other alternatives, but maybe I say that because I want to believe we do, however pessimistic I tend to be about the current state of cybersecurity.
I think I’m having trouble buying shutdown and disconnect because they remind me of another historical military tactic: the siege. Siege warfare has been around for a long time, but was particularly popular in the Middle Ages. Seems like a good idea: you wall yourself up in a fortress of some kind, hoping your attackers can’t get in before they lose interest and abandon the whole thing. It looks to me like shutdown and disconnect are intended to extrapolate the siege concept to the world of cyberattacks.

When we’re hit with an attack of the appropriate severity, we’ll shut down or disconnect our computer systems and seal ourselves away in our virtual fortress . . . to do what? Wait until the attackers get bored and leave (“leave” virtually, of course)?

That tactic could work when you were sealed in a physical fortress with (you hoped) all the food and water and other supplies you needed to wait out an attacker. I don’t see how it can work in a world in which we depend on networked computer systems for all kinds of things, many of which are essential to our survival. If shutdown and disconnect are intended to extrapolate siege warfare to the cybercontext, then I think they represent a very flawed strategy.

Staleness

This post is about the nature of the information police officers rely on to get a magistrate to issue a search warrant.

As I’ve explained, the 4th Amendment’s default position is that to be “reasonable” a search (and seizure) must be conducted pursuant to a search (and seizure) warrant.

And as I noted in an earlier post, to get a warrant, officers must present the magistrate who an issue the warrant with information that establishes probable cause to believe evidence of a specific crime will be found in a particular place -- the place to be searched. If they do that, then the magistrate will issue the warrant.

As I may have noted, probable cause is less than the beyond a reasonable doubt standard of proof used in criminal cases, and eve lower than the preponderance of the evidence standard used in civil cases. That makes sense because applications for and the issuance of search warrants takes place in a context that’s a lot more fluid than a civil or criminal trial. Police are investigating to see if they can bring criminal charges the validity of which will then be determined at a trial.

The purpose of probable cause is to curb an officer’s discretion. As I may have noted, the 4th Amendment was adopted to abolish general warrants, a device British officers used in the colonial era. A general warrant was basically a blank check; it let an officer search anywhere just because he was so inclined. The colonists hated general warrants because they were easily abused. The 4th Amendment therefore requires that an officer get a search warrant – based on probable cause to believe evidence of a specific crime will be found in a specific place – before he can search that place. Requiring probable cause was not intended to prevent police officers from doing their jobs; it was intended to ensure that they could not search someone’s property on a whim.

This post is a about a case that raised an issue related to probable cause: U.S. v. Silva, 2009 WL 1606453 (U.S. District Court for the Western District of Texas 2009). On May 5, 2008, federal agents obtained a search warrant for Fernando Silva’s home; they executed the warrant on May 6, seizing a computer, hard drives and thumb drives, among other things. On March 19, 2009, Silva was charged with possessing child pornography, and moved to suppress the evidence seized in the May 6 search.

Silva argued the evidence should be suppressed because the “warrant lacked probable cause because the information relied upon was stale.” U.S. v. Silva, supra. The staleness principle adds a temporal element to the probable cause requirement. As one court noted, “[u]nder the staleness doctrine, `information supporting the . . . application for a warrant must show that probable cause exists at the time the warrant issues.’” U.S. v. Meryl, 2009 WL 943574 (U.S. Court of Appeals for the Eleventh Circuit 2009).

The staleness doctrine is a matter of common sense: If an informant tells an officer that “a year ago they were selling drugs out of the house at 344 Brown Street, and I bought drugs from them”, that information probably can’t be used in establishing probable cause to search 344 Brown Street for drugs today. Because someone was selling drugs out of the house a year ago does not mean they’re selling drugs there today; to get a warrant to search 344 Brown Street, officers have to show probable cause to believe that drugs are being sold there now. Silva essentially claimed they hadn’t done that in his case.

In analyzing the staleness issue, we start with the information the federal agents used to get the warrant. Here’s how the federal district court summarized what they had:

Immigrations and Customs Enforcement (ICE) Special Agent Butler provided the Magistrate Judge a sworn affidavit. The affidavit stated that in April 2006, ICE began Operation Flicker, investigating a website known as the `Home Collection.’ The investigation revealed this organization was responsible for numerous commercial child pornography websites. Individuals would pay . . . $79.95 or $99.95 a month to gain access to the restricted websites. . . . [O]n January 18, 2007, the Defendant paid $99.95 to a PayPal account for Video Shop CD1, ID 1159. . . . The subject identifier 1159 refers to a child exploitation member restricted website known as `Video Shop CD 1.’ ICE agents purchased access to this member restricted website on February 12, 2007 and March 19, 2007. On these two occasions, the transaction was either identified by the subject identifier Video Shop CD1 or Item 1159. . . .

[O]n May 18, 2007, a summons was prepared and served on Time Warner requesting subscriber information for the Defendant's identity and residence. Time Warner confirmed that the Defendant was the subscriber and still had an active account. . . .

[O]n August 23, 2007, a Federal Grand Jury Subpoena was prepared and served on Wells Fargo Bank Texas, N.A., the financial institution responsible for issuing the check/debit card (# xxxx74013491xxxx) [redacted] to checking account number xxx-xxxxxxx. [redacted] On April 30, 2008, the account number was verified as belonging to the Defendant. The statement revealed that a check card purchase in the amount of $99.95 was debited by PayPal to Defendant's account. There was no information provided by Wells Fargo Bank that there had been any evidence of suspected fraud, identity theft, unauthorized use, or wrongful charges related to he purchase in question. A comparison of Webtrace records indicated the Defendant purchased access to a child pornography website on January 18, 2007. . . .

[A]gents in another investigation titled Operation FALCON identified Defendant as possibly . . . accessing suspected child pornography website on April 26, 2003 and May 20, 2003. The email account used to purchase access to the Operation FALCON website was the same account used to purchase access to the Video Shop CD 1 website. Defendant's current address was also identified by Operation Falcon at the time.

U.S. v. Silva, supra. The search warrant remember, issued on May 5, 2008. Silva said since “473 days had elapsed from when the illegal activity was discovered to the day the search warrant was issued,” the evidence was stale. U.S. v. Silva, supra.

In ruling on Silva’s argument, the judge to whom the case is assigned pointed out that whether evidence used to obtain a warrant is stale is “not merely an exercise in counting the days or even months between the facts relied on and the issuance of the warrant.” U.S. v. Silva, supra. As the judge noted, the “age of inculpatory information” is only one facts in determining if a warrant was based on stale evidence:

Staleness is to be determined on the facts of each case. A finding of staleness . . .can depend upon the nature of the unlawful activity, and when the information of the affidavit clearly shows a long-standing, ongoing pattern of criminal activity, even if fairly long periods of time have lapsed between the information and the issuance of the warrant. Information a year old is not necessarily stale as a matter of law, especially where child pornography is concerned.

U.S. v. Silva, supra. The judge found the evidence used in this case was not stale, and therefore could be used to establish probable cause for the warrant:

[A]n investigation of child pornography involves a multitude of websites, companies, and individuals whose common goal is to elude detection. Given the complicated nature of a child pornography investigation, the evidence may take several months or years to accrue, and . . . may consist of bits and pieces from several camouflaged sources. It would frustrate the Fourth Amendment[] . . . to force those tasked with investigating child pornography to hastily charge an individual based upon incomplete and uncorroborated information because of fear that a more complete investigation would consume too much time, rendering some information stale and unable to support a search warrant. . . . [I]t is better [to give investigators] a reasonable amount of time so [they] may acquire as much corroborated information concerning the suspect and the alleged activity before taking the next step of entering his home or residence.

U.S. v. Silva, supra. In finding the evidence wasn’t stale, the judge also relied on the premise that information

is less likely to be stale where the items sought in a search are of the type which could reasonably be expected to be kept in a particular location for long periods of time. At least one circuit has found that computer files are of a type that could be expected to be kept for long periods of time in the place to be searched.

U.S. v. Silva, supra. He also noted that evidence is “unlikely to be stale if it `clearly shows a long-standing, ongoing pattern of criminal activity”. U.S. v. Silva, supra.

The judge found the evidence showed Silva purchased child pornography in 2007 and was “possibly purchasing child pornography” in 2003. U.S. v. Silva, supra. He also found that the information submitted in support of the warrant showed that the evidence being sought was of a type that could be expected to be kept for a long time:

[T]he affidavit provided by Special Agent Butler . . . stated that persons involved in pornography and pedophilia tend to keep for long periods of time extensive pornography collections. This observation supports the conclusion that the more than a year gap between receipt of the information and issuance of the warrant is not excessive.

U.S. v. Silva, supra.

As a matter of common sense, I suppose the judge is right. As he and other judges have noted, if the information law enforcement has shows someone is a collector of something, it’s reasonable to infer that they will hold on to that thing (or things of that types), even for a long time. And it probably makes sense to give law enforcement some latitude in investigations that involve concerted attempts to conceal online activity so they can satisfy the 4th Amendment’s requirements, instead of putting them in the position of having to act on inadequate information.

Ghosts, Contraband and Seeking the Return of Seized Property

I’ve done several posts about trying to get the government to return computers and computer storage media it seized while executing a search warrant or pursuant to an exception to the 4th Amendment’s warrant requirement.

As I explained, someone whose computer equipment was seized can file a motion for return of property to try to get it back. The motion can be filed by someone who was never charged with a crime or by someone who was charged based on evidence found in the seized property. When a person who was never charged files a motion for return of property, he’s essentially saying the government is holding onto his stuff for no reason. In other words, if there’s no criminal case, the government doesn’t need it.

Someone who is being prosecuted based on evidence found in property seized from him usually begins by moving to suppress the evidence found in that property because his primary goal is to make it as difficult as possible for the prosecution to convict him. But those who have been charged can also file motions for the return of their property; they usually do this when the criminal case seems to be at an end, i.e., when the defendant has pled guilty or been convicted and has been sentenced. The rationale for the motion is that while the government needed the property while the case was pending, the case is over and the government’s authority to retain it has been exhausted.

One more bit of preface and we’ll get to the case this post is about: As I noted in a recent post, whether seized property will be returned to its owner depends to a great extent on whether it’s “evidence” or “contraband.” If it’s evidence, you have a chance at getting the property back because, as I noted above, the government is only authorized to keep evidence as long as it has some need for it, i.e., while the case is pending. But if the property is contraband (child pornography, say), you have no chance of getting it back because it’s illegal to possess that kind of property.

This brings us to Genao v. U.S., 2009 WL 1033384 (U.S. District Court for the Southern District of New York 2009). In 2005, a jury convicted Ismael Genao of “advertising child pornography in interstate commerce in violation of 18 U.S. Code § 2251(c) and transporting child pornography in interstate commerce in violation of 18 U.S. Code § 2252A(a)(1).” U.S. v. Genao, 224 Fed. Appx. 39 (U.S. Court of Appeals for the Second Circuit 2007). The criminal case began when, on the morning of March 6, 2003, Agent

Andrews of the [FBI] . . . used a computer in her office to access a chat room on the Internet Relay Chat. While on the IRC, Agent Andrews went to a chat room named `100reTeenGirlSexPics’ that she knew from her experience was dedicated to child pornography. Upon going to that chat room, Agent Andrews saw that file servers. . . had posted advertisements seeking to exchange child pornography.

U.S. v. Genao, supra. Andrews stayed online investigating two servers that seemed to be offering child pornography; she signed off after she “download[ed] seven images of children engaged in sexually explicit conduct” from one of them. U.S. v. Genao, supra. Andrews traced the images to an account owned by Genao and on “April 14, 2003, the FBI executed a search warrant” at his apartment in Yonkers, “where agents seized Genao’s computer and multiple computer hard drives.” U.S. v. Genao, supra.

Genao was convicted on both counts, sentenced and appealed his conviction to the Second Circuit Court of Appeals; on March 16, 2007, the Court of Appeals upheld the conviction. On September 1, 2008, he filed a motion seeking the return of property the FBI seized from his home. The property he sought fell into several categories, but we’re only concerned with three of them: “(1) one computer with two hard drives, (2) two separate external hard drives, (3) 118 compact discs”. Genao v. U.S., supra. In ruling on Genao’s motion, the federal district judge noted that Genao and the FBI agreed that

the hard drives . . . are contraband, in that they contain encrypted files containing child pornography. The government contends that the three CDs (numbered QNY31, QNY 33 and QNY 34) seized by the FBI contain what were described at trial as Ghost Image files, which would allow a user to restore encrypted information from the hard drives. The Government argues . . . that . . . the CDs numbered QNY31, QNY33, and QNY 34, cannot be returned to Plaintiff because they are contraband.

Genao v. U.S, supra. As to the Ghost Image files, the judge noted that they are

`used to copy a partition or hard drive into one huge file so it can be restored. If a hard drive should go bad or if a partition should go bad, the operating system or whatever it was on, that partition can be restored rather quickly.’ There were password protected Ghost files on several of the CDs but not the password for the encrypted material.

Genao v. U.S., supra. Genao responded to the FBI’s contraband claim by claiming

evidence at trial showed (1) that the FBI has cracked the password on the Ghost files . . . on some of the CDs and (2) that an FBI agent testified that `no contraband was found in said Ghost files.’ Plaintiff asks the Court to order the Government to produce FBI Agent Friesen and Assistant United States Attorney Collins . . . to testify at a hearing that the FBI opened and checked each Ghost file found on . . . the CDs and found no such contraband. Plaintiff further requests that he participate in the hearing by telephone.

Genao v. U.S., supra. The FBI opposed Genao’s request for a hearing: “First, the Government contends that it is reasonable to assume that the Ghost Image Files may indeed contain child pornography, and second, it would take the FBI two or three years conduct this particular forensic examination in preparation for the proposed hearing by Plaintiff.” Genao v. U.S., supra. And the FBI won:

Agent Friesen did testify . . . that someone . . . had cracked the password on the some of the encrypted Ghost Image Files and provided the password to him. However, he also testified that when representatives of the Government tried this password on files that were encrypted by PGP (`Pretty Good Privacy’), they could not open the files. Thus, the Court has been presented with no trial testimony . . . that these encrypted CDs do not contain contraband. Since the encryption would only serve to hide an illegal activity, there is a strong presumption that the encrypted CD's are contraband.

Furthermore, in his complaint, [Genao] acknowledged that the hard drives containing the encrypted material . . . should not be returned to him. Since the CDs containing encrypted materials (QNY31, QNY33, and QNY34) can be used to restore the images encrypted on the hard drives . . . there is strong circumstantial evidence that the encrypted Ghost Image Files on CDs QNY31, QNY33, and QNY34 contain images [he] encrypted in an attempt to hide his alleged activity. The Court finds that the CDs contain contraband, and since [Genao] has offered no evidence to show that the encrypted materials on CDs QNY31, QNY33, and QNY34 do not contain pornographic materials, denies [his] demand for a hearing and dismisses [his] claim for return of those CDs.

Genao v. U.S., supra.

So Genao lost because he couldn’t prove the encrypted data on the CDs did not include child pornography. I find that interesting because according to the leading expert on 4th Amendment law, when someone moves for the return of property AFTER the criminal case is over (as it was here), the government has the burden of proving that the property should not be returned because it’s contraband. Wayne R. LaVafe. Search and Seizure: A Treatise on the Fourth Amendment § 11.2(i) (4th ed. Thomson West 2008). He cites a couple of U.S. Court of Appeals cases which held that once the criminal case is over, the person from whom the property was seized is presumed to have a right to its return; to overcome that presumption, the government has to prove, by a preponderance of the evidence, that it cannot be returned because it’s contraband.

Did the government do that here? The federal judge seems to have relied on another presumption – the presumption that the only reason to use encryption is to hide illegal activity – to find that it did. I don’t know what I think of that result.

It’s an interesting issue: If the government seizes my property and I move to have it returned, either because I haven’t been charged or because I’ve been charged and convicted, can the government justifiably defeat my motion by showing that there are encrypted files on the computer and that, inferentially, the only reason to encrypt files is to conceal evidence of illegal activity? Do I have to give up the encryption key and let the government examine the files to prevail on my motion and get my property back?

Loss, Aggregation and Multiplicity

This post is about an opinion a federal judge issued a little less than a year ago. It deals with some interesting issues involving the application of the general federal computer crimes statute: 18 U.S. Code § 1030.

The case is U.S. v. Lanam, 2008 WL 2705514 (U.S. District Court for the Eastern District of Michigan 2008), and this is how it arose:

In March 2006, [Kirk] Lanam was indicted on six counts of unauthorized computer intrusion in violation of 18 U.S.C. § 1030(a)(5)(A) (i). The government later voluntarily dismissed three of the six counts.

The remaining three counts asserted that Lanam: (1) accessed the computer system of Total Mortgage Corporation (`Total’) without authorization and entered `ping flood’ commands that rendered Total's telephone system inoperative; (2) accessed Total's computer system without authorization and disabled the `firewall,’ thereby rendering the system vulnerable to subsequent attacks via the Internet; and (3) accessed the computer system of Air Source One, Inc. without authorization in order to gain access to Total's computer system.

U.S. v. Lanam, supra. Lanam went to trial and was convicted on all three counts.

After being convicted, he “move[d] for relief pursuant to” 22 U.S. Code § 2255, which is the federal habeas statute. As Wikipedia explains, habeas corpus “is an action often taken after sentencing by a defendant who seeks relief for some perceived error in his criminal trial.” In his habeas petition, Lanam asked for a new trial based on any or all of three reasons: his attorney was ineffective; the evidence was not sufficient to support the convictions; and the indictment was multiplicitous. We’re not concerned with the first argument; we’ll focus on the other two.

To understand Lanam’s second argument, I need to review the prior and current versions of 18 U.S. Code § 1030(a)(5). Until last September, § 1030(a)(5)(A)(i), the statute Lanam was convicted under, required (i) that the defendant have launched a DDoS attack on a computer system or accessed the system without being authorized to do so AND (ii) that by doing either or both he caused “loss to 1 or more persons during any 1-year period (and . . . loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value”.

Section 1030(a)(b) was revised last September, and one of the revisions eliminated the $5,000 requirement, which means it doesn’t apply to cases brought after September 26, 2008. Lanam, though, was indicted prior to September 26, 2008, so he was charged under the earlier version of the statute, which means that the caused “loss to 1 or more persons” provision applied to him. In challenging his conviction he initially argued “that the evidence adduced at trial was not sufficient to support the statutory loss element of $5,000 for any of the three counts on which he was convicted.” U.S. v. Lanam, supra.

The federal judge, though, found that § 1030(a)(5) “does not require a $5,000 loss stemming only from the conduct underlying each individual count of unauthorized intrusion. Rather, the statute requires only a total loss of $5,000, which may be aggregated based on the conduct charged and any related course of conduct during a one-year period. U.S. v. Lanam, supra. Lanam subsequently conceded that §1020(a)(5) only required aggregate loss totaling at least $5,000, but then argued that “the indictment was drafted in such a way that the government was required to prove a $5,000 loss stemming from each particular count.” U.S. v. Lanam, supra.

The federal judge didn’t agree. The judge began by noting that Count One of the indictment against Lanam read as follows:

On or about March 1, 2005 in the Eastern District of Michigan and elsewhere, Kirk Lanam . . . did knowingly cause the transmission of a computer command, and as a result . . . intentionally caused damage without authorization, to a protected computer, by accessing the computer system of Total Mortgage Corporation, which computer was used in interstate commerce, and entering commands that rendered Total Mortgage's telephone system inoperative that caused costs to be incurred . . . over $5,000, all in violation of Title 18, United States Code, [Section] 1030(a)(5)(A)(i).

U.S. v. Lanam, supra. The judge then noted that the other counts were phrased in an essentially identical manner.

The indictment is vague in that it does not explicitly state that the $5,000 loss may be aggregated from a related course of conduct. However, Lanam cites no law to support his contention that the sort of inartful drafting evident in this indictment may work to redefine the statutory elements of a crime.

U.S. v. Lanam, supra. The judge found Lanam was not entitled to a new trial based on this claim because there was “no suggestion that the indictment failed to charge an essential element of the crime or to provide Lanam with fair notice of the charges against him.” U.S. v. Lanam, supra.
Since the judge found the losses resulting from the charges in the indictment “and any related course of conduct during a one-year period” could be aggregated, he rejected Lanam’s second argument for a new trial.

As I noted above, Lanam’s third and final argument was that the counts in the indictment were multiplicitous. As I explained in a post I did last year, multiplicity is an error in the structure of a charging document, such as an indictment. Multiplicity is often described, in a phrase I like, as “impermissibly fractionating a single course of conduct into multiple offenses.” It means the prosecution breaks what is really one crime up into pieces, and charges the pieces in different counts of an indictment. So when a prosecutor creates a multiplicitous indictment, the effect is to multiply the criminal liability the defendant faces in a manner that’s inconsistent with the level of “harm” he or she actually caused.

The federal judge summarily disposed of Lanam’s multiplicity argument:

Lanam . . . argue[s] that if the loss element may be aggregated based on the conduct charged and any related course of conduct within a one-year period, the indictment is multiplicitous and violates . . . the Fifth Amendment. The . . . rule against multiplicity is properly invoked where a single illegal act is charged under more than one count, such that the defendant may be punished twice for the same crime. . . . Lanam's argument . . . is meritless because, although the losses from his conduct may be aggregated, each count of the indictment charged Lanam with committing a separate and discrete act of unauthorized intrusion.

U.S. v. Lanam, supra. It looks like Lanam ultimately decided this issue was a lost cause. Last September, he filed a motion to appeal the judge’s ruling on the ineffective assistance of counsel issue (only); last September the federal district court granted him a Certificate of Appealability, which a defendant must obtain in order to appeal a federal district court’s ruling on a claim in a habeas petition. Since Lanam didn’t include the multiplicity argument in the issues he intends to appeal, he presumably thought he didn’t have a chance of winning on that issue.

I suspect he didn’t. While I can see the argument that if the government can aggregate the loss resulting from all 3 crimes to satisfy the $5,000 requirement as to each crime, it’s essentially breaking a single crime (which would consist of the sum total of the actions that inflicted the $5,000+ loss) into parts, the argument doesn’t work in the end. The reason it doesn’t work is that when Congress revised 18 U.S. Code § 1030 in 1986, it added a jurisdictional damage requirement of $1,000 to limit the use of the statute:

The [Senate Judiciary] Committee believes this threshold is necessary to prevent the bringing of felony-level charges against every individual who modified another’s computer data. Some modifications or alterations, while constituting `damage’ in a sense, do not warrant felony-level punishment, particularly when almost no effort or expense is required to restore the affected data to its original condition

U.S. Senate Report No. 99-432, 1986 U.S. Code Congressional and Administrative News, pp. 2479-2496 (1986). Since the $1,000 (later $5,000) requirement was simply a threshold requirement for establishing federal jurisdiction to prosecute a person for one of the § 1030(a)(5) crimes, it wasn’t one of the elements of those crimes and therefore couldn’t support a multiplicity claim.

And as noted earlier, last September Congress eliminated any possibility of basing a multiplicity claim on the government’s aggregating the “loss” resulting from a series of crimes to satisfy the jurisdictional requirement by revising § 1030. One revision moved the “loss . . . aggregating at least $5,000 in value” provision that had been in § 1030(a)(5) to 18 U.S. Code § 1030(c). It’s now a sentencing provision; section 1030(c)(4)(A), one who gains unauthorized access to a computer can be sentenced to a fine and/or imprisonment for “not more than 5 years” if the crime caused loss “during any 1-year period” that aggregated “at least $5,000 in value”.

Why did Congress do that? I can’t say for sure. The revision clearly eliminated any possibility that a defendant could use the multiplicity argument if the government decided to aggregate loss across the counts of an indictment in order to establish the $5,00 loss requirement. Prior to the revision, some argued that the placement of the $5,000 requirement in the part of the statute that defined the unauthorized intrusion and DDoS crimes did, in fact, transform it into an element of the offense. I don’t really buy that argument because it’s clear the loss requirement was added, originally, to limit the use of the statute, which makes it a jurisdictional provision, not an offense element.

Anecdotally, I’ve heard Congress eliminated the $5,000 requirement as a condition for bringing a prosecution in order to give federal prosecutors the ability to use § 1030 against people who gain unauthorized access to computers and/or hit them with DDoS attacks but do not cause $5,000 in loss, not even in the aggregate. I think that’s the real reason Congress made this change; in other words, Congress reversed the position it took in 1986, when it revised the original, 1984 version of § 1030.

Because § 1030 now CAN be used against defendants who violate its provisions but don’t cause $5,000 in loss, does that mean we’ll see it being used a lot more often? I doubt it; I don’t think Congress meant to create the opportunity for a flood of § 1030 prosecutions. I think the goal was to give federal prosecutors the ability to use the statute in particular cases where, in their opinion, circumstances other than the amount of loss inflicted justified bringing a federal prosecution. I suspect they’ll use the new latitude they have carefully. Does that mean a federal prosecutor couldn’t abuse that latitude to prosecute someone under § 1030 when the nature of the “harm” – the loss – really doesn’t justify it? No, it doesn’t. Federal prosecutors have a great deal of discretion in deciding what cases they want to pursue, so such a scenario is at least conceivable. I, though, think it’s unlikely.

"Creates a Digitized Image"

In a sense, this post is about the need for -- and difficulty of -- drafting criminal statutes that define crimes with precision while still addressing the "harm" to be outlawed,

As you may have noticed, I seldom do posts on child pornography or child exploitation cases . . . not because the “harm” involved isn’t important, but because the defendants tend to be so inept (to put it kindly) that the legal issues just aren’t novel or complex.

This post is about an Indiana defendant who appealed his conviction for child exploitation and a related charge, and won . . . by successfully challenging the substance and application of the statutes at issue. The case is Salter v. State, 2009 WL 1409484 (Indiana Court of Appeals 2009), and here are the facts that led to the charges:

In the fall of 2006, the Indianapolis Police Department received information from Delaware authorities that Salter had been having communications of a sexual nature with M.B., a girl in Delaware who was under . . . eighteen. On October 23, IPD officers obtained and executed a search warrant at Salter's house. . . . [They] seized computer towers, CDs, DVDs . . . and miscellaneous documents. Upon searching . . . two of the CDs, officers discovered thirty-eight images of M.B., fully or partially nude, eight images of other nude `prepubescent’ children, and five images of Salter's genitals. In addition, Delaware State Police found the images of Salter's genitals on M.B.'s computer.

State v. Salter, supra. Salter was charged with 46 counts of child exploitation plus 5 counts of disseminating matter harmful to minors. The child exploitation charges were brought under Indiana Code § 35-42-4-4(b)(1), which provides as follows:

A person who knowingly or intentionally . . ., exhibits, photographs, films, videotapes, or creates a digitized image of any performance or incident that includes sexual conduct by a child under eighteen (18) years of age . . . commits child exploitation, a Class C felony.

The disseminating material harmful to minors charge was brought under Indiana Code § 35-49-3-3((a)(1), which provides as follows: “[A] person who knowingly or intentionally . . . disseminates matter to minors that is harmful to minors . . . commits a Class D felony.” To constitute material harmful to minors, the material disseminated must (i) be obscene, (ii) be child pornography or (iii) the person who sent the material must have sent it to “ a child less than eighteen (18) years of age believing of intending that the recipient is a child less than eighteen (18) years of age.” Indiana Code § 34-49-3-3(b).

Salter was tried by a judge, not a jury, and convicted on 35 of the 46 counts. The counts he was convicted of included both child exploitation and disseminating material harmful to minors. State v. Salter, supra. As I may have mentioned, defense attorneys often go with a bench trial (trial by a judge) instead of a jury trial when the charges involve issues a jury is likely to find distasteful and the defense is based primarily on legal issues. My guess is that this is why Salter went with a bench trial, instead of a jury trial.

On appeal, Salter challenged the legal sufficiency of the charges under both statutes. That means he isn’t challenging the facts; instead, he’s basically saying, “even if I did what you claim I did, it wasn’t a crime” (or maybe, more precisely, “it wasn’t the crime you charged me with”). If the charge is invalid, then the conviction can’t stand.

As to the child exploitation charge, Salter argued that “the State's attempt to include downloading an electronic image and saving it on a CD in the definition of `creates a digitized image’ exceeds the permissible scope of the child exploitation statute.” State v. Salter, supra. In response, the prosecution argued that “a person who uses a computer to download an electronic image and save it on a CD `creates a digitized image’ as that phrase is used in Indiana Code subsection 35-42-4-4(b).” State v. Salter, supra.

In deciding which argument was correct, the Court of Appeals reviewed the history of Indiana Code § 35-42-4-4(b). The version of the statute that was originally adopted in 1978 created only one crime, which it defined as follows: “A person who knowingly or intentionally photographs, films, or videotapes a child under sixteen (16) years of age while the child is performing or submitting to” sexual intercourse or other sexual activity “commits child exploitation, a Class D felony.” The Court of Appeals noted that the current version of the statute creates two crimes: child exploitation (which is defined above); and possession of child pornography. State v. Salter, supra. The court found that the legislature’s addition of the second offense indicated that it had “for good reason, decided to punish the production and distribution of child pornography more broadly -- extending to matter portraying sixteen and seventeen year olds -- and more severely -- Class C felony -- than mere possession of child pornography, which concerns only children under sixteen and is a Class D felony.” State v. Salter, supra.

The Court of Appeals then looked at two cases from other states – a New Jersey case and a Maryland case – that dealt with essentially the same issue. Both of those courts held that “a person who prints an image from a computer or who downloads an image onto a computer does not `create’ the image. The image was already created. All the person is doing is saving a copy of the image.” The Indiana Court of Appeals therefore reached the same conclusion in the Salter case, noting that someone

who opens an e-mail and saves an attached picture to his computer or a CD `creates’ something. He `creates’ a new unit of data on the computer or a file on a CD that was not there before. But is that what our legislature meant by `creates a digitized image of’?

To answer that question, we need look no further than the original statute, which was written to punish the photographing, the filming, and the videotaping of sexual activity involving a child. . . . [T]his was . . . aimed at eliminating the initial creation of these images, i.e., the original act of recording. Until the late 1990s, the only way to do so was to use a camera along with film or tape. But. . .`modern digital cameras do not use any kind of film, but record real-life images directly in digital form.’ . . . Because people who digitally record a performance or incident are not technically photographing, filming, or videotaping, our legislature acted to close a possible loophole for users of modern digital devices. As technology evolved, so did the statute. . . .

[T]he aim of statutes like ours . . . is the same: to stop the creation of child pornography. Here, Salter did not `create’ any of the images underlying Counts 1-46; M.B. created the thirty-eight pictures of herself, and some unknown person created the eight images of the other children before they were posted on the nudist websites visited by Salter. By downloading the images . . . and burning them onto CDs, Salter only saved copies of them, i.e., he possessed them.

Salter v. State, supra. The Court of Appeals therefore reversed Salter’s convictions on the child exploitation counts. It also addressed the possibility of charging him with possession of child pornography:

As for the images of M.B., he has committed no crime. The State concedes M.B. was sixteen when she took the pictures of herself, and Indiana's possession of child pornography statute only extends to children under sixteen. . . . The children in the other eight images all appear to be under sixteen, but the State might implicate Indiana's Successive Prosecution Statute if it chooses to charge Salter with possession of child pornography based on those images. . . .

State v. Salter, supra. As to the 8 images of children that appear to be under 16, the court is saying that the State probably has a double jeopardy problem here, i.e., it prosecuted him for SOME crimes based on those images, and that probably means he cannot be prosecuted for other crimes based on the same images.

Finally, Salter argued that the charges for disseminating material harmful to minors were void for vagueness and therefore unconstitutional. As the Court of Appeals explained, under the constitutional guarantee of due process established by the 14th Amendment,

a penal statute is void for vagueness if it does not clearly define its prohibitions. . . . A penal statute must give a person of ordinary intelligence fair notice that his . . . conduct is forbidden so no man shall be held criminally responsible for conduct which he could not reasonably understand to be proscribed.

State v. Salter, supra. Salter’s argument here was based on this Indiana statute: “A person at least eighteen . . . who, with a child . . . less than sixteen . . ., performs or submits to sexual intercourse commits” what is usually known as statutory rape. Indiana Code § 35-42-4-9(a). Salter did not deny

that he disseminated or displayed `matter’ to M.B. or that M.B. was a `minor’ for purposes of the statute. Rather, he contends that `[n]o person of ordinary intelligence would think that he could legally have sexual relations with another person, but could not send that same person an electronic image of his genitals. We understand Salter's argument to be that he had no way of knowing that pictures of his genitals would be considered `harmful’ to M.B., given that, under Indiana law, he could have been naked in front of M.B. and had sex with her without violating any law.

State v. Salter, supra. The Court of Appeals agreed:

Such sexual activity could involve varying degrees of nudity and necessarily involves some exposure of the genitals. By setting the legal age of consent at sixteen, the Indiana legislature has made an implied policy choice that in-person viewing of another person's genitals is `suitable matter’ for a sixteen- or seventeen-year-old child. That being so, how could Salter have known that a picture of his genitals would be `harmful’ . . . for M.B.? . . . [I]f such images are harmful to sixteen- and seventeen-year-old children, then why would our legislature allow those children to view the same matter in-person, in the course of sexual activity? These questions reveal the flaw in Indiana Code section 35-49-3-3 as applied to Salter: it did not provide him with fair notice that the State would consider pictures of his genitals harmful to or unsuitable for a sixteen-year-old girl.

State v. Salter, supra. The Court of Appeals therefore reversed the convictions on the disseminating material harmful to minors charges, as well.

Privacy and the Cloud

This is another post about how technology can make it difficult to decide if something is or is not "private."

I’m going to speculate about cloud computing and the 4th Amendment’s protecting us from “unreasonable” searches and seizures. The issue briefly came up at a meeting I attended last week, as one of the so-far unresolved issues evolving technology raises.

As I’ve explained in earlier posts, the 4th Amendment protects us from “unreasonable” searches and seizures; as I’ve also explained, the 4th Amendment’s guarantees only apply to state action, i.e., to searches and seizures conducted by law enforcement officers or other agents of the government. It follows, then, that the 4th Amendment doesn’t apply (i) if there isn’t a “search” or a “seizure;” or (ii) if the search or seizure is carried out by a private citizen, not an agent of the government.

As I’ve explained, a “search” violates what the U.S. Supreme Court calls a reasonable expectation of privacy. Under the Supreme Court’s decision in Katz v. U.S., 389 U.S. 347 (1967), I have a reasonable expectation of privacy in a place or thing if (i) I think it’s private and (ii) society agrees that it’s private. So in the Katz case, the Court held that Katz had a reasonable expectation of privacy in the content of calls he made from a phone booth; he thought his calls were private, and the Court found that society (at least in 1967) agreed.

A reasonable expectation of privacy is just that; it’s not a PERFECT expectation of privacy (though a perfect expectation of privacy would be a reasonable expectation). A perfect expectation of privacy would require that you do something to put the information you want to protect completely beyond the government’s reach; encrypting your data with a very secure encryption system would presumably create a perfect expectation of privacy.

The Supreme Court, however, has never imposed such a demanding and unrealistic standard because it would create a truly adversarial relationship between citizens and the government; that is, I would not be able to assume privacy based on my taking reasonable steps (like keeping my laptop in my home) to prevent the government from gaining access to my property or communications. As 4th Amendment law stands now, if we make a good-faith (reasonable) effort to keep our property or communications private, that’s enough; once we establish a 4th Amendment expectation of privacy in, say, a laptop, the government’s accessing the laptop becomes a search, which means the government has to get a search warrant or be able to rely on an exception to the warrant requirement (such as consent) to get into the laptop.

As I’ve explained before, a seizure of property occurs when the government interferes with my possession and use of that property (by, say, taking it from me). As I’ve noted before, my favorite 4th Amendment seizure case is Soldal v. Cook County, 506 U.S. 56 (1992). In Soldal, the Cook County Sheriff and some of his deputies helped the owner of a trailer park tow the Soldals’ mobile home from where it had been parked on a lot in a mobile harm park. The owner of the park claimed she had the right to evict the Soldals – which involved evicting their mobile home – and relied on the law enforcement officers to keep Mr. Soldal from interfering.

The Soldals brought a civil rights suit, claiming that towing away their mobile home was an unlawful seizure under the 4th Amendment. It was clear there was state action (the Sheriff and his deputies), but for some reason the issue as to whether towing the mobile home was a 4th Amendment seizure went all the way to the U.S. Supreme Court. Sure enough, the Court said it was a seizure; how it could have been anything else is beyond me. If you tow away someone’s home, you’ve clearly interfered with their right to possess and use that property.

All right, enough 4th Amendment context. Let’s talk about cloud computing. Specifically, let’s talk about whether I would have a 4th Amendment expectation of privacy in data I store in the cloud.

As I explained in a law review article, the 4th Amendment was developed at a time when the only privacy was spatial privacy; for something to be private, I had to keep it IN my home or office (and maybe in a locked chest), which both made it difficult for law enforcement officers to gain access to it and symbolically invoked my right to assume they wouldn’t gain access to it. (In other words, I could assume privacy.)

As I explained in that article, our lives have already moved far beyond spatial privacy; I talked about the 4th Amendment’s application to the contents of emails and what we do online -- arguing that it should apply to both, but noting that courts so far do not tend to agree. I think cloud computing will take this analysis to the next level.

Currently, courts treat data containers – laptops, cell-phones, Blackberries, etc. – as “closed containers” analogous to a locked chest or, as one court said, a footlocker. Under the 4th Amendment, we’ve always have a constitutional expectation of privacy in containers, including opaque containers we carry around with us; a police officer cannot, for example, demand that you open your briefcase so he can look through it. Since you have a 4th Amendment expectation of privacy in the briefcase (a closed container), he has to get a search warrant or your consent to look through it.

As I’ve explained in several posts, courts tend to analogize what we do online to our use of the U.S. mail; I think that analogy is valid to some extent because like sending a letter, emailing and surfing the web involve sending information via a third-party party. One problem I see with the analogy is that the U.S. mail is operated by the government, which means we’re sharing whatever information or property we send with agents of the government. When I email or do other things online, I share information with a privacy company, which I think differentiates online activity from the use of the mail, but so far no court has bought that proposition.

Actually, courts tend to rely on two analogies in analyzing what we do online: One is, as I noted, our use of the mails; as I explained in an earlier post, in a nineteenth-century decision, the Supreme Court held that sealed letters and packages are protected by the 4th Amendment, but postcards are not. Sealed items are protected because we have made an effort to protect their contents from postal employees; they are, in effect, “closed containers.” The other analogy derives from the 1979 Smith v. Maryland case, in which the Court held that we have no 4th Amendment expectation of privacy in the numbers we dial from our telephones, even our home phones, because we voluntarily give that information to the phone company. According to the Smith Court, by giving that information to the phone company, we assume the risk the phone company will give it to the government, which means any expectation of privacy we have in it isn’t reasonable.

What about privacy in an era of cloud computing? If I store my data in a cloud, is the data in a “closed container” and therefore private under the 4th Amendment? Or is putting data in a cloud analogous to giving the numbers I dial on my phone to the phone company? If courts decide the latter analogy is the correct one, then by putting data in a cloud I lose any 4th Amendment expectation of privacy in it unless and until the Supreme Court takes up this issue and holds otherwise. I can also see prosecutors making a third argument as to why cloud data is not protected by the 4th Amendment: They can say that data I store in a cloud is analogous to a postcard; that is, they can say that by giving the data to a third-party, I assume the risk that employees of the cloud computing service will access it and share it with law enforcement.

I don’t think the third argument works: It think putting data in a cloud creates a bailment relationship between the cloud computing company (and its employees). As I explained in an earlier post, in a bailment relationship, I give my property to someone so they can hold onto it for me (a storage service, say) or transport it for me (Fed Ex, say). As I noted in that post, in a bailment I transfer possession of the property for a specific purpose and a limited time; I still retain ownership of the property, and the bailor (the person who has taken possession of it) doesn’t have the right to sell it or access it if I haven’t specifically authorized that.

I also think the validity of the third argument depends on the extent to which the data I store in a cloud is secure from the cloud computing company and its employees. If they can read the contents of the data I’ve stored with them, then I can’t have a 4th Amendment expectation of privacy in that data; it’s essentially the equivalent of sending a postcard through the mail (only worse, because I’m leaving it with the cloud computing service for a lot longer than it takes a mail to travel from sender to recipient).

I don’t think putting data in a cloud is the equivalent of sharing the numbers I dial on my phone with the phone company because to use the phone company’s service, I HAVE to give it those numbers. The phone company’s systems can’t connect my calls if I don’t let them know what phone number I’m calling and what phone number I’m calling from. Since all I’m doing in cloud computing is storing data on a system, I don’t see that I’m sharing it with the owner of the cloud computing service and its employees, unless, of course, the data isn’t encrypted or otherwise sealed in a virtual “closed container.” If it’s in a sealed, functionally-opaque container, then the neither the owner of the system nor its employees can read my data; it again is analogous to sending a sealed letter.

My point is that even under current 4th Amendment law, I can make what I think are valid arguments as to why the 4th Amendment should apply to data stored in a cloud (as long as the appropriate conditions exist). I really think, though, that we shouldn’t be using cases that were decided thirty years ago or a hundred and thirty years ago to set the standard for 4th Amendment privacy in an era of advancing technology. As I argued in that law review article, I think we need to move beyond a purely spatial approach to privacy to approaches that encompass both spatial and non-spatial privacy.

Bailments and Border Searches

Last year, I did a post (one of several I’ve done) on border searches, i.e., on the exception to the 4th Amendment’s warrant requirement that encompasses searching the luggage – and laptops – of people entering or leaving the United States.

In that post, I talked about a new policy – the Policy Regarding Border Search of Information – that had just been adopted by U.S. Customs.

As I noted in that post, the policy implements the border search exception but carves out exceptions (exceptions to the exception, I guess) for certain kinds of information:

The policy then includes sections dealing with particular types of data, such as business information (trade secrets, etc. . . . try to prevent unauthorized disclosure), attorney-client privileged information (try to preserve the privilege) and sealed letters (can’t be searched without first getting a search warrant, because mail is protected under another 4th Amendment principle).

Crossing Borders (August 4, 2008). A few days ago, someone posted this comment on what I said in that post:

I note you mention 'sealed letters' as mail being protected from search as a person crosses the border.
Does it seem like there would be some sort of angle where placing a laptop inside a large envelope, addressing it and stamping it would give it some protection from a search?

Anonymous (May 30, 2009).

Anonymous raises a really good point which, I’m afraid, won’t work. It’s a perfectly logical argument, but sometimes law isn’t logical – or, more accurately, law doesn’t seem to be logical because there are so many complementary and interacting rules it’s difficult to apply straight logic to issues, sometimes.

I posted a brief response to Anonymous’ comment. In this post, I’m going to try to explain why the option he/she suggests won’t work in practice.

Let’s start with the 4th Amendment and mail. As I explained in an earlier post, in 1877, in a case called Ex parte Jackson, the Supreme Court held that we have a 4th Amendment expectation of privacy in sealed letters (not postcards) and packages we send through the U.S. mails, which means police have to get a search warrant to open a letter or package while it’s in transit.

Jackson applies to searches of mail traveling within U.S. borders. Later cases raised the issue of whether it trumps the border search exception, which would mean officers would have to get a search warrant to open and read mail traveling into or out of the United States. The Supreme Court dealt with this issue in U.S. v. Ramsey, 432 U.S. 606 (1977). Customs Inspector George Kallnischkies was inspecting a sack of incoming

international mail from Thailand [when he] spotted eight envelopes that were bulky and which he believed might contain merchandise. The envelopes, all of which appeared . . . to have been typed on the same typewriter, were addressed to four different locations in the Washington, D. C., area. . . . Kallnischkies, based on the fact that the letters were from Thailand, a known source of narcotics, and were `rather bulky,’ suspected the envelopes might contain . . . contraband rather than correspondence. He took the letters to an examining area . . . and felt one of the[m]: It `felt like there was something in there. . . . It was not just plain paper that the envelope is supposed to contain.’ He weighed one of the envelopes, and found it weighed . . . some three to six times the normal weight of an airmail letter. Inspector Kallnischkies then opened that envelope [and found heroin].

U.S. v. Ramsey, supra. Federal agents arrested Ramsey, the intended recipient of the envelopes; he was subsequently indicted for drug smuggling. He moved to suppress the heroin found in the envelopes under Ex parte Jackson; that is, Ramsey claimed the Customs Inspector needed a warrant to open the envelopes. The Court of Appeals for the D.C. Circuit agreed, and the case went to the Supreme Court.

The Supreme Court did not directly address the constitutional issue. It held that the search of the envelopes was lawful under 19 U.S. Code § 482(a) which says that the officers who are

authorized to . . . search vessels may stop, search, and examine . . . any vehicle . . . or person, on which or whom he or they shall suspect there is merchandise which . . . shall have been introduced into the United States in any manner contrary to law . . . and to search any trunk or envelope . . .in which he may have a reasonable cause to suspect there is merchandise which was imported contrary to law.

The Ramsey Court held that since Kallnischkies had “reasonable cause” to believe contraband was in the envelope, the “search, therefore, was plainly authorized by the statute.” U.S. v. Ramsey, supra. The Court had this to say about the 4th Amendment:

Since the search . . . was authorized by statute, we are left simply with the question of whether the search, nevertheless violated the Constitution. . . . [W]e need not decide whether Congress conceived the statute as a necessary precondition to the validity of the search or whether it was viewed, instead, as a limitation on otherwise existing authority of the Executive. Having acted pursuant to, and within the scope of, a congressional Act, Inspector Kallnischkies' searches were permissible unless they violated the Constitution.

U.S. v. Ramsey, supra. What the Court is saying in this paragraph is that the statute might be implementing the 4th Amendment (which means the search was valid under both the statute and the 4th Amendment) or it might be giving us more protection than the 4th Amendment, in which case the search would still be valid.

As I may have mentioned, constitutional provisions like the 4th Amendment set the baseline of protection – the absolute minimum of protection – for privacy and other rights. Congress can give us more privacy (or more protection for other rights) by adopting statutes and implementing federal regulations. If, in enacting 19 U.S. Code § 482, Congress gave us more protection than we get under the 4th Amendment, then the search could not have been unconstitutional. If Congress meant for the statute to simply implement what the 4th Amendment requires, then Ramsey still could not complain AND we know that mail searches do not fall automatically under the border search exception.

Under our current understanding of the law, an officer can conduct a routine border search of luggage merely because he wants to; the Customs agent doesn’t have to show he had probable cause or reasonable cause to believe there was contraband inside the luggage. If § 482 implements the 4th Amendment, an agent can’t search mail just because he wants to; he has to have reasonable cause to believe there’s contraband inside.

It’s been 32 years since the Court decided Ramsey, and we still don’t know if § 482 implements the 4th Amendment or goes beyond it. To makes things more complicated, § 145.3(b) of Title 19 of the Code of Federal Regulations provides as follows:

No Customs officer or employee shall open sealed letter class mail which appears to contain only correspondence unless prior to the opening:

(1) A search warrant authorizing that action has been obtained from an appropriate judge of United States magistrate, or
(2) The sender or the addressee has given written authorization for the opening.

Section 145.3(c) of Title 19 of the Code fo Federal Regulations imposes the same restrictions on a Customs officer’s reading “any correspondence contained in letter class mail”. The Ramsey Court cited both of these regulations, but didn’t seem to find that they had any particular bearing on the case, presumably because there’s regulations and § 482 is a federal statute (or maybe for some other reason – I don’t claim to be an expert on federal postal regulations).

So where does that leave us with the original question, i.e., whether sealing a laptop in an addressed, sealed and stamped envelope would protect it from a border search. To implicate the application of the border search exception to mail issue, we have to have “mail.” Mail is “[a]nything sent through the postal system”. If you’re carrying it, then it’s not “mail”, it’s luggage, and the border exception applies with full force to luggage.

As I noted in my response to Anonymous’ comment, the Ex parte Jackson holding is based on the fact that mail – like FedEx and other transactions – is a bailment. In a bailment one person transfers possession – but not ownership – of property to another, usually for a limited purpose. If you’ve ever left a bag with a bellman while you’re in a meeting, that’s a bailment; the bellman has possession of the bag till you get back, but that doesn’t entitle him to open it or sell it or give it away.

When we send things through the mail, that’s a bailment. The Postal Service has my letter; I do not. In Ex parte Jackson, the Supreme Court applied the 4th Amendment to the bailment that results when we mail a letter or a package. If I’m carrying a laptop in a sealed, addressed and stamped envelope, that isn’t a mail bailment because I haven’t turned the laptop over to the Postal Service. So Ex parte Jackson doesn’t apply; as I noted earlier, the laptop is luggage and the border search exception applies to it.

Saucy Jack

This post is about a case that doesn’t raise any interesting legal issues. It’s just really creepy, so I decided to write about it.

The case is Thompson v. State, 2009 WL 1382020 (Court of Appeals of Texas – Houston 2009). Earl Thompson appealed his conviction for stalking (and for unlawfully carrying a weapon in a liquor-licensed premises, but we’re not interested in that one), which arose from these facts:

On October 25, 2006, [Thompson] began sending Suzi Hanks, a Houston radio personality, a series of strange and threatening emails. The emails included references to guns, Jack the Ripper, and a bronze chariot; they also contained sexual innuendos. In the emails, [Thompson] used the names Earl Thompson, Mystery Knight, Knights Elite, Saucy Jack, Black Jack, and Jack Porns. These emails made Hanks `very afraid,’ and she told her supervisor about them and reported the situation to the Pasadena Police Department. Hanks did not respond to any of the emails, which prompted [Thompson] to make numerous unsuccessful attempts to telephone her at the radio station where she worked.

On October 31, 2006, Hanks's radio station planned a live broadcast from Vito's Deck House to promote a Halloween costume contest. When Hanks arrived, she told the promotion workers who were already there about the emails, and let them know that she was nervous about the situation. When she walked in, she saw a man in a booth dressed in black, and he `immediately made eye contact with [her] and got kind of very excited.’ Concerned, Hanks told the promotion workers there was a `guy sitting in the booth’ and asked them to keep an eye on her.

As they broadcasted, people came by to pick up . . . promotional items. Eventually, [Thompson], who indeed was the `guy sitting in the booth,’ approached the table and introduced himself as `Jack Porns.’ Hanks was `petrified.’ She gave him a t-shirt and tried to get him to leave. After [Thompson] walked away, Hanks was so frightened that she went out to her car to get her gun, for which she had a concealed-handgun license. In the parking lot, she saw a bronze Lincoln Town Car in a handicapped parking space and was reminded of the email references to a bronze chariot. At that point, Hanks realized the emails from Jack Porns and Earl Thompson were from the same person.

Hanks called 911, and while she was speaking to the dispatcher, she saw a police car and flagged it down. As she was talking to the police officer, the promotion workers came outside and handed her a threatening note that [Thompson] had given them. While they were talking, a waitress came out and handed them a note she had found in the restroom, which was a poem about Jack the Ripper.

The officer called for assistance, and when the other officers arrived, they detained [Thompson]. [He] had a concealed-handgun permit, and officers found a loaded Derringer handgun in his pocket. The officers arrested [him] for unlawfully carrying a weapon inside a bar, and handcuffed him with his hands behind his back. [Thompson] requested that he be handcuffed in front, but his request was denied. Later, at the jail, officers discovered that [he] had concealed a second handgun in a `pouch that covered his crotch.’ Additionally, in a black bag [Thompson] had with him, police found a pair of rubber gloves and a steak knife.

Thompson v. State, supra.

As I said, Thompson was charged with stalking Hanks. The Texas stalking statute provides as follows:

(a) A person commits an offense if the person, on more than one occasion and pursuant to the same scheme or course of conduct that is directed specifically at another person, knowingly engages in conduct, including following the other person, that:

(1) the actor knows or reasonably believes the other person will regard as threatening:
(A) bodily injury or death for the other person; . . .
(2) [omitted]; . . . [or]
(3) would cause a reasonable person to fear:
(A) bodily injury or death for himself or herself;
(B) bodily injury or death for a member of the person's family or household; or
(C) that an offense will be committed against the person's property.

Texas Penal Code § 42.072(a).

For some reason I cannot fathom, Thompson pled not guilty and went to trial on the stalking charge. At trial, he

took the stand in his defense, and, although he stated that he did not intend the emails to be threatening, he admitted that he sent them to Hanks and that he `kept calling’ her at the radio station. He also admitted that he asked someone at Vito's to hand Hanks the threatening note referencing Jack the Ripper, and that he had a handgun with him when he went to Vito's.

Thompson v. State, supra.

After being convicted, he appealed his conviction on two grounds, both procedural. In one, he claimed the trial court judge made “an incorrect statement of law to the jury venire during the voir dire process.” Thompson v. State, supra. As Wikipedia notes, the venire is the jury pool, the group of potential jurors from whom the jurors who will decide a case are chosen. As Wikipedia also notes, voir dire is the process of choosing trial jurors from the venire. Thompson pointed out that the trial judge told the venire that if someone had been convicted of prostitution, they were disqualified from serving as a juror. That apparently was an error, but the Court of Appeals held that since Thompson did not raise the issue at trial, he was foreclosed from raising it on appeal.

The other issue was that one of the officers who arrested Thompson testified that he said nothing about the second gun (the one in his crotch) during the 30-45 minute drive to the station. Thompson pointed out that commenting on a defendant’s post-arrest silence violated both the Fifth Amendment and the comparable provision of the Texas state Constitution. Thompson v. State, supra.

The Texas Court of Appeals rejected this argument because the trial judge immediately instructed the jury to disregard what the officer said. At that point, Thompson moved for a mistrial, which the trial judge denied. On appeal, he claimed the judge should have granted his motion for a mistrial, but the Court of Appeals disagreed. It found that the instruction was adequate and was given promptly and “nothing . . . suggests that the trial court’s instruction was not adequate” to ensure that the jurors did not consider what the officer had said. The Court of Appeals also found that the error was not reversible error because “the State’s case against appellant was overwhelming.” Thompson v. State, supra. It reviewed the facts outlined at the beginning of this post – all of which were proved at trial – and the testimony Thompson gave, in which he basically admitted doing all of it. The court therefore upheld his conviction.

As I said, there aren’t any novel or interesting legal issues in this case, just a really creepy set of facts.

I also find it interesting that Mr. Thompson – who apparently idolizes Jack the Ripper – seems to have missed the fact that the Ripper was never caught because he managed to maintain a very low profile. Makes you wonder if Thompson was trying to get caught.

File this one under amazingly inept cybercriminals.

"Access" as Over-inclusive

I recently exchanged several emails with Lokkju Brennr, Lokkju brought up an interesting issue about the way law approaches the crime of gaining unauthorized access to a computer (often generically referred to as “hacking” a computer). Before I get to that issue, I want to review how law deals with this crime.

In a post I did a couple of years ago I explained that lawyers usually analogize the crime of gaining unauthorized access to a computer to the crime of criminal trespass: In each instance, you’re doing something you’re not supposed to do and, as a result, are “harming” the owner of the computer/property in some respect.

The “harm” resulting from trespass on physical property seems to be an amalgam of privacy (if you come onto my property without my permission, you’ve violated my privacy) and my right to exclusive possession of the property. The “harm” resulting from unauthorized access to a computer system is . . . a little murkier. I think it definitely encompasses the second “harm” that justifies criminalizing physical trespass, i.e., you’re violating my exclusive right to possess and access my property (my computer/computer system, in this context). And it probably also encompasses the first “harm,” as well, because if you get into my computer system you are in a sense violating my privacy (or at least have acquired the capacity to violate my privacy by getting into the data I don’t want anyone else to know about).

I think the unauthorized access-criminal trespass analogy is far from perfect, but it’s pretty much all we have. It’s difficult, if not impossible, to develop analogies that symmetrically track digital and physical “harms” with any precision. That, however, is not the issue Lokkju Brennr raised. That issue, I think, is both more interesting and more difficult to resolve. Here it is:

The majority of the time when you do an activity, such as a sending an email, you don't know whether or not you have the authorization to do so. For instance, when I sent my initial email to you, even without going into the underlying protocol issues, I did not know if I had authorization to access your email server or not. Now, I could make an educated guess that since you published your email address, it was permissible to contact you - but I did not have any specific authorization.

Lokkju also pointed out that given this state of affairs, unauthorized access statutes effectively criminalize “all normal use of the Internet.” That’s an interesting point; I’m going to use this post to speculate a bit about Lokkju’s point and about how the law deals with it . . . and maybe even how the law might change how it deals with it.

Let’s start with an unauthorized access crime statute. The federal statute is remarkably straightforward: “[Whoever] intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage” commits a federal crime. 18 U.S. Code § 1030(a)(5)(B). As I noted in an earlier post, the federal statute does not define “access”, but a number of state statutes do.

Most states define it as “to instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system or network.” Arizona Statutes § 13-2301(E)(1). California’s definition is similar but a little more elaborate: “`Access’ means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” California Penal Code § 502(1).

Okay, U.S. states (and the criminal codes of other countries) define access. But do they define what it means to gain access “without authorization”?

Surprisingly, a few states do. Here’s how Colorado defines it: “`Authorization’ means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this [statute.]” Colorado Revised Statutes § 18-5.5-101(1). And here’s how Hawaii defines it: “`Without authorization’ means without the permission of or in excess of the permission of an owner, lessor, or rightful user or someone licensed or privileged by an owner, lessor, or rightful user to grant the permission [to access the computer or computer system].” Hawaii Revised Statutes § 708-890. Minnesota has a slightly different and rather interesting approach to defining authorization:

`Authorization’ means with the permission of the owner of the computer, computer system, computer network, computer software, or other property. Authorization may be limited by the owner by:

(1) giving the user actual notice orally or in writing;
(2) posting a written notice in a prominent location adjacent to the computer being used; or
(3) using a notice displayed on or announced by the computer being used.

Minnesota Statutes § 609.87(2a). And New Hampshire throws in a new element that expands the scope of authorization:

`Authorization’ means the express or implied consent given by a person to another to access or use said person's computer, computer network, computer program, computer software, password, identifying code, or personal identification number.

New Hampshire Revised Statutes § 638:16(II). A few other states also have statutory provisions that define authorization, but they all tend to resemble one of more of these statutes.

So where does that leave us in terms of the issue Lokkju raised? When I send an email to you – to someone who didn’t email me first and whom I don’t know in the real world – how do I know if I’m accessing their email server (or, more accurately, I think, the email server that handles their email) with or without authorization?

As a matter of fact, I don’t. As a matter of fact, I simply assume I have authorization to access that server. All of the statutes quoted above define authorization as acting with the consent/permission of the owner of the computer system (the server); in so doing, they implicitly assume that the person KNOWS they are acting with the permission or consent of the owner of the system (server). Logically, I could argue that they assume (also or in the alternative) that it’s sufficient if I believe I have permission or consent to access the computer. I don’t think a subjective belief (however accurate or erroneous) works here, though, because I think the language of most of the statutes incorporate a higher standard, i.e., I think they predicate authorization as your having obtained some signal, some indication, from the owner of the system that it’s okay for you to access it. (But I could be wrong.)

The New Hampshire statute broadens that by adding “implied consent.” The other statutes expressly or (I would argue) implicitly require that there have been express consent from the owner of the system for access to be authorized. That’s why I believe they require a much higher standard than simple belief (“I thought it was ok, really I did”).

The New Hampshire statute doesn’t tell us how implied consent arises. Pennsylvania’s computer crime statute does shed a little light on this issue. It defines authorization as including “express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.” This language appears in a statute entitled “defense.” Here is the statute in its entirety:

It is a defense to an action brought pursuant to Subchapter B (relating to hacking and similar offenses) that the actor:

(1) was entitled by law or contract to engage in the conduct constituting the offense; or
(2) reasonably believed that he had the authorization or permission of the owner, lessee, licensee, authorized holder, authorized possessor or agent of the computer, computer network, computer software, computer system, database or telecommunication device or that the owner or authorized holder would have authorized or provided permission to engage in the conduct constituting the offense. As used in this section, the term `authorization’ includes express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.

18 Pennsylvania Consolidated Statutes § 7605(2). Connecticut has a similar defense to a charge of unauthorized access statute. Like the Pennsylvania statute, it bases the defense on the fact that the defendant “reasonably believed” that the owner of the computer system or the owner’s agent had authorized the access. Connecticut General Statutes § 53a-251(b)(2). The Connecticut statute, though, throws in another option: It’s also a defense if the person charged with gaining unauthorized access to a computer “reasonably could not have known that his access was unauthorized." So this statute essentially puts the risk on the owner of the system; the owner must make it "reasonably" clear access is not authorized unless you do something, have something, etc.

So where does that leave us? It’s pretty clear that U.S. law, anyway, doesn’t address the issue Lokkju raised, i.e., the problem of letting someine know whether their access is authorized prior to their act of accessing a system. It looks like a few U.S. states (New York has a statute similar to the Pennsylvania defense statute) deal with this issue by giving someone charged with unauthorized access the ability to use their belief that they were authorized to use the system as an affirmative defense. In U.S. criminal law, when someone raises an affirmative defense to a charge, they admit they committed the crime but use the defense to argue that they shouldn’t be convicted. Self-defense and insanity are affirmative defenses; someone charged with murder can concede that they killed the victim but argue that they are not guilty of murder because they acted in self-defense or were insane at the time.

Does that approach seem reasonable? If not, any alternatives?