Tuesday, December 26, 2006

Give Up Your Encryption Key or Go to Jail

I've been reading about the British government’s plans to implement a provision of the Regulation of Investigatory Powers (or RIPA) Act.

RIPA was enacted in 2000, but the government has held off on implementing Part 3 of the Act. Under British law, Part III must be activated by a ministerial order before it goes into effect.

Part 3 of RIPA gives police the authority to order someone to give their encryption key to the police. If the person refuses to hand over the key, it is a crime.

Section 53 of RIPA makes it an offense, punishable by up to two years in prison, to knowingly refuse to surrender an encryption key after having been directed to do so by police.

The only defense the person can raise under the provisions of RIPA is that they did not have the key at the time they were ordered to turn it over. If they raise that defense, then the prosecution has to prove beyond a reasonable doubt that they did, in fact, have the key when they were ordered to produce it.

The possibility the British government will implement Part III apparently has many concerned, especially, according to one article, those in the financial industry. The author of that article quotes various sources as saying that bankers and others in the financial industry would be concerned about bringing master encryption keys into the United Kingdom, for fear they would be seized by police, for whatever reason.

Under Part III of RIPA, to get an order requiring disclosure of an encryption key police only need believe “on reasonable grounds” that the key is in the possession of a specific person and that its disclosure is “necessary” (i) in “the interests of national security,” (ii) for the purpose of preventing or detective crime” or (iii) “in the interests of the economic well-being of the United Kingdom.” (I assume (iii) goes to investigating possible economic espionage.)

The British police claim they need the ability to require the production of encryption keys to be able to effectively investigate terrorism, child abuse and other serious crimes. One detective was quoted as saying police had “over 200 PCs” containing encrypted data “sitting in property cupboards,” the inference being that the encrypted data includes evidence of crimes (or terrorism). So, police argue that unless they have the power to obtain encryption keys any clever criminal or terrorist can stymie an investigation by encrypting critical evidence.

There is no statutory analogue of Part III of RIPA in the United States, for what I think is a very good reason: the Fifth Amendment privilege against self-incrimination. The Fifth Amendment protects individuals (not corporations or other artificial entities) from being “compelled” to be a “witness against” themselves. The Supreme Court has construed this as meaning that you cannot be compelled to testify against yourself, but you can be compelled to give up physical evidence – samples of your blood, hair, etc.

The Supreme Court’s reasoning is that witnesses “testify,” so the historical meaning of the Fifth Amendment is rather narrow: You can’t be forced to testify against yourself, but you can be forced to cooperate with an investigation as long as you don’t have to testify.

In the U.S., police have no way to force someone to give up an encryption key – they can ask for it, but if the person refuses to give up the key, that’s that. A prosecutor can, however, use a grand jury subpoena (state or federal) to compel someone to give up an encryption key. If the person does not give up the key in compliance with the subpoena, they will be held in civil contempt and incarcerated until they do. (Think Judith Miller, the NY Times reporter who refused to identify a source when ordered to by a grand jury, and who then served time in jail for contempt.)

Could you take the Fifth and refuse to give up your encryption key if a grand jury issued a subpoena ordering you to do so? You can if giving up the key is “testimony,” but you can’t if it’s only the act of producing physical evidence (like handing over a gun).

If you have memorized the key (which is unlikely), then providing it to law enforcement should clearly be testimony. The dynamic would be as follows: The grand jury issues a subpoena ordering you to appear before the grand jury and give them the key. You show up on the date and time ordered. The prosecutor asks you what the key is and you recite it. I don’t think anyone would dispute that this would be testimony, which means you could invoke the Fifth and refuse to comply.

But what if, as is far more likely, you have recorded the very long and complicated key somewhere? Now instead of reciting it you’d be handing it over. That could be dicey. Under the Supreme Court’s interpretation of the Fifth Amendment privilege, you can take the Fifth for the act of handing over evidence to the government if, in doing so, you “tell” them something they don’t know. You can’t take the Fifth if they already know you have the thing; here, you’re not “telling” them anything.

Much as I’d like to say that you could take the Fifth and refuse to hand over the recorded key, I’m not sure that’s true. The government wouldn’t be asking for it if they didn’t know it existed and didn’t know you have it . . . so it doesn’t seem you tell them much if you hand it over. Now, I suppose you could argue that you do “tell” them something, in that you give them the data – the characters – the constitute the key. A prosecutor would respond to that argument by pointing out that you already “testified” to that information when you recorded it – you’re not, as in the previous instance, being asked to “speak” the information. You’re merely being asked to hand over information you wrote – information you “spoke” – at an earlier time. If a court buys that argument, then we would have, in effect, the same result in the U.S. as will exist if and when Part III of the RIPA goes into effect in Britain.

It’s a very difficult set of issues. On the one hand, encryption is an essential component in preserving privacy in an increasingly-automated world. On the other hand, what the British police said is quite true: criminals and terrorists can use encryption to put data outside the reach of law enforcement.

This may be a transient issue. I understand U.S. intelligence agencies are able to break even very sophisticated encryption. If and when that ability migrates to local police, they won’t need the power to coerce someone into giving up their encryption key . . . at least not unless and until someone comes up with a mode of encryption that cannot be broken or with some other way of securing data in an unbreakable way.

Tuesday, December 12, 2006


Last time I wrote about online stalking.

Today I want to write about a related issue: online imposture. Basically, online imposture consists of going online and pretending to be someone else.

It can be relatively harmless; I remember reading about ten years ago about an expert on online culture. She was puzzled when she got emails from people complimenting her on comment she'd made in a chat room the other night. Problem was, she had not been in the chat room. It seems someone had simply taken her identiy out for a ride -- had a good time pretending to be her and pontificating online for a bit.

That was harmless online imposture. It can also be harmful, and that is the kind I want to address.

I’m going to begin by summarizing a couple of incidents to illustrate what harmful online imposture is and how it occurs. Then I’ll talk a bit about the legal issues online imposture raises.

Let’s start with the incidents:
  • The following facts come from an article in the Milwaukee Journal-Sentinel. (Lisa Sink & Linda Spice, Man Charged with Defamation, Milwaukee Journal Sentinel (June 7, 2000), 2000 WLNR 3077063.) After his boss fired him, David Dabbert went to the “`Sex on the Side’” website, which “features `attached’ women who are seeking sexual encounters `on the side’”. Dabbart posted an ad on the site that purportedly came from his former boss, using her real name and email address. The ad “described her chest size and hair color and, in part, said: `I'm highly stressed out. . . . I've only been with my hubby. He's gone at work 24 hours at a time . . . I want someone to make me their slut for the night’”. The woman received many responses to the ad, which left her frightened and embarrassed.
  • Here’s another case reported by the same newspaper. (Lisa Sink, Family Therapist Investigated in Internet Complaint, Milwaukee Journal Sentinel (March 14, 2000), 2000 WLNR 3057614.) According to the article, a family therapist “posed as his former wife's new husband and posted an ad on an Internet site for swingers, asking interested men to call the couple.” It gave “the ex-wife's body measurements and home phone number and said: `Wife and I desire 3some with a male." The ad “prompted a slew of calls to the woman and her new husband”, which, again, left them frightened and embarrassed.
If we assume, as I do, that the facts were correctly reported in both stories, then we have two instances of online imposture: cases in which person A goes online and pretends to be person B.

Before we deal with the legal issues, let’s just consider this as a phenomenon. Online imposture has several dimensions: In these cases , it seems the imposture was undertaken for vindictive purposes – to embarrass the person who was the object of the imposture. Now one can embarrass another person – offline or online – by publishing discreditable information about them. So if someone (hypothetically) went online and published an allegation that I am a drug addict, that allegation would embarrass me, whether it was true or not.

If the allegation were true (and I assure you it is not), then the embarrassment would result from the dissemination of true information. The publisher of the information would in effect have invaded my privacy by revealing that which I chose to keep secret.

If the allegation were not true (as I assure you it is not), then the embarrassment takes on a different tone. Now it is not merely an invasion of privacy – the revelation of true information I am trying to conceal – but a misrepresentation that casts me in a “false light” . . . that depicts me as being something I am not, something that is disreputable.

The distinction between publishing true discreditable information and not-true discreditable information gets us into the first legal issue we need to deal with. In either of the above scenarios, I would certainly be angry about the publication of the (again, purely hypothetical) allegation that I am a drug addict. If I were like most people, I would probably want some kind of redress – some kind of vindication/revenge/all that. So I might decide to sue the person who published this allegation (if, of course, I can identify who published the allegation).

If the allegation were true, then I would probably not have a case for defamation. The basic rule in this country is that truth is a defense to an action for defamation. So, think about that: if I decide to sue the person who published the allegation that I am a drug addict, I will in essence have to prove in court that I am not, never have been, a drug addict. Now, I may be able to prove that quite easily . . . but I would still have to go through the embarrassing process of having to prove I am not a drug addict, something I used to be able to assume people know. (I might also have to deal with the possibility that, even if I won, some people would always wonder if the allegation was true . . . . )

If the allegation were not true and I could prove that, then I should be able to win in my defamation suit against the person who published it. Now, though, we come to a practical problem. Most of the people I know – probably most of the people you know – don’t have a lot of money. So what good is m civil suit if the person who published the allegation doesn’t have thousands and thousands (millions and millions) of dollars to pay me and my lawyers when I win? If the person I want to sue clearly doesn’t have enough money to pay a judgment and attorneys’ fees, then most lawyers won’t want to take my case unless I can show, up front, that I can pay the very large sum of money it will cost to litigate and win. I don’t have that much money, so even though I would have the legal basis for a defamation suit, in practice that’s really not an option. I assume it was not an option for the victims in the online imposture cases I described earlier.

I might try to deal with the defendant-who-has-no-money problem by suing the operator of the website on which my tormentor published the false allegation that I am a drug addict . . . but that raises another problem.

Historically, those who published defamatory material could be held civilly liable for their role in defaming someone. This is not true for online publication: A section of the Communications Decency Act, “overrides the traditional treatment of publishers. . . . ‘such as newspapers, magazines or television and radio stations, all of which may be held liable for publishing . . . defamatory material written or prepared by others.’” Batzel v. Smith, 333 F.3d 1018, 1026 (9th Cir. 2003). Concerned about lawsuits inhibiting free speech online, Congress added Section 230(c)(1) to title 47 of the U.S. Code. It states that “[n]o provider or user of an interactive computer service shall be treated as the publisher . . . of any information provided by another information content provider.” 47 U.S. Code § 230(c)(1). The effect of this provision is to immunize those who post content that is provided by someone like the hypothetical individual who posted the (quite false) allegation that I am a drug addict. The result is that my attempt to seek civil redress for the embarrassment I suffer from having that false allegation published will fail because (a) the person who posted the false information has no assets to pay a judgment or attorney’s fees and (b) the website operator is immune from suit.

In the Dabbart case, the local district attorney’s office prosecuted him for criminal defamation . . . and won. (Lisa Sink, Man Convicted Of Posting Ex-Boss' Name On Sex Site Defamation Case Believed To Be County's First Such Internet Prosecution, Milwaukee Journal Sentinel (August 11, 2000), 2000 WLNR 3037734.) Dabbart wound up pleading no contest to a misdemeanor defamation charge; he was sentenced to serve 15 days in jail, to two years on probation, to pay $1,280 in restitution and to perform 100 hours of community service. According to this new story, the victim urged Wisconsin lawmakers to “find new ways to charge individuals who pose as others over the Internet for lewd purposes.” (Sink, Man Convicted Of Posting Ex-Boss' Name On Sex Site Defamation Case, supra.)

This is an issue I explored in a long law review article I wrote recently. Criminal defamation (criminal libel) is very seldom used in this country – indeed, does not even seem to be a crime in many states. The reason is that our state criminal law was very much influenced by the Model Penal Code – a template of state criminal law that was drafted about fifty years ago. The Model Penal Code did many great things in terms of modernizing what had been a patchwork of criminal law derived from English common law.

It departed from English common law, though, in basically rejecting the notion of treating defamation as a crime. The drafters of the Model Penal Code (who said this was the most difficult decision they made) decided that defamation was better handled civilly than criminally.

I think they were probably right when they made that decision, about fifty years ago, but the landscape has since changed dramatically. When the drafters of the Model Penal Code decided defamation should not be a crime, they assumed that defamatory material would be published on television, in a newspaper, in a magazine – in the mainstream-media, in other words. And that was true when they wrote – if you think about it, fifty years ago someone with a grudge could not simply publish the kind of claims involved in the two cases I described at the beginning of this post. If they took that material to a newspaper or a magazine, they would have been sent packing.

The drafters of the Model Penal Code therefore implicitly assumed that someone injured by the publication of defamatory material would be able to find a deep-pocket to sue . . . someone with assets to pay attorneys’ fees and a judgment. As I’ve explained, that is no longer true: With online publication, anyone can pretend to be someone else and publish information that casts them in a seriously embarrassing light. The person who has been embarrassed cannot sue the individual who published the defamatory material unless that individual has enough assets to pay a judgment and attorneys fees (or unless the injured party does). The person who has been embarrassed may not even be able to identify the individual responsible for publishing the material, because it is so easy to be anonymous online. And, as I explained earlier, the operator of the website on which the material was published is, unlike conventional mainstream-media outlets, immune from suit for publishing the material.

So, maybe we should reconsider criminalizing defamation.

Sunday, December 03, 2006

Stalking a School

In 1999, a new and bizarre kind of stalking occurred in a small town, as is described in detail by Boston Globe reporter Michele Kurtz. (The “Stalker” Who Stayed at Home: A Town Terrorized Over the Internet, Boston Globe (Sept. 2, 2001)).

Twenty-year old Christian Hunold, who lived in Smithville, Missouri, stalked the students and faculty of the Hawthorne Brooke Middle School in Townsend, Massachusetts.

Hunold, a high-school athlete and honor student, was seriously injured in a 1995 auto accident. He recovered from most of his injuries but lost the ability to walk. According to Michele Kurtz, his disability left Hunold “seething” . . . and bored. She says he turned to the Internet, where he could become someone else: “Someone physically strong, someone living thousands of miles from Smithville. In the cyber world, no one would know the difference.” (Kurtz, The “Stalker” Who Stayed at Home).

He apparently met students from the Hawthorne Brooke Middle School in a chat room devoted to Limp Bizkit, and struck up a friendship with the eighth graders, who invited him to join them in a private chat room.
Hunold decided to pretend he was one of them, and to show them a thing or two about the real world.

By studying the kids' Internet profiles, Hunold was able to learn some of their birth dates, addresses, and hobbies. He created a computer file where he detailed what he knew about each student. Every online conversation with one of the kids contained another helpful nugget about someone else.

`When he talked to these kids, he knew specific things, like where they lived, what their house looked like, if they had a dog, what table they sat at at lunch,’ says Townsend Police Sergeant Cheryl Mattson, who investigated the case.

Within a few weeks, the banter between Hunold and the Townsend kids became more threatening. Hunold bragged he was a serial rapist and would come after them. He pointed students to child pornography online, including pictures of a 5-year-old girl being raped.

(Kurtz, The “Stalker” Who Stayed at Home).

It became increasingly difficult for him to sustain the pretense that he was a Hawthorne Brooke student. The students began challenging him, a “loss of control that infuriated him.” (Kurtz, The “Stalker” Who Stayed at Home). He responded by telling them he was going to blow up the school and then by posting a website that depicted
Hawthorne Brook Middle School seen through the crosshairs of a rifle scope. There was a picture of the school principal, made to look like he was bleeding through bullet holes in his head and chest. And there were references to Columbine, which had shocked the nation only five months before. . . .
(Kurtz, The “Stalker” Who Stayed at Home). He posted a “hit list” that contained the first names of 24 students and the last names of 3 Hawthorne Brooke teachers. Underneath the list he wrote: `You lucky individuals will go home with more holes in your body than you came with.’” (Kurtz, The “Stalker” Who Stayed at Home).

Hunold was halfway across the country, had no weapons and no intention of carrying through on this threats. For him, it was a game – he was manipulating the students (and, indirectly, their teachers and their families) for his own amusement – to boost his ego. (Kurtz, The “Stalker” Who Stayed at Home).

Not surprisingly, the Hawthorne Brooke teachers, students and parents were terrified. They knew the person who was sending the threats “had to be” local because he knew so much about the students. They assumed he was a Hawthorne Brooke eighth-grader; Hunold encouraged this by identifying himself as a particular eighth-grader, who was harassed because of that.

Parents whose children were on the “hit list” didn’t know what to do – whether to send the children to school or keep them at home. Police brought in bomb-sniffing dogs to patrol the hallways and classrooms of the school. Teachers searched student bags and other possessions, and some parents considered arming themselves to protect their children and themselves.

The Massachusetts State Police traced some of the mysterious person’s Internet activity to Missouri. At first they assumed the person was in Townsend and was routing his messages through Missouri, but they rather quickly figured out that the person was in Missouri. (Kurtz, The “Stalker” Who Stayed at Home). Massachusetts and Missouri officers collaborated in searching Hunold’s computer and interviewing him; he readily confessed to what he had done.

In October, 2000, Hunold pled guilty in Missouri to three felony counts of attempted promotion of child pornography and one misdemeanor count of harassment. (Similar charges were filed in Massachusetts but dismissed on the grounds that Massachusetts law did not criminalize the use of computer technology to distribute child pornography.) He was sentenced to 15 years in prison and served 120 days.

For some reason, the Hunold case reminds me of the Twilight Zone episode “The Monsters Are Due on Maple Street.” In that episode, space aliens (who look a lot like humans) manipulate electricity and a few other things to create paranoia in the good citizens of a pleasant suburb. The locals decide aliens are among them and turn on each other. As one source puts it, “total madness breaks out.”

It reminds me of that Twilight Zone episode because there really was no danger to the students or anyone else in Townsend, but Hunold was able to make everyone believe there was. My sense, from speaking to people familiar with the case, is that a little bit of the Twilight Zone episode began to happen in that no one knew who to trust. The mysterious person sending the threats might have been one of the students, might have been a teacher, might have been a staff person . . . might have been anyone. Hunold’s activities are a great example of how someone can use online imposture to break down the trust we assume, and rely on, in our everyday lives.

What I find most chilling about the Hunold episode is not what happened in Townsend, but what might have happened after. When police searched Hunold’s computer, they found evidence that led them to believe he was planning to do the same thing to a school in Georgia. I suspect he would have done an even better job of cultivating paranoia and inculcating terror the second (or third?) time around. What he did in Townsend seems to have been pretty much an accident, something that evolved as he developed an online relationship with the eighth-graders, whom he sought to control. The next time his efforts would have been more calculated and therefore, I think, even more devastating.

In terms of today’s law, Hunold could also have been charged with cyberstalking, which basically means someone used computer technology to engage in a course of conduct that inflicted serious (or substantial) emotional distress on another person. It can also encompass threatening someone with death or serious bodily injury. So I see no reason why Hunold could not have been charged with stalking, at least under current law. What I see as interesting is that he did not merely stalk. He played with the lives of people in Townsend just as the fictive Twilight Zone aliens played with the people in that suburb. Somehow, that seems more than stalking.