"True Threat"

In an earlier post, I talked about the Alkhabaz case, in which a federal court dismissed a charge of using the Internet to transmit a “threat” to someone.

The defendant in that case was charged under 18 U.S. Code § 875(c), which makes it a crime to transmit in interstate commerce “any communication containing any threat to kidnap any person or any threat to injure the person of another”.

The use of the Internet qualifies as the use of interstate commerce, so the only issue in the case was whether what the defendant posted online constituted a threat, or what courts usually refer to as a “true threat.” As I explained in that earlier post, Alkhabaz posted stores describing the horrific torture and eventual murder of a woman who seemed to be a classmate of his. He didn’t send them to her or post them anywhere he thought she’d see them; he did post them on a website for people interested in such things.

When she discovered the posts, essentially by accident, she was horrified, as was everyone else, apparently. The federal district court dismissed the charge because it found the stories weren’t a “threat.” The government appealed to the Sixth Circuit Court of Appeals, which begin its analysis of the issue by explaining that

to constitute `a communication containing a threat’ under Section 875(c), a communication must be such that a reasonable person (1) would take the statement as a serious expression of an intention to inflict bodily harm (the mens rea), and (2) would perceive such expression as being communicated to effect some change or achieve some goal through intimidation (the actus reus).

U.S. v. Alkhabaz, 104 F.3d 1492 (6th Cir. 1997).

The Sixth Circuit agreed that the fantasies Alkhabaz had posted were not a threat, in part because he had not sent them to the person he described in them:

For example, `if the court mails this opinion to West Publishing Company, having quoted verbatim the language used by defendant which is alleged to be threatening,’ it is unlikely that any reader's sense of personal safety and well being would be jeopardized. Likewise, if `a member of the general public . . . took notes of defendant's statements and mailed them to a family member, law professor, or newspaper for their information,’ such communication would not . . . compromise the recipient's sense of personal safety. In both cases, the recipient's sense of well-being is not endangered because, from an objective standpoint, the sender has no desire to intimidate.

U.S. v. Alkhabaz, supra. The court found that rather than intending to threaten the woman featured in the fantasies, Alkhabaz posted them “in an attempt to foster a friendship based on shared sexual fantasies.” U.S. v. Alkhabaz, supra. (As I noted, he put them on a web site for people who like this type of fantasy).

That brings me to the case I want to write about. It involves another defendant who was charged with using the Internet to transmit a threat in violation of section 875(c). Here, according to an article in the Penn State Daily Collegian, are the facts that gave rise to the charges:

Steven Voneida, 24, of Harrisburg, . . . placed a photographic illustration and poem focusing on the Virginia Tech shootings on his MySpace page on April 18, [2007]. . . .

A poem entitled `the Ballad of Cho Seung-hui’ about Seung-Hui Cho -- the shooter who killed 32 people and then himself during a rampage on the Virginia Tech campus -- was just one of the pieces on Voneida's MySpace profile focusing on the incident. . . . The poem itself appeared under a headline, `Virginia Tech Massacre: They got what they deserved.'

The Daily Collegian article says Voneida's MySpace profile also included this statement: "Someday I will make the Virginia Tech incident look like a trip to an amusement park”. April 18, 2007 was two days after the shootings at Virginia Tech.

The week after the Virginia Tech killings, an Indiana University of Pennsylvania student visiting MySpace saw Voneida’s postings and contacted the Penn State - Harrisburg University Police. (Voneida was a student there.) The University Police contacted the FBI, who began an investigation, in cooperation with he Pennsylvania State Police and the local police department.

Voneida was charged with using the Internet (interstate commerce) to transmit a threat “to injure the person of another”. He filed motions seeking to exclude various evidence from his trial on the charge, and in ruling on the motions the federal district court noted it was “It is unclear to whom these posts were directed, if anyone, or whether they were made public to all MySpace users.” U.S. v. Voneida, 2008 WL 189667 (U.S. District Court for the Middle District of Pennsylania 2008). The court did note that the material Voneida posted remained on MySpace “for at least nine days”, and so had the potential to “reach an audience.” U.S. v. Voneida, supra.

If Voneida filed a motion to dismiss the charges against him on the grounds that what he posted was not a threat, I can’t find any mention of it, either in the press or in the cases reported on Westlaw.

What do you think? Was Voneida’s posting the stuff described above on MySpace a “true threat” as the Sixth Circuit defined that concept in the Alkhabaz case?

Like Alkhabaz, he didn’t send his comments directly to people at his university or any other location where he intended to make “the Virginia tech incident look like a trip to an amusement park”. Like Alkhabaz, he simply posted his comments and the poem about Cho (I can’t find the content online, not surprisingly) on an Internet site. Does it matter if he made the posts publicly available (which I’d assume, given that the IU – Pennsylvania student was able to read them) or not?

If you’re interested in what actually happened, here it is: In February of this year, he was convicted after a one-day bench trial (before a federal district court judge, instead of a jury . . . which could have been a wise move, especially if he was relying on the legal claim that what he posted was not a threat). According to a press release from the U.S. Attorney’s for the Middle District of Pennsylvania (where the case arose), he faces up to five years in prison on the conviction. I found a news story that noted, not surprisingly, that Voneida is going to appeal the conviction.

I have to assume the central issue in an appeal will be the Alkhabaz issue: whether or not posting what he posted on MySpace is really a threat (a “true threat”) or something else. I admit it was really reprehensible and I can’t imagine what he was thinking, but I wonder if it really constitute a “true threat.”

The usual section 875(c) cases involving the use of the Internet are cases like U.S. v. Li, 537 F. Supp.2d 431 (U.S. District Court for the Northern District of New York 2008). Li was given a temporary teaching position at Morrisville State College in Morrisville, New York, but was not rehired because of “poor job performance and inappropriate conduct.” U.S. v. Li, supra. He responded by sending emails threatening to kill college faculty members and administrators, as well as members of their family. U.S. Li, supra. Here are a few of the acts alleged in the indictment that charged him with sending threats in violation of section 875(c):

On September 26, 2006, defendant sent an email to James C. VanRiper, Vice President of the College, stating `Van Ripper: You made a mistake. You will die hard.’

On October 29, 2006, defendant sent an email to Frederick Paine, a professor at the College, stating `You are on the death list!’

On January 15, 2007, defendant sent an email to Kim Mills, Chairman of the College’s Computer Department, stating `I want you to suffer the hardest death'.

Finally, on March 12, 2007, defendant sent an email to VanRiper stating `Do you think [the Morrisville Police] can protect you from a man who wants to die and want to kill you? Asshole, for sure you will be killed by such a man.’

U.S. v. Li, supra. There were more like those.

In Li, the threat issue is pretty straightforward because he emailed people and told them he was going to kill them. As the Alkhabaz court noted, the definition of a threat has always been based on that direct communication with the victim; it’s considered to be one reason why we criminalize threats, i.e., telling someone you’re going to harm them causes injury in its own way.

Voneida didn’t send his statements to anyone . . . which seems to me more like Alkhabaz than like Li.

Crime, War and . . . ?

I’m reading Jane Mayer’s book, The Dark Side, which is about how the U.S. went seriously off-track in its efforts to pursue Al-Qaeda. I recommend it very highly; it’s revelatory, depressing and infuriating.

But this is a blog about cybercrime, not about the so far pretty unimpressive War on Terror. This post was prompted by something I read in the book, early on.

People in various federal government departments and divisions (e.g., CIA, Department of State, Department of Defense, White House) were trying to figure out the conceptual basis on which U.S. personnel would pursue and deal with members of Al-Qaeda and others who fell into the category of anti-American terrorists.

At first, the FBI was investigating the 9/11 attacks, just as they investigated the 1998 Al-Qaeda attacks on U.S. embassies in Kenya and Tanzania. That was the presumptive approach because terrorism has been approached as a crime since 1937, when the League of Nations promulgated a Convention on terrorism that called for countries to make it a crime and prosecute it as such. The League promulgated the Convention in response to a terrorist assassination of a Yugoslavian king and French foreign minister.

So, as I’ve noted before, terrorism became, and essentially remains, a type of crime. And that’s how the FBI, anyway, was proceeding after 9/11, until things went awry. In Mayer’s book, she quotes someone (I’ve forgotten who) as saying the U.S. government had to come up with a different approach to Al-Qaeda style terrorism because the law enforcement approach didn’t work.

It didn’t work, this person-whose-name-I-can’t-recall-and-am-too-lazy-to-look-up said, because law enforcement is retroactive – it responds to what has already happened. This person said the U.S. needed to move to a proactive approach that emphasized preventing future attacks. And he said the different approach had to be the military approach (think “enemy combatants”) because there were only two choices: law enforcement or the military.

That comment sparked this post. I want to write about the notion that there are two and only two choices, though not in terms of dealing with Al-Qaeda style terrorism. I want to talk about the notion in the context of different threats – cyberthreats.

As I explained at length in an earlier post, cybercrime challenges the law enforcement model because it deviates from the real-world crime the model assumes in several ways. Cybercrime is often transborder, transnational or trans-state in federal systems like the United States. That frustrates law enforcement because law enforcement is set up to work effectively within a particular territorial area. Once conduct leaks outside that area into one or more other areas, then law enforcement has to deal with often cumbersome legal procedures (and practical constraints) that impede officers’ ability to do their job. Another different is scale: As I’ve written in law review articles, real-world crime tends to be one-to-one crime. A perpetrator burglarizes a house, then another house, and so on; a rapist attacks one victim, then another, and so on; and that pattern operates as the default for most real world crime.

A third difference is physical proximity between perpetrator and victim, which is required in traditional crimes. To rob, rape or kill someone, I have to be close to them; and the same was historically true for crimes like fraud. Fraud was face to face crime, until the invention of the telephone. (There was, of course, some mail fraud prior to the invention of the telephone, but historically the mails were to so unreliable that this was not a good way to go.) And, finally, law enforcement has a pretty good handle on the incidence of crime in the real world; there’s a science called crime mapping that can track where crime (of particular types) is most likely to occur, and I suspect most police departments can do the same, pretty effectively. That means police have a way to allocate their very scarce resources in a way to maximize their ability to do their job.

Their job, of course, is to control crime by discouraging its commission. They do that by finding people who have already committed crimes, having them prosecuted, convicted and then sanctioned for what they did. The empirical premise of the twentieth century criminal justice system is that law enforcement officers will capture enough of the people who commit crimes (they can’t possibly catch all of them) to deter them and deter others from following their lead.

Cybercrime, as I explained in that earlier post, erodes the efficacy of this model because it can be committed from halfway around the world as easily as it can be committed next door, because it can be committed on a scale vastly exceeding the one to one default of traditional crime, because physical proximity is irrelevant and because we so far do not have accurate statistics on its incidence and authorship. The crimes themselves are for the most part the same old stuff (theft, fraud, trespass, burglary, etc.) but the medium is new and operationally problematic for law enforcement.

So the comment about needing to move from a law enforcement model in dealing with terrorism also has application to cybercrime or, more broadly, to cyberthreats. As I explained in another post, there are three cyberthreats: cybercrime, cyberterrorism and cyberwarfare.
Cyberterrorism is really a subset of cybercrime, but since it’s usually broken out in discussions I’ll make it a third category.

Three categories, two models. As with transnational terrorism, we have, if we go with the comment noted earlier, two and only two models to choose from in dealing with cybercrime, cyberterrorism and cyberwarfare. If we follow the real-world approach, then law enforcement will deal with the first two and the military will deal with the third.

The problem with that, as I noted in an earlier post and in an article cited in that post, is that the difference between the first two and the third one may not be apparent, at all. With cyberwarfare, the attacker doesn’t bomb Pearl Harbor, or London, thereby making it pretty easy to tell that this is “war,” not “crime.” We haven’t had a definitive cyberwar attacks so far (to my knowledge . . . sorties, but not an attack), so we don’t really know what one will look like. But we do know it’ll use tools essentially indistinguishable from those used by criminals, cybercriminals and cyberterrorists.

My point here is that in dealing with cyberthreats we face the same problem U.S. officials thought the United States faced in dealing with Al-Qaeda-style transnational terrorism. (I think they were wrong there, but that is irrelevant here.). The law enforcement model is not effective against anonymous, extraterritorial opponents who leave no physical crime scene and can inflict damage on a scale that is yet to be determined. (For more on that, I refer you to my post on cyberwarfare.)

So, does that leave us with only two choices in dealing with cyberthreats – keep the law enforcement model or move to a military model? First of all, in the U.S. there is a federal statute – the Posse Comitatus Act – that says the military cannot be involved in civilian law enforcement. It is only a statute, which means it could be repealed; but it rests on legal principles that go back to English common law, as well as other principles, all of which dictate that it’s a very bad idea to mix civilian and military metaphors when it comes to keeping order inside a country. I don’t think we should do that, and I suspect most military officers don’t want to do that, either.

Are there only two choices? If so, why? As I’ve written in law review articles, the dichotomy between military and civilian law enforcement evolved over time: The military deals with external threats (e.g., Nazi Germany), while civilian law enforcement deals with internal threats (e.g., the Mafia). By “threat,” I mean activity that can undermine a nation-state’s ability to maintain the internal (crime) and external (war) order it needs to survive and prosper.
We have two categories because modern nation-states are the product of and defined by the territory they control. Think about it: One of the common terms we use for a nation-state is “country.” A state’s “country” is its defining characteristic in a binary definitional system: Territory either belongs to Country A or to Country B. If it belongs to Country A, then Country A’s army will protect it from encroachment by Country B and Country A’s police will keep order within the territory.

As we all know, cyberspace is increasingly making territory irrelevant, just as modern transportation made it less of an obstacle for real-world terrorist groups like Al-Qaeda. The distinction between “inside” (law enforcement) and “outside” (the military) erodes, leaving us with an apparent conundrum: If our only options are law enforcement OR the military, then we presumably have to keep going as we are, even though we know law enforcement’s ability to deal with cyberthreats has eroded in ways we are not likely to be able to remediate (at least, not if we intend to maintain something other than a garrison state).

I’ve been wondering for some time if we don’t need to think about the inevitability of this dichotomy. I certainly don’t want it collapsed into a single system (the U.S. Military and Law Enforcement Agency) – bad, bad idea. But why can’t we expand it? Why can’t we come with a third option (not considered in developing the response to 9/11)? After World War II, the U.S. in a sense did this by creating the Central Intelligence Agency. The CIA was created as a response to the new realities of the Cold War, which was in a way analogous to cyberthreats or Al-Qaeda-style terrorism. Since it was “cold,” the cold war didn’t fit into the traditional category of war, and it wasn’t crime because it was about dealing with an external, nation-state threat. So we created a new agency and a new approach . . . not a free-standing approach, not a third option, but a new way of dealing with a new kind of threat.

I don’t see why we can’t do something similar with cyberthreats.

Complicity

As a Chicago television station reported a little over a month ago, for two years the Cook County Sheriff’s office has been targeting the use of Craigslist to facilitate prostitution.

According to the story, prostitutes advertise in the “erotic services” section of Craigslist. It says officers from the Sheriff’s Office have conducted four online prostitution stings in the last year and a half and made dozens of arrests. They arrested 76 people in their last sting, in June.

The story quotes Cook County Sheriff Tom Dart as saying “repeated attempts” to get Craigslist to shut down the “erotic services” section of its site have failed. It also reports that his office is “looking into legal action” against Craigslist, such as a “criminal or civil lawsuit.”

I don’t do civil litigation, so I have no interest in talking about that possibility. I suspect the more likely possibility is some kind of criminal prosecution, but that, of course, raises a very basic question: prosecute Craigslist for WHAT?

Let’s parse the possibilities. We begin with the obvious fact that prostitution itself is a crime in Illinois. An Illinois statute says that anyone who “performs, offers or agrees to perform any act of sexual penetration . . . or any. . . fondling of the sex organs of . . . another person, for any money, property . . . anything of value, for the purpose of sexual arousal or gratification commits an act of prostitution.” 720 Illinois Compiled Statutes Annotated § 5/11-14. Under the statute, the first conviction is a misdemeanor, while all subsequent convictions are a minor felony.

I can see two ways for the state of Illinois to bring a criminal prosecution against sites like Craigslist that provide information about prostitutes. The first is the traditional way: prosecute them for soliciting prostitution.

An Illinois statute says anyone “who performs any of the following acts commits soliciting for a prostitute:” (i) Solicits another for the purpose of prostitution; (ii) arranges or offers to arrange a meeting of persons for the purpose of prostitution; or (iii) directs another to a place knowing such direction is for the purpose of prostitution.” 720 Illinois Compiled Statutes Annotated § 5/11-15.

I don’t think sites like Craigslist could be charged under this statute because while the advertisements they carry may help prostitutes hook up with their customers, the intent – the mens rea – is missing. To violate this statute, you have to (i) purposely solicit (i.e., try to get someone interested in) an act of prostitution or (ii) purposely arrange a meeting for a prostitute or (iii) send someone to a place knowing you’re doing so to facilitate prostitution. I don’t see how any of that can apply to a site like Craigslist. According to their fact sheet, they get more than 30,000,000 new ads each months. There’s no way they could police the content of all that, even if they wanted to. There’s certainly no way a prosecutor could show that Craigslist carried a particular ad for one of the purposes noted above, i.e., acting with what the law calls the specific intent to solicit an act of prostitution.

The other way the state of Illinois might be able to prosecute sites like Craigslist for providing information about prostitutes is to use complicity, or aiding and abetting a crime. I talked about aiding and abetting in an earlier post, so if you’re interested in reading more about how it works, you might check that post.

Essentially, complicity is a principle that says someone who purposely facilitates the commission of a crime is as guilty as the person who actually carries out the crime (the principal). So if I know you are going to rob a bank and you ask me to get you a gun for the robbery and I do that, I’ve aided and abetted your crime . . . have, as the law says, become you accomplice. I can be held liable for the robbery as if I committed it. Aiding and abetting liability is a way of ratcheting up the stakes for those who might assist in the commission of a crime; it makes it very risky for someone to do that. You might as well commit the crime yourself, because if you’re caught you’ll face the same penalty as the perpetrator, absent your cutting a deal with the prosecutor.

Here’s what Illinois law requires to establish complicity in a crime:

[Complicity] requires a showing that the offender intended to promote or facilitate the commission of a crime, and . . . such intent is usually proven by showing that the accomplice shared a community of purpose or common design with the principal. . . . . The principal attribute of accountability is the showing of affirmative conduct by an accomplice that in some way aids, encourages or incites another to commit a crime.

People v. Peterson, 273 Ill. App.3d 412, 652 N.#.2d 1252 (Illinois Court of Appeals 1995).

Prosecutors sometimes go after legitimate businesses for aiding and abetting a crime. About fifteen years ago, there was a California fellow who owned a store that sold chemicals. He realized three particular chemicals could be used to make methamphetamine; he also realized he could make a lot of money selling those chemicals to people who made methamphetamine. So he pretty much turned his store into a store selling those three chemicals for cash to people whose names he either didn’t bother to get or that were transparent aliases. He was prosecuted for aiding and abetting the manufacture of methamphetamine. To show he was complicit in that crime, the prosecution proved that (i) he knew the three chemicals in combination could only be used to make methamphetamine and (ii) the sale of those chemicals accounted for the vast majority of his profits. From those facts, and the related facts that he dealt in cash, kept no customer records and deliberately did not know who his customers were, the prosecutors asked the jury to infer that he “shared a community of purpose” with the meth manufacturers, and so was complicit in what they did. The jury bought it and he was convicted.

The problem with trying to extrapolate that theory to what Craigslist is doing with its “erotic services” ads is showing that Craigslist shares such a “community of purpose,” i.e., that its purpose is to promote prostitution. In that regard, my hypothesized effort to charge Craigslist as an accomplice of prostitutes using its website reminds me of an old California case: People v. Lauria, 251 Cal. App.2d 471, 59 Cal. Rptr. 628 (California Court of Appeals 1967).

The defendant in that case operated a telephone answering service, which was very useful in a pre-cell phone, pre-pager era. My impression is that they were used by lots of people. Lauria’s service was in Los Angeles, so it was probably used a lot by would-be movie people, among others. For some reason, a policewoman decided to do a sting on his service: She signed up for the service, dropping hints that she was going to use it for prostitution and saying she had been referred by Terry, a prostitute known to use the service. The policewoman met with Lauria and dropped hints about needing customers, but the court’s opinion says he didn’t take the bait. All he said was that his “business was taking messages.” People v. Lauria, supra.

Lauria winds up being arrested, along with three prostitutes. He’s charged with aiding and abetting prostitution. He argued that the charge

was undeserved, stating that Hollywood Call Board had 60 to 70 prostitutes on its board while his own service had only 9 or 10, that he kept separate records for known or suspected prostitutes for the convenience of . . . the police. When asked if his records were available to police . . . to investigate call girls, Lauria replied that they were whenever the police had a specific name. However, his service didn't ‘arbitrarily tell the police about prostitutes on our board. As long as they pay their bills we tolerate them.’ In a . . . voluntary appearance before the Grand Jury Lauria testified he had always cooperated with the police. But he admitted he knew some of his customers were prostitutes, and he knew Terry was a prostitute because he had personally used her services, and he knew she was paying for 500 calls a month.

People v. Lauria, supra.

Lauria got the trial court to dismiss the charges against him, but the prosecution appealed. The California Court of Appeals agreed with the lower court:

When we review Lauria's activities . . ., we find no proof that Lauria took any direct action to further, encourage, or direct the call-girl activities of his codefendants and we find an absence of circumstances from which his special interest in their activities could be inferred. Neither excessive charges for standardized services, nor the furnishing of services without a legitimate use, nor an unusual quantity of business with call girls, are present. . . . Under these circumstances, . . . there was insufficient evidence that he intended to further their criminal activities, and hence insufficient proof of his [intent to aid and abet prostitution].

People v. Lauria, supra.

Craigslist is in essentially the same situation, though its relationship with the prostitutes who use its service is complicated by the vastness of the ads listed on its site. Lauria knew prostitutes were using his service, and probably knew who most of them were because his client base was tiny, compared to the number of people Craigslist deals with. I do not see how Craigslist could be charged as an accomplice to prostitution carried out by those who happen to put ads on its service. Absent complicity, I don’t see any other basis for bringing criminal charges again the site.

ISP Subscriber Records Private in NJ

As I explained last fall, in two decisions issued in the 1970s the U.S. Supreme Court held that we do not have a 4th Amendment expectation of privacy in what are called third-party records.

In one of the cases, the Supreme Court held that a man who made calls from his home did not have an expectation of privacy in the numbers he dialed because he “knowingly revealed” them to the phone company and thereby assumed the risk the company would give them to the police (without the police’s having a search warrant).

In the other case, the Court held essentially the same thing as to a customer’s bank records; by sharing information with the bank, the customer lost any expectation of privacy in it and assumed the risk the bank would share it with law enforcement.

Like many, including Justice Marshall who wrote a great dissent in the telephone case, I think those decisions were wrong when they were decided and are still wrong. Justice Marshall pointed out that he doubted the man who made the calls really realized he was “giving” information to the phone company that it might then share with the police; he also pointed out that the assumption of risk analysis was wrong because it implies you have a choice, and the only choice the decision left telephone users with is either don’t use the phone (or any technology) or, if you do, understand that your information is not private. You can read about these issues in that earlier post I mentioned.

The Warshak case dealt with the privacy of the CONTENT of our emails. What we’re talking about now is not the content of our communications; it’s either the data used in the transmission of those communications, like phone numbers (“traffic data”) or data concerning the identity of the person who’s using the telephone or email service. That’s the issue I want to focus on here.

The New Jersey Supreme Court rather recently held that subscriber information IS private in New Jersey. It reached this result by applying the New Jersey Constitution. A state court, like the New Jersey Supreme Court, can interpret a state’s constitution in essentially any way it likes, as long as the interpretation does not provide the citizens of that state with LESS protection than they have under the federal constitution. So while the New Jersey Supreme Court can’t change the U.S. Supreme Court’s interpretation of the 4th Amendment, it can interpret its own constitution – the New Jersey Constitution – to give the citizens of that state MORE protection than they have under the federal Constitution.

The case is State v. Reid, 194 N.J. 386, 945 A.2d 26 (N.J. 2008). You can find the opinion here. And here are the facts:

On August 27, 2004, Timothy Wilson, the owner of Jersey Diesel, reported to the Lower Township Police Department that someone had used a computer to change his company's shipping address and password for its suppliers. The shipping address was changed to a non-existent address.

Wilson explained that Shirley Reid, an employee who had been on disability leave, could have made the changes. Reid returned to work on the morning of August 24, had an argument with Wilson about her . . . assignment, and left. According to Wilson, Reid was the only employee who knew the company's computer password and ID.

Wilson learned of the changes through one of his suppliers, Donaldson Company, Inc. Both the password and shipping address for Jersey Diesel had been changed on Donaldson's website on August 24, 2004. . . . [S]omeone accessed their website and used Jersey Diesel's username and password to sign on at 9:57 a.m. The individual changed the password and Jersey Diesel's shipping address and then completed the requests at 10:07 a.m.

Donaldson's website captured the user's IP address, 68.32.145.220, which was registered to Comcast.

State v. Reid, supra.

A subpoena was used (by the police or by Wilson acting as an agent of the police, I’m not sure) to get “`[a]ny and all information pertaining to IP Address . . . 68.32.145.220’” from Comcast. “Comcast . . . identified Reid as the subscriber of the IP address. In addition, Comcast provided . . . Reid's address, telephone number, type of service provided, IP assignment (dynamic), account number, e-mail address, and method of payment.” State v. Reid, supra. Based on that and probably other evidence, Reid was charged with computer theft. State v. Reid, supra.

Reid moved to suppress the information Comcast provided pursuant to the subpoena, claiming it violated her right to be free from “unreasonable searches and seizures” because she had a reasonable expectation of privacy in the information. That sounds like she was making a 4th Amendment argument, but as the NJ Supreme Court noted, both “the Fourth Amendment . . . and Article I, Paragraph 7, of the New Jersey Constitution protect, in nearly identical language, `the right of the people to be secure ... against unreasonable searches and seizures.’” State v. Reid, supra.

The NJ Supreme Court began its analysis of the argument by noting, as I explained above, that Reid had no 4th Amendment expectation of privacy in the information. It then turned to the state analog of the 4th Amendment, explaining that on multiple occasions this Court has held that the New Jersey Constitution `affords our citizens greater protection against unreasonable searches and seizures” than the Fourth Amendment.’” State v. Reid, supra. Specifically, the NJ Supreme Court had already held that the New Jersey Constitution (i) protects the privacy of the numbers one dials on their phone and (ii) protects the privacy of bank account records. So, the court had already used the state provision to, in effect, overrule the 4th Amendment insofar as searches and seizures by New Jersey officers against New Jersey citizens or residents are concerned.

In what I find a well-reasoned opinion, the NJ Supreme Court held that “Internet users . . . enjoy relatively complete IP address anonymity when surfing the Web. Given the current state of technology, the dynamic, temporarily assigned, numerical IP address cannot be matched to an individual user without the help of an ISP. Therefore, we accept as reasonable the expectation that one's identity will not be discovered through a string of numbers left behind on a website.” State v. Reid, supra. It noted that the

availability of IP Address Locator Websites has not altered that expectation because they reveal the name and address of service providers but not individual users. Should that reality change over time, the reasonableness of the expectation of privacy in Internet subscriber information might change as well. For example, if one day new software allowed individuals to type IP addresses into a “reverse directory” and identify the name of a user-as is possible with reverse telephone directories-today's ruling might need to be reexamined.

State v. Reid, supra.

The court did not go as far as to require police to get a search warrant for IP addressing information and subscriber information. In this case, the police used what was conceded to be a “defective” municipal subpoena. The NJ Supreme Court found, as had the trial court, that this was not sufficient, but it declined to require them to get a warrant in future cases. The court held that a “grand jury subpoena . . . based upon a showing of relevant” satisfies the requirements of the NJ Constitution. State v. Reid, supra.

So in the future, officers will have to go to a grand jury and get the grand jury to subpoena the records; I assume the relevancy issue comes up if the person whose records were subpoenaed later challenges the process used to obtain them. I’m assuming that if such a challenge is made, then the prosecution has to show that the grand jury had reason to believe the evidence was relevant to criminal activity, instead of simply conducting a fishing expedition.

It may not be full 4th Amendment protection, but citizens in New Jersey have a lot more privacy in their bank, telephone, utility and ISP records than citizens in most states.

Best Evidence

As Wikipedia explains, the best evidence rule is a principle that can be traced back to common law.

In an often-cited eighteenth century decision, an English judge noted that evidence was not admissible unless it was “the best that the nature of the case will allow”. Omychund v. Barker, (1745) 26 ER 15, 33.

According to Wikipedia, the rationale for the rule arose from how documentary evidence was produced in the eighteenth century: “a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.”

Though technology is far more advanced, and copies are no longer made by hand, the rule survives. I’m going to use a recent case to show how it applies in an era of digital technology.

The case is Bobo v. State, 2008 WL 2191159 (Arkansas Court of Appeals, 2008). Bobo was convicted of first-degree sexual assault and appealed, challenging the admission into evidence of certain emails. Here, according to the court, are the facts that led to her conviction:

On November 3, 2005, Twilla Frosco checked her email on the family computer. She saw that the email account of her fourteen-year-old son (DF) was open on the screen. She read some of the messages and found . . . exchanges between DF and Bobo, one of DF's former . . . teachers. The messages were sexually explicit. Twilla . . . called her husband, Richard Frosco, who asked [her] to forward the emails to him.

Richard called the prosecutor's office . . . and was referred to . . . Detective Heather McCaslin, who asked [him] to forward the emails to her. . . . [She sent them to] Sergeant James Flynn. . . . [who] issued subpoenas to the internet providers . . . obtained consent to search DF's computer, and secured a warrant to search Bobo's computer.

At trial, DF testified that when he was in eighth grade, Bobo was his math co-teacher. In February 2005, Bobo picked DF up at church and drove him to a loading dock where DF testified they had sexual intercourse in Bobo's vehicle. Afterwards, Bobo drove DF back to church. DF testified that Bobo came to his house a few weeks later while his parents were not home, and they had sexual intercourse again.

Bobo v. State, supra.

On appeal, Bobo argued that the trial court erred in admitting 19 emails allegedly exchanged between her and DF. “Because the original emails from the computers of DF and Bobo no longer exist, she argues that the State failed to properly authenticate the forwarded emails (as there was evidence of tampering and/or altering of them) and that the emails were admitted in violation of best-evidence rules found in Arkansas Rules of Evidence 1001- 1004”. Bobo v. State, supra. According to the court of appeal’s opinion, the emails no longer existed because DF deleted them from “his computer, and Bobo's computer crashed in June 2005.” Bobo v. State, supra.

Since the authentication and best evidence issues were inter-related, the court began with authentication:

Rule 901(a) of the Arkansas Rules of Evidence provides that: `[A]uthentication . . .as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.’ . . . Authentication requirements are satisfied if the trial court . . . concludes that the evidence presented is genuine and, in reasonable probability, has not been tampered with or altered in any significant manner. . . . [E]very possibility of tampering need not be eliminated.

[T]he emails were properly authenticated. DF testified that he either mailed to Bobo or received from Bobo each of the emails in question. Moreover, DF's mother testified that she read the original emails exchanged between DF and Bobo. Bobo admitted to sending emails to DF, and although she denied any of the sexual content of the emails, she admitted that she sent emails to DF with non-sexual content. For example, she admitted visiting with DF via email about her computer problems, his new school, and his girlfriend. She also admitted that she sent him an email telling him that she hoped he did not forget her. All of this non-sexual content was contained in the emails in question.

Further, the State presented evidence confirming that the emails in question were properly addressed to DF's email account and the email account of Bobo and her husband. Sergeant Adam Holland of the Fort Smith Police Department and Michael Parks of the Fayetteville Police Department conducted forensic examinations of DF and Bobo's computer and located the emails in question. The State offered an additional expert witness, Paul Brown, who not only examined the computers but also the server through which the emails traveled. Brown verified that fifteen of the emails sent by Bobo to DF matched a temporary, unique IP internet address for her computer. Despite arguments made by Bobo that the emails could have been tampered with or altered because some of the forwarded emails had no headers, the State's experts concluded that the emails were genuine and that the validity of the emails was not in question.

Bobo v. State, supra.

The court then addressed Bobo’s best evidence issue, which seems a pretty good argument, considering that the originals of the emails had been destroyed before the trial. The court of appeals held, though, that the email printouts introduced at trial were the best evidence of the

emails exchanged between DF and Bobo. Arkansas Rule of Evidence 1002 provides: `To prove the content of a writing . . . the original . . . is required, except as otherwise provided in these rules’. Rule 1004 provides that `t]he original is not required, and other evidence of the contents of a writing is admissible if . . . [a]ll originals . . . have been destroyed, unless the proponent lost or destroyed them in bad faith.’ `If data are stored in a computer . . . any printout or other output readable by sight, shown to reflect the data accurately, is an “original.”’ Ark R. Evid. 1001(3).

The emails . . . were stored in the computers of DF and Bobo. Original emails could not be printed from Bobo's computer because it crashed in June 2005, and could not be printed from DF's computer because he deleted them. . . . [U]nder Rule 1004, because the originals were . . . destroyed, it is permissible to admit . . . printouts of the emails, which were forwarded to other computers, as long as they were shown that they reflect the data accurately. As set forth above, there is sufficient evidence demonstrating that the emails offered into evidence are accurate. Furthermore, the bad-faith exception does not apply because there is no evidence that the State -- the proponent of the emails --in bad faith lost or destroyed the emails.

Bobo v. State, supra. So Bobo lost on this and her other issues, and the court of appeals upheld her conviction. She was sentenced to serve two 6-years of imprisonment, to run consecutively (12 years), so she had an incentive to appeal. I assume she’ll try again with the Arkansas Supreme Court, if possible, but I suspect they’ll agree with this court.

I don’t have a problem with the court’s resolution of the best evidence rule. We’ve come a long way from when copies were made by hand (maybe by parties to the case), and it’s pretty straightforward to substitute a printout or another copy when something’s been destroyed.

What I cannot understand is how DF was able to delete the emails on his computer. Bobo was apparently just really lucky to have had her computer crash a few months before all this came to light. But once DF’s parents and the police discovered that the emails were on his computer, wouldn’t someone have taken steps to preserve them? Imagine what would have happened if DF’s mother had not forwarded the emails to her husband. They might have been destroyed before anyone could make a printout of them . . . which might have jeopardized the case.

Photoshop Crime

A year ago today, Thailand’s Computer Crime Act, B.E.2550 (2007,) went into effect. If you’re interested, you can find an unofficial translation of the Act here.

Most of it is straightforward computer crimes legislation that focuses on offenses like unauthorized access and causing damage to data or computer systems. It also appears to have cyberterrorism provisions in Section 12, which is unusual. (Note: This translation refers to the provisions as “sections”. I’ve also seen them referred to as “articles.” Not knowing which is correct, I’ll go with sections.)

I’m interested in the provisions of Section 16 of the Act -- its “Photoshop” section. Here is the unofficial translation of that section:

Any person, who imports to a computer system that is publicly accessible, computer data where a third party's picture appears either created, edited, added or adapted by electronic means or otherwise in a manner that is likely to impair that third party's reputation or cause that third party to be isolated, disgusted or embarrassed, shall be subject to imprisonment for not longer than three years or a fine of not more than sixty thousand baht, or both.

I find the statute interesting it essentially seems to be a photo-defamation crime.

As I noted in an earlier post, modern U.S. law really does not criminalize defamation. Working in the 1950s, the drafters of the Model Penal Code, the set of model criminal laws that has been very influential at the state level, decided not to criminalize libel, or defamation. They said, as I noted earlier, it was the most difficult decision they made. They essentially decided not to criminalize defamation because they believed civil remedies were enough, i.e., someone who’d been defamed could sue the newspaper or television station or magazine responsible and recover substantial monetary damages.

As I wrote in the earlier post, and in a law review article, that may have made sense in the 1950s and 1960s, because the publication of text and images was controlled by the mainstream media. The MSM had, and has, trained personnel, procedures and an economic incentive not to recklessly defame people; the MSM also has what lawyers call deep pockets, i.e., money to be able to pay a substantial civil judgment by someone they defamed.

Now, of course, any of us can be a publisher. In that earlier post I talked about the issues that rises, and how it undermines the rationale the drafters of the Model Penal Code relied on in reaching their decision not to criminalize defamation.

Our newly-acquired ability to become cyber-William Randolph Hearsts has a number of consequences, most good, some bad. In the earlier post I noted some cases in which people used this ability to cause varying types of harm to other people.

Since we can use our ability to publish online to harm other people, it seems we might want to consider criminalizing at least some of that activity. That’s a common reaction when we as a species find a new way to exploit our apparently infinite capacity to inflict harm on each other.
I’m not opposed to criminalizing certain types of “harmful” online publication, but doing so is not as simple a process as it may seem. Aside from anything else (e.g., political or practical concerns), criminalizing any kind of speech implicates two often problematic issues: (i) free speech guarantees (which are particularly important in the U.S.) and (ii) line-drawing.

I’m not going to go into the free speech issue here for several reasons: I suspect everyone has a pretty good idea of how the First Amendment protects most speech, even obnoxious speech; First Amendment analysis can be long and complex; and I did that in the law review article I mentioned, which you can read online, if you like. Another reason is that this post is about Section 16 of the Thai cybercrimes act, and the First Amendment is irrelevant in Thailand.

When I was researching the law review article, I found a number of stories about people whose images had been altered in photos posted online. Some were humiliated, both by how they were made to appear and, perhaps even more importantly by the fact that someone would want to do that to them. I remember reading a story about an Asian woman whose face was distorted in a photograph posted online; she said she kept wondering why someone would do that to her -- whether they thought she was a bad person or worthless or what their reasons might have been. It actually affected her life; she became something of a recluse, never knowing who around her might have been responsible (and probably wondering what they thought of the photo, and of her).

You might think she’s overreacting, but I don’t. A year or so ago, I did a presentation on this issue to a group of prosecutors, including some state Attorney Generals. I used the case of this woman in the presentation; I remember, as I was covering it, looking at the audience and thinking, “They’re not going to get this. They’re going to think this is silly, focusing on having your photo altered.” After the conference, I walked ou with a former state Attorney General. He told me he found that part of the presentation interesting because when he was Attorney General an alternative newspaper in the state capitol published an altered photograph of him . . . one that made his face look grotesque. He said it really bothered him, and I could tell it still did. He asked me, “Why did they have to do that? Why couldn’t they just use my regular photo?”

Making people look foolish or unattractive is actually a pretty effective way of attacking their ego, their self-confidence. Obviously, the impact will vary from person to person. Until I saw Section 16, though, I would not have thought of criminalizing such conduct. And that brings me back to the second issue I noted above: line-drawing.

If you’re going to criminalize posting an altered photo of someone online, how do you define when doing that is (i) great, (ii) okay, (iii) maybe a little annoying but nothing more or (iv) criminal because it just goes TOO FAR. How do you know when posting an altered photo crosses the line and becomes criminal?

The Thai provision defines going TOO FAR as posting an altered photo that (i) impairs the victim’s reputation or (ii) causes them to be “isolated, disgusted or embarrassed”. The woman I mentioned above was isolated and embarrassed, so posting her photo would qualify under this statute. The former Attorney General was embarrassed, so I suppose posting his photo online (instead of in print) would also qualify.

In the law review article, I tried to deal with the line-drawing issue by dividing harmful online publication into various categories: (i) ridicule; (ii) invasion of privacy; (iii) false light; and not-so-false light. I’ll hold ridicule for a minute, while I briefly summarize the others.

Invasion of privacy is publishing information you’d prefer to keep private; a few years ago two Congressional staffers had an affair, and she published the details (“likes to be spanked and to spank”) on a website. That’s invasion of privacy; the gentleman involved would have preferred that information not get into the public domain. This is harmful publication, but it’s true; invasion of privacy by definition involves revealing accurate information, so it’s not defamatory. False light is presenting someone as they are not; a few years a university student posted a story on a website saying her physics professor sexually harassed her and told her he was a pedophile; neither was true. (He sued for defamation and won, no damages because she was broke, but he presumably felt better.) We could probably make that a crime, but we don’t, so far.
Not-so-false light is publishing not private but discreditable information about someone, stuff they’d prefer not to see in the public domain; a couple of years ago, The Smoking Gun published mug shots of women – “Foxy Felons” – charged with various crimes. The women weren’t particularly happy about this, but since the information was true it wasn’t defamation.

In the article I argued for criminalizing defamatory publication, but not the other two. Invasion of privacy publication can represent a terrible betrayal of trust but, sadly, that is something I think we are going to have to deal with. I suggest in the article that perhaps the facility with which we can publish all kinds of information (true, untrue, discreditable, complimentary, seamy, etc.) online may ultimately make all of us far more sophisticated and discerning consumers of content. I hope so, anyway.

What about ridicule? It seems to me that this is the “harm” the Thai statute is primarily concerned with. If that is true, then I don’t think the statute is a good idea; I don’t see how it can be controlled, i.e., how a prosecutor decides when embarrassment rises to the level at which prosecution is appropriate and when it does not.

When I first saw Section 16, I thought of the “Star Wars Kid,” who was one of the examples I used in the ridicule section of my law review article. In 2003, a high school student in Canada recorded himself as he pretended to wield a Star Wars light saber (actually a golf ball retriever). He left the video in the recorder, classmates found it and posted it online and it went viral --- estimates are that it’s been viewed over 900,000,000 times. The boy was humiliated, though the people who viewed it seem to have been sympathetic for the most part. Like the lady I mentioned earlier, he felt foolish.

I sympathize with him, and with all the other people I’ve mentioned in this post, but I don’t see how we can prosecute people for embarrassing others. (And please don’t take that as an invitation to make me change my mind).

Video Voyeurism

A New York Criminal Court judge recently dismissed charges of disseminating an unlawful surveillance image that had been filed against Angelo Morriale.

According to the court’s opinion, Morriale “used a camera phone to videotape himself having sexual intercourse with the [victim] on two separate occasions on the same date, without her knowledge, permission, or authority.” People v. Morriale, 2008 WL 2346132, 2008 N.Y. Slip Op. 28214 (N.Y. City Criminal Court, June 10, 2008). He was alleged to have “sent the videos to at least one other person and to his own email account without the [victim’s] permission or authority to do so.” People v. Morriale, supra.

The charge was brought under New York Penal Law § 250. 55, which provides as follows:

A person is guilty of dissemination of an unlawful surveillance image in the second degree when he or she, with knowledge of the unlawful conduct by which an image or images of the sexual or other intimate parts of another person or persons were obtained and such unlawful conduct would satisfy the essential elements of the crime of unlawful surveillance in the first or second degree, intentionally disseminates such image or images.

Since Morriale was alleged to have sent the videos (i) to himself and (ii) to someone else, he was charged with two counts of violating this statute. As I explained in an earlier post, each “count” of a charging document (the superseding complaint, in this case) represents the commission of a separate crime, a separate violation of the statute at issue. Since this statute makes it a crime to “disseminate” an unlawful surveillance image, each time someone “disseminates” an image, that’s a new crime and a new count.

The provision – known as Stephanie’s Law – was added to the Penal Code in 2003, due in large part to the efforts of a woman whose landlord had secretly videotaped her by putting a camera in the smoke detector over her bed. People v. Morriale, supra. The court noted this was a case of first impression, i.e., there are no other reported cases construing this new statute.

Morriale moved to dismiss the charge, and the court granted his motion as to one count:

One of the two counts . . . is predicated on defendant's alleged dissemination of the video recording to his own email account. `Disseminate’ is defined as `to give, provide, lend, deliver, mail, send, forward, transfer or transmit, electronically or otherwise to another person.’ (Penal Law § 250.40[5] ). Since defendant's alleged transmission of the video to himself does not constitute dissemination as defined, one count of the charge must be dismissed.

People v. Morriale, supra.

It also dismissed the other count – the one based on Morriale’s allegedly sending the videos to someone else. The court began by parsing the statute into its elements. To be guilty under § 250. 55, someone must have

• Intentionally disseminated one or more image of the sexual or other intimate parts of another person;
• Knowing of the unlawful conduct by which the image(s) was/were obtained; and
• That unlawful conduct must satisfy the essential elements of the crime of unlawful surveillance in the first or second degree [under New York Penal Law § 250.50].

The court dismissed the remaining count because it found that the last element was not established by the allegations in the count against Morriale.

To commit unlawful surveillance in the first degree under § 250. 50, someone has to commit “the crime of unlawful surveillance in the second degree and [have] been previously convicted within the past ten years of unlawful surveillance in the first or second degree.” People v. Morriale, supra. The charge did not allege that Morriale had been convicted of unlawful surveillance within the last ten years, so it did not charge this crime.

To commit unlawful surveillance in the second degree under New York Penal Law § 250. 45, someone has to have done one of the following:

1. For his or her own, or another person's amusement, entertainment, or profit, or for the purpose of degrading or abusing a person, he . . . intentionally uses or installs, . . . an imaging device to surreptitiously view . . . or record a person dressing or undressing or the sexual or other intimate parts of such person at a place and time when such person has a reasonable expectation of privacy, without such person's knowledge or consent; or

2. For his or her own, or another person's sexual arousal or sexual gratification, he or she intentionally uses or installs. . . an imaging device to surreptitiously view . . . or record a person dressing or undressing or the sexual or other intimate parts of such person at a place and time when such person has a reasonable expectation of privacy, without such person's knowledge or consent; or

3. For no legitimate purpose, he or she intentionally uses or installs. . . an imaging device to surreptitiously view, broadcast or record a person in a bedroom, changing room, fitting room, restroom, toilet, bathroom, washroom, shower or any room assigned to guests . . . in a motel, hotel or inn, without such person's knowledge or consent; or

4. Without the knowledge or consent of a person, he or she intentionally uses or installs. . . an imaging device to surreptitiously view, broadcast or record, under the clothing being worn by such person, the sexual or other intimate parts of such person.

The court found the allegations against Morriale did not allege a violation of either the first or second subsections of § 250. 45 because the first requires that the perpetrator commit the act for his "own, or another person's amusement, entertainment, or profit, or for the purpose of degrading or abusing a person”, and the second requires that he act for his "own, or another person's sexual arousal or sexual gratification”. Since the count filed against Morriale made “no allegation as to defendant's purpose either in its accusatory or in its factual portions”, it failed to allege the crime of unlawful surveillance in the second degree, and so failed to charge Morriale with violating § 250. 55. People v. Morriale, supra.

The court also found that the count did not allege a violation of the other sections of the statute: It did not, as subsection 3 requires, allege that Morriale used or installed an imaging device in a “bedroom, changing room, fitting room, restroom, toilet, bathroom, washroom, shower or any room assigned to guests or patrons in a motel, hotel or inn”. And it did not, as subsection 4 requires, allege that he used or installed such a device “to surreptitiously view, broadcast, or record the sexual or other intimate parts of the victim `under the clothing being worn by such person’”. People v. Morriale, supra. So the court granted his motion to dismiss.

The count was dismissed because it was factually and legally insufficient, which means the prosecutor’s office can try again, with a new set of charges, if it wishes. The charges would, though, have to allege facts that would establish the elements set out above.

It’s clear the prosecution won’t be able to bring a dissemination charge against Morriale for sending the videos to himself, because that’s just not “dissemination” under this, or any other, criminal statute. The whole point of criminalizing the dissemination of something (drugs, child pornography, videos like these) is to punish the act of sharing the “harm.” If I possess drugs or child pornography, that’s one kind of “harm;” if I also give them to you, that’s a whole new, additive “harm.” Here, though, Morriale only sent the videos to himself, so there’s no additive “harm,” no sharing of the “harm.”

I saw a news story that said the prosecutor’s office is considering what to do now. I suspect one reason why the charges were flawed is that this is, as the court noted, a new statute, so prosecutors maybe haven’t brought many (any) charges under it before. The other problem is that it looks like what Morriale did may just not fit under the New York video voyeurism law.

Video voyeurism laws are an evolved version of the Peeping Tom laws that came from common law, the ones that make it a crime to sneak onto someone else’s property and observe them without their permission (usually for the purposes of sexual gratification). It looks like the New York law is a little too complicated (as, I think, are some other, similar laws). Why not just make it a crime – a smaller crime – to capture images of someone without their permission when they are in a place where they have a legitimate expectation of privacy? You could then either define additional, more serious offenses based on other aspects of the conduct, such as disseminating the pictures to others and/or capturing the images in REALLY private places. Or you might simply use such conduct as aggravating factors to increase the sentences imposed for the base crime.

If you did that, then it seems like it would be easy to bring a legitimate charge against Morriale. You do have the complicating issue that the victim knew he was there and, I suppose, at some level knew he COULD take videos of her. That differentiates this kind of video voyeurism from the kind of activity many of these statutes target (e.g., dressing rooms, hotel rooms, etc) and the kind of conduct Peeping Tom laws targeted. It seems to me it’s not reasonable to assume (if, indeed, that assumption is at least in part for the convoluted specificity of some of these statutes) that someone should be deemed to have assumed the risk of being photographed simply because they were involved in an intimate moment with another person.

Kyllo

As I’ve explained in earlier posts, the 4th Amendment to the U.S. Constitution protects citizens from “unreasonable” searches (and seizures).

As I’ve also explained, a search intrudes on a cognizable 4th Amendment expectation of privacy – what the Supreme Court in Katz v. United States defined as a “reasonable expectation of privacy.” To have a reasonable expectation of privacy in something – like the contents of your hard drive, say – you have to believe it is private and a court has to find that our society, in general, does, too. In other words your belief that the contents of your hard drive are private has to be objectively reasonable; we don’t enforce the quirky beliefs of those who are out of step with the general culture.

Courts uniformly agree that you have a reasonable expectation of privacy in your hard drive unless, as I’ve noted earlier, you give people access to it via file-sharing software or by simply giving them the password they need to access the files on it. (In those instances, courts say that your belief, if you really continued to believe that the contents of the hard drive were private, was unreasonable, and so fails.)

A couple of years ago I noted that in 2001, in Kyllo v. United States, the Supreme Court was asked to decide if it was a “search” for law enforcement officers to stand across the street from someone’s home and use a thermal imager to detect the signature of the heat radiating from the house. A federal agent did that to Danny Kyllo’s home, and the thermal imager showed that there was an unusual amount of heat radiating from his garage. The agent (as agents regularly did back then) used that information plus other information he had gathered to get a warrant to search Kyllo’s house and garage for evidence of marijuana being grown illegally (as it inevitably is).

Kyllo moved to suppress the evidence (marijuana plants, among other things) the agents found when they executed the warrant at his house. He argued that it was a search to use the thermal imager because he had a 4th Amendment expectation in the privacy of his home. As I’ve explained before, the home is the ultimate private place under the 4th Amendment, so it seemed Kyllo had a pretty good argument.

The problem was that every federal court (and most state courts) that had addressed this issue up to that point had held it was NOT a search to use the thermal imager, even on a home. The rationale was that the use of the thermal imager was not a “search” because nobody and no thing actually intruded INTO the home. The thermal imager detected heat radiating out of the home. So courts said this was not a search; some of them agreed with the prosecution’s theory that what the thermal imager was picking up was essentially garbage (which isn’t private under the 4th Amendment, at least not once you put it outside). The problem with that, IMHO, is that you choose to discard garbage, but you cannot choose whether or not to let heat radiate from your home. As I understand it, you might be able to seal your home so no heat got out, but you’d be in a very, very bad way after spending time in it.

Okay, so what does all this have to do with cybercrime? Well, in deciding the Kyllo case the Supreme Court decided (correctly, IMHO) that the user of the thermal imager was a search. The problem comes with the standard they enunciated in issuing that holding. The Kyllo Court held that it is a search (i) to use technology that is not in general public use to (ii) detect information from inside a home.

That’s a bad standard for two reasons. The first reason results from the reference to one’s home: Does that mean it’s not a search to use a thermal imager on a business or a school or a church? You may not have as much of a privacy interest in a non-home structure as in your home, but you still have a privacy interest and police still have to get a warrant to search (absent consent or other exceptions). So it would have been better, again IMHO, for the Court to have said something like “it’s a search to use a thermal imager to detect information from inside a home or other structure in which a person has a cognizable 4th Amendment expectation of privacy.” Since that wasn’t spelled out in the opinion but MIGHT be a logical corollary of the holding, it looks like officers are tending to get warrants to use thermal imagers on structures other than homes, according to the slight anecdotal evidence I can find. Seems like a very good idea to me.

It’s the other problem with the Kyllo holding that I find really interesting. When does technology move into “general public use”? When Court issued its opinion (and when the thermal imager was used on Kyllo’s home), you could buy a thermal imager if you liked. You still can – they’re even cheaper and more effective. So is it now not a search to use a thermal imager on a home (or other private place) because we can buy them? Or does something else have to happen for technology to move into general public use?

I keep waiting for cases to raise that issue with various technologies – including computer technology – but so far all the reported Kyllo-general-public-use cases are about the use of drug dogs. When my students and I discuss that I usually ask them if a dog – a trained drug dog, to be specific – is “technology.” Not in the conventional sense, but I suppose a highly trained drug dog is technology. (My not highly trained dog is most certainly not technology, though he is a great dog.)

So far, I’ve only found one case that explicitly raises the Kyllo issue with regard to computer technology. In State v. Jacobs, 2007 WL 1121289 (Minnesota Court of Appeals, 2007), Jacobs was charged with possessing child pornography after officers searched his home and found child pornography. This is how the search came about:

[A] Pennsylvania police officer . . . was assigned to investigate computer crimes involving child pornography. . . . [W]hile searching for child pornography on Kazaa P2P, a software program that allows people to share and exchange computer files over the Internet, he observed that a particular computer with an IP (Internet protocol) address was offering to share images of child pornography. The officer then determined that the Internet service provider, Mediacom Communications Corporation, had the name and address of the user and obtained a court order requiring Mediacom to provide that information to him. When the officer recovered the information from Mediacom, he forwarded it to the Redwood Falls police department. A search warrant was executed on [Jacobs’] residence, which resulted in the seizure of the computer disks.

State v. Jacobs, supra.

Jacobs moved to suppress the evidence, arguing that the “officer’s acquisition of his identity and address from a third-party Internet Service Provider” was an unreasonable search under the 4th Amendment. Specifically, he argued that “because he had installed certain software programs on his computer and turned his file-sharing option to the `off’ position, the officer's use of software to discover his IP address was a violation of his reasonable expectation of privacy and was a `search’ similar to the one in United States v. Kyllo”. State v. Jacobs, supra.

The Minnesota Court of Appeals disagreed:

In Kyllo, police used special thermal-imaging technology to peer into defendant's home and obtain proof that he was growing marijuana. The Court held that this was a `search’ within the meaning of the Fourth Amendment because the police employed technology not widely used by the general public to peer into defendant's home. . . . But this case is factually distinguishable. . . Here, the officer did not use special technology to identify appellant's IP address, but rather was able to identify appellant through CommView, a software program that is readily available to the public. Thus, there was no `search’ . . . requiring a warrant under the Fourth Amendment.

State v. Jacobs, supra.

I found one other case that mentioned the use of CommView for the same purpose:

FBI Special Agent (SA) Gordon, using an internet connected computer, launched the P2P Limewire program and conducted a keyword search using the term `r@gold’ which is commonly found in the file names of child pornography images on file sharing networks. The . . . search identified 19 matching files which could be viewed and downloaded from the computer using the IP address 68.224.236.152. . . . [He] used the Limewire `browse’ function to view the names of . . . 270 image files stored in the share folder of the computer using the IP address 68.224.236.152. . . . [M]ore than half . . . had names indicative of child pornography. SA Gordon then downloaded four image files from the computer using IP address 68.224.236.152, all of which contained images of child pornography. . . . During the downloading process, the Limewire program displayed the source IP address of each image as 68.224.236.152. SA Gordon also used a . . . program called CommView which monitors internet and local network traffic and allows the user to view detailed IP address connections. This program also showed that the four images of child pornography were downloaded from the IP address 68.224.236.152.

United States v. Latham, 2007 WL 4563459 (U.S. District Court - District of Nevada, 2007).

You can buy CommView online, for $149 if you’re a “home user” or for $499.99 if you’re an “enterprise user.”

I’m not sure if the Jacobs court was right in finding that CommView is in general public use. What I find interesting, and disconcerting, is the premise that once a technology CAN be purchased by members of the public, it moves into general public use which means that law enforcement’s using it against us is not a 4th Amendment search. If it’s not a search, then law enforcement can use the technology without getting a warrant or otherwise satisfying the 4th Amendment. My problem with what the Jacobs court did is that I don’t see how CommView differs from the thermal imager that was used on Kyllo’s home: Any member of the general public who could afford one could buy (and use) a thermal imager when one was used on Kyllo’s home; and any member of the general public could have done the same at the time the Supreme Court decided the Kyllo case. The Court still held it was a search to use the thermal imager. So why isn’t it a search for law enforcement to use CommView?

My concern about the holding in Jacobs is the consequences. If this approach prevails, I’m afraid it’s going to skew the notion of privacy, so that instead of working on my laptop in my home study (as I am at this moment) and assuming what I’m doing is private, I have to take countermeasures to ensure what I am doing is private. Once a surveillance technology (of whatever type) goes on sale, I presumably have to know that and have to figure out how to defeat its application to me . . . or I’ve waived my privacy. Somehow, that doesn’t seem quite right.

Warshak: 6th Circuit Blinks

As I explained in an earlier post, last year a decision issued by three of the judges on the Sixth Circuit Court of Appeals held, in effect, that we have a 4th Amendment expectation of privacy in our emails, even when the emails are stored on the servers of our Internet Service Provider.

As I also noted, the government was appealing the ruling to the full Sixth Circuit. In the federal courts of appeals, most appeals are heard and decided by a sub-set of the full court consisting of three judges. When someone is not happy with a ruling, they can try to get the entire court to rehear the matter, which the government succeeded in doing in this case.

As I explained earlier, a federal district judge in Cincinnati had held that the statute the government uses to gain access to stored emails without getting a search warrant violated the 4th Amendment and issued an injunction barring its enforcement. (The statute is based on the premise that, as I noted earlier, we do not have an expectation of privacy in email because it can be read by employees of our Internet Service Provider.) The three judge panel that heard the initial appeal last year agreed with her and held the statute unconstitution.

I talked to a Department of Justice lawyer earlier this year. He said that the position the DOJ was taking in this appeal to the entire court was to raise two procedural issues in hopes of getting the case kicked out without the court’s addressing the substantive issue, i.e., whether the 4th Amendment encompasses email. He said the government was doing that because, frankly, their case was weak; it was weak, according to this attorney, because the government hadn’t developed a complete record, which meant they didn’t have the facts they needed to make strong arguments. And I suspect the government was more than a little freaked by the fact that a federal district court judge and three court of appeals judges found that the 4th Amendment does encompass email. They know they’ll have to deal with that issue at some point, but they want to pick a case that puts them in the best tactical advantage when they finally do so.

The entire court – 14 federal appellate judges – threw the case out because they found it wasn’t “ripe.” “A claim is not `amenable to . . . the judicial process . . . when it is filed too early (making it unripe).’) Warshak v. U.S. 2008 WL 2698177 (6th Cir. 2008). Here is why the court found that Warshak’s claim was not ripe for judicial decision:

To start, we have no idea whether the government will conduct an ex parte search of Warshak's e-mail account in the future and plenty of reason to doubt that it will, making this a claim that depends on `contingent future events that may not occur as anticipated, or indeed may not occur at all.’ . . . Answering difficult legal questions before they arise and before the courts know how they will arise is not the way we typically handle constitutional litigation. . . .

Nor can we rely on previous government searches of Warshak's e-mails to hypothesize the factual context of the next search. Even if the record contained the full text of the NuVox and Yahoo! service-provider agreements (it does not. . .), we would run into a similar conjecture problem. Just as there is little basis for assuming the government will conduct another ex parte search of Warshak's e-mails, there is little basis for assuming any future search will concern e-mails facilitated by these service providers, as opposed to e-mails facilitated by other service providers. . . .

Concerns about the premature resolution of legal disputes have particular resonance in the context of Fourth Amendment disputes. In determining the "reasonableness" of searches under the Fourth Amendment and the legitimacy of citizens' expectations of privacy, courts typically look at the `totality of the circumstances,’ . . . reaching case-by-case determinations that turn on the concrete, not the general, and offering incremental, not sweeping, pronouncements of law. . . . Courts thus generally review such challenges in two discrete, post-enforcement settings: (1) a motion to suppress in a criminal case or (2) a damages claim . . . against the officers who conducted the search. In both settings, the reviewing court looks at the claim in the context of an actual, not a hypothetical, search and in the context of a developed factual record of the reasons for and the nature of the search. A pre-enforcement challenge to future e-mail searches, by contrast, provides no such factual context. The Fourth Amendment is designed to account for an unpredictable and limitless range of factual circumstances, and accordingly it generally should be applied after those circumstances unfold, not before.

Warshak v. U.S., supra.

There’s more, but it’s all along the same lines.

For those of us who think we do (should) have a 4th Amendment expectation of privacy in the content of our emails, it’s heartening to note that 5 of the judges dissented. Judge Martin, whose dissent was joined by the others, began his opinion as follows:

Why do today what can be done tomorrow? I dissent because I not only believe this case is ripe for review, but because the majority gives unwarranted deferential treatment to the government. Such treatment would not be afforded a private litigant defending against a motion for preliminary injunction, and should not be given here.

He also has a nice ending, IMHO:

While I am saddened, I am not surprised by today's ruling. It is but another step in the ongoing degradation of civil rights in the courts of this country. The majority makes much of the fact that facial challenges are no way to litigate the constitutional validity of certain laws. Yet our Supreme Court has no problem striking down a handgun ban enacted by a democratically elected city government on a facial basis. See Dist. of Columbia v. Heller, --- U.S. ----, 2008 WL 2520816 (June 26, 2008). History tells us that it is not the fact that a constitutional right is at issue that portends the outcome of a case, but rather what specific right we are talking about. If it is free speech, freedom of religion, or the right to bear arms, we are quick to strike down laws that curtail those freedoms. But if we are discussing the Fourth Amendment's right to be free from unreasonable searches and seizures, heaven forbid that we should intrude on the government's investigatory province and actually require it to abide by the mandates of the Bill of Rights. I can only imagine what our founding fathers would think of this decision. If I were to tell James Otis and John Adams that a citizen's private correspondence is now potentially subject to ex parte and unannounced searches by the government without a warrant supported by probable cause, what would they say? Probably nothing, they would be left speechless.

You can find the full opinion here. Search for opinion # 08a0252p.06.

Lawyer Hacks Email Accounts

The West Virginia Supreme Court recently suspended a lawyer for hacking.

While this isn’t really a cybercrime case (since he wasn’t facing criminal charges), it’s still a case about hacking. And it raises some interesting legal issues . . . as well as illustrating the various motives that can drive people to do things they know they shouldn’t.

Here are the facts as set out in the Supreme Court’s opinion:

[Markins] has been a practicing attorney since October, 2001. . . . [H]e was . . . an associate . . . at the law firm of Huddleston Bolen, LLP (“Huddleston”). His wife, also an attorney, was . . . employed at the law firm of Offutt, Fisher & Nord (“OFN”). In . . . 2003, [Markins] began accessing his wife's OFN e-mail account without her . . . knowledge. . . . to secretly monitor her activities because he believed she had become involved in an extramarital affair with an OFN client. . . . [I]nitially, he improperly accessed only his wife's account and later, that of . . . an OFN partner. Eventually, . . . [Markins]. . . began accessing the e-mail accounts of seven other OFN attorneys.

Lawyer Disciplinary Board v. Markins (2008). (The testimony and evidence mentioned in the opinion were presented at an attorney disciplinary hearing held in 2007.)

His activity came to light after an OFN lawyer suspected her email had been improperly accessed. OFN hired an expert to investigate; he found Markins gained unauthorized access to the OFN email accounts “on numerous occasions from sometime prior to November 7, 2003, until March 16, 2006”. Lawyer Disciplinary Board v. Markins, supra.

At the hearing, OFN’s managing partner, D.C. Offutt, Jr., testified that while they could not view the e-mails Markins read, they could determine which accounts he accessed and when they were accessed. If an email had an attachment, they could tell if it had been opened. Lawyer Disciplinary Board v. Markins, supra. They also found that Markins had opened “confidential OFN financial information sent by the firm's chief accountant to the firm's partners by e-mail attachment”. Lawyer Disciplinary Board v. Markins, supra.
The Supreme Court summarized the scope of Markins’ intrusions as follows:

[Markins] accessed the e-mail accounts of OFN attorneys on more than 150 occasions. . . . [H]e learned personal information about certain attorneys which had been relayed confidentially. . . . OFN and Huddleston, [Markins]'s employer, represented co-defendants in a large mass tort case that was in litigation during the time period at issue. In March, 2006, [Markins] . . . was monitoring the trial from the Hampton Inn in Beckley. . . . [He] gained unauthorized access into . . . OFN e-mail accounts from the Hampton Inn's IP account. . . . Huddleston's mass tort client had . . . a claim for indemnity against OFN's client. . . .Mr. Offutt testified that information . . .in the firm's e-mail system would have been `helpful’ to Huddleston's client. However, neither Huddleston nor OFN found evidence that any information between OFN attorneys and its client in that case had been compromised.

Lawyer Disciplinary Board v. Markins, supra.

As to the effects of Markins’ email voyeurism, Mr. Offutt submitted an affidavit which explained that after his activities were reported by the press, OFN

`suffered further damage to its image and reputation .’ . . . [O]ne of the firm's clients expressed `serious concerns’ . . . about whether [Markins] . . . accessed important information concerning that client. According to Mr. Offutt, this client has put the firm on notice of a potential claim for damages against it. Mr. Offutt . . . anticipates that similar concerns will be expressed by other clients . . . and that the . . .ramifications and stigma of [Markins’] misconduct will be felt for many years. Finally, Mr. Offutt indicated that his firm suffered direct economic losses as a result of [his] actions: Mr. Offutt, along with other firm lawyers and staff, spent considerable time and resources investigating . . . the matter and were distracted by the events and their aftermath.

Lawyer Disciplinary Board v. Markins, supra.

Markins’ voyeurism had other, more personal consequences: After his wife told him someone had been breaking into OFN email accounts and the firm was investigating, Markins admitted he was responsible for the intrusions. Later, his attorney contacted OFN and told them Markins was their hacker. His admission of responsibility apparently came after their expert identified him as the person responsible for the break-ins; after OFN learned that, Offutt asked Markins’ wife if she knew he was responsible. She said she did not, though she had “just learned” of it. Lawyer Disciplinary Board v. Markins, supra.

OFN fired her and Huddleston fired Markins. Lawyer Disciplinary Board v. Markins, supra. (According to an article in the ABA Journal, he “reportedly landed” another job with a different firm, at a salary of $80,000, $2,000 more than he was making at Huddleston.)

At the disciplinary hearing, Markins claimed he never revealed, forwarded or used any information in the emails he accessed, and the court found that there was “no evidence to the contrary.” Lawyer Disciplinary Board v. Markins, supra. He also said he took full responsibility for what he had done and was remorseful. According to an article published in the ABA Journal before the Supreme Court issued its decision, Markins’ lawyer said the penalty was “very hard’” and “`excessive for the acts committed.’”

In deciding what sanction should be imposed on Markins, the court considered the factors mitigating his responsibility (notably the reason he began accessing the emails in the first place) and the aggravating factors (the fact he kept going, the scope of his intrusions and the effects it was having on OFN). It also considered the importance of sending a message:

[W]ith the widespread use of . . . e-mail as an important method of communication between . . . attorneys and their clients comes the potentiality that the communication might be improperly infiltrated. This Court does not take lightly . . . that . . . it was an attorney who repeatedly accessed the confidential e-mails of other attorneys without their knowledge. . . . [T]he imposition of a suitable sanction in a case such as this is not exclusively dictated by what sanction would appropriately punish the offending attorney but, just as importantly, this Court must ensure that the discipline imposed adequately serve as an effective deterrent to other attorneys,

Lawyer Disciplinary Board v. Markins, supra.

The Supreme Court imposed the sanctions that had been recommended by the Lawyer Disciplinary Board (which held the hearing): Markins was suspended from practicing law for 2 years; upon being reinstated, his practice would be supervised for 1 year; he had to complete 12 hours of continuing legal education in ethics before he could be reinstated; and he had to pay the costs of the disciplinary proceeding. Lawyer Disciplinary Board v. Markins, supra.

In a concurring opinion, Justice Stracher said he would have preferred sanctions that also required Markins to “make restitution for injuries that resulted from his conduct.” Justice Stracher said the Lawyer Disciplinary Board should be asked to “quantify the damages, review Mr. Markins' earnings capacity, evaluate his ability to make restitution, and recommend a payment schedule to the Court.”

This case raises two interesting issues, the first of which goes to the “harm” inflicted by what Markins did. As I’ve explained before, crimes are intended to discourage the infliction of particular type of “harm,” such as the death or injury of human beings, the theft of property and so on. As I’ve also noted before, it can be difficult to quantity or even articulate the “harm” in a cybercrime case.

This is essentially an unauthorized access to computers case. The obvious victim is OFN because they suffered “direct economic loss,” in the form of a damage suit from one or more clients plus the time and expense involved in finding out what Markins had done. Were there any other victims? Were the clients whose information was accessed improperly (but not, according to Markins, used) “harmed”? They certainly suffered a loss of confidence in their attorneys, but criminal law tends to focus on tangible “harm,” so a loss of confidence probably doesn’t quality. What about Markins’ wife? She was “harmed” by having the privacy of her emails violated and by being fired by her firm. And what about Huddleston? Was Markins’ law firm also a victim? If so, what was the “harm”?

I throw those questions out not to be annoying but to illustrate the ripple effects actions like Markins’ can have and the criminal law’s essential uncertainty as which of those effects should trigger the imposition of criminal liability.

And that brings me to the other interesting aspect of the case: As far as I can tell, Markins has not been charged with a crime, even though West Virginia has at least one criminal statute that seems like it might apply to what he did:

Any person who knowingly, willfully and without authorization accesses a computer or computer network and examines any employment, salary, credit or any other financial or personal information relating to any other person, after the time at which the offender knows or reasonably should know that he is without authorization to view the information displayed, shall be guilty of a misdemeanor, and, upon conviction thereof, shall be fined not more than five hundred dollars or confined in the county jail for not more than six months, or both.

West Virginia Code § 61-3C-12.

The attorney disciplinary proceeding would not bar criminal charges; since it’s not a criminal proceeding, the prohibition on double jeopardy would not apply.

I’m not lobbying to have Mr. Markins convicted of however many misdemeanor counts his activity might support. I’m just noting an apparently unexplored possibility . . . .

Spam Jurisdiction

As I explained in an earlier post, jurisdiction is a court’s power to act in a given case. Law divides jurisdiction into two categories.

Subject-matter jurisdiction is a court’s ability to hear and decide a particular kind of case. In the U.S., copyright law is exclusively federal law, so a state court doesn’t have subject-matter jurisdiction to decide a copyright case.

Personal jurisdiction is a court’s ability to exercise its authority over a particular person. To see how it works, imagine that a court in, say, Indiana has subject-matter jurisdiction to hear and decide cases involving murder (the intentional killing of another human being). A defendant charged with murder and set to be tried by the court points out that (i) neither he nor the victim was a citizen of Indiana, (ii) the killing occurred in Oregon and (iii) neither the conduct nor anything else about the crime has any ties with Indiana. He'd win on that argument because on those facts the Indiana court wouldn't have personal jurisdiction to try the case. It would have to be tried in Oregon or some other state with a connection to the crime.

For a court to legitimately exercise its authority over someone, that person essentially has to either (i) be in the territory where the court sits (e.g., Utah), (ii) have conducted business or otherwise engaged in activity in that territory or (iii) have engaged in activity outside the territory that had an effect in that territory. This is a matter of simple fairness. It would, for example, be blatantly unfair for a court in Alabama to enter a judgment against me when I have (i) never been to Alabama, (ii) never conducted business or any activity in Alabama and (iii) never engaged in any activity that, to my knowledge, had any impact at all in Alabama.

Our modern U.S. law dealing with personal jurisdiction is a product of our very complex federal system (one federal jurisdiction and 50+ state and other component jurisdictions). It is also a function of the fact that civil litigants long figured out that it could be a useful point of leverage to file suit in Alaska against someone who lives in Maryland. It will be a lot more expensive and time-consuming to defend that suit in Alaska, so the defendant might be more inclined to settle. Courts essentially said that’s not fair and we won’t let you do it.

This post, though, is about personal jurisdiction in a criminal case. I outlined the basic principles involved in that earlier post.

The case we’re going to focus on is Jaynes v. Commonwealth, 275 Va. 341, 657 S.E.2d 478 (Virginia Supreme Court 2008), and here are the facts, as the court described them:

From his home in Raleigh, North Carolina, Jaynes used several computers, routers and servers to send over 10,000 e-mails within a 24-hour period to subscribers of America Online, Inc. (AOL) on each of three separate occasions. On July 16, 2003, Jaynes sent 12,197 pieces of unsolicited e-mail with falsified routing and transmission information onto AOL's proprietary network. On July 19, 2003, he sent 24,172, and on July 26, 2003, he sent 19,104. None of the recipients of the e-mails had requested any communication from Jaynes. He intentionally falsified the header information and sender domain names before transmitting the e-mails to the recipients, causing the Internet Protocol (IP) addresses to convey false information to every recipient about Jaynes' identity as the sender. However, investigators used a sophisticated database search to identify Jaynes as the sender of the e-mails. Jaynes was arrested and charged with violating [Virginia] Code § 18.2-152.3:1. . . .

Jaynes v. Commonwealth, supra. Section 18.2-152.3:1 provides as follows:

A. Any person who. . . [u]ses a computer or computer network with the intent to falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers . . . is guilty of a Class 1 misdemeanor.

B. A person is guilty of a Class 6 felony if he commits a violation of subsection A and [t]he volume of UBE transmitted exceeded 10,000 attempted recipients in any 24-hour period, 100,000 attempted recipients in any 30-day time period, or one million attempted recipients in any one-year time period. . . .

Jaynes was tried on the charges and convicted by a jury. Jaynes v. Commonwealth, supra. According to the court’s opinion, evidence presented at trial showed he knew that

the more than 50,000 recipients of his unsolicited e-mails were subscribers to AOL . . . because the e-mail addresses . . . ended in `@aol. Com’ and came from discs stolen from AOL. Jaynes' e-mails advertised . . . three products. . . .To purchase one of these products, potential buyers would click on a hyperlink within the e-mail, which redirected them outside the e-mail, where they could consummate the purchase. Jaynes operated his enterprise through several companies . . . and evidence was introduced as to billing and payment activities for these companies, including evidence that registration fees were paid to AOL with credit cards held by fictitious account holders.

Jaynes v. Commonwealth, supra.

That evidence was important because in appealing his conviction to the Virginia Supreme Court, Jaynes claimed that the trial court – the Virginia circuit court – did not have jurisdiction over him because he did not

`use’ a computer in Virginia. He contends that a violation of that statute can occur only in the location where the e-mail routing information is falsified. Jaynes maintains that because he only used computers . . . from his home in . . . North Carolina, he committed no crime in Virginia. Further, because he had no control over the routing of the e-mails, he argues his actions did not have an `immediate result’ in Virginia, and . . . cannot be the basis for jurisdiction over him by Virginia courts. Therefore, . . . the circuit court had no jurisdiction over him and his convictions are void.

Jaynes v. Commonwealth, supra.

That’s a really great argument – if it works – because he wins even if he committed all the acts the prosecution attributed to him. Jurisdiction can be one of those nuclear bombs I occasionally mention – like the fact that something claimed to be a crime really isn’t a crime, legally. Those claims have nothing to do with the facts; they go directly to the court’s ability to act. If there’s no crime, there can be no conviction, because there’s nothing to convict someone of. (Law calls that “legal impossibility.”) And if the court doesn’t have jurisdiction, then it can’t act; a conviction entered by a jury impaneled by a court that doesn’t have jurisdiction to try a case is null and void.

Jaynes’ argument, though, didn’t work. The Virginia Supreme Court first rejected his claim that

he “merely” sent emails that “happened” to be routed through AOL servers:
all e-mail must flow through the recipient's e-mail server in order to reach the intended recipient. By selecting AOL subscribers as his e-mail recipients, Jaynes knew and intended that his e-mails would utilize AOL servers because he clearly intended to send to users whose e-mails ended in `@aol.com.’ . . . AOL servers are located in Virginia, and . . . the location . . . was information easily accessible to the general public. . . . [T]he evidence supports the conclusion that Jaynes knew and intended that the e-mails he sent to AOL subscribers would utilize AOL's servers which are located in Virginia.

Jaynes v. Commonwealth, supra.

Jaynes also argued that an email “could be routed through a number of different mail handling networks” before reaching its destination. He claimed “the intervention of intermediate e-mail routers and servers” prior to the emails’ arrival “at the AOL servers shows that the alleged harm through the AOL servers in Virginia was not the `immediate result’” of his actions in North Carolina. Jaynes v. Commonwealth, supra. Again, the Virginia Supreme Court disagreed:

[S]electing AOL subscribers as recipients of his e-mails insured the use of AOL's computer network to deliver the e-mails and such use was the `immediate result’ of Jaynes' action, regardless of any intermediate routes taken by the e-mails. Because the use of the computer network of an e-mail service provider or its subscribers is an integral part of the crime charged and because the use of AOL's e-mail servers was the `immediate result’ of Jaynes' acts, . . . Jaynes was amenable to prosecution in Virginia for a violation of Code § 18.2-152.1:3. . . . [T]he circuit court had jurisdiction.

Jaynes v. Commonwealth, supra.

The residual question this case leaves unanswered is: What happens when someone is charged with violating the Virginia spam act but the facts DON'T show that they knowingly and deliberately targeted people in Virginia by, say, using AOL servers? What if someone simply sends out spam and some of it affects people in Virginia? That's the difficult issue.

And this jurisdictional decision is not the end of this case: Jaynes made it back to the Virginia Supreme Court last month; this time, he argued that Virginia’s anti-spam statute violates the First Amendment and is therefore unconstitutional and unenforceable. He’s currently serving the nine-year sentence he got for violating that statute under house arrest in Loudon, Virginia. So now he’s trying another major nuclear bomb – the argument that because the statute is unconstitutional, the convictions can’t stand. He just might win.

Burglar's Tools

As I’ve noted before, many U.S. states (and probably many countries) outlaw the possession of “burglar’s tools.”

Here’s New York’s possession of burglar’s tools statute:

A person is guilty of possession of burglar's tools when he possesses any tool, instrument or other article adapted, designed or commonly used for committing or facilitating offenses involving forcible entry into premises. . . under circumstances evincing an intent to use or knowledge that some person intends to use the same in the commission of an offense of such character.

McKinney’s Penal Law of New York § 140.35. Possession of burglar’s tools is a misdemeanor under § 140.35.

Some states go further and outlaw creating burglar’s tools:

A person is guilty of manufacturing . . . burglar's tools when he manufactures . . . any tool, instrument or other thing adapted, designed or commonly used for advancing or facilitating offenses involving unlawful entry into premises . . .under circumstances manifesting an intent to use or knowledge that some person intends to use the same in the commission of an offense of such character.

Connecticut General Statutes Annotated § 531-106(a). Manufacturing burglar’s tools is a misdemeanor under the Connecticut statute.

The rationale for outlawing the possession of burglar’s tools is the same as the rationale for outlawing an attempt to commit a crime: In both instances, the law (i.e., the burglar’s tools law or the law making it a crime to attempt to commit a crime like murder or theft) lets police interrupt someone before they have actually completed the commission of the crime they’re clearly heading toward.

Attempt is an inchoate, or incomplete, crime.. If police get credible information that John Doe is going to murder his neighbor on Friday, and if they investigate and find evidence corroborating what they’re heard (e.g., Doe has bought a high-powered rifle or poison and he has been telling people his neighbor “won’t be around any more”), then they can arrest Doe for attempting to murder his neighbor. Obviously, the evidence has to be pretty strong to support their conclusion that he was attempting to do so; we don’t lock people up for simply holding a grudge against their neighbor or saying bad things about them. But if they’ve clearly embarked on a course of conduct that indicates they intend to kill their neighbor, we say police should be able to intervene, instead of having to wait around till the crime is committed, and then charge Doe with murder.

Possessing of burglar’s tools is, therefore, a very specific kind of attempt crime. The premise behind this particular offense is, as the New York statute demonstrates, that if you are found in possession of tools specifically adapted for committing burglary (which is breaking into property for the purpose of committing a crime – theft, murder, arson, etc. – once inside) and if the circumstances inferentially indicate that it was your intent to use those tools, you can be arrested for possession of burglar’s tools. If you have gone far enough in your effort to commit burglary, you can also be charged with attempted burglary, but that’s a different matter. (To be charged with attempted burglary, you’re really going to have to have started doing something to get into the premises; to be charged with possession of burglar’s tools, you merely have to have the tools in a context that indicates it was your intention to use them, at some point.)

Possession of burglar’s tools statutes essentially define an attempt to attempt a crime. The law distinguishes between “mere preparation” (which is not an attempt – it’s conduct that’s so prefatory to any criminal activity that we can’t reasonably conclude you’ve embarked on a course of conduct leading to the commission of a crime) and “attempt (which is conduct – like being found outside a house, which is not yours and which you have no business being at, having broken out a window – that pretty clearly indicates you are getting ready to commit a crime). Possession of burglar’s tools makes “mere preparation” a crime and, in so doing, arguably criminalizes an attempt to attempt a crime.

Okay, that’s the rationale for outlawing possessing burglar’s tools. The rationale for outlawing the manufacture of burglar’s tools, as defined by statutes like the Connection one quoted above, is based on accomplice liability, not attempt. The premise here is that one who creates burglar’s tools is, in effect, an accomplice of those who use them. That is, by creating tools that can be used to commit burglary, I am aiding and abetting those who subsequently use those tools to do just that. The Connecticut statute (and, I think, other manufacture of burglar’s tools statutes) deviates from accomplice liability in one respect: As I’ve noted before, an accomplice stands in the shoes of the person who actually commits the crime, i.e., the accomplice is liable for the crime the perpetrator commits. So if someone aids and abets a murderer by, say, supplying him with the murder weapon, they will be held liable for the murder just as if they’d committed it.

But the Connecticut statute (and other, similar statutes in the U.S.) don’t go that far – they make manufacturing the burglar’s tools a misdemeanor. They do that essentially out of fairness: An accomplice is someone who knows that the perpetrator is going to commit a specific crime and, with that knowledge, purposely helps the perpetrator to succeed in doing so. When someone manufactures burglar’s tools, they know, at some level, what the tools can be used for, so they are in a very general sense aiding and abetting the crime of burglar. But since they don’t act with a specific purpose to aid and abet a specific crime, the law essentially gives them a break; they commit a distinct crime, one with smaller penalties.

So why, you ask, am I talking about burglar’s tools on a cybercrime blog? The reason is that someone asked me recently what we can do about malware – software that is up to no good. Malware is, as Wikipedia notes, a catch-all term for viruses, worms, Trojan horse programs, spyware, botnets, etc.

Should we simply follow the burglar’s tools approach and criminalize the possession and/or manufacture of malware?

As far as I can tell, the only U.S. jurisdiction to do so is Pennsylvania. Before I talk about what they do, let me know what the federal system and, it seems, the other states do: They all criminalize the use of malware; their focus is on the damage a virus, etc. does to a particular computer system. So these statutes are, in effect, burglary statutes, i.e., they criminalize the actual infliction of damage.

The Pennsylvania statute is captioned “distribution of computer virus” and here is what it says:

A person commits an offense if the person intentionally or knowingly sells, gives or otherwise distributes or possesses with the intent to sell, give or distribute computer software or a computer program that is designed or has the capability to:

(1) prevent, impede, control, delay or disrupt the normal operation or use of a computer, computer program, computer software, computer system, computer network, computer database, World Wide Web site or telecommunication device; or
(2) degrade, disable, damage or destroy the performance of a computer, computer program, computer software, computer system, computer network, computer database, World Wide Web site or telecommunication device or any combination thereof.

18 Pennsylvania Consolidated Statutes § 7616(a). The offense is a third-degree felony, so it’s more serious than possessing or manufacturing burglar’s tools, but probably less serious than actually using a virus.

As you may know, the Council of Europe’s Convention on Cybercrime does something similar, under the concept of “misuse of devices.” Article 6 of the Convention requires parties to the Convention to criminalize “the production, sale, procurement for use, import, distribution or otherwise making available of” a “device, including a computer program, designed or adapted primarily for the purpose of committing” crimes that encompass unauthorized access to computer systems, interfering with access to such systems and/or altering or damaging computer data.

Under Article 6, the production, sale, etc. must be “committed intentionally and without right”. The same Article requires parties to criminalize the possession of any of the above items with the intent that the item(s) be used to commit the crimes noted above. The Explanatory Report for the Convention explains that this provision “restricts its scope to cases where the devices are objectively designed, or adapted, primarily for the purpose of committing an offence” which will presumably “exclude dual-use devices.” Explanatory Report ¶ 73.

Is this a good idea? Possession of burglar’s tools statutes are sometimes challenged on the grounds that they are impermissibly vague – what is a burglar’s tool? – or are overly broad – encompass too many things. That hasn’t been a particular problem in the real, physical world (though one court threw out a conviction based on possessing a plastic bag, thank heavens), but isn’t software far more ambiguous than burglar’s tools? And what about ambiguity – the dual-use – notion? How can you tell when malware is just malware, nothing more?

Remote Monitoring of Sex Offenders' Computer Use

Once again, I am indebted to Magistrate Marcia Linsky of the Allen County (Indiana) Superior Court for an interesting new decision. It was issued by the U.S. District Court for the Southern District of Indiana in John Doe et al. v. Prosecutor, Marion County, Indiana (Case No. 1:08-cv-0436-DFH-TAB).

(If you’re interested in reading it, you can probably find it on the court’s website, which is here. Once you get to the site, click on the “Case Information” button you’ll see in the panel on your left. Then click on “Recent Court Opinions” in the pop-up box. Once you get to the Recent Court Opinions page, click on Chief Judge David F. Hamilton, and you should see the opinion listed, probably at the top on the left. They seem to be listed with the recent decisions first. The decision was issued on June 24, 2008, and so should be up by the time you look for it. It’s not up as I write this on July 3.)

The case is a civil class action brought by “a class of `all persons, current and future, who are required to register as sex or violent offenders pursuant to Indiana law and who are not currently on parole or probation or court supervision.’” John Doe v. Prosecutor, supra. They brought a declaratory judgment action. In a declaratory judgment action, the plaintiffs aren’t seeking damages, which is what civil plaintiffs usually seek; they’re asking the court to declare what the law is. Here, the plaintiffs asked this federal court to declare that a particular provision in a new Indiana law scheduled to go into effect on July 1 violates the 4th Amendment. They also asked the court to issue an injunction barring enforcement of the law if the court found that it did, indeed, violate the 4th amendment.

The law in question was an amendment to the Indiana laws requiring the registration of sex offenders. Here is how Judge Hamilton described the structure of the existing laws:

Indiana has established a sex and violent offender registry, and the information is available on a public website. Ind. Code § 36-2- 13-5.5. The law requires those convicted of a wide range of offenses to register. The offenses include rape, criminal deviate conduct, child molesting, child exploitation, vicarious sexual gratification, child solicitation, child seduction, sexual misconduct with a minor , . . , incest, sexual battery, kidnaping if the victim is less than 18 years old, . . . possession of child pornography, promoting prostitution, human trafficking and promoting human trafficking if the victim is less than 18 years old, sexual trafficking of a minor, murder, voluntary manslaughter, an attempt to commit a listed offense, and any substantially equivalent crime under the laws of another jurisdiction, and certain juvenile offenses. Ind. Code § 11-8-8-5.1. Some . . . offenders must register for the rest of their lives. Ind. Code § 35-38-1-7.5. Others must register until ten years have passed after the later of the offender’s release from prison . . . or placement on parole or probation. Ind. Code § 11-8-8-19(a).

John Doe v. Prosecutor, supra. Judge Hamilton noted that plaintiff class consisted of people who have committed serious crimes and have been punished for those crimes. They have returned to society, and they have rights under the . . . Constitution.” John Doe v. Prosecutor, supra. He also noted that they were entitled to bring the challenge to the law because its requirements would apply to them.

The law they were challenging was Indiana Public Law 119-2008 § 6 (2008), to go into effect on July 1. One thing it does is increase the information someone required to register must provide. “Under current law, the registry must include a recent photograph of the offender, the home address, . . . . a physical description, information about the vehicles he uses, and employer and/or school information.” John Doe v. Prosecutor, supra. Under the new law, “the registrant must also provide any electronic mail address, instant messaging user name, electronic chat room user name, or social networking web site user name that the registrant uses or intends to use.” John Doe v. Prosecutor, supra. The plaintiffs didn’t challenge any of those requirements.

They did challenge the new requirement to be codified as Ind. Code § 11-8-8-8(b). This is what § 8(b) required:

(b) If the sex or violent offender registers any information under subsection (a)(7) [i.e., electronic mail addresses, user names, etc.], the offender shall sign a consent form authorizing the:
(1) search of the sex or violent offender’s personal computer or device with Internet capability, at any time; and
(2) installation on the sex or violent offender’s personal computer or device with Internet capability, at the sex or violent offender’s expense, of hardware or software to monitor the sex or violent offender’s Internet usage.

John Doe v. Prosecutor, supra. A knowing or intentional failure to comply with the requirements would be a felony under Indiana law, as would a knowing or intentional failure to provide the consent. John Doe v. Prosecutor, supra.

Two of the plaintiffs (Doe and Morris)were designated as class representatives, which means their facts were used essentially as an exemplar of the impact the statute could have on all the members of the class. Remember, the people in the class have all been released from prison and from any subsequent probation other court supervision. Here is what the court knew about the two designated class representatives:

Doe owns his own business and operates it out of his home. He has an electronic mail address and constantly uses his computer in his business. He also owns a cellular telephone with internet capability. Doe. . . will be required to give permission to unspecified law enforcement authorities to enter his home at any time and to search his computer and telephone at any time, all without a warrant. He also will be required to pay for software or hardware to allow other unspecified law enforcement authorities to search his computer and monitor his internet use. Doe does not want to comply with section 8(b) because it will remove his privacy in his own home. Also, his computer contains a great deal of private information concerning his clients and his business dealings, including information that his clients have sent him in confidence and that they consider proprietary. He has formal non-disclosure requirements with clients and may not disclose information to other persons who have not also signed non-disclosure agreements. Neighbors know that Doe is listed on the registry, but he believes his clients do not know. Doe does not want to tell clients he is on the registry because of his fear that he will lose business and suffer financially. Doe’s computer also contains confidential information personal to Doe, including personal banking information and communications with his attorney.

Morris lives with his wife. He owns a personal computer at home. He has an electronic mail address and owns an internet-capable cellular telephone. Morris does his family’s banking over the internet with his personal computer, which thus contains his financial and banking records. Morris also does not want to comply with section 8(b) because it will remove his and his wife’s privacy in their home. He does not want to lose his privacy in his home and effects, and he also does not want to have to install and pay for software and/or hardware that would allow other persons to monitor his computer use.

John Doe v. Prosecutor, supra.

The plaintiffs argued that the requirements violate the 4th Amendment because they authorize warrantless intrusions into the homes of all members of the plaintiff class – and the homes of all future people who would fall into that category. The home is the most private of all the places protected by the 4th Amendment, for reasons that go back into our history. The 4th Amendment is based in the English notion that a “man’s home is his castle”, which means law enforcement officers can’t just barge in and search whenever they feel like it. The method English common law and the drafters of the 4th Amendment jointly arrived at is (i) probable cause to look for a particular thing and (ii) a search warrant issued by a magistrate authorizing a search for that thing. That protects people by limiting what law enforcement can do.

Judge Hamilton held that the new requirements are unconstitutional:

Section 8(b) cuts into the heart of the Fourth Amendment – privacy in the home. Section 8(b) requires the members of the plaintiff class to consent to the search of their personal computers or internet-capable devices `at any time.’ Even if law enforcement officers chose to wait outside the home to demand the right to search a registrant’s portable devices (the statute is silent on the point), personal computers will most often be inside the home. By granting unlimited access to these devices, the Indiana legislation crosses the most fundamental boundary under the Fourth Amendment, and dispenses with the warrant requirement. The ability of the individual to retreat into his home, and there to be free from unreasonable intrusion by the government, stands `at the very core’ of the protections granted by the Fourth Amendment.

John Doe v. Prosecutor, supra.

He also found that the statute’s use of “consent” was invalid because it’s a coerced consent: “These plaintiffs have rights under the Fourth Amendment. The State may not force them to waive those rights under threat of criminal prosecution for failing or refusing to do so.” John Doe v. Prosecutor, supra. (His opinion is very well-reasoned and detailed and, as such, is 50 pages long, so I can’t do it justice here. If you’re interested, check it out on the court’s website.)

The plaintiffs won, and the new statute can’t be enforced. I don’t know about you, but I’m on Judge Hamilton’s side. But I’m sure the state of Indiana will appeal the decision to the 7th Circuit Court of Appeals.

Computer-Generated Records and Hearsay

As I’m sure you know (if you’ve ever watched a fictional trial in a movie or on TV or have ever watched a real-trial on TV or in real-life), the law has rules that define the kinds of evidence that ARE admissible in court and the kind that ARE NOT admissible.

One kind of evidence that is not admissible – unless it falls within certain exceptions to the blanket rule deeming it inadmissible – is hearsay.

Rule 801(c) of the Federal Rules of Evidence defines hearsay as “a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.” Every U.S. state has a similar provision. Rule 802 of the Federal Rules of Evidence (and comparable state provisions) also says hearsay “is not admissible unless provided by these rules”.

Why is hearsay excluded (except if it comes within certain exceptions to rules like Rule 802)? It’s simply a matter of common sense and fairness.

If hearsay weren’t excluded, John Doe could take the stand and say that Jane Doe told him that the defendant – Richard Roe – who’s on trial for murder confessed to the whole thing. That puts Roe in a really bad place: If the jury believes what John Doe says – i.e., that Jane Doe heard Roe confess to the murder for which he is on trial – they’re almost certainly going to convict him (unless he’s arguing self-defense, say). Roe can try to show that John Doe is a liar or is mistaken or is insane or otherwise can’t be believed, but neither he nor his lawyers can do much with Jane Doe because she isn’t there . . . she’s a declarant who isn’t testifying at the trial.

Allowing second-hand evidence – someone’s repeating what someone else allegedly told them – opens up all kinds of possibilities for unfairness and error. We’ve probably all played that rumor game where something gets whispered to one person and then passed along and comes out totally garbled. That’s the kind of inadvertent error hearsay rules are intended to guard against; they’re also intended to guard against fabrication or deceit, i.e., intentional error.

So the theory of the hearsay rule is that – subject to certain exceptions – you can’t admit the statements of declarant who isn’t testifying at trial because that means the other party (Roe in my example) can’t cross-examine them. Roe can’t cross-examine Jane Doe, and cross-examination is, in the US and Britain, generally considered to be the best device for truth-testing. Jane Doe takes the stand and tells her story about Roe’s allegedly confessing to her, and Roe’s lawyer can try to show that she cannot be believed: she’s a pathological liar; she hates Roe and wants him to be convicted out of spite; she’s insane and therefore doesn’t know what the truth is; any or all of the above.

Now, let’s get to a cybercrime case where a hearsay issue came up.

In State v. Colwell, 715 N.W.2d 768 (Iowa Court of Appeals, 2006), Aaron Colwell appealed his conviction of two counts of making a false report under this statute:

A person who, knowing the information to be false, conveys or causes to be conveyed to any person any false information concerning the placement of any incendiary or explosive device or material or other destructive substance or device in any place where persons or property would be endangered commits a class “D” felony.

Iowa Code Annotated § 712.7.

According to the Iowa court of appeals, here are the facts that led to the conviction:

On March 11, 2004, the Bloomfield Foundry received two telephone calls warning foundry management of an alleged bomb on the premises. The employees were evacuated and authorities conducted a search of the foundry, which confirmed that the calls were false. Telephone records secured by the police showed that two calls originating from the same phone number were made to the foundry at the time of the bomb-threat calls. During the investigation, it was determined that the originating number was the home number of a foundry employee, Aaron Colwell. Colwell consistently denied making the calls, claiming that he was at a gas station about ten miles from his home around the time the calls were made. Colwell was charged with two counts of making a false report and found guilty following a jury trial in December 2004.

State v. Colwell, supra.

One of the issues Colwell raised on appeal was the admission of “two telephone records documenting calls between Colwell’s residence and the foundry.” State v. Colwell, supra. He argued that the records were inadmissible hearsay.

Iowa uses the same definition of hearsay as the Federal Rule of Evidence I quoted earlier. So, is Colwell right? Were the records inadmissible hearsay?

Here is what the prosecution – the State – argued on that issue:

The evidence at trial shows that the computers which generated Exhibits 1 and 2 are programmed to automatically log and compile a record of calls made to or from a certain number. Jim Miller, general manager of Citizens' Mutual Telephone Cooperative, testified as to how the records were secured. The State does not dispute that it offered the telephone records to prove the truth of the matter asserted in them -- that calls to the foundry at the time the bomb threats were made originated from Colwell's home phone. However, the State urges us to conclude the records are not hearsay because they were produced by a computer that automatically records the trace between numbers when calls are placed.

State v. Colwell, supra.

In its argument, the State of Iowa also relied on this excerpt from a treatise on the law of evidence:

Because such records are not the counterpart of a statement by a human declarant, which should ideally be tested by cross-examination of that declarant, they should not be treated as hearsay, but rather their admissibility should be determined on the basis of the reliability and accuracy of the process involved.

John W. Strong, et al., McCormick on Evidence § 294 (5th ed. 1999).

The Iowa court of appeals – like other courts – agreed with the prosecution: “We conclude that the computer-generated records tracing calls between certain phone numbers in this case are not hearsay, as they lack a human declarant required by our rules of evidence.” State v. Colwell, supra. As a Louisiana court explained a quarter of a century ago in a case also involving phone records, the

printout of the results of the computer's internal operations is not hearsay evidence. It does not represent the output of statements placed into the computer by out of court declarants. Nor can we say that this printout itself is a `statement’ constituting hearsay evidence. The underlying rationale of the hearsay rule is that such statements are made without an oath and their truth cannot be tested by cross-examination. Of concern is the possibility that a witness may consciously or unconsciously misrepresent what the declarant told him or that the declarant may consciously or unconsciously misrepresent a fact or occurrence. With a machine, however, there is no possibility of a conscious misrepresentation, and the possibility of inaccurate or misleading data only materializes if the machine is not functioning properly.

State v. Armstead, 432 So.2d 837 (Louisiana Supreme Court 1983).

In other words, the rule excluding hearsay is concerned with the fallibilities and falsehoods of humans . . . and computers cannot lie and can (as in this case) be shown to be reliable. (The court noted that the prosecution’s evidence – the testimony of Jim Miller – showed that the evidence was reliable, something that was not required, since the evidence was not hearsay.)

So, people can lie but computers can’t . . . at least not yet . . . .