Friday, May 30, 2008

Authenticating Evidence (E-mail)

One of the things the prosecution must do in order to be able to introduce items into evidence at trial is to “authenticate” them, i.e., be able to show they are what they purport to be.

A recent Ohio Court of Common Pleas case illustrates the approach one court took to authenticating emails.
The case is State v. Bell, 145 Ohio Misc.2d 55, 882 N.E.2d 502 (2008), and it’s from Clermont County, Ohio.

The defendant, Jaysen Bell, was (and is, I guess) charged with “one count of rape, three counts each of sexual battery and sexual imposition, and one count of gross sexual imposition stemming from alleged improper sexual conduct involving two foster children, T.T. and T.W., between July 2003 and June 2006. “ State v. Bell, supra. He filed a number of motions seeking to prevent evidence from being used at trial; one of the motions was directed at emails and online chats that allegedly occurred between him and one of the victims. State v. Bell, supra.

What the opinion tells us about the evidence involving the emails and chats is this:
During . . . their investigation, police obtained a search warrant for computer equipment located in defendant's home. A search of the seized hard drives uncovered stored pornographic images, e-mail messages, and MySpace chat messages. . . . The state seeks to introduce the images and . . . allegedly incriminating e-mail and chat messages between defendant and the complaining witnesses during trial.
State v. Bell, supra.

As I said, Mr. Bell moved to bar the state from introducing emails and MySpace chats allegedly between him and one of the victims, T.W. He argued, among other things, that the state could not authenticate them. Specifically, he argued that
MySpace chats can be readily edited after the fact from a user's homepage. Furthermore, he points out that while his name may appear on e-mails to T.W., the possibility that someone else used his account to send the messages cannot be foreclosed. Defendant's motion thus raises . . . authentication of those electronic communications offered in printed form during trial.
State v. Bell, supra.

The court explained the standard for authenticating evidence, noting that it is relatively undemanding:
Ohio Rule of Evidence 901(A) provides, `The requirement of authentication . . . as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.’ According to the Twelfth District, the evidence necessary to support this finding is quite low-even lower than the preponderance of the evidence. Burns v. May (1999), 133 Ohio App.3d 351, 728 N.E.2d 19. Other jurisdictions characterize documentary evidence as properly authenticated if `a reasonable juror could find in favor of authenticity.’ See, e.g., United States v. Tin Yat Chin (C.A.2, 2004), 371 F.3d 31, 38.

Mindful of this low standard, the court finds that T.W. may sufficiently authenticate the electronic communications through testimony that (1) he has knowledge of defendant's e-mail address and MySpace user name, (2) the printouts appear to be accurate records of his electronic conversations with defendant, and (3) the communications contain code words known only to defendant and his alleged victims. In the court's view, this would permit a reasonable juror to conclude that the offered printouts are authentic.
State v. Bell, supra.

The court then noted that Mr. Bell’s challenge actually raised a related issue – chain of custody. As Wikipedia explains, chain of custody refers to the need to document
the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering . . . which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is fact related to the alleged crime - rather than, for example, having been planted fraudulently to make someone appear guilty.
The chain of custody requirement, therefore, both protects innocent people from being convicted and helps to ensure that properly obtained convictions can be upheld on appeal.

According to this Ohio court, Bell’s argument was, as I noted, really about chain of custody:
While Ohio courts have had little opportunity to address the issue at hand, this court views defendant's complaints that the communications at issue are incomplete, easily altered, or possibly from an unidentified third party using his account information as akin to issues involving chain-of-custody disputes. Such issues touch upon concerns regarding the weight of given evidence and not its authenticity. `When an item is sufficiently authenticated to be admissible, but the chain of custody remains doubtful, the possibility that the exhibit may be misleading is an issue of weight of the evidence.’ Hall v. Johnson (1993), 90 Ohio App.3d 451, 455, 629 N.E.2d 1066 , . . . Other jurisdictions . . . addressing Defendant's concerns agree that they present issues of evidentiary weight. United States v. Tank (C.A.9, 2000), 200 F.3d 627 (arguably incomplete chat room logs presented issue of weight, not authenticity). . . .
So what the court found is that the evidence could be admitted -- because it had been authenticated – but Mr. Bell could still argue to the jury that it was not credible enough, not reliable enough, for them to rely upon in finding him guilty of the charges against him.

A Nebraska federal district court reached a different conclusion in U.S. v. Jackson, 488 F. Supp.2d 866 (D. Neb. 2007). There, the defendant moved to bar the government from using a “cut-and-paste” document that allegedly recorded online conversations between the Jackson and Postal Agent David Margitz, who had posed online as a 14-year-old girl. Based on alleged chats online chats between Jackson and the person he allegedly believed to be a 14-year-old girl, he was charged using a computer to induce a minor to engage in sexual activity in violation of 18 U.S. Code section 2422(b).

The problem was that the government did not have either printed transcripts of the alleged communications between Margitz and Jackson or access to the hard drive on which they were stored. Margitz had wiped the hard drive at some point, and had not made a back-up copy of its contents; and he apparently never printed out the conversations he allegedly had with Jackson. Instead, Margitz had assembled a “cut-and-paste” synopsis, or set of excerpts, of the conversations; it was this the prosecution wanted to introduce into evidence at trial.

The court held that it was not admissible because it was not authentic:
[T]here are numerous examples of missing data, timing sequences that do not make sense, and editorial information. The court finds that this document does not accurately represent the entire conversations that took place between the defendant and Margritz. The defendant argues that his intent when agreeing to the meeting was to introduce his grandniece to the fourteen-year-old girl. Defendant is entitled to defend on this basis, as it goes to the issue of intent. Defendant alleges that such information was excluded from the cut-and-paste . . . The court agrees and finds the missing data creates doubt as to the trustworthiness of the document. . . . Changes, additions, and deletions have clearly been made to this document, and accordingly, the court finds this document is not authentic as a matter of law.
U.S. v. Jackson, supra.

Like the Ohio court, the prosecutors in the Jackson case cited the decision in U.S. v. Tank, but the Nebraska federal court found it did not apply here because in Tank “the actual computer files were offered as evidence, not a cut-and-paste version of the computer files”. The court therefore granted Jackson’s motion to suppress the evidence (which, as it turned out, was not all that important, since it also dismissed the charges against him because the government had violated his Fifth Amendment right to a speedy trial).

Wednesday, May 28, 2008

Misprision

I recently ran across a case from last year in which a lawyer pled guilty to misprision of a felony for destroying “a laptop containing pornographic images of children”. Alison Leigh Cowan, Lawyer Admits Destroying Evidence of Pornography, New York Times (September 28, 2007).

It’s not a reported judicial opinion; the case resulted in a plea, which the defendant has apparently not contested.

It’s an unusual case, I think, in two respects: One is the misprision of felony charge, which is not all that common. The other is that it was a lawyer who destroyed the evidence and wound up being charged for doing so.

Let’s start with the charge. Misprision of felony, as Wikipedia explains, at common law consisted of not reporting a felony, of which you were aware, to the authorities. The crime still exists, but it’s changed a bit.

The lawyer in this case was charged with the federal version of misprision of felony, under this statute:
Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
18 U.S. Code section 4.

According to a Department of Justice Press Release, here are the facts that resulted in lawyer Philip D. Russell’s being charged with misprision of felony:
RUSSELL is admitted to practice law in Connecticut and has specialized in criminal and civil litigation in state and federal courts. On October 7, 2006, an employee of a church in Greenwich, who at the time was working in the church’s choir program, discovered images of naked boys on a laptop regularly used by Robert F. Tate, who had been the choirmaster and organist at the church for approximately 34 years. On October 8, 2006, church officials sealed and wrapped Tate’s laptop computer, treating it as evidence. RUSSELL represented the church with respect to Tate’s conduct.

On October 9, 2006, RUSSELL and two church officials met with Tate and confronted him about the images found on his laptop computer. Tate acknowledged that the images on the laptop were his, that they were inappropriate, and that they were personal to him. RUSSELL told Tate, words to the effect, that `this is serious business,’ `this is a federal crime that carries a minimum of five years in jail,’ and `you need a lawyer.’ RUSSELL then provided Tate with the name and telephone number of a criminal defense attorney, and Tate said he would resign from the church.

RUSSELL then took possession of Tate’s laptop computer knowing that it contained child pornography and returned to his law office. At his office, RUSSELL told an employee to go outside and RUSSELL then destroyed and concealed Tate’s laptop. RUSSELL failed to report to law enforcement that Tate, who was not his client, had possessed child pornography.
Press Release, supra. (The Times article says Russell “pulverized” the laptop.)

In February of 2007, a federal grand jury indicted Russell for obstructing justice and destroying child pornography. A trial on those charges was set to begin in October, but Russell pled to a new charging document – an information – that charged him instead with one count of misprision of felony.
Press Release,, supra.

On December 17, 2007, the court sentenced Russell to six months of home confinement plus a fine of $250,000 and the requirement that he perform some period of community service. The judge cited his “years of good service” in letting him avoid prison time.


I find the case interesting because I cannot imagine what was in Mr. Russell’s mind. I can’t understand why a lawyer would so egregiously breach his professional and ethical obligations. I can’t understand why he would go to such extreme measures to protect Mr. Tate; and I can’t understand why he would be so foolish as to destroy evidence when a number of people knew it was out there. His behavior is incomprehensible, at least to me, on pretty much every level.

Mr. Tate, by the way, was charged with possessing child pornography, pled guilty and, after spending several weeks at a treatment center for “sexually deviant behavior,” was sentenced to serve 5.5 years in prison. He must also pay a $50,000 fine and participate in sex offender treatment.


Our focus, though, is on Mr. Russell and, specifically, on the misprision charge. When I first heard about the case, I wondered why he was charged with misprision instead of obstruction of justice, which is the usual charge. There are a LOT of obstruction of justice provisions in the federal criminal code, but here’s the one I assume was used in Mr. Russell’s indictment:
Whoever corruptly . . . alters, destroys . . . or conceals a record . . . or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding . . . shall be fined under this title or imprisoned not more than 20 years, or both.
18 U.S. Code section 1512(c). Here, “corruptly” essentially means “acting with an improper purpose,” i.e., with the purpose of obstructing the proper administration of criminal justice.

So Mr. Russell was charged with obstruction of justice, which, as I said, is the usual charge when someone destroys (or creates) evidence in an attempt to frustrate an investigation or prosecution of federal crime. According to the
New York Times article, he was charged with 2 counts of obstruction of justice in the indictment, which means he would have faced prison if he had been convicted. Also according to that article, probation would not have been an option, and the probable sentence would have been 27-33 months in prison. New York Times, supra.

The sentence he could have gotten for pleading to misprision was 8-14 months but, as I said, the court was lenient because of his “prior service.” He also seems to have accepted responsibility, admitting what he did but saying that he did not “foresee” that law enforcement was going to be involved in the case . . . which kind of answers the questions I posed above . . .

I can’t imagine, though, why a lawyer who had been handling at least some criminal cases and knew enough to tell Mr. Tate what the possible sentence was for possessing child pornography would not have thought law enforcement would get involved here.
Anyway, just a cautionary tale . . . if there is any indication law enforcement is looking into something, don’t destroy anything that could even potentially constitute evidence, not for yourself and not for anyone else.

Monday, May 26, 2008

P2P ID Theft

The use of peer-to-peer file-sharing networks to steal people's identities is not anything new.

A Google search shows people have been writing about it for at least two years.

P2P identity theft has gotten more publicity lately, since the first person to be convicted of using file-sharing networks for identity theft was sentenced by a Seattle federal judge a couple of months ago.

This is how a Department of Justice Press Release describes what Gregory Kopiloff did that got him into trouble:
Using peer to peer programs, including `Limewire,’ KOPILOFF could `search’ the computers of others who were part of the file sharing “network” for federal income tax returns, student financial aid applications, and credit reports that had been stored electronically by other real people on and in their own private computers. KOPILOFF would download those documents onto his own computer, and would then use the identity, and banking, financial, and credit information to open credit accounts over the Internet, in the names of the other real people whose identities he had stolen. KOPILOFF would make fraudulent online purchases of merchandise, have it shipped to various mailboxes in the Puget Sound area, and then would sell the merchandise for about half its retail value.
U.S. Department of Justice, Press Release (March 17, 2008).

The tactics Kopiloff used may have been somewhat outside the norm, but this is one of those instances in which the method used to commit the crime is different, but the crime is not.
Kopiloff was sentenced to serve 51 months in prison after pleading guilty to mail fraud, computer fraud and aggravated identity theft. Only aggravated identity theft could even colorably be described as a new crime. U.S. Department of Justice, Press Release.

Mail fraud has been a crime since 1872. It’s currently codified by 18 U.S. Code §1341. Mail fraud consists of using the mails to execute a scheme to defraud someone or something. When Kopiloff had his fraudulently-purchased merchandise mailed to him, he committed mail fraud. Each time the mail is used for that purpose, it’s a separate crime, so there were probably a lot of mail fraud counts.

He was also charged with computer fraud under 18 U.S. Code § 1030(a)(4). Section 1030 was added to the federal criminal code in 1984, so while it’s not as old as mail fraud, it’s definitely not a new crime. Section 1030(a)(4) makes it a federal crime for someone “knowingly and with intent to defraud” to exceeds the scope of his authorized access to a computer “and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”. According to the facts outlined above, Kopiloff had authorized access to some of the files on his victims’ computers, but he went further, accessing files he was not supposed to be using and stealing information from them. He used that access, and the information he obtained, to consummate fraudulent transactions.

The third charge – aggravated identity theft – is the newest of the three offenses. The crime was created in 2004, when the Identity Theft Penalty Enhancement Act went into effect. The aggravated identity theft statute is 18 U.S. Code § 1028A. Section (a)(1) of 1028A provides as follows:
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Basically, § 1028A is a sentencing enhancement provision. It means that someone who uses another person’s identity in committing any of over 100 federal felonies, including mail fraud, will be sentenced to an additional prison term of 2 years. So to prove this charge, all the federal prosecutor would have to do is prove Kopiloff committed mail fraud and used someone else’s identification documents in doing so.

Kopiloff apparently victimized over 50 people. After he pled guilty to these charges, the judge – who called him “a highwayman in a virtual world” -- sentenced Kopiloff to serve 4 years in prison and pay over $70,000 in restitution.

As to whether that is “enough” punishment, I don’t know. I’d refer you to my earlier post on how we go about deciding what is enough and what is not. In making that decision, the court had the benefit of testimony from at least some of the victims, one of whom said Kopiloff took out
a credit card in her name and charged nearly $4,000. She said it took weeks working with the banks and credit bureaus to sort it out; in the meantime she worried she wouldn't be able to afford Christmas for her two young children.

I don't have the same trust in people that I used to,’ she said
Mike Carter, Man Gets 4 Years in ID Theft, The Seattle Times (March 18, 2008).

Saturday, May 24, 2008

"Crime" vs. "Cybercrime"

This is a follow-up to Atis’ comments on my last post, the one about the woman who was prosecuted for “computer crime” after she allegedly called into an automated unemployment office system and falsely indicated that she wasn’t working when, in fact, she was. The result was that she, apparently, got unemployment benefits when she should not have.

She was charged with computer crime, as I explained in that last post, to “access” a computer or computer system to commit theft.

I called the post “Computer Crime?” because while I can certainly see that what she did fit within the language of the statute, I don’t see why it was charged as computer crime, instead of plain old, garden variety crime.

As I noted in that post, and as I’ve said before, we have a well-developed repertoire of crimes because we, as a species, have had a lot of experience with crime. Crime, as I’ve explained in a number of law review articles, is an internal threat to social order and, as such, is something societies have to control if they are to survive and prosper.

They control crime – we cannot now, or in the foreseeable future, eliminate it, given human intelligence and the ability it creates to contumaciously refuse to follow rules – by defining certain behaviors and/or results as proscribed – “crimes” – and by defining other behaviors as acceptable. They do the latter through a process of socializing their members into the values and norms of that particular culture, which usually works well enough that only a subset of the populace will commit “crimes.”

Societies control the commission of crimes, as we all know, by having a dedicated, professional force that tracks down people who commit crimes and send them through the justice system, where they are tried, convicted or plead guilty and are then given certain sanctions. I’ve written in recent posts about the varied purposes of imposing those sanctions, so I’m not going to get into that here.

Here I want to elaborate on what I said in response to Atis’ first comment: As I noted above, and in response to Atis, what the defendant in the Colorado case allegedly did clearly fit within the state’s “computer crime” statute: If we accept the facts outlined in the opinion I cited in that last post, we see that the defendant called into the automated system for the purpose of obtaining money to which she was not lawfully entitled. The statute makes it a crime to “access” a computer system to commit theft. Since theft consists of purposely obtaining money or property that doesn’t rightfully belong to you, her alleged conduct qualifies and we have a literal violation of the statute.

My question, though, is “why computer crime?” Why not theft or fraud? Theft I defined above. Fraud is obtaining property from someone by tricking them into giving it to you. It seems to me her alleged conduct fits very nicely into fraud – she used the system to trick the state unemployment agency into giving her money to which she was not lawfully entitled (allegedly). It is true that she did not directly deceive an individual; she instead indirectly deceived the individuals who run the agency, but I don’t really see why that makes a difference.

As I noted in my last post, there was a British case in which the court found that it is not possible to “defraud a machine,” but I don’t think that issue comes up in the U.S. under a basic fraud statute. The reason I don’t think it comes up is, as I noted in my post on the British case, U.S. fraud statutes are “result” statutes, that is, they focus on the result, which is that someone uses deceit to get money or property to which they are not lawfully entitled. If our statutes focused on the “conduct” element of defrauding a human being, then the machine issue might be a problem . . . though I still think it should not, because it is humans who are ultimately defrauded out of their property. (Now, if and when we start dealing with sentient non-biological entities, it might be a problem.)

As I noted in my comments to Atis and in my last post, I also think there are good reasons to go with the generic, fraud charge rather than the computer crime charge.

One is that the computer’s role in a case like this is peripheral. This is not a case – like a denial of service or malware or hacking case – in which the computer plays a central role. The “harm” in the latter cases directly implicates the computer or computer system; the “harm” in the case above is the wrongful acquisition of property from a human-run agency.

Another reason is, I submit, that using the generic, traditional charge is less likely to cause problems at trial and on appeal. The appeal in this case dealt with whether she had “accessed” the computer system, and the conviction was reversed and the case was sent back for a new trial because of a disconnect between the language used in the charging document and the jury instructions . . . which, I submit, could probably have been avoided if she’d simply been charged with fraud.

Yet another reason is that I don’t think we need to keep creating new “crimes” when we have crimes defined that encompass the “harm” inflicted in a particular situation. As I explained above, we have two generic crimes – theft and fraud – either of which encompasses the “harm” allegedly inflicted in this case. So why not use them?

As I’ve argued in law review articles and in my latest book, I think the law has, for some very basic reasons, become distracted by the effects of technology . . . with the result that we tend to adopt technologically-specific crime laws (and other laws, as well). I think that distorts our proper focus. The focus of criminal law is discouraging and sanctioning the infliction of particular, socially-intolerable “harms.” It has not been on the method used to inflict “harm.”

So we have, for example, outlawed homicide – the killing of another human being. We have not outlawed homicide by gun, homicide by knife, homicide by poison, homicide by strangulation, homicide by beating, and so on. There’s no reason to – our concern is the “harm,” not the method.

Now, method is a legitimate concern in certain instances, such as when deadly force is used. That’s why we have the distinct offenses of “theft” (I take your laptop when you’re not looking) and “robbery” (I use a gun and forcibly take your laptop away from you). One encompasses the distinct “harm” inflicted or risked by the use of deadly force in committing an otherwise lesser crime. I can see the argument that computers play a similar role in certain kinds of cases, have, indeed, made a similar argument in a slightly different context. You can commit a lot more fraud with a computer and a 419 email than you can in person on by calling victims.

But the better way to do that, I think, is the way many systems deal with the use of deadly force – guns – in the commission of crimes: make it an aggravating factor at sentencing. That way you keep the focus of your criminal offense laws on the proper thing – the “harm” being inflicted – but you still encompass the heightened risk or heightened injury the perpetrator was able to inflict because he or she used a gun or a computer.

Thursday, May 22, 2008

Computer Crime??

On May 15, the Colorado Court of Appeals decided People v. Rice, 2008 WL 2053490, which, IMHO, is an odd "computer crime" case.

(The opinion doesn't seem to be online -- yet?-- at the Colorado Court of Appeals site, I'm afraid.)

Here are the facts that led to the defendant’s – Nina Rice’s – being charged with and convicted by a jury of “computer crime” under Colorado law:

[D]efendant made biweekly unemployment benefits claims by calling an automated phone system, the CUBLine, maintained by the Department. An employee of the Department testified that the CUBLine is a `computerized system, which uses interactive voice response technology.’ . . . . [A[n unemployment benefits claimant identifies . . . herself by entering a Social Security number and a personal identification number using numbers on a telephone when prompted by the system. The system then asks the claimant a number of questions related to `weekly eligibility requirements, such as ... did you work during the weeks you are claiming?’ The claimant responds by pressing `1’ for `yes’ and `9’ for `no.’ This procedure is described in a brochure that was admitted into evidence at trial and, according to the record, was given to defendant to review before she made her first biweekly claim. When the computer system determines a claimant is eligible for unemployment benefits, a computer prints a check that is automatically sent to the claimant. Typically, an eligible claimant completes a claim and receives a check without interacting with a person.

The evidence showed that defendant used the CUBLine to make biweekly claims for unemployment benefits. Each time the computer system asked if she worked during the week for which she was claiming benefits, defendant entered `9’ for `no,’ even though she was, in fact, working.
People v. Rice, supra.

Here are the charges and what happened at trial:
Defendant was charged by information with the crimes of theft and computer crime. The theft count alleged that defendant intended to permanently deprive the Department of money, and the computer crime count alleged that she accessed a computer for the purpose of obtaining money from the Department or committing theft. At trial, she testified that she believed the money she received from her unemployment claims belonged to her and had been withheld from her paychecks issued by her previous employer.

The jury was unable to reach a verdict on the theft count and found defendant guilty of computer crime.
People v. Rice, supra.

And here is the offense she was convicted of – computer crime under Colorado Statutes § 18-5-5-102(c)-(d):
A person commits computer crime if the person knowingly . . .

(c) Accesses any computer, computer network, or computer system, or any part thereof to obtain, by means of false or fraudulent pretenses, representations, or promises, money; property; services; passwords or similar information through which a computer, computer network, or computer system or any part thereof may be accessed; or other thing of value; or

(d) Accesses any computer, computer network, or computer system, or any part thereof to commit theft. . . .
People v. Rice, supra.

I, for one, don’t understand why they didn’t charge her with fraud, since it seems to me that’s the crime she committed, if the facts as alleged are true. Fraud is, as I’ve said before, obtaining money or property by deceiving someone. Here, the defense could argue that she deceived a machine, but as I wrote in an earlier post I don’t think that would be a problem . . . because the fraud works because people are ultimately deceived.

Anyway, that wasn’t an issue in the case. After being convicted, Ms. Rice appealed, arguing that “she did not `access’ a computer” under the statute quoted above “by making a phone call and pressing telephone buttons in response to the CUBLine questions.” People v. Rice, supra.

She lost. Here is how the court of appeals parsed the term “access:”
In construing a statute, our primary purpose is to ascertain and give effect to the intent of the General Assembly. . . . We look first to the language of the statute itself, giving words and phrases their plain and ordinary meaning. . . . We read words and phrases in context, and construe them according to their common usage. . . .

`Access’ is not defined in the Colorado Criminal Code. However, it is a term of common usage, and persons of ordinary intelligence need not guess at its meaning. We, therefore, begin with the dictionary definition in determining the plain and ordinary meaning of `access.’ . . . Black's Law Dictionary . . . defines the word `access as `[a]n opportunity or ability to enter, approach, pass to and from, or communicate with.’

[W[e conclude defendant accessed, within the ordinary meaning of the term, a computer system, because she communicated with the CUBLine by inputting data in response to computer-generated questions. Also, the CUBLine was described in testimony at trial sufficient to support a finding that it was a `computer system’ as that term is defined in section 18-5 .5-101(6). . . .
People v. Rice, supra.

What do you think? Is this "computer crime" or not? I tend to see no reason to use specialized computer crime statutes when, as I noted above, the conduct alleged would fit nicely into a traditional offense category, such as fraud. Aside from anything else, it seems to me that would have avoided the need for this issue to be raised and considered on appeal. It also seems to me there's no need to use boutique criminal statutes when a traditional one suffices (but I could be wrong).

The case also demonstrates that it's a really good idea to define "access" in a statute that criminalizes unauthorized "access" or the use of "access" to commit fraud. That, too, can make things simpler.

(Oh, the court did reverse Ms. Rice's conviction and order a new trial, because of a conflict, basically, between the charges in the indictment and the prosecution's closing argument and the jury instructions.)

Wednesday, May 21, 2008

Sentencing: "Harm" and Punishment

This post is about how we decide what kinds of penalty to impose on someone who commits a cybercrime. Part of the problem in reconciling the "harm" the person committed (which can be actually or potentially very severe) with their personal characteristics (e.g., non-violent, no prior criminal record, etc.).

In a recent post, I outlined the goals of sentencing: incapacitation, deterrence, rehabilitation and retribution. ("Why?", May 16, 2008.)

In sentencing offenders, judges are to consider (i) those goals, (ii) the “harm” inflicted by the crimes the defendant committed and (iii) the defendant’s personal characteristics insofar as they impact on how a particular sentence would comport with the “harm” inflicted and the goals of sentencing.

Sentencing is not an easy task, even when real-world crimes like murder and rape and arson and robbery are involved. But sentencing for real-world crimes is, I submit, much easier than sentencing for cybercrime, at least for the moment.

We have had at least two thousand years’ experience in learning how to sentence people for crimes that cause tangible “harms” in the real, physical world. As I noted in that recent post, the ancient principle of lex talionis demanded simple equivalence between the “harm” caused and the punishment inflicted on the offender. So, in the phrase we all know, the lex talionis called for an “eye for an eye,” and so on.

Writing in the eighteenth century, English lawyer William Blackstone explained why the lex talionis principle really isn’t workable in practice:
The difference of persons, place, time, provocation, or other circumstances, may enhance or mitigate the offence; and in such cases retaliation can never be the proper measure of justice. If a nobleman strikes a peasant, all mankind will see, that if a court . . awards a return of the blow, it is more than just compensation. On the other hand, retaliation may sometimes be too easy a sentence; as, if a man maliciously should put out the remaining eye him who had loft one before, it is too slight a punishment for the maimer to lose only one of his. . . . Besides, there are many crimes, that will in no shape admit of these penalties, without manifest absurdity and wickedness. Theft cannot be punished by theft, defamation by defamation, forgery by forgery, adultery by adultery, and the like.
Blackstone’s Commentaries.

The difficulty of ascertaining what punishment is proper for cybercrimes – which tend to inflict intangible “harms” – is something we are still struggling with.

A few years ago, someone argued – facetiously, I hope – that we should apply the death penalty to “hackers” and those who spread worms and viruses. The premise was that death is an appropriate penalty because of the extreme financial losses these crimes can, and do, cause.

Even if the article was serious, the proposal cannot be implemented in the United States, anyway, because the U.S. Supreme Court has held that the death penalty can only be imposed for crimes involving serious physical “harm.” So far, in a move reminiscent of the lex talionis, the Court has limited the death penalty to serving as a punishment for homicide, but it is currently considering whether it can also be imposed for raping a child. However that case comes out, though, death is not going to be used as a punishment in economic crime cases. The Supreme Court has held that the Eighth Amendment prohibition on cruel and unusual punishment bars the imposition of “too much” punishment, and death for economic damage would be “too much.”

That leaves us to think about how courts should use the “other” available penalties – imprisonment, fines, probation and restitution – in sentencing cybercriminals. I can’t begin to cover all the issues this problem raises here, so I’m going to use a recent cybercrime case as an example to consider what should and should not be taken into account in sentencing a cybercriminal.

According to a Department of Justice Press Release, in March, 2006, Christopher Maxwell pled guilty to one count of violating 18 U.S. Code section 1030 by intentionally causing or intending to cause damage to a computer and one count of conspiring to do so in violation of 18 U.S. Code section 371. (Section 371 makes it a crime to conspire to commit a federal offense). Here’s how the Press Release describes the crimes:
[A] botnet is created when a hacker executes a program . . . that seeks out computers with a security weakness it can exploit. The program will then infect the computer with malicious code so that it becomes . . . a robot drone for the hacker . . . controlling the botnet. . . . Botnets can range in size . . . to tens of thousands of computers doing the bidding of the botherder.

MAXWELL and two unnamed co-conspirators created the botnet to fraudulently obtain commission income from installing adware on computers without the owners' permission. . . . [B]y controlling someone's . . .computer, the botherder can remotely install the adware and collect the commission all without the computer owner's permission or knowledge. In this case, the government alleges that MAXWELL and his co-conspirators earned $100,000 in fraudulent payments from companies that had their adware installed. . . .

[A]s the botnet searched for . . . computers . . . it infected the computer network at Northwest Hospital in . . .Seattle. The increase in computer traffic as the botnet scanned the system interrupted . . .hospital computer communications. These disruptions affected the hospital's systems in numerous ways: doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down. By going to back up systems the hospital was able to avoid any compromise in the level of patient care.

Following MAXWELL's indictment in February, 2006 the investigation revealed that the botnet had also damaged U.S. Department of Defense computer systems at the Headquarters 5th Signal Command in Manheim, Germany and the Directorate of Information Management in Fort Carson, Colorado. More than 400 computers were damaged at a cost of $138,000 to repair.
According to a news story, Maxwell’s botnet also caused more than $50,000 in damage to the computer system at a California school. According to investigators, Maxwell’s botnet attacked more than 441,000 computers during the two weeks it was in operation. (The other conspirators were juveniles, which is why they're not named in the Press Release.)

The conspiracy count was punishable by up to 5 years in prison and a $250,000 fine. The damaging a computer count was punishable by up to 10 years in prison and a fine of $250,000.

The federal prosecutor wanted Maxwell sentenced to serve 6 years in prison. She said the sentence was warranted by deterrence: “There is a hacker community. They will know immediately what sentence you impose."

According to one news story, Maxwell, “holding back tears,” pled for probation instead of prison: "`I am a 21-year-old boy with a good heart and I made a mistake,’ he told the judge. `I never realized how dangerous a computer could be. I thank God no one was hurt.’"


The judge agreed with the prosecutor that the need for deterrence warranted a prison term, but didn’t go as far as the prosecutor wanted. She cited Maxwell’s age and lack of previous criminal history in sentencing him to serve 37 months and to pay $114,000 in restitution to the hospital and $138,000 in restitution to the Department of Defense. I suspect that will take a while.

What do you think? Should the judge have maxed out (no pun intended) and sentenced him to serve 15 years? Should she have gone with the prosecutor and sentenced him to 6 years? Or is 37 months enough?

If the sentence is meant to deter others from following his lead, there may be a problem. Studies have shown that deterrence is not simply a function of harsh the penalty is. It’s a function of two things: the severity of the punishment I’ll get if I’m caught; and the likelihood I’ll get caught. If I’m not likely to get caught, or if I think I’m not likely to get caught, even a really severe penalty isn’t likely to deter me from committing crimes if I can make money by doing so.

If you could make, say, $1,000,000 in the next two months by committing crimes for which you could be sentenced to 25 years in jail IF you got caught, but your chances of getting caught are 1%, would you be deterred or would you go for it? What if you could make $100,000 with a 10% chance of getting caught and prosecuted?

Monday, May 19, 2008

Imposture (Revisited)

At the end of 2006, I did a post on online imposture. In that post, I was talking about pretending to be someone else by posting information or messages in their name. I was primarily concerned with whether that would qualify as defamation and, if so, if that would provide the victim with adequate redress.

Here, I want to talk about something different.

In my last post – on the juvenile charged with harassment – the facts indicated that another juvenile had pretended to be the principal of her school in creating a MySpace profile. Given that the students were in middle school, I’m willing to guess that the profile created in the principal’s name was probably too amateurish and juvenile to convince anyone he created it.


But that raises an interesting possibility: creating a MySpace or Facebook page in someone’s else’s name and using it to embarrass them and maybe even cause major damage to their reputation and career. It could be a really insidious, nasty thing to do, because it might well take the victim a long time to find out what had been done . . . by which time the damage would have been done. Then the victim would be in the position of having to convince anyone who’s seen the fake MySpace or Facebook page that it was, in fact, created by someone else for malicious purposes.

I’ve found some indication that this has already been done. According to this site, it was done to Yaron London, an Israeli “media star.” The site doesn’t tell me much about what was done, but does indicate that he was embarrassed by comments on the page that was created without his knowledge. And I find posts on various sites in which people report that this has happened to them though, again, they don’t provide much detail about the “harm” the imposture caused. And I found a story from last year that talks about MySpace and Facebook imposters and about what the victim can do, in terms of getting the fake site taken down.

My interest in this phenomenon goes to the possibility of criminal liability. One of the stories I found about Facebook and MySpace imposture refers to it as “identity theft.” It could be identity theft, I suppose, but not in the scenario I set out above.

The crime of identity theft is not about imposture; instead, it’s usually about fraud. Here, for example, is how Connecticut defines identity theft:
A person commits identity theft when such person intentionally obtains personal identifying information of another . . . without the authorization of such other person and uses that information to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.
Connecticut General Statutes Annotated § 531-129a(a). Except for “medical information,” the statute is criminalizing the use of somebody else’s identity for financial gain, which is a kind of fraud.

A few states break identity theft into two categories, as in this Arkansas statute:
(a) A person commits financial identity fraud if, with the intent to:

(1) Create, obtain, or open a credit account, debit account, or other financial resource for his or her benefit or for the benefit of a third party, he or she accesses, obtains, records, or submits to a financial institution another person's identifying information for the purpose of opening or creating a credit account, debit account, or financial resource without the authorization of the person identified by the information; or
(2) Appropriate a financial resource of another person to his or her own use or to the use of a third party without the authorization of that other person, the actor:
(A) Uses a scanning device; or
(B) Uses a re-encoder.

(b) A person commits nonfinancial identity fraud if he or she knowingly obtains another person's identifying information without the other person's authorization and uses the identifying information for any unlawful purpose, including without limitation:

(1) To avoid apprehension or criminal prosecution;
(2) To harass another person; or
(3) To obtain or to attempt to obtain a good, service, real property, or medical information of another person.
Arkansas Code § 5-37-227. The statute defines “identifying information” as including the following: Social security number; driver's license number; checking or savings account number; credit or debit card number; personal or electronic identification number; digital signature; or “[a]ny other number or information that can be used to access a person's financial resources”. Arkansas Code § 5-37-227.

It seems this statute could encompass the scenario I outlined above, since it, unlike most identity theft statutes, reaches harassment as well as using someone’s identity for financial gain. Massachusetts is the only state I can find that has a similar statute. Massachusetts General Laws 266 § 37E.

I’m not sure it really could encompass the scenario, though, because of the way the statute defines “identifying information.” Identifying information seems to be limited to financial information. The Massachusetts statute looks like it might, since it defines identifying information as “any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number or computer password identification.” Massachusetts General Laws 266 § 37E.

I’m also not sure if when the statutes refer to harassing “another person” (which both do) they mean harassing the victim of the identity theft or a third person; I tend to think they mean harassing a third person (but I could be wrong). If I’m right, then neither statute could be used to prosecute the kind of imposture I hypothesized above.

The more important question is “should we use criminal law to reach this kind of conduct?” On the one hand you can, as I noted above, cause a lot of “harm” to someone by essentially using MySpace or Facebook to frame them. My law school, like other law schools and, I assume, other professional schools and undergraduate programs, makes a great effort to warn our students that they put on MySpace or Facebook pages can come back to haunt them. Both bar associations and potential employers troll the sites to find information that discredits a bar applicant or potential employee. If you framed someone, you could, in the law school context, prevent them from being able to sit for the bar examination and/or to find a job. That’s pretty nasty.

I tend, though, to believe we can’t use criminal law to handle every nasty maneuver that crops up. In the United States, we already have, IMHO, way too many crimes and lock up way too many people. We can’t keep going along that path. Aside from anything else, it takes a lot of resources – a lot of money and personnel – to enforce criminal law and to punish offenders.

I also wonder if this is to some extent a transitional problem. I wonder if, as time passes, we will become less credulous, more jaded consumers of the information posted online.

Sunday, May 18, 2008

Harassment, MIddle School Style

I’ve written recently – and not so recently – about how the law deals with people who "annoy, alarm and harass" each other, but that post, and an earlier one, were both about adult conduct.

Magistrate Marcia Linsky of the Allen County (Indiana) Superior Court sent me a link to a recent opinion from the Indiana Supreme Court that deals with a very different kind of harassment. . . harassment by a middle school student.

According to the Indiana Supreme Court’s opinion, this is what resulted in the student's being charged with harassment:
When the 2005-06 school year began, A.B. was a student at Greencastle Middle School, where Shawn Gobert had been principal for thirteen years. Sometime before February 2006, she transferred to a different school. In February 2006, Mr. Gobert learned from some of his students of a vulgar tirade posted on MySpace that apparently targeted his actions in enforcing a school policy. As appropriate for a . . . prudent school administrator, Mr. Gobert investigated. With the assistance of others, including some students, he discovered that a `Mr. Gobert’ profile” had been created on a MySpace Internet web page, purportedly by him, and on which A.B. had posted a vulgarity-laced tirade directed against him. In fact, another juvenile, R.B., a friend of A.B. and at the time a student at Greencastle Middle School, had created this false `Mr. Gobert’ MySpace private `profile’ and allowed access to it by twenty-six designated `friends,’ one of whom was A.B. A.B. then made her posting about Mr. Gobert on this private `profile’. Thereafter, . . . A.B. created her own MySpace `group’ page, accessible by the general public, and titled with a vulgar expletive directed against Mr. Gobert and Greencastle schools.

As a result, delinquency proceedings were initiated against A.B. The . . . petition . . . charged A.B. with nine counts. Three . . . were dismissed at the fact-finding hearing. The remaining counts each allege conduct by A.B., a minor, that if committed by an adult would constitute Harassment . . . . The various surviving counts allege her use of a computer network to harass Mr. Gobert. Counts I and V allege that A.B. used a computer network to transmit the following:

`hey you piece of greencastle s* *t. what the f* *k do you think of me know (sic) that you cant [sic] control me? huh? ha ha ha guess what ill [sic] wear my f* *king piercings all day long and to school and you cant [sic] do s* *t about it.! ha ha f* *king ha! stupid b* *tard!

Counts III and VII each allege Harassment based on A.B.'s transmission of “die ... gobert ... die;” and Counts IV and VIII are based on A.B.'s transmission of `F* *K MR. GOBERT AND GC SCHOOLS!’
The Indiana Supreme Court, not me, edited the post so the “expletives are identified symbolically.” I think we get the idea, though, even with the edits. (I do like how A.B. refers to him as “Mr.” Gobert in that last one.)

Before we get into the legal issues, I want to note something: what happened here is an example of what has happened in lots of schools in at least several countries. When I was I school, the only ways we could take out our frustrations with our teachers was by drawing obnoxious cartoons and making up scandalous stories about them. Whatever we did had a very limited circulation, and so had a very limited impact. Cyberspace lets anybody with a computer and Internet access become a “publisher,” so students can be a lot more creative in the ways they take out their frustrations and their expressions of frustration can enjoy a very wide circulation, especially if they’re interesting.

Now, let’s talk harassment. Here’s the statute A.B. was charged with violating:
A person who, with intent to harass, annoy, or alarm another person but with no intent of legitimate communication . . . uses a computer network . . . or other form of electronic communication to communicate with a person or transmit an obscene message or indecent or profane words to a person; commits harassment, a Class B misdemeanor.
Indiana Code § 35-45-2-2(a)(4). A.B. was adjudicated delinquent for violating the statute and appealed. Since, as the Indiana Supreme Court noted, “in juvenile delinquency adjudication proceedings, the State must prove every element of the offense beyond a reasonable doubt”, we are essentially dealing with a criminal case.

If you look at the Indiana harassment statute, you will see that its structure is analogous to that of a “threat” statute. That is, it requires that the perpetrator (i) have sent harassing communications to the victim (ii) with the intent to harass that that specific person and (iii) for no legitimate purpose. That has traditionally been how harassers have conducted themselves; they have called, emailed and otherwise communicated directly with their victim for the deliberate purpose of annoying and/or alarming that person.

As the Indiana Supreme Court pointed out, what A.B. did doesn’t fit within the elements of the statute:
The allegedly harassing communications by A.B. identified in Counts I, III, V, and VII were postings by A.B. on her friend's MySpace `private profile’ site. This . . . site, . . . could not be seen by the general public except for those . . . accepted as `friends’ by the creator of the `profile.’. . . Mr. Gobert was able to view it only because R.B., the student who created the `profile,’ . . .authorized him to access the `profile’ during his investigation. . . . [T[here was no evidence . . . A.B. expected that Mr. Gobert would see or learn about A.B.'s messages. . . .

The analysis differs as to Counts IV and VIII, which refer to A.B .'s remarks on her MySpace `group’ page. Because this site was publicly accessible, it may be reasonably inferred that A.B. had a subjective expectation that her words would likely reach Mr. Gobert. This alone, however, does not establish the intent element specified in the Harassment statute. . . .While A.B. titled her `group’ page with the vulgar expletive, her own posting on the page elaborated as follows:

[R.B.] made a harmless joke profile for Mr. Gobert. and [sic] some retarded b* *ch printed it out and took it to the office. [R.B .] is expelled, has to go to court, might have to go to girl [sic] school, and has to take the 8th grade over again! that's [sic] just from the school, her paretns [sic] have grounded her, and took [sic] her computer, she cant [sic] be online untill [sic] 2007! GMS is full of over reacting idiots!

Other than the title and this posting on A.B.'s `group’ page, there was no other evidence relevant to the issue of her intent as to Counts IV and VIII. And the content of the posting presents strong evidence that A.B. intended her `group’ page as legitimate communication of her anger and criticism of the disciplinary action of Mr. Gobert and the Greencastle Middle School against her friend. . .
The court therefore held that the prosecution had failed to prove beyond a reasonable doubt that A.B. sent the communications with the intent to harass Mr. Gobert and for no legitimate purpose. I think the court is absolutely correct. I also think the evidence failed to prove another element, the first of the three I noted above: the statute requires that the harassing communication be sent TO the victim. A.B. did not do that. She merely posted them online, where they COULD be seen by the victim.

As I wrote in an earlier post, the Sixth Circuit Court of Appeals threw out threat charges against a Michigan college student some years ago for essentially the same reason: Jake Baker was charged with threatening a classmate by posting violent fantasies online, fantasies in which he raped and killed her. The Sixth Circuit said it wasn’t a threat because Baker did not send the communications directly to her. Seems to me we have the same problem here, too.

Saturday, May 17, 2008

Having Absolutely Nothing To Do With Cybercrime

A friend of mine just sent me the link to a recent decision issued by the U.S. Court of Appeals for the Seventh Circuit.


It’s an appeal in a civil case and has nothing to do with cybercrime. It does involve some First and Fourth Amendment claims but, all in all, it's not the kind of case students go to law school to handle.

If you want to read a really funny opinion – with some equally funny pictures – about a neighborhood squabble gone very bad, check it out.

Click on this link. Then search the opinions using this case number: 06-3176

You can download the pdf file and see what I mean.

Friday, May 16, 2008

Why?

I assume everyone has seen the stories about the indictment in the Megan Meier suicide case. I did a post on the case last fall, because it at once outraged and mystified me.

(How could an adult get involved in all this?)

If you want a review of the facts and my take on the permissibility (not) of charges, check out that earlier post.


Here, I want to talk about something different.

I want to talk about why the woman who set the events in motion that led to Megan’s suicide has been charged in a federal indictment with (a) gaining unauthorized access to “a computer used in interstate and foreign commerce, namely the MySpace servers located in Los Angeles” and (b) conspiring to gain such unauthorized access to the MySpace servers for the purpose of inflicting emotional distress (harassment) on Megan. U.S. v. Lori Drew, Indictment, N.D. California 2008.

The unauthorized access charges were brought under the basic federal cybercrime statute, 18 U.S. Code section 1030, which I have written about before. If you want an outline of what can be charged under the statute, check out this post. The conspiracy charge was brought under the basic federal conspiracy statute 18 U.S. Code section 371, which makes it a crime to conspire to commit a federal offense.

My “why” questions (don’t expect answers) have two parts. The first goes to the propriety of bringing these charges. As I said in my earlier post on Megan’s suicide, it’s a horrible tragedy and I cannot understand what was in Lori Drew’s mind, but I don’t think it warrants criminal charges. And the local prosecutor simply was not able to bring charges because the facts didn’t warrant them. So now the federal government has gotten into this.

The people who created the Constitution and our federal system intended that criminal law be enforced firstly and foremost at the state and local level. They intended that because crime and the imposition of criminal liability are matters that resonate with local concerns, local mores, local attitudes. They also didn’t want too much power centralized in the federal government.


Over the last century, the number of federal crimes has exploded. I’m not getting into whether that is a good thing or a bad thing. It’s a fact, and it means federal prosecutors have access to a broad statute like section 1030 which can, maybe, be shoehorned into a prosecution like this. I think the charges can be, as they have been, put together in a fashion that will survive a motion to dismiss based on the premise that “this ain’t a crime,” but I don’t think they make sense in terms of law or policy.

Last January, I raised the grand jury investigation into Megan’s death with the students in my cybercrime class and we analyzed how section 1030 COULD be used against Lori Drew. It really doesn’t make sense, though: the statue was intended to criminalize hacking, both the general, exploratory kind of hacking and the kind that involves stealing or destroying data in a system you’re not suppose to have access to. Here, IMHO, it’s being used in a really distorted manner. There’s also the minor matter of diverting federal resources to a case that, I would argue, belongs in a state court if it belongs anywhere.


Okay, that’s the first part of “why.” Here’s the second: The stories say (and I haven’t parsed the figure out myself, using the statute and sentencing guidelines and all that) Lori Drew faces up to 20 years in prison if she is convicted of the charges in the 4-count indictment. Why?


The imposition of criminal liability and punishment – imprisonment – in our system is based on achieving four goals:

  • Incapacitation: We lock you up so you can’t re-offend.
  • Deterrence: We lock you up to teach you a lesson so you won’t re-offend when we let you go, and we lock you up to convince others not to follow your example and commit the crime(s) you did.
  • Rehabilitation: This used to be very important, but is a minor theme now. Basically, if we have time and it seems easy, we’ll try to rehabilitate you so you don’t re-offend.
  • Retribution: This is the oldest reason for punishment. The ancient law, the lex talionis, called for an “eye for an eye, tooth for tooth” and so on. So, we lock you up to exact pain from you for what you did.
Does it make sense to lock Lori Drew up for 20 years? Would doing that achieve any or all of these goals?

This goes to an issue I often raise with my students: overcharging. If Missouri had a harassment statute that would have encompassed what Ms. Drew allegedly did, then it seems to me it would be perfectly appropriate to charge her with that crime, convict her if the evidence established that she committed it and then punish her "enough" to achieve whichever of the above goals were driving the prosecution. So, in our hypothetical, she's convicted of harassment under state law and, what?, maybe fined, maybe given 30 days in jail, put on probation for a few years, required to work at suicide prevention center or some other appropriate place. That would make sense to me.

I just don't see the sense in, as the saying goes, "making a federal case out of it", especially not when it could mean 20 years in jail.

Wednesday, May 14, 2008

Faithless Friends and Good Faith Mistakes

This post is based on some questions that were emailed me . . . questions about a private citizen searching your private property, finding evidence and then taking it to the police. The questions and my thought on each follow.

B gives C access to a computer server containing illicit materials. C turns over what he finds to the authorities, who find out that A is leasing the server. The authorities seize the server and search A's house. A claims to have never given access to B or C and there is no evidence otherwise. Can the search warrant and its fruits be suppressed?


I think A loses on the 4th Amendment issue. In analyzing this question, I’m assuming A did, in fact, give B access to the server and that the information C turns over to law enforcement, combined with whatever efforts they make to connect A to the material, gave them probable cause to get the search warrant, i.e., gave them probable cause to believe they would find illicit material on the server and in A’s house.

(If probable cause was lacking, then the search warrant should not have issued, and that should mean the evidence would be suppressed . . . unless the court finds that the good faith exception applies. U.S. v. Leon, 468 U.S. 897 (1984). Under the Leon good-faith exception to the 4th amendment’s exclusionary rule, evidence will not be excluded when police officers reasonably rely on a search warrant issued by a judge, even if that search warrant is later declared invalid. This means that even if the court were to determine that the warrant was not based on probable cause, the evidence would not be suppressed if the officers who executed the warrant did so in the good faith belief that it was supported by probable cause, since it was issued by a judge who decided probable cause existed).

So the issue basically becomes whether the evidence should be suppressed because A gave B access to the server, but did not intend that B would give C access, and never intended that B (or C) would betray him by taking evidence to law enforcement.

The answer, almost certainly, is no. I talked about this general issue in an earlier post. I won’t repeat everything I said there here; I’ll just note that for Fourth Amendment purposes, basically you assume the risk of being betrayed when you give someone access to your “stuff” . . . whether it’s your house or your car or your computer or your server. So by giving B access to the server, A assumed the risk that B would use that access to find evidence and himself betray A and/or that B would do so indirectly, by giving C access to the evidence (which set in motion the possibility that C would then betray A, if, indeed, C can be said to be in a position to betray A, since we don’t know if there was any connection between them.)


What if C hacked in to the server and gained access to it by illegal means? He saw illicit material, copied it and gave the copy to law enforcement officers. They used the copies plus what C told them (i.e., where C got the stuff) to secure a warrant to seize the server. Could the search later be deemed illegal, if C wasn't supposed to be in that server anyway?


There was a case in the city where I live: A burglar broke into an apartment to rob it, found child pornography, went to the police and told them what he'd found. They used what he said to get a search warrant, searched the apartment, found child pornography, and prosecuted the person who lived in that apartment . . . and prosecuted the burglar for burglarizing the apartment.
This scenario is a variation of the scenario above.

Basically, if a private person – your friend or a stray burglar who happens to break into your home and finds incriminating evidence – decides to turn on you, you’re out of luck. The 4th Amendment only applies to state action, i.e., to searches and seizures conducted by law enforcement agents and by people who are acting on their behalf.


So in the local case, the 4th Amendment would only be implicated if the police had put the burglar up to breaking into the apartment to see if he could find child pornography so they could then use what he found to get the warrant, and so on. If he acted on his own, then we don’t have state action and the 4th Amendment doesn’t apply . . . until the law enforcement officers enter the apartment. If they have a valid search warrant, that entry is constitutional.
In the case posited above, the entry into the apartment with the search warrant would only be a problem if the police had instructed C to hack in illegally.

If you want to read about some cases where the scenario set out above pretty much happened, but the person who hacked someone's computer did not get charged with a crime, see this post.

Searching a Pastor's Computer

In State v. Young, 974 So.2d 601 (Fla. App. 2008), a Florida court of appeals had to decide whether a search of a minister’s office was valid under the Fourth Amendment.

As I’ve mentioned before, consent is an exception to the Fourth Amendment’s warrant requirement. That is, if someone consents to have their property searched, officers do not need to get a search warrant; the consent in effect waives the requirement of a warrant.

To be valid, consent must be voluntary (not coerced) and must be given by someone with authority to consent to the search.
Someone who owns or uses property can give valid consent to a search.

“Use” means that the person who consents either is the sole user of the property or is a joint user of the property. Spouses, for example, can each consent to the search of the property they share and the consent will justify the search (unless the other spouse is present and refuses to consent).


Young was the pastor of a small church in Florida. According to the Florida court of appeals' opinion, the
church provided Young with a desktop computer and a private office. Although the computer was provided to Young for use in connection with his duties at the church, there was no official policy regarding the use of the computer or others' access to it. . . . This office had a special lock that could not be opened with the Church's master key. Three keys to Young's office existed. Young kept two of the keys, and the church administrator kept the third key, which she stored in a locked credenza drawer in her office.
State v. Young, supra.

As to the events leading to the search, and to Young’s being charged with "viewing child pornography", according to the Florida Times-Union, it all began when the church’s administrator got a call from the church's Internet service provider. The caller said spam had been linked to the church's Internet protocol address. The church administrator then ran a “spybot” program on the church's computers. When she ran the program on Young's computer, she saw “some very questionable [w]eb site addresses.” The church administrator then contacted a member of the staff parish and an information technology person to set up a time to have the computer examined. State v. Young, supra.
Later, the chairperson of staff parish relations, Kenneth Moreland, contacted Richard Neal, district superintendent of the Church, to tell him what had happened. State v. Young, supra. After discussing the matter with the bishop and getting approval for the decision, Neal instructed Moreland to contact law enforcement officials and allow them to see the computer. The next morning Neal instructed Young not to return to the church until the two could meet and discuss the situation. When officers arrived at the church, Moreland unlocked Young's office and signed `consent to search' forms for the office and computer. Young arrived at the church during the morning when the officers were there. Moreland and an officer instructed Young to leave the property immediately, and he complied.
State v. Young, supra.


The officers apparently found incriminating evidence that, at least in part, consisted of websites Young had bookmarked on his office computer. They interviewed him, he made incriminating statements, and charges were filed, after which he because he moved to suppress evidence found in his office. The court held a hearing on the motion.


The officers who searched the computer testified that they understood Moreland to be a “representative of the church” whose authority to consent was based on instructions from a church supervisor. State v. Young, supra.
Neither of them talked to Moreland's supervisor or asked Moreland further questions about his authority before the search began. One officer said she had spoken with Neal after she was inside Young's office. At the time, she knew Neal had never used Young's computer, did not work in Young's office, and did not keep property there. (Remember, joint use is a basis for being able t consent.) Neal testified to the same effect. Moreland testified that he did not work in Young's office and did not keep belongings there. Neal, though, testified that he had authority to consent to the search and to instruct Young to stay away from the church under the Church’s Book of Discipline, by which Young had agreed to be bound when he was ordained.
State v. Young, supra.


The issue in the case was whether the search of the computer in Young’s office was valid as a consent search. I get the sense that the viability of the charges (whatever they were) against Young depended on the evidence found there, so the issue was crucial.
The trial court found that none of the church personnel had authority to consent to the search of Young’s office, and the court of appeals agreed.

The church personnel who consented clearly did not use the office jointly with Young; and they apparently made that clear to the officers, so the officers could not have believed they had the authority to consent to a search of his office. As the court of appeals explained, although
the church owned the computer, Young was the sole regular user. Although the church administrator performed maintenance on the computer, there was no evidence that she or anyone other than Young stored personal files on the computer or used it for any purpose other than maintenance. There was no policy informing Young that others at the church could enter his office and view the contents of his computer. The only way to access the computer to view its contents was to enter through the locked office door. It is clear under these circumstances that the church trusted Young to use the computer appropriately and that it gave no indication that the computer would be searched by anyone at the church. The fact that Young violated this trust does not detract from a proper analysis of whether he had a legitimate reason to expect that others would not enter his office and inspect the computer.
State v. Young, supra.

The evidence found in Young’s office was suppressed, and so were the incriminating comments he made to the officers, because they derived from (were the fruit of the poisonous tree of) the illegal search of his office. I assume the charges, whatever they were, were dismissed.

Tuesday, May 13, 2008

Ineffective Assistance of Counsel

A while back, I did a post on the Trojan horse defense, which is basically a cyber-version of an old defense: Some Other Dude Did It, or the SODDI defense.

In this post, I want to talk about how a defense lawyer’s failure to raise a similar defense was found to constitute ineffective assistance of counsel.


The case is People v. Patterson, 2008 WL 886203 (Mich. App., April 1, 2008), and I’ll talk about the facts and charges in a minute.

First, I want to outline what a convicted defendant has to establish in order to win on an ineffective assistance of counsel claim:
The benchmark in evaluating a claim that trial counsel was ineffective is whether counsel's conduct so undermined the proper functioning of the adversarial process that the trial cannot be relied on as having produced a just result. Strickland v. Washington, 466 U.S. 668, 686 (1984. The defendant must show, first, that counsel's performance was deficient. This requires a showing that counsel made errors so serious that he was not functioning as the `counsel’ guaranteed by the Sixth Amendment. Second, the defendant must show prejudice. This requires proof that counsel's errors were so serious as to deprive the defendant of a fair trial, i.e., a trial whose result is reliable.
People v. Patterson, supra. Here are the facts in the Patterson case:
This case stems from an investigation that Patterson had stalked an ex-girlfriend. Deputy Cuatt was a part of a team that executed a warrant to search defendant's residence. Cuatt has expertise in computers, which was needed so that evidence purportedly on a computer in the home would not be lost. Police located an old computer . . . in a small room and two hard drives. The computer was powered on even though no one was home. . . . Police seized the computer and Deputy Cuatt eventually subjected both hard drives to certain forensic programs. One . . . had a large amount of adult pornography on it. The same hard drive had four pictures of young girls who were obviously under the age of eighteen. The hard drives also contained photographs of defendant, family members, and friends, as well as e-mail to and from defendant.
People v. Patterson, supra. Mr. Patterson was charged with possessing child sexually abusive material, in violation of a Michigan statute. He was convicted, but moved to have the conviction set aside and a new trial ordered. At the hearing on the motion for a new trial, Mr. Patterson
testified that he had sent trial counsel a list of witnesses he wanted called at trial. According to defendant, several witnesses would have testified that he did not live alone and that a number of people, who either lived with him or assisted him because of his physical limitations, had access to the computer. Defendant also testified that some of those people were no longer friends and they had a reason sabotage his computer.
People v. Patterson, supra.

So according to Mr. Patterson, he wanted his defense attorney to raise a SODDI defense.
At the hearing, his defense attorney, when asked why he decided not to call witnesses to show that others had had access to the computer, said he told Mr. Patterson “that the witnesses would . . . probably assert their 5th Amendment rights against self-incrimination.” People v. Patterson, supra. The trial court denied the motion for a new trial because it found that the defense attorney had “employed a proper trial strategy in not calling witnesses, even though he never contacted any of the dozen or more witnesses offered by defendant.” People v. Patterson, supra.

The Michigan Court of Appeals disagreed:
[T]rial counsel knew weeks before the trial that many others had access to the computer containing the illegal pictures yet failed to investigate or produce these individuals as defense witnesses. On these facts alone, we conclude that counsel's conduct fell far below an objective standard of reasonableness. . . . . We also conclude defendant was prejudiced. . . . Testimony that others were present in his home and had access to the computer would have created a reasonable probability that the result would have been different, especially considering that even the trial prosecutor was somewhat surprised by the jury's finding of guilt. Given that the prosecutor's case rested entirely on the premise that defendant was the only person who could have put the illegal images on the computer, and where defendant's trial counsel thought defendant lived alone, counsel's failure to investigate the witness list was ineffective and extremely prejudicial.
People v. Patterson, supra. I can certainly understand why the court of appeals reached this result, but here’s an aspect of this case that really puzzles me.

First, the prosecutor, who had the burden of proving the case beyond a reasonable doubt,
presented no witness to testify that the Defendant put the child sexually abusive images on the computer found in his home. The People called only two witnesses: the officer who analyzed the computer and an expert who gave an opinion about the age of the children whose images were on the computer. The officer acknowledged that there was no way for him to determine how the images became stored on the computer or who did so.
People v. Patterson, supra. If that’s all the prosecution presented, it clearly did not meet its burden of proving beyond a reasonable doubt that Mr. Patterson was responsible for the images’ being on the computer. All the defense needed to do was to move for a judgment of acquittal, based on the prosecution’s failure.

The defense did not do that, apparently because the defense attorney thought he had to prove that other people, maybe even specific other people, were responsible for the images’ being on the computer. That gets it backwards: As anyone who’s familiar with the O.J. Simpson murder trial knows, all the defense has to do is to raise “doubt” about the prosecution’s claim that the defense is guilty. Here, it was a slam dunk, since the prosecutor didn’t offer ANY evidence from which a reasonable juror could find that Mr. Patterson was the person who put the images on the computer.
Makes you wonder what will happen at the new trial the court of appeals ordered.