Wednesday, July 30, 2008

"True Threat"

In an earlier post, I talked about the Alkhabaz case, in which a federal court dismissed a charge of using the Internet to transmit a “threat” to someone.

The defendant in that case was charged under 18 U.S. Code § 875(c), which makes it a crime to transmit in interstate commerce “any communication containing any threat to kidnap any person or any threat to injure the person of another”.

The use of the Internet qualifies as the use of interstate commerce, so the only issue in the case was whether what the defendant posted online constituted a threat, or what courts usually refer to as a “true threat.” As I explained in that earlier post, Alkhabaz posted stores describing the horrific torture and eventual murder of a woman who seemed to be a classmate of his. He didn’t send them to her or post them anywhere he thought she’d see them; he did post them on a website for people interested in such things.


When she discovered the posts, essentially by accident, she was horrified, as was everyone else, apparently. The federal district court dismissed the charge because it found the stories weren’t a “threat.” The government appealed to the Sixth Circuit Court of Appeals, which begin its analysis of the issue by explaining that
to constitute `a communication containing a threat’ under Section 875(c), a communication must be such that a reasonable person (1) would take the statement as a serious expression of an intention to inflict bodily harm (the mens rea), and (2) would perceive such expression as being communicated to effect some change or achieve some goal through intimidation (the actus reus).
U.S. v. Alkhabaz, 104 F.3d 1492 (6th Cir. 1997).

The Sixth Circuit agreed that the fantasies Alkhabaz had posted were not a threat, in part because he had not sent them to the person he described in them:
For example, `if the court mails this opinion to West Publishing Company, having quoted verbatim the language used by defendant which is alleged to be threatening,’ it is unlikely that any reader's sense of personal safety and well being would be jeopardized. Likewise, if `a member of the general public . . . took notes of defendant's statements and mailed them to a family member, law professor, or newspaper for their information,’ such communication would not . . . compromise the recipient's sense of personal safety. In both cases, the recipient's sense of well-being is not endangered because, from an objective standpoint, the sender has no desire to intimidate.
U.S. v. Alkhabaz, supra. The court found that rather than intending to threaten the woman featured in the fantasies, Alkhabaz posted them “in an attempt to foster a friendship based on shared sexual fantasies.” U.S. v. Alkhabaz, supra. (As I noted, he put them on a web site for people who like this type of fantasy).

That brings me to the case I want to write about. It involves another defendant who was charged with using the Internet to transmit a threat in violation of section 875(c). Here, according to an article in the Penn State Daily Collegian, are the facts that gave rise to the charges:
Steven Voneida, 24, of Harrisburg, . . . placed a photographic illustration and poem focusing on the Virginia Tech shootings on his MySpace page on April 18, [2007]. . . .

A poem entitled `the Ballad of Cho Seung-hui’ about Seung-Hui Cho -- the shooter who killed 32 people and then himself during a rampage on the Virginia Tech campus -- was just one of the pieces on Voneida's MySpace profile focusing on the incident. . . . The poem itself appeared under a headline, `Virginia Tech Massacre: They got what they deserved.'
The Daily Collegian article says Voneida's MySpace profile also included this statement: "Someday I will make the Virginia Tech incident look like a trip to an amusement park”. April 18, 2007 was two days after the shootings at Virginia Tech.

The week after the Virginia Tech killings, an Indiana University of Pennsylvania student visiting MySpace saw Voneida’s postings and contacted the Penn State - Harrisburg University Police. (Voneida was a student there.) The University Police contacted the FBI, who began an investigation, in cooperation with he Pennsylvania State Police and the local police department.

Voneida was charged with using the Internet (interstate commerce) to transmit a threat “to injure the person of another”. He filed motions seeking to exclude various evidence from his trial on the charge, and in ruling on the motions the federal district court noted it was “It is unclear to whom these posts were directed, if anyone, or whether they were made public to all MySpace users.” U.S. v. Voneida, 2008 WL 189667 (U.S. District Court for the Middle District of Pennsylania 2008). The court did note that the material Voneida posted remained on MySpace “for at least nine days”, and so had the potential to “reach an audience.” U.S. v. Voneida, supra.

If Voneida filed a motion to dismiss the charges against him on the grounds that what he posted was not a threat, I can’t find any mention of it, either in the press or in the cases reported on Westlaw.

What do you think? Was Voneida’s posting the stuff described above on MySpace a “true threat” as the Sixth Circuit defined that concept in the Alkhabaz case?

Like Alkhabaz, he didn’t send his comments directly to people at his university or any other location where he intended to make “the Virginia tech incident look like a trip to an amusement park”. Like Alkhabaz, he simply posted his comments and the poem about Cho (I can’t find the content online, not surprisingly) on an Internet site. Does it matter if he made the posts publicly available (which I’d assume, given that the IU – Pennsylvania student was able to read them) or not?

If you’re interested in what actually happened, here it is: In February of this year, he was convicted after a one-day bench trial (before a federal district court judge, instead of a jury . . . which could have been a wise move, especially if he was relying on the legal claim that what he posted was not a threat). According to a press release from the U.S. Attorney’s for the Middle District of Pennsylvania (where the case arose), he faces up to five years in prison on the conviction. I found a news story that noted, not surprisingly, that Voneida is going to appeal the conviction.

I have to assume the central issue in an appeal will be the Alkhabaz issue: whether or not posting what he posted on MySpace is really a threat (a “true threat”) or something else. I admit it was really reprehensible and I can’t imagine what he was thinking, but I wonder if it really constitute a “true threat.”

The usual section 875(c) cases involving the use of the Internet are cases like U.S. v. Li, 537 F. Supp.2d 431 (U.S. District Court for the Northern District of New York 2008). Li was given a temporary teaching position at Morrisville State College in Morrisville, New York, but was not rehired because of “poor job performance and inappropriate conduct.” U.S. v. Li, supra. He responded by sending emails threatening to kill college faculty members and administrators, as well as members of their family. U.S. Li, supra. Here are a few of the acts alleged in the indictment that charged him with sending threats in violation of section 875(c):
On September 26, 2006, defendant sent an email to James C. VanRiper, Vice President of the College, stating `Van Ripper: You made a mistake. You will die hard.’

On October 29, 2006, defendant sent an email to Frederick Paine, a professor at the College, stating `You are on the death list!’

On January 15, 2007, defendant sent an email to Kim Mills, Chairman of the College’s Computer Department, stating `I want you to suffer the hardest death'.

Finally, on March 12, 2007, defendant sent an email to VanRiper stating `Do you think [the Morrisville Police] can protect you from a man who wants to die and want to kill you? Asshole, for sure you will be killed by such a man.’
U.S. v. Li, supra. There were more like those.

In Li, the threat issue is pretty straightforward because he emailed people and told them he was going to kill them. As the Alkhabaz court noted, the definition of a threat has always been based on that direct communication with the victim; it’s considered to be one reason why we criminalize threats, i.e., telling someone you’re going to harm them causes injury in its own way.

Voneida didn’t send his statements to anyone . . . which seems to me more like Alkhabaz than like Li.

Monday, July 28, 2008

Crime, War and . . . ?

I’m reading Jane Mayer’s book, The Dark Side, which is about how the U.S. went seriously off-track in its efforts to pursue Al-Qaeda. I recommend it very highly; it’s revelatory, depressing and infuriating.

But this is a blog about cybercrime, not about the so far pretty unimpressive War on Terror. This post was prompted by something I read in the book, early on.

People in various federal government departments and divisions (e.g., CIA, Department of State, Department of Defense, White House) were trying to figure out the conceptual basis on which U.S. personnel would pursue and deal with members of Al-Qaeda and others who fell into the category of anti-American terrorists.

At first, the FBI was investigating the 9/11 attacks, just as they investigated the 1998 Al-Qaeda attacks on U.S. embassies in Kenya and Tanzania. That was the presumptive approach because terrorism has been approached as a crime since 1937, when the League of Nations promulgated a Convention on terrorism that called for countries to make it a crime and prosecute it as such. The League promulgated the Convention in response to a terrorist assassination of a Yugoslavian king and French foreign minister.

So, as I’ve noted before, terrorism became, and essentially remains, a type of crime. And that’s how the FBI, anyway, was proceeding after 9/11, until things went awry. In Mayer’s book, she quotes someone (I’ve forgotten who) as saying the U.S. government had to come up with a different approach to Al-Qaeda style terrorism because the law enforcement approach didn’t work.

It didn’t work, this person-whose-name-I-can’t-recall-and-am-too-lazy-to-look-up said, because law enforcement is retroactive – it responds to what has already happened. This person said the U.S. needed to move to a proactive approach that emphasized preventing future attacks. And he said the different approach had to be the military approach (think “enemy combatants”) because there were only two choices: law enforcement or the military.


That comment sparked this post. I want to write about the notion that there are two and only two choices, though not in terms of dealing with Al-Qaeda style terrorism. I want to talk about the notion in the context of different threats – cyberthreats.

As I explained at length in an earlier post, cybercrime challenges the law enforcement model because it deviates from the real-world crime the model assumes in several ways. Cybercrime is often transborder, transnational or trans-state in federal systems like the United States. That frustrates law enforcement because law enforcement is set up to work effectively within a particular territorial area. Once conduct leaks outside that area into one or more other areas, then law enforcement has to deal with often cumbersome legal procedures (and practical constraints) that impede officers’ ability to do their job. Another different is scale: As I’ve written in law review articles, real-world crime tends to be one-to-one crime. A perpetrator burglarizes a house, then another house, and so on; a rapist attacks one victim, then another, and so on; and that pattern operates as the default for most real world crime.

A third difference is physical proximity between perpetrator and victim, which is required in traditional crimes. To rob, rape or kill someone, I have to be close to them; and the same was historically true for crimes like fraud. Fraud was face to face crime, until the invention of the telephone. (There was, of course, some mail fraud prior to the invention of the telephone, but historically the mails were to so unreliable that this was not a good way to go.) And, finally, law enforcement has a pretty good handle on the incidence of crime in the real world; there’s a science called crime mapping that can track where crime (of particular types) is most likely to occur, and I suspect most police departments can do the same, pretty effectively. That means police have a way to allocate their very scarce resources in a way to maximize their ability to do their job.

Their job, of course, is to control crime by discouraging its commission. They do that by finding people who have already committed crimes, having them prosecuted, convicted and then sanctioned for what they did. The empirical premise of the twentieth century criminal justice system is that law enforcement officers will capture enough of the people who commit crimes (they can’t possibly catch all of them) to deter them and deter others from following their lead.

Cybercrime, as I explained in that earlier post, erodes the efficacy of this model because it can be committed from halfway around the world as easily as it can be committed next door, because it can be committed on a scale vastly exceeding the one to one default of traditional crime, because physical proximity is irrelevant and because we so far do not have accurate statistics on its incidence and authorship. The crimes themselves are for the most part the same old stuff (theft, fraud, trespass, burglary, etc.) but the medium is new and operationally problematic for law enforcement.

So the comment about needing to move from a law enforcement model in dealing with terrorism also has application to cybercrime or, more broadly, to cyberthreats. As I explained in another post, there are three cyberthreats: cybercrime, cyberterrorism and cyberwarfare.
Cyberterrorism is really a subset of cybercrime, but since it’s usually broken out in discussions I’ll make it a third category.


Three categories, two models. As with transnational terrorism, we have, if we go with the comment noted earlier, two and only two models to choose from in dealing with cybercrime, cyberterrorism and cyberwarfare. If we follow the real-world approach, then law enforcement will deal with the first two and the military will deal with the third.

The problem with that, as I noted in an earlier post and in an article cited in that post, is that the difference between the first two and the third one may not be apparent, at all. With cyberwarfare, the attacker doesn’t bomb Pearl Harbor, or London, thereby making it pretty easy to tell that this is “war,” not “crime.” We haven’t had a definitive cyberwar attacks so far (to my knowledge . . . sorties, but not an attack), so we don’t really know what one will look like. But we do know it’ll use tools essentially indistinguishable from those used by criminals, cybercriminals and cyberterrorists.

My point here is that in dealing with cyberthreats we face the same problem U.S. officials thought the United States faced in dealing with Al-Qaeda-style transnational terrorism. (I think they were wrong there, but that is irrelevant here.). The law enforcement model is not effective against anonymous, extraterritorial opponents who leave no physical crime scene and can inflict damage on a scale that is yet to be determined. (For more on that, I refer you to my post on cyberwarfare.)

So, does that leave us with only two choices in dealing with cyberthreats – keep the law enforcement model or move to a military model? First of all, in the U.S. there is a federal statute – the Posse Comitatus Act – that says the military cannot be involved in civilian law enforcement. It is only a statute, which means it could be repealed; but it rests on legal principles that go back to English common law, as well as other principles, all of which dictate that it’s a very bad idea to mix civilian and military metaphors when it comes to keeping order inside a country. I don’t think we should do that, and I suspect most military officers don’t want to do that, either.

Are there only two choices? If so, why? As I’ve written in law review articles, the dichotomy between military and civilian law enforcement evolved over time: The military deals with external threats (e.g., Nazi Germany), while civilian law enforcement deals with internal threats (e.g., the Mafia). By “threat,” I mean activity that can undermine a nation-state’s ability to maintain the internal (crime) and external (war) order it needs to survive and prosper.
We have two categories because modern nation-states are the product of and defined by the territory they control. Think about it: One of the common terms we use for a nation-state is “country.” A state’s “country” is its defining characteristic in a binary definitional system: Territory either belongs to Country A or to Country B. If it belongs to Country A, then Country A’s army will protect it from encroachment by Country B and Country A’s police will keep order within the territory.

As we all know, cyberspace is increasingly making territory irrelevant, just as modern transportation made it less of an obstacle for real-world terrorist groups like Al-Qaeda. The distinction between “inside” (law enforcement) and “outside” (the military) erodes, leaving us with an apparent conundrum: If our only options are law enforcement OR the military, then we presumably have to keep going as we are, even though we know law enforcement’s ability to deal with cyberthreats has eroded in ways we are not likely to be able to remediate (at least, not if we intend to maintain something other than a garrison state).

I’ve been wondering for some time if we don’t need to think about the inevitability of this dichotomy. I certainly don’t want it collapsed into a single system (the U.S. Military and Law Enforcement Agency) – bad, bad idea. But why can’t we expand it? Why can’t we come with a third option (not considered in developing the response to 9/11)? After World War II, the U.S. in a sense did this by creating the Central Intelligence Agency. The CIA was created as a response to the new realities of the Cold War, which was in a way analogous to cyberthreats or Al-Qaeda-style terrorism. Since it was “cold,” the cold war didn’t fit into the traditional category of war, and it wasn’t crime because it was about dealing with an external, nation-state threat. So we created a new agency and a new approach . . . not a free-standing approach, not a third option, but a new way of dealing with a new kind of threat.

I don’t see why we can’t do something similar with cyberthreats.

Friday, July 25, 2008

Complicity

As a Chicago television station reported a little over a month ago, for two years the Cook County Sheriff’s office has been targeting the use of Craigslist to facilitate prostitution.

According to the story, prostitutes advertise in the “erotic services” section of Craigslist. It says officers from the Sheriff’s Office have conducted four online prostitution stings in the last year and a half and made dozens of arrests. They arrested 76 people in their last sting, in June.

The story quotes Cook County Sheriff Tom Dart as saying “repeated attempts” to get Craigslist to shut down the “erotic services” section of its site have failed. It also reports that his office is “looking into legal action” against Craigslist, such as a “criminal or civil lawsuit.”


I don’t do civil litigation, so I have no interest in talking about that possibility. I suspect the more likely possibility is some kind of criminal prosecution, but that, of course, raises a very basic question: prosecute Craigslist for WHAT?

Let’s parse the possibilities. We begin with the obvious fact that prostitution itself is a crime in Illinois. An Illinois statute says that anyone who “performs, offers or agrees to perform any act of sexual penetration . . . or any. . . fondling of the sex organs of . . . another person, for any money, property . . . anything of value, for the purpose of sexual arousal or gratification commits an act of prostitution.” 720 Illinois Compiled Statutes Annotated § 5/11-14. Under the statute, the first conviction is a misdemeanor, while all subsequent convictions are a minor felony.

I can see two ways for the state of Illinois to bring a criminal prosecution against sites like Craigslist that provide information about prostitutes. The first is the traditional way: prosecute them for soliciting prostitution.

An Illinois statute says anyone “who performs any of the following acts commits soliciting for a prostitute:” (i) Solicits another for the purpose of prostitution; (ii) arranges or offers to arrange a meeting of persons for the purpose of prostitution; or (iii) directs another to a place knowing such direction is for the purpose of prostitution.” 720 Illinois Compiled Statutes Annotated § 5/11-15.

I don’t think sites like Craigslist could be charged under this statute because while the advertisements they carry may help prostitutes hook up with their customers, the intent – the mens rea – is missing. To violate this statute, you have to (i) purposely solicit (i.e., try to get someone interested in) an act of prostitution or (ii) purposely arrange a meeting for a prostitute or (iii) send someone to a place knowing you’re doing so to facilitate prostitution. I don’t see how any of that can apply to a site like Craigslist. According to their fact sheet, they get more than 30,000,000 new ads each months. There’s no way they could police the content of all that, even if they wanted to. There’s certainly no way a prosecutor could show that Craigslist carried a particular ad for one of the purposes noted above, i.e., acting with what the law calls the specific intent to solicit an act of prostitution.


The other way the state of Illinois might be able to prosecute sites like Craigslist for providing information about prostitutes is to use complicity, or aiding and abetting a crime. I talked about aiding and abetting in an earlier post, so if you’re interested in reading more about how it works, you might check that post.

Essentially, complicity is a principle that says someone who purposely facilitates the commission of a crime is as guilty as the person who actually carries out the crime (the principal). So if I know you are going to rob a bank and you ask me to get you a gun for the robbery and I do that, I’ve aided and abetted your crime . . . have, as the law says, become you accomplice. I can be held liable for the robbery as if I committed it. Aiding and abetting liability is a way of ratcheting up the stakes for those who might assist in the commission of a crime; it makes it very risky for someone to do that. You might as well commit the crime yourself, because if you’re caught you’ll face the same penalty as the perpetrator, absent your cutting a deal with the prosecutor.

Here’s what Illinois law requires to establish complicity in a crime:
[Complicity] requires a showing that the offender intended to promote or facilitate the commission of a crime, and . . . such intent is usually proven by showing that the accomplice shared a community of purpose or common design with the principal. . . . . The principal attribute of accountability is the showing of affirmative conduct by an accomplice that in some way aids, encourages or incites another to commit a crime.
People v. Peterson, 273 Ill. App.3d 412, 652 N.#.2d 1252 (Illinois Court of Appeals 1995).

Prosecutors sometimes go after legitimate businesses for aiding and abetting a crime. About fifteen years ago, there was a California fellow who owned a store that sold chemicals. He realized three particular chemicals could be used to make methamphetamine; he also realized he could make a lot of money selling those chemicals to people who made methamphetamine. So he pretty much turned his store into a store selling those three chemicals for cash to people whose names he either didn’t bother to get or that were transparent aliases. He was prosecuted for aiding and abetting the manufacture of methamphetamine. To show he was complicit in that crime, the prosecution proved that (i) he knew the three chemicals in combination could only be used to make methamphetamine and (ii) the sale of those chemicals accounted for the vast majority of his profits. From those facts, and the related facts that he dealt in cash, kept no customer records and deliberately did not know who his customers were, the prosecutors asked the jury to infer that he “shared a community of purpose” with the meth manufacturers, and so was complicit in what they did. The jury bought it and he was convicted.

The problem with trying to extrapolate that theory to what Craigslist is doing with its “erotic services” ads is showing that Craigslist shares such a “community of purpose,” i.e., that its purpose is to promote prostitution. In that regard, my hypothesized effort to charge Craigslist as an accomplice of prostitutes using its website reminds me of an old California case: People v. Lauria, 251 Cal. App.2d 471, 59 Cal. Rptr. 628 (California Court of Appeals 1967).

The defendant in that case operated a telephone answering service, which was very useful in a pre-cell phone, pre-pager era. My impression is that they were used by lots of people. Lauria’s service was in Los Angeles, so it was probably used a lot by would-be movie people, among others. For some reason, a policewoman decided to do a sting on his service: She signed up for the service, dropping hints that she was going to use it for prostitution and saying she had been referred by Terry, a prostitute known to use the service. The policewoman met with Lauria and dropped hints about needing customers, but the court’s opinion says he didn’t take the bait. All he said was that his “business was taking messages.” People v. Lauria, supra.

Lauria winds up being arrested, along with three prostitutes. He’s charged with aiding and abetting prostitution. He argued that the charge

was undeserved, stating that Hollywood Call Board had 60 to 70 prostitutes on its board while his own service had only 9 or 10, that he kept separate records for known or suspected prostitutes for the convenience of . . . the police. When asked if his records were available to police . . . to investigate call girls, Lauria replied that they were whenever the police had a specific name. However, his service didn't ‘arbitrarily tell the police about prostitutes on our board. As long as they pay their bills we tolerate them.’ In a . . . voluntary appearance before the Grand Jury Lauria testified he had always cooperated with the police. But he admitted he knew some of his customers were prostitutes, and he knew Terry was a prostitute because he had personally used her services, and he knew she was paying for 500 calls a month.


People v. Lauria, supra.

Lauria got the trial court to dismiss the charges against him, but the prosecution appealed. The California Court of Appeals agreed with the lower court:
When we review Lauria's activities . . ., we find no proof that Lauria took any direct action to further, encourage, or direct the call-girl activities of his codefendants and we find an absence of circumstances from which his special interest in their activities could be inferred. Neither excessive charges for standardized services, nor the furnishing of services without a legitimate use, nor an unusual quantity of business with call girls, are present. . . . Under these circumstances, . . . there was insufficient evidence that he intended to further their criminal activities, and hence insufficient proof of his [intent to aid and abet prostitution].
People v. Lauria, supra.

Craigslist is in essentially the same situation, though its relationship with the prostitutes who use its service is complicated by the vastness of the ads listed on its site. Lauria knew prostitutes were using his service, and probably knew who most of them were because his client base was tiny, compared to the number of people Craigslist deals with. I do not see how Craigslist could be charged as an accomplice to prostitution carried out by those who happen to put ads on its service. Absent complicity, I don’t see any other basis for bringing criminal charges again the site.

Wednesday, July 23, 2008

ISP Subscriber Records Private in NJ

As I explained last fall, in two decisions issued in the 1970s the U.S. Supreme Court held that we do not have a 4th Amendment expectation of privacy in what are called third-party records.

In one of the cases, the Supreme Court held that a man who made calls from his home did not have an expectation of privacy in the numbers he dialed because he “knowingly revealed” them to the phone company and thereby assumed the risk the company would give them to the police (without the police’s having a search warrant).

In the other case, the Court held essentially the same thing as to a customer’s bank records; by sharing information with the bank, the customer lost any expectation of privacy in it and assumed the risk the bank would share it with law enforcement.


Like many, including Justice Marshall who wrote a great dissent in the telephone case, I think those decisions were wrong when they were decided and are still wrong. Justice Marshall pointed out that he doubted the man who made the calls really realized he was “giving” information to the phone company that it might then share with the police; he also pointed out that the assumption of risk analysis was wrong because it implies you have a choice, and the only choice the decision left telephone users with is either don’t use the phone (or any technology) or, if you do, understand that your information is not private. You can read about these issues in that earlier post I mentioned.

The Warshak case dealt with the privacy of the CONTENT of our emails. What we’re talking about now is not the content of our communications; it’s either the data used in the transmission of those communications, like phone numbers (“traffic data”) or data concerning the identity of the person who’s using the telephone or email service. That’s the issue I want to focus on here.

The New Jersey Supreme Court rather recently held that subscriber information IS private in New Jersey. It reached this result by applying the New Jersey Constitution. A state court, like the New Jersey Supreme Court, can interpret a state’s constitution in essentially any way it likes, as long as the interpretation does not provide the citizens of that state with LESS protection than they have under the federal constitution. So while the New Jersey Supreme Court can’t change the U.S. Supreme Court’s interpretation of the 4th Amendment, it can interpret its own constitution – the New Jersey Constitution – to give the citizens of that state MORE protection than they have under the federal Constitution.

The case is State v. Reid, 194 N.J. 386, 945 A.2d 26 (N.J. 2008). You can find the opinion here. And here are the facts:
On August 27, 2004, Timothy Wilson, the owner of Jersey Diesel, reported to the Lower Township Police Department that someone had used a computer to change his company's shipping address and password for its suppliers. The shipping address was changed to a non-existent address.

Wilson explained that Shirley Reid, an employee who had been on disability leave, could have made the changes. Reid returned to work on the morning of August 24, had an argument with Wilson about her . . . assignment, and left. According to Wilson, Reid was the only employee who knew the company's computer password and ID.

Wilson learned of the changes through one of his suppliers, Donaldson Company, Inc. Both the password and shipping address for Jersey Diesel had been changed on Donaldson's website on August 24, 2004. . . . [S]omeone accessed their website and used Jersey Diesel's username and password to sign on at 9:57 a.m. The individual changed the password and Jersey Diesel's shipping address and then completed the requests at 10:07 a.m.

Donaldson's website captured the user's IP address, 68.32.145.220, which was registered to Comcast.
State v. Reid, supra.

A subpoena was used (by the police or by Wilson acting as an agent of the police, I’m not sure) to get “`[a]ny and all information pertaining to IP Address . . . 68.32.145.220’” from Comcast. “Comcast . . . identified Reid as the subscriber of the IP address. In addition, Comcast provided . . . Reid's address, telephone number, type of service provided, IP assignment (dynamic), account number, e-mail address, and method of payment.” State v. Reid, supra. Based on that and probably other evidence, Reid was charged with computer theft. State v. Reid, supra.

Reid moved to suppress the information Comcast provided pursuant to the subpoena, claiming it violated her right to be free from “unreasonable searches and seizures” because she had a reasonable expectation of privacy in the information. That sounds like she was making a 4th Amendment argument, but as the NJ Supreme Court noted, both “the Fourth Amendment . . . and Article I, Paragraph 7, of the New Jersey Constitution protect, in nearly identical language, `the right of the people to be secure ... against unreasonable searches and seizures.’” State v. Reid, supra.

The NJ Supreme Court began its analysis of the argument by noting, as I explained above, that Reid had no 4th Amendment expectation of privacy in the information. It then turned to the state analog of the 4th Amendment, explaining that on multiple occasions this Court has held that the New Jersey Constitution `affords our citizens greater protection against unreasonable searches and seizures” than the Fourth Amendment.’” State v. Reid, supra. Specifically, the NJ Supreme Court had already held that the New Jersey Constitution (i) protects the privacy of the numbers one dials on their phone and (ii) protects the privacy of bank account records. So, the court had already used the state provision to, in effect, overrule the 4th Amendment insofar as searches and seizures by New Jersey officers against New Jersey citizens or residents are concerned.

In what I find a well-reasoned opinion, the NJ Supreme Court held that “Internet users . . . enjoy relatively complete IP address anonymity when surfing the Web. Given the current state of technology, the dynamic, temporarily assigned, numerical IP address cannot be matched to an individual user without the help of an ISP. Therefore, we accept as reasonable the expectation that one's identity will not be discovered through a string of numbers left behind on a website.” State v. Reid, supra. It noted that the
availability of IP Address Locator Websites has not altered that expectation because they reveal the name and address of service providers but not individual users. Should that reality change over time, the reasonableness of the expectation of privacy in Internet subscriber information might change as well. For example, if one day new software allowed individuals to type IP addresses into a “reverse directory” and identify the name of a user-as is possible with reverse telephone directories-today's ruling might need to be reexamined.
State v. Reid, supra.

The court did not go as far as to require police to get a search warrant for IP addressing information and subscriber information. In this case, the police used what was conceded to be a “defective” municipal subpoena. The NJ Supreme Court found, as had the trial court, that this was not sufficient, but it declined to require them to get a warrant in future cases. The court held that a “grand jury subpoena . . . based upon a showing of relevant” satisfies the requirements of the NJ Constitution. State v. Reid, supra.

So in the future, officers will have to go to a grand jury and get the grand jury to subpoena the records; I assume the relevancy issue comes up if the person whose records were subpoenaed later challenges the process used to obtain them. I’m assuming that if such a challenge is made, then the prosecution has to show that the grand jury had reason to believe the evidence was relevant to criminal activity, instead of simply conducting a fishing expedition.


It may not be full 4th Amendment protection, but citizens in New Jersey have a lot more privacy in their bank, telephone, utility and ISP records than citizens in most states.

Monday, July 21, 2008

Best Evidence

As Wikipedia explains, the best evidence rule is a principle that can be traced back to common law.

In an often-cited eighteenth century decision, an English judge noted that evidence was not admissible unless it was “the best that the nature of the case will allow”. Omychund v. Barker, (1745) 26 ER 15, 33.


According to Wikipedia, the rationale for the rule arose from how documentary evidence was produced in the eighteenth century: “a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.”

Though technology is far more advanced, and copies are no longer made by hand, the rule survives. I’m going to use a recent case to show how it applies in an era of digital technology.

The case is Bobo v. State, 2008 WL 2191159 (Arkansas Court of Appeals, 2008). Bobo was convicted of first-degree sexual assault and appealed, challenging the admission into evidence of certain emails. Here, according to the court, are the facts that led to her conviction:
On November 3, 2005, Twilla Frosco checked her email on the family computer. She saw that the email account of her fourteen-year-old son (DF) was open on the screen. She read some of the messages and found . . . exchanges between DF and Bobo, one of DF's former . . . teachers. The messages were sexually explicit. Twilla . . . called her husband, Richard Frosco, who asked [her] to forward the emails to him.

Richard called the prosecutor's office . . . and was referred to . . . Detective Heather McCaslin, who asked [him] to forward the emails to her. . . . [She sent them to] Sergeant James Flynn. . . . [who] issued subpoenas to the internet providers . . . obtained consent to search DF's computer, and secured a warrant to search Bobo's computer.

At trial, DF testified that when he was in eighth grade, Bobo was his math co-teacher. In February 2005, Bobo picked DF up at church and drove him to a loading dock where DF testified they had sexual intercourse in Bobo's vehicle. Afterwards, Bobo drove DF back to church. DF testified that Bobo came to his house a few weeks later while his parents were not home, and they had sexual intercourse again.
Bobo v. State, supra.

On appeal, Bobo argued that the trial court erred in admitting 19 emails allegedly exchanged between her and DF. “Because the original emails from the computers of DF and Bobo no longer exist, she argues that the State failed to properly authenticate the forwarded emails (as there was evidence of tampering and/or altering of them) and that the emails were admitted in violation of best-evidence rules found in Arkansas Rules of Evidence 1001- 1004”. Bobo v. State, supra. According to the court of appeal’s opinion, the emails no longer existed because DF deleted them from “his computer, and Bobo's computer crashed in June 2005.” Bobo v. State, supra.

Since the authentication and best evidence issues were inter-related, the court began with authentication:
Rule 901(a) of the Arkansas Rules of Evidence provides that: `[A]uthentication . . .as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.’ . . . Authentication requirements are satisfied if the trial court . . . concludes that the evidence presented is genuine and, in reasonable probability, has not been tampered with or altered in any significant manner. . . . [E]very possibility of tampering need not be eliminated.

[T]he emails were properly authenticated. DF testified that he either mailed to Bobo or received from Bobo each of the emails in question. Moreover, DF's mother testified that she read the original emails exchanged between DF and Bobo. Bobo admitted to sending emails to DF, and although she denied any of the sexual content of the emails, she admitted that she sent emails to DF with non-sexual content. For example, she admitted visiting with DF via email about her computer problems, his new school, and his girlfriend. She also admitted that she sent him an email telling him that she hoped he did not forget her. All of this non-sexual content was contained in the emails in question.

Further, the State presented evidence confirming that the emails in question were properly addressed to DF's email account and the email account of Bobo and her husband. Sergeant Adam Holland of the Fort Smith Police Department and Michael Parks of the Fayetteville Police Department conducted forensic examinations of DF and Bobo's computer and located the emails in question. The State offered an additional expert witness, Paul Brown, who not only examined the computers but also the server through which the emails traveled. Brown verified that fifteen of the emails sent by Bobo to DF matched a temporary, unique IP internet address for her computer. Despite arguments made by Bobo that the emails could have been tampered with or altered because some of the forwarded emails had no headers, the State's experts concluded that the emails were genuine and that the validity of the emails was not in question.
Bobo v. State, supra.

The court then addressed Bobo’s best evidence issue, which seems a pretty good argument, considering that the originals of the emails had been destroyed before the trial. The court of appeals held, though, that the email printouts introduced at trial were the best evidence of the
emails exchanged between DF and Bobo. Arkansas Rule of Evidence 1002 provides: `To prove the content of a writing . . . the original . . . is required, except as otherwise provided in these rules’. Rule 1004 provides that `t]he original is not required, and other evidence of the contents of a writing is admissible if . . . [a]ll originals . . . have been destroyed, unless the proponent lost or destroyed them in bad faith.’ `If data are stored in a computer . . . any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”’ Ark R. Evid. 1001(3).

The emails . . . were stored in the computers of DF and Bobo. Original emails could not be printed from Bobo's computer because it crashed in June 2005, and could not be printed from DF's computer because he deleted them. . . . [U]nder Rule 1004, because the originals were . . . destroyed, it is permissible to admit . . . printouts of the emails, which were forwarded to other computers, as long as they were shown that they reflect the data accurately. As set forth above, there is sufficient evidence demonstrating that the emails offered into evidence are accurate. Furthermore, the bad-faith exception does not apply because there is no evidence that the State -- the proponent of the emails --in bad faith lost or destroyed the emails.
Bobo v. State, supra. So Bobo lost on this and her other issues, and the court of appeals upheld her conviction. She was sentenced to serve two 6-years of imprisonment, to run consecutively (12 years), so she had an incentive to appeal. I assume she’ll try again with the Arkansas Supreme Court, if possible, but I suspect they’ll agree with this court.

I don’t have a problem with the court’s resolution of the best evidence rule. We’ve come a long way from when copies were made by hand (maybe by parties to the case), and it’s pretty straightforward to substitute a printout or another copy when something’s been destroyed.

What I cannot understand is how DF was able to delete the emails on his computer. Bobo was apparently just really lucky to have had her computer crash a few months before all this came to light. But once DF’s parents and the police discovered that the emails were on his computer, wouldn’t someone have taken steps to preserve them? Imagine what would have happened if DF’s mother had not forwarded the emails to her husband. They might have been destroyed before anyone could make a printout of them . . . which might have jeopardized the case.

Friday, July 18, 2008

Photoshop Crime

A year ago today, Thailand’s Computer Crime Act, B.E.2550 (2007,) went into effect. If you’re interested, you can find an unofficial translation of the Act here.

Most of it is straightforward computer crimes legislation that focuses on offenses like unauthorized access and causing damage to data or computer systems. It also appears to have cyberterrorism provisions in Section 12, which is unusual.
(Note: This translation refers to the provisions as “sections”. I’ve also seen them referred to as “articles.” Not knowing which is correct, I’ll go with sections.)

I’m interested in the provisions of Section 16 of the Act -- its “Photoshop” section. Here is the unofficial translation of that section:
Any person, who imports to a computer system that is publicly accessible, computer data where a third party's picture appears either created, edited, added or adapted by electronic means or otherwise in a manner that is likely to impair that third party's reputation or cause that third party to be isolated, disgusted or embarrassed, shall be subject to imprisonment for not longer than three years or a fine of not more than sixty thousand baht, or both.
I find the statute interesting it essentially seems to be a photo-defamation crime.

As I noted in an earlier post, modern U.S. law really does not criminalize defamation. Working in the 1950s, the drafters of the Model Penal Code, the set of model criminal laws that has been very influential at the state level, decided not to criminalize libel, or defamation. They said, as I noted earlier, it was the most difficult decision they made. They essentially decided not to criminalize defamation because they believed civil remedies were enough, i.e., someone who’d been defamed could sue the newspaper or television station or magazine responsible and recover substantial monetary damages.

As I wrote in the earlier post, and in a law review article, that may have made sense in the 1950s and 1960s, because the publication of text and images was controlled by the mainstream media. The MSM had, and has, trained personnel, procedures and an economic incentive not to recklessly defame people; the MSM also has what lawyers call deep pockets, i.e., money to be able to pay a substantial civil judgment by someone they defamed.

Now, of course, any of us can be a publisher. In that earlier post I talked about the issues that rises, and how it undermines the rationale the drafters of the Model Penal Code relied on in reaching their decision not to criminalize defamation.

Our newly-acquired ability to become cyber-William Randolph Hearsts has a number of consequences, most good, some bad. In the earlier post I noted some cases in which people used this ability to cause varying types of harm to other people.

Since we can use our ability to publish online to harm other people, it seems we might want to consider criminalizing at least some of that activity. That’s a common reaction when we as a species find a new way to exploit our apparently infinite capacity to inflict harm on each other.
I’m not opposed to criminalizing certain types of “harmful” online publication, but doing so is not as simple a process as it may seem. Aside from anything else (e.g., political or practical concerns), criminalizing any kind of speech implicates two often problematic issues: (i) free speech guarantees (which are particularly important in the U.S.) and (ii) line-drawing.

I’m not going to go into the free speech issue here for several reasons: I suspect everyone has a pretty good idea of how the First Amendment protects most speech, even obnoxious speech; First Amendment analysis can be long and complex; and I did that in the law review
article I mentioned, which you can read online, if you like. Another reason is that this post is about Section 16 of the Thai cybercrimes act, and the First Amendment is irrelevant in Thailand.

When I was researching the law review article, I found a number of stories about people whose images had been altered in photos posted online. Some were humiliated, both by how they were made to appear and, perhaps even more importantly by the fact that someone would want to do that to them. I remember reading a story about an Asian woman whose face was distorted in a photograph posted online; she said she kept wondering why someone would do that to her -- whether they thought she was a bad person or worthless or what their reasons might have been. It actually affected her life; she became something of a recluse, never knowing who around her might have been responsible (and probably wondering what they thought of the photo, and of her).

You might think she’s overreacting, but I don’t. A year or so ago, I did a presentation on this issue to a group of prosecutors, including some state Attorney Generals. I used the case of this woman in the presentation; I remember, as I was covering it, looking at the audience and thinking, “They’re not going to get this. They’re going to think this is silly, focusing on having your photo altered.” After the conference, I walked ou with a former state Attorney General. He told me he found that part of the presentation interesting because when he was Attorney General an alternative newspaper in the state capitol published an altered photograph of him . . . one that made his face look grotesque. He said it really bothered him, and I could tell it still did. He asked me, “Why did they have to do that? Why couldn’t they just use my regular photo?”

Making people look foolish or unattractive is actually a pretty effective way of attacking their ego, their self-confidence. Obviously, the impact will vary from person to person. Until I saw Section 16, though, I would not have thought of criminalizing such conduct. And that brings me back to the second issue I noted above: line-drawing.

If you’re going to criminalize posting an altered photo of someone online, how do you define when doing that is (i) great, (ii) okay, (iii) maybe a little annoying but nothing more or (iv) criminal because it just goes TOO FAR. How do you know when posting an altered photo crosses the line and becomes criminal?

The Thai provision defines going TOO FAR as posting an altered photo that (i) impairs the victim’s reputation or (ii) causes them to be “isolated, disgusted or embarrassed”. The woman I mentioned above was isolated and embarrassed, so posting her photo would qualify under this statute. The former Attorney General was embarrassed, so I suppose posting his photo online (instead of in print) would also qualify.

In the law review article, I tried to deal with the line-drawing issue by dividing harmful online publication into various categories: (i) ridicule; (ii) invasion of privacy; (iii) false light; and not-so-false light. I’ll hold ridicule for a minute, while I briefly summarize the others.

Invasion of privacy is publishing information you’d prefer to keep private; a few years ago two Congressional staffers had an affair, and she published the details (“likes to be spanked and to spank”) on a website. That’s invasion of privacy; the gentleman involved would have preferred that information not get into the public domain. This is harmful publication, but it’s true; invasion of privacy by definition involves revealing accurate information, so it’s not defamatory. False light is presenting someone as they are not; a few years a university student posted a story on a website saying her physics professor sexually harassed her and told her he was a pedophile; neither was true. (He sued for defamation and won, no damages because she was broke, but he presumably felt better.) We could probably make that a crime, but we don’t, so far.
Not-so-false light is publishing not private but discreditable information about someone, stuff they’d prefer not to see in the public domain; a couple of years ago, The Smoking Gun published mug shots of women – “Foxy Felons” – charged with various crimes. The women weren’t particularly happy about this, but since the information was true it wasn’t defamation.


In the article I argued for criminalizing defamatory publication, but not the other two. Invasion of privacy publication can represent a terrible betrayal of trust but, sadly, that is something I think we are going to have to deal with. I suggest in the article that perhaps the facility with which we can publish all kinds of information (true, untrue, discreditable, complimentary, seamy, etc.) online may ultimately make all of us far more sophisticated and discerning consumers of content. I hope so, anyway.

What about ridicule? It seems to me that this is the “harm” the Thai statute is primarily concerned with. If that is true, then I don’t think the statute is a good idea; I don’t see how it can be controlled, i.e., how a prosecutor decides when embarrassment rises to the level at which prosecution is appropriate and when it does not.

When I first saw Section 16, I thought of the “Star Wars Kid,” who was one of the examples I used in the ridicule section of my law review article. In 2003, a high school student in Canada recorded himself as he pretended to wield a Star Wars light saber (actually a golf ball retriever). He left the video in the recorder, classmates found it and posted it online and it went viral --- estimates are that it’s been viewed over 900,000,000 times. The boy was humiliated, though the people who viewed it seem to have been sympathetic for the most part. Like the lady I mentioned earlier, he felt foolish.

I sympathize with him, and with all the other people I’ve mentioned in this post, but I don’t see how we can prosecute people for embarrassing others. (And please don’t take that as an invitation to make me change my mind).

Wednesday, July 16, 2008

Video Voyeurism

A New York Criminal Court judge recently dismissed charges of disseminating an unlawful surveillance image that had been filed against Angelo Morriale.

According to the court’s opinion, Morriale “used a camera phone to videotape himself having sexual intercourse with the [victim] on two separate occasions on the same date, without her knowledge, permission, or authority.” People v. Morriale, 2008 WL 2346132, 2008 N.Y. Slip Op. 28214 (N.Y. City Criminal Court, June 10, 2008). He was alleged to have “sent the videos to at least one other person and to his own email account without the [victim’s] permission or authority to do so.” People v. Morriale, supra.

The charge was brought under New York Penal Law § 250. 55, which provides as follows:
A person is guilty of dissemination of an unlawful surveillance image in the second degree when he or she, with knowledge of the unlawful conduct by which an image or images of the sexual or other intimate parts of another person or persons were obtained and such unlawful conduct would satisfy the essential elements of the crime of unlawful surveillance in the first or second degree, intentionally disseminates such image or images.
Since Morriale was alleged to have sent the videos (i) to himself and (ii) to someone else, he was charged with two counts of violating this statute. As I explained in an earlier post, each “count” of a charging document (the superseding complaint, in this case) represents the commission of a separate crime, a separate violation of the statute at issue. Since this statute makes it a crime to “disseminate” an unlawful surveillance image, each time someone “disseminates” an image, that’s a new crime and a new count.

The provision – known as Stephanie’s Law – was added to the Penal Code in 2003, due in large part to the efforts of a woman whose landlord had secretly videotaped her by putting a camera in the smoke detector over her bed. People v. Morriale, supra. The court noted this was a case of first impression, i.e., there are no other reported cases construing this new statute.

Morriale moved to dismiss the charge, and the court granted his motion as to one count:
One of the two counts . . . is predicated on defendant's alleged dissemination of the video recording to his own email account. `Disseminate’ is defined as `to give, provide, lend, deliver, mail, send, forward, transfer or transmit, electronically or otherwise to another person.’ (Penal Law § 250.40[5] ). Since defendant's alleged transmission of the video to himself does not constitute dissemination as defined, one count of the charge must be dismissed.
People v. Morriale, supra.

It also dismissed the other count – the one based on Morriale’s allegedly sending the videos to someone else. The court began by parsing the statute into its elements. To be guilty under § 250. 55, someone must have
  • Intentionally disseminated one or more image of the sexual or other intimate parts of another person;
  • Knowing of the unlawful conduct by which the image(s) was/were obtained; and
  • That unlawful conduct must satisfy the essential elements of the crime of unlawful surveillance in the first or second degree [under New York Penal Law § 250.50].
The court dismissed the remaining count because it found that the last element was not established by the allegations in the count against Morriale.

To commit unlawful surveillance in the first degree under § 250. 50, someone has to commit “the crime of unlawful surveillance in the second degree and [have] been previously convicted within the past ten years of unlawful surveillance in the first or second degree.” People v. Morriale, supra. The charge did not allege that Morriale had been convicted of unlawful surveillance within the last ten years, so it did not charge this crime.

To commit unlawful surveillance in the second degree under New York Penal Law § 250. 45, someone has to have done one of the following:
1. For his or her own, or another person's amusement, entertainment, or profit, or for the purpose of degrading or abusing a person, he . . . intentionally uses or installs, . . . an imaging device to surreptitiously view . . . or record a person dressing or undressing or the sexual or other intimate parts of such person at a place and time when such person has a reasonable expectation of privacy, without such person's knowledge or consent; or

2. For his or her own, or another person's sexual arousal or sexual gratification, he or she intentionally uses or installs. . . an imaging device to surreptitiously view . . . or record a person dressing or undressing or the sexual or other intimate parts of such person at a place and time when such person has a reasonable expectation of privacy, without such person's knowledge or consent; or

3. For no legitimate purpose, he or she intentionally uses or installs. . . an imaging device to surreptitiously view, broadcast or record a person in a bedroom, changing room, fitting room, restroom, toilet, bathroom, washroom, shower or any room assigned to guests . . . in a motel, hotel or inn, without such person's knowledge or consent; or

4. Without the knowledge or consent of a person, he or she intentionally uses or installs. . . an imaging device to surreptitiously view, broadcast or record, under the clothing being worn by such person, the sexual or other intimate parts of such person.
The court found the allegations against Morriale did not allege a violation of either the first or second subsections of § 250. 45 because the first requires that the perpetrator commit the act for his "own, or another person's amusement, entertainment, or profit, or for the purpose of degrading or abusing a person”, and the second requires that he act for his "own, or another person's sexual arousal or sexual gratification”. Since the count filed against Morriale made “no allegation as to defendant's purpose either in its accusatory or in its factual portions”, it failed to allege the crime of unlawful surveillance in the second degree, and so failed to charge Morriale with violating § 250. 55. People v. Morriale, supra.

The court also found that the count did not allege a violation of the other sections of the statute: It did not, as subsection 3 requires, allege that Morriale used or installed an imaging device in a “bedroom, changing room, fitting room, restroom, toilet, bathroom, washroom, shower or any room assigned to guests or patrons in a motel, hotel or inn”. And it did not, as subsection 4 requires, allege that he used or installed such a device “to surreptitiously view, broadcast, or record the sexual or other intimate parts of the victim `under the clothing being worn by such person’”. People v. Morriale, supra. So the court granted his motion to dismiss.

The count was dismissed because it was factually and legally insufficient, which means the prosecutor’s office can try again, with a new set of charges, if it wishes. The charges would, though, have to allege facts that would establish the elements set out above.

It’s clear the prosecution won’t be able to bring a dissemination charge against Morriale for sending the videos to himself, because that’s just not “dissemination” under this, or any other, criminal statute. The whole point of criminalizing the dissemination of something (drugs, child pornography, videos like these) is to punish the act of sharing the “harm.” If I possess drugs or child pornography, that’s one kind of “harm;” if I also give them to you, that’s a whole new, additive “harm.” Here, though, Morriale only sent the videos to himself, so there’s no additive “harm,” no sharing of the “harm.”

I saw a news story that said the prosecutor’s office is considering what to do now. I suspect one reason why the charges were flawed is that this is, as the court noted, a new statute, so prosecutors maybe haven’t brought many (any) charges under it before. The other problem is that it looks like what Morriale did may just not fit under the New York video voyeurism law.

Video voyeurism laws are an evolved version of the Peeping Tom laws that came from common law, the ones that make it a crime to sneak onto someone else’s property and observe them without their permission (usually for the purposes of sexual gratification). It looks like the New York law is a little too complicated (as, I think, are some other, similar laws). Why not just make it a crime – a smaller crime – to capture images of someone without their permission when they are in a place where they have a legitimate expectation of privacy? You could then either define additional, more serious offenses based on other aspects of the conduct, such as disseminating the pictures to others and/or capturing the images in REALLY private places. Or you might simply use such conduct as aggravating factors to increase the sentences imposed for the base crime.

If you did that, then it seems like it would be easy to bring a legitimate charge against Morriale. You do have the complicating issue that the victim knew he was there and, I suppose, at some level knew he COULD take videos of her. That differentiates this kind of video voyeurism from the kind of activity many of these statutes target (e.g., dressing rooms, hotel rooms, etc) and the kind of conduct Peeping Tom laws targeted. It seems to me it’s not reasonable to assume (if, indeed, that assumption is at least in part for the convoluted specificity of some of these statutes) that someone should be deemed to have assumed the risk of being photographed simply because they were involved in an intimate moment with another person.

Monday, July 14, 2008

Kyllo

As I’ve explained in earlier posts, the 4th Amendment to the U.S. Constitution protects citizens from “unreasonable” searches (and seizures).

As I’ve also explained, a search intrudes on a cognizable 4th Amendment expectation of privacy – what the Supreme Court in Katz v. United States defined as a “reasonable expectation of privacy.” To have a reasonable expectation of privacy in something – like the contents of your hard drive, say – you have to believe it is private and a court has to find that our society, in general, does, too. In other words your belief that the contents of your hard drive are private has to be objectively reasonable; we don’t enforce the quirky beliefs of those who are out of step with the general culture.

Courts uniformly agree that you have a reasonable expectation of privacy in your hard drive unless, as I’ve noted earlier, you give people access to it via file-sharing software or by simply giving them the password they need to access the files on it. (In those instances, courts say that your belief, if you really continued to believe that the contents of the hard drive were private, was unreasonable, and so fails.)

A couple of years ago I noted that in 2001, in Kyllo v. United States, the Supreme Court was asked to decide if it was a “search” for law enforcement officers to stand across the street from someone’s home and use a thermal imager to detect the signature of the heat radiating from the house. A federal agent did that to Danny Kyllo’s home, and the thermal imager showed that there was an unusual amount of heat radiating from his garage. The agent (as agents regularly did back then) used that information plus other information he had gathered to get a warrant to search Kyllo’s house and garage for evidence of marijuana being grown illegally (as it inevitably is).

Kyllo moved to suppress the evidence (marijuana plants, among other things) the agents found when they executed the warrant at his house. He argued that it was a search to use the thermal imager because he had a 4th Amendment expectation in the privacy of his home. As I’ve explained before, the home is the ultimate private place under the 4th Amendment, so it seemed Kyllo had a pretty good argument.

The problem was that every federal court (and most state courts) that had addressed this issue up to that point had held it was NOT a search to use the thermal imager, even on a home. The rationale was that the use of the thermal imager was not a “search” because nobody and no thing actually intruded INTO the home. The thermal imager detected heat radiating out of the home. So courts said this was not a search; some of them agreed with the prosecution’s theory that what the thermal imager was picking up was essentially garbage (which isn’t private under the 4th Amendment, at least not once you put it outside). The problem with that, IMHO, is that you choose to discard garbage, but you cannot choose whether or not to let heat radiate from your home. As I understand it, you might be able to seal your home so no heat got out, but you’d be in a very, very bad way after spending time in it.


Okay, so what does all this have to do with cybercrime? Well, in deciding the Kyllo case the Supreme Court decided (correctly, IMHO) that the user of the thermal imager was a search. The problem comes with the standard they enunciated in issuing that holding. The Kyllo Court held that it is a search (i) to use technology that is not in general public use to (ii) detect information from inside a home.

That’s a bad standard for two reasons. The first reason results from the reference to one’s home: Does that mean it’s not a search to use a thermal imager on a business or a school or a church? You may not have as much of a privacy interest in a non-home structure as in your home, but you still have a privacy interest and police still have to get a warrant to search (absent consent or other exceptions). So it would have been better, again IMHO, for the Court to have said something like “it’s a search to use a thermal imager to detect information from inside a home or other structure in which a person has a cognizable 4th Amendment expectation of privacy.” Since that wasn’t spelled out in the opinion but MIGHT be a logical corollary of the holding, it looks like officers are tending to get warrants to use thermal imagers on structures other than homes, according to the slight anecdotal evidence I can find. Seems like a very good idea to me.

It’s the other problem with the Kyllo holding that I find really interesting. When does technology move into “general public use”? When Court issued its opinion (and when the thermal imager was used on Kyllo’s home), you could buy a thermal imager if you liked. You still can – they’re even cheaper and more effective. So is it now not a search to use a thermal imager on a home (or other private place) because we can buy them? Or does something else have to happen for technology to move into general public use?

I keep waiting for cases to raise that issue with various technologies – including computer technology – but so far all the reported Kyllo-general-public-use cases are about the use of drug dogs. When my students and I discuss that I usually ask them if a dog – a trained drug dog, to be specific – is “technology.” Not in the conventional sense, but I suppose a highly trained drug dog is technology. (My not highly trained dog is most certainly not technology, though he is a great dog.)

So far, I’ve only found one case that explicitly raises the Kyllo issue with regard to computer technology. In State v. Jacobs, 2007 WL 1121289 (Minnesota Court of Appeals, 2007), Jacobs was charged with possessing child pornography after officers searched his home and found child pornography. This is how the search came about:
[A] Pennsylvania police officer . . . was assigned to investigate computer crimes involving child pornography. . . . [W]hile searching for child pornography on Kazaa P2P, a software program that allows people to share and exchange computer files over the Internet, he observed that a particular computer with an IP (Internet protocol) address was offering to share images of child pornography. The officer then determined that the Internet service provider, Mediacom Communications Corporation, had the name and address of the user and obtained a court order requiring Mediacom to provide that information to him. When the officer recovered the information from Mediacom, he forwarded it to the Redwood Falls police department. A search warrant was executed on [Jacobs’] residence, which resulted in the seizure of the computer disks.
State v. Jacobs, supra.

Jacobs moved to suppress the evidence, arguing that the “officer’s acquisition of his identity and address from a third-party Internet Service Provider” was an unreasonable search under the 4th Amendment. Specifically, he argued that “because he had installed certain software programs on his computer and turned his file-sharing option to the `off’ position, the officer's use of software to discover his IP address was a violation of his reasonable expectation of privacy and was a `search’ similar to the one in United States v. Kyllo”. State v. Jacobs, supra.

The Minnesota Court of Appeals disagreed:

In Kyllo, police used special thermal-imaging technology to peer into defendant's home and obtain proof that he was growing marijuana. The Court held that this was a `search’ within the meaning of the Fourth Amendment because the police employed technology not widely used by the general public to peer into defendant's home. . . . But this case is factually distinguishable. . . Here, the officer did not use special technology to identify appellant's IP address, but rather was able to identify appellant through CommView, a software program that is readily available to the public. Thus, there was no `search’ . . . requiring a warrant under the Fourth Amendment.

State v. Jacobs, supra.

I found one other case that mentioned the use of CommView for the same purpose:
FBI Special Agent (SA) Gordon, using an internet connected computer, launched the P2P Limewire program and conducted a keyword search using the term `r@gold’ which is commonly found in the file names of child pornography images on file sharing networks. The . . . search identified 19 matching files which could be viewed and downloaded from the computer using the IP address 68.224.236.152. . . . [He] used the Limewire `browse’ function to view the names of . . . 270 image files stored in the share folder of the computer using the IP address 68.224.236.152. . . . [M]ore than half . . . had names indicative of child pornography. SA Gordon then downloaded four image files from the computer using IP address 68.224.236.152, all of which contained images of child pornography. . . . During the downloading process, the Limewire program displayed the source IP address of each image as 68.224.236.152. SA Gordon also used a . . . program called CommView which monitors internet and local network traffic and allows the user to view detailed IP address connections. This program also showed that the four images of child pornography were downloaded from the IP address 68.224.236.152.
United States v. Latham, 2007 WL 4563459 (U.S. District Court - District of Nevada, 2007).

You can buy CommView online, for $149 if you’re a “home user” or for $499.99 if you’re an “enterprise user.”

I’m not sure if the Jacobs court was right in finding that CommView is in general public use. What I find interesting, and disconcerting, is the premise that once a technology CAN be purchased by members of the public, it moves into general public use which means that law enforcement’s using it against us is not a 4th Amendment search. If it’s not a search, then law enforcement can use the technology without getting a warrant or otherwise satisfying the 4th Amendment. My problem with what the Jacobs court did is that I don’t see how CommView differs from the thermal imager that was used on Kyllo’s home: Any member of the general public who could afford one could buy (and use) a thermal imager when one was used on Kyllo’s home; and any member of the general public could have done the same at the time the Supreme Court decided the Kyllo case. The Court still held it was a search to use the thermal imager. So why isn’t it a search for law enforcement to use CommView?

My concern about the holding in Jacobs is the consequences. If this approach prevails, I’m afraid it’s going to skew the notion of privacy, so that instead of working on my laptop in my home study (as I am at this moment) and assuming what I’m doing is private, I have to take countermeasures to ensure what I am doing is private. Once a surveillance technology (of whatever type) goes on sale, I presumably have to know that and have to figure out how to defeat its application to me . . . or I’ve waived my privacy. Somehow, that doesn’t seem quite right.

Saturday, July 12, 2008

Warshak: 6th Circuit Blinks

As I explained in an earlier post, last year a decision issued by three of the judges on the Sixth Circuit Court of Appeals held, in effect, that we have a 4th Amendment expectation of privacy in our emails, even when the emails are stored on the servers of our Internet Service Provider.

As I also noted, the government was appealing the ruling to the full Sixth Circuit. In the federal courts of appeals, most appeals are heard and decided by a sub-set of the full court consisting of three judges. When someone is not happy with a ruling, they can try to get the entire court to rehear the matter, which the government succeeded in doing in this case.

As I explained earlier, a federal district judge in Cincinnati had held that the statute the government uses to gain access to stored emails without getting a search warrant violated the 4th Amendment and issued an injunction barring its enforcement. (The statute is based on the premise that, as I noted earlier, we do not have an expectation of privacy in email because it can be read by employees of our Internet Service Provider.) The three judge panel that heard the initial appeal last year agreed with her and held the statute unconstitution.

I talked to a Department of Justice lawyer earlier this year. He said that the position the DOJ was taking in this appeal to the entire court was to raise two procedural issues in hopes of getting the case kicked out without the court’s addressing the substantive issue, i.e., whether the 4th Amendment encompasses email. He said the government was doing that because, frankly, their case was weak; it was weak, according to this attorney, because the government hadn’t developed a complete record, which meant they didn’t have the facts they needed to make strong arguments. And I suspect the government was more than a little freaked by the fact that a federal district court judge and three court of appeals judges found that the 4th Amendment does encompass email. They know they’ll have to deal with that issue at some point, but they want to pick a case that puts them in the best tactical advantage when they finally do so.

The entire court – 14 federal appellate judges – threw the case out because they found it wasn’t “ripe.” “A claim is not `amenable to . . . the judicial process . . . when it is filed too early (making it unripe).’) Warshak v. U.S. 2008 WL 2698177 (6th Cir. 2008). Here is why the court found that Warshak’s claim was not ripe for judicial decision:
To start, we have no idea whether the government will conduct an ex parte search of Warshak's e-mail account in the future and plenty of reason to doubt that it will, making this a claim that depends on `contingent future events that may not occur as anticipated, or indeed may not occur at all.’ . . . Answering difficult legal questions before they arise and before the courts know how they will arise is not the way we typically handle constitutional litigation. . . .

Nor can we rely on previous government searches of Warshak's e-mails to hypothesize the factual context of the next search. Even if the record contained the full text of the NuVox and Yahoo! service-provider agreements (it does not. . .), we would run into a similar conjecture problem. Just as there is little basis for assuming the government will conduct another ex parte search of Warshak's e-mails, there is little basis for assuming any future search will concern e-mails facilitated by these service providers, as opposed to e-mails facilitated by other service providers. . . .
Concerns about the premature resolution of legal disputes have particular resonance in the context of Fourth Amendment disputes. In determining the "reasonableness" of searches under the Fourth Amendment and the legitimacy of citizens' expectations of privacy, courts typically look at the `totality of the circumstances,’ . . . reaching case-by-case determinations that turn on the concrete, not the general, and offering incremental, not sweeping, pronouncements of law. . . . Courts thus generally review such challenges in two discrete, post-enforcement settings: (1) a motion to suppress in a criminal case or (2) a damages claim . . . against the officers who conducted the search. In both settings, the reviewing court looks at the claim in the context of an actual, not a hypothetical, search and in the context of a developed factual record of the reasons for and the nature of the search. A pre-enforcement challenge to future e-mail searches, by contrast, provides no such factual context. The Fourth Amendment is designed to account for an unpredictable and limitless range of factual circumstances, and accordingly it generally should be applied after those circumstances unfold, not before.
Warshak v. U.S., supra.

There’s more, but it’s all along the same lines.

For those of us who think we do (should) have a 4th Amendment expectation of privacy in the content of our emails, it’s heartening to note that 5 of the judges dissented. Judge Martin, whose dissent was joined by the others, began his opinion as follows:
Why do today what can be done tomorrow? I dissent because I not only believe this case is ripe for review, but because the majority gives unwarranted deferential treatment to the government. Such treatment would not be afforded a private litigant defending against a motion for preliminary injunction, and should not be given here.
He also has a nice ending, IMHO:
While I am saddened, I am not surprised by today's ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country. The majority makes much of the fact that facial challenges are no way to litigate the constitutional validity of certain laws. Yet our Supreme Court has no problem striking down a handgun ban enacted by a democratically elected city government on a facial basis. See Dist. of Columbia v. Heller, --- U.S. ----, 2008 WL 2520816 (June 26, 2008). History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment's right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government's investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen's private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.
You can find the full opinion here. Search for opinion # 08a0252p.06.