Friday, July 31, 2009

Shredder Programs and Obstruction of Justice

This is a follow-up to a post I did a couple of years ago, that dealt with using a forthwith grand jury subpoena to obtain computer hardware and other digital evidence. I used a federal case from Connecticut to illustrate how forthwith subpoenas work in this context.


This post is about what happened to the man whose (alleged) conduct was the impetus for the forthwith subpoena: Charles Spadoni. On January 9, 2001, a federal grand jury indicted him on charges of racketeering, conspiracy, bribery, wire fraud and obstruction of justice. U.S. v. Triumph Capital Group, Inc., 544 F.3d 149 (U.S. Court of Appeals for the Second Circuit 2008). He was convicted and appealed, claiming the evidence was insufficient to prove certain elements of the crimes and the government “suppressed material exculpatory and impeaching evidence.” U.S. v. Triumph Capital, supra.


The Court of Appeals agreed that the government improperly suppressed exculpatory and impeaching evidence relevant to the first four charges, so it reversed his conviction and remanded for a new trial on those counts of the indictment. We, though, are only concerned with the obstruction of justice conviction.


I won’t go into all the facts that led to the non-obstruction of justice charges. I’ll just note that at the time, Spadoni was General Counsel for Triumph Capital, a “Boston-based private equity firm”. U.S. v. Triumph Capital, supra. The original indictment accused Spadoni and others of bribing people in state government, including Paul Silvester, who was for a while the Deputy Treasurer of the state of Connecticut. U.S. v. Triumph Capital, supra. All of this was allegedly going on in 1998 and 1999.


The relationship between Triumph Capital and state employees apparently came to the attention of federal investigators, because on May 25, 1999 a non-forthwith federal grand jury subpoena was served on the Connecticut office of Triumph Capital. It called for the production of evidence related to an investment contract that would later become the basis of certain of the charges in the original indictment. U.S. v. Triumph Capital, supra. Here is where things began to get interesting, as far as we’re concerned:


Shortly after the subpoena was served, Spadoni told Silvester about it. He said Triumph did not believe its consulting contracts with Stack and Thiesfield were covered by the subpoena, but Triumph's lawyers anticipated more subpoenas in the future. Spadoni . . . told [Silvester] that an attorney had advised him to destroy documents not called for by subpoena in anticipation of further subpoenas, and recommended specialized deletion software to remove them from his computer. . . .

On July 13, 1999, the grand jury issued another subpoena, which led Triumph to produce the Stack and Thiesfield consulting contracts. On December 29, 1999, the grand jury issued an additional subpoena, which led to the production of backup tapes from Triumph's computer networks.

On April 11, 2000, the grand jury subpoenaed a Triumph laptop computer assigned to Spadoni. An FBI forensic computer examiner testified at trial that his inspection of the laptop revealed that a copy of the commercial document deletion software `Destroy-It!’ was installed on the computer on June 21, 1999, and used to delete files in a directory named `Triumph’ on June 23, 1999. On December 28, 1999, the software was used to delete two files in a directory named `LAT, LLC,’ which was the name of Thiesfield's wholly-owned company.

Among the documents deleted from the laptop were files named `Stack Contract’ and `LAT Contract.’ These files were accessed on November 16, 1998, and at the time they had last been modified on November 10, 1998. . . . The document deletion software was also used to remove files called `Park Strategies Agreement,’ `Engagement Letter,’ and others apparently unrelated to this case.

At one point after the investigation began, Triumph's comptroller, Robert Trevisani, discussed with Spadoni how to destroy computer files securely, and remarked, `if we were trying to hide something, we could use a program like CleanSweep.’ . . . Spadoni informed Trevisani that the program he needed `would be Destroy-It!.’


U.S. v. Triumph Capital, supra. The April 11, 2000 subpoena was the forthwith subpoena I talked about in my last post. As I explained in that post, this subpoena issued because the government had heard Spadoni was going to delete evidence on the laptop.


The indictment charged Spadoni with obstructing justice in violation of 18 U.S. Code § 1503(a), which makes it a crime to “influence, obstruct, or impede, the due administration of justice”. Spadoni claimed he should have been acquitted of the charge “because there was insufficient evidence to support the jury's finding that he knew his actions were likely to affect the grand jury proceedings.” U.S. v. Triumph Capital, supra.


In making this argument, Spadoni relied on the U.S. Supreme Court’s decision in U.S. v. Aguilar, 515 U.S. 593 (1995). In Aguilar, the Court held that for someone to be guilty under § 1503(a), they had to know that their actions were “likely to affect the judicial proceeding” which was obstructed. The Aguilar Court reversed a federal judge’s conviction for obstructing justice because it found the evidence did not prove beyond a reasonable doubt that he knew, when he lied to FBI agents, that the false statements would be given to a grand jury.


The Court said it wasn’t enough that Aguilar knew a grand jury was investigating matters related to the false statements he gave; to convict him, the government had to prove he knew the agents were working for the grand jury and his statements would be given to the grand jury. The Court said that absent such knowledge, Aguilar simply lied to federal agents, which does not constitute obstruction of justice. It explained that obstruction of justice under § 1503 requires a nexus between false statements or other acts and a “judicial proceeding;” a grand jury investigation is a judicial proceeding, but talking to federal agents is not. U.S. v. Aguilar, supra.


Spadoni argues that his conduct was directly analogous to Aguilar's. Destroying a document does not in fact affect a grand jury proceeding if the grand jury never requests the document. While Spadoni deleted several documents from his company laptop, at no time did he delete a document for which there was an outstanding subpoena. Just as there was insufficient evidence to prove that Aguilar knew his false statements would later be communicated to the grand . . . , so, goes the argument, there is insufficient evidence to prove that Spadoni knew the documents he deleted would later be, or were likely later to be, requested by the grand jury.

U.S. v. Triumph Capital, supra. The Court of Appeals did not agree. It found, first, that his

argument ignores a key difference between . . . a grand jury subpoena duces tecum seeking the production of documents and the questioning of a subject by an investigating agent. Grand jury subpoenas duces tecum are customarily employed to gather information and make it available to the investigative team of agents and prosecutors so that it can be digested and sifted for pertinent matter. Before the subpoenas are issued, the government often does not have at its disposal enough information to determine precisely what information will be relevant. . . .

Accordingly, subpoenas duces tecum are often drawn broadly, sweeping up both documents that may prove decisive and documents that turn out not to be. This practice is designed to make it unlikely that a relevant document will escape the grand jury's notice, and it is generally effective. Destruction of a relevant document is therefore likely to impact the grand jury's deliberations. . . .

By contrast, an investigating agent collecting statements from witnesses (or even . . . a suspect) does not always act as `an arm of the grand jury,’ and `what use will be made of false testimony given to an investigating agent who has not been subpoenaed or otherwise directed to appear before the grand jury is ... speculative.’ [Aguilar, supra.]


U.S. v. Triumph Capital, supra. The Court of Appeals therefore found that the context provided


a crucial distinction between Aguilar's conduct and Spadoni's. The inference that Aguilar's statements to the agent would be presented to the grand jury was not strong. The statements were not obtained by grand jury subpoena, and statements made to investigating agents are not communicated to grand juries as a matter of course. By contrast, the inference that the grand jury would issue a subpoena for the Thiesfield and Stack contracts was quite strong, perhaps inescapable. The government produced evidence suggesting Spadoni's awareness of the comprehensive nature of the subpoenas duces tecum typically issued in federal grand jury investigations. The jury heard evidence that Triumph's attorneys anticipated further subpoenas; that Spadoni had received advice from a former prosecutor indicating that the grand jury would be likely to inspect the data contained on his laptop; that Spadoni stated his belief that federal investigations are `very comprehensive and thorough,’ and that Spadoni asked Silvester to destroy copies of a different contract. . . .

The Stack and Thiesfield contracts . . . were at the very core of the transaction the government was investigating. The jury could have concluded that Spadoni was aware that further subpoenas covering a broad range of documents would issue, and knew it was likely that the Stack and Thiesfield contracts would be requested. Accordingly, Spadoni's conviction for obstruction of justice, based on his destruction of those documents in his computer files, was supported by sufficient evidence.


U.S. v. Triumph Capital, supra.


The Court of Appeals affirmed the obstruction of justice conviction but remanded that count to the district court for resentencing. The district court had sentenced Spadoni to “concurrent 36-month terms of imprisonment on all counts”. U.S. v. Triumph Capital, supra. The Court of Appeals remanded for resentencing because it could not “be certain that the 36-month concurrent sentence” on the obstruction of justice count “was not affected by the convictions that we have reversed”. U.S. v. Triumph Capital, supra.

Wednesday, July 29, 2009

The Fake Salvation Army Website

This post is about an evidentiary issue that arose in U.S. v. Stephens, 2009 WL 1608845 (U.S. Court of Appeals for the 5th Circuit 2009). Here, according to the Court of Appeals, is how brothers Bartholomew Stephens and Steven Stephens came to be prosecuted:

[I]n the wake of Hurricane Katrina, Steven registered a website: www. salvation army online. org. The website was patterned after the official Salvation Army website and claimed to be the website of the organization's international headquarters. A donation link was created on the website, through which people could contribute money into PayPal accounts created in the names and identification numbers of individuals other than Steven or Bartholomew but linked to the brothers' bank accounts. Donations were made, and the brothers profited. Eventually, the FBI learned of the suspect Salvation Army site and obtained a search warrant for an apartment the brothers shared with another individual. The FBI executed the warrant and recovered a trove of incriminating evidence regarding each defendant.

U.S. v. Stephens, supra. They were indicted “for conspiracy to commit wire fraud and aggravated identity theft (count one), aiding and abetting wire fraud (counts two through seven), and aggravated identity theft (counts eight and nine).” U.S. v. Stephens, supra. The two went to trial together and were both convicted on all counts. They appealed, arguing, in part, that the district court judge who presided over their trial erred when he allowed the prosecutor to introduce this evidence:

Approximately one month after the bogus Salvation Army website was registered, the domain www.redcross-usa.org, purporting to be part of the Red Cross, was registered using the name Beis Stephens, as well as Bartholomew's e-mail address, mailing address, and credit card information. A laptop recovered from the brothers' apartment contained a picture of Bartholomew wearing a shirt that read `BEIS LETHAL INC.’ This laptop also contained the www. salvation army online. org web page and search results for the Salvation Army that listed www. salvation army online. org as the first `hit.’ One of these searches appeared in a subfolder entitled `BJ Stephens.’

U.S. v. Stephens, supra.

The federal judge who presided over the trial admitted the evidence under Rule 404(b) of the Federal Rules of Evidence. Rule 404(b) provides as follows:

Evidence of other crimes, wrongs, or acts is not admissible to prove the character of a person in order to show action in conformity therewith. It may, however, be admissible for other purposes, such as proof of motive, opportunity, intent, preparation, plan, knowledge, identity, or absence of mistake or accident. . . .

Rule 404(b) creates an exception to the general rule – found in Rule 404(a) of the Federal Rules of Evidence and in similar state provisions – “excluding circumstantial use of character evidence.” Advisory Committee Note – Federal Rule of Evidence 404. As the drafters of Rule 404 noted, character evidence can be used “for the purpose of suggesting an inference that the person acted on the occasion in question consistently with his character. This use of character is often described as `circumstantial.’” Advisory Committee Note – Federal Rule of Evidence 404. As the drafters also noted, in most

jurisdictions today, the circumstantial use of character is rejected but with important exceptions: (1) an accused may introduce pertinent evidence of good character . . .; (2) an accused may introduce pertinent evidence of the character of the victim, as in support of a claim of self-defense to a charge of homicide . . . ; and (3) the character of a witness may be gone into as bearing on his credibility.

Advisory Committee Note – Federal Rule of Evidence 404.

Rule 404(b), which is the rule that was at issue in U.S. v. Stephens, deals with a

specialized but important application of the general rule excluding circumstantial use of character evidence. Consistently with that rule, evidence of other crimes, wrongs, or acts is not admissible to prove character as a basis for suggesting the inference that conduct on a particular occasion was in conformity with it. However, the evidence may be offered for another purpose, such as proof of motive, opportunity, and so on, which does not fall within the prohibition. In this situation the rule does not require that the evidence be excluded. . . . The determination must be made whether the danger of undue prejudice outweighs the probative value of the evidence in view of the availability of other means of proof and other facts appropriate for making decision of this kind. . . .

Advisory Committee Note – Federal Rule of Evidence 404.

The premise is that one side shouldn’t be able to show you did some bad things in the past and use the evidence of those “bad acts” to claim you’re a bad person who continues to do bad things. As the Stephens judge noted, Rule 404(b) is intended “to `guard against the inherent danger that the admission of “other acts” evidence might lead a jury to convict a defendant not of the charged offense, but instead of an extrinsic offense.’” U.S. v. Stephens, supra.

The Stephens brothers argued that the district court judge shouldn’t have admitted the evidence of the Red Cross site; the government, not surprisingly, disagreed:

The Government asserts that . . . the Red Cross website . . . was intrinsic to the charged crimes. Rule 404(b) is not implicated if the Red Cross evidence was intrinsic to the acts for which the brothers were charged, i.e. the fraudulent Salvation Army website. We find `other act’ evidence to be intrinsic to the charged crime `when the evidence of the other act and the evidence of the crime charged are “inextricably intertwined” or both acts are part of a “single criminal episode” or the other acts were ‘necessary preliminaries' to the crime charged.’ Intrinsic evidence `is admissible so that the jury may evaluate all the circumstances under which the defendant acted.’ The government argues that the Red Cross website was intrinsic to the Salvation Army website conspiracy because it . . . established the connection between Steven and Bartholomew and was inextricably intertwined with the evidence of both of the substantive offenses.

U.S. v. Stephens, supra. The Court of Appeals didn’t buy the government’s argument:

[W]e conclude that the Red Cross website evidence is not intrinsic to the Salvation Army scheme. The action of creating the Red Cross website was not `inextricably intertwined’ with the evidence of the Salvation Army website. Neither was it a part of a single criminal episode or a necessary preliminary step in the Salvation Army website scheme. Certainly the actions are similar, but they were still distinct events.

U.S. v. Stephens, supra.

Since the evidence was extrinsic, the Court of Appeals applied a two-part test to decide if its admission constituted reversible error. The first question was whether the extrinsic evidence – the Red Cross site – was relevant to an issue other than the Stephens brothers’ character. The government said it was relevant to their “plan, intent, motive and preparation” for the Salvation Army site. U.S. v. Stephens, supra. The brothers argued it wasn’t relevant to any of those issues because “the Government did not put on proof that it was not a legitimate Red Cross website”. U.S. v. Stephens, supra. After noting that extrinsic evidence of “`using the same scheme repeatedly is relevant to . . . intent, in that it” demonstrates how an operation worked, the Court of Appeals found this

was the case with Bartholomew's registration of the Red Cross website. For example, the `Mock Money Makin.doc’ spreadsheet, recovered from one of the computers in the brothers' apartment, contained information about the PayPal accounts linked to the Salvation Army website, as well as information about creating a PayPal account for the Red Cross website and about listing the Red Cross website on a search engine called Overture. This spreadsheet demonstrated, at least in part, how the operation worked and therefore helped establish the brothers' intent, planning, preparation, and knowledge.

U.S. v. Stephens, supra. The Court of Appeals then addressed the second question in its extrinsic evidence analysis: whether the evidence possessed probative value that was not substantially outweighed by its undue prejudice and otherwise met the requirements for admitting evidence. The Court of Appeals found that the Stephens brothers had not shown that the probative value of the evidence (as described above) was outweighed by its prejudicial effect:

There was ample non-Red Cross evidence supporting the jury's verdict. Though the defendants emphasize the number of references made to the Red Cross website by the Government, this does nothing to undermine the overwhelming evidence that exists regarding the Salvation Army web site scheme, nor the fact that the jury was instructed to use the extrinsic evidence to ascertain the brothers' mental state. . . . Furthermore, even assuming that the district court erred in admitting the evidence of the Red Cross website, neither defendant has demonstrated that such evidence affected his substantial rights. We cannot conclude that the district court committed plain error when it admitted evidence regarding the Red Cross website.

U.S. v. Stephens, supra. The court therefore affirmed their convictions.

(And if you were wondering, Steven was sentenced to serve 111 months in prison, while Bartholomew was sentenced to serve 105 months in prison. Both prison terms were to be followed by three years of supervised release. U.S. v. Stephens, supra.)

Monday, July 27, 2009

Networks and War of Aggression

This is another follow-up to the post I did last week on cyber war. This post is a response to someone who raised these questions after reading the earlier post:

I am a law student at Cornell University, and one other issue struck me while reading your article: What about potential liability for private carriers in allowing cyberwar signals to reach US government servers? In the event that these carriers have the capacity to identify enemy attacks, and the capacity to stop them, do they have a duty under the law as it currently stands to prevent such attacks from accessing sensitive computers in the first place?

They’re good questions, and I’m going to do my best to respond to them, given the limitations imposed by the relative brevity of a blog post and the fact that I am not an expert in the laws of war. I’m also going to limit my response to the issue of criminal liability, because I am an expert in that area; civil liability may, or may not, apply here.


The issue is whether U.S. civilian carriers can be held criminally liable for not preventing hostile cyberwar signals from reaching U.S. targets. (I’m including civilian and criminal targets because, as I’ve noted before, cyberwar will almost certainly blur or ignore the distinction between combatants and non-combatants.) There are two ways the carriers could, at least theoretically, be liable for letting the signals go through: direct criminal liability and derivative criminal liability.


Direct criminal liability means that the carriers themselves committed a crime by not preventing the signals from reaching their U.S. targets. The only way I can see they’d be liable under that principle is if the U.S. had laws requiring civilian carriers to block hostile cyberwar signals or be held criminally liable for failing to do so. As far as I know, we don’t have such laws. If I’m wrong on that, please let me know.

The other alternative is to use derivative criminal liability, which means we hold the carriers liable for aiding and abetting cyberwar or conspiring to commit cyberwar.


As I noted in an earlier post, conspiracy can be used to hold all the members of a conspiracy liable for the crimes their colleagues commit. As I also noted in that post, aiding and abetting – or accomplice – liability is based on the premise that if John helps Jane rob a bank by, say, giving her the combination to the bank safe, he should be held guilty of the robbery, even though he was not present when Jane actually robbed the bank. We impute liability for the completed crime – the target crime – to the accomplice who facilitates its commission, both because of the role he/she/it played in contributing to the crime and to deter others from aiding and abetting future crimes.


Accomplices usually do something overt to facilitate the commission of the target crime; they give the combination to the safe, they give the man who’s going to commit murder a gun, etc. In the scenario we’re analyzing, the civilian carriers haven’t done anything overt; they’ve simply not prevented the cyberwar signals from reaching their intended targets. The drafters of the Model Penal Code (which, as I’ve noted, is an influential template of criminal laws) specifically addressed this situation: Section 2.06(3)(a)(ii) of the Model Penal Code says one is an accomplice “in the commission of an offense if . . . with the purpose of . . . facilitating” the crime and “having a legal duty to prevent” the crime he “fails to make a proper effort so to do”.


We therefore would have to resolve three issues in order to hold the civilian carriers criminally liable for not preventing cyberwar signals from reaching their targets: One, as noted above, is the existence of a duty to prevent the crime; we can’t infer such a duty. It would have to exist in a statute or regulation or even under case law. For the purpose of this analysis, we’ll assume such a duty exists (even though I don’t think it does). The other issue we’d have to resolve is whether, having such a duty, the carriers purposely did not prevent the cyberwar signals from reaching their targets. While I think it would be impossible to prove that, I’m going to reserve that issue for the moment, and move on to what I think is the REALLY difficult issue.


As I noted above, an accomplice is held liable for facilitating the commission of a target crime, like robbery or murder. As I tell my students, accomplice liability doesn’t stand alone; that is, there’s no such crime as “being an accomplice.” The crime is “being an accomplice to ________” (insert target crime). So to hold the private carriers liable for not preventing the signals from reaching their targets, cyberwar has to be a crime. Then the carriers could, at least theoretically, be held liable as accomplices to cyberwar.


That brings us to the real issue: Is war (which we’ll assume includes cyberwar) a crime? As Wikipedia explains, there are three sources of authority for the proposition that “war of aggression” is a crime. The first derives from the Nuremberg trials: The 1945 London Charter of the International Military Tribunal defined three categories of crime, one of which was “crimes against peace.” In 1950, in a document submitted to the U.N., the Nuremberg Tribunal defined “crimes against peace” as “waging a war of aggression” or participating in a “common plan or conspiracy” to wage a war of aggression.


That principle was incorporated into the U.N. Charter and in 1974 became the basis of U.N. Resolution 3314. U.N. Resolution 3314 was a non-binding recommendation to the U.N. Security Council; so while it defines the “crime of aggression”, that definition is not binding under international law. Resolution 3314 says a “war of aggression is a crime against international peace” and defines aggression as “the use of armed force by a State against the sovereignty . . . of another State”. Under Article 51 of the U.N. Charter, states can lawfully use armed force to defend themselves against an attack by another state; essentially, any other use of armed force constitutes the crime of aggression.


That brings us to the final source: The Rome Statute of the International Criminal Court. Article 5 of the Statute gives the International Criminal Court jurisdiction over 4 types of crime: Genocide; crimes against humanity; war crimes; and the “crime of aggression”. The Rome Statute defines the first three, but does not define the crime of aggression; according to Wikipedia, a conference to be held some time next year is supposed to define it. I’m including the Rome Statute in this discussion, even though the U.S. does not intend to become a party to the statute; as a result, the Statute doesn’t bind the U.S.


I’m not sure, at this point, that war is a crime, so I’m even less certain that cyberwar is a crime. For the purpose of analysis, I’m going to assume cyberwar is a crime and can therefore support derivative liability under either of the theories noted above.


As far as I know, there has only been one attempt to hold civilian corporate executives criminally liable for an aggressive war. Count 1 of the Indictment in the Nuremberg Trials charged all of the defendants with participating in a “common plan or conspiracy” to wage a war of aggression. Twelve of the defendants charged were associated with the Krupp company, which had been Germany’s leading armament manufacturer. The prosecution’s theory was that the Krupp company and these individual defendants had conspired with the Nazi regime to wage aggressive war; the premise seems to have been that the conspiracy could be inferred from the fact that the Krupp company, and these defendants, worked to rearm Germany, often in violation of the Versailles Treaty, and profited from their efforts.


The Tribunal eventually dismissed the aggressive war charge against these defendants because it found that their involvement in making weapons used to wage war was not enough to establish their liability absent evidence they knew the weapons were to be used in aggressive war and acted with the intent of furthering that end. In concurring in the acquittal, one of the judges noted that weapons can be used offensively or defensively, and the defensive use of weapons is lawful.


Even if we assume, as I have, that war of aggression is a crime and civilian carriers have a legal duty to prevent cyberwar signals from reaching their targets, I don’t see how the carriers could be held criminally liable as accomplices or conspirators. I think the critical issue is the same as in the Krupp case: Both accomplice liability and the principle that holds conspirators liable for the crimes their fellow conspirators commit require that the person have acted either with the purpose of facilitating the target crime (accomplice) or with the knowledge that he had joined a conspiracy and that his co-conspirators would or were likely to commit the target crime.


I think it would be impossible to prove that in the scenario we’re analyzing, at least as long as the carriers aren’t on notice that the signals in question are cyberwar signals being directed at U.S. targets. If a country decides to launch a cyberwar attack, how and why is a private carrier to know that these signals are war-of-aggression signals instead of routine signals (or even signals being used for cybercrime)? If the Krupp defendants couldn’t be held guilty of conspiring to commit aggressive war when their conduct spanned many years (and what some would say were pretty clear markers), then I don’t see how a civilian carrier unexpectedly and almost instantaneously confronted with cyberwar signals heading for U.S. targets could be convicted of aiding and abetting the attack or being liable under the co-conspirator as agent theory.


I’m far from being an expert on international law or on the laws of war, so if I’ve missed something, let me know.



Friday, July 24, 2009

Proffer Gone Wrong . . .

In federal criminal practice a “proffer” (also known as a “proffer letter” or “proffer agreement”) is a written agreement between a prosecutor and someone suspected of committing federal crimes. Defense attorneys use proffers to negotiate plea bargains or immunity for their clients, but they can be tricky.

As this article explains, the proffer lets the suspect “tell the government about [his] knowledge of crimes, with the supposed assurance that [his] words will not be used against [him]” in any subsequent prosecution.

This post is about a case in which a suspect’s proffer didn’t work out as he had hoped. The case is U.S. v. Merz, 2009 WL 1183771 (U.S. District Court for the Eastern District of Pennsylvania), and I’ll summarize the facts that led up to the proffer.

In 2006, FBI Agent Luders accessed the “Ranchi” website, which was located in Japan and “displayed child pornography.” U.S. v. Merz, supra. He downloaded child pornography from the Ranchi site and then uploaded “two files . . . accompanied by text describing the purported contents of the files.” U.S. v. Merz, supra. Neither file contained child pornography. Luders’ computer monitored the files and recorded the IP addresses of those who tried to download them. On October 25, 2006, someone used IP address 68.80.255.70 to try to download the files; Luders traced the IP address to Paul Merz, at an address in Philadelphia. Another FBI agent used that information to get a warrant to search the Merz residence; FBI agents executed the warrant on February 27, 2007. U.S. v. Merz, supra. When the agents arrived at the residence, Paul Merz’s son, Robert, told them “`it’s me you want to arrest’”. U.S. v. Merz, supra. Robert also told the agents his father was “`not involved’” in his (Robert’s) activities. U.S. v. Merz, supra. The agents seized a computer and 106 DVDs from Robert’s bedroom. U.S. v. Merz, supra.

And that brings us to the proffer. On March 14, Merz engaged in a proffer session with the

Government [which] took place pursuant to a proffer letter, executed by Assistant United States Attorney Denise Wolf, Merz, and Merz's then-counsel, David Kozlow.

Regarding use of information gained during the . . . session . . . , the proffer letter states:

First, no statements made by . . . [Merz], or other information provided by . . . [him] during the `off-the-record’ proffer, will be used directly against [him] in any criminal case.

Second, the government may make derivative use of, and may pursue investigative leads suggested by, statements made or information provided by [Merz]. That is . . . [he] waives any right to challenge such derivative use and agrees that such use is proper. . . ;

At the proffer session, Merz gave the Government his password to access an Internet message board known as My Kingdom, and signed a separate consent form in which he allowed the Government to use his online identity when interacting with individuals who frequented the My Kingdom site. The Government used Merz's online identity in its investigation in this case. . . .

The grand jury returned an indictment on April 12, 2007, charging Merz with receipt and possession of child pornography.

On August 1, 2007, Merz . . . withdrew his permission for the Government's use of his online identity, and the Government ceased using Merz's identity.

On October 25, 2007, the grand jury returned a Superseding Indictment . . . which added another count -- advertising child pornography. The Government used evidence derived from Merz's March 14, 2007 proffer session to show he committed this offense.

U.S. v. Merz, supra. I wrote about the use of a “consent to assume online presence” in a post I did about a year and a half ago. As I explained, consent is an exception to the 4th Amendment’s requirement that police obtain a warrant before searching a place and/or seizing a thing.

As I speculated there, the consent to assume online presence seems to act a little like a traditional consent to search and seize, but with a few differences. I’ll refer you to that post for the 4th Amendment issues these consents seem to raise. This post is about the consequences of Merz’s executing such a consent.

After the grand jury returned the superseding indictment, Merz moved to suppress (i) the statements he made during the March 14 proffer session and (ii) the derivative evidence the government obtained from his consent to assume online presence. Since the proffer said no statements Merz made during the proffer session would be used “directly against [him] in any criminal case”, the judge granted Merz’s motion to suppress the statements. U.S. v. Merz, supra.

The derivative evidence issue arose from the fact that when FBI agents used his password to access the My Kingdom site, they discovered evidence that was used to charge him with advertising and transporting child pornography. U.S. v. Merz, supra. (The first indictment charged him with receipt and possession of child pornography; the superseding indictment added the two other charges, which were based on what the agents found on the My Kingdom site.) As the district court noted, Merz claimed the

derivative evidence should be suppressed because he understood from the proffer agreement he would have the opportunity to receive a reduced sentence as long as he provided truthful and complete information to the Government, and he contends he has provided such information. . . . Merz contends the Government's use of derivative evidence to charge him with additional counts, which expose him to a much greater prison sentence, is inconsistent with his understanding of the proffer agreement.

U.S. v. Merz, supra. He lost. The federal judge pointed out that Merz’s proffer letter said “`the government may make derivative use of, and may pursue investigative leads suggested by, statements made or information provided by . . . [Merz].’ In the letter, Merz agreed to `waive[ ] any right to challenge such derivative use and agree[d] such use is proper.’” U.S. v. Merz, supra. Having agreed to those conditions, the court said he couldn't complain about the consequences.

Merz also made another argument to try to get rid of the evidence resulting from the agents’ use of his My Kingdom password: he moved to dismiss

Counts I and IV of the . . . Superseding Indictment, charging him with advertising and transportation of child pornography, on the ground that they are based on improper use of evidence derived from Merz's proffer session and post-proffer cooperation. Merz claims the Government gathered the evidence underlying Counts I and IV, including the discovery of a witness against him, when Merz allowed federal agents to use his My Kingdom password and assume his online identity.

U.S. v. Merz, supra. In making this argument, Merz claimed the “Government has a duty of good faith in its dealings with cooperating defendants”. U.S. v. Merz, supra. For that proposition, he cited a case that involved plea agreements and subsequent sentencing. The court noted that Merz’s argument was not based on constitutional violations but on the exercise of prosecutorial discretion, and that prosecutorial discretion is “generally non-reviewable” by courts. U.S. v. Merz, supra. The prosecution pointed out that the case Merz relied on only applied to plea agreements, not to proffer letters.

The judge noted, though, that the court in that case based its finding that a duty of good faith applied in plea negotiations on “the existence of a contractual relationship between the Government and the defendant”. U.S. v. Merz, supra. He also pointed out that the “Government appears to concede the existence of such a relationship between itself and Merz in the instant case when it argues the proffer letter should be construed according to principles of contract law.” U.S. v. Merz, supra.

Ultimately, however, the judge found he did not need to decide if a duty of good faith applies in the context of proffer letters because Merz voluntarily signed a proffer letter that “expressly authorize[d] use of derivative evidence”, such as the evidence resulting from the agents’ use of his My Kingdom password. U.S. v. Merz, supra. The judge therefore denied Merz’s motion to dismiss Counts I and IV of the Superseding Indictment. U.S. v. Merz, supra.

The judge did not rule on one final argument Merz made: In a different motion, he sought to prevent a witness from testifying at trial because of how the government found out about him: “Merz argues government agents, while posing as Merz on the My Kingdom website, revealed information about Merz, particularly his name, to a third party who will testify against Merz at trial.” U.S. v. Merz, supra. Merz apparently argued that the witness should not be allowed to testify because of how the agents discovered him. The court reserved ruling on that issue until the government offered this person as a witness at Merz’s trial. U.S. v. Merz, supra.

As to that witness, the statement of facts I quoted from above said this:

On January 31, 2007, Jonathan Adams signed a consent to allow government agents to assume his online presence. Adams told government agents he jointly administered My Kingdom with Merz. Adams pled guilty to child pornography charges in the United States District Court for the District of New Jersey.

U.S. v. Merz, supra. So maybe Adams is the witness Merz wants to prevent from testifying, given how he was discovered.

I don’t know how common it is for agents (and officers) to use consents to assume someone’s online presence. I’ve found them mentioned in only a handful of reported cases, none of which address the issue I raised in my original post on the topic, i.e., whether they’re a 4th Amendment device or something else.

Thursday, July 23, 2009

"True Threats" - Revisited

Last year, I did a post about a case in which a college student was charged with violating 18 U.S. Code § 875(c).

I explained that § 875(c) makes it a federal crime to transmit a “threat . . . to injure the person of another” via interstate commerce, and using the Internet satisfies the interstate commerce element of the offense. I noted that the only open question was whether the content the student put online qualified as a threat, or what the law calls a “true threat.”

I also explained that the U.S. Court of Appeals for the Sixth Circuit held, in U.S. v. Alkhabaz, 104 F.3d 1492 (6th Cir. 1997), that a University of Michigan student’s posting violent sexual fantasies online was not a “true threat” . . . even though the student who wrote and posted the stories gave the victim the same name as one of his classmates. The student this post is about attended a university in Pennsylvania. In my previous post on the Pennsylvania case, I speculated as to whether the student’s conviction might be overturned on appeal given that the Pennsylvania case has some things in common with the Alkhabaz case.

It didn’t turn out that way: On July 15, the U.S. Court of Appeals for the Third Circuit affirmed Steven Voneida’s conviction for violating 18 U.S. Code § 875(c). U.S. v. Voneida, 2009 WL 2038633 (2009). In appealing his conviction, Voneida argued that

his statements were not “`threats,’ were never transmitted to anyone, and there was `no imminent prospect of execution.’ Instead, he contends, they were more akin to `a college student's unfledged attempt at counterculture humor.’

U.S. v. Voneida, supra. The Court of Appeals didn’t agree. It found the evidence was sufficient to support Voneida’s conviction for using interstate commerce to transmit a “threat” to injure another person or persons. It first addressed the content of the material Voneida posted online:

Two days after the tragic shootings at Virginia Tech, Voneida, a student at the Harrisburg campus of Penn State University, posted several statements and pictures to different parts of his internet MySpace page that were the subject of his conviction. These statements and pictures included: `Someday: I'll make the Virginia Tech incident look like a trip to an amusement park’; `the weary violent types who are sick of self-righteous, lecherous, arrogant, and debauched attitudes displayed by [A]merican youth would band together with me for a day, and allow everyone at schools and universities across the nation to reap the bitter fruit of the seeds that they have been sowing for so long’; expressed `shock[ ]’ that after the Virginia Tech shootings his classmates `were actually surprised that there are people out there who would shoot them if given the opportunity’; `lost my respect for[ ] the sanctity of human life’; captioned a posting `Virginia Tech Massacre-They got what they deserved,’ where he noted his current mood was `extatically [sic] happy,’ and included a poem dedicated to the Virginia Tech shooter that concluded that the shooter's `undaunted and unquenched’ wrath would `sweep across the land’; and a picture of the bloodied Virginia Tech shooter holding two guns superimposed on a cross with the words `martyr,’ `massacre,’ `enrage,’ and `recompense.’

U.S. v. Voneida, supra.

The court noted that “some of the statements, taken in isolation, may not rise to the level of a threat within the meaning of § 875(c),” but found that “was not the context of the case here.” U.S. v. Voneida, supra. It found a rational jury could reasonably construe the statements “that were made only two days after the Virginia Tech shootings, specifically the comment about making Virginia Tech look like `a trip to an amusement park,’ as a serious intention to inflict bodily harm.” U.S. v. Voneida, supra.

The Court of Appeals also rejected Voneida’s argument that the statements were never

transmitted because his postings were more like a hand-written diary also fails. Section 875(c) requires that the communication be transmitted in interstate commerce. For other MySpace users to view the statements posted to various parts of Voneida's MySpace page, the postings had to pass through the main internet server, located in California. Further, the `amusement park’ statement and others were posted to Voneida's MySpace `bulletin board,’ which was set to send out update notices to members of his `buddy’ list when he added new information. And, those with access to Voneida's MySpace page could respond to his statements by posting their own comments on his page. Given these facts, we conclude that a rational jury could have determined that the offending statements met this element of the statute.

U.S. v. Voneida, supra.

Finally, the Court of Appeals rejected Voneida’s argument that to violate § 875(c), the prosecution had to prove the threat was “imminent,” i.e., that Voneida intended to implement what he posted online:

[T]here is no requirement in the statute of proof of imminency to make a threat real. In proving that Voneida's statements were threats, the Government `bore no burden of proving that [Voneida] intended his [statements] to be threatening or that he had an ability at the time to carry out the threats.’

U.S. v. Voneida, supra. The Court of Appeals therefore affirmed Voneida’s conviction, which means he’ll have to serve the sentence of 19 months in prison the district court imposed on him. U.S. v. Voneida, supra.

I don’t know if I agree with the Court of Appeals. Until I read the opinion, I hadn’t known about some of the comments Voneida posted on his MySpace page . . . and I admit some of them are pretty disconcerting. I think what bothers me about the opinion, and the conviction, is that the facts in the case differ in one important respect from traditional threat cases.

As I believe I noted in my earlier post on this case, the usual dynamic of a threat crime is that the perpetrator (the “threatener”) directly transmits the threat to the victim. That’s always been an essential element of the crime, and it’s one of the reasons criminal law can criminalize threats without violating the 1st Amendment. A threat is, after all, speech, which means it’s protected by the 1st Amendment unless some circumstance deprives it of that protection.

Historically, courts held that threats could be criminalized under either or both of two rationales: One is that a threat causes emotional “harm” to the victim, which is usually what the threatener intends to do. The premise here is that unlike regular speech – which can offend us or make us uncomfortable -- a threat inflicts an aggravated level of emotional “harm” which justifies criminalizing the act of making a threat.

The other rationale is that a threat can be seen as an initial step toward carrying out the threatened act of killing or injuring another person or persons. The premise here is that by making a “true threat,” you’ve shown that you’re dangerous, so the law can intervene to prevent you from carrying out what you have, in effect, promised to do.

Here, as far as I can tell, Voneida never directly transmitted his concededly unsettling comments to an intended victim. Instead, like Alkhabaz, he broadcast them to a rather undifferentiated audience. Also, as the Court of Appeals implicitly conceded, there doesn’t seem to have been much, if any, evidence that he actually intended to do the things he wrote about. That, again, reminds me of Alkhabaz.

Wednesday, July 22, 2009

Networks and Treason

This post is a follow-up to a post I did recently in which I analyzed whether the federal government could nationalize private computer networks if the owners refused to let them be used in defensive (or offensive) cyberwarfare.

This post is about a related issue: if the civilian owners of such networks refused to let them be used to carry offensive or defensive cyberwarfare traffic, would that constitute treason?

To answer that question, we first have to define treason. Article III § 3 clause 1 of the U.S. Constitution defines it as follows: “Treason against the United States shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.” (If you’re wondering why the sentence uses “them” and “their” rather than “it” and “its”, the reason is that the drafters of the Constitution saw the United States as a single sovereign entity that was composed of discrete sovereign entities – the states.)

Section 2381 of Title 18 of the U.S. Code implements the constitutional provision by making treason a crime:

Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.

To commit treason, therefore, one who is (i) a citizen or otherwise owes allegiance to the United States must (ii) intentionally (iii) levy war against it or give “aid and comfort” to its enemy/enemies. The first two elements are pretty straightforward, the third less so.

“Citizen” includes those born in the U.S. and/or to American citizens, as well as naturalized citizens. U.S. v. Stephan, 50 F. Supp. 445 (U.S. District Court for the Eastern District of Michigan 1943). And it must be your purpose – your intention – to levy war against the United States and/or give aid and comfort to its enemies. Stephan v. U.S., 133 F.2d 87, 94 (U.S. Court of Appeals for the Sixth Circuit 1943).

The first alternative in the third element – levying war against the United States – is unambiguous because it directly refers to “war.” If a U.S. citizen had joined the German Army in World War II and fought against the U.S. that would clearly be treason because he/she would directly be “levying war” against his own country. In re Charge to Grand Jury, 30 F. Cas. 1036 (U.S. Circuit Court for the Southern District of Ohio 1861).

The second alternative is more ambiguous, at least on its face: Giving “aid and comfort” is analogous to aiding and abetting a crime. For example, in Best v. U.S., 184 F.2d 131, 137-138 (U.S. Court of Appeals for the First Circuit 1950), a federal Court of Appeals upheld a U.S. citizen’s conviction for treason. It was based on Robert Best’s serving as a radio commentator for the German Short Wave Station, which operated during the last two years of World War II. As the court noted, his “Best’s Little Lifesaver” broadcasts were beamed at U.S. troops fighting in Europe and were intended to “foster a spirit of defeatism, of hopelessness in the face of vaunted German might”, thereby undermining the effectiveness of U.S. troops and helping Germany win the war. Best v. U.S. supra. The Court of Appeals held that this was enough to constitute treason:

‘When war breaks out, a citizen's obligation of allegiance puts definite limits upon his freedom to act on his private judgment. If he trafficks with enemy agents, knowing them to be such, and being aware of their hostile mission intentionally gives them aid in steps essential to the execution of that mission, he has adhered to the enemies of his country, giving them aid and comfort, within our definition of treason. He is guilty of treason, whatever his motive.’

Best v. U.S. supra (quoting Chandler v. U.S. 171 F.2d 921 (U.S. Court of Appeals for the First Circuit 1948)). The Court of Appeals found that Best’s motive was irrelevant:

Best having knowingly aided agents of the enemy in their efforts to bring about the military defeat of the United States, it is of no consequence that he may have thought it was for the ultimate good of the United States to lose World War II, in order that Hitler might accomplish the destruction of an ally of the United States whom Best regarded as a potential enemy. So far as the legal issues . . . are concerned, it is entirely irrelevant to speculate whether the present position . . . of the United States in world affairs are better or worse, as compared with what would probably have been the alternative prospect of facing the final life-and-death struggle with a triumphant Hitler, master of most of the world outside the Americas.

Best v. U.S. supra.

That brings us to the final requirement for treason under the second alternative set out in § 2381: The person must have given aid and comfort to an “enemy” or “enemies” of the United States. Courts have held that the term “enemies” means “a foreign power in a state of open hostility with” the United States. Stephan v. U.S., supra. This is why Julius and Ethel Rosenberg, who were accused of giving the Soviet Union information about the U.S. atomic bomb program, were prosecuted for espionage, instead of treason. Since a state of open hostility did not exist between the U.S. and the Soviet Union at the time, what they did couldn’t be treason. U.S. v. Rosenberg, 195 F.2d 583 (U.S. Court of Appeals for the Second Circuit 1952).

And that brings us back to networks and cyberwarfare: If the civilian owner of a network refuses to let the U.S. military use the network to transmit signals as part of a cyberwar attack, is that treason? In answering that question, I’m going to assume the network owner qualifies as a citizen or someone who otherwise owes allegiance to the U.S.

Under the first alternative in § 2381, the answer depends in part on whether the network owner is directly or indirectly aiding military forces engaged in war with the U.S. If the owner is refusing to let the network be used to respond to a cyberattack that has already been launched against the U.S., that might qualify as aiding the attacking forces . . . as long as the owner is refusing for the purpose either of levying war against the U.S. or giving aid and comfort to the country that is attacking the U.S.

If the owner is refusing for other reasons – to keep the network from becoming the target of attacking forces or to stay neutral in a conflict conducted in cyberspace – would that negate any inference of an intent to aid the attackers? I think it would, because I think I can distinguish that scenario from the scenario in the Best case. The Best court said it didn’t matter – insofar as Best’s liability for treason was concerned – whether he aided the enemy because he thought the U.S. would benefit more from being defeated by Germany than by defeating Germany. All that mattered was that when he made the broadcasts he acted with the purpose of giving aid and comfort to the German forces in their battle against Allied forces.

If the network owner is refusing to let the network be used because of concerns that aren’t related to the conduct of cyber-hostilities between the U.S. and the country attacking the U.S., then I’d argue the owner can’t be convicted of treason. Since the owner isn’t a member of the armed forces and, we’re assuming, the government hasn’t nationalized computer networks in the U.S., it seems to me the owner can refuse to let the network be used to launch a defensive attack without incurring liability for treason.

What if the owner is refusing to let the network be used to launch an offensive attack? Does that alter the analysis? I think it does. I don’t see how the network owner could be convicted of treason here for several reasons: One is that since no state of war exists between the countries at least until the attack is launched, and maybe until it hits its target(s), I don’t see how the network owner could be levying war against anyone. (I’m assuming, throughout this analysis, that cyberattacks constitute acts of war.)

Another, related reason is that if the countries aren’t already in a state of open hostility, the owner can’t be giving aid and comfort to an “enemy” of the U.S. Given all that, I think it would be very difficult – even impossible – to prove that the network owner refused to let the network be used to launch the offensive cyberattack for the purpose of either levying war against the U.S. or giving aid and comfort to its “enemy.” The country against which the attack is/will be/would be launched isn’t an enemy, as I understand, until the attack has arrived, and maybe until the attacked state responds in kind.

Would it matter if, as I hypothesized in my earlier post, the federal government had earlier nationalized the computer networks controlled by U.S. citizens? I don’t know. I don’t know (so far) what, if any, effect nationalization has on the treason analysis. It seems all nationalization would do is to put the network owner in a position in which he/she/it is now obligated to follow orders from designated federal officials. If that’s true, then refusing to obey such an order would presumably be punished as precisely that, i.e., as the intentional refusal to follow an order issued under the authority of the statute authorizing nationalization of the networks. In other words, it seems that a refusal after nationalization should constitute the crime, if any, the nationalization statute created to sanction those who do not follow orders from an authorized source. I’ll have to look into that a little more, and see if nationalization would impact on the treason analysis.

Monday, July 20, 2009

Networks and Nationalization

This post isn't about -- or isn't only about -- the use of computer technology to commit crimes. It's more about the use of computer technology to commit war.

A few weeks ago, I was part of a conversation about the legal issues cyberwarfare raises. We were talking about various scenarios – e.g., a hostile nation-state uses cyberspace to attack the U.S. infrastructure by crippling or shutting down a power grid, air traffic control systems, financial system, etc.

Mostly, we were focusing on issues that went to the laws of war, such as how and when a nation-state that is the target of a cyberattack can determine the attack is war, rather than cybercrime or cyberterrorism. (As I noted in an earlier post, the distinction between the threats lies in the nature of the attacker: Cybercrime and cyberterrorism are carried out by civilians, while war is carried out exclusively by nation-states. For the purposes of the analysis in this post, I’m going to assume that war is the exclusive province of nation-states; in other words, I’m not going to consider scenarios in which civilians who are not affiliated with a nation-state launch what is, in effect, cyberwarfare.)

More precisely, we were discussing how a country that is under cyberattack – like the attacks that recently targeted U.S. sites or the ones that targeted Estonia in 2007 – decides if it is authorized to retaliate against the attacker (assuming it can identify the attacking nation-state with enough precision to justify launching a counterattack). We were, in other words, focusing on the “Pearl Harbor moment,” i.e., the point at which a nation-state can justifiably conclude it is the target of state-initiated cyberwarfare.

As we discussed those issues, someone raised a very interesting point, one that had never occurred to me. He pointed out that the signals used to launch the initial attacks and the signals that would be used to launch counterattacks would travel primarily, if not exclusively, over civilian-owned and -operated networks. He asked what would happen if the companies that operate the networks that constitute the Internet refused to carry the signals that would deliver the cyber-counterattack (and, I assume, any subsequent attacks by either side to this almost-war). I don’t think any of us had a clue.

I still don’t . . . but I thought I’d use this post to raise the issue and throw out a few ideas as to how it MIGHT be resolved. As I analyze the issues, I’m making two assumptions, both of which I think are accurate: One is that a cyberwarfare attack would necessarily travel primarily, if not exclusively, over civilian networks; the other is that the operators of those networks can, at least at some point, identify traffic as “war” traffic, as opposed to the “not-war” traffic they usually carry.

If those assumptions are, in fact, valid, then it seems the civilians who own and operate the constituent networks that create the Internet can, in effect, exercise a veto over cyberwarfare . . . or at least aspects of cyberwarfare. In the scenario that was implicit in the discussion I noted above, the operators of civilian networks could exercise their veto to prevent the attacked state from launching retaliatory cyberattacks and, I assume, to stop the attacking state from launching further offensive cyberattacks. In this scenario, the network operators are essentially neutral. They probably don’t have to be, which means there’s another, more unsettling scenario: The civilians who operate the networks could choose sides; so they might allow the signals being used in the attacking state’s cyberattacks and prevent the defending state from launching its own counterattacks.

I, however, want to focus on the general issue: In the cyberwarfare context, it seems civilians have the capacity to control the battlefield or, perhaps more accurately, to control whether there will be a battlefield. I can’t think of any historical instances in which civilians had the ability to exercise a veto power over nation-states’ ability to carry out acts of war.

When the gentleman raised the issue of network operators’ deciding not to facilitate cyberwarfare, the first thing I thought of was nationalization, as in nationalizing the networks. That led me to think about whether the U.S. government has ever had to do anything similar . . . and that led me to the United States Railroad Administration. As you may know (I didn’t), President Wilson nationalized the railroads in 1917, after we declared war on Germany:

By proclamation dated December 26, 1917, the President of the United States, acting under the powers conferred on him by the Constitution and laws of the United States, by joint resolution of the Senate and House of Representatives, bearing dates of April 6 and December 7, 1917, . . . (said resolutions being respectively the resolutions declaring that a state of war existed between the United States and Germany, and between the United States and Austria-Hungary), and particularly under the powers conferred by section (1) of the act of Congress approved August 29, 1916, entitled ‘An Act Making appropriations for the support of the Army for the fiscal year ending June thirtieth, nineteen hundred and seventeen, and for other purposes,’ took . . . assumed control . . . as of December 31, 1917, of . . . railroads. . . . The principal railroads in the United States were so taken over, and a central and administrative board was . . . set up and known as the United States Railroad Administration, at the head of which was an officer appointed by the President, and known as the Director General of Railroads.

Chicago & North Western Railway Co. v. Commissioner of Internal Revenue, 22 B.T.A. 1407, 1931 WL 473 (U.S. Board of Tax Appeals 1931).

As Wikipedia explains, once the U.S. entered World War I in April, 1917, “the nation's railroads proved inadequate to the task of serving the nation's war efforts.” Many of the companies were in bankruptcy, others were suffering financial difficulties because of the inflation that had “struck the American economy”, the unions were threatening to strike and despite the railroad companies’ attempt to “join forces and coordinate their efforts [to] help the war effort”, they failed. Wikipedia, supra.

In December 1917, the Interstate Commerce Commission “recommended federal control of the railroad industry” to improve its effectiveness and the President nationalized the railroads later that month. On March 21, 1918, the Railway Administration Act went into effect; among other things, it “guaranteed the return of the railroads to their former owners within 21 months of a peace treaty”. Wikipedia, supra. On March 1, 1920, the “railroads were handed back to their original owners and the” United States Railroad Administration was shut down. Wikipedia, supra.

There is, then, U.S. precedent for taking over companies that provide services which constitute part of what we now call the country’s critical infrastructure. Since no one seems to have challenged President Wilson’s nationalizing the railroads, the Act that authorized his doing so is (was) at least presumptively valid. My point is that what President Wilson did with the railroads COULD provide a precedent for a contemporary President’s nationalizing the networks that constitute, or contribute to the constitution of, the Internet. In this post, I’m not concerned with how viable it would be to do that in practice; I’m simply focusing on the legal issues that might be involved in an effort to do that, assuming it was practicable.

As Devil’s advocate, I see certain differences between President Wilson’s nationalizing the railroads and the hypothetical scenario in which a contemporary President somehow manages to nationalize the networks that create and sustain cyberspace. One lies in the justification for nationalization: President Wilson nationalized the railroads to improve their performance as a coordinated transportation system, the benefits of which would accrue to civilians as well as to the military; if a modern President nationalized the networks under the scenario(s) I outlined above, he/she would be nationalizing them to alter their performance, to shift their function from serving purely civilian ends to serving civilian and military ends.

In other words, I see nationalizing the networks as having a much more dramatic effect on the functioning of the networks than I suspect President Wilson’s nationalizing the railroads did on the functioning of the railroads. Nationalizing the railroads was intended to improve their ability to efficiently transport military personnel and equipment within the territorial United States. Nationalizing the railroads in no way altered their function so that they became, at least to some extent, an implement of war. Their role was simply to support the military by transporting the men and material it needed to wage war outside the territorial boundaries of the United States.

That brings me to another, related difference I see between the railroad and network nationalization scenarios: Nationalizing the railroads did not transform them from purely civilian entities into civilian/military entities. Nationalizing the networks would, I think, transform them into civilian/military entities or even into a component of the military. It seems to me that nationalizing the networks so they can carry defensive and offensive cyberwarfare traffic is analogous to nationalizing the airlines so Boeing 777s and 747s can drop bombs on the enemy.

I’m not saying nationalizing the networks isn’t an option under the law, as it exists now or as it could exist. As far as law is concerned, I think nationalization of the networks clearly is an option. At this point, though, I’m not convinced it’s a practicable option nor am I convinced it would be a particularly advisable one.

But, as always, I could be wrong. I’ve just started thinking about these issues, so I may change my mind as I get further into them.

Friday, July 17, 2009

Power Point and the Plain View Doctrine

The plain view doctrine is a 4th Amendment principle that lets an officer seize an item without first obtaining a search warrant, as long as the seizure comports with certain requirements. As Wikipedia explains, the requirements are that

The officer is lawfully present at the place from which he/she can plainly see the evidence;

The officer must be able to lawfully access the item to be seized; and

The incriminating character of the object must be `immediately apparent.’

Courts have found that the “immediately apparent” element means that the officer must have probable cause to believe the object is evidence of a crime. Probable cause exists when “the facts and circumstances within [the officer’s] knowledge and of which [he] had reasonably trustworthy information [are] sufficient in themselves to warrant a man of reasonable caution in the belief” that the object is evidence of a crime. Brinegar v. U.S., 338 U.S. 160, 175-176 (U.S. Supreme Court 1949).

In Texas v. Brown, 460 U.S. 730, 738-739 (1983), the U.S. Supreme Court said the plain view doctrine is best “understood . . . not as an independent `exception’ to the 4th Amendment’s warrant clause, but simply as an extension of whatever the prior justification for an officer's `access to an object’ may be.”

When I cover the plain view doctrine in class, I use this example to illustrate how it works: Officers are executing a warrant to search John Doe’s home for stolen TV sets. As they walk into the living room of the house – which could contain the stolen TV sets, not all of which have been found yet – they see a transparent bag lying on the coffee table. As the officers look at the bag, they see it contains what they immediately recognize – based on their training and professional experience – as illegal drugs (e.g., marijuana, crack cocaine). Their looking at the bag doesn’t violate the 4th Amendment because their search warrant authorizes them to be in Doe’s living room searching for the stolen TV sets. Since the illegal drugs are “in plain view,” looking at them is not a search under the 4th Amendment; as the Supreme Court said in Katz v. U.S., 389 U.S. 347 (1967), “whatever a person knowingly exposes to public view, even in their own home or office, is not private” under the 4th Amendment.

All the plain view doctrine does is to let the officers seize the drugs without first getting a warrant authorizing them to do so. As the Supreme Court noted in Texas v. Brown, it is

grounded on the recognition that when a police officer has observed an object in `plain view,’ the owner's remaining interests in the object are merely those of possession and ownership. . . . Likewise, it reflects the fact that requiring police to obtain a warrant once they have obtained a first-hand perception of . . . or incriminating evidence generally would be a `needless inconvenience’ . . . that might involve danger to the police and public. . . . [O]ur decisions . . . reflect the rule that if, while lawfully engaged in an activity in a particular place, police officers perceive a suspicious object, they may seize it immediately. . . . This rule merely reflects an application of the Fourth Amendment's central requirement of reasonableness to the law governing seizures of property.

And that brings me to U.S. v. Jefferson, 571 F.Supp.2d 696 (U.S. District Court for the Eastern District of Virginia 2008). The search at issue arose from the indictment that charged William J. Jefferson, a Member of the U.S. House of Representatives, with “a variety of crimes including bribery, conspiracy, wire fraud, foreign corrupt practices, money laundering, obstruction of justice and racketeering.” U.S. v. Jefferson, supra.

As part of the investigation. . . [FBI] agents . . . went to defendant's residence . . . in New Orleans . . . to execute a search warrant. . . . Schedule B to the search warrant listed items to be seized . . . in four general categories: (1) records and documents related to various corporate entities, (2) records and documents related to specific correspondence or communications between certain individuals, (3) records and documents related to travel to Ghana and/or Nigeria by certain individuals, and (4) records and documents related to appointments, visits, and telephone messages to or for defendant.

U.S. v. Jefferson, supra. By the end of the seven-and-a-half-hour search, the agents had seized 1,400 pages of documents plus “high-resolution photographs of thirteen separate items” and notes of the contents of documents they neither seized nor photographed. U.S. v. Jefferson, supra. Jefferson only moved to suppress the photographs and the agents’ notes. The agents relied on the plain view doctrine as their justification for taking the photographs and making the notes; they said they were told to only seize evidence that was “directly responsive to the list of items” in Schedule B. They said they took the photographs and the notes “in an effort to comply with the prosecutors’ instructions while still giving effect to the plain view doctrine.” U.S. v. Jefferson, supra.

We’re only concerned with one of the thirteen items the seizure of which was apparently not “directly responsive” to the list of items in Schedule B:

The sixth item at issue is a power-point presentation regarding an enterprise known as E-Star. The warrant did not authorize seizure of documents or records relating to E-Star, and nothing else in the power-point presentation made it responsive to Schedule B. The government nevertheless contends that the power-point presentation was appropriately seized under the plain view doctrine.

U.S. v. Jefferson, supra. I’m not sure how the FBI agents “seized” the PowerPoint presentation. In its opinion the federal district court initially says they took photographs of some of the 13 items and took notes on the others. Later in the opinion, though, the court describes item #6 as “[a] printout of a power-point presentation entitled `E-Star Wireless Broadband Network Business Opportunity.’” U.S. v. Jefferson, supra.

It really doesn’t matter how they seized it. The point is that they seized the presentation, which wasn’t directly responsive to the list of items they were supposed to be searching for and seizing . . . so the only justification for seizing it was the plain view doctrine.

Jefferson argued that “all evidence seized in the search should be suppressed because the FBI agents' decision to photograph and take notes of documents that were not (in defendant's view) subject to seizure under the terms of the search warrant transformed the search into an impermissible general search of the sort prohibited by the Fourth Amendment.” U.S. v. Jefferson, supra. The federal district court judge did not agree:

Because the agents were lawfully in defendant's house and . . . were authorized to conduct a cursory inspection of documents they found to determine whether those documents were subject to seizure, the plain view analysis with regard to the power-point presentation . . . turns on whether its incriminating character was apparent on its face. Here, agents had probable cause to believe that the power-point presentation was evidence of a crime. The investigation into defendant's activities that had led to the search at issue focused on a number of schemes by which defendant had allegedly solicited payment in return for the performance of official acts. Agents Horner and Thibault testified that many of these alleged schemes involved telecommunications ventures. According to Agent Horner, the E-Star power-point presentation, which detailed a telecommunications venture, closely resembled similar presentations involving iGate, Inc. that had been provided to the FBI by cooperating witness Lori Mody. Because the agents were familiar with defendant's receipt of bribes in return for his performance of official acts on behalf of iGate, the similarity between the iGate venture and the venture described in the E-Star power-point presentation gave rise to a reasonable belief that the power-point presentation was evidence of another illegal scheme, and warrantless seizure of the power-point was appropriate under the plain view doctrine.

U.S. v. Jefferson, supra.

In a later portion of the opinion, the federal district court judge also rejected Jefferson’s argument that the agents’ “flagrant disregard for the terms of the warrant” transformed the search into a constitutionally impermissible general search, i.e., rummaging through everything without regard to whether it fell within the scope of the search warrant or an exception such as the plain view doctrine.

[T]he majority of evidence seized by way of photograph and written note during the . . . search was seized legally pursuant to the search warrant or the plain view doctrine. Only two items were improperly seized -- the 1991 calendar and appointment book and the Moss Creek documents. Nor does the record indicate that the improper seizures were a result of any flagrant disregard for the terms of the warrant; to the contrary, in each case there is evidence that the seizing agents acted in good faith. Because this was not a general search based on flagrant disregard for the terms of the warrant, blanket suppression is unwarranted.

U.S. v. Jefferson, supra.

I think the judge was correct in applying the plain view doctrine to the seizure of the PowerPoint presentation. What I find interesting about this case is the use of the plain view doctrine to seize this kind of intangible evidence. I haven’t run across any other plain view seizure of PowerPoint presentations, but I suspect this won’t be the last one we see.

Finally, I'd like to note that the judge and, apparently, the prosecution and defense lawyers in this case all assumed that by printing out the Power Point slides or photographing them (whatever the agents did to obtain the contents of the presentation) the agents "seized" the Power Point presentation. In my last post, I argued that copying data is a seizure under the 4th Amendment, notwithstanding the fact that one federal district court opined otherwise. Everyone involved in this case seems to have assumed that copying is, in fact, a 4th Amendment seizure.

Wednesday, July 15, 2009

Copying as a Seizure (Again)

I’m going to revisit an issue I addressed in a post I did several years ago. The issue is whether copying data files is a seizure under the 4th Amendment.

As I’ve noted in earlier posts, the 4th Amendment prohibits unreasonable searches and seizures. As I’ve also noted, a “search” violates a reasonable expectation of privacy under the test the Supreme Court announced in Katz v. United States, 389 U.S. 347 (1967); and as the Supreme Court held in Soldal v. Cook County, 506 U.S. 56 (1992), a “seizure” interferes with our possession and use of our property.

I think the issue of whether or not copying data is a 4th Amendment seizure is an important one because if copying is neither a search (which I don’t think it is) nor a seizure, then it’s completely outside the scope of the 4th Amendment. If copying is completely outside the scope of the 4th Amendment, then officers can copy data without getting a warrant authorizing them to do so and/or relying on an exception to the warrant requirement as their authorization for doing so.

Why don’t I think copying is a search? As I noted, searches violate – intrude on – a reasonable expectation of privacy under the 4th Amendment. Let’s assume, for the sake of analysis, that someone has a legitimate 4th Amendment expectation of privacy in the data stored on their computer. To really reinforce that assumption, we’ll also assume that this person lives alone and so doesn’t share the computer with anyone else and doesn’t give anyone else access to it, whether in person or remotely. The contents of that hard drive are, therefore, protected by the 4th Amendment’s guarantee of privacy.

Assume a police officer equipped with the appropriate forensic software makes a copy of the hard drive. We’ll also assume the officer’s being in the home to make the copy didn’t itself violate the 4th Amendment because I want to focus on the specific act of copying the data. If, as I believe is usually true, the officer doesn’t observe the contents of the data during the copying process, then I do not see how we can characterize the copying as a search.

He hasn’t looked at the data; no human being has looked at it. The computer and software he’s using have, in a literal sense, “looked at it” because both have had some level of access to the data. I, however, do not see that as a true 4th Amendment search, if only because the 4th Amendment was clearly intended to protect the privacy of our places and things from observation by people (law enforcement officers specifically).

We could construe the act of copying the data as a search under at least two theories: One theory is the one I noted above, i.e., that the implements have in a sense “looked at” the data and we’ll impute their “observations” to the law enforcement officer. The other theory is that the copying by the equipment is essentially the first step toward this officer’s viewing the contents of the hard drive, so it is the beginning of a search. We could also have a third theory if and when the programs officers use to copy data have attained a level of artificial intelligence; at that point, we still wouldn’t have a human being observing the data but an entity with a level of intelligence would be doing so. We could then, I suppose, impute the artificial intelligence’s viewing the data to the officer.

I concede that copying data COULD be construed as a search under these, and perhaps other, theories. I really don’t think that’s the way to go, though, because I think we really have to torture the notion of “search” to apply it to the non-observational copying of data.

I think it makes much more sense to treat copying data as a seizure. Copying data is, of course, not a traditional, zero-sum seizure. A traditional, zero-sum seizure is analogous to traditional, zero-sum theft: In both, the possession and use of property passes entirely from one person (the rightful owner) to another (the officer seizing the property or the thief stealing it). Zero-sum seizures are the only kind of seizures that are possible with tangible property, i.e., property that exists only in the physical world.

Zero-sum seizures are therefore the only kind of seizures the drafters of the Bill of Rights were thinking about when they wrote the 4th Amendment. That, though, does not mean we have to limit the applicability of the 4th Amendment to zero-sum seizures. After a few false starts, the Supreme Court recognized that unless it construed the 4th Amendment broadly -- to encompass changing technologies -- the 4th Amendment would become increasingly irrelevant to modern life. Since the 4th Amendment is the closest thing the Constitution has to a guarantee of privacy and security in the possession of property, we do not want it to become a pretty-much-dead letter.

Expanding the traditional, zero-sum conception of seizure to encompass non-zero-sum seizures is consistent with the approach the Supreme Court took in holding that tapping phone conversations is a 4th Amendment “search.” In 1928, in Olmstead v. U.S., 277 U.S. 438, the Supreme Court held it was not a search for federal agents to use wiretaps on the phone lines outside Olmstead’s home to listen to what he said when he was making calls from his home phone. (Olmstead had argued it was a search because the officers were able to hear what he said when he was in his home, the home being the most private of all 4th Amendment enclaves.)

Because many members of that Court were conceptually mired in the nineteenth century, they said the eavesdropping didn’t violate the 4th Amendment because the officers never physically entered Olmstead’s home. They were construing the 4th Amendment to reach only the evil it was originally designed to address: officers kicking down someone’s door, forcing themselves into the home and rummaging through the contents of the house. In his dissent, Justice Brandeis pointed out that

[s]ubtler and more far-reaching means of invading privacy have become available to the government. . . .The progress of science . . . is not likely to stop with wire tapping. Ways may . . . be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and . . . expose to a jury the most intimate occurrences of the home. . . . Can it be that the Constitution affords no protection against such invasions of individual security?

Olmstead v. U.S., supra (Brandeis dissenting). In 1967, in the Katz case, the Supreme Court reversed its Olmstead decision and said wiretapping is a search. In so doing, the Court moved beyond a literal interpretation of the 4th Amendment and into one that can encompass advances in technology. I think we should do essentially the same thing with how we define 4th Amendment seizures.

At the moment, the only case I can find in which a judge specifically rules on the copying-as-seizure issue is U.S. v. Gorshkov, 2001 WL 1024026 (U.S. District Court for the Western District of Washington 2001). As you may know, in the Gorshkov case FBI agents copied data from a computer Gorshkov used in Russia, without first obtaining a search and seizure warrant. Gorshkov argued that copying the data constituted a 4th Amendment search, but the federal district judge disagreed:

[C]opying the data on the Russian computer was not a seizure under the Fourth Amendment because it did not interfere with Defendant's . . . possessory interest in the data. The data remained intact and unaltered. It remained accessible to Defendant. . . . The copying of the data had absolutely no impact on his possessory rights.

U.S. v. Gorshkov, supra. I vehemently disagree.

When officers copy data, a transfer takes place. Before officers copy the data on John Doe’s hard drive, Doe is the only person who has possession of it. After they copy it, both the officers and Doe have a copy of the data. Doe has not, as the Gorshkov judge correctly noted, entirely lost possession of the data. He has, I argue, lost a quantum of his possessory interest in the data.

In an earlier post, I wrote about an Oregon case in which the defendant was charged with using a computer to commit theft after he copied a password file belonging to his employer. The defendant claimed he didn’t commit theft because the employer still had the password file; he just had a copy of it. If we apply the Gorshkov judge’s approach to defining a seizure of property to this defendant’s argument, then he’d win; the Oregon court would have had to dismiss the theft charge against him because the employer had not “entirely lost possession of the data.”

That, though, isn’t what the Oregon court did. It noted that “theft” is defined as taking someone’s property without being authorized to do so and that “property” is defined as “anything of value.” The court found that the evidence showed the passwords had “value,” which meant they were “property.” It then held that the defendant committed theft because he deprived his employer of exclusive possession of the passwords, which deprived the employer of property because much of the value of passwords lies in the fact that no one else knows what they are.

If copying data is theft, I think it also has to be a seizure, a non-zero sum seizure. Any time someone copies my data without permission, I “lose” something; more precisely, I lose part of my exclusive possession and control of the data. Even if my data doesn’t consist of passwords, much of its value lies in the fact that it’s mine and I, alone, control it. I think, therefore, that the loss of the ability to exercise sole control over one’s data justifies defining copying as a non-zero sum 4th Amendment seizure . . . which would not mean law enforcement officers couldn’t copy data. It would mean they’d need to have a warrant or an exception to the warrant requirement (e.g., consent or the existence of exigent circumstances) to be able to copy the data without violating the 4th Amendment.

Disagreement????

Monday, July 13, 2009

Controlling Child Pornography

This post is about a Pennsylvania statute that seems to create a fifth child pornography crime. As I’ve noted, there are – or I’ve assumed there are – four child pornography crimes: manufacturing child pornography, distributing child pornography, possessing child pornography and accessing (looking at) child pornography. The Pennsylvania statute adds what MAY be a fifth option: controlling child pornography.

The case is Commonwealth v. Diodoro, 970 A.2d 1100 (Supreme Court of Pennsylvania 2009). It began when, on “November 20, 2003, the Ridley Township Police Department obtained a search warrant for appellant Anthony Diodoro's personal computer and seized the computer from his residence in Delaware County.” The forensic examination of the computer revealed that it “contained approximately 340 images of suspected child pornography and thirty additional images that were known to be child pornography.” Commonwealth v. Diodoro, supra. Diodoro was arrested and charged with 30 counts of child sexual abuse by violating 18 Pennsylvania Consolidated Statutes § 6312(d).

Section 6312(d) provides as follows: “Any person who knowingly possesses or controls any book, . . . photograph, film, videotape, computer depiction or other material depicting a child under the age of 18 years engaging in a prohibited sexual act or in the simulation of such act commits an offense.” As the Pennsylvania Supreme Court noted, “under Section 6312(d), a defendant may be convicted of sexual abuse of children for the mere knowing control of child pornography.” Commonwealth v. Diodoro, supra.

Diodoro pled not guilty and went to trial. At trial, Pennsylvania Trooper Peter Salerno

testified to the specifics of his forensic examination of appellant's computer. Trooper Salerno explained that he searched the images and web history on appellant's hard drive using forensic software, which revealed . . . web pages pertaining to child pornography websites, and 370 images relating to child pornography that were stored in the cache files or unallocated space of the hard drive. . . . Salerno testified that finding the images of child pornography stored in the cache files indicated that someone accessed the child pornography websites and by clicking the “next” button or a specific image, accessed and viewed the various images. . . . Salerno also noted that because of the large quantity of images stored in the cache files, it would have taken an individual a considerable amount of time to go through the images.

Commonwealth v. Diodoro, supra. The prosecution and defense stipulated that the images (i) depicted “female children engaged in prohibited sexual acts” and (ii) “were viewed by [appellant] on his computer while he was searching the World Wide Web for images of females under age [sixteen].” Commonwealth v. Diodoro, supra.

Diodoro was convicted and appealed, arguing that the evidence was not sufficient to support his conviction. His primary argument seems to have been that the evidence did not show he “controlled” the images. The first appellate court to consider his argument

focused its . . . analysis . . . on the term `control’. . . . [It] determined that the `ordinary, everyday meaning’ of the term . . . was: `. . . . [T]he ability to exercise a restraining or directing influence over something.’ . . . The [court] held that, in addition to . . . seeking out and viewing child pornography, `[h]is actions of operating the computer mouse, locating the [websites], opening the sites, displaying the images on his computer screen,’ at which time he had the ability to download, print, copy or e-mail the images, `and then closing the sites were affirmative steps and corroborated his . . . control over the child pornography.’ The majority found additional evidence of appellant's control . . . [in] Officer Salerno's testimony, wherein he explained that the sheer volume of child pornography stored in appellant's `cache files indicate[d] that someone, after accessing the particular [websites], had to click the “next” button on the screen to view successive images.’ Thus, [it] concluded that the totality of the circumstances was sufficient to support the jury finding that appellant's conduct constituted knowing control of child pornography under Section 6312(d).

Commonwealth v. Diodoro, supra. The Pennsylvania Supreme Court agreed to review the lower court’s decision. In his argument to that court, Diodoro claimed that “for the Commonwealth to establish that he had the power and intent to exercise control over the images of child pornography found on his computer, [it] was required to prove that he had knowledge of the existence of those images on his computer.” He also argued that because the statute did not define “control,” he was not on notice that “intentionally accessing and viewing child pornography via the internet -- sans the intent to download, copy or send the images -- constitutes `control’ of such material under Section 6312(d).” Commonwealth v. Diodoro, supra.

In analyzing his arguments, the Pennsylvania Supreme Court explained that the statute creates two crimes: “the Commonwealth need not establish that a defendant possessed child pornography to prove a violation of Section 6312(d) if the Commonwealth can prove that a defendant knowingly controlled child pornography”. So controlling child pornography is different from possessing child pornography.

The Pennsylvania Supreme Court analyzed the arguments of the two sides and the evidence in the case, and then held that Diodoro “controlled” the images:

An individual manifests . . . control of child pornography when he purposefully searches it out on the internet and intentionally views it on his computer. . . . [T]he viewer has affirmatively clicked on images of child pornography from different websites and the images are therefore purposefully on the computer screen before the viewer. Such conduct is clearly exercising power and/or influence over the separate images of child pornography because the viewer may, inter alia, manipulate, download, copy, print, save or e-mail the images. It is of no import whether an individual actually partakes in such conduct or lacks the intent to partake in such activity because intentionally seeking out child pornography and purposefully making it appear on the computer screen -- for however long the defendant elects to view the image -- itself constitutes knowing control. The use and operation of computers are not the novelty they once were. Control via a computer is little different from the control one exercises by viewing a book or a magazine -- whether one purchases the tangible image or not. . . . Section 6312(d) should not and cannot be read to allow intentional and purposeful viewing of child pornography on the internet without consequence.

Commonwealth v. Diodoro, supra.

Based on the court’s analysis, it seems pretty clear that Pennsylvania’s “controlling child pornography” crime is the accessing child pornography crime I wrote about in an earlier post. As I explained in that post, the federal child pornography statute was amended to add accessing child pornography as one of the crimes it encompasses.

In an earlier post, I noted that a bill had been introduced into the Nevada legislature that would add an accessing crime to that state’s child pornography statutes. The bill passed the legislature and on June 9 the Governor signed it, so it’s presumably gone into effect by now.

Nevada’s new statute defines the access crime as follows: “Any person who, knowingly, willfully and with the specific intent to view any . . . visual presentation depicting a person under the age of 16 years engaging in or simulating sexual conduct, uses the Internet to control such a film, photograph or other visual presentation is guilty of” a felony. Nevada Assembly Bill 88, 2009 Nevada Laws Ch. 471.

Another part of the Nevada bill creates a civil cause of action for someone who was used to make child pornography. Such a person can sue anyone who promoted the child pornography, possessed it or used “the Internet to control the film, photograph or other visual presentation, with the specific intent to view the film, photograph or other visual presentation.” Nevada Assembly Bill, supra. I’m not sure what the rationale of this provision is. I assume children used in child pornography can already sue those who created it and distributed it, under some theory, so this section must be meant to spread the liability net wider. I’m not sure how effective the cause of action against people who viewed the child pornography is going to be, though.

Getting back to the Pennsylvania statute, I’m not sure why the legislature went with “control” instead of “access” (or “view”). Logically, “control” implies a greater level of involvement than does “access,” so maybe that notion was part of the reason why they focused on control. If the Pennsylvania legislature had gone with “access,” it might have made things simpler; it would have been impossible, or at least much more difficult, for Diodoro to argue that he hadn’t “accessed” the images than it was for him to claim he hadn’t “controlled” them.

So if any state legislators are considering adding the fourth child pornography crime to their criminal code, I’d respectfully suggest they go with the access or view option.

Friday, July 10, 2009

Interception and Device

This post is about a recent decision from a federal court in Wisconsin that deals with email interception in violation of 18 U.S. Code § 2511(1)(a). The case is U.S. v. Szymuszkiewicz, 2009 WL 1873657 (U.S. District Court for the Eastern District of Wisconsin 2009) and here is the government’s version of the facts:

[D]efendant, a revenue officer with the IRS, created a `rule’ on his supervisor Nella Infusino's computer, which auto-forwarded to defendant all of Infusino's e-mails. The government presented testimony from Infusino and another IRS employee, Theresa Memmel, that . . . while Memmel was training Infusino on the use of `Outlook’ -- the e-mail program utilized by the IRS -- the two came upon the rule on Infusino's computer. Memmel and Infusino were shocked . . . and called the computer support department. Infusino . . . did not create the rule or intend for defendant to receive her e-mails. IRS computer specialist David Tietz . . . responded to Infusino's call and viewed the rule, which was active, on her computer. Tietz . . . disabled the rule, then deleted it. Tietz testified that defendant never advised him that he was receiving Infusino's messages, nor did he learn that from his co-workers in tech support.

William Taylor, an investigator with the Treasury Department's Inspector General's Office, testified that he looked into the matter after Infusino discovered the rule. Taylor reviewed data on the IRS's Outlook server, looking for e-mails auto-forwarded by rule, pursuant to which he recovered twenty-one e-mails forwarded from Infusino to defendant. Taylor also checked defendant's computer hard drive, where he located 116 additional e-mails auto-forwarded from Infusino, all of which had been opened and some of which had been moved to different folders within defendant's Outlook program. . . .

Infusino . . . supervised defendant from 2001 to 2005 or 2006. . . . [and] . . . used a laptop computer, which she carried with her when she visited the officers under her supervision. Infusino never saw defendant access her computer (and she did not provide him with her password), but . . . at times she left the computer unattended in the Racine office where defendant worked. Infusino . . . testified that in 2003 and 2004 issues with defendant's work performance arose. . . .

U.S. v. Szymuszkiewicz, supra.

Szymuszkiewicz was charged with 3 counts of violating § 2511(1)(a), which makes it a federal crime to intercept the contents of electronic communications. He went to trial and moved for an acquittal before the case went to the jury; the judge reserved decision on his motion and sent the case to the jury. After the jury convicted Szymuszkiewicz, he renewed his motion, which the federal judge then considered.

In ruling on the motion, the judge began by noting that to convict Szymuszkiewicz,

the government had to prove (1) that defendant intercepted an electronic communication; and (2) that he did so intentionally. The term `intercept’ means to acquire the contents of any electronic communication through the use of any electronic, mechanical or other device. An `electronic, mechanical, or other device’ means any device or apparatus which can be used to intercept a wire, oral or electronic communication. Finally, . . . `intentionally’ means to act deliberately and purposefully; that is, defendant's act had to be the product of his conscious objective rather than the product of a mistake or an accident.

U.S. v. Szymuszkiewicz, supra. Szymuszkiewicz argued that the government had failed to prove beyond a reasonable doubt either that “he used a `device’ to intercept Infusino’s e-mails” or that he “intercepted” the emails.

In his first argument, Szymuszkiewicz contended that § 2511(1)(a) “requires use of a device separate and distinct from the drive and server upon which the communication was received.” U.S. v. Szymuszkiewicz, supra. In making his argument, he relied on two opinions issued in civil suits under the Wiretap Act, of which § 2511 is a part. The federal judge found neither case was relevant here because “both concerned defendants who received information directed by the sender to them; in neither case did the defendants take any action to re-direct to themselves a communication addressed to another.” U.S. v. Szymuszkiewicz, supra. The judge said the defendants in these cases engaged in “passive receipt” of communications, rather than intercepting them.

In the present case, the government did not rely solely on defendant's passive receipt of Infusino's e-mails on his own IRS computer via the IRS server. Rather, the government claimed that he used a device, i.e. Infusino's computer, to create the rule to intentionally effectuate re-direction/interception. He then used his own computer to receive and read the re-directed e-mails.

U.S. v. Szymuszkiewicz, supra. Since Szymuszkiewicz had not cited any cases holding that using two computers to intercept communications does not satisfy the requirements of § 2511(1)(a), the judge held that the government had carried its burden of proving the “use of device” element of the § 2511(1)(a) charges. U.S. v. Szymuszkiewicz, supra.

As I noted earlier, Szymuszkiewicz’s other claim was that the government “failed to prove `contemporaneous’ interception of the e-mails.” That argument raises an issue a number of courts have dealt with. The issue arises because § 2511(1)(a) is part of the Wiretap Act, which dates back to 1968. The Wiretap Act was adopted to implement the Supreme Court’s holding, in U.S. v. Katz, that eavesdropping on phone calls is a search under the 4th Amendment. Congress adopted the Wiretap Act to implement the Katz decision and to add even more requirements than the 4th Amendment now imposes on wiretapping.

As I’ve noted, about ten years later the Supreme Court held, in Smith v. Maryland, that the 4th Amendment does not apply to the numbers we dial on our phones or to any other information we share with third parties. The Smith Court relied on an earlier decision in which the Court essentially held that by sharing information with third parties, like banks and phone companies, we lose any expectation of privacy in that information.

So the Katz and Smith cases create the emphasis on “contemporaneousness” when it comes to “intercepting” electronic communications. The issue doesn’t arise for phone calls because the only way you can capture the contents of a phone conversation is to listen in or record it as it occurs. It arises for emails for at least two reasons: One is that we tend to leave read and unread emails stored with our ISP, which suggests they are governed by the Smith rule. The other reason is that unlike phone conversations, emails are not a simultaneous, unitary communication. As the Szymuszkiewicz court explained, they move as discrete packets, each of which is stored by computers as it travels to its final destination, where the packets “are reassembled to form the e-mail message”. U.S. v. Szymuszkiewicz, supra.

Courts have therefore struggled with what it means to “intercept” emails. Some courts have found that the temporary, intermediate storage involved in transmitting an email is enough to take the emails outside the scope of the Wiretap Act. In other words, they’ve held these emails are governed by Smith, not Katz. Szymuszkiewicz’s problem was that in U.S. v. Councilman, 418 F.3d 67 (U.S. Court of Appeals for the First Circuit 2005) (en banc), a federal court of appeals held that “the Wiretap Act applies to e-mail messages in the `transient electronic storage that is intrinsic to the communication process for such communications.’” While that decision was not binding on this federal district court, the judge agreed with the Councilman court’s logic:

Defining . . . `intercept’ to generally require contemporaneousness, . . . would permit courts to maintain a distinction between prospective interception at the time of transmission and one-time access to information already received and in storage. . . . Such construction would avoid eliminating the protections of the Wiretap Act based on the transient storage incidental to e-mail communication.

U.S. v. Szymuszkiewicz, supra. The judge then found that the evidence was sufficient to establish that Szymuszkiewicz intercepted the emails that were the basis of the charges:

[He] did not access Infusino's messages on her computer after receipt. Rather, the messages destined for Infusino were auto-forwarded to defendant as soon as they were received on the IRS e-mail server. Further, . . . the e-mails relating to the three counts . . . reflect that they were sent to Infusino and defendant at the same time (accounting for a time zone difference). With respect to Exhibit 57 in particular, Agent Taylor testified that the e-mail was submitted to the server at 2:23:58, a version created for defendant at 2:23:58, and the version so created delivered to defendant at 2:23:58. Thus, the government demonstrated contemporaneous interception.

U.S. v. Szymuszkiewicz, supra. So Szymuszkiewicz lost.

I like this judge’s idea of striking a flexible balance between transmission and storage rather than relying on “a rigid storage/transit dichotomy”. My only concern is the potential uncertainty of a standard that is predicated on “generally” requiring contemporaneousness.

Wednesday, July 08, 2009

Mules

You’ve probably seen the news stories about the Ukrainians who extracted $415,000 from a Kentucky bank, courtesy of a Trojan horse program.

If you haven’t seen the stories, here’s a brief recap: Ukrainian hackers used a Trojan horse program to acquire access to and authentication authority over bank accounts belonging to Bullitt County, Kentucky. The Trojan gave the hackers access to the County Treasurer’s computer, according to the stories I read, and to the email account of the judge who had to approve wire transfers from the County’s account. They created accounts in the names of fictitious employees and then transferred $415,000 to those accounts.

Posing as the Fairlove Delivery Service, the Ukrainians had earlier hired people to edit text for them, primarily fixing the English from what I gather. They then approached at least some of these people, telling them the company had trouble getting funds to its clients overseas and asking if the employees would help them with their problem. Those who agreed accepted wire transfers of funds ($9,900) into their bank accounts, took part of the money (say, $500) as their “commission” and then wired the rest to a bank account in the Ukraine.

This post isn’t about the theft of the funds from the Bullitt County government’s bank account, as such. It’s clear that the Ukrainians who are responsible for the theft committed a variety of federal cybercrimes: unauthorized access to computers (the Treasurer’s and judge’s computers, at the very least), transmitting a program, code or information and causing damage (the Trojan horse program) and maybe accessing a computer without authorization to further a scheme to defraud (if we decide this was fraud, not theft). As I’ve explained, the general federal cybercrime statute – 18 U.S. Code § 1030(a) – criminalizes each of these acts: Section 1030(a)(5)(B) makes it a crime to gain unauthorized access to a computer and cause damage (which is defined as impairing the integrity or availability of data); section 1030(a)(5)(A) makes it a crime to transmit a code, program or information and cause damage; and section 1030(a)(4) makes it a crime to access a computer without authorization to further a scheme to defraud. (To make what they did fraud, we’d have to figure out someone who was defrauded into letting them have the money in the accounts. I’m not sure that one will work.) We’d also have conspiring to violate § 1030 in violation of 18 U.S. Code § (b), and a host of other federal crimes.

Okay, the perpetrators are easy. If they’re ever caught, there are plenty of crimes they can be charged with and, I’m sure, easily convicted of.

I want to focus on the mules . . . the people who received the initial transfers of funds from the County’s account at the banks and wired most of what they received to the account in the Ukraine. I’ve seen no indication that anyone intends to prosecute them for their role in the scam, but it’s still early in the investigation; and even if they aren’t actually prosecuted, I think the issue warrants exploring.

Since the mules didn’t play any role in the actual execution of the theft of the funds, they can’t be charged as actual perpetrators of any of the crimes outlined above. Their role essentially came after the theft had been committed; they helped the Ukrainians move the funds out of the U.S. and into their own, home account.

There are two possible ways a prosecutor could hold the mules liable for the theft of the funds. One is what’s called the Pinkerton doctrine. In Pinkerton v. U.S., 328 U.S. 640 (1946), the U.S. Supreme Court held that, as far as federal cases are concerned, one member of a conspiracy can be held liable for the substantive crimes the other members of the conspiracy commit. They become each other’s agents, in effect. In the Pinkerton case, two brothers were making liquor and selling it in violation of federal revenue laws. Daniel got caught, convicted and was serving time in jail when Walter committed some further violations of federal revenue laws. Daniel and Walter were both charged with committing those crimes, on the theory that they had conspired to violate federal revenue laws, which meant Daniel was responsible for what Walter did, even when Daniel wasn’t there. The Supreme Court accepted that theory, and held Daniel liable.

We could conceivably use that in this case, since I’m assuming federal charges, but for Pinkerton liability to apply, the person has to have joined the conspiracy the object of which is to commit the target crime – here, theft – before the crimes were committed. The crimes have to be a foreseeable consequence of the conspiracy the person joined, and occur after they joined the conspiracy. Since I’m assuming the theft was complete – more on that in a minute – I don’t think Pinkerton would work here. Even if the mules entered into a conspiracy to dispose of the funds, that couldn’t be used to hold them liable for taking the funds, IMHO.

So let’s try the obvious choice: aiding and abetting, or what the Model Penal Code calls accomplice liability. As I explained in an earlier post, an accomplice is someone who helps another person commit a crime – they “aid and abet” the crime. Here, the mules helped the Ukrainians get the money out of the country, which definitely constituted aiding the commission of the theft. To be liable as accomplices, though, the mules had to have acted with the purpose of aiding and abetting the crime (the theft) and the crime must not have been completed before they provided their assistance.

As a federal district court noted recently, the intent to aid and abet “must be formed prior to or during the commission of the offense.” Pickles v. Adams, 2009 WL 789904 (U.S. District Court for the Eastern District of Michigan 2009). “Thus aider and abettor liability is established if the getaway driver forms `the intent to facilitate or encourage commission of the robbery prior to or during the carrying away of the loot to a place of temporary safety.’" Pickles v. Adams, supra. We’re not dealing with a getaway driver, but the principle is the same: Like the driver, the mules helped the thieves get the loot to a place where it was safe.

At this point, I’m assuming, for the purpose of analysis, that the mules did have the intent to aid and abet the thefts; I’ll get to whether that was true or not in a minute.

So, assuming that they acted with the intent to aid and abet the theft of the Bullitt County government’s money, did they form that intent during the commission of the crime itself? The answer seems to be a little tricky. Some of the cases I read said that if you only provide assistance after the crime itself has been committed – which, for theft, seems to mean that the thieves have taken the property from the rightful owner’s possession, so the owner has been divested of it – you can’t be an accomplice because you can’t aid and abet a crime that’s already been committed. If we go with that theory, then it seems the mules can’t be liable as accomplices, or aiders and abettors.

Some courts expand that out a little, especially in the area of theft crimes, and use the theory quoted above, i.e., that if the accomplice forms the intent to facilitate the commission of the theft either while it’s being committed or while the thieves are in the process of getting away with the loot, that’s enough to make them an accomplice. If we go with this theory, then it might be possible to prosecute the mules as aiders and abettors because they did help the Ukrainians get away with their loot. The Ukrainians had gotten it out of the Bullitt County bank but not out of the U.S. and into the Ukraine; I can see a good argument that part of the crime – the asportation of the stolen property – was still in process when the mules did what they did. And since what they did directly facilitated the Ukrainians’ getting the money out of the country, it should qualify as aiding and abetting.

There is, though, that residual but very important issue of intent. Law has traditionally required that to be an accomplice to a crime, you must purposely aid and abet its commission. So for the mules to be held liable as accomplices, the prosecution would have to prove beyond a reasonable doubt that their purpose in accepting the initial transfers of funds and then in sending most of the funds to the Ukrainian account was to abet the crime of theft.

Several of the stories I’ve read about the case say that the two mules who have talked to the investigators say they were duped. They seem to have believed it was a legitimate transaction, at least initially. One said she became suspicious and didn’t wire all of the money; the other one seems to have gone along with no suspicions.

A prosecutor, of course, might not believe their claims that they had no idea there was anything wrong with the transaction. In situations like this, prosecutors can use certain facts to support the inference that the mule – while claiming innocence – actually knew what was going on and acted with the intent to facilitate the underlying crime. One factor here that might be used to infer intent is the amount the mules were being paid. One story I read said they were told they’d receive $9,900 and should keep $500 before wiring the rest to the Ukrainian account. That seems like a pretty good commission to me; excessive payments can indicate illegal activity and might be used in inferring intent. A prosecutor might also point to the use of an offshore, Ukrainian account as the place to which the funds were going, but the employer said they were for offshore clients, so maybe that wouldn’t be particularly compelling. If the mules had kept doing this, over and over, that, too, might be a circumstance from which intent could be inferred.

Am I arguing that the mules in this case should be prosecuted? No, at least not on the basis of what I’ve seen so far. The rationale for punishing mules who do act with the intent of aiding and abetting a crime like this is to make it more difficult for Ukrainian hackers to find someone to do this in the future. Aside from holding these people liable, such a prosecution could publicize the scam and help ensure that others don’t fall for it.

And, of course, the mules are here, which means we can easily prosecute them, if we get over the hurdles I’ve noted above. As to the Ukrainian perpetrators, I suspect prosecuting them is unlikely.

Monday, July 06, 2009

File-sharing and Child Pornography: Two Views

I’ve done a couple of posts on police officers using file-sharing software like Limewire or Kazaa to find child pornography on people’s computers. The issue I was dealing with in those posts was whether law enforcement’s using Limewire or Kazaa to access files on someone’s hard drive is a search under the 4th Amendment.

This post is also about file-sharing software and child pornography, but it focuses on a different issue: whether putting child pornography into a folder that can be accessed via file-sharing software in and of itself constitutes “distributing” child pornography.

As I explained in an earlier post, most countries that outlaw child pornography use 3 crimes to do so: possessing child pornography, distributing child pornography and manufacturing child pornography. Section 2252A(a)(1) of Title 18 of the U.S. Code makes distributing child pornography a crime:

Any person who knowingly transports . . . using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce by any means including by computer or mails, any visual depiction, if . . . such visual depiction involves the use of a minor engaging in sexually explicit conduct; and such visual depiction is of such conduct.

The mental state – the mens rea – of the crime is therefore “knowingly,” which means “the defendant realized what he/she was doing and was aware of the nature of his/her conduct, and did not act through ignorance, mistake or accident.” Federal Criminal Jury Instructions of the U.S. Court of Appeals for the Seventh Circuit 4.06. The issue that has come up in the U.S. and the U.K. is whether putting images of child pornography into a folder that is accessible via file-sharing software constitutes “knowingly” distributing child pornography. I’m going to compare how courts in each country dealt with this issue.

We’ll start with the U.K. In R. v. Dooley, [2005] EWCA Crim 3093 (Court of Appeal 2005), Dooley was charged with violating the Protection of Children Act of 1978 by having images of child pornography in his possession “with a view to their being distributed . . . by himself or others”. Protection of Children Act of 1978 § 1(1)(c). Under § 2 of the Act, a person is “regarded as distributing an indecent photograph or pseudo-photographs if he parts with possession of it to, or exposes or offers it for acquisition by, another person”. The case arose after police searched Dooley’s home and seized a computer, on which they found Kazaa and “many thousands of indecent images of children, many of which he had obtained via Kazaa.” R. v. Dooley, supra. The Court of Appeals noted that “only six of the images” were found in Dooley’s “My Shared Folder.”

The prosecution argued that by putting images into that folder, Dooley violated § 1(1)(c) of the Protection of Children Act. Dooley’s lawyer said he didn’t violate it because

downloading of images from KaZaA will often take many days. . . . Rather than just download a few images, the appellant would download a very substantial number of images. The images . . . could not effectively be accessed by others until . . . the `My Shared Folders’ had the completed image. . . . [I]t was his `specific intention’ to remove the . . . image from the `My Shared Folder’ to some other part of his computer, where it could not be seen by others. Because of the large number of images that were downloaded, it took him time to do that.

R. v. Dooley, supra. The prosecution said the images had been in the folder for 10 days, and the court found this meant “they were available to be accessed” by those who were using Kazaa and were so inclined. The trial court found that because Dooley used Kazaa (and in effect joined “a computer club knowing its purpose is to make material downloaded by you accessible to all members”), he downloaded the images “with a view to” their being distributed by others. R. v. Dooley, supra.

Dooley appealed, arguing that the prosecution had to prove that one of the reasons he left the images in the folder was “to enable others to access” them; since the trial court apparently did not apply this standard, the Court of Appeals vacated the conviction. The trial court had commented that “if a person charged with this offence did not know that as a result of using the particular software there was a likelihood of the image . . . in the `My Shared Folder’ being accessed by others then he would have a good defence” to the charge. R. v. Dooley, supra. On appeal, Dooley’s lawyer said that since this wasn’t made clear to Dooley, he pled on the premise that the prosecution didn’t have to show he knew that by leaving images in the file he was violating § 1(1)(c) of the Act. The Court of Appeals found that Dooley’s plea was no good because it was based on a misunderstanding of what the prosecution had to prove to convict him.

Here’s how an American court dealt with a similar issue: Derek Schade was charged with distributing child pornography under § 2252A(a)(1). Like Dooley, Schade used file-sharing software (Bearshare); police got a warrant and searched his computer after an undercover officer “downloaded a child pornography video file through the Bearshare network in part from Schade’s computer.” U.S. v. Schade, 2009 WL 808308 (U.S. Court of Appeals for the Third Circuit 2009). Police found “numerous child pornography files on the computer, both movies and still images”. U.S. v. Schade, supra.

Schade went to trial and was convicted of “transporting . . . a visual depiction of a minor engaging in sexually explicit conduct in violation of” § 2252A(a)(1). He appealed, claiming the evidence at trial was not sufficient to establish the charge because “there is no way of knowing which portion of the downloaded file was contributed by his computer, and thus whether that portion actually depicted a minor engaged in sexual conduct.” U.S. v. Schade, supra.

I actually think that’s a pretty interesting argument in and of itself, but the Court of Appeals dismissed it because Schade was charged with transporting child pornography and with aiding and abetting the transport of child pornography. The court therefore held that the argument failed because “at the very least Schade is liable as an aider and abettor. His computer contributed some part of a video that showed a minor engaging in sexual activity.” The Court of Appeals found that it would be “eminently reasonable for the jury to have concluded that Schade aided and abetted the transportation of a visual depiction of a minor engaged in sexual activity by making the child pornography file available” on his computer, where it could be utilized “by another user of Bearshare seeking to download the complete video.” U.S. v. Schade, supra.

Now we get to the knowledge issue, which is similar to the issue in the Dooley case. Schade also argued that “there was insufficient evidence to show that he knew the child pornography files on his computer could be downloaded by other Bearshare users.” U.S. v. Schade, supra. Since § 2252A(a)(1) makes it a crime to “knowingly” distribute child pornography, he could not have been lawfully convicted if the prosecution didn’t prove beyond a reasonable doubt that he knew the child pornography in his shared files could be downloaded by other Bearshare users. Not surprisingly, the Court of Appeals rejected this argument, as well:

[T]here was evidence . . . showing Schade was notified while downloading the software for Bearshare that it would allow others to upload files from his computer, and he even changed the default settings for file-sharing. Furthermore, Schade testified that he himself used Bearshare for file-sharing. . . . [W]e cannot conclude that the jury was unreasonable in determining from this evidence that Schade intentionally kept child pornography files in the `My Downloads’ folder and knew that doing so would allow Bearshare users to access and upload them.

U.S. v. Schade, supra. The prosecution had presented evidence that when he installed the Bearshare software, Schade was “shown a screen notifying him that he would be sharing files located in that folder and had left that setting in place, while changing the default setting regarding the sharing of partial files.” U.S. v. Schade, supra.

A Texas court reached a similar conclusion. Ruben Wenger was convicted of distributing child pornography via file-sharing software. Wenger v. State, 2009 WL 1815781 (Texas Court of Appeals 2009). He appealed, claiming the evidence at trial didn’t prove beyond a reasonable doubt that he “knowingly disseminated the files in question.” Wenger v. State, supra.

He lost for two reasons: One is that in a recorded interview with police, Wenger said he “knew Shareaza shared his files: he said he assumed users downloaded files from him and that the purpose of Shareaza was to allow users (like Detective Ried) to `pull files from members’” like himself. Wenger v. State, supra. The other reason is that at trial a detective with computer forensics expertise testified that at some point, Wenger had “change[d] the default Shareaza settings so that the program did not automatically share” his files. Wenger v. State, supra. That rebutted a claim Wenger made in the recorded interview with police: that he didn’t know how to “share and not share” files. The court therefore found that a jury could reasonably infer that Wenger “knew Shareaza was sharing his downloaded files and knew how to prevent” it from doing so.

Friday, July 03, 2009

Privacy in the Virtual World

I usually write about privacy in the context of the police searching places and seizing evidence. That is, I usually write about privacy in the context of the 4th Amendment’s prohibition of “unreasonable” searches (and seizures). This post is about privacy in a different context.

Last week I went to a talk by a law professor who specializes in online privacy law. The crux of his talk was that the privacy we’ve had in the real-world is being eroded there and online by what people post online.

One of the examples he used is the Korean woman who didn’t pick up after her dog made a mess on a subway train. As you may know, someone took a cell-phone photo of her and posted it online. The photo went viral; people tracked down her name and address and posted that information online, along with more information about her. (As I recall, she was a student at the time.) People altered the original photo and basically had a lovely time making her look ridiculous. As I recall from what I read at the time, she was humiliated by all the attention and wound up leaving school.

Another example he used is the “Star Wars kid.” As you may know, a Canadian high school student videotaped himself playing at being a Jedi knight, using a golf ball retriever as a light-saber. From what I read, he left the videotape in the recorder, where some other students found it and posted it online, where it really went viral. People made variations, complete with Star Wars adversaries and authentic light-sabers, etc. Instead of enjoying the publicity, the boy in the video was humiliated. As I recall, he dropped out of high school and finished his studies with a tutor.

If you’d like to read more about these and other, similar stories, you might check out my article on Online Defamation. There’s a link to it on the right-hand side of the blog.

In this professor’s view, we’re creating an accelerating erosion of privacy that threatens to seriously diminish if not destroy privacy, at least as we think about it. He therefore believes we must take steps to mitigate or end this erosion, and he believes there are two ways we can go about doing this.

One is to simply accept the phenomenon . . . on the premise it will either run its course and result in a backlash that resuscitates privacy or produce a world in which privacy is negligible and therefore not valued. The other option he outlined is to take affirmative steps to preserve privacy online. One of these, for example, would be to eliminate the immunity 47 U.S. Code § 230(c)(1) creates for those who operate websites but do not exercise any editorial control over what is posted on the sites. Eliminating that immunity would essentially make the operator of such a site a “publisher” who can be held liable for what people post on the site.

The law professor had a great deal more to say about privacy but this, I think, gives you an idea of the focus of his remarks. Since I have great respect for this gentleman, I am perfectly willing to accept his sincerity and erudition when it comes to privacy law and policy. I cannot, though, agree with him, at least not entirely.

Where I take issue with the views of this professor and other privacy mavens who share his views about the nature and magnitude of the effect cyberspace is having on privacy is the foundational assumption on which his analysis is implicitly predicated.

They seem to assume the privacy that existed in various countries during some or much of the twentieth century has ALWAYS existed . . . in every nation-state, city-state, empire and tribe. One of the things he talked about is that using cyberspace can reveal intimate information about our private lives. That is, of course, true . . . whatever I buy online is recorded and stored in databases. If a man buys Viagra or a woman buys birth-control pills, the information about those transactions is recorded, stored in databases and can come to light. The same is also true of transactions in the real-world when we use a credit card or a loyalty/discount card or any other device that leaves traces of what we’ve done. It is also true of other things we do online: the websites we visit and join, what we post on our MySpace or Facebook pages, etc., etc. Unless we somehow anonymize our activities, they create a digital trail that is recorded and stored in various databases.

When someone says this state of affairs is problematic because it represents an erosion of the privacy we enjoyed prior to the rise of cyberspace and related technologies, they are assuming that in the past all of this information was private, i.e., no one would know what medications, food, alcohol, sex toys or other items I was purchasing for my own use. I think that assumption is valid to some extent, depending on the historical period and the cultural context in which the activities occurred, but invalid in other respects.

Let’s start in reverse order: From what I’ve read, the original social unit was the tribe (not the family because collective activity gives humans an advantage in dealing with the challenges they encounter in their respective environments). I’ve read some about what life was like in prehistoric tribes (I think I even saw a movie about that?); based on that and simple common sense, I can say with a fair degree of confidence that there wasn’t much of what we’d call privacy in those groupings. I’m sure people tried to keep some information from others (the head of a family’s being ill, for example), but I’m also sure that most of what went on was well known to everyone in the tribe.

I can’t trace all of history here, but the tribes evolved into larger groups, which evolved into city-states, empires, etc. I cannot imagine that there was much of what we’d call privacy when people lived in villages that were part of an empire or even when they lived in one of the empire’s urban centers. Wealthy people may have been able to shield at least part of their activities from the masses, but I’m guessing everyone knew a lot about each other at every level of the society. All of those societies depended on face to face interaction and face to face transactions, so unless you wore a mask or came up with some other way to disguise yourself, people knew what you were buying (and selling) and probably knew if you were abusing your spouse or children.

Even when people lived in large cities, they tended to stay in their neighborhood, primarily because it wasn’t as easy to travel then as it is now . . . no cars, no subway, etc. So the neighborhoods were a lot like the villages the rest of the population lived in, and I cannot imagine there was much in the way of personal privacy in ancient and medieval villages.

What do I base that on? I base it on what I’ve read about villages and small towns in the U.S. in the nineteenth and early twentieth centuries. Think about it: There was probably one general store (maybe two) where you bought everything you needed . . . in a face to face transaction. So if you were one of the people who got hooked on over the counter medications containing opium, the owner and staff of the store would know that. After all, how many colds can you have? The same was true for all of your other transactions, for your attendance at church, for whether you fought with your spouse, whether your spouse was abusing you and the kids, whether your spouse was a drunk or just “odd”, etc. etc. I’m not saying people didn’t have some privacy; they could go home and close their doors and – if they didn’t start yelling at each other or do other things that leaked into the public domain – they could keep some things private.

I don’t, though, think they were as exercised as we are about privacy. The purpose of the 4th Amendment was to prevent police from breaking into someone’s home and going through their “stuff.” As the Supreme Court noted early last century, the 4th Amendment was not intended to create a general right to privacy; it’s become the focus of much of our privacy law because it’s the amendment that is the most concerned with privacy.

I digress: I think the foundational assumption I outlined above is a product – perhaps a somewhat exaggerated product – of a type of information control that essentially arose during the twentieth century. When I think of that type of control I imagine someone who lived in Manhattan in, say, the 1960s or 1970s. If you lived in an apartment, did not interact with your neighbors, bought your food and other supplies at various stores and did not interact with the staff of those stores, you could come pretty close to realizing the type of privacy the foundational assumption is based on. The staff of those stores would know what you bought, but the staff might rotate so you wouldn’t deal with the same people over a period of time. That would reduce their knowledge of your long-term buying habits. More importantly, since they didn’t know you and probably didn’t live anywhere near you, they didn’t care what you bought.

My point is that I think the kind of privacy the foundational assumption relies on has existed, but only on a small scale. . . and maybe only in certain places at certain times. If we’re not embedded in a community, what we do may be visible to others, but their lack of interest means they will probably pay little or no attention to what we do. Our privacy is a function of our disconnectedness and mutual disinterest in the details of each other’s lives.

I suspect that kind of privacy has existed at a very small scale in the history of human society. Throughout history, and today, many people still live in small villages and neighborhoods where everyone knows a lot about their lives. They may like that.

That brings me to my final point: The Korean woman who didn’t clean up after her dog would have gotten away with that fifty, forty, even thirty years ago because even if someone had taken a picture, they wouldn’t have been able to circulate it. Information about that episode would therefore have remained with a disparate group of individuals, none of whom knew her or cared anything about her except for her negligence in dealing with her dog.

Now, what she did can be distributed online to a community that transcends spatial constraints. Everyone who rides a subway or walks along a street can empathize with the people on the subway. And that community can do what communities have always done: express displeasure at her behavior in a way that shames her and, I’m guessing, means she won’t do that again.

My point is that privacy isn’t a unitary concept. It’s a complex, fluid phenomenon that changes as our environment changes. I’m personally very much in favor of our having as much privacy as possible. My purpose in writing this post is to point out that while cyberspace and related technologies can erode our expectations of privacy, we should not assume that every use of these technologies represents a threat to privacy.