Saturday, February 25, 2006

Online vigilantes: where we may be going

When you think about it, Superman is a vigilante, along with most (all?) of the other superheroes. Like other superheroes, he helps law enforcement by getting "bad guys;" and like other superheroes, he does this on his own, having no official ties to law enforcement.

This distinguishes Superman and the superhero crowd from the kind of vigilante I talked about in my last post: vigilantes who have, historically, emerged when there was a law enforcement vacuum. Traditional vigilantes were a substitute for law enforcement, rather than an enhancement for an effective law enforcement presence.

Cyberspace creates a mixed environment: There is a law enforcement presence in cyberspace but, as I said in an earlier post, it cannot be as effective in controlling online crime as it is with regard to real-world crime. The already-perceived inefficacy of traditional law enforcement is giving rise to a new kind of vigilante: the superhero-as-adjunct-to-law-enforcement-vigilante.

I talked a little about that kind of vigilante in my last post, when I described how the Perverted Justice staff is now working increasingly closely with law enforcement. At least three federal courts of appeals have had occasion to consider how, if at all, these adjunct-to-law-enforcement vigilantes fit into our criminal procedure law. More precisely, the issue that came up in these cases was whether the Fourth Amendment prohibition on unreasonable searches and seizures applies to the activities of these vigilantes.

The first of these cases came from Alabama: In 2000, Captain Murphy of the Montgomery, Alabama Police Department received an email from The email said that the author had found a child molester in Montgomery, that the writer knew the child molester's name (Brad Steiger), address, telephone number, "Internet account" and could "see when he was online." See United States v. Steiger, 318 F.3d 1029 (11th Circuit Ct. Appeals, 2003). Murphy responded, asking for more information and Unknownuser (as he/she came to be known) sent images showing Steiger and a young girl in varying states of dress and undress; Unknownuser also sent Steiger's checking account and "identified specific folders where pornographic pictures were stored on Steiger's computer."
See United States v. Steiger.

Unknownuser, a self-described pedophile hunter, was able to do all of this because he/she had installed a Trojan horse program on Steiger's computer. According to Unknownuser, he/she had uploaded the program to a news group patronized by pedophiles and waited as it installed itself on various computers; in his email correspondence with Murphy, he/she claimed to have caught 2000 child pornographers with the Trojan horse.
See United States v. Steiger. He/she refused to speak with Murphy by phone or in person; Unknownuser claimed to be a Turkish hacker "with a family". "He" also claimed "he" would jeopardize his family and job if "he" revealed "his" identity. See United States v. Steiger. Despite the fact that Unknownuser's activities have been the subject of several federal court decisions and one state appellate court decision, we still have no idea who he/she was or where he/she was located. As an officer said when I used this case in law enforcement training a year ago, "he could have been in Peoria, for all we know."

Murphy contacted the FBI; FBI agents used the information he got from Unknownuser to get a warrant to search Steiger's home and computer. As Unknownuser predicted, the agents found child pornography on Steiger's computer. He was indicted for possessing and creating child pornography, among other things. Steiger argued that the evidence aganst him should be suppressed because even though the police obtained his computer and the evidence on it by conducting a search pursuant to a lawful warrant, the search warrant was based on evidence obtained by Unknownuser's Trojan horse. Steiger claimed that Unknownuser, a civilian, had been acting as an agent of the police when he/she used the Trojan horse to search Steiger's computer.
See United States v. Steiger.

The Fourth Amendment, and other constitutional protections, only apply when there is state action. So, if Unknownuser was acting as a private citizen (of whatever country), the Fourth Amendment was not implicated by his use of the Trojan horse; if, however, he had been acting as an agent of the police, then the Fourth Amendment would apply to his use of the program, and the evidence it elicited would have been obtained unconstitutionally. Steiger would win on his motion to suppress, which would effectively gut the case against him.

The district court denied the motion to suppress, and the Fifth Circuit Court of Appeals affirmed that decision.
See United States v. Steiger, 318 F.3d 1029 (11th Circuit Ct. Appeals, 2003). A civilian becomes an agent of the police only if two conditions are met: (i) the person acted with the intent to help law enforcement; and (ii) the government knew of person's activities and either acquiesced in or encouraged them. See United States v. Steiger. Unknownuser's purpose was to benefit law enforcement, so the first requirement was met. The Fifth Circuit held, however, that Unknownuser was not acting as a state agent when he/she searched Steiger's computer because the government was completely unaware of what he was doing and therefore could not have either acquiesced in or encouraged his/her activity. This holding was clearly correct.

On December 3, 2001, Captain Murphy received an email from Unknownuser which said he/she had found another child molester named Jarrett who lived in Richmond, Virginia. See United States v. Jarrett, 229 F. Supp.2d 503 (E.D. Va. 2002), reversed 338 F.3d 339 (4th Circuit Ct. of Appeals 2003). Unknownuser asked Murphy to put him/her in touch with the FBI in Richmond, so they could pursue Jarrett. Murphy did, and over the next several months an FBI agent had an email correspondence with Unknownuser about the Jarrett investigation.

In her emails, this agent repeatedly assured Unknownuser that the U.S. government would not prosecute him for "hacking" because he/she was outside the U.S., so our laws would not apply to his/her activities. This is, first of all, not true; section 1030 of Title 18 of the U.S. Code, which is the basic federal cybercrime provision, makes hacking a crime and gives the U.S. jurisdiction to prosecute when hacking involves the use of a computer located outside the United States. There is also the uncertainty as to precisely where Unknownuser actually was; if he/she was, in fact, in Peoria, it would not have been necessary to invoke extraterritorial jurisdiction to prosecute him/her.

The agent also repeatedly told Unknownuser that while she could not ask him to "search out" cases like the Steiger and Jarrett cases (because then he would be "hacking" at the behest of the U.S. government), "if you should happen across such pictures as the ones you have sent to us and wish us to look into the matter, please feel free to send them to us."
See United States v. Jarrett. She told him she "admired" him and repeatedly told him federal prosecutors had not desire to prosecute him for his activities in seeking out those involved with child pornography.

Jarrett was prosecuted for possessing child pornography based, again, on evidence derived from Unknownuser's Trojan horse, which had installed itself on Jarrett's computer. Jarrett, like Steiger, moved to suppress the evidence, making the same argument Steiger had. The district court granted the motion to suppress; in a lengthy opinion, it detailed the contacts between the FBI and Unknownuser and concluded that in the Jarrett investigation the FBI had encouraged Unknownuser's efforts, so he became an agent of the state. That being the case, the evidence he/she obtained from Jarrett's computer was elicited unconstitutionally, in violation of the Fourth Amendment. The Fourth Circuit Court of Appeals disagreed, reversing the ruling suppressing the evidence. Though the Fourth Circuit found that the FBI had "operated close to the line in this case," it ultimately held that the agent's communications with Unknownuser were not sufficient to transform him/her into a state agent under the standard given above.
See United States v. Jarrett, 338 F.3d 339 (4th Circuit Ct. of Appeals 2003).

I think the Fourth Circuit erred in this respect, but my concern is not with Steiger or Jarrett. What I find interesting about these cases is that Unknownuser was acting as the new kind of vigilante I described above --
the adjunct-to-law-enforcement-vigilante.

When vigilantes substitute for law enforcement, it is relatively easy to find that their actions were "outside" the law, and therefore "criminal." When vigilantes "help out" law enforcement, the analysis becomes more difficult, as the Steiger and Jarrett cases demonstrate.

The Steiger and Jarrett cases are not the only ones to consider the legality of the activities of an
adjunct-to-law-enforcement-vigilante; the same issue came up in a case that went to the Ninth Circuit Court of Appeals. In United States v. Kline, 112 Fed. Appx. 562 (2004), the Ninth Circuit reversed a district court's order suppressing evidence obtained by Brad Willman, a Canadian who used a Trojan horse program to find child pornography on a computer used by a judge in Orange County, California. The district court suppressed for essentially the same reasons as the district court in the Jarrett case; the Ninth Circuit reversed for essentially the same reasons the Fourth Circuit reversed in the Jarrett case.

There are only a few reported cases on this issue, so far, but my sense is that we will be seeing more and more of the
adjunct-to-law-enforcement-vigilante. Our current law enforcement model is, as I argued in an earlier post, not particularly effective in dealing with online crime. It is not so ineffective that we have a law enforcement vacuum online, but law enforcement's effectiveness in controlling crime is seriously eroded online.

I do not think that is a transient state of affairs. Indeed, I think the challenge law enforcement currently faces in the online context will be exacerbated by the almost-exponentially increasing evolution of technologies. I believe, therefore, that we will need to develop new strategies for dealing with online crime, in whatever form it takes.

Unknownuser, Willman and the Perverted Justice staffers may represent the beginnings of a new approach to controlling crime online . . . one that emphasizes police-citizen cooperation instead of making crime control the exclusive province of a professional police force. If that does come to pass, we may have to reconsider the rules that govern civilian participation in the policing process.

No comments: