Friday, May 11, 2007

Can you trust your neighbors?

I want to talk about two recent cases, both of which go to our (some of us, anyway) using technology to spy on our neighbors, for various reasons.

The first story is from Rochester, New York. It’s about Monroe County Sheriff’s Deputy Michael Hildreth, who was convicted of felony eavesdropping but acquitted of computer trespassing.

The charges were based oh Hildreth’s using spyware to do just that—spy on his neighbor:

Hildreth, who . . . [was] assigned . . . to a computer crimes unit, conducted an unsanctioned investigation of next-door neighbor James E. Missel, whom he believed posed a threat to young girls in their neighborhood . . . in Penfield.

Assistant District Attorney Mark Monaghan said a follow-up investigation after Hildreth's arrest turned up no evidence of wrongdoing by Missel, who had volunteered for more than 30 years with a private school. . . .

Hildreth allegedly sent Missel an e-mail about potential job prospects with an attachment that, when opened, planted the spyware program eBlaster on Missel's computer and allowed Hildreth to monitor every keystroke made, Web site visited and chat room entered on the computer.

Michael Zeigler, Deputy Found Guilty in Spyware Case, Rochester Democrat and Chronicle (April 25, 2007). According to this story, the 45-year old Hildreth faces a sentence ranging from probation to up to four years in prison. He will be sentenced on June 26.

The other case is from New Jersey, and involves Robert DeFilippo, who allegedly spied on “his son, his daughter and a former landlord through their computers.” Margaret McHugh, Father Accused of Spying with Software, Newark Star-Ledger (January 12, 2005), 2005 WLNR 6489995.
DeFilippo sent e-mails containing attachments that, when opened, installed spyware allowing him to monitor the victims' computer activity, access their passwords and get into their e- mail, Morris County Prosecutor Michael Rubbinaccio said. . . .

Rubbinaccio's office began investigating . . . when DeFilippo's former landlord, Karen Kiehn, who had evicted him, reported that a computer service company discovered spyware on her computer. She began having problems with it after opening an e-mail from DeFilippo, according to the arrest affidavit. . . .

Kiehn said she has a $10,000 judgment against DeFilippo for back rent on a Morristown apartment, and she believes `he was looking for a way to get information on how I was going to proceed on collecting my judgment.’

McHugh, Father Accused of Spying with Software, supra. DeFillippo ultimately pled guilty to “four counts of third-degree computer theft”, according to the New Jersey Superior Court opinion denying his appeal of the 45-day jail term he was sentenced to serve. State v. DeFilippo, 2006 WL 1388878 (N.J. Super. Ct. 2006). In reviewing the facts, this court explained that in addition
to the e-mail problem experienced by Kiehn, defendant's son, a college student, subsequently noticed that someone had accessed his e-mail account and sent e-mails in his name, and defendant's daughter also discovered that false e-mails had been sent under her name.

[T]he prosecutor's office determined that defendant had installed a spyware program in Kiehn's computer, which permitted him to gain access to her passwords, credit card information, and e-mails. He obtained Kiehn's credit card number when she made an online purchase and wrote it down for future use. He had also installed the spyware programs on the computers of his son and daughter. He admitted to installing the spyware on Kiehn's computer to retaliate against her, and on his children's computers to `inquire about their well being.’

State v. DeFilippo, supra. The court affirmed the sentence, by the way.

The first thing I find interesting about the two cases is the similarity of the conduct – of how easy it is for our neighbors (former neighbors) and relatives to spy on us. We might at least casually consider the possibility that people whom we live with could engage in such activity . . . but who expects your neighbor or your former tenant or anybody else you just happen to know to decide to spy on you?

So that’s interesting. We can become a nation of really adept eavesdroppers, if we so desire . . . which reminds me of a bizarre incident I had in a law class a few years ago. We were discussing the federal wiretapping laws, and after class one of the students came up to me, to ask a question (a legal question, or so I thought). This student was a clearly middle-class woman, who had mentioned she was married, had some kids and lived n a nice suburb. . . . none of which matters in the slightest, except that it certainly did not lead me to expect her to ask what she did. She said she and her husband had gone to Radio Shack and bought some kind of directional microphone (whatever was hot technology, say, ten years ago) and were trying to use it to eavesdrop on conversations in their neighbors’ homes . . . but it wasn’t working!!!! She seemed to expect, what?, that I could make it work or explain why it didn’t work. All I remember is basically saying, in a nice, professional way, “get away from me.” Creepy, way too creepy.

Struggling back to my point: Hildreth was convicted of eavesdropping under a New York statute that makes it a crime unlawfully to engage “wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.” N.Y. Penal Law § 250.05. That makes sense, doesn’t it? Based on the few facts we have, it seems he was intercepting his victim’s internet activity because he was monitoring what the man was doing in real-time. Federal courts parsing the federal wiretap laws have said for the “interception” of an electronic communication (like email, or web surfing or chatting) to occur, the communication must be captured “in flight,” that is, while it is still being transmitted.

Once an electronic communication has been stored on a computer, the violation, if any, consists of gaining access to the computer without being authorized to do so – what is often called hacking. It seems that there was not enough evidence to convict Hildreth of hacking, or computer trespassing. The evidence must have shown, then, that he merely tracked what his victim was doing online as it was occurring. That would be interception, not hacking.

As that may demonstrate, we have a bit of an arbitrary distinction (IMHO) between the processes of capturing data while it is in transmission and capturing it after it has been stored on a hard drive or other media. The New York offenses here derive from two old crimes: eavesdropping and trespassing. Eavesdropping, which was a crime at common law, centuries ago, basically consisted of just that: lurking around buildings in an effort to overhear what you weren’t supposed to overhead. Trespassing, as we all know, consists of going where you are not supposed to be. The statutes involved in the Hildreth case are simply evolved forms of these crimes: He was convicted of eavesdropping but acquitted of trespassing, presumably because the government could not show he “went into” the victim’s computer (whatever that means).

What about DeFillippo? Why computer theft? Well, the New Jersey statute that defines the crime I assume he pled guilty to makes it an offense (“computer-related theft”) either to (i) gain unauthorized access to a computer or computer data or (ii) obtain, take or copy any data stored on a computer which one has accessed without authorization. New Jersey Statutes Annotated § 2C:20-25. I can’t tell if the foundation of the charge against DeFilippo was that he gained access to the victims’ computers without being authorized to do so (hacked) or that he stole data from their computers (theft). From what the court said in the excerpt I quoted above, it seems as if he could have been charged with both . . . since he gained unauthorized access to the three victims’ computers and, as least as to his former landlady, took data from her computer without being authorized to do so.

One thing I find particularly interesting, and sinister, about the DeFilippo case is that he used his unauthorized access to these various computers to pretend to be other people, real people: He pretended to be his son in emails, he pretended to be his daughter in emails and he sent his former landlady an email that purported to come from her lawyer. McHugh, Father Accused of Spying with Software, supra. I’ve long been fascinated by that, because it seems to me you could do a lot of damage to someone’s life by posing as them, either in emails or online. Our law does not, however, make simply posing as someone else – simple imposture – a crime. It’s a crime to pretend to be certain things, like a judge or a police officer, but not you or me.


Unknown said...

(Please excuse my english)

It is very interested that you write about what I want to ask you.

I got this neighbor that doesnt even speak me in person, only to say good morning, etc. He recently add me in some chat room, and everytime he see the light of the computer room of my house on, he start to talk me by chat in an agressive way like: ANSWER ME! NOW! ARE YOU THERE? I KNOW THAT YOU ARE AWAKE! and this is really staring to freak me out.

I just want to know what can I do for avoid this person or for tell him that leave me alone without get some trouble with him. I know that he have some mental problems but I dont know what can I d

Susan Brenner said...

The New York Supreme Court - Appellate Division recently upheld Hildreth's conviction:

"The fact that none of the witnesses testified that information was recorded by the program installed by defendant on the victim's computer does not render the evidence supporting the eavesdropping conviction legally insufficient. . . . [T]here was ample circumstantial evidence, including the documentary evidence from the company that created the program, establishing that it was installed on the victim's computer, that it was configured to record certain types of communications and send a report regarding them to an e-mail address and that it attempted to send such a report.. . . [W]e conclude that the evidence at trial could lead a rational person to conclude that the program installed by defendant recorded information that it gained from the victim's electronic communication."

People v. Hildreth, ___ N.Y.S.2d ___, 2011 WL 2586813 (2011).

Robert DeFilippo said...

The bigger srory here is the collusion between Karen Kiehn and the Rent Control Board in Morristown. When DeFilippo challenged Kiehn's illegal rent increases based on lies she made to the Board, there was a hearing in which DeFilippo lost. When he tried to appeal, the tapes of the hearing were "lost: and the appeal could not go forward, The tapes would have proved conclusively that Kiehn had been raising rents illegally for years and the Director of the Rent Control dept knew and helped Kiehn cover up.Further objective by Brenner would have revealed this fact as well as the fact that DeFilippo never used any of the information used in the hacking. Brenner only reports what Kiehn 'thought' was the intent. Not oobjective and balanced by a professor of law.

Susan Brenner said...

I wasn't trying to research the facts in the case. When I do a post on a case, my point is to analyze how the court applied the law. And I assure you, my analysis of the court's application of the law is completely objective.