Tuesday, December 26, 2006

Give Up Your Encryption Key or Go to Jail

I've been reading about the British government’s plans to implement a provision of the Regulation of Investigatory Powers Act (RIPA).

RIPA was enacted in 2000, but the government has held off on implementing Part III of the Act. Under British law, Part III must be activated by a ministerial order before it goes into effect.

Part III of RIPA gives police the authority to order someone to give their encryption key to the police. If the person refuses to hand over the key, it is a crime.

Section 53 of RIPA makes it an offense, punishable by up to two years in prison, to knowingly refuse to surrender an encryption key after having been directed to do so by police.

The only defense the person can raise under the provisions of RIPA is that they did not have the key at the time they were ordered to turn it over. If they raise that defense, then the prosecution has to prove beyond a reasonable doubt that they did, in fact, have the key when they were ordered to produce it.

The possibility the British government will implement Part III apparently has many concerned, especially, according to one article, those in the financial industry. The author of that article quotes various sources as saying that bankers and others in the financial industry would be concerned about bringing master encryption keys into the United Kingdom, for fear they would be seized by police, for whatever reason.

Under Part III of RIPA, to get an order requiring disclosure of an encryption key police only need believe “on reasonable grounds” that the key is in the possession of a specific person and that its disclosure is “necessary” (i) in “the interests of national security,” (ii) “for the purpose of preventing or detecting crime” or (iii) “in the interests of the economic well-being of the United Kingdom.” (I assume (iii) goes to investigating possible economic espionage.)

The British police claim they need the ability to require the production of encryption keys to be able to effectively investigate terrorism, child abuse and other serious crimes. One detective was quoted as saying police had “over 200 PCs” containing encrypted data “sitting in property cupboards,” the inference being that the encrypted data includes evidence of crimes (or terrorism). So, police argue that unless they have the power to obtain encryption keys any clever criminal or terrorist can stymie an investigation by encrypting critical evidence.

There is no statutory analogue of Part III of RIPA in the United States, for what I think is a very good reason: the Fifth Amendment privilege against self-incrimination. The Fifth Amendment protects individuals (not corporations or other artificial entities) from being “compelled” to be a “witness against” themselves. The Supreme Court has construed this as meaning that you cannot be compelled to testify against yourself, but you can be compelled to give up physical evidence – samples of your blood, hair, etc.

The Supreme Court’s reasoning is that witnesses “testify,” so the historical meaning of the Fifth Amendment is rather narrow: You can’t be forced to testify against yourself, but you can be forced to cooperate with an investigation as long as you don’t have to testify.

In the U.S., police have no way to force someone to give up an encryption key – they can ask for it, but if the person refuses to give up the key, that’s that. A prosecutor can, however, use a grand jury subpoena (state or federal) to compel someone to give up an encryption key. If the person does not give up the key in compliance with the subpoena, they will be held in civil contempt and incarcerated until they do. (Think Judith Miller, the NY Times reporter who refused to identify a source when ordered to by a grand jury, and who then served time in jail for contempt.)

Could you take the Fifth and refuse to give up your encryption key if a grand jury issued a subpoena ordering you to do so? You can if giving up the key is “testimony,” but you can’t if it’s only the act of producing physical evidence (like handing over a gun).

If you have memorized the key (which is unlikely), then providing it to law enforcement should clearly be testimony. The dynamic would be as follows: The grand jury issues a subpoena ordering you to appear before the grand jury and give them the key. You show up on the date and time ordered. The prosecutor asks you what the key is and you recite it. I don’t think anyone would dispute that this would be testimony, which means you could invoke the Fifth and refuse to comply.

But what if, as is far more likely, you have recorded the very long and complicated key somewhere? Now instead of reciting it you’d be handing it over. That could be dicey. Under the Supreme Court’s interpretation of the Fifth Amendment privilege, you can take the Fifth for the act of handing over evidence to the government if, in doing so, you “tell” them something they don’t know. You can’t take the Fifth if they already know you have the thing; here, you’re not “telling” them anything.

Much as I’d like to say that you could take the Fifth and refuse to hand over the recorded key, I’m not sure that’s true. The government wouldn’t be asking for it if they didn’t know it existed and didn’t know you have it . . . so it doesn’t seem you tell them much if you hand it over. Now, I suppose you could argue that you do “tell” them something, in that you give them the data – the characters – that constitute the key. A prosecutor would respond to that argument by pointing out that you already “testified” to that information when you recorded it – you’re not, as in the previous instance, being asked to “speak” the information. You’re merely being asked to hand over information you wrote – information you “spoke” – at an earlier time. If a court buys that argument, then we would have, in effect, the same result in the U.S. as will exist if and when Part III of the RIPA goes into effect in Britain.

It’s a very difficult set of issues. On the one hand, encryption is an essential component in preserving privacy in an increasingly-automated world. On the other hand, what the British police said is quite true: criminals and terrorists can use encryption to put data outside the reach of law enforcement.

This may be a transient issue. I understand U.S. intelligence agencies are able to break even very sophisticated encryption. If and when that ability migrates to local police, they won’t need the power to coerce someone into giving up their encryption key . . . at least not unless and until someone comes up with a mode of encryption that cannot be broken or with some other way of securing data in an unbreakable way.

Tuesday, December 12, 2006


Last time I wrote about online stalking.

Today I want to write about a related issue: online imposture. Basically, online imposture consists of going online and pretending to be someone else.

It can be relatively harmless; I remember reading, about ten years ago, about an expert on online culture. She was puzzled when she got emails from people complimenting her on comments she'd made in a chat room the other night. Problem was, she had not been in the chat room. It seems someone had simply taken her identity out for a ride -- had a good time pretending to be her and pontificating online for a bit.

That was harmless online imposture. It can also be harmful, and that is the kind I want to address.

I’m going to begin by summarizing a couple of incidents to illustrate what harmful online imposture is and how it occurs. Then I’ll talk a bit about the legal issues online imposture raises.

Let’s start with the incidents:
  • The following facts come from an article in the Milwaukee Journal-Sentinel. (Lisa Sink & Linda Spice, Man Charged with Defamation, Milwaukee Journal Sentinel (June 7, 2000), 2000 WLNR 3077063.) After his boss fired him, David Dabbert went to the “`Sex on the Side’” website, which “features `attached’ women who are seeking sexual encounters `on the side’”. Dabbart posted an ad on the site that purportedly came from his former boss, using her real name and email address. The ad “described her chest size and hair color and, in part, said: `I'm highly stressed out. . . . I've only been with my hubby. He's gone at work 24 hours at a time . . . I want someone to make me their slut for the night’”. The woman received many responses to the ad, which left her frightened and embarrassed.
  • Here’s another case reported by the same newspaper. (Lisa Sink, Family Therapist Investigated in Internet Complaint, Milwaukee Journal Sentinel (March 14, 2000), 2000 WLNR 3057614.) According to the article, a family therapist “posed as his former wife's new husband and posted an ad on an Internet site for swingers, asking interested men to call the couple.” It gave “the ex-wife's body measurements and home phone number and said: `Wife and I desire 3some with a male.’” The ad “prompted a slew of calls to the woman and her new husband”, which, again, left them frightened and embarrassed.

If we assume, as I do, that the facts were correctly reported in both stories, then we have two instances of online imposture: cases in which person A goes online and pretends to be person B.

Before we deal with the legal issues, let’s just consider this as a phenomenon. Online imposture has several dimensions: In these cases, it seems the imposture was undertaken for vindictive purposes – to embarrass the person who was the object of the imposture. Now one can embarrass another person – offline or online – by publishing discreditable information about them. So if someone (hypothetically) went online and published an allegation that I am a drug addict, that allegation would embarrass me, whether it was true or not.

If the allegation were true (and I assure you it is not), then the embarrassment would result from the dissemination of true information. The publisher of the information would in effect have invaded my privacy by revealing that which I chose to keep secret.

If the allegation were not true (as I assure you it is not), then the embarrassment takes on a different tone. Now it is not merely an invasion of privacy – the revelation of true information I am trying to conceal – but a misrepresentation that casts me in a “false light” . . . that depicts me as being something I am not, something that is disreputable.

The distinction between publishing true discreditable information and not-true discreditable information gets us into the first legal issue we need to deal with. In either of the above scenarios, I would certainly be angry about the publication of the (again, purely hypothetical) allegation that I am a drug addict. If I were like most people, I would probably want some kind of redress – some kind of vindication/revenge/all that. So I might decide to sue the person who published this allegation (if, of course, I can identify who published the allegation).

If the allegation were true, then I would probably not have a case for defamation. The basic rule in this country is that truth is a defense to an action for defamation. So, think about that: if I decide to sue the person who published the allegation that I am a drug addict, I will in essence have to prove in court that I am not, never have been, a drug addict. Now, I may be able to prove that quite easily . . . but I would still have to go through the embarrassing process of having to prove I am not a drug addict, something I used to be able to assume people know. (I might also have to deal with the possibility that, even if I won, some people would always wonder if the allegation was true . . . . )

If the allegation were not true and I could prove that, then I should be able to win in my defamation suit against the person who published it. Now, though, we come to a practical problem. Most of the people I know – probably most of the people you know – don’t have a lot of money. So what good is my civil suit if the person who published the allegation doesn’t have thousands and thousands (millions and millions) of dollars to pay me and my lawyers when I win? If the person I want to sue clearly doesn’t have enough money to pay a judgment and attorneys’ fees, then most lawyers won’t want to take my case unless I can show, up front, that I can pay the very large sum of money it will cost to litigate and win. I don’t have that much money, so even though I would have the legal basis for a defamation suit, in practice that’s really not an option. I assume it was not an option for the victims in the online imposture cases I described earlier.

I might try to deal with the defendant-who-has-no-money problem by suing the operator of the website on which my tormentor published the false allegation that I am a drug addict . . . but that raises another problem.

Historically, those who published defamatory material could be held civilly liable for their role in defaming someone. This is not true for online publication: A section of the Communications Decency Act “overrides the traditional treatment of publishers. . . . ‘such as newspapers, magazines or television and radio stations, all of which may be held liable for publishing . . . defamatory material written or prepared by others.’” Batzel v. Smith, 333 F.3d 1018, 1026 (9th Cir. 2003). Concerned about lawsuits inhibiting free speech online, Congress added Section 230(c)(1) to title 47 of the U.S. Code. It states that “[n]o provider or user of an interactive computer service shall be treated as the publisher . . . of any information provided by another information content provider.” 47 U.S. Code § 230(c)(1). The effect of this provision is to immunize those who post content that is provided by someone like the hypothetical individual who posted the (quite false) allegation that I am a drug addict. The result is that my attempt to seek civil redress for the embarrassment I suffer from having that false allegation published will fail because (a) the person who posted the false information has no assets to pay a judgment or attorney’s fees and (b) the website operator is immune from suit.

In the Dabbart case, the local district attorney’s office prosecuted him for criminal defamation . . . and won. (Lisa Sink, Man Convicted Of Posting Ex-Boss' Name On Sex Site Defamation Case Believed To Be County's First Such Internet Prosecution, Milwaukee Journal Sentinel (August 11, 2000), 2000 WLNR 3037734.) Dabbart wound up pleading no contest to a misdemeanor defamation charge; he was sentenced to serve 15 days in jail, to two years on probation, to pay $1,280 in restitution and to perform 100 hours of community service. According to this news story, the victim urged Wisconsin lawmakers to “find new ways to charge individuals who pose as others over the Internet for lewd purposes.” (Sink, Man Convicted Of Posting Ex-Boss' Name On Sex Site Defamation Case, supra.)

This is an issue I explored in a long law review article I wrote recently. Criminal defamation (criminal libel) is very seldom used in this country – indeed, does not even seem to be a crime in many states. The reason is that our state criminal law was very much influenced by the Model Penal Code – a template of state criminal law that was drafted about fifty years ago. The Model Penal Code did many great things in terms of modernizing what had been a patchwork of criminal law derived from English common law.

It departed from English common law, though, in basically rejecting the notion of treating defamation as a crime. The drafters of the Model Penal Code (who said this was the most difficult decision they made) decided that defamation was better handled civilly than criminally.

I think they were probably right when they made that decision, about fifty years ago, but the landscape has since changed dramatically. When the drafters of the Model Penal Code decided defamation should not be a crime, they assumed that defamatory material would be published on television, in a newspaper, in a magazine – in the mainstream-media, in other words. And that was true when they wrote – if you think about it, fifty years ago someone with a grudge could not simply publish the kind of claims involved in the two cases I described at the beginning of this post. If they took that material to a newspaper or a magazine, they would have been sent packing.

The drafters of the Model Penal Code therefore implicitly assumed that someone injured by the publication of defamatory material would be able to find a deep-pocket to sue . . . someone with assets to pay attorneys’ fees and a judgment. As I’ve explained, that is no longer true: With online publication, anyone can pretend to be someone else and publish information that casts them in a seriously embarrassing light. The person who has been embarrassed cannot sue the individual who published the defamatory material unless that individual has enough assets to pay a judgment and attorneys’ fees (or unless the injured party does). The person who has been embarrassed may not even be able to identify the individual responsible for publishing the material, because it is so easy to be anonymous online. And, as I explained earlier, the operator of the website on which the material was published is, unlike conventional mainstream-media outlets, immune from suit for publishing the material.

So, maybe we should reconsider criminalizing defamation.

Sunday, December 03, 2006

Stalking a School

In 1999, a new and bizarre kind of stalking occurred in a small town, as is described in detail by Boston Globe reporter Michele Kurtz. (The “Stalker” Who Stayed at Home: A Town Terrorized Over the Internet, Boston Globe (Sept. 2, 2001)).

Twenty-year-old Christian Hunold, who lived in Smithville, Missouri, stalked the students and faculty of the Hawthorne Brooke Middle School in Townsend, Massachusetts.

Hunold, a high-school athlete and honor student, was seriously injured in a 1995 auto accident. He recovered from most of his injuries but lost the ability to walk. According to Michele Kurtz, his disability left Hunold “seething” . . . and bored. She says he turned to the Internet, where he could become someone else: “Someone physically strong, someone living thousands of miles from Smithville. In the cyber world, no one would know the difference.” (Kurtz, The “Stalker” Who Stayed at Home).

He apparently met students from the Hawthorne Brooke Middle School in a chat room devoted to Limp Bizkit, and struck up a friendship with the eighth graders, who invited him to join them in a private chat room.
Hunold decided to pretend he was one of them, and to show them a thing or two about the real world.

By studying the kids' Internet profiles, Hunold was able to learn some of their birth dates, addresses, and hobbies. He created a computer file where he detailed what he knew about each student. Every online conversation with one of the kids contained another helpful nugget about someone else.

`When he talked to these kids, he knew specific things, like where they lived, what their house looked like, if they had a dog, what table they sat at at lunch,’ says Townsend Police Sergeant Cheryl Mattson, who investigated the case.

Within a few weeks, the banter between Hunold and the Townsend kids became more threatening. Hunold bragged he was a serial rapist and would come after them. He pointed students to child pornography online, including pictures of a 5-year-old girl being raped.

(Kurtz, The “Stalker” Who Stayed at Home).

It became increasingly difficult for him to sustain the pretense that he was a Hawthorne Brooke student. The students began challenging him, a “loss of control that infuriated him.” (Kurtz, The “Stalker” Who Stayed at Home). He responded by telling them he was going to blow up the school and then by posting a website that depicted
Hawthorne Brook Middle School seen through the crosshairs of a rifle scope. There was a picture of the school principal, made to look like he was bleeding through bullet holes in his head and chest. And there were references to Columbine, which had shocked the nation only five months before. . . .
(Kurtz, The “Stalker” Who Stayed at Home). He posted a “hit list” that contained the first names of 24 students and the last names of 3 Hawthorne Brooke teachers. Underneath the list he wrote: `You lucky individuals will go home with more holes in your body than you came with.’ (Kurtz, The “Stalker” Who Stayed at Home).

Hunold was halfway across the country, had no weapons and no intention of carrying through on his threats. For him, it was a game – he was manipulating the students (and, indirectly, their teachers and their families) for his own amusement – to boost his ego. (Kurtz, The “Stalker” Who Stayed at Home).

Not surprisingly, the Hawthorne Brooke teachers, students and parents were terrified. They knew the person who was sending the threats “had to be” local because he knew so much about the students. They assumed he was a Hawthorne Brooke eighth-grader; Hunold encouraged this by identifying himself as a particular eighth-grader, who was harassed because of that.

Parents whose children were on the “hit list” didn’t know what to do – whether to send the children to school or keep them at home. Police brought in bomb-sniffing dogs to patrol the hallways and classrooms of the school. Teachers searched student bags and other possessions, and some parents considered arming themselves to protect their children and themselves.

The Massachusetts State Police traced some of the mysterious person’s Internet activity to Missouri. At first they assumed the person was in Townsend and was routing his messages through Missouri, but they rather quickly figured out that the person was in Missouri. (Kurtz, The “Stalker” Who Stayed at Home). Massachusetts and Missouri officers collaborated in searching Hunold’s computer and interviewing him; he readily confessed to what he had done.

In October, 2000, Hunold pled guilty in Missouri to three felony counts of attempted promotion of child pornography and one misdemeanor count of harassment. (Similar charges were filed in Massachusetts but dismissed on the grounds that Massachusetts law did not criminalize the use of computer technology to distribute child pornography.) He was sentenced to 15 years in prison and served 120 days.

For some reason, the Hunold case reminds me of the Twilight Zone episode “The Monsters Are Due on Maple Street.” In that episode, space aliens (who look a lot like humans) manipulate electricity and a few other things to create paranoia in the good citizens of a pleasant suburb. The locals decide aliens are among them and turn on each other. As one source puts it, “total madness breaks out.”

It reminds me of that Twilight Zone episode because there really was no danger to the students or anyone else in Townsend, but Hunold was able to make everyone believe there was. My sense, from speaking to people familiar with the case, is that a little bit of the Twilight Zone episode began to happen in that no one knew who to trust. The mysterious person sending the threats might have been one of the students, might have been a teacher, might have been a staff person . . . might have been anyone. Hunold’s activities are a great example of how someone can use online imposture to break down the trust we assume, and rely on, in our everyday lives.

What I find most chilling about the Hunold episode is not what happened in Townsend, but what might have happened after. When police searched Hunold’s computer, they found evidence that led them to believe he was planning to do the same thing to a school in Georgia. I suspect he would have done an even better job of cultivating paranoia and inculcating terror the second (or third?) time around. What he did in Townsend seems to have been pretty much an accident, something that evolved as he developed an online relationship with the eighth-graders, whom he sought to control. The next time his efforts would have been more calculated and therefore, I think, even more devastating.

In terms of today’s law, Hunold could also have been charged with cyberstalking, which basically means someone used computer technology to engage in a course of conduct that inflicted serious (or substantial) emotional distress on another person. It can also encompass threatening someone with death or serious bodily injury. So I see no reason why Hunold could not have been charged with stalking, at least under current law. What I see as interesting is that he did not merely stalk. He played with the lives of people in Townsend just as the fictive Twilight Zone aliens played with the people in that suburb. Somehow, that seems more than stalking.

Sunday, November 26, 2006

Vigilantes & Deputies: Lesson from the Past

It is increasingly clear to those of us who study cybercrime that conventional law enforcement, alone, simply cannot handle the problem, for several reasons.

As I have said elsewhere, cybercrime challenges even the best law enforcement agencies because it demands resources they do not have (and we cannot supply), because it is so easy to be anonymous online, because it is committed on an expansive scale and because it is so often transnational in character.

This means we need to develop a modified approach, one that improves our ability to deter and therefore control cybercrime.

One solution is to involve the private sector in the battle against cybercrime.

The FBI and the U.S. Secret Service are doing this with their Infragard and Electronic Crime Task Force programs, both of which bring federal and state law enforcement officers together with individuals and entities from the private sector. The general purpose is to facilitate information-sharing about attacks and threats; a subsidiary function, at least in some instances, is to enhance the resources available to law enforcement.

That’s a good solution, I think. Another ad hoc approach is evolving – online vigilantism, which takes various forms: Artists Against 419 and Perverted Justice are two examples. I’m essentially agnostic about the Artists Against 419; I know that some of the things they do violate the law, but I just can’t manage to be indignant about the harassment of 419 scammers.

I am, though, distinctly not a fan of Perverted Justice, not on its own terms and especially not when they team up with MSNBC to broadcast their depressing stings. I know the people they catch are scum, but I still don’t like how they do it; I particularly don’t like the broadcast stings in which (and I have only seen a little bit of these) the MSNBC guy seems to take delight in demonstrating precisely how stupid these guys are. I also don't like the fact that the Perverted Justice people are sometimes deputized, and that they are paid for their efforts by MSNBC. I heard a police officer refer to this arrangement as "law enforcement for profit."

Enough venting. My goal here is not to go off on a tangent about Perverted Justice. I actually have a larger point I want to make.

I just finished a novel the events of which take place ninety-some years ago, during the Spanish Influenza pandemic. In reading the novel, I learned about an organization I had never heard of: the American Protective League.

The American Protective League was “a voluntary association of patriotic citizens acting through local branches which were established in cities and counties throughout the country”. It was created in March of 1917, two weeks before the U.S. entered World War I. It was created as an auxiliary to the Bureau of Investigation of the Department of Justice (the precursor to the FBI), though military intelligence also seems to have been involved in its creation. Members carried a badge and membership card which showed they “were connected with the Department of Justice.” They were, in essence, federal deputies.

The APL had “twelve hundred units functioning across America, all staffed by business and professional people. It was a genuine secret society . . . . Membership gave every operative the authority to be a national policeman.” APL members investigated (and apparently coerced) “seditious and disloyal” citizens, checked on who had bought Liberty Bonds, rounded up “draft evaders,” broke strikes and generally seem to have harassed anyone they regarded as German sympathizers or “Reds.” They seem to have routinely violated civil rights and, as one source notes, they “burgled, vandalized, and harassed I.W.W. members and their offices.” And as that source notes, the Wilson administration supported the APL even though many of their activities were illegal.

In describing the APL’s activities to Congress, the Attorney General said, “[i]t is safe to say never in history has this country been so thoroughly policed.”

The APL has been a revelation to me. I have done some thinking and writing about how we could bring representatives of the private sector into the battle against cybercrime. I have talked to others about this, and have heard the argument that corporate entities or at least certain of their employees should be deputized to give these private citizens more authority to investigate cybercrime and even to pursue cybercriminals. In a short piece I speculated a bit about how this would work in practice, wondering if it would be possible to actually deputize private citizens on a continuing basis and encourage them to “go after” cybercriminals.

Historically, vigilantes – like the Wild West vigilantes we in the U.S. always think of when we hear the term – have emerged when law enforcement was lacking or was perceived as ineffective. Vigilantes have, therefore, been a substitute for law enforcement, instead of an adjunct to law enforcement . . . or so I thought until I heard about the APL.

The APL saga makes me really concerned about the idea of formally bringing private sector personnel into law enforcement, either as adjuncts or as APL-style “deputies.” I know we’re a lot more sensitive to civil rights now than people were ninety-some years ago, and I might agree that the investigation (and even apprehension) of cybercriminals is not likely to create opportunities for the kinds of abuses the APL members inflicted early in the last century.

I think, though, I’m really hesitant about blurring boundaries – about formally bringing laypeople into the battle against cybercrime (or any other kind of crime, for that matter).

I still think we need to figure out an approach that allows us to utilize private-sector resources (personnel, equipment, money) to improve law enforcement’s ability to deal with cybercrime. I just think we need to be very, very careful how we do this.

(Oh, the photo is A. Mitchell Palmer, Attorney General during much of the time the American Protective League was operating.)

Wednesday, November 22, 2006

Civil Suits for Hacking, Malware, etc.

The basic federal cybercrime statute is 18 U.S. Code § 1030.

Section 1030 criminalizes various types of hacking (unauthorized access to computers), denial of service attacks, distributing malware and using computer technology to commit extortion or fraud. When it was originally enacted in 1984, §1030 only addressed conduct that targeted computers used by the federal government and a limited category of private computers, such as those used by financial institutions.

As computers became more common, it became apparent that the statute needed to be expanded in scope to give federal authorities the ability to pursue criminals who attacked purely “civilian” computers. So in 1996 the statute was expanded to criminalize a variety of conduct that is directed at “protected computers.”

Section 1030(e)(2) defines a “protected computer” as a computer that is either
  • (a) used “exclusively” by a financial institution or the federal government “or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government;” or
  • (b) “is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States”.

The second definition essentially gives federal authorities jurisdiction over any computer located in the United States (especially if it is linked to the Internet) AND gives them the ability to apply the provisions of §1030 extraterritorially, i.e., to conduct occurring outside the territorial United States. The statute therefore gives the Department of Justice and federal law enforcement agents wide latitude to pursue those who engage in criminal activity directed at federal or civilian computers. But today, for a change, I don’t want to write about criminal matters. Instead, I want to point out another aspect of §1030.

Section 1030(g) creates a private civil cause of action for anyone who has been injured by a violation of the criminal provisions of the statute. In other words, if a cybercriminal hacks your computers, infects you with a virus or worm, launches a DDoS attack at you, uses a computer to extort money or property from you or uses a computer to defraud you, you can bring a civil suit against that person under §1030(g).

Specifically, §1030(g) says that “[a]ny person who suffers damage or loss by reason of a violation of [§1030] may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” The civil action can be brought if the conduct
  • (a) violated one of the criminal provisions of the statute AND
  • (b) caused loss aggregating at least $5,000 in one year OR the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals OR physical injury to any person OR a threat to public health or safety OR damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security.

Damages for a violation causing only financial losses aggregating at least $5,000 in a one-year period are limited to economic damages. In Creative Computing v. Getloaded.com LLC, the Ninth Circuit Court of Appeals held that loss of business and loss of business goodwill constitute “economic damages” under the statute.

And the Third Circuit Court of Appeals held, in P.C. Yonkers, Inc. v. Celebrations The Party and Seasonal Superstore, 428 F.3d 504 (2005), that the statute’s limitation to “economic damages” means that “if one who is harmed does seek compensatory damages based on such conduct, . . . then those damages will be so limited. That is, compensatory damages for such conduct will be awarded only for economic harm.” This court found that nothing in the sentence quoted above prevents a court from also providing injunctive relief against someone who has been shown to be in violation of the statute.

Section 1030(e)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”. So all of these can be factored into the calculation of economic damages in a suit under §1030(g).

An injured party must file an action under §1030(g) “within 2 years of the date of the act complained of or the date of the discovery of the damage.” No action can be brought under §1030(g) “for the negligent design or manufacture of computer hardware, computer software, or firmware.”

I did a quick Westlaw search to see how many reported cases deal with suits brought under §1030(g) and found around 50. That seems a good number, given that most of the people who violate the criminal provisions of §1030 tend to be what we in the law call “judgment-proof,” i.e., without assets that could be used to pay off a civil judgment if a plaintiff were fortunate enough to prevail.

The theory behind provisions like §1030(g) is that private citizens act essentially as “adjunct Attorneys General.” That is, private citizens who bring suits under a statute like this are presumed to enhance the effectiveness with which the statute deters criminal violations, since the private suits also act as a sanction against those who violate the statute. I don’t know that anyone has actually conducted empirical research to see how well that works in practice, but it’s a reasonable theory.

Sunday, November 19, 2006

Border Wars

I've done several posts on the legal issues that arise from airport searches and seizures of laptop computers.

A Minnesota federal district court just issued an opinion in an airport laptop search case.

N. Furukawa, who is being prosecuted federally for possessing child pornography, moved to suppress the evidence seized from his laptop and statements he made during the laptop search at the airport.

The district court's opinion describes what happened, in detail, and I thought you might find it interesting. United States v. Furukawa, 2006 WL 3330726 (District of Minnesota, November 16, 2006).

United States Customs and Border Protection Officer Jeffrey R. Schmidt was on duty at Minneapolis/St. Paul International Airport during the afternoon hours on April 20, 2006. . . . Officer Schmidt . . . was conducting baggage searches when he encountered defendant Furukawa at approximately 1:30 p.m. Mr. Furukawa was being processed through United States customs upon arrival on an international Northwest Airlines flight from Tokyo, Japan. He was waiting in line for a routine inspection after being referred from passport screening to "baggage control secondary" based upon a computer screen alert indicating that he may have purchased access to an Internet site that contained child pornography. The referral was made by Customs Officer Bulov.

Officer Schmidt first obtained the defendant's travel documents, including his passport and a customs declaration. Defendant indicated that he was returning to his office in New York following a business trip to the Philippines. After examining the defendant regarding any customs declarations, the officer obtained a binding declaration. Officer Schmidt was not aware of any particular reason for defendant's referral for baggage search until he checked the computer screen after obtaining the binding declaration. The officer then proceeded to examine Mr. Furukawa's checked and carry-on luggage and found that the defendant was carrying a laptop computer and an external hard drive. Officer Schmidt promptly opened the laptop, booted up the computer, and asked the defendant to sign in and enter his password. The officer designated the Windows 2000 operating system and the defendant entered his screen name and password without objection.

After gaining access to the designated program, Schmidt began a search for video and picture files which are construed as merchandise for customs purposes. The officer discovered a file list and thumbnail photos which included materials that were suspected to be pornographic. At that time he took the computer to his supervisor's office so that the screen would not be open to public viewing. Upon further examination of the files Officer Schmidt observed photos which appeared to be pictures of pre-teen girls engaged in acts of a sexual nature. He also found materials that were on the computer in violation of copyright protections and those materials were deleted or destroyed on site. The officer then closed the laptop computer and called his duty supervisor. In addition, agents from Immigration and Customs Enforcement were contacted. The laptop was seized along with 14 other items. Officer Schmidt's search lasted approximately one-and-a-half hours.

ICE Special Agent Paul Nichols arrived at the airport customs area at approximately 3:00 p.m. There he met with Special Agents Lang, Boyle and Yira. . . . The agents found and reviewed images on the laptop computer which were determined to be representations of child pornography. Meanwhile, Special Agent Lang, a computer forensics specialist, examined the external hard drive containing approximately 30,000 files and discovered numerous additional file names that suggested the existence of pornography.

Special Agent Nichols thereafter met with the defendant and identified himself. The agent read aloud the Miranda rights from a written U.S.I.C.E. Statement of Rights form . . . . The defendant stated that he understood each of his rights as they were read to him, and he himself read the rights. Mr. Furukawa printed his name and signed and dated the express waiver of rights contained on the bottom of the Statement of Rights form. The signature was witnessed in writing by Special Agent Nichols and Yira. At that time the defendant had not been placed under arrest and was not in handcuffs, though he was not free to leave. The defendant and the agents were located in a corner in the secondary inspection area which is not open to the public.

Defendant Furukawa stated that he was willing to answer questions and that his occupation was Internet business consulting. He indicated that his occupation involved searching the Internet for pornography and that he sometimes encountered child porn as an incident to the occupation, particularly as part of a mass download of pornographic materials, but that his clients were not producers of child pornography. The defendant acknowledged that he owned the laptop and the external hard drive that were examined by customs agents. He was cooperative and provided appropriate answers to questions posed by agents, but he did not himself ask any questions, and he declined to answer certain questions. The interview lasted approximately one hour and there was no request that questioning cease and no request for the assistance of an attorney.

During the interview the defendant was provided water on request and no threats were made to induce cooperation. He was advised that the reason for his detention was the discovery of child pornography on his computer. . . . In addition to the oral interview questions, the defendant provided written answers to some but not all of the written questions that were presented to him on a typed DHS/ICE Computer Forensics form. . . . The questions and answers on the form related to defendant's computer ownership, operating systems, and user and sign-on names and passwords. Mr. Furukawa described himself as an "expert user" in response to a question on the forensics form, and he provided a list of e-mail addresses.

The district court denied Furukawa's motions to suppress the evidence and to suppress the statements he made to the ICE officers.

Tuesday, November 14, 2006

Who Can Consent to a Search of Your Computer?

A recent federal case from the Eighth Circuit Court of Appeals – United States v. Hudspeth, 459 F.3d 922 (8th Cir. 2006) – illustrates the issues that can arise when one person consents to law enforcement’s searching a computer owned/used by someone else.

In 2002, “as part of an investigation into the sale . . . of pseudoephedrine-based cold tablets, the Missouri State Highway Patrol . . . executed a search warrant at Handi-Rak Service, Inc.”

As the officers searched the Handi-Rak office computers for evidence within the scope of the warrant, e.g., “papers and/or documents” related to the “inventory of pseudoephedrine based cold tablets”, they ran across a “homemade CD with a handwritten label.” When one officer opened a folder on the CD, he saw child pornography. The Sergeant in charge stopped the officers from searching further and called the U.S. Attorney’s office “for guidance.”

While that was going on, Hudspeth (a) consented to the search of his office computer, in writing and orally and (b) refused to consent to a search or seizure of his home computer. The officers then arrested Hudspeth, believing they had probable cause to believe he possessed child pornography.

They also believed they would find child pornography on his home computer, so they went to his home. The officers introduced themselves to Mrs. Hudspeth, told her they had arrested her husband and asked for consent to search the home computer. She asked “what would happen if she did not consent” and the officer in charge told her “he would leave an armed uniformed officer at the home to prevent destruction of the computer and other evidence while he applied for a search warrant.” After trying unsuccessfully to contact her attorney, Mrs. Hudspeth told the officers they could take the computer. They seized it, took it to their offices, obtained a warrant to search it and found more child pornography on the home computer.

Hudspeth moved to suppress the images found on his home computer, arguing that his refusal to consent to the seizure of his home computer trumped his wife’s subsequent consent to the seizure. To understand his argument, we need to examine consent for a moment.

Consent is an exception to the 4th Amendment’s requirement that police have a warrant to search or seize property. Consent is essentially a waiver of one’s 4th Amendment rights. The Supreme Court held, in United States v. Matlock, 415 U.S. 164 (1974), that co-users of property can each consent to the search or seizure of that property. So here, if Mrs. Hudspeth was a co-user of the home computer, she had the authority to consent to the search or seizure of that computer.

The Matlock Court held that the authority to consent derives not only from sharing ownership of property (though that works, too), but also from sharing the use of property. Since it seems likely that Mrs. Hudspeth was both a co-owner and a co-user of the property, she had the authority to consent to the seizure of the home computer, which means her consent to the seizure would have been valid . . . had Mr. Hudspeth not refused to consent to that seizure earlier.

A year or three ago, his refusal might not have been important. It’s very likely that, a year or three ago, the Eighth Circuit would have held that Mrs. Hudspeth was a co-owner/co-user of the home computer and so could consent, in her own right, to its seizure. That’s where the law had been. The understanding was that as long as A co-owner/co-user of property consented to a search/seizure of the property, the consent (and the resulting search/seizure) was valid, even though the other owner/user of the property had refused to consent.

That changed, though, earlier this year when the Supreme Court decided Georgia v. Randolph, 126 S.Ct. 1515 (2006). The Randolph Court held that “a physically present inhabitant's express refusal of consent to a police search is dispositive as to him, regardless of the consent of a fellow occupant.” More precisely, the Supreme Court held that the consent Scott Randolph’s estranged wife, Janet, gave to the search of the home she still shared with Scott was invalid because her consent came after Scott had refused to consent. (Essentially, the officer asked Scott to consent to a search of the home and, when Scott refused, “turned to Janet Randolph for consent to search, which she readily gave.”)

The Supreme Court held that a co-owner’s/co-user’s consent cannot overrule another “physically present” co-owner’s/co-user’s refusal to consent. In other words, the Court held that police cannot play one "physically present" owner/user off against another, obtaining consent from one in the face of another’s denial.

The Hudspeth Court applied the Randolph holding to the facts before it even though Mr. Hudspeth was not “physically present” when his wife was asked to consent to the search he had rejected. The Eighth Circuit found there are reasons to enforce the refusal to consent of an absent co-owner/co-user, as well as of one who is physically present when the issue of consent is raised and resolved. It therefore held that Mrs. Hudspeth’s consent to the seizure of the home computer was invalid under the 4th Amendment, which may result in the suppression of evidence obtained from that computer.

Bottom line:

• If you give others access to your computer (as well as to your other personal possessions or your home or your car), you have assumed the risk they will consent to allow law enforcement officers to search the property in your absence (and, inferentially, when you have not refused to consent to the search). (Since only owners and co-owners can consent to the seizure of property, you assume this risk only if you jointly own the property with someone else, who is present when you are not.)

• If you follow the Eighth Circuit’s rationale, police cannot obtain valid consent from a co-owner/co-user of the property in your absence if you have already refused to provide consent. . . even though you are not "physically present" where the computer is.

• If you read the Randolph Court’s holding strictly – as some will do – then the fact that you have refused to consent may not matter if you refused when you were not physically proximate to the property they want to search. It MAY be (and I emphasize “may”) that the Randolph Court’s holding only applies when you have two co-owners/co-users of property confronting each other, one consenting and one refusing to do so.

What do you think?

Wednesday, November 08, 2006

Seeking the Return of Seized Computers

In my last post, I talked about the provision in Rule 41 of the Federal Rules of Criminal Procedure which requires that a search warrant be “executed” within 10 days of being issued. Today I want to talk about a related issue: seeking the return of computer equipment that has been seized pursuant to a search warrant.

The usual dynamic under the Fourth Amendment for computer equipment is that law enforcement officers (a) get a warrant to seize and search computer equipment, (b) seize the equipment, analyze it and find evidence that is used to prosecute the owner for various crimes and (c) the owner moves to suppress that evidence on the grounds that the seizure and/or search of the computer somehow violated the Fourth Amendment. This is the dynamic we’re all used to: the operation of the Fourth Amendment’s exclusionary rule.

There is another, less well-known dynamic, one that arises under Rule 41(g) of the Federal Rules of Criminal Procedure. Rule 41(g) says that someone “aggrieved by an unlawful search and seizure of property or by the deprivation of property may move for the property's return.” If the party filing the motion shows good cause for the property’s being returned, the court will enter an order to that effect.

Motions for return of property are filed when the property at issue is, like computer equipment, not itself contraband but has been seized because it contains contraband (child pornography, say) or evidence of a crime (identity theft, extortion, hacking, etc.). The premise behind filing a Rule 41(g) motion in this context is that the computer was seized so the government could search it and find the evidence it contained; it has now been searched, the government has found and acquired the relevant evidence, so the computer should be returned to its owner.

This was the basis of a motion to return filed by a law firm in Massachusetts some years ago. As reported in Commonwealth v. Ellis, 10 Mass. L. Rptr. 429, 1999 WL 815818 (Mass. Super. 1999), law enforcement officers executing a search warrant at the firm’s office seized computers, back-up tapes and a printer to be searched off-site. After some time had passed, the law firm moved for the return of the seized property, arguing that the searches had been completed. The court denied the motion because it found that the government’s retaining the equipment was “reasonable” under the circumstances, the primary circumstance being that it had been (allegedly) used in the commission of crimes.

In People v. Lamonte, 61 Cal. Rptr. 2d 810 (Cal. App. 1997), on the other hand, the appellate court held that the defendant’s motion for the return of his computer should have been granted. This court explained that though the computer “may have” been used in committing a crime, it was not contraband, i.e., it itself was “not illegal to possess.”

These cases illustrate the traditional process of moving for return of seized property – a scenario I will call the “zero-sum seized property scenario.” In this scenario, the government has seized someone’s tangible property and, by retaining it, is completely depriving them of its possession and use. Only the government or the owner can have a computer, not both.

A new scenario – a non-zero sum seized property scenario – has emerged over the last few years. This scenario arises when, as is common, the government makes a copy, a mirror image, of a computer hard drive or other storage media and uses the copy for its analysis. What happens when the owner of the computer hard drive files a motion for the return of the copy of the hard drive?

This happened, for example, in Florida earlier this year. In the Matter of the Application of the United States for a Search Warrant, U.S. District Court – Middle District of Florida (Case No. 05-3113-01). Federal agents executed a search warrant at a business and made mirror images of the data contained in 3 laptop computers, 4 CPUs, two servers and 3 RAID drives. They took the copies away to be analyzed and, after some time had passed, the business moved for the return of all the data on the copies that was not relevant to the criminal investigation.

This is quite common; given the complexity and capacity of computer storage devices, they can contain a great deal of information that is irrelevant to the criminal investigation being conducted. And, as the business pointed out in this case, the irrelevant data is not within the scope of the warrant that justified the making and seizure of the copies; since it is not within the scope of the warrant, it seems its retention by the government would violate the Fourth Amendment.

That is what the business argued in the Florida case. The government’s response was that it should be allowed to retain the mirror images – in their entirety – “indefinitely” so they could be used to “authenticate seized information” and to conduct further searches, if necessary. An expert informed the court that the government should not need to retain the mirror images for authentication purposes, because a hash analysis of the mirror images could be used for that purpose. The government countered that, “for the last several years” it had been the practice among at least some U.S. Attorneys’ offices to retain mirror images of hard drives and other media “throughout the investigation and prosecution of the case.”

The District Court for the Middle District of Florida disagreed. It held that “the United States cannot, consistent with the Fourth Amendment, retain computer storage devices that contain data outside the scope of a search warrant after a search is completed, unless the computer storage devices have themselves been seized as instrumentalities or evidence of a crime or as contraband. . . . The United States should not, therefore, continue to take the cavalier attitude that it may retain computer storage devices throughout an investigation and prosecution without specific court authorization to do so.”

So this court, anyway, said the government cannot retain copied data that is not within the scope of the warrant used to copy computer storage media unless that data is relevant to an investigation. It also indicated that the owner of the seized computer storage media can seek the return of the data before the investigation has been completed, presumably after the government has been given a “reasonable” amount of time to analyze the seized copies.

I tend to agree with this court, but I suspect other courts may disagree. One of the reasons I find this issue of particular interest is because of a proposal I was asked to review last year. The author of this proposal advanced a system for collecting the data on all storage media copied by the government, pursuant to computer search warrants, and depositing it into a central data base. It would then be used for data mining, i.e., to conduct searches intended to identify criminal activity as to which the government was otherwise quite ignorant.

I argued that this was impermissible, that even though the government lawfully copied the data on the seized computer storage media, it cannot use that data for purposes unrelated to the investigation that justified the issue of the warrant authorizing the seizure and copying of the media. It was a rather difficult argument to make, since we have not historically had to deal with this non-zero-sum seized property scenario. The traditional justification for seeking the return of tangible property is that you need it – you need to use the seized computer in your business or the seized car in your personal life. When the government takes a copy, this argument becomes more difficult, because they can keep the copy without interfering with your ability to use the computer media from which the data was copied.

I still think I’m right, and hope the proposal I note above does not become a reality.

Monday, November 06, 2006

Timely Execution of Search Warrants

A case from New Hampshire – United States v. Syphers, 426 F.3d 461 (1st Cir. 2005) – illustrates the issues that arise from a federal provision which requires the timely execution of search warrants, including computer search warrants. It also illustrates what seems to be a loophole, for lack of a better word, in the federal provision.

In November, 2001, a Concord police officer obtained a warrant to search Syphers’ home; the warrant was based on probable cause to believe Syphers had sexually assaulted two girls, who were 14 and 15 at the time. The officers seized a Gateway computer, among other evidence, and subsequently sought – and obtained – a separate warrant that authorized them to search the Gateway for child pornography. There seems to be no contention that this warrant was not supported by probable cause or otherwise met the procedural requirements of the Fourth Amendment.

The glitch arises with regard to the time the police were given to execute the warrant, i.e., to actually search the computer. The child pornography warrant issued on November 28, 2001. On the same day it was issued, the prosecutor moved that police should have an additional 12 months to complete the search “due to an ‘overwhelming backlog in similar computer crimes.’” The state court granted the extension.

In January, 2002, Syphers pled guilty to a reduced state charge of simple assault. He then asked for his computer, which seemed reasonable since the plea apparently resolved the investigation. New Hampshire authorities objected to returning the computer to Syphers on the ground that they needed additional time to complete their search of its contents (including, apparently, 64,000 “newly de-encrypted images” on it). They also said they needed additional time to be able to share what they found with the local U.S. Attorney’s Office. The state court denied Syphers’ motion for the return of his computer, the state police completed their analysis of its contents and then shared what they had found with the FBI. Syphers was then indicted on one federal charge of possessing child pornography; the charge was based on what the New Hampshire police found on his computer.

At the federal district court level and then again at the federal court of appeals level, Syphers challenged the state court’s giving New Hampshire police an additional year to conduct the search of the computer. He based his challenge on Federal Rule of Criminal Procedure 41(e)(2)(A), which states that a search warrant must “command” the officer to whom it is issued to “execute the warrant within a specified time no longer than 10 days.” Syphers pointed out, quite correctly, that the government had been given far longer than 10 days to execute the warrant authorizing the search of his computer.

Federal authorities argued that the 10-day period incorporated in Rule 41 did not apply in this case because the search was conducted by state authorities, who are not bound by the rule. Syphers argued that the state authorities should be bound because they were executing the search for the benefit of the state authorities; Syphers, after all, had already pled guilty in state court.

The First Circuit Court of Appeals rejected Syphers’ challenge. It said “the computer search that yielded evidence later used in a federal prosecution was conducted by state law enforcement pursuant to a state court search warrant. There is no evidence that federal agents participated in the state investigation, procurement of the warrant, or request for extension. Therefore, the investigation was not federal in character, and the ten-day stricture of Rule 41 does not apply.”

I decided to write about this case for two reasons: One, the more obvious reason, is this holding. On its face, it seems to mean that if federal authorities let state authorities handle the analysis of seized computers, they can avoid the requirements of Rule 41 (which I will examine in a minute). That seems fair if the state authorities are searching the computer in order to obtain evidence for use in a state proceeding, but I think it seems quite problematic if, as was the case here, the state authorities are no longer interested in using the evidence for a state prosecution. In that instance, they are, inferentially, anyway, analyzing the computer solely to find evidence that can be used by “someone else” – logically, the federal authorities. That seems an end run around the language of Rule 41.

Now, I don’t think it would be an end run around Rule 41 if the state authorities were searching the computer for their own investigation and, in so doing, found evidence that could be used to bring federal charges. I think the scenario would be more problematic if the state authorities and the federal authorities were working jointly on an investigation and the state authorities’ search of the computer found evidence that could be used by the federal authorities.

But the real issue I want to discuss is the 10-day time limit. It has become a bone of contention in the federal system, because agents and prosecutors point out – just as the state prosecutor did in Syphers – that because there is a tremendous backlog of seized computers, analysts simply cannot process a computer within 10 days from the time it is seized. The problem is being exacerbated by the increasing size of hard drives and other storage media.

Some federal agents and prosecutors argue the 10-day rule only applies to the seizure of the computer, that if they seize the computer (or other storage media) within 10 days from the time the warrant issues, they’re fine. The validity of that argument probably depends on why the federal rule (and many state rules, as well) incorporates the 10-day period.

I did some research on that a while back, and traced the 10-day period to a Prohibition-era statute, a statute that was involved in a case that went to the Supreme Court. In that case, the Court held that evidence obtained when a warrant was issued after the 10-day period had elapsed could not be used in court. The Supreme Court explained, as did the Syphers court, that the purpose of the 10-day rule is to ensure that the probable cause supporting the warrant does not become “stale.”

For example, assume federal agents get a warrant to search for and seize drugs that are located in a garage at the edge of town. They have probable cause to believe the drugs are there because an informant has told them the drugs are being stored there until they are shipped out of town. The officers obtain the warrant, but take two weeks (three?) to execute it. The 10-day rule incorporates the common sense principle that just because you have probable cause to believe evidence is in a particular place NOW, you do not have probable cause to believe the evidence will ALWAYS be there. It imports a temporal limitation into the probable cause-search warrant analysis.

The Syphers court also held that he loses on his Rule 41 argument “because there is no showing that the delay caused a lapse in probable cause.” That’s no doubt true, since the computer had been in the hands of law enforcement since it was seized; law enforcement’s possession of the “container” of the evidence at least arguably stabilized the situation and sustained the existence of probable cause.

There’s another issue, though, that comes up with regard to the Rule 41 10-day period, and that is someone’s right to have their property – Syphers’ computer in this instance – returned to them after law enforcement has seized it and has had a “reasonable” opportunity to analyze it. I’ll talk about that in another post.

Wednesday, November 01, 2006

Cyberterrorism: FUD or . . . ?

Last week I was in Europe speaking at a workshop on cyberterrorism. When I started to prepare my presentation, I decided to focus on the whole issue of cyberterrorism – on whether it exists as a valid source of concern or is, as some say, merely FUD.

FUD stands for “fear, uncertainty and doubt” and refers to what some consider hype spread by computer security professionals who use the “myth” of cyberterrorism to generate business. Those who take this view tend to deny that cyberterrorism exists as a distinct threat category.

So I thought about that, about why there might be a divergence of views on this issue and about why some seem to deny the very possibility of cyberterrorism. I could not – can’t – understand the latter position because it seems to me computer technology is a tool, and I can’t understand why any tool can’t be used in some fashion to facilitate an act of terrorism. Cars can be turned into IEDs, and in 1994 Ramzi Yousef used Casio digital watches to assemble a bomb he planted, and detonated, on Philippine Airlines Flight 434. If cars, watches and other mundane devices can become tools of terrorism, why can’t computers?

As I thought about it, I decided that the divergence of views may be due to imprecise definitions – to the fact that one person’s conception of cyberterrorism may be very different from another person’s conception of the same phenomenon. It seemed, and seems, to me that maybe we need some definitional clarity here. Maybe we need to reflect on how cyberterrorism should be defined.

It seems to me that the definition of cyberterrorism needs to have two components: (i) semantic; and (ii) operational. The first goes to the legal concept – to the “harm” this hypothesized type of conduct inflicts. The second goes to the processes used to inflict that hypothesized “harm.”

I’m going to try to keep this relatively short (out of self-interest, if nothing else, as I am still jet-lagged), so let me briefly run through both dimensions.

Semantic definition: Cyberterrorism consists of using computer technology to advance terrorists’ goals. We can divide the goals into two arenas: primary goals and secondary goals.

Primary goals are the terrorists’ pursuit of their ideological agenda because terrorism is, after all, the use of certain methods in an effort to advance an ideological message or strategy. A federal criminal statute defines terrorism as using certain proscribed means (inflicting death, physical injury, damage to/destruction of property) in an effort to coerce a government or influence a civilian population for ideological purposes. So, regardless of whether the terrorists are white supremacists, jihadists or the labor terrorists that posed a problem in the nineteenth century U.S., the goal is to use violence and the threat of violence to demoralize governments and populations and thereby advance the terrorists’ agenda. This definition of primary goals holds for all types of terrorism, but I am, of course, focusing only on cyberterrorism.

Secondary goals are the terrorists’ use of certain methods to sustain their pursuit of the primary goals. Secondary goals go to issues such as recruiting and retaining members of the terrorist group, fundraising, propaganda, communication and coordination of activities, etc.

Operational definition: Here, I want to focus only on the operational definition of cyberterrorists’ primary goals. I think we need to divide this definition into three categories – three types of (forgive me) WMD: weapon of mass destruction; weapon of mass distraction; and weapon of mass disruption.
  • Weapon of mass destruction: This, I think, is the primary source of FUD – the notion that a cyberterrorism attack will be a “digital Pearl Harbor,” or a “digital 911” – that it will be analogous to flying planes into the World Trade Center. I don’t think that is true; I think this notion, to the extent it exists, misunderstands how terrorists can use computer technology. I do not think that cyberterrorism – the use of computer technology to pursue an ideological agenda by those we regard as terrorists – can ever have the kind of visceral, demoralizing effect we experienced in 911. Indeed, I suspect that may be one reason why we have so far not, at least to my knowledge, seen any real instances of cyberterrorism.
  • Weapon of mass distraction: Here, computer technology is used to demoralize a civilian population (and undermine faith in government and other essential processes) by inflicting psychological “harm.” A few years ago, a federal official who worked in the area of terrorism/public security told me he got a call from the local authorities, in a very large American city. The local authorities said, “we have to evacuate the city.” The federal fellow asked why, and was told that “there’s a suitcase nuclear device” on a train in the subway system. He asked how they knew this, and the answer was uncertain; they had “heard” it. He asked if any subway train operator had described the rather unique appearance of a subway nuke, and was told none had. He pursued the matter in some more detail, and ultimately convinced the local authorities not to evacuate the city which, as he pointed out, would have done about as much damage – given the panic that would ensue – as a suitcase nuke. Point being: Misinformation, cleverly disseminated, can be used to sow chaos and confusion, which will in turn cause injury and property damage – the net effect being to undermine faith in our systems, our leaders and perhaps even our ideology.
  • Weapon of mass disruption: Here, computer technology is used to achieve a similar effect but the direct target is systems, not psychology. The U.S. Secret Service and Department of Homeland Security ran an exercise earlier this year – CyberStorm – in which a loosely linked set of domestic terrorist groups attacked various systems in the U.S. They interfered with the operation of air traffic control systems (thanks to help from a disgruntled FAA employee), did the same for some commuter trains, attacked at least one news website, altered balances in some accounts, went after power grids, etc. – a kind of smorgasbord of systemic attacks. To the extent that attacks such as this work, they would undermine our faith in our reality – in the stability of the systems we rely on to conduct our lives. That, of course, results in the demoralization of a civilian population which is, as I said before, a primary goal of any terrorist group.
I could write a lot more, but I think (hope?) this is enough to get my point across. The point is, simply, that we must not think of terrorists using computer technology in ways that are directly analogous to their use of IEDs and other traditional instruments of violence. Violence, I submit, is not what cyberterrorism is/would be about. It’s a much more subtle, and therefore perhaps more dangerous phenomenon, because it works on our minds and on our reality.

Wednesday, October 25, 2006

Recent Encrypted Laptop Issues

You may have seen the stories – they ran about a week ago – about Joseph Edward Duncan III’s plea bargain with state prosecutors on charges arising out of his killing three people so he could kidnap a little girl and her brother.

The little girl was eventually rescued, but Duncan apparently murdered the boy.

I’ve read a number of these stories, and I’m still somewhat confused about the nature of the plea bargain.

The stories all say Duncan originally wanted to give up the key to encrypted files on his laptop in exchange for getting a pass on the death penalty. State prosecutors apparently rejected that offer, but have accepted a plea bargain under which the encryption key will be revealed, but only to Duncan’s defense lawyer.

Prosecutors are apparently interested in the encrypted files because they may contain a journal that provides information about the crimes with which he has been charged (and maybe others, as well). Duncan is being prosecuted both by federal and state officials, for different crimes arising out of the murders and kidnappings I noted above. Both jurisdictions intend to seek the death penalty.

What I found interesting about some of these stories, anyway, is that they say federal computer experts have spent a year trying to crack the encryption and have been unable to do so. Duncan is reported as saying that it would take “at least 30 years” for technology to emerge that would let law enforcement crack the encryption. I don’t know. I have been told that there are federal experts who could crack the encryption now, but then they would probably have to explain how they did it – in court – and that is not something the government wants to do.

In an earlier post, I speculated about what would happen if someone entering or leaving the United States with a laptop were ordered to give Customs Officials the encryption key needed to access encrypted files on that laptop. Duncan is not going that route – he’s apparently less concerned about giving up incrementally incriminating information than he is about saving his neck (which may or may not work, since it doesn’t seem either the federal or state prosecutors are interested in that particular deal).

A couple of weeks ago, I got a letter from a man who was arrested at an airport when he was trying to return to the U.S. from a business trip abroad. He was carrying a laptop with encrypted files on it, among which there apparently were some child pornography files. Customs Officers stopped him, looked through his belongings, tried to review the files on the laptop but could not because the hard drive was encrypted.

According to him, they ordered him to give them the encryption key and he complied because he didn’t know he had a choice. He says the officers then took the laptop away for some time, searching it, and came back after finding child pornography. He was then arrested, and has been in jail since. (He has dual citizenship and so is considered a flight risk.)

I gather the Customs Officers say they did not coerce him, that he voluntarily gave up the encryption key. If that is true, then he waived any hope of invoking his Fifth Amendment privilege against self-incrimination. The Supreme Court has held that, when it comes to the Fifth, you either invoke it or lose it. In other words, if you answer questions or give up an encryption key, you’re toast. You cannot object to the use of the evidence on the basis that it was obtained in violation of the Fifth Amendment.

The man’s story makes me wonder about several things: I wonder what actually happened to him, though I tend to suspect that here, as is usually the case, the truth lies somewhere between his version and the Customs Officers’ version of what happened.

I wonder if this happens to other people and if they, too, give up the encryption key, not being aware that they have (may have) an alternative.

I wonder what would happen if someone adamantly refused to give up their encryption key – would the Customs Officers simply arrest them, for failing to cooperate with U.S. Customs procedures?

I rather doubt that, because I once did a presentation on the border search exception and the Fifth Amendment to a group of federal prosecutors, nearly all of whom said that if someone adamantly refuses to give up the encryption key, the Customs Officers would let them go . . . not “go” in the sense of passing through Customs and boarding a plane, but “go” in the sense that they could decide they did not really want to fly that day, and would instead abort the trip.

I’m not all that sure Customs Officers would want to let someone walk away who refuses to give them an encryption key. Obviously, the officers would not ask for it unless they thought there was some reason to search the files (since I assume they are far too busy to search every laptop they see). If they had “reasonable suspicion” – a lower level of probable cause to believe a crime has been committed – they might be able to hold the person while they seek some alternative way to resolve matters, not that I’m sure what that would be.

I actually have two trips abroad this fall, but I won’t be taking a laptop either time, so I won’t have the occasion to check all this out. If I really needed a laptop on either trip, it might be an interesting experiment, to see if mine got flagged for a check (or maybe not . . . . ).

MMORPGs and the Government

I recently read a blog post that vividly described how online games – MMORPGs – can take over someone's life. That motivated me to do a quick Google search for the notion that online games are addictive.

I found a lot of comments, stories, etc. to that effect.

One website said the addiction rate for MMORPGs “appears to be about twice that of crack Cocaine.”

As you probably know, stories (and probably rumors) about the consumingly addictive nature of MMORPGs have generated some government efforts to control the (alleged) addiction. China has reportedly opened a game addiction clinic that uses electroshock and psychotherapy to treat those who are seriously addicted to online gaming. And it seems to me I have read other stories about governments either cracking down on online gaming or threatening to do so.

I find that notion interesting, because it looks to me like there COULD be a move to treat immersive online games in a fashion analogous to the drugs we outlaw. Why do we outlaw certain drugs? Think about it: The drugs we outlaw tend to take people away from reality, in good or bad ways. PCP and some other violence-inducing drugs take people away in a fashion I, anyway, would submit is not desirable or acceptable, given the high risk of harm the user poses to others.

But my understanding is that many of the drugs we outlaw – marijuana, heroin and other opium-derivatives, LSD, etc. – are anything but violence-inducing. (Some may argue that LSD is, and they may be right; I read a book a few years ago, which persuaded me that it is not.) Many of them (think marijuana) tend to induce a very passive state, one that is pretty much the antithesis of how people behave on alcohol (which tends to make us more aggressive), which is still legal in most of the US, anyway.

Why outlaw drugs that alter our relationship with reality, that, in effect, blur the edges of physical reality? I really do not know. One argument, I do know, is that people who become addicted to these drugs cease to be productive citizens, and consequently tend to commit crime, become dependent on society, neglect their children, etc. If that is true, if certain drugs inevitably result in those behaviors, then outlawing them makes sense for reasons that are analogous to those which, I submit, support outlawing PCP and similar drugs.

I also read, some years ago, that it is possible to function quite well on certain kinds of drugs (like heroin) as long as one has an adequate supply of the drug. If that is true, and let’s assume for the sake of argument that it is true, then why would we outlaw these drugs? Is it because we believe physical reality is a given that we must confront without the palliative effects of drugs that blur our experience with that reality? If that is so, then I wonder why we believe this. (I’m not sure I believe this.)

There is a view that the current aggressively anti-recreational-drug stance in the US is a product of lobbying by Harry Anslinger, who basically created US anti-drug policies in the 1930s. According to this view, Anslinger, who had been a high-level bureaucrat in the Bureau of (Alcohol) Prohibition, worked to develop an aggressive federal anti-drug program to give himself job security by essentially transforming that Bureau into the foundation of a federal anti-drug agency.

I don’t know if that is true or not, but from what I have read Anslinger did sometimes play fast and loose with the truth about certain drugs in order to advance his ends. (I read somewhere that when Congress was holding hearings on criminalizing marijuana he told them a story about a “Mexican” who used marijuana, went psychotic and killed one, two, three, I forget how many people. I also read that he used the same story when Congress was considering criminalizing LSD.)

Anyhow, I digress. For some reason – historical, functional, logical, illogical, who knows – we outlaw drugs that blur the edges of physical reality.

Now we have MMORPGs, which take us away from physical reality into realities that are limited only by our imaginations. I’m not a gamer, but I can certainly understand why people might want to spend time away from the aggravations and limitations of their real, physical lives. And I can understand why that experience might become “addictive,” in the sense that we want to repeat it.

But are MMORPGs really addictive . . . in the way “bad” drugs are addictive? I can’t imagine that anyone would say they’re physically addictive, but that probably doesn’t resolve the question. Gambling is often described as addictive, too, and no one, I assume, would say it is physically addictive.

I’m sure people can become overly immersed in MMORPGs. I’ve fooled around a bit in Second Life, know people who spend a lot of time there, and I can understand why. It’s fun, it’s creative, it frees them from the constraints and aggravations of their real-life (not being in charge of things, bosses, traffic, financial issues, relatives, etc.).

What’s wrong with that? What’s wrong with escaping from our physical reality for a while? Why can’t that be a good thing? Why can’t that be a coping mechanism – something that lets us put our real-life experiences in perspective and maybe deal with them in a better way than we would otherwise?

Is it just that government feels the need to step in and control certain kinds of behaviors? I may be wrong (it’s been known to happen), but I don’t see how the crack addict kinds of justifications work in this context. Is anyone really going to go out and commit crimes to get money to be able to keep participating in a MMORPG? And if that is not likely, then what possible justification could there be for restricting – even, perhaps, ultimately outlawing – MMORPGs?

I could see a future Harry Anslinger arguing to Congress that we need to outlaw MMORPGs (or restrict access to them) because someone – the twenty-first century’s version of the “Mexican” he used seventy years ago – spent so much time in World of Warcraft they became acclimated to violence and killed five people in the real-world (probably using a virtual sword).

Sorry – I seem to be on a soapbox this morning.

And on a somewhat related but probably more rational note, you may have seen that Congress is considering taxing “virtual economies.” I wonder what effect taxation would have on the “take us away from reality” effect of MMORPGs.