Monday, November 29, 2010

Transportation “in Interstate or Foreign Commerce”

This post deals with an issue Jason Wright raised in appealing his conviction for transporting and possessing child pornography in violation of 18 U.S. Code § 2252A(a)(1). U.S. v. Wright, __ F.3d __, 2010 WL 4345670 (U.S. Court of Appeals for the 9th Circuit 2010).

Section 2252A(a)(1) currently states that “[a]ny person who . . . knowingly mails, or transports or ships using any means or facility of interstate or foreign commerce or in or affecting interstate or foreign commerce by any means, including by computer, any child pornography” commits a federal offense. (emphasis added). In 2003, when Wright was charged with violating the statute, it “punished any person who `knowingly mail[ed], or transport[ed] or ship[ped] in interstate or foreign commerce by any means, including by computer, any child pornography.'” U.S. v. Wright, supra.

According to the opinion cited above, Wright’s conviction for violating the statute arose from the following facts:

On January 16, 2003, from the Tucson FBI office, Special Agent Andrews conducted an undercover search on a file-sharing program known as an mIRC (Internet Relay Chat). Andrews came across the user name `azgymguy2’ in the chat rooms `100eensexpics’ and `gayteenpics.’ After typing in a `trigger’ that allowed her to establish a direct connection with azgymguy2's file-trader, the following announcement appeared:

`Welcome to my server. I'm fairly open to uploads, so please just upload stuff you feel is good. However, I am always looking for huge cocks, young boys and movies. I hope you enjoy your stay.’

Andrews downloaded thirteen files -- three of which were child pornography. Andrews conducted a second session that afternoon. . . . This time she downloaded fifty-nine files, twenty-one of which were child pornography. Andrews conducted three more undercover sessions on January 27, January 29, and February 4, 2003.

According to the government's expert witness at trial, Sven Nielsen, Wright's direct client-to-client connection to Andrews -- . . . the connection Wright used to transport the images to Andrews -- did not go through IRC servers such `that the actual traffic of sending the file or sending the chat from that point on d[id] not actually cross state lines.’ Nielsen explained that . . . to establish a direct client-to-client connection, the initial request takes `the normal IRC route,’ but once the request is accepted the computers are connected directly, not through the server.

Of course, while the direct client-to-client communication does not actually cross state lines, the files are still transmitted over the Internet. . . . Andrews testified that when she logged on to the IRC network on January 16 and eventually connected to Wright's file-server, . . . she connected through a server in San Jose, California.

After matching Wright's home address with `azgymguy2's’ Internet connection, the FBI executed a search warrant at Wright's residence on February 13, 2003. Agents seized Wright's desktop computer. . . .

U.S. v. Wright, supra. Wright was indicted on 8 counts of possessing child pornography in violation of 18 U.S. Code § 2252(a)(5)(B), 1 count of publishing a notice or advertisement seeking or offering child pornography in violation of 18 U.S. Code § 225(c)(1)(A) and two counts of transporting child pornography in violation of 18 U.S. Code § 2252A(a)(1). U.S. v. Wright, supra. The jury acquitted Wright on all the charges except the two § 2252A(a)(1) counts. U.S. v. Wright, supra.

As I noted earlier, Wright appealed, arguing that “§ 2252A(a)(1), as it existed at the time of his offense, required interstate transmission of child pornography images”. U.S. v. Wright, supra. Legislation adopted in 2008 removed this language and replaced it with the language I highlighted above. In his appeal, Wright argued that the

`in interstate . . . commerce’ language requires the government to prove the images themselves traveled across state lines. . . . [B]oth parties agree that the . . . never traveled outside Arizona when Andrews downloaded them from Wright's computer. The government counters that the statute does not require the images to cross state lines. Alternatively, it argues that while the images . . . may not have traveled across state lines, their transmission would not have occurred except for the prior communications from [Wright’s] file server through the IRC network to the FBI.

U.S. v. Wright, supra.

In analyzing the government’s first argument, the Court of Appeals noted that “the plain language” of the original version of the statute “requires that a person mail, transport, or ship child pornography interstate. That is to say, a plain reading of the statute seems to require at least some method of interstate travel.” U.S. v. Wright, supra. But the court also noted that in U.S. v. MacEwan, 445 F.3d 237 (U.S. Court of Appeals for the 3d Circuit 2006), that Court of Appeals found that a prosecution under 18 U.S. Code § 2252A(a)(2)(B), which makes it a crime to knowingly receive or distribute “any material that contains child pornography that has been . . . shipped or transported in interstate or foreign commerce by any means”, did not require that the images have actually crossed state lines. U.S. v. Wright, supra.

The 9th Circuit also noted, however, that two other Courts of Appeals – the U.S. Court of Appeals for the 10th Circuit and the U.S. Court of Appeals for the 1st Circuit – rejected the 3d Circuit’s reasoning. They found that “courts have interpreted Congress' decision to criminalize transportation `in interstate or foreign commerce’ of the relevant material to require actual crossing of a state or national border.” U.S. v. Wright, supra (quoting U.S. v. Lewis, 554 F.3d 208 (U.S. Court of Appeals for the 1st Circuit 2009) and citing U.S. v. Schaefer, 501 F.3d 1197 (U.S. Court of Appeals for the 10th Circuit 2007)).

The 9th Circuit explained that it had reached the same conclusion in interpreting similar language in other criminal statutes:

In United States v. Korab, we addressed 18 U.S. Code § 875(b), in which someone is guilty of federal extortion if he `transmits in interstate commerce any communication containing any threat . . . to injure the person of another.’ U.S. v. Korab, 893 F.2d 212, 213 (U.S. Court of Appeals for the 9th Circuit 1989). We held that the statute required the government to prove that the threats themselves, in that case telephone calls, traveled across state lines. There, all of the threatening phone calls between the defendants and the victim took place intrastate and the one telephone call that crossed state lines did not contain threats. . . . `[F]ind[ing] no evidence of threatening interstate communication,’ we reversed the conviction. U.S. v. Korab, supra.

U.S. v. Wright, supra. The 9th Circuit also noted that it had reached this conclusion with regard to a prosecution under 18 U.S. Code § 875(c), which makes it a federal crime to transmit “in interstate or foreign commerce any communication containing any threat to” kidnap or injure a person. In U.S. v. Sutcliffe, 505 F.3d 944 (2007), the 9th Circuit held that the requirements of the statute were met when the government proved that the “defendant’s website, containing the threats, crossed state lines by way of Internet servers in three different states.” U.S. v. Wright, supra.

The Court of Appeals then rejected the government’s attempt to rely on a case construing the Travel Act, 18 U.S. Code § 1952(a), which makes it a crime to use “any facility in interstate or foreign commerce” to further specified types of unlawful activity. U.S. v. Wright, supra. The Court of Appeals explained that because § 2252A(a)(1) “does not include the word `facility’”, “the phrase `in interstate or foreign commerce’ modifies the actus reus proscribed in the statute – mailing, transporting or shipping child pornography.” U.S. v. Wright, supra.

Finally, the Court of Appeals rejected the government’s argument that “use of the Internet, standing alone” satisfied the statute’s interstate or foreign commerce requirement. U.S. v. Wright, supra.

What distinguishes this case from those cases holding that Internet use, standing alone, provides the sufficient jurisdictional nexus, is that in each of those cases it was impossible to determine whether the images in question actually crossed state lines. . . . In the face of that uncertainty, those courts held that proof of Internet use was sufficient, reasoning that because it was just as likely that use of the Internet either remained entirely intrastate or involved multiple states, `the very interstate nature of the Internet’ favored finding that the images traveled in interstate commerce. [citing U.S. v. Lewis and U.S. v. MacEwan, supra.] Thus, MacEwan and Lewis stand for the proposition that, where it is impossible to determine whether the receipt of child pornography images crossed state lines, a defendant's use of the Internet may serve as a proxy for satisfying the interstate commerce requirement.

However, the question MacEwan and Lewis left unanswered is that presented by Wright's case: whether use of the Internet, standing alone, is sufficient to satisfy the `interstate commerce’ requirement where it is undisputed that the images themselves did not cross state lines. . . . [W]e hold that a defendant's mere connection to the Internet does not satisfy the jurisdictional requirement where there is undisputed evidence that the files in question never crossed state lines.

U.S. v. Wright, supra.

I decided to do a post on this case, even though the 2008 revision of § 2252A(a)(1) may have eliminated the problem the government had here, because the “in interstate or foreign commerce” language is still used in other federal criminal statutes, which means this holding might be used to challenge charges in other cases.

If you’re wondering why the “interstate or foreign commerce” element is so important, you might check out this Wikipedia entry on federal criminal jurisdiction. As Wikipedia notes, for a federal court to have jurisdiction over a criminal case, the case must involve charges for a crime that “has been created pursuant to an express or implied constitutional grant of authority.” As Wikipedia also notes, Congress has relied heavily on the Commerce Clause of the U.S. Constitution to expand federal criminal jurisdiction . . . which is why the “in interstate or foreign commerce” element was so important in this case.

Friday, November 26, 2010

Charging Error Due to Computer Glitch

This post isn’t about a case in which computer technology was used in the commission of a crime. It’s about a case in which a computer glitch erroneously altered one of the charges against a defendant . . . and about how the court dealt with the error.

The case is State v. Hassan, 2010 WL 4409691 (Washington Court of Appeals 2010), and here’s a pretty abbreviated account of how the charges at issue arose:

On the evening of August 30, 2008, Yudith Fuentes Carrazco celebrated her 26th birthday with her boyfriend, Fidel Juarez Castillio. . . . Yudith and Fidel went to celebrate with [her] sister, Benecia Carrazco and her boyfriend, Ismail Hassan at their apartment. . . . Hassan arrived a short time later accompanied by two men. . . . [whom he] identified as `cousins.’ . . . Soon thereafter, a number of Yudith's and Fidel's friends arrived. The group included Fidel's two brothers, Oscar and Luis, and friends, Mari Carmen Vasquez, Martha Mercado, and Eduardo Nicio.

He greeted the guests and offered them drinks. Shortly after Fidel's brothers and friends arrived, Hassan's friend Brian Williams, his wife and . . . Benecia left . . . [L]ater, Hassan told Yudith, Fidel, and their friends they were being too loud. The[y] . . . decided to leave. . . . [b]ut before they could do so, Fidel and Hassan got into a fight. . . .

Fidel's brothers intervened to pull [them] apart. . . . One of Hassan's cousins grabbed the knife used to cut the birthday cake and threatened Fidel with it. . . . As they were running down the stairs to the parking lot, someone threw a beer bottle and hit one of them on the head. Luis, Fidel, Yudith, and Mari Carmen got into Luis's truck. Martha Mercado and Oscar got into Mercado's car. As the vehicles drove past Hassan's apartment, they saw [him] . . . aiming [a] shotgun at the two vehicles. . . . Hassan fired at least three, and possibly four, shots at the vehicles. . . .

Officer Bunk arrived at the apartment complex in response to a report of a fight with a weapon. After [he] blocked the entrance to the complex with his police car, he . . . gunshots. . . . [He] saw a truck and a car approaching at high speed and stopped both vehicles. . . . The officers searched the parking lot and recovered two spent twelve gauge shotgun shells. Hassan approached the officers and identified himself. . .

Each of the occupants of the vehicles identified Hassan as the shooter and identified the shirt found in his apartment as the one Hassan had been wearing earlier in the evening.

State v. Hassan, supra.

Based on this and other evidence, prosecutors charged Hassan in an information with

two counts of assault in the first degree. In count I, the State alleged assault in the first degree with a firearm of Mari Carmen, Yudith, Luis and Fidel. In count II, the State alleged assault in the first degree with a firearm of Martha Mercado and Oscar.

State v. Hassan, supra.

The trial lasted “approximately two-week[s]”, after which the prosecution and defense prepared to give their closing arguments to the jury. State v. Hassan, supra. At that point, the prosecution filed a motion asking the court to let it amend the information to

correct the names of the victims identified in count I. The defense did not object. The court granted the motion to amend. The . . . amended information substituted `Yudith Fuentes Carrazco’ for `Yudith Fuentes,’ `Mari Carmen Vasquez’ for `Mari Carmen Vasquez Calderon,’ and deleted a hyphen in Fidel's surname, Juarez Castillio. However, unbeknownst to the court and the parties, the . . . amended information also changed the charge in count II from assault in the first degree to assault in the second degree.

State v. Hassan, supra.

Amazingly, I don’t think anyone noticed the change, because the opinion says that the prosecution and defense submitted proposed jury instructions only for assault in the first degree and that during closing arguments “both the State and the defense emphasized that . . . to convict Hassan, the jury had to find beyond a reasonable doubt” that he “committed assault in the first degree.” State v. Hassan, supra.

The jury did precisely that, i.e., found Hassan guilty of two counts of first degree assault. State v. Hassan, supra. At some point thereafter, the court realized the problem:

Before sentencing, the court notified the parties that the . . . amended information had changed the charge in count II from assault in the first degree to assault in the second degree. At . . . the sentencing hearing, the State informed the court that alteration of the charge in count II in the second amended information was an unintentional clerical error. The State moved to amend the information to accurately reflect the charge of assault in the first degree.

Hassan's attorney conceded it was `clear’ that the purpose of the . . . amended information was to correct the victims' names. But the attorney argued that even though `the Jury found Mr. Hassan guilty of first degree assault,’ because the information was inadvertently amended to change the charge to assault in the second degree in count II, the court should deny the motion to amend and to enter a verdict on assault in the second degree for count II. The court granted the State's motion to amend and file a [new] amended information correcting the clerical error.

State v. Hassan, supra. This is apparently how the error occurred:

The prosecutor explained . . . that during the plea negotiations, the State proposed that Hassan plead guilty to second degree assault on count II and drafted an amended information to that effect. That information was the last version on the computer and the alteration of count II was therefore erroneously incorporated into the . . . amended information.

State v. Hassan, supra. I gather Hassan was sentenced on the basis of the corrected information, i.e., was sentenced for two counts of first degree assault, because he appealed, arguing that the trial court “erred in granting the State’s motion to amend the information after the jury verdict.” State v. Hassan, supra.

On appeal, Hassan argued that the

trial court violated his constitutional rights . . . by allowing the State to file an amended information after the jury verdict. The State argues that allowing the State to file an amended information correcting a clerical error did not prejudice Hassan or violate his constitutional rights.

State v. Hassan, supra. The Court of Appeals agreed with the prosecution. State v. Hassan, supra.

It found that the defense (i) did not object to the amendment which was intended to correct the victims’ names and (ii) “waived formal reading” of the amended information to the jury. State v. Hassan, supra. The Court of Appeals also pointed out that, as I noted above, the “evidence at trial, the jury instructions, and closing arguments only addressed assault in the first degree.” State v. Hassan, supra.

The Court of Appeals also rejected Hassan’s claim that the trial judge approved

amending count II from assault in the first degree to assault in the second degree. The record shows the court granted the motion to amend to correct the names of the victims `and for no other purpose.’ The court stated, in pertinent part:

`This was a clerical error, and the trial was on two counts of assault in the first degree, and that's what went to trial. . . . It was my intention to allow the filing of the amended information to correct the name of the victim and for no other purpose, and I probably should have reviewed the information more closely to make sure that the only thing that was in it was what my intention was, which was to file that.

So, and I did review the file from beginning to end when I found that error to make sure that the prior information that was filed was for two counts of Assault 1, and it was.

So, it was clearly a clerical error in that I did not review what I was allowing to be amended more closely. And so I am signing this, the motion to amend, and it is to correct a clerical error. And I believe that I clearly have the authority to do that.’

State v. Hassan, supra.

Based on all this, the Court of Appeals found that the trial court judge “did not violate Hassan’s constitutional rights” in allowing the original amendment or the amendment that restored the charge in Count II to first degree assault. State v. Hassan, supra. It noted that “Hassan was not prejudiced” by the erroneous amendment and that the “trial court did not abuse its discretion in allowing amendment.” State v. Hassan, supra.

I see this case as another cautionary tale . . . like the case from Texas in which the appellate court had to grant a new trial because a virus ate the record of the original trial. Both illustrate how computer glitches can impact criminal proceedings in various ways, some much more significant than others.

Tuesday, November 23, 2010

Outlawing Botnets

The European Commission is apparently considering the promulgation and adoption of a directive that would, at least in part, criminalize botnets. As I understand it, the premise behind adopting such a directive is that since botnets are capable of inflicting “harm” on a large scale, we need to separately criminalize them. I decided to examine the need for and utility of such legislation in this post.

Before I get to the botnet issue, I should, perhaps, note a few things about the European Commission. As Wikipedia explains, it is the “executive body of the European Union. The body is responsible for proposing legislation, implementing decisions, upholding the Union’s treaties and the general day-to-day running of the Union.” The European Union (EU), of course, is an

economic and political union of 27 member states which are located primarily in Europe. Committed to regional integration, the EU was established by the Treaty of Maastricht in 1993. . . . [and has] over 500 million citizens. . . .

The EU has developed a single market through a standardised system of laws which apply in all member states. . . . It enacts legislation in justice and home affairs. . . .

You can read more about how the European Commission functions in the Wikipedia entry for the Commission. That entry notes that the Commission “[r]ecently . . . moved into creating European criminal law” which, of course, is why we’re going to analyze the botnet legislation it might draft and enact. (You can read about the processes by which the Commission drafts, adopts and enforces criminal legislation in the Wikipedia entry.)

Let’s get back to botnets. I assume everyone knows what a botnet is, but if not, you can check out Wikipedia’s entry on the topic. As Wikipedia notes, “the term `botnet’ . . . is . . . used to refer to a collection of compromised computers (called zombie computers) running” software that was surreptitiously installed without the computer owner’s knowledge and consent. The botnet software gives the person who created and/or controls the botnet the ability to direct the zombies to engage in various activities, such as launching a denial of service attack on a given target. Botnet-based denial of service attacks can be devastating, as Myanmar discovered this year and Estonia discovered in 2007.

Enough preface. We’ll assume, for the purposes of analysis, that botnets are capable of inflicting “harms” that are serious enough they can justify “criminalizing botnets.” I don’t want to focus on the justifications for taking such a step. I want to focus on (i) how we might go about criminalizing botnets and botnet attacks and (ii) whether such a step would appreciably add to the criminal law’s ability to deal with this type of cybercrime.

I always tell my students it’s easy to write new criminal laws . . . you just decide what you want to outlaw and draft a statute, throwing in some level of mens rea, articulating what the culpable conduct and/or result is/are and maybe including some penalties. I should note that, with regard to conduct and/or result, some criminal statutes are “result” crimes (like homicide . . . the crime consists of causing the death of another human being, so homicide statutes target achieving a prohibited result, i.e., another’s death) and others are conduct crimes (like speeding . . . to use a rather trivial example). So we’d have to decide if we want to structure a botnet statute as targeting a particular result (which might be the creation of a botnet, maybe a botnet of a given minimum size, or the use of a botnet to inflict “harm”) or conduct (which could be the conduct involved in creating a botnet, either any botnet or one that exhibits certain characteristics, such as a minimal size or capacity for inflicting “harm” of a given magnitude).

That might sound like a daunting task . . . but the state of Texas has been kind enough to tackle it . . . in a sense, thereby giving us some guidance in how to proceed. Section 324.055 of the Texas Business and Commerce Code provides as follows:

(b) A person who is not the owner or operator of the computer may not knowingly cause or offer to cause a computer to become a zombie or part of a botnet.

(c) A person may not knowingly create, have created, use, or offer to use a zombie or botnet to:

(1) send an unsolicited commercial electronic mail message . . .;

(2) send a signal to a computer system or network that causes a loss of service to users;

(3) send data from a computer without authorization by the owner or operator of the computer;

(4) forward computer software designed to damage or disrupt another computer or system;

(5) collect personally identifiable information; or

(6) perform an act for another purpose not authorized by the owner or operator of the computer.

(d) A person may not:

(1) purchase, rent, or otherwise gain control of a zombie or botnet created by another person; or

(2) sell, lease, offer for sale or lease, or otherwise provide to another person access to or use of a zombie or botnet.

Texas Business and Commerce Code § 324.055(b)-(d). Section (a) of the statute defines the terms “person” and “Internet service provider” . . . since the definitions are pretty routine, I won’t quote them. Section 324.002 of the Texas Business and Commerce Code defines two specialized terms that are integral elements of the statute quoted above:

(1-a) `Botnet’ means a collection of two or more zombies. . . .

(9) `Zombie’ means a computer that, without the knowledge and consent of the computer's owner or operator, has been compromised to give access or control to a program or person other than the computer's owner or operator.

The substantive and definitional provisions of the Texas botnet statutes are pretty straightforward, as you can see. What I find interesting is that they aren’t part of a criminal statute. As I noted earlier, these sections are part of the Business and Commerce Code; what I didn’t note is that § 324.055 allows the imposition of civil liability on someone who violates these provisions. More precisely, § 324.055(e) provides as follows:

The following persons may bring a civil action against a person who violates this section:

(1) a person who is acting as an Internet service provider and whose network is used to commit a violation under this section; or

(2) a person who has incurred a loss or disruption of the conduct of the person's business, including for-profit or not-for-profit activities, as a result of the violation.

The person bringing such a suit can seek an injunction against the bot herder and/or (i) actual damages resulting from the violation or (ii) “$100,000 for each zombie used to commit the violation”. Texas Business and Commerce Code § 324.055(f).

I really don’t understand the logic of drafting and adopting a statute that prohibits creating and/or using a botnet and then leaves the enforcement of the statute to civil litigants. I’m not at all sure that’s effective . . . since a civil litigant would either have to have enough resources to be able to pursue such litigation without any confidence that he/she/it would actually recover damages from the botnet perpetrator(s) or would have to be really, really confident that he/she/it could find the perpetrator(s), have him/her/it held liable in a civil suit and then collect the damages awarded in that suit from the defendant(s). I’m afraid I don’t think either of those conditions is likely to be met, at least not often enough to make this approach an effective way to create real disincentives for creating and using botnets.

What about criminal liability . . . what about using the basic prohibitional and definitional structure in the Texas statute but making the proscribed activity a crime, instead of the basis of a civil cause of action? Well, on the one hand I think criminal liability is likely, as a general matter, to be a more effective way to create disincentives for such conduct than civil liability.

On the other hand, I’m not sure what a botnet-specific criminal statute (or statutes) would add to the tools law enforcement already has. As I explained in an article I published almost ten years ago, I think the best approach to cybercrime statutes is a parsimonious one that only creates new crimes if and when a new offense is needed.

I also think we want to avoid relying on statutes that are too technologically-specific, which is another concern I have about the Texas statutes. They specifically target botnets composed of zombie computers, which reflects the empirical state of the problem at this point in time . . . but the technology may evolve so that these terms and, indeed, this approach, are no longer particularly effective.

I think the approach used in 18 U.S. Code § 1030(a)(5)(A) is much better. Section 1030(a)(5)(A), as you may know, makes it a federal crime to knowingly cause “the transmission of a program, information, code, or command, and as a result of such conduct, intentionally” cause damage to a computer. “Damage” is later defined as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S. Code § 1030(e)(8).

The deceptively simple § 1030(a)(5)(A) can be used to prosecute both the dissemination of malware and botnet-predicated denial of service attacks. It was, in fact, used in the 2006 prosecution of Christopher Maxwell for his role in a botnet-based denial of service attack (or attacks) that targeted a hospital and other entities.

I think a general, essentially technologically-neutral statute like § 1030(a)(5)(A) is quite adequate to prosecute the two substantive crimes that are predicated on botnets: One crime is creating a botnet; the other is using it. Section 1030(a)(5)(A) criminalizes the use of a botnet. A related statute – 18 U.S. Code § 1030(b) -- makes it a crime to attempt to commit the § 1030(a)(5)(A) offense; it seems to me that, at least in most circumstances, creating a botnet could be prosecuted as attempting to commit the § 1030(a)(5)(A) crime, i.e., attempting to use a botnet to cause “damage” to a computer. (Whether particular conduct had gone far enough to actually constitute such an attempt would, of course, be a factual issue that would have to be resolved in specific cases.)

Bottom line: I certainly don’t see anything wrong with criminalizing the use of botnets to inflict “harms” of a type that falls within the concern of the criminal law. I’m not, however, at all sure that the best way to do this is to create botnet-specific criminal statutes.

Monday, November 22, 2010

“No Record” and the Best Evidence Rule

This is another post on the applicability of the best evidence rule in a cybercrime case. As Wikipedia explains, the best evidence rule is a rule of evidence that dates back

at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was `the best that the nature of the case will allow’. The general rule is that secondary evidence, such as a copy . . . , will be not admissible if an original document exists, and is not unavailable due to destruction or other circumstances indicating unavailability.

The rationale for the . . . rule can be understood from the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.

This post is about a recent decision from the U.S. Court of Appeals for the 9th Circuit that analyzed the best evidence rule’s application to the results of a database search.

The case is U.S. v. Diaz-Lopez, __ F.3d __, 2010 WL 4455880 (9th Cir. 2010), and it involves Luis Diaz-Lopez’s appeal from his conviction “of being a removed alien found in the United States” in violation of 18 U.S. Code § 1326(a). U.S. v. Diaz-Lopez, supra. The statute, which you can find here, makes it a crime – punishable by a fine and/or imprisonment for up to 2 years – for an alien who has been denied admission to the U.S., “deported, or removed” from the U.S. to re-enter the country without being authorized to do so or under other circumstances that take the entry outside the scope of the statute.

This is all the opinion says about the facts that led to Diaz’s conviction for violating the statute and his subsequent appeal:

Diaz was born in and is a citizen of Mexico. On February 13, 2009, a Border Patrol agent found and arrested Diaz on a road in California, north of the United States-Mexico border. The government charged Diaz under 18 U.S. Code § 1326(a) with being a removed alien found in the United States without permission. At a bench trial, the government introduced testimony from a Border Patrol agent stating that he had performed a search of the Computer Linked Application Information Management System (`CLAIMS’) database using Diaz's name, alien number, and date of birth, and had found no record of Diaz having filed a Form I-212, which is the required application for permission to reapply for admission to the United States after having been previously removed.

U.S. v. Diaz-Lopez, supra. The district court judge who presided over the bench trial found Diaz guilty and sentenced him to 21 months in prison and 3 years of supervised release, after which he appealed the conviction. U.S. v. Diaz-Lopez, supra.

On appeal, Diaz argued that the judge erred in admitting the Border Patrol agent’s testimony about the database search because the admission of the testimony violated the best evidence rule as codified in Federal Rule of Evidence 1002. U.S. v. Diaz-Lopez, supra. In addressing his argument, the 9th Circuit explained that

challenging the testimony under the best evidence rule presents a question of first impression in our circuit. We must decide if testimony that a search of a computer database revealed no record of a matter violates the best evidence rule when it is offered without the production of an `original' printout showing the search results.

U.S. v. Diaz-Lopez, supra.

The court then noted that Federal Rule of Evidence 1002 provides as follows: “To prove the content of a writing, recording, or photograph, the original writing, recording, or photograph is required, except as otherwise provided in these rules or by Act of Congress.” It also noted that Federal Rule of Evidence 1001(1) states that “‘[w]ritings' and ‘recordings' consist of letters, words, or numbers, or their equivalent, set down by handwriting, typewriting, printing, photostating, photographing, magnetic impulse, mechanical or electronic recording, or other form of data compilation.”

The issue the 9th Circuit had to resolve, therefore, was whether the government was

required to produce an `original’ to show the CLAIMS database did not contain any record of Diaz having filed an I-212. When records or data are stored `in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an “original.“’ Federal Rule of Evidence 1001(3). Diaz argues that the government should have introduced a printout of the search results from the CLAIMS database rather than testimony from the agent performing the search.

U.S. v. Diaz-Lopez, supra. The court noted that Diaz was correct in arguing that the

CLAIMS database falls within the scope of the best evidence rule, because the database is a `[w]riting[ ] or recording[ ] . . . set down by . . . magnetic impulse . . . or electronic recording, or other form of data compilation.’ Federal Rule of Evidence 1001. The next question is whether the evidence was introduced `[t]o prove the content of a writing, recording, or photograph.’ Federal Rule of Evidence 1002. We conclude that it was not.

The agent's testimony that he searched the database and found no record of Diaz having filed an I-212 is similar to testimony `that an event did not occur because relevant records contain no mention of it. This negative type of testimony is usually held not to constitute proof of contents and thus not to require production of records.’ . . . Indeed, the advisory committee's note to Rule 1002 states that the best evidence rule does not apply to `testimony that books or records have been examined and found not to contain any reference to a designated matter.’

U.S. v. Diaz-Lopez, supra (quoting 2 George E. Dix et al., McCormick on Evidence § 234 (6th ed. 2009)). The “advisory committee” the court refers to is, as Wikipedia notes, the committee that originally drafted the Federal Rules of Evidence.

The 9th Circuit then considered, and rejected, Diaz’s best evidence argument:

Diaz concedes that if no record were found pursuant to an agent's physical search of an A-file, testimony to that effect would be admissible under Federal Rule of Evidence 1002. However, Diaz asserts that, although the Rule applies to computer databases, the advisory committee note's limitation on the Rule applies only to searches of `physical’ records.

We decline to adopt such a position. First, we do not see any meaningful difference between a search of a physical file and a search of a database. Databases contain `physical’ records, too, even if those records are not printed on paper. Second, the best evidence rule, like us, now survives in the twenty-first century. It is common sense, and not mere symmetry, to say that because the rule applies to computer databases, the rule's limitations must also apply to such databases. It is reasonable to apply the best evidence rule to new circumstances as technology evolves, but when the rule is extended, courts will necessarily be required to decide if the limits on the rule extend as well. When, by virtue of new technology, the best evidence rule can be applied to testimony about databases, the traditional limits on the rule should be properly extended as well.

U.S. v. Diaz-Lopez, supra. The court explained that its conclusion in this case did not conflict with its decision in U.S. v. Bennett, 363 F.3d 947 (2004):

There, we held that testimony about data retrieved from a boat's global positioning system (`GPS’) was barred by the best evidence rule because the testimony had been introduced to prove the `content’ of the GPS, which, in turn, was evidence that the defendant had come from Mexico. But Bennett concerned testimony about the contents of the GPS data, not testimony about the absence of data. . . . We reached that decision because the testimony about the GPS data was introduced to prove its content (i.e., the location and travels of a boat).

In Diaz's case, the government did not introduce testimony to prove the content of a writing; rather, the government introduced testimony to prove that a particular record was not part of the contents of a database. Moreover, the testimony about the search of the database was not testimony in which `the smallest variation in words may be of importance.’

U.S. v. Diaz-Lopez, supra (quoting Wigmore, Evidence in Trials at Common Law (1972)). Finally, the 9th Circuit explained that while some might argue that the

`smallest variation in words’ is not of importance in the case of testimony regarding the negative results of a database search, such variations may well be significant if the testimony is offered to prove what particular search terms were used to search a database. However, even if Diaz had raised this argument, it would not aid his case. Any dispute about the particular search terms used by the agent for searching the CLAIMS database is not a dispute about the contents of the database, or about the contents of any records in the database, but rather a dispute about the specific actions performed by the agent. As a result, the best evidence rule would not apply because it applies only to writings, recordings, and photographs . . .

U.S. v. Diaz-Lopez, supra. The court therefore held that the district court judge didn’t err in admitting the agent’s testimony about the search. U.S. v. Diaz-Lopez, supra.

Saturday, November 20, 2010

Computer Logs and Obstruction of Justice

As one website notes, obstruction of justice is a “criminal offense that involves interference, through words or actions, with the proper operations of a court or officers of the court.” As this site also notes, law criminalizes acts interfering with the operations of a court because the “integrity of the judicial system depends on the participants’ acting honestly”.

This post is about a federal case in which the defendant was, among other things, charged with obstructing justice.

The case is U.S. v. Reddy, 2010 WL 3211029 (U.S. District Court for the Northern District of Georgia 2010), and this is how it arose:

[Rajashakher P. Reddy] is a board-certified radiologist who owns and operates Reddy Solutions, Inc. (`RSI’), a company offering around-the-clock professional radiology services to various healthcare facilities. Essentially, the hospital or other facility sends its X-Rays, Magnetic Resonance Images, CT scans and other imaging tests via electronic transmissions to RSI, so [Reddy], or an RSI-contract radiologist, can review them for a fee and then provide the client with a diagnostic report.

Clients would bill Medicare or other insurers for RSI's `professional services’. Although RSI employs `Radiology Practice Assistants’ (`RPAs’) to assist the radiologists and draft preliminary reports, RPAs are not physicians and cannot render clinical findings or diagnoses. Rather, `a physician must . . . perform an independent review of the radiology films and data before accepting the findings and diagnosis in the draft report and signing it.’

The indictment alleges that [Reddy] fraudulently signed and submitted radiology reports for approximately 40,000 patients to the hospitals and other RSI clients where neither he nor any other RSI physician had reviewed and analyzed the file. Instead, it is alleged that [he] simply signed and submitted reports drafted by the RPAs without checking their accuracy, thus fraudulently passing off the RPAs' preliminary reports as final radiology reports prepared by a board-certified radiologist. [Reddy] allegedly received over $1.5 million for this scheme.

U.S. v. Reddy, supra. Reddy was charged with “multiple counts” of wire fraud, mail fraud and health care fraud under federal law . . . and with “falsification of records in a federal investigation” in violation of 18 U.S. Code § 1519. U.S. v. Reddy, supra. The last charge is the only one we’re concerned with.

Section 1519 of Title 18 of the U.S. Code provides as follows:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

(emphasis added). Count 34 of the original indictment alleged the following:

In or about February 2008, in the Northern District of Georgia, the defendant, DR. RAJASHAKHER P. REDDY, did knowingly alter, destroy, conceal, cover up, falsify and make a false entry in a record, document, and tangible object, with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of department and agency of the United States, in that the Defendant did cause others to alter and falsify certain records known as `access logs’ maintained by Reddy Solutions, Inc., and to have those falsified records produced to the United States Department of Justice and United States Department of Health and Human Services, in response to a subpoena dated January 29, 2008, all in violation of title 18, United States Code, Sections 1519 and 2.

Motion to Dismiss Count 34, U.S. v. Reddy, 2009 WL 6919659 (2009). (The count references both sections 1519 and 2 because it at least implicitly alleges that Reddy committed the § 1519 offense in cooperation with others – i.e., with accomplices.)

This count is the one Reddy targeted in the motion to dismiss we’ll get to in a moment. A superseding indictment that was returned about a year after the original one added additional factual allegations:

[A]t the direction of the Defendant, DR. RAJASHAKHER P. REDDY, an RSI information technology employee altered and falsified these access logs before they were produced to the United States. The original records as maintained by RSI's system reflected that in many cases neither the Defendant nor any other physician reviewed the radiological images in numerous cases. Rather, according to the original unaltered data, the sole RSI personnel who reviewed various images were non-physician . . . RPAs. Thus, at the Defendant's direction, these records were altered before production to the United States to insert the Defendant's username in various entries where it did not originally appear, and to replace entries reflecting that certain RPAs had accessed the film images instead. In other words, the altered records falsely showed that the Defendant had accessed certain images of films, which, according to the original unaltered records, he had not.

After the access logs were falsified, the Defendant, DR. RAJASHAKHER P. REDDY, directed another employee to produce the set of falsified records to RSI's lawyers who then produced the false materials to the United States in response to the subpoena.

Second Superseding Indictment, U.S. v. Reddy, 2010 WL 3924163 (2010).

Reddy moved to dismiss Count 34 (which became Count 37 in the later indictment), arguing that the phrase “any record” as used in § 1519 was not intended to cover

electronic records such as the `access logs’ he allegedly altered or falsified, and therefore count 37 does not allege an actual crime. [Reddy] bases his argument on the fact that Congress, in passing 18 U.S. Code § 1520 concurrently with § 1519, used the phrase `records (including electronic records)’ in the former but made no specific mention of `electronic’ in the latter. . . .

Therefore, [Reddy] argues, § 1519 was clearly intended to not pertain to electronic records, because `[w]here Congress includes particular language in one section of a statute but omits it in another . . . it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.’

U.S. v. Reddy, supra (quoting Motion to Dismiss Count 34, supra).

As the government pointed out in its response to Reddy’s motion to dismiss the § 1519 count, both §§ 1519 and 1520 were added to the federal criminal code by the Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745. Government’s Response to Defendant’s Motion to Dismiss, U.S. v. Reddy, 2010 WL 3924157 (2010). The government’s response also explained that Reddy’s comparison of §§ 1519 and 1520

misses the mark. Section 1520 addresses regulations promulgated by the Securities and Exchange Commission for the retention of records. `Electronic records’ are referred to in a list of the types of records that will be regulated by the SEC's retention rules. In contrast, § 1519 deals with the destruction, alteration and falsification of records in the context of a federal investigation. Consequently, the provisions address very different issues and serve different purposes. . . .

Moreover, taken to its logical conclusion, [Reddy’s] argument leads to extreme results. If § 1519 only applied to paper records, a criminal could engage in the most wanton obstruction without fear of prosecution, provided the records were not in paper form at the time. In other words, he could alter, falsify, mutilate or destroy any computerized record in anticipation of a federal investigation as long as he did not alter the same record that was reduced to paper. This . . . is an odd result given the breadth of the statutory language and the harms it was intended to address.

Government’s Response to Defendant’s Motion to Dismiss, supra.

In ruling on Reddy’s motion to dismiss the § 1519 count, the federal district judge who has the case agreed “with the Government’s position that `§§ 1519 and 1520 cover different topics’” and held that “`[t]he latter statute does not refer to or otherwise relate to the former, and therefore its use of different language shines no light on an already clear statute.’” U.S. v. Reddy, supra (quoting Government’s Response to Defendant’s Motion to Dismiss, supra).

The judge also did not find

any ambiguity in the phrase `any record.’ The word `any’ means just that -- every and all without qualification or specification. The computer access logs are a record of who accessed the computer and when, and therefore they fall within this classification. In other words, the term `any record’ in 18 U.S. Code § 1519 clearly applies to electronic records such as the computer `access logs’ [Reddy] allegedly falsified. Due to the plain language of the statute, there is no need to resort to alternative methods of statutory interpretation.

U.S. v. Reddy, supra. The judge therefore denied Reddy’s motion to dismiss the count. U.S. v. Reddy, supra.

If you’d like to read a little more about the case, check out the press release you can find here.