Friday, May 30, 2008

Authenticating Evidence (E-mail)

One of the things the prosecution must do in order to be able to introduce items into evidence at trial is to “authenticate” them, i.e., be able to show they are what they purport to be.

A recent Ohio Court of Common Pleas case illustrates the approach one court took to authenticating emails.
The case is State v. Bell, 145 Ohio Misc.2d 55, 882 N.E.2d 502 (2008), and it’s from Clermont County, Ohio.

The defendant, Jaysen Bell, was (and is, I guess) charged with “one count of rape, three counts each of sexual battery and sexual imposition, and one count of gross sexual imposition stemming from alleged improper sexual conduct involving two foster children, T.T. and T.W., between July 2003 and June 2006.” State v. Bell, supra. He filed a number of motions seeking to prevent evidence from being used at trial; one of the motions was directed at emails and online chats that allegedly occurred between him and one of the victims. State v. Bell, supra.

What the opinion tells us about the evidence involving the emails and chats is this:
During . . . their investigation, police obtained a search warrant for computer equipment located in defendant's home. A search of the seized hard drives uncovered stored pornographic images, e-mail messages, and MySpace chat messages. . . . The state seeks to introduce the images and . . . allegedly incriminating e-mail and chat messages between defendant and the complaining witnesses during trial.
State v. Bell, supra.

As I said, Mr. Bell moved to bar the state from introducing emails and MySpace chats allegedly between him and one of the victims, T.W. He argued, among other things, that the state could not authenticate them. Specifically, he argued that
MySpace chats can be readily edited after the fact from a user's homepage. Furthermore, he points out that while his name may appear on e-mails to T.W., the possibility that someone else used his account to send the messages cannot be foreclosed. Defendant's motion thus raises . . . authentication of those electronic communications offered in printed form during trial.
State v. Bell, supra.

The court explained the standard for authenticating evidence, noting that it is relatively undemanding:
Ohio Rule of Evidence 901(A) provides, `The requirement of authentication . . . as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.’ According to the Twelfth District, the evidence necessary to support this finding is quite low – even lower than the preponderance of the evidence. Burns v. May (1999), 133 Ohio App.3d 351, 728 N.E.2d 19. Other jurisdictions characterize documentary evidence as properly authenticated if `a reasonable juror could find in favor of authenticity.’ See, e.g., United States v. Tin Yat Chin (C.A.2, 2004), 371 F.3d 31, 38.

Mindful of this low standard, the court finds that T.W. may sufficiently authenticate the electronic communications through testimony that (1) he has knowledge of defendant's e-mail address and MySpace user name, (2) the printouts appear to be accurate records of his electronic conversations with defendant, and (3) the communications contain code words known only to defendant and his alleged victims. In the court's view, this would permit a reasonable juror to conclude that the offered printouts are authentic.
State v. Bell, supra.

The court then noted that Mr. Bell’s challenge actually raised a related issue – chain of custody. As Wikipedia explains, chain of custody refers to the need to document
the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering . . . which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is fact related to the alleged crime - rather than, for example, having been planted fraudulently to make someone appear guilty.
The chain of custody requirement, therefore, both protects innocent people from being convicted and helps to ensure that properly obtained convictions can be upheld on appeal.

According to this Ohio court, Bell’s argument was, as I noted, really about chain of custody:
While Ohio courts have had little opportunity to address the issue at hand, this court views defendant's complaints that the communications at issue are incomplete, easily altered, or possibly from an unidentified third party using his account information as akin to issues involving chain-of-custody disputes. Such issues touch upon concerns regarding the weight of given evidence and not its authenticity. `When an item is sufficiently authenticated to be admissible, but the chain of custody remains doubtful, the possibility that the exhibit may be misleading is an issue of weight of the evidence.’ Hall v. Johnson (1993), 90 Ohio App.3d 451, 455, 629 N.E.2d 1066, . . . Other jurisdictions . . . addressing Defendant's concerns agree that they present issues of evidentiary weight. United States v. Tank (C.A.9, 2000), 200 F.3d 627 (arguably incomplete chat room logs presented issue of weight, not authenticity). . . .
So what the court found is that the evidence could be admitted -- because it had been authenticated – but Mr. Bell could still argue to the jury that it was not credible enough, not reliable enough, for them to rely upon in finding him guilty of the charges against him.

A Nebraska federal district court reached a different conclusion in U.S. v. Jackson, 488 F. Supp.2d 866 (D. Neb. 2007). There, the defendant moved to bar the government from using a “cut-and-paste” document that allegedly recorded online conversations between Jackson and Postal Agent David Margitz, who had posed online as a 14-year-old girl. Based on alleged online chats between Jackson and the person he allegedly believed to be a 14-year-old girl, he was charged with using a computer to induce a minor to engage in sexual activity in violation of 18 U.S. Code section 2422(b).

The problem was that the government did not have either printed transcripts of the alleged communications between Margitz and Jackson or access to the hard drive on which they were stored. Margitz had wiped the hard drive at some point, and had not made a back-up copy of its contents; and he apparently never printed out the conversations he allegedly had with Jackson. Instead, Margitz had assembled a “cut-and-paste” synopsis, or set of excerpts, of the conversations; it was this the prosecution wanted to introduce into evidence at trial.

The court held that it was not admissible because it was not authentic:
[T]here are numerous examples of missing data, timing sequences that do not make sense, and editorial information. The court finds that this document does not accurately represent the entire conversations that took place between the defendant and Margritz. The defendant argues that his intent when agreeing to the meeting was to introduce his grandniece to the fourteen-year-old girl. Defendant is entitled to defend on this basis, as it goes to the issue of intent. Defendant alleges that such information was excluded from the cut-and-paste . . . The court agrees and finds the missing data creates doubt as to the trustworthiness of the document. . . . Changes, additions, and deletions have clearly been made to this document, and accordingly, the court finds this document is not authentic as a matter of law.
U.S. v. Jackson, supra.

Like the Ohio court, the prosecutors in the Jackson case cited the decision in U.S. v. Tank, but the Nebraska federal court found it did not apply here because in Tank “the actual computer files were offered as evidence, not a cut-and-paste version of the computer files”. The court therefore granted Jackson’s motion to suppress the evidence (which, as it turned out, was not all that important, since it also dismissed the charges against him because the government had violated his Fifth Amendment right to a speedy trial).

Wednesday, May 28, 2008

Misprision

I recently ran across a case from last year in which a lawyer pled guilty to misprision of a felony for destroying “a laptop containing pornographic images of children”. Alison Leigh Cowan, Lawyer Admits Destroying Evidence of Pornography, New York Times (September 28, 2007).

It’s not a reported judicial opinion; the case resulted in a plea, which the defendant has apparently not contested.

It’s an unusual case, I think, in two respects: One is the misprision of felony charge, which is not all that common. The other is that it was a lawyer who destroyed the evidence and wound up being charged for doing so.

Let’s start with the charge. Misprision of felony, as Wikipedia explains, at common law consisted of not reporting a felony, of which you were aware, to the authorities. The crime still exists, but it’s changed a bit.

The lawyer in this case was charged with the federal version of misprision of felony, under this statute:
Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.
18 U.S. Code section 4.

According to a Department of Justice Press Release, here are the facts that resulted in lawyer Philip D. Russell’s being charged with misprision of felony:
RUSSELL is admitted to practice law in Connecticut and has specialized in criminal and civil litigation in state and federal courts. On October 7, 2006, an employee of a church in Greenwich, who at the time was working in the church’s choir program, discovered images of naked boys on a laptop regularly used by Robert F. Tate, who had been the choirmaster and organist at the church for approximately 34 years. On October 8, 2006, church officials sealed and wrapped Tate’s laptop computer, treating it as evidence. RUSSELL represented the church with respect to Tate’s conduct.

On October 9, 2006, RUSSELL and two church officials met with Tate and confronted him about the images found on his laptop computer. Tate acknowledged that the images on the laptop were his, that they were inappropriate, and that they were personal to him. RUSSELL told Tate, words to the effect, that `this is serious business,’ `this is a federal crime that carries a minimum of five years in jail,’ and `you need a lawyer.’ RUSSELL then provided Tate with the name and telephone number of a criminal defense attorney, and Tate said he would resign from the church.

RUSSELL then took possession of Tate’s laptop computer knowing that it contained child pornography and returned to his law office. At his office, RUSSELL told an employee to go outside and RUSSELL then destroyed and concealed Tate’s laptop. RUSSELL failed to report to law enforcement that Tate, who was not his client, had possessed child pornography.
Press Release, supra. (The Times article says Russell “pulverized” the laptop.)

In February of 2007, a federal grand jury indicted Russell for obstructing justice and destroying child pornography. A trial on those charges was set to begin in October, but Russell pled to a new charging document – an information – that charged him instead with one count of misprision of felony.
Press Release, supra.

On December 17, 2007, the court sentenced Russell to six months of home confinement plus a fine of $250,000 and the requirement that he perform some period of community service. The judge cited his “years of good service” in letting him avoid prison time.


I find the case interesting because I cannot imagine what was in Mr. Russell’s mind. I can’t understand why a lawyer would so egregiously breach his professional and ethical obligations. I can’t understand why he would go to such extreme measures to protect Mr. Tate; and I can’t understand why he would be so foolish as to destroy evidence when a number of people knew it was out there. His behavior is incomprehensible, at least to me, on pretty much every level.

Mr. Tate, by the way, was charged with possessing child pornography, pled guilty and, after spending several weeks at a treatment center for “sexually deviant behavior,” was sentenced to serve 5.5 years in prison. He must also pay a $50,000 fine and participate in sex offender treatment.


Our focus, though, is on Mr. Russell and, specifically, on the misprision charge. When I first heard about the case, I wondered why he was charged with misprision instead of obstruction of justice, which is the usual charge. There are a LOT of obstruction of justice provisions in the federal criminal code, but here’s the one I assume was used in Mr. Russell’s indictment:
Whoever corruptly . . . alters, destroys . . . or conceals a record . . . or other object, or attempts to do so, with the intent to impair the object's integrity or availability for use in an official proceeding . . . shall be fined under this title or imprisoned not more than 20 years, or both.
18 U.S. Code section 1512(c). Here, “corruptly” essentially means “acting with an improper purpose,” i.e., with the purpose of obstructing the proper administration of criminal justice.

So Mr. Russell was charged with obstruction of justice, which, as I said, is the usual charge when someone destroys (or creates) evidence in an attempt to frustrate an investigation or prosecution of federal crime. According to the New York Times article, he was charged with 2 counts of obstruction of justice in the indictment, which means he would have faced prison if he had been convicted. Also according to that article, probation would not have been an option, and the probable sentence would have been 27-33 months in prison. New York Times, supra.

The sentence he could have gotten for pleading to misprision was 8-14 months but, as I said, the court was lenient because of his “prior service.” He also seems to have accepted responsibility, admitting what he did but saying that he did not “foresee” that law enforcement was going to be involved in the case . . . which kind of answers the questions I posed above . . .

I can’t imagine, though, why a lawyer who had been handling at least some criminal cases and knew enough to tell Mr. Tate what the possible sentence was for possessing child pornography would not have thought law enforcement would get involved here.
Anyway, just a cautionary tale . . . if there is any indication law enforcement is looking into something, don’t destroy anything that could even potentially constitute evidence, not for yourself and not for anyone else.

Monday, May 26, 2008

P2P ID Theft

The use of peer-to-peer file-sharing networks to steal people's identities is not anything new.

A Google search shows people have been writing about it for at least two years.

P2P identity theft has gotten more publicity lately, since the first person to be convicted of using file-sharing networks for identity theft was sentenced by a Seattle federal judge a couple of months ago.

This is how a Department of Justice Press Release describes what Gregory Kopiloff did that got him into trouble:
Using peer to peer programs, including `Limewire,’ KOPILOFF could `search’ the computers of others who were part of the file sharing “network” for federal income tax returns, student financial aid applications, and credit reports that had been stored electronically by other real people on and in their own private computers. KOPILOFF would download those documents onto his own computer, and would then use the identity, and banking, financial, and credit information to open credit accounts over the Internet, in the names of the other real people whose identities he had stolen. KOPILOFF would make fraudulent online purchases of merchandise, have it shipped to various mailboxes in the Puget Sound area, and then would sell the merchandise for about half its retail value.
U.S. Department of Justice, Press Release (March 17, 2008).

The tactics Kopiloff used may have been somewhat outside the norm, but this is one of those instances in which the method used to commit the crime is different while the crime is not.
Kopiloff was sentenced to serve 51 months in prison after pleading guilty to mail fraud, computer fraud and aggravated identity theft. Only aggravated identity theft could even colorably be described as a new crime. U.S. Department of Justice, Press Release.

Mail fraud has been a crime since 1872. It’s currently codified by 18 U.S. Code §1341. Mail fraud consists of using the mails to execute a scheme to defraud someone or something. When Kopiloff had his fraudulently-purchased merchandise mailed to him, he committed mail fraud. Each time the mail is used for that purpose, it’s a separate crime, so there were probably a lot of mail fraud counts.

He was also charged with computer fraud under 18 U.S. Code § 1030(a)(4). Section 1030 was added to the federal criminal code in 1984, so while it’s not as old as mail fraud, it’s definitely not a new crime. Section 1030(a)(4) makes it a federal crime for someone “knowingly and with intent to defraud” to exceed the scope of his authorized access to a computer “and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”. According to the facts outlined above, Kopiloff had authorized access to some of the files on his victims’ computers, but he went further, accessing files he was not supposed to be using and stealing information from them. He used that access, and the information he obtained, to consummate fraudulent transactions.

The third charge – aggravated identity theft – is the newest of the three offenses. The crime was created in 2004, when the Identity Theft Penalty Enhancement Act went into effect. The aggravated identity theft statute is 18 U.S. Code § 1028A. Section (a)(1) of 1028A provides as follows:
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Basically, § 1028A is a sentencing enhancement provision. It means that someone who uses another person’s identity in committing any of over 100 federal felonies, including mail fraud, will be sentenced to an additional prison term of 2 years. So to prove this charge, all the federal prosecutor would have to do is prove Kopiloff committed mail fraud and used someone else’s identification documents in doing so.

Kopiloff apparently victimized over 50 people. After he pled guilty to these charges, the judge – who called him “a highwayman in a virtual world” -- sentenced Kopiloff to serve 4 years in prison and pay over $70,000 in restitution.

As to whether that is “enough” punishment, I don’t know. I’d refer you to my earlier post on how we go about deciding what is enough and what is not. In making that decision, the court had the benefit of testimony from at least some of the victims, one of whom said Kopiloff took out
a credit card in her name and charged nearly $4,000. She said it took weeks working with the banks and credit bureaus to sort it out; in the meantime she worried she wouldn't be able to afford Christmas for her two young children.

`I don't have the same trust in people that I used to,’ she said.
Mike Carter, Man Gets 4 Years in ID Theft, The Seattle Times (March 18, 2008).

Saturday, May 24, 2008

"Crime" vs. "Cybercrime"

This is a follow-up to Atis’ comments on my last post, the one about the woman who was prosecuted for “computer crime” after she allegedly called into an automated unemployment office system and falsely indicated that she wasn’t working when, in fact, she was. The result was that she, apparently, got unemployment benefits when she should not have.

She was charged with computer crime under a statute that, as I explained in that last post, makes it a crime to “access” a computer or computer system to commit theft.

I called the post “Computer Crime?” because while I can certainly see that what she did fit within the language of the statute, I don’t see why it was charged as computer crime, instead of plain old, garden variety crime.

As I noted in that post, and as I’ve said before, we have a well-developed repertoire of crimes because we, as a species, have had a lot of experience with crime. Crime, as I’ve explained in a number of law review articles, is an internal threat to social order and, as such, is something societies have to control if they are to survive and prosper.

They control crime – we cannot now, or in the foreseeable future, eliminate it, given human intelligence and the ability it creates to contumaciously refuse to follow rules – by defining certain behaviors and/or results as proscribed – “crimes” – and by defining other behaviors as acceptable. They do the latter through a process of socializing their members into the values and norms of that particular culture, which usually works well enough that only a subset of the populace will commit “crimes.”

Societies control the commission of crimes, as we all know, by having a dedicated, professional force that tracks down people who commit crimes and sends them through the justice system, where they are tried, convicted or plead guilty and are then given certain sanctions. I’ve written in recent posts about the varied purposes of imposing those sanctions, so I’m not going to get into that here.

Here I want to elaborate on what I said in response to Atis’ first comment: As I noted above, and in response to Atis, what the defendant in the Colorado case allegedly did clearly fit within the state’s “computer crime” statute: If we accept the facts outlined in the opinion I cited in that last post, we see that the defendant called into the automated system for the purpose of obtaining money to which she was not lawfully entitled. The statute makes it a crime to “access” a computer system to commit theft. Since theft consists of purposely obtaining money or property that doesn’t rightfully belong to you, her alleged conduct qualifies and we have a literal violation of the statute.

My question, though, is “why computer crime?” Why not theft or fraud? Theft I defined above. Fraud is obtaining property from someone by tricking them into giving it to you. It seems to me her alleged conduct fits very nicely into fraud – she used the system to trick the state unemployment agency into giving her money to which she was not lawfully entitled (allegedly). It is true that she did not directly deceive an individual; she instead indirectly deceived the individuals who run the agency, but I don’t really see why that makes a difference.

As I noted in my last post, there was a British case in which the court found that it is not possible to “defraud a machine,” but I don’t think that issue comes up in the U.S. under a basic fraud statute. The reason I don’t think it comes up is, as I noted in my post on the British case, U.S. fraud statutes are “result” statutes, that is, they focus on the result, which is that someone uses deceit to get money or property to which they are not lawfully entitled. If our statutes focused on the “conduct” element of defrauding a human being, then the machine issue might be a problem . . . though I still think it should not, because it is humans who are ultimately defrauded out of their property. (Now, if and when we start dealing with sentient non-biological entities, it might be a problem.)

As I noted in my comments to Atis and in my last post, I also think there are good reasons to go with the generic, fraud charge rather than the computer crime charge.

One is that the computer’s role in a case like this is peripheral. This is not a case – like a denial of service or malware or hacking case – in which the computer plays a central role. The “harm” in the latter cases directly implicates the computer or computer system; the “harm” in the case above is the wrongful acquisition of property from a human-run agency.

Another reason is, I submit, that using the generic, traditional charge is less likely to cause problems at trial and on appeal. The appeal in this case dealt with whether she had “accessed” the computer system, and the conviction was reversed and the case was sent back for a new trial because of a disconnect between the language used in the charging document and the jury instructions . . . which, I submit, could probably have been avoided if she’d simply been charged with fraud.

Yet another reason is that I don’t think we need to keep creating new “crimes” when we have crimes defined that encompass the “harm” inflicted in a particular situation. As I explained above, we have two generic crimes – theft and fraud – either of which encompasses the “harm” allegedly inflicted in this case. So why not use them?

As I’ve argued in law review articles and in my latest book, I think the law has, for some very basic reasons, become distracted by the effects of technology . . . with the result that we tend to adopt technologically-specific crime laws (and other laws, as well). I think that distorts our proper focus. The focus of criminal law is discouraging and sanctioning the infliction of particular, socially-intolerable “harms.” It has not been on the method used to inflict “harm.”

So we have, for example, outlawed homicide – the killing of another human being. We have not outlawed homicide by gun, homicide by knife, homicide by poison, homicide by strangulation, homicide by beating, and so on. There’s no reason to – our concern is the “harm,” not the method.

Now, method is a legitimate concern in certain instances, such as when deadly force is used. That’s why we have the distinct offenses of “theft” (I take your laptop when you’re not looking) and “robbery” (I use a gun and forcibly take your laptop away from you). One encompasses the distinct “harm” inflicted or risked by the use of deadly force in committing an otherwise lesser crime. I can see the argument that computers play a similar role in certain kinds of cases, and have, indeed, made a similar argument in a slightly different context. You can commit a lot more fraud with a computer and a 419 email than you can in person or by calling victims.

But the better way to do that, I think, is the way many systems deal with the use of deadly force – guns – in the commission of crimes: make it an aggravating factor at sentencing. That way you keep the focus of your criminal offense laws on the proper thing – the “harm” being inflicted – but you still encompass the heightened risk or heightened injury the perpetrator was able to inflict because he or she used a gun or a computer.

Thursday, May 22, 2008

Computer Crime??

On May 15, the Colorado Court of Appeals decided People v. Rice, 2008 WL 2053490, which, IMHO, is an odd "computer crime" case.

(The opinion doesn't seem to be online -- yet?-- at the Colorado Court of Appeals site, I'm afraid.)

Here are the facts that led to the defendant’s – Nina Rice’s – being charged with and convicted by a jury of “computer crime” under Colorado law:

[D]efendant made biweekly unemployment benefits claims by calling an automated phone system, the CUBLine, maintained by the Department. An employee of the Department testified that the CUBLine is a `computerized system, which uses interactive voice response technology.’ . . . . [A]n unemployment benefits claimant identifies . . . herself by entering a Social Security number and a personal identification number using numbers on a telephone when prompted by the system. The system then asks the claimant a number of questions related to `weekly eligibility requirements, such as ... did you work during the weeks you are claiming?’ The claimant responds by pressing `1’ for `yes’ and `9’ for `no.’ This procedure is described in a brochure that was admitted into evidence at trial and, according to the record, was given to defendant to review before she made her first biweekly claim. When the computer system determines a claimant is eligible for unemployment benefits, a computer prints a check that is automatically sent to the claimant. Typically, an eligible claimant completes a claim and receives a check without interacting with a person.

The evidence showed that defendant used the CUBLine to make biweekly claims for unemployment benefits. Each time the computer system asked if she worked during the week for which she was claiming benefits, defendant entered `9’ for `no,’ even though she was, in fact, working.
People v. Rice, supra.

Here are the charges and what happened at trial:
Defendant was charged by information with the crimes of theft and computer crime. The theft count alleged that defendant intended to permanently deprive the Department of money, and the computer crime count alleged that she accessed a computer for the purpose of obtaining money from the Department or committing theft. At trial, she testified that she believed the money she received from her unemployment claims belonged to her and had been withheld from her paychecks issued by her previous employer.

The jury was unable to reach a verdict on the theft count and found defendant guilty of computer crime.
People v. Rice, supra.

And here is the offense she was convicted of – computer crime under Colorado Statutes § 18-5.5-102(c)-(d):
A person commits computer crime if the person knowingly . . .

(c) Accesses any computer, computer network, or computer system, or any part thereof to obtain, by means of false or fraudulent pretenses, representations, or promises, money; property; services; passwords or similar information through which a computer, computer network, or computer system or any part thereof may be accessed; or other thing of value; or

(d) Accesses any computer, computer network, or computer system, or any part thereof to commit theft. . . .
People v. Rice, supra.

I, for one, don’t understand why they didn’t charge her with fraud, since it seems to me that’s the crime she committed, if the facts as alleged are true. Fraud is, as I’ve said before, obtaining money or property by deceiving someone. Here, the defense could argue that she deceived a machine, but as I wrote in an earlier post I don’t think that would be a problem . . . because the fraud works because people are ultimately deceived.

Anyway, that wasn’t an issue in the case. After being convicted, Ms. Rice appealed, arguing that “she did not `access’ a computer” under the statute quoted above “by making a phone call and pressing telephone buttons in response to the CUBLine questions.” People v. Rice, supra.

She lost. Here is how the court of appeals parsed the term “access:”
In construing a statute, our primary purpose is to ascertain and give effect to the intent of the General Assembly. . . . We look first to the language of the statute itself, giving words and phrases their plain and ordinary meaning. . . . We read words and phrases in context, and construe them according to their common usage. . . .

`Access’ is not defined in the Colorado Criminal Code. However, it is a term of common usage, and persons of ordinary intelligence need not guess at its meaning. We, therefore, begin with the dictionary definition in determining the plain and ordinary meaning of `access.’ . . . Black's Law Dictionary . . . defines the word `access’ as `[a]n opportunity or ability to enter, approach, pass to and from, or communicate with.’

[W]e conclude defendant accessed, within the ordinary meaning of the term, a computer system, because she communicated with the CUBLine by inputting data in response to computer-generated questions. Also, the CUBLine was described in testimony at trial sufficient to support a finding that it was a `computer system’ as that term is defined in section 18-5.5-101(6). . . .
People v. Rice, supra.

What do you think? Is this "computer crime" or not? I tend to see no reason to use specialized computer crime statutes when, as I noted above, the conduct alleged would fit nicely into a traditional offense category, such as fraud. Aside from anything else, it seems to me that would have avoided the need for this issue to be raised and considered on appeal. It also seems to me there's no need to use boutique criminal statutes when a traditional one suffices (but I could be wrong).

The case also demonstrates that it's a really good idea to define "access" in a statute that criminalizes unauthorized "access" or the use of "access" to commit fraud. That, too, can make things simpler.

(Oh, the court did reverse Ms. Rice's conviction and order a new trial, because of a conflict, basically, between the charges in the indictment and the prosecution's closing argument and the jury instructions.)

Wednesday, May 21, 2008

Sentencing: "Harm" and Punishment

This post is about how we decide what kinds of penalty to impose on someone who commits a cybercrime. Part of the problem is reconciling the "harm" the person committed (which can be actually or potentially very severe) with their personal characteristics (e.g., non-violent, no prior criminal record, etc.).

In a recent post, I outlined the goals of sentencing: incapacitation, deterrence, rehabilitation and retribution. ("Why?", May 16, 2008.)

In sentencing offenders, judges are to consider (i) those goals, (ii) the “harm” inflicted by the crimes the defendant committed and (iii) the defendant’s personal characteristics insofar as they impact on how a particular sentence would comport with the “harm” inflicted and the goals of sentencing.

Sentencing is not an easy task, even when real-world crimes like murder and rape and arson and robbery are involved. But sentencing for real-world crimes is, I submit, much easier than sentencing for cybercrime, at least for the moment.

We have had at least two thousand years’ experience in learning how to sentence people for crimes that cause tangible “harms” in the real, physical world. As I noted in that recent post, the ancient principle of lex talionis demanded simple equivalence between the “harm” caused and the punishment inflicted on the offender. So, in the phrase we all know, the lex talionis called for an “eye for an eye,” and so on.

Writing in the eighteenth century, English lawyer William Blackstone explained why the lex talionis principle really isn’t workable in practice:
The difference of persons, place, time, provocation, or other circumstances, may enhance or mitigate the offence; and in such cases retaliation can never be the proper measure of justice. If a nobleman strikes a peasant, all mankind will see, that if a court . . . awards a return of the blow, it is more than just compensation. On the other hand, retaliation may sometimes be too easy a sentence; as, if a man maliciously should put out the remaining eye of him who had lost one before, it is too slight a punishment for the maimer to lose only one of his. . . . Besides, there are many crimes, that will in no shape admit of these penalties, without manifest absurdity and wickedness. Theft cannot be punished by theft, defamation by defamation, forgery by forgery, adultery by adultery, and the like.
Blackstone’s Commentaries.

The difficulty of ascertaining what punishment is proper for cybercrimes – which tend to inflict intangible “harms” – is something we are still struggling with.

A few years ago, someone argued – facetiously, I hope – that we should apply the death penalty to “hackers” and those who spread worms and viruses. The premise was that death is an appropriate penalty because of the extreme financial losses these crimes can, and do, cause.

Even if the article was serious, the proposal cannot be implemented in the United States, anyway, because the U.S. Supreme Court has held that the death penalty can only be imposed for crimes involving serious physical “harm.” So far, in a move reminiscent of the lex talionis, the Court has limited the death penalty to serving as a punishment for homicide, but it is currently considering whether it can also be imposed for raping a child. However that case comes out, though, death is not going to be used as a punishment in economic crime cases. The Supreme Court has held that the Eighth Amendment prohibition on cruel and unusual punishment bars the imposition of “too much” punishment, and death for economic damage would be “too much.”

That leaves us to think about how courts should use the “other” available penalties – imprisonment, fines, probation and restitution – in sentencing cybercriminals. I can’t begin to cover all the issues this problem raises here, so I’m going to use a recent cybercrime case as an example to consider what should and should not be taken into account in sentencing a cybercriminal.

According to a Department of Justice Press Release, in March, 2006, Christopher Maxwell pled guilty to one count of violating 18 U.S. Code section 1030 by intentionally causing or intending to cause damage to a computer and one count of conspiring to do so in violation of 18 U.S. Code section 371. (Section 371 makes it a crime to conspire to commit a federal offense). Here’s how the Press Release describes the crimes:
[A] botnet is created when a hacker executes a program . . . that seeks out computers with a security weakness it can exploit. The program will then infect the computer with malicious code so that it becomes . . . a robot drone for the hacker . . . controlling the botnet. . . . Botnets can range in size . . . to tens of thousands of computers doing the bidding of the botherder.

MAXWELL and two unnamed co-conspirators created the botnet to fraudulently obtain commission income from installing adware on computers without the owners' permission. . . . [B]y controlling someone's . . . computer, the botherder can remotely install the adware and collect the commission all without the computer owner's permission or knowledge. In this case, the government alleges that MAXWELL and his co-conspirators earned $100,000 in fraudulent payments from companies that had their adware installed. . . .

[A]s the botnet searched for . . . computers . . . it infected the computer network at Northwest Hospital in . . . Seattle. The increase in computer traffic as the botnet scanned the system interrupted . . . hospital computer communications. These disruptions affected the hospital's systems in numerous ways: doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down. By going to back up systems the hospital was able to avoid any compromise in the level of patient care.

Following MAXWELL's indictment in February, 2006 the investigation revealed that the botnet had also damaged U.S. Department of Defense computer systems at the Headquarters 5th Signal Command in Manheim, Germany and the Directorate of Information Management in Fort Carson, Colorado. More than 400 computers were damaged at a cost of $138,000 to repair.
According to a news story, Maxwell’s botnet also caused more than $50,000 in damage to the computer system at a California school. According to investigators, Maxwell’s botnet attacked more than 441,000 computers during the two weeks it was in operation. (The other conspirators were juveniles, which is why they're not named in the Press Release.)

The conspiracy count was punishable by up to 5 years in prison and a $250,000 fine. The damaging a computer count was punishable by up to 10 years in prison and a fine of $250,000.

The federal prosecutor wanted Maxwell sentenced to serve 6 years in prison. She said the sentence was warranted by deterrence: “There is a hacker community. They will know immediately what sentence you impose."

According to one news story, Maxwell, “holding back tears,” pled for probation instead of prison: "`I am a 21-year-old boy with a good heart and I made a mistake,’ he told the judge. `I never realized how dangerous a computer could be. I thank God no one was hurt.’"


The judge agreed with the prosecutor that the need for deterrence warranted a prison term, but didn’t go as far as the prosecutor wanted. She cited Maxwell’s age and lack of previous criminal history in sentencing him to serve 37 months and to pay $114,000 in restitution to the hospital and $138,000 in restitution to the Department of Defense. I suspect that will take a while.

What do you think? Should the judge have maxed out (no pun intended) and sentenced him to serve 15 years? Should she have gone with the prosecutor and sentenced him to 6 years? Or is 37 months enough?

If the sentence is meant to deter others from following his lead, there may be a problem. Studies have shown that deterrence is not simply a function of how harsh the penalty is. It’s a function of two things: the severity of the punishment I’ll get if I’m caught; and the likelihood I’ll get caught. If I’m not likely to get caught, or if I think I’m not likely to get caught, even a really severe penalty isn’t likely to deter me from committing crimes if I can make money by doing so.

If you could make, say, $1,000,000 in the next two months by committing crimes for which you could be sentenced to 25 years in jail IF you got caught, but your chances of getting caught are 1%, would you be deterred or would you go for it? What if you could make $100,000 with a 10% chance of getting caught and prosecuted?

Monday, May 19, 2008

Imposture (Revisited)

At the end of 2006, I did a post on online imposture. In that post, I was talking about pretending to be someone else by posting information or messages in their name. I was primarily concerned with whether that would qualify as defamation and, if so, if that would provide the victim with adequate redress.

Here, I want to talk about something different.

In my last post – on the juvenile charged with harassment – the facts indicated that another juvenile had pretended to be the principal of her school in creating a MySpace profile. Given that the students were in middle school, I’m willing to guess that the profile created in the principal’s name was probably too amateurish and juvenile to convince anyone he created it.


But that raises an interesting possibility: creating a MySpace or Facebook page in someone else’s name and using it to embarrass them and maybe even cause major damage to their reputation and career. It could be a really insidious, nasty thing to do, because it might well take the victim a long time to find out what had been done . . . by which time the damage would have been done. Then the victim would be in the position of having to convince anyone who’s seen the fake MySpace or Facebook page that it was, in fact, created by someone else for malicious purposes.

I’ve found some indication that this has already been done. According to this site, it was done to Yaron London, an Israeli “media star.” The site doesn’t tell me much about what was done, but does indicate that he was embarrassed by comments on the page that was created without his knowledge. And I find posts on various sites in which people report that this has happened to them though, again, they don’t provide much detail about the “harm” the imposture caused. And I found a story from last year that talks about MySpace and Facebook imposters and about what the victim can do, in terms of getting the fake site taken down.

My interest in this phenomenon goes to the possibility of criminal liability. One of the stories I found about Facebook and MySpace imposture refers to it as “identity theft.” It could be identity theft, I suppose, but not in the scenario I set out above.

The crime of identity theft is not about imposture; instead, it’s usually about fraud. Here, for example, is how Connecticut defines identity theft:
A person commits identity theft when such person intentionally obtains personal identifying information of another . . . without the authorization of such other person and uses that information to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.
Connecticut General Statutes Annotated § 531-129a(a). Except for “medical information,” the statute is criminalizing the use of somebody else’s identity for financial gain, which is a kind of fraud.

A few states break identity theft into two categories, as in this Arkansas statute:
(a) A person commits financial identity fraud if, with the intent to:

(1) Create, obtain, or open a credit account, debit account, or other financial resource for his or her benefit or for the benefit of a third party, he or she accesses, obtains, records, or submits to a financial institution another person's identifying information for the purpose of opening or creating a credit account, debit account, or financial resource without the authorization of the person identified by the information; or
(2) Appropriate a financial resource of another person to his or her own use or to the use of a third party without the authorization of that other person, the actor:
(A) Uses a scanning device; or
(B) Uses a re-encoder.

(b) A person commits nonfinancial identity fraud if he or she knowingly obtains another person's identifying information without the other person's authorization and uses the identifying information for any unlawful purpose, including without limitation:

(1) To avoid apprehension or criminal prosecution;
(2) To harass another person; or
(3) To obtain or to attempt to obtain a good, service, real property, or medical information of another person.
Arkansas Code § 5-37-227. The statute defines “identifying information” as including the following: Social security number; driver's license number; checking or savings account number; credit or debit card number; personal or electronic identification number; digital signature; or “[a]ny other number or information that can be used to access a person's financial resources”. Arkansas Code § 5-37-227.

It seems this statute could encompass the scenario I outlined above, since it, unlike most identity theft statutes, reaches harassment as well as using someone’s identity for financial gain. Massachusetts is the only state I can find that has a similar statute. Massachusetts General Laws 266 § 37E.

I’m not sure it really could encompass the scenario, though, because of the way the statute defines “identifying information.” Identifying information seems to be limited to financial information. The Massachusetts statute looks like it might, since it defines identifying information as “any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number or computer password identification.” Massachusetts General Laws 266 § 37E.

I’m also not sure if when the statutes refer to harassing “another person” (which both do) they mean harassing the victim of the identity theft or a third person; I tend to think they mean harassing a third person (but I could be wrong). If I’m right, then neither statute could be used to prosecute the kind of imposture I hypothesized above.

The more important question is “should we use criminal law to reach this kind of conduct?” On the one hand you can, as I noted above, cause a lot of “harm” to someone by essentially using MySpace or Facebook to frame them. My law school, like other law schools and, I assume, other professional schools and undergraduate programs, makes a great effort to warn our students that what they put on MySpace or Facebook pages can come back to haunt them. Both bar associations and potential employers troll the sites to find information that discredits a bar applicant or potential employee. If you framed someone, you could, in the law school context, prevent them from being able to sit for the bar examination and/or to find a job. That’s pretty nasty.

I tend, though, to believe we can’t use criminal law to handle every nasty maneuver that crops up. In the United States, we already have, IMHO, way too many crimes and lock up way too many people. We can’t keep going along that path. Aside from anything else, it takes a lot of resources – a lot of money and personnel – to enforce criminal law and to punish offenders.

I also wonder if this is to some extent a transitional problem. I wonder if, as time passes, we will become less credulous, more jaded consumers of the information posted online.

Sunday, May 18, 2008

Harassment, Middle School Style

I’ve written recently – and not so recently – about how the law deals with people who "annoy, alarm and harass" each other, but that post, and an earlier one, were both about adult conduct.

Magistrate Marcia Linsky of the Allen County (Indiana) Superior Court sent me a link to a recent opinion from the Indiana Supreme Court that deals with a very different kind of harassment. . . harassment by a middle school student.

According to the Indiana Supreme Court’s opinion, this is what resulted in the student's being charged with harassment:
When the 2005-06 school year began, A.B. was a student at Greencastle Middle School, where Shawn Gobert had been principal for thirteen years. Sometime before February 2006, she transferred to a different school. In February 2006, Mr. Gobert learned from some of his students of a vulgar tirade posted on MySpace that apparently targeted his actions in enforcing a school policy. As appropriate for a . . . prudent school administrator, Mr. Gobert investigated. With the assistance of others, including some students, he discovered that a `Mr. Gobert’ profile had been created on a MySpace Internet web page, purportedly by him, and on which A.B. had posted a vulgarity-laced tirade directed against him. In fact, another juvenile, R.B., a friend of A.B. and at the time a student at Greencastle Middle School, had created this false `Mr. Gobert’ MySpace private `profile’ and allowed access to it by twenty-six designated `friends,’ one of whom was A.B. A.B. then made her posting about Mr. Gobert on this private `profile’. Thereafter, . . . A.B. created her own MySpace `group’ page, accessible by the general public, and titled with a vulgar expletive directed against Mr. Gobert and Greencastle schools.

As a result, delinquency proceedings were initiated against A.B. The . . . petition . . . charged A.B. with nine counts. Three . . . were dismissed at the fact-finding hearing. The remaining counts each allege conduct by A.B., a minor, that if committed by an adult would constitute Harassment . . . . The various surviving counts allege her use of a computer network to harass Mr. Gobert. Counts I and V allege that A.B. used a computer network to transmit the following:

`hey you piece of greencastle s* *t. what the f* *k do you think of me know (sic) that you cant [sic] control me? huh? ha ha ha guess what ill [sic] wear my f* *king piercings all day long and to school and you cant [sic] do s* *t about it.! ha ha f* *king ha! stupid b* *tard!’

Counts III and VII each allege Harassment based on A.B.'s transmission of “die ... gobert ... die;” and Counts IV and VIII are based on A.B.'s transmission of `F* *K MR. GOBERT AND GC SCHOOLS!’
The Indiana Supreme Court, not me, edited the post so the “expletives are identified symbolically.” I think we get the idea, though, even with the edits. (I do like how A.B. refers to him as “Mr.” Gobert in that last one.)

Before we get into the legal issues, I want to note something: what happened here is an example of what has happened in lots of schools in at least several countries. When I was in school, the only ways we could take out our frustrations with our teachers were by drawing obnoxious cartoons and making up scandalous stories about them. Whatever we did had a very limited circulation, and so had a very limited impact. Cyberspace lets anybody with a computer and Internet access become a “publisher,” so students can be a lot more creative in the ways they take out their frustrations and their expressions of frustration can enjoy a very wide circulation, especially if they’re interesting.

Now, let’s talk harassment. Here’s the statute A.B. was charged with violating:
A person who, with intent to harass, annoy, or alarm another person but with no intent of legitimate communication . . . uses a computer network . . . or other form of electronic communication to communicate with a person or transmit an obscene message or indecent or profane words to a person; commits harassment, a Class B misdemeanor.
Indiana Code § 35-45-2-2(a)(4). A.B. was adjudicated delinquent for violating the statute and appealed. Since, as the Indiana Supreme Court noted, “in juvenile delinquency adjudication proceedings, the State must prove every element of the offense beyond a reasonable doubt”, we are essentially dealing with a criminal case.

If you look at the Indiana harassment statute, you will see that its structure is analogous to that of a “threat” statute. That is, it requires that the perpetrator (i) have sent harassing communications to the victim (ii) with the intent to harass that specific person and (iii) for no legitimate purpose. That has traditionally been how harassers have conducted themselves; they have called, emailed and otherwise communicated directly with their victim for the deliberate purpose of annoying and/or alarming that person.

As the Indiana Supreme Court pointed out, what A.B. did doesn’t fit within the elements of the statute:
The allegedly harassing communications by A.B. identified in Counts I, III, V, and VII were postings by A.B. on her friend's MySpace `private profile’ site. This . . . site, . . . could not be seen by the general public except for those . . . accepted as `friends’ by the creator of the `profile.’ . . . Mr. Gobert was able to view it only because R.B., the student who created the `profile,’ . . . authorized him to access the `profile’ during his investigation. . . . [T]here was no evidence . . . A.B. expected that Mr. Gobert would see or learn about A.B.'s messages. . . .

The analysis differs as to Counts IV and VIII, which refer to A.B.'s remarks on her MySpace `group’ page. Because this site was publicly accessible, it may be reasonably inferred that A.B. had a subjective expectation that her words would likely reach Mr. Gobert. This alone, however, does not establish the intent element specified in the Harassment statute. . . . While A.B. titled her `group’ page with the vulgar expletive, her own posting on the page elaborated as follows:

[R.B.] made a harmless joke profile for Mr. Gobert. and [sic] some retarded b* *ch printed it out and took it to the office. [R.B.] is expelled, has to go to court, might have to go to girl [sic] school, and has to take the 8th grade over again! that's [sic] just from the school, her paretns [sic] have grounded her, and took [sic] her computer, she cant [sic] be online untill [sic] 2007! GMS is full of over reacting idiots!

Other than the title and this posting on A.B.'s `group’ page, there was no other evidence relevant to the issue of her intent as to Counts IV and VIII. And the content of the posting presents strong evidence that A.B. intended her `group’ page as legitimate communication of her anger and criticism of the disciplinary action of Mr. Gobert and the Greencastle Middle School against her friend. . .
The court therefore held that the prosecution had failed to prove beyond a reasonable doubt that A.B. sent the communications with the intent to harass Mr. Gobert and for no legitimate purpose. I think the court is absolutely correct. I also think the evidence failed to prove another element, the first of the three I noted above: the statute requires that the harassing communication be sent TO the victim. A.B. did not do that. She merely posted them online, where they COULD be seen by the victim.

As I wrote in an earlier post, the Sixth Circuit Court of Appeals threw out threat charges against a Michigan college student some years ago for essentially the same reason: Jake Baker was charged with threatening a classmate by posting violent fantasies online, fantasies in which he raped and killed her. The Sixth Circuit said it wasn’t a threat because Baker did not send the communications directly to her. Seems to me we have the same problem here, too.

Saturday, May 17, 2008

Having Absolutely Nothing To Do With Cybercrime

A friend of mine just sent me the link to a recent decision issued by the U.S. Court of Appeals for the Seventh Circuit.


It’s an appeal in a civil case and has nothing to do with cybercrime. It does involve some First and Fourth Amendment claims but, all in all, it's not the kind of case students go to law school to handle.

If you want to read a really funny opinion – with some equally funny pictures – about a neighborhood squabble gone very bad, check it out.

Click on this link. Then search the opinions using this case number: 06-3176

You can download the pdf file and see what I mean.

Friday, May 16, 2008

Why?

I assume everyone has seen the stories about the indictment in the Megan Meier suicide case. I did a post on the case last fall, because it at once outraged and mystified me.

(How could an adult get involved in all this?)

If you want a review of the facts and my take on the permissibility (not) of charges, check out that earlier post.


Here, I want to talk about something different.

I want to talk about why the woman who set the events in motion that led to Megan’s suicide has been charged in a federal indictment with (a) gaining unauthorized access to “a computer used in interstate and foreign commerce, namely the MySpace servers located in Los Angeles” and (b) conspiring to gain such unauthorized access to the MySpace servers for the purpose of inflicting emotional distress (harassment) on Megan. U.S. v. Lori Drew, Indictment, N.D. California 2008.

The unauthorized access charges were brought under the basic federal cybercrime statute, 18 U.S. Code section 1030, which I have written about before. If you want an outline of what can be charged under the statute, check out this post. The conspiracy charge was brought under the basic federal conspiracy statute 18 U.S. Code section 371, which makes it a crime to conspire to commit a federal offense.

My “why” questions (don’t expect answers) have two parts. The first goes to the propriety of bringing these charges. As I said in my earlier post on Megan’s suicide, it’s a horrible tragedy and I cannot understand what was in Lori Drew’s mind, but I don’t think it warrants criminal charges. And the local prosecutor simply was not able to bring charges because the facts didn’t warrant them. So now the federal government has gotten into this.

The people who created the Constitution and our federal system intended that criminal law be enforced first and foremost at the state and local level. They intended that because crime and the imposition of criminal liability are matters that resonate with local concerns, local mores, local attitudes. They also didn’t want too much power centralized in the federal government.


Over the last century, the number of federal crimes has exploded. I’m not getting into whether that is a good thing or a bad thing. It’s a fact, and it means federal prosecutors have access to a broad statute like section 1030 which can, maybe, be shoehorned into a prosecution like this. I think the charges can be, as they have been, put together in a fashion that will survive a motion to dismiss based on the premise that “this ain’t a crime,” but I don’t think they make sense in terms of law or policy.

Last January, I raised the grand jury investigation into Megan’s death with the students in my cybercrime class and we analyzed how section 1030 COULD be used against Lori Drew. It really doesn’t make sense, though: the statute was intended to criminalize hacking, both the general, exploratory kind of hacking and the kind that involves stealing or destroying data in a system you’re not supposed to have access to. Here, IMHO, it’s being used in a really distorted manner. There’s also the minor matter of diverting federal resources to a case that, I would argue, belongs in a state court if it belongs anywhere.


Okay, that’s the first part of “why.” Here’s the second: The stories say (and I haven’t parsed the figure out myself, using the statute and sentencing guidelines and all that) Lori Drew faces up to 20 years in prison if she is convicted of the charges in the 4-count indictment. Why?


The imposition of criminal liability and punishment – imprisonment – in our system is based on achieving four goals:

  • Incapacitation: We lock you up so you can’t re-offend.
  • Deterrence: We lock you up to teach you a lesson so you won’t re-offend when we let you go, and we lock you up to convince others not to follow your example and commit the crime(s) you did.
  • Rehabilitation: This used to be very important, but is a minor theme now. Basically, if we have time and it seems easy, we’ll try to rehabilitate you so you don’t re-offend.
  • Retribution: This is the oldest reason for punishment. The ancient law, the lex talionis, called for an “eye for an eye, tooth for tooth” and so on. So, we lock you up to exact pain from you for what you did.
Does it make sense to lock Lori Drew up for 20 years? Would doing that achieve any or all of these goals?

This goes to an issue I often raise with my students: overcharging. If Missouri had a harassment statute that would have encompassed what Ms. Drew allegedly did, then it seems to me it would be perfectly appropriate to charge her with that crime, convict her if the evidence established that she committed it and then punish her "enough" to achieve whichever of the above goals were driving the prosecution. So, in our hypothetical, she's convicted of harassment under state law and, what?, maybe fined, maybe given 30 days in jail, put on probation for a few years, required to work at a suicide prevention center or some other appropriate place. That would make sense to me.

I just don't see the sense in, as the saying goes, "making a federal case out of it", especially not when it could mean 20 years in jail.

Wednesday, May 14, 2008

Faithless Friends and Good Faith Mistakes

This post is based on some questions that were emailed to me . . . questions about a private citizen searching your private property, finding evidence and then taking it to the police. The questions and my thoughts on each follow.

B gives C access to a computer server containing illicit materials. C turns over what he finds to the authorities, who find out that A is leasing the server. The authorities seize the server and search A's house. A claims to have never given access to B or C and there is no evidence otherwise. Can the search warrant and its fruits be suppressed?


I think A loses on the 4th Amendment issue. In analyzing this question, I’m assuming A did, in fact, give B access to the server and that the information C turns over to law enforcement, combined with whatever efforts they make to connect A to the material, gave them probable cause to get the search warrant, i.e., gave them probable cause to believe they would find illicit material on the server and in A’s house.

(If probable cause was lacking, then the search warrant should not have issued, and that should mean the evidence would be suppressed . . . unless the court finds that the good faith exception applies. U.S. v. Leon, 468 U.S. 897 (1984). Under the Leon good-faith exception to the 4th amendment’s exclusionary rule, evidence will not be excluded when police officers reasonably rely on a search warrant issued by a judge, even if that search warrant is later declared invalid. This means that even if the court were to determine that the warrant was not based on probable cause, the evidence would not be suppressed if the officers who executed the warrant did so in the good faith belief that it was supported by probable cause, since it was issued by a judge who decided probable cause existed).

So the issue basically becomes whether the evidence should be suppressed because A gave B access to the server, but did not intend that B would give C access, and never intended that B (or C) would betray him by taking evidence to law enforcement.

The answer, almost certainly, is no. I talked about this general issue in an earlier post. I won’t repeat everything I said there here; I’ll just note that for Fourth Amendment purposes, basically you assume the risk of being betrayed when you give someone access to your “stuff” . . . whether it’s your house or your car or your computer or your server. So by giving B access to the server, A assumed the risk that B would use that access to find evidence and himself betray A and/or that B would do so indirectly, by giving C access to the evidence (which set in motion the possibility that C would then betray A, if, indeed, C can be said to be in a position to betray A, since we don’t know if there was any connection between them.)


What if C hacked in to the server and gained access to it by illegal means? He saw illicit material, copied it and gave the copy to law enforcement officers. They used the copies plus what C told them (i.e., where C got the stuff) to secure a warrant to seize the server. Could the search later be deemed illegal, if C wasn't supposed to be in that server anyway?


There was a case in the city where I live: A burglar broke into an apartment to rob it, found child pornography, went to the police and told them what he'd found. They used what he said to get a search warrant, searched the apartment, found child pornography, and prosecuted the person who lived in that apartment . . . and prosecuted the burglar for burglarizing the apartment.
This scenario is a variation of the scenario above.

Basically, if a private person – your friend or a stray burglar who happens to break into your home and finds incriminating evidence – decides to turn on you, you’re out of luck. The 4th Amendment only applies to state action, i.e., to searches and seizures conducted by law enforcement agents and by people who are acting on their behalf.


So in the local case, the 4th Amendment would only be implicated if the police had put the burglar up to breaking into the apartment to see if he could find child pornography so they could then use what he found to get the warrant, and so on. If he acted on his own, then we don’t have state action and the 4th Amendment doesn’t apply . . . until the law enforcement officers enter the apartment. If they have a valid search warrant, that entry is constitutional.
In the case posited above, the entry into the apartment with the search warrant would only be a problem if the police had instructed C to hack in illegally.

If you want to read about some cases where the scenario set out above pretty much happened, but the person who hacked someone's computer did not get charged with a crime, see this post.

Searching a Pastor's Computer

In State v. Young, 974 So.2d 601 (Fla. App. 2008), a Florida court of appeals had to decide whether a search of a minister’s office was valid under the Fourth Amendment.

As I’ve mentioned before, consent is an exception to the Fourth Amendment’s warrant requirement. That is, if someone consents to have their property searched, officers do not need to get a search warrant; the consent in effect waives the requirement of a warrant.

To be valid, consent must be voluntary (not coerced) and must be given by someone with authority to consent to the search.
Someone who owns or uses property can give valid consent to a search.

“Use” means that the person who consents either is the sole user of the property or is a joint user of the property. Spouses, for example, can each consent to the search of the property they share and the consent will justify the search (unless the other spouse is present and refuses to consent).


Young was the pastor of a small church in Florida. According to the Florida court of appeals' opinion, the
church provided Young with a desktop computer and a private office. Although the computer was provided to Young for use in connection with his duties at the church, there was no official policy regarding the use of the computer or others' access to it. . . . This office had a special lock that could not be opened with the Church's master key. Three keys to Young's office existed. Young kept two of the keys, and the church administrator kept the third key, which she stored in a locked credenza drawer in her office.
State v. Young, supra.

As to the events leading to the search, and to Young’s being charged with "viewing child pornography", according to the Florida Times-Union, it all began when the church’s administrator got a call from the church's Internet service provider. The caller said spam had been linked to the church's Internet protocol address. The church administrator then ran a “spybot” program on the church's computers. When she ran the program on Young's computer, she saw “some very questionable [w]eb site addresses.” The church administrator then contacted a member of the staff parish and an information technology person to set up a time to have the computer examined. State v. Young, supra.
Later, the chairperson of staff parish relations, Kenneth Moreland, contacted Richard Neal, district superintendent of the Church, to tell him what had happened. State v. Young, supra. After discussing the matter with the bishop and getting approval for the decision, Neal instructed Moreland to contact law enforcement officials and allow them to see the computer. The next morning Neal instructed Young not to return to the church until the two could meet and discuss the situation. When officers arrived at the church, Moreland unlocked Young's office and signed `consent to search' forms for the office and computer. Young arrived at the church during the morning when the officers were there. Moreland and an officer instructed Young to leave the property immediately, and he complied.
State v. Young, supra.


The officers apparently found incriminating evidence that, at least in part, consisted of websites Young had bookmarked on his office computer. They interviewed him, he made incriminating statements, and charges were filed, after which he moved to suppress evidence found in his office. The court held a hearing on the motion.


The officers who searched the computer testified that they understood Moreland to be a “representative of the church” whose authority to consent was based on instructions from a church supervisor. State v. Young, supra.
Neither of them talked to Moreland's supervisor or asked Moreland further questions about his authority before the search began. One officer said she had spoken with Neal after she was inside Young's office. At the time, she knew Neal had never used Young's computer, did not work in Young's office, and did not keep property there. (Remember, joint use is a basis for being able to consent.) Neal testified to the same effect. Moreland testified that he did not work in Young's office and did not keep belongings there. Neal, though, testified that he had authority to consent to the search and to instruct Young to stay away from the church under the Church’s Book of Discipline, by which Young had agreed to be bound when he was ordained.
State v. Young, supra.


The issue in the case was whether the search of the computer in Young’s office was valid as a consent search. I get the sense that the viability of the charges (whatever they were) against Young depended on the evidence found there, so the issue was crucial.
The trial court found that none of the church personnel had authority to consent to the search of Young’s office, and the court of appeals agreed.

The church personnel who consented clearly did not use the office jointly with Young; and they apparently made that clear to the officers, so the officers could not have believed they had the authority to consent to a search of his office. As the court of appeals explained, although
the church owned the computer, Young was the sole regular user. Although the church administrator performed maintenance on the computer, there was no evidence that she or anyone other than Young stored personal files on the computer or used it for any purpose other than maintenance. There was no policy informing Young that others at the church could enter his office and view the contents of his computer. The only way to access the computer to view its contents was to enter through the locked office door. It is clear under these circumstances that the church trusted Young to use the computer appropriately and that it gave no indication that the computer would be searched by anyone at the church. The fact that Young violated this trust does not detract from a proper analysis of whether he had a legitimate reason to expect that others would not enter his office and inspect the computer.
State v. Young, supra.

The evidence found in Young’s office was suppressed, and so were the incriminating comments he made to the officers, because they derived from (were the fruit of the poisonous tree of) the illegal search of his office. I assume the charges, whatever they were, were dismissed.

Tuesday, May 13, 2008

Ineffective Assistance of Counsel

A while back, I did a post on the Trojan horse defense, which is basically a cyber-version of an old defense: Some Other Dude Did It, or the SODDI defense.

In this post, I want to talk about how a defense lawyer’s failure to raise a similar defense was found to constitute ineffective assistance of counsel.


The case is People v. Patterson, 2008 WL 886203 (Mich. App., April 1, 2008), and I’ll talk about the facts and charges in a minute.

First, I want to outline what a convicted defendant has to establish in order to win on an ineffective assistance of counsel claim:
The benchmark in evaluating a claim that trial counsel was ineffective is whether counsel's conduct so undermined the proper functioning of the adversarial process that the trial cannot be relied on as having produced a just result. Strickland v. Washington, 466 U.S. 668, 686 (1984). The defendant must show, first, that counsel's performance was deficient. This requires a showing that counsel made errors so serious that he was not functioning as the `counsel’ guaranteed by the Sixth Amendment. Second, the defendant must show prejudice. This requires proof that counsel's errors were so serious as to deprive the defendant of a fair trial, i.e., a trial whose result is reliable.
People v. Patterson, supra. Here are the facts in the Patterson case:
This case stems from an investigation that Patterson had stalked an ex-girlfriend. Deputy Cuatt was a part of a team that executed a warrant to search defendant's residence. Cuatt has expertise in computers, which was needed so that evidence purportedly on a computer in the home would not be lost. Police located an old computer . . . in a small room and two hard drives. The computer was powered on even though no one was home. . . . Police seized the computer and Deputy Cuatt eventually subjected both hard drives to certain forensic programs. One . . . had a large amount of adult pornography on it. The same hard drive had four pictures of young girls who were obviously under the age of eighteen. The hard drives also contained photographs of defendant, family members, and friends, as well as e-mail to and from defendant.
People v. Patterson, supra. Mr. Patterson was charged with possessing child sexually abusive material, in violation of a Michigan statute. He was convicted, but moved to have the conviction set aside and a new trial ordered. At the hearing on the motion for a new trial, Mr. Patterson
testified that he had sent trial counsel a list of witnesses he wanted called at trial. According to defendant, several witnesses would have testified that he did not live alone and that a number of people, who either lived with him or assisted him because of his physical limitations, had access to the computer. Defendant also testified that some of those people were no longer friends and they had a reason to sabotage his computer.
People v. Patterson, supra.

So according to Mr. Patterson, he wanted his defense attorney to raise a SODDI defense.
At the hearing, his defense attorney, when asked why he decided not to call witnesses to show that others had had access to the computer, said he told Mr. Patterson “that the witnesses would . . . probably assert their 5th Amendment rights against self-incrimination.” People v. Patterson, supra. The trial court denied the motion for a new trial because it found that the defense attorney had “employed a proper trial strategy in not calling witnesses, even though he never contacted any of the dozen or more witnesses offered by defendant.” People v. Patterson, supra.

The Michigan Court of Appeals disagreed:
[T]rial counsel knew weeks before the trial that many others had access to the computer containing the illegal pictures yet failed to investigate or produce these individuals as defense witnesses. On these facts alone, we conclude that counsel's conduct fell far below an objective standard of reasonableness. . . . . We also conclude defendant was prejudiced. . . . Testimony that others were present in his home and had access to the computer would have created a reasonable probability that the result would have been different, especially considering that even the trial prosecutor was somewhat surprised by the jury's finding of guilt. Given that the prosecutor's case rested entirely on the premise that defendant was the only person who could have put the illegal images on the computer, and where defendant's trial counsel thought defendant lived alone, counsel's failure to investigate the witness list was ineffective and extremely prejudicial.
People v. Patterson, supra. I can certainly understand why the court of appeals reached this result, but here’s an aspect of this case that really puzzles me.

First, the prosecutor, who had the burden of proving the case beyond a reasonable doubt,
presented no witness to testify that the Defendant put the child sexually abusive images on the computer found in his home. The People called only two witnesses: the officer who analyzed the computer and an expert who gave an opinion about the age of the children whose images were on the computer. The officer acknowledged that there was no way for him to determine how the images became stored on the computer or who did so.
People v. Patterson, supra. If that’s all the prosecution presented, it clearly did not meet its burden of proving beyond a reasonable doubt that Mr. Patterson was responsible for the images’ being on the computer. All the defense needed to do was to move for a judgment of acquittal, based on the prosecution’s failure.

The defense did not do that, apparently because the defense attorney thought he had to prove that other people, maybe even specific other people, were responsible for the images’ being on the computer. That gets it backwards: As anyone who’s familiar with the O.J. Simpson murder trial knows, all the defense has to do is to raise “doubt” about the prosecution’s claim that the defendant is guilty. Here, it was a slam dunk, since the prosecutor didn’t offer ANY evidence from which a reasonable juror could find that Mr. Patterson was the person who put the images on the computer.
Makes you wonder what will happen at the new trial the court of appeals ordered.

Sunday, May 11, 2008

"Counts" and "Crimes"

This is a follow-up to my last post, which talked about a prosecutor’s discretion in deciding how many charges to file against a defendant.

In that post, I talked a bit about how the prosecutor in that case increased the number of charges against Mr. Cline after his first conviction was thrown out and the case was remanded for a new trial. The prosecutor said he increased the number of counts because there had been a problem – a duplicity problem – in the first indictment.

I want to talk here about the issues that can arise in deciding whether a particular charge – a “count” – charges, essentially, too “much” crime or too little.
Let’s start with a basic premise of bringing criminal charges.

Defendants are usually charged in an indictment, which is a set of charges returned by a grand jury, but they can also be charged in an information, which is an essentially identical set of charges that is produced by a prosecutor without the assistance of a grand jury.

In any charging document, each specific “charge” – each accusation that a defendant committed a “crime” – is set out in a separate “count.” So, an indictment will have a “Count I,” a “Count II,” and so on, each of which charges a different crime.
There are two kinds of challenges a defendant can raise to how a prosecutor has structured the charges in the counts in an indictment or information.

One is what is called “duplicity.” Duplicity essentially consists of charging two or more crimes in a single count. That’s the reason the prosecutor in the Cline case gave for adding all those charges the second time. The rationale was that in the first indictment some of the counts charged Mr. Cline with sending two emails to harass a particular victim; since each act of sending a harassing email was a separate crime under the statute at issue, that indictment was duplicitous, i.e., it improperly combined “crimes” in a single count.


The other problem is called “multiplicity.” Multiplicity is often described, in a phrase I like, as “impermissibly fractionating a single course of conduct into multiple offenses.” It means that the prosecution breaks one crime up into pieces, and charges the pieces in different counts of an indictment or information.


The reason duplicity and multiplicity are a problem is that both undermine the fairness of the proceeding. With duplicity, the defendant has to defend against a count that has two or more crimes in it; and that can make it difficult for the defense to figure out how to structure their case (do we defend against all of them or only one of them?). It can also make it difficult for the defendant who has been acquitted to raise double jeopardy if he’s charged again.

Assume a defendant was acquitted on a Count that charged crimes A and B. The prosecution then charges him again, in a new indictment, with Crime B. He says that’s double jeopardy. The prosecution says “no, they acquitted you of Crime A. We can still pursue Crime B.”
The problem with multiplicity is even simpler. It means that the prosecution is taking one crime and turning it into several crimes. Assume, for example, someone is arrested for possessing an illegal drug. The drug comes in tablet form, and the person arrested had 5,000 tablets of the drug. He is charged in an indictment with 5,000 counts of illegally possessing the drug . . . one count per tablet. He can argue that the counts are multiplicitous because they break one crime (possessing “the drug”) into 5,000 counts (possessing 5,000 iterations of “the drug”). IMHO, that would be seriously multiplicitous, which means the prosecutor would be told to revise it into a single count.

Okay, let’s get to cybercrime. In U.S. v. Davenport, 519 F.3d 940 (9th Circuit Court of Appeals 2008), Davenport was charged both with possessing child pornography and with receiving child pornography. The charges were based on the same images. Let’s make things simple and say that he was charged with “receiving” 10 images of child pornography (it was a lot more) and with “possessing” the same 10 images.


Davenport argued that the charges were multiplicitous . . . that they turned what should be, at most, 10 crimes into 20 crimes (10 of possessing + 10 of receiving). He said the charges were multiplicitous because they punished the same conduct. Davenport said, basically, that you can’t “possess” something without having first “received” it, so the act of possession necessarily encompasses the act of receiving the item possessed.
Davenport was essentially arguing that “receipt” is a “lesser included offense” of possession.

A lesser included offense is a “smaller” crime the elements of which are contained within a larger crime. Trespass is a lesser included offense of burglary: Trespass is knowingly and unlawfully entering premises (a house, a business); burglary is knowingly and unlawfully entering premises for the purpose of committing a crime (theft, arson, murder, etc.) once inside. So, if a defendant is charged with both criminal trespass and burglary for the same course of conduct, i.e., for breaking into the same building to commit a crime inside, he can argue that the charge is multiplicitous, because it breaks a single “crime” into two pieces. And the defendant should win, which means the prosecution has to decide whether to charge trespass OR burglary.


What about Davenport? What do you think? Is “receipt” a lesser included offense of “possession”, or are they two different crimes?


(Spoiler: In the Davenport case, the Ninth Circuit Court of Appeals held that receipt IS a lesser included offense of possession, so Davenport could not be charged with, and convicted of, multiple counts of both based on the same images. At least one other federal court has reached the same conclusion.)


(If you’re interested in reading the Davenport opinion, you can find it on the Ninth Circuit’s website. Click on the “opinions” link on the left-hand side of the page and go to the opinions issue for March. You’ll find Davenport listed as having been issued on March 20, 2008; the docket number is 06-30596.)

Wednesday, May 07, 2008

Prosecutorial Discretion, Charges & Sentences

In this post, I want to talk about the discretion a prosecutor has in deciding what – or, more precisely, how much – to charge someone with. I also want to talk about how that decision can impact on the sentence a convicted defendant receives.

To do that, I want to use a recent decision of the Second District of the Ohio Court of Appeals: State v. Cline, 2008 WL 1759091. You can read all of the facts in the opinion, which you can access via the link, above.

Basically, in 1999 and 2000 James Cline repeatedly harassed and stalked several women, relying on email for much of the harassment.

As a result of these activities, he was indicted (charged) on “eighty-six counts, including telecommunications harassment, conspiracy to commit aggravated arson, criminal mischief, intimidation of a crime witness/victim, menacing by stalking, and unauthorized use of a computer.” State v. Cline, supra. He went to trial and was convicted, but the Ohio Court of Appeals reversed his conviction because it found he had not adequately waived his constitutional right to counsel and ordered that he be given a new trial. (I’m not sure what was going on with that, but that’s not the issue we’re concerned with.)


After the Court of Appeals reversed Cline’s conviction, and before his new trial on these charges could start, “the State indicted Defendant on an additional two hundred and fifty-five counts of telecommunications harassment.” State v. Cline, supra. In other words, the prosecution got a new charging document – a new indictment – and in it they added an extra 250 counts.

The telecommunications harassment counts were based on his having used emails to harass at least some of his victims; each of the new counts was based on his sending an email to a victim.
That’s an important, but often overlooked, issue in criminal law.

First of all, prosecutors have a great deal of discretion in deciding what charges they will bring. In some cases, the decision is pretty obvious: If A kills B, then the charge will be murder – one count because murder is killing a human being and one human being (B) was killed. The same basic principle holds for car theft (steal 1, that’s 1 count, etc.) and other more straightforward crimes.


It can become a lot more complicated when you get into cases like online harassment when the harassment involves emails. If hypothetical defendant X harasses victim Y by sending Y 1,000 harassing emails, is that 1 crime (single victim harassed = one crime) or 1,000 crimes (1,000 discrete acts of harassment = 1,000 crimes)? As I suspect you can already see, the answer to that question can have serious implications for sentencing, because while sentencing is not based merely on the number of counts the defendant was convicted of, that’s obviously a very significant factor in sentencing. So if, in my hypothetical, the prosecutor charges X with one count of harassment, he’s likely to face a significantly lighter sentence than if he’s charged with 1,000 counts.

Cline tried to challenge the additional counts by claiming what’s called prosecutorial vindictiveness. Basically, prosecutors have a great deal of discretion in charging, but they can’t use that discretion improperly, simply to “punish” someone for exercising their rights, say. Cline argued that he was being “punished” for winning on his appeal. The Court of Appeals rejected his argument, basically because it bought the prosecution’s claim that the additional counts were added because, in preparing for the second trial, they discovered that they’d made an error by NOT breaking the counts up the first time.


(All of that gets us into the legal intricacies surrounding charging, which I’m not going to get into here. Basically, it’s improper for a prosecutor to take one crime and break it into parts; it’s also improper for a prosecutor to charge two crimes in a single count. The prosecution in the Cline case said they added the counts because they decided they’d made the latter error the first time.)

Cline went to trial and “was found guilty of four counts of unauthorized use of a computer, two counts of conspiracy to commit aggravated arson, one count of menacing by stalking, one count of criminal mischief, one count of intimidation of a crime witness/victim, and one hundred seventy-six counts of telecommunications harassment.” State v. Cline, supra. The trial court imposed the maximum sentence on most of the counts, and imposed sentences that ran consecutively on 48 of the counts (which means he had to serve the time imposed for each one in sequence, which elongates the ultimate time served). The total sentence imposed on him was imprisonment for “fifty-eight and one-half years”, a pretty stiff sentence.

Cline argued that the sentence was excessive, noting that since he was 39 when he was sentenced, the 58+ year sentence is effectively a life sentence. He also pointed out that “of the one hundred and eighty-five counts he was found guilty of committing, one hundred and eighty of those, including all of the telecommunications harassment charges and the four unauthorized use of a computer charges, are low level felonies of the fifth degree.” State v. Cline, supra. This means that, individually, the sentence for each count would be quite low; but when you have those sentences run consecutively, and you’re talking about almost 200 counts, you can get a substantial sentence.


The Court of Appeals found that the sentence was not excessive, given (i) Cline’s lack of remorse, (ii) his having engaged in “strikingly similar” conduct in the past and (iii) the sheer magnitude of the harassing emails he sent and phone calls he made. State v. Cline, supra.
It does seem to have been a truly egregious case. If you want to find out how egregious, take a look at the opinion using the link above.

I’m going to do another post on sentencing in cybercrime cases, generally, but I want to throw out a couple of thoughts before I end this post.
What do you think of the sentence in the Cline case? Is 58+ years too much or just right for someone who used hundreds of emails (maybe thousands) to harass women who had broken up with him?

What issues should we consider when we’re sentencing computer criminals? Does it matter that computer criminals are (usually, Cline seems to have made some threats about arson) nonviolent? How do we weigh the “harm” inflicted on a victim – is emotional distress a “harm” significant enough to warrant major jail time?

Tuesday, May 06, 2008

Texas Online Harassment Statute Held Unconstitutional

In 2005, Nikolai Ivanov Karenev was charged with using email to harass his wife, Elena.

He was, more precisely, charged with one count of harassment by means of an electronic communication. Karenev v. State, ___ S.W.3d ___, 2008 WL 902799 (Tex. App. 2008).

The specific language of the charge was “`sending harassing and/or threatening e-mail to Elena with the intent to harass, annoy, alarm, abuse, torment, or embarrass [her.]’” Karenev v. State, supra.

According to the appellate court’s opinion, Elena was Nikolai Karenev’s wife, who had filed for divorce in October of 2004. The email messages were sent in Bulgarian, which was apparently the native language of both Nikolai and Elena.

At trial, the translation of the emails relied on by the prosecution was challenged by the defense, but that is not the issue that concerns us.
Nikolai was convicted of sending harassing and/or threatening emails to Elena with the intent noted above, i.e., “to harass, annoy, alarm, abuse, torment or embarrass” her. The quoted language, and the charge, came from a Texas harassment statute: Section 42.07(a)(7) of the Texas Penal Code, which reads as follows:
(a) A person commits an offense if, with intent to harass, annoy, alarm, abuse, torment, or embarrass another, he: . . . (7) sends repeated electronic communications in a manner reasonably likely to harass, annoy, alarm, abuse, torment, embarrass, or offend another.
A jury convicted Nikolai of violating the statute and he appealed, arguing that this portion of the Texas harassment statute was unconstitutional. Karenev v. State, supra. He specifically argued that the statute was unconstitutional because it was void for vagueness. In an earlier decision, another Texas Court of Appeals described the issues such a challenge raises:
It is well-established that criminal laws must be sufficiently clear in at least three respects. First, a person of ordinary intelligence must be given a reasonable opportunity to know what is prohibited. Second, the law must establish determinate guidelines for law enforcement. Finally, where First Amendment freedoms are implicated, the law must be sufficiently definite to avoid chilling protected expression. `When a statute is capable of reaching First Amendment freedoms, the doctrine of vagueness ‘demands a greater degree of specificity than in other contexts.’ Greater specificity is required to preserve adequately the right of free expression because `[u]ncertain meanings inevitably lead citizens to steer far wider of the unlawful zone than if the boundaries of the forbidden areas were clearly marked.’ Moreover, when a vagueness challenge involves First Amendment considerations, a criminal law may be held facially invalid even though it may not be unconstitutional as applied to the defendant's conduct.
Long v. State, 931 S.W.2d 286 (Texas Court of Criminal Appeals 1996).

In ruling on Nikolai’s challenge, the Karenev court cited a federal decision issued by the Fifth Circuit Court of Appeals: Kramer v. Price, 712 F.2d 174 (5th Cir. 1983). In the Kramer case, the court held that the “words `annoy’ and `alarm’ were inherently vague”, an issue many have raised in regard to statutes like this. I have often used harassment statutes that are predicated on “annoying” someone in my classes, asking the students to tell me when someone crosses the line from simply being annoying (and we all know there are a lot of annoying people out there) to magically becoming criminally annoying so that they can be prosecuted for their conduct. We usually wind up agreeing that “annoy” is not an appropriate term upon which to predicate criminal liability.

I would also go along with the Kramer court’s holding that “alarm” suffers from pretty much the same problem, unless the statute includes terms to make it clear what “alarm” means and how it rises to the level at which criminal liability is appropriate.
A stalking statute might, for example, include language describing a course of action – like repeatedly following someone, showing up at their house at odd hours, repeatedly telephoning them, etc. – and couple that with the term “alarm.” There, "alarm" would probably not be void for vagueness because the context in which it is used would put a reasonable person on notice as to what they should avoid doing if they don’t want to be charged with stalking.

The Karenev court said pretty much the same thing about the statute under which Nikolai was charged:
If (a)(7)(A) is viewed in isolation, it appears to suffer the same flaws denounced by Kramer. The words `annoy’ and `alarm’ . . . are now joined by . . . `harass,’ `abuse,’ `torment,’ and `embarrass.’ But, all these terms are joined with a disjunctive “or,” and thus do nothing to limit the vagueness originally generated by `annoy’ and `alarm.’ Moreover, the additional terms are themselves susceptible to uncertainties of meaning.
Karenev v. State, supra. In other words, you could be charged with and convicted for engaging in conduct that alarmed OR annoyed OR harassed OR abused OR tormented OR embarrassed someone. That means, as I’ve told my students when we’ve discussed statutes like this, that a prosecutor could charge someone with violating the statute for simply “annoying” someone else, and that won’t work.

In 1971, the U.S. Supreme Court held that a Cincinnati ordinance that made it a crime for “three or more persons to assemble . . . on any of the sidewalks . . . and there conduct themselves in a manner annoying to persons passing by” was void for vagueness. Coates v. Cincinnati, 402 U.S. 611 (1971). The Supreme Court held that it was void for vagueness because it predicated criminal liability on an “unascertainable standard”:

Conduct that annoys some people does not annoy others. Thus, the ordinance is vague, not in the sense that it requires a person to conform his conduct to an imprecise but comprehensible normative standard, but rather in the sense that no standard of conduct is specified at all.
Coates v. Cincinnati, supra.

The Texas court’s holding is interesting because a federal statute – 47 U.S. Code section 223(a)(1)(C) – makes it a crime to use a telecommunications device (email, for example) to “annoy, abuse, threaten or harass any person . . . who receives the communications”. The federal statute does add “threaten” to the mix, but it also uses “or” as the connector, so it may well suffer from the same defect as the statute the Texas court held unconstitutional.

Privacy: Our Responsibility?

Last October I wrote about how, and why, encrypting the contents of our emails would guarantee that they are “private” under the 4th Amendment, for the same reasons sealed letters sent through the mail are “private.”

As I mentioned in that post, a three-judge panel of the Sixth Circuit Court of Appeals held, in June of last year, that the contents of emails stored with an ISP are “private,” notwithstanding the fact that they have not been encrypted. (U.S. v. Warshak)

That opinion was later vacated, and the entire Sixth Circuit heard arguments in the case last December. The government, not surprisingly, is trying to get the Sixth Circuit to change its mind.

We still don’t have a decision in the case, as of today, but I assume one will be coming soon. The government’s arguments in the case on rehearing go to procedural issues, mostly; they challenge Warshak’s standing, his right to bring the legal challenge, which is one way of giving a court an easy way to duck deciding a hard issue. The Sixth Circuit could simply say that Warshak lacked standing, and so it cannot properly address the 4th Amendment issue. I hope the court doesn’t do that, but it wouldn’t surprise me.

Thinking about what might happen with the Warshak case brings me back to the issue I wrote a bit on last October: encryption. If we all simply encrypted our emails, they would clearly be “private” under the line of Supreme Court authority I discussed last fall. By encrypting our emails, we would, in effect, be “sealing” them just as we seal envelopes we send through the mail; it is indisputable that we have a 4th amendment expectation of privacy in sealed letters, so it seems to follow inevitably that we would also have a 4th amendment expectation of privacy in our emails . . . if we encrypted them.

Why don’t we encrypt? As I noted last fall, we don’t because it’s a pain. It’s a pain because encryption is not seamlessly incorporated into our email programs, so I have to get the software (which is freely available and free) and learn how to use it and then use it and then get the people I correspond with to use it . . . and it just seems too much trouble.

We were talking about this in one of my cybercrime classes, and a student wondered why some ISP hasn’t come up with an easy, seamless, idiot-proof system for encrypting one’s emails. If an ISP could implement such a system, the default encryption would presumably be available only with regard to emails sent within the system, which would mean it would only apply to emails among users of the system.

But as my student pointed out, the advantages of such a system should make it popular enough to be very much of a commercial success (assuming this solution is technologically viable). And it would give all of us what is lacking now: a choice as to whether to, in effect, send a postcard and waive any expectation of privacy in the contents of our communications or to seal the envelope by encrypting and gain 4th amendment protection for our emails.

Another student had an alternative approach, one that would not require coming up with a system like the one I postulate above, one that allows users of a system to seamlessly encrypt their emails. He asked whether the users of an ISP would have a legitimate 4th amendment expectation of privacy in the contents of their emails if the ISP’s terms of service said, in effect, “We not only do not read the contents of emails sent through and/or stored on our service, we have implemented measures that make it impossible for any of our employees to do so.”

In other words, the contractual provisions binding the ISP and its customers would guarantee that no one employed by the ISP would ever read emails sent via its system and/or stored on its system. The emails would, in effect, become like items we store in a safe deposit box at a bank; the bank “has” the items, but the bank has no legitimate access to them. The items are, therefore, private.

That’s a very interesting hypothetical. As I explained in a post in July 2006, the reason we don’t have a 4th amendment expectation of privacy in the contents of emails stored with an ISP (or sent via an ISP) is that the contents CAN be read by employees of the ISP. As I explained in that earlier post, the Supreme Court held, about thirty years ago, that we do not have a 4th amendment expectation of privacy in information we “knowingly” reveal to third parties. So, under the Supreme Court’s precedents, we have no 4th amendment expectation of privacy in, say, our bank records or the records of what we buy at Amazon.com or any other transaction we carry out.

The student’s suggestion could be a clever way of getting around that holding. If the ISP establishes policies and procedures which guarantee that none of its employees will ever read emails sent via the system and/or stored on it, then those who use that ISP would not seem to have “knowingly” revealed that information to its staff. If they did not “knowingly” reveal that information, then they cannot, under the Supreme Court’s general approach to the 4th amendment, be held to have assumed the risk that an employee of the ISP would read their emails and share the information with law enforcement (without the latter’s obtaining a search warrant).

If the Sixth Circuit reverses the district court and holds that we do not have a 4th amendment expectation of privacy in our emails, then a system such as the one I outline above (courtesy of the suggestion from my student) could be a possible alternative for ensuring the privacy of unencrypted emails. I ran that possibility by a federal prosecutor and asked him what he thought of it; he said he thought, “someone could make a lot of money doing that.” We’ll see.

Sunday, May 04, 2008

(More) Hard Drive Questions


This is a follow-up to the last post I did, which was on how the use of P2P file-sharing networks can impact on whether someone has a reasonable expectation of privacy in the files on their hard drive.

For what a reasonable expectation of privacy under the 4th amendment is and why it matters whether you have one, see the post just before this one. That post also talks about how using LimeWire or other P2P file-sharing networks can impact it.

This post is responding to two questions someone emailed me, follow-ups to what I talked about last time. I’ll comment on each question in order.

(1) What if the person requires a password to access and view the files on his HD, then do they have a reasonable expectation of privacy?

They presumably would. To return to the analogy I used in my past post, password-protecting files is functionally identical to closing the curtains on a window, i.e., it cuts off access by others.

Some courts have held that password-protecting files does establish a reasonable expectation of privacy under the 4th Amendment. If you’d like to read one of them, try Trulock v. Freeh, which you can find here. Click on the link for the first opinion listed: Trulock v. Freeh (December 28, 2001), Docket # 00-2260 and Opinion # 002260.P.


(2) What if person A gave person B access to person A's HD and person B loaded it with illicit material, then person B gives an undercover policeman access to person A's HD. Does person A have a reasonable expectation of privacy?

Probably not – it’s always impossible to say exactly what a court will hold because so much can depend on the particular circumstances of a case. But this one reminds me of a Supreme Court case, Frazier v. Cupp, 394 U.S. 731 (1969). After being convicted of murder, Frazier argued that the trial court should have suppressed some of his clothing found in a duffel bag he owned but had let his cousin, Rawls, use. This is how the Supreme Court dealt with his argument:
[Frazier] argues that the trial judge erred in permitting some clothing seized from his duffel bag to be introduced into evidence. This duffel bag was being used jointly by Frazier and his cousin Rawls, and it had been left in Rawls' home. The police, while arresting Rawls, asked him if they could have his clothing. They were directed to the duffel bag, and both Rawls and his mother consented to its search. During this search, the officers came upon Frazier's clothing, and it was seized as well. Since Rawls was a joint user of the bag, he clearly had authority to consent to its search. The officers therefore found evidence against Frazier while in the course of an otherwise lawful search. Under this Court's past decisions, they were clearly permitted to seize it. Frazier argues that Rawls only had actual permission to use one compartment of the bag, and that he had no authority to consent to a search of the other compartments. We will not, however, engage in such metaphysical subtleties in judging the efficacy of Rawls' consent. Frazier, in allowing Rawls to use the bag and in leaving it in his house, must be taken to have assumed the risk that Rawls would allow someone else to look inside. We find no valid search and seizure claim in this case.
Frazier v. Cupp, supra.

Under Frazier, if you give someone access to your possessions – duffel bag, hard drive, whatever – you assume the risk that they will betray you and give law enforcement officers access to those possessions.

As to B’s having been the one who put the illegal stuff on the hard drive, that’s irrelevant as to 4th amendment issues. That becomes a defense – what’s called a failure of proof defense – A can use at trial. That is, A can say “it wasn’t me who did this, it was B”, and if the jury buys A’s argument, the prosecution’s proof fails and he should be acquitted.

Saturday, May 03, 2008

Using P2P Networks to Search Hard Drives: 4th Amendment Issues

Someone emailed me to ask if it is a 4th Amendment “search” for a law enforcement officer to use P2P networks -- such as LimeWire -- to access files on a hard drive that have been marked “NOT TO BE SHARED”.

It’s a very good question, one I have debated with people at various meetings and with students in my classes.

To answer it I want to use a decision issued by a federal district court in Oklahoma a few weeks ago.
The case is U.S. v. Breese, 2008 WL 1376269 (April 9, 2008). The opinion doesn’t seem to be available via the court’s website, so I’ll summarize it.

According to the opinion, Special Agent Scott Gibson, an officer with the FBI Cybercrimes Task Force

utilized LimeWire to search the internet using a search term known to be associated with child pornography files and then used a `browse host’ function of LimeWire to look at names of other shared files available on the same computer as a file in the search result. From file names suggesting child pornography, Agent Gibson selected files to download and, after viewing them, confirmed that they did contain images of child pornography. Agent Gibson subsequently used an administrative subpoena to identify the subscriber for the Internet Protocol (IP) address associated with the computer, which was Defendant's father, and then obtained a search warrant for the residence occupied by Defendant, his parents, and his girlfriend.

U.S. v. Breese, supra. Mr. Breese was obviously charged with possessing child pornography, though the opinion doesn’t describe the exact charge.

Mr. Breese moved to suppress the evidence seized from his home, arguing that the search warrant was the product of an “unlawful search of his personal computer by accessing files on it” using LimeWire. If police violate the 4th Amendment by conducting an unlawful search and then use evidence they obtained as a result of that unlawful search, the warrant is no good and any evidence obtained as a result of executing the warrant has to be suppressed. So if Mr. Breese could show that the agent’s accessing the files on his home computer was a “search,” he could have the evidence suppressed and, I suspect, the case would be dismissed.

The court held a hearing on the motion to suppress. At the hearing, an Oklahoma Highway Patrol officer, Captain Jeffrey Elliott, testified that
LimeWire is a computer program that permits users to establish a direct connection via the internet between two computers and to share files located on those computers, unless the file-sharing function is disabled. In other words, when a computer with peer-to-peer file sharing software like LimeWire is connected to the internet, the shared files on that computer are available to anyone else using compatible peer-to-peer software and connected to the internet; all users of the software can search the shared files on another user's computer and gain entrance to those files via the internet.
U.S. v. Breese, supra.

In ruling on the motion, the district court noted that for the agent’s use of LimeWire to violate the 4th Amendment, it would have had to be a “search.” A “search” violates someone’s reasonable expectation of privacy in a place, such as the contents of one’s hard drive. In Katz v. U.S., 389 U.S. 347 (1967), the Supreme Court held that one has a reasonable expectation of privacy in a place if two conditions are met: (i) He thinks it is private; and (ii) society accepts his belief that the place is private as objectively reasonable.

When I teach this issue to my students, I use this hypothetical (just that) to illustrate how the two prongs of the Katz test work: I live in a small suburb, which has officers patrolling, sometimes, on bicycles. Assume, hypothetically, that I have a marijuana plant in my house and I want it to get some sun. I put it on a table in front of the large, uncurtained picture window in the front of my house, a picture window that is only about 25 feet from the sidewalk in front of my house. I leave it there while I go to work. An officer rides down the sidewalk on his bike and sees the marijuana plant; this gives him probable cause (!) to believe there is evidence of a crime (drug possession) in my house. He uses that to get a search warrant, enters the house, seizes the marijuana plant and I am, hypothetically (keep that in mind), charged with possession of an unlawful substance.

Like Mr. Breese, I (hypothetically) move to suppress the evidence, arguing that it was a “search” for the officer to observe the plant because it was in my home, which is the most private of 4th Amendment places. I will say I firmly believed it was private because it was in my home, and the court may buy that.

But even if the court accepts that I believed the plant was private, it will hold that the officer’s observing the plant was not a “search” under the 4th Amendment because society does not regard my belief as objectively reasonable. The court will hold that society does not regard my belief as objectively reasonable because ANYone walking down the sidewalk could have seen the plant; I took no steps, at all, to shield it from public view. For society to regard as objectively reasonable my belief that the plant in my home was private, I would have had to do something . . . put curtains on the window, for example.

That is exactly what the federal district court held in U.S. v. Breese:
The Court finds that, notwithstanding any subjective expectation that Defendant may have had in the privacy of his computer, it was not reasonable for him to expect privacy in files that were accessible to anyone else with LimeWire . . . software and an internet connection. This is not unlike the personal computer that the defendant in United States v. Barrows, 481 F.3d 1246 (10th Cir.2007), networked to a workplace computer for the purpose of sharing files. The court of appeals stated that, even though the defendant invited no one else to use his computer and may have expected its contents to remain private, `his failure to take affirmative measures to limit other employees' access makes that expectation unreasonable.’ . . . . Similarly, Defendant here had no Fourth Amendment expectation of privacy in files on his computer which were open to anyone connected to the internet to access via peer-to-peer file sharing.
U.S. v. Breese, supra.

In other words, Mr. Breese loses because he didn’t put curtains on the window. It presumably follows that someone who uses LimeWire or any other P2P network DOES have a reasonable expectation of privacy in files they have designated as private by disabling the file-sharing function.

Borders and Laptops: U.S. v. Arnold


First, I apologize for having been MIA for so long. It was due to a combination of things, classes, outside commitments, travel, etc. . . . basically not having the ability to turn down interesting things.

Second, I’m doing this post because I got an email from someone who’s read what I’ve written about laptop searches and who wondered what my take is on the 9th Circuit Court of Appeals’ recent decision in U.S. v. Arnold. You can find the opinion here, if you’re interested. Just click on this link, then click on the box on the left-hand side that says “opinions”, go to the opinions decided in April and look for Arnold, which was decided April 21, 2008. You can also find it by docket number: 06-50581.

As I wrote earlier, Mr. Arnold’s laptop was searched at LAX when he was returning from the Philippines. The Customs and Border Patrol officers didn’t just turn the laptop on to see if it was a functional laptop. They did that, but they also searched through files on the laptop and found child pornography. Mr. Arnold was then charged with possession and transportation of child pornography, which are very serious charges. He moved to suppress the images found on this laptop, arguing that the search of the files violated the Fourth Amendment.

Mr. Arnold argued that the contents of a laptop were not encompassed by the border search exception to the 4th Amendment’s requirement that police obtain a search warrant to search private property. The border search is an exception to the 4th Amendment’s requirement that officers get a warrant; it’s a very old exception, one that goes back even beyond the history of the United States. It’s based on the very logical premise that a sovereign nation has the right to find out what’s coming into its territory and what’s going out. It follows from that premise that the sovereign’s border agents can check out luggage and parcels being transported across the border . . . routinely, without probable cause or a warrant or any of the other niceties required by the 4th Amendment.

Mr. Arnold argued that searching a laptop’s contents should require a higher standard, what is called “reasonable suspicion.” Reasonable suspicion is less than probable cause, but it’s still what is called “individualized suspicion.” That is, it means an officer has to be able to justify his/her searching your property based on something you, as an individual, did. If a laptop search comes within the scope of the border exception, then when a Customs officer is asked why she searched a particular laptop, she says, in effect, “because it was crossing the border and I search things crossing the border.”

If an officer must have reasonable suspicion to search a laptop, then when she is asked why she searched a particular laptop, she has to justify the search based on specific things about the person carrying it (behavior, fake passport, etc.) and/or about the laptop itself (that’s harder for me to articulate, but there could be something about a laptop that might justify checking out the files on it). My point is that individualized suspicion means officers cannot routinely search any and every laptop that happens to be crossing the border which is, IMHO, a very important point.

Mr. Arnold argued that “`laptop computers are fundamentally different from traditional closed containers,’ and analogized them to . . . the `human mind.’ . . . He argues that a laptop is like the `human mind’ because of its ability to record ideas, e-mail, internet chats and web-surfing habits.” U.S. v. Arnold, supra (9th Circuit, April 21, 2008). He also analogized laptops to “homes,” on the theory that they contain essentially as much information about a person as does their home.

The district court agreed with Mr. Arnold and granted the motion to suppress, but the Ninth Circuit reversed. It essentially held that, under the U.S. Supreme Court’s interpretation of the border search exception, a container is a container is merely a container . . . so reasonable suspicion is not required. The Ninth Circuit noted, correctly, that about the only restrictions the Supreme Court has imposed on border searches are on those that are physically intrusive, e.g., on strip searches or other intense explorations of someone’s body.

What do I think of the Ninth Circuit’s opinion? I think it’s the predictable result, given two factors: The first factor is, as the Ninth Circuit correctly noted, the state of the law governing the border search exception. The other is the sad truth that U.S. courts have not grappled with how evolved technologies can alter the nature of a “container.” Yes, of course, a laptop is literally and functionally a “container” – it “contains” data. But it is, I respectfully submit, a container of an entirely different order from the suitcase I carry with me when I leave and enter the U.S.

I believe, as I may have said before, that cases like these are the twenty-first century’s version of a mistake the U.S. Supreme Court made 80 years ago. In Olmstead v. U.S., 277 U.S. 438 (1928), a majority of the Supreme Court held that it was not a “search” under the 4th Amendment for law enforcement officers to put a tap on phone lines outside a house and use it to listen to the contents of calls made from the house. Olmstead, a notoriously successful bootlegger, argued that it was a search because the conversations they heard originated from inside his home, which is the most “private” of “private” places under the 4th Amendment. The majority of the Court applied a “law as it has always been” theory and held that it was not a search because there was no physical entry, no trespass, into Olmstead’s home.

That was the Supreme Court’s first encounter with evolving technologies, and the Court got it wrong. In a prescient dissent, Justice Brandeis pointed out that
‘in the application of a Constitution, our contemplation cannot be only of what has been, but of what may be.’ The progress of science in furnishing the government with means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Advances in the psychic and related sciences may bring means of exploring unexpressed beliefs, thoughts and emotions. ‘That places the liberty of every man in the hands of every petty officer’ was said by James Otis of much lesser intrusions than these.

Justice Brandeis essentially argued that simply because law enforcement officers have the ability to do something does not mean they should necessarily be allowed to do it under the 4th amendment.

While we have not yet seen the “advances in the psychic sciences” Justice Brandeis postulated, consider where this might go: What if, in 10 or 15 years, instead of carrying a laptop I have a surgically implanted device in my head that lets me store data of all types, communicate instantly with anyone around the globe and carry out a series of other functions? Can law enforcement routinely access and copy the contents of my surgically implanted device whenever I enter or leave the U.S., on the basis of the border search exception?

That scenario would seem to involve a collision between the cases I noted above – the ones in which the Supreme Court has held that the 4th Amendment does impose some higher requirements for border searches that are physically intrusive – and cases like the 9th Circuit’s decision in Arnold.

I suppose the government could argue, though, that since accessing the information in my implant is conducted remotely and electronically, with none of the distasteful groping and probing involved in body searches, it would come under the Arnold rationale, rather than the body search rationale.

Final word: Justice Brandeis was right. In construing the 4th Amendment we have to stop thinking literally and think, instead, about what it is we are trying to protect.