Saturday, June 23, 2007

Caller ID spoofing

You may have read about this: Someone, using easily available technology, can spoof the caller ID information that appears on your phone when a call comes in. Indeed, there are websites that make it very easy for you to do this.

So to use an odd example I saw on TV, your phone rings, you check the caller ID and instead of giving an unknown name and set of numbers, you see “The White House” and a set of phone numbers that are, in fact, for the White House. I’m not sure why anyone would want to use the White House’s number in caller ID spoofing, but you certainly could do so, if you were so inclined.

The spoofing is being used to commit identity theft and other types of fraud, though, as I note below, it’s also been used for some other undesirable purposes. For fraud and identity theft, the would-be perpetrator spoofs the caller ID so the person taking the call believes they are talking to their bank, credit card company or some other source with which they would feel free to share personal information, such as their Social Security number. The caller persuades the person to give up as much information as seems useful, hangs up and identity theft or some other kind of fraud is set in motion, with the person duped by the caller ID spoofing as the victim.

It’s also been used, at least occasionally, for other purposes. Back in April a column in the Washington Post described how SWAT teams have been sent to empty buildings or other places after someone called police, using spoofed caller ID, and reported a crime in progress. According to the Washington Post article, a SWAT team was sent to an apartment after police received a call from a woman who said she was being held hostage there; there was no hostage, and the caller ID was spoofed to make it look like the call came from that location.

I can see where spoofing caller ID could become a very useful tool for stalkers and others bent on “harming” someone; it would, for example, be very easy to trick a murder victim into showing up at the place where the perpetrator was prepared to commit the crime. All the would-be killer would have to do is, say, to call someone and tell them they needed to come to a particular, no doubt remote, location because their spouse or their child had been injured or some other emergency. (It’s also possible to alter the sound of one’s voice, which would probably help in orchestrating this kind of scenario.)

Last Wednesday, the House of Representatives approved the Truth in Caller ID Act of 2007, which makes it “unlawful for any person within the United States . . . to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.” H.R. 251. A version of the bill has gone to the Senate, so we’ll see what they do with it. It looks like both versions make caller ID spoofing a crime, which is what I really want to write about.

Not to sound like a broken record, but do we need a law like this?

I started thinking about that because someone I saw interviewed in a news story about caller ID spoofing pointed out that it’s like falsifying the return address on an envelope, and we don’t make that a crime. Instead, we fold that kind of misrepresentation, which is merely one step in the ultimate infliction of “harm,” into the charges for the target crime or crimes . . . fraud or stalking or theft or extortion or whatever the misrepresentation is intended to promote.

So I started thinking (and I’ve just started) about why it should be different for spoofing caller ID. Spoofing caller ID is a slimy, devious trick, one that, like most slimy, devious tricks, is optimally calculated to exploit the vulnerable among us – our less sophisticated, more trusting neighbors.

It’s also calculated to exploit what I see as an increasing tendency among us: to trust what technology tells us. Why is spoofing caller ID any more deserving of criminalization than the practice of misidentifying or otherwise misrepresenting yourself when you call someone? Fraudsters have used misidentification and misrepresentation for centuries, probably longer. Misidentification is a tool of the trade for fraudsters; fraud is defined as deceiving someone to get them to give you their property or other valuables. So a law like the one I note above is criminalizing the use of a tool to commit what is already a crime, which may be redundant.

Some states criminalize the possession of burglar’s tools, and you might analogize the caller ID crime statute to those statutes. Both would be tool crimes. The burglar’s tools statutes are arguably redundant when and if they’re used to charge someone who has already broken into a house or business for the purpose of committing, say, theft; at that point, the person could be charged with both burglary and possessing burglar’s tools (if a prosecutor wanted to do that). Burglar’s tools statutes are not so clearly redundant when they’re used to charge someone who’s arrested before they break into a house or building to commit burglary; indeed, this is the whole point.

They let police do something when they encounter someone who is carrying what the law says are unambiguous tools for committing a particular crime. That gives police an advantage: they can prevent the commission of the crime by arresting the person on the lesser charge of possessing burglar’s tools. Of course, they could do the same thing by charging the person with attempting to commit burglary, a charge that could be based on having burglar’s tools and, say, being in the alley behind a house or a business. Attempt charges work if the facts support the inference that the person was headed toward committing the crime. Burglar’s tools statutes just make that easier, and push the time frame back a bit.

So, okay, maybe the proposed caller ID spoofing crime is a burglar’s tools crime, and maybe there isn’t anything wrong with that. I think the difficulty I’m having with this proposed law is that it says something about our relationship with technology. We’ve never criminalized falsifying the return address on an envelope, as such; we criminalize committing fraud and using the mails to commit fraud. Why, then, criminalize caller ID spoofing?

I wonder if the drive to criminalize caller ID spoofing is implicitly based on the premise that falsifying caller ID information is somehow more reprehensible, more “harmful,” than falsifying the return address on a letter. Why might it be more “harmful” than falsifying information on a snail mail item?

Well, and I’m just speculating here, I suspect we’re a little more skeptical of addressing and other information on snail mail, because we – the general public – all know how easy it is to falsify documents. We, the general public, know that because we know it’s people who put addresses on mail and we know how easy it is for a person to put incorrect information on mail. We know all that because it’s embedded in our culture; we know people lie and fabricate, and we know people create addressing information on snail mail (with, of course, the help of some basic technology).

I suspect things are different for caller ID. When we look at the caller ID screen on our phone, we don’t think we’re getting information from a person (who can lie); we think we’re getting information from a technology (which can’t lie, so far, anyway). I may be wrong, but I think that’s why people (me, included) are finding caller ID spoofing to be particularly obnoxious.

There’s an implicit breach of trust there that I don’t think we’d find, or at least not find in the same degree, if we learned that, say, the letter which seemed to come from our bank or credit card company was a fake, a fraud. We’d be angry when we found out the letter was a fake, but we wouldn’t be . . . offended, for lack of a better term . . . because that would fit into what we know of the world. Crooks are out there, crooks fake things to take our money.

Maybe I’m crazy, but I think we trust technology more than we do each other.

Friday, June 22, 2007

Outing "rats"

You may have heard about Who’s A Rat?, the website that claims to offer (and probably does) the “largest online database of informants and agents!” According to the site, it is
"a database driven website designed to assist attorneys and criminal defendants with few resources. The purpose of this website is for individuals and attorneys to post, share and request any and all information that has been made public at some point to at least 1 person of the public prior to posting it on this site pertaining to local, state and federal Informants and Law Enforcement Officers. This includes an Informant who makes his or her Informant status known to any person."


The website, which was created in 2004, is a paid subscription service and explicitly disavows any intent to “promote or condone violence or illegal activity against informants or law enforcement officers.” It also specifically notes that it does not portray “Agents or Law enforcement officers as rats or informants.”

You may have seen news stories about Who’s A Rat?, since many in the criminal justice system find it controversial, and threatening. As one news story explained, judges and prosecutors around the country are afraid the site will “cripple investigations and hang targets on witnesses.”

I haven’t seen reports of any efforts to shut the site down through litigation, presumably because it’s clearly protected by the First Amendment. There’s actually a federal district court opinion which reached precisely that result with regard to a completely different website.

In 2003, Leon Carmichael, Sr. was charged in the U.S. District Court for the Middle District of Alabama with drug conspiracy and money laundering. U.S. v. Carmichael, 342 F.Supp.2d 1070 (M.D. Alabama 2004). Not long after he was arrested, Carmichael created a website dealing with his case:
After the site was altered . . . to display the names of four `informants’ and four `agents,’ as well as photographs of the four `informants,’ the government renewed an earlier motion for a protective order directing Carmichael to remove his website from the internet. On July 20, 2004, following an evidentiary hearing and after careful consideration of the issues involved, this court denied the government's motion, reasoning that such an order would impermissibly infringe on Carmichael's First, Fifth, and Sixth Amendment rights.

U.S. v. Carmichael, supra.

The federal district court found, basically, that the site was protected by the First Amendment because it did not constitute a “threat” to anyone. United States v. Carmichael, 326 F.Supp.2d 1267 (M.D. Alabama 2004). The information on the site was clearly speech within the scope of the First Amendment, which means it is protected unless it falls into a problematic category of speech, such as what courts call a “true threat” to harm someone or child pornography.

Based on the evidence presented at the hearing cited above, the district court held that the testimony of informants, who said Carmichael’s posting their pictures and requests for their addresses on his site made them “fearful,” was insufficient to establish that the site posed a “true threat” to them. As I explained in an earlier post, a “true threat” is exactly what you think it would be: a communication directed at the would-be victim which says, in effect, “I am going to do you harm” of some kind. Here, just as in the case I talked about in my earlier post on this, there was no direct communication with a potential victim and no statement threatening to do them harm.

(The court also found, as you can see in the quoted excerpt above, that forcing Carmichael to take down the site would violate his Fifth Amendment right to due process and his Sixth Amendment right to prepare a defense to the charges against him, since the site sought information directly relevant to his case. I’m not sure either of those rationales would apply to Who’s A Rat?, though, since it’s not operated by a specific person asking for help in preparing her defense to a particular case. It might, I’m just not sure.)

After the district court refused to take the site down, DEA Agent David DeJohn, one of the agents listed on the site, did something very unusual: He asked the court to let him intervene in the criminal case so he could, on his own behalf, ask the federal district court to order that his photograph be taken off Carmichael’s website. U.S. v. Carmichael, 342 F.Supp.2d 1070 (M.D. Alabama 2004). DeJohn alleged that “the website is not only interfering with his ability to pursue his profession as an undercover agent, it is putting him in danger.” U.S. v. Carmichael, 342 F.Supp.2d 1070 (M.D. Alabama 2004).

The federal district court denied DeJohn’s motion to intervene. It began by noting that allowing someone to intervene in a criminal proceeding is “limited to those instances in which a third party's constitutional or other federal rights are implicated by the resolution of a particular motion, request, or other issue during the course of a criminal case.” U.S. v. Carmichael, 342 F.Supp.2d 1070 (M.D. Alabama 2004). The court found, basically, that DeJohn really had no “stake” in the criminal proceeding against Carmichael:
Although he asserts that he has a `personal stake in this litigation as it is his photograph that was stolen and posted,’ DeJohn has not . . . shown that he has an interest that will be affected by Carmichael's conviction or acquittal in this criminal case or . . . by any proceeding in this criminal case leading up to such. DeJohn may have been personally affected by Carmichael's use of his picture on his website, but the website itself is not the issue in this case. The sole purpose of this criminal action is the adjudication of Carmichael's guilt or innocence. . . . .

DeJohn does not claim the infringement of any interest conferred on him by any provision of the United States Constitution or any federal statute. To be sure, DeJohn would have benefitted had the court ordered the removal of the website from the internet at the government's request. But any interest DeJohn has in the website's removal is not based on a legal entitlement specifically belonging to him in Carmichael's criminal case. Rather, his motion to intervene is an effort to resolve what is essentially a private dispute based, if anything, on state law.

U.S. v. Carmichael, 342 F.Supp.2d 1070 (M.D. Alabama 2004). So the federal court denied his motion to intervene and told DeJohn to sue Carmichael in an Alabama state court if he wanted to try to have his photograph removed from Carmichael’s website.

I have no idea if Agent DeJohn ever sued Carmichael or not. I can’t find any news stories or reported cases involving such a suit.

Carmichael’s website – http://www.carmichaelcase.com -- is still online, but seems to have been abandoned. According to a relatively recent news story, Carmichael was convicted in 2005 of drug trafficking and money laundering and was sentenced last March to serve 480 months in prison. Montgomery Businessman Sentenced to 40 Years for Drug Trafficking, U.S. Federal News, 2007 WLNR 5923762 (March 23, 2007).

Tuesday, June 19, 2007

Court upholds email privacy

About a year ago I wrote about a Cincinnati federal district court’s decision which held that we have a Fourth Amendment expectation of privacy in emails being stored by ISPs.

That decision was important because the current federal statutory framework governing law enforcement access to stored emails (and emails in transmission, but that’s not what we’re concerned with here) is based on the premise that data we “knowingly” share with third parties, like ISPs, is NOT protected by the Fourth Amendment. If it is not, then law enforcement officers don’t have to get a search warrant to gain access to emails, etc.

The Sixth Circuit Court of Appeals just affirmed the district court’s decision: Warshak v. U.S. (docket # 06-4092, opinion # 07a0225p.06). You can find it here.

The government will almost certainly ask the Sixth Circuit to rehear the case, with all the judges of the circuit sitting on the panel (this was the usual three-judge panel). If they lose again, they’ll almost certainly try to take the case to the Supreme Court which, I think, will probably take it.

Monday, June 18, 2007

Be careful what you consent to

In this post, I want to talk, again, about how courts are struggling to define the permissible scope of a consent search when that search involves a computer or other digital storage media.

More precisely, I want to use a Michigan case to illustrate the issues that can arise when someone consents to a search of their property.

As I’ve said before, the Fourth Amendment’s default position is that police must obtain a search warrant (actually a search and seizure warrant, since it lets police seize any evidence they find while searching) before they can lawfully search a place in which someone has a reasonable expectation of privacy.

As I’ve also said before, this default position is subject to a number of exceptions, each of which eliminates the need for police to obtain a search (and seizure) warrant.


One of these exceptions, which I’ve talked about before, is consent. Consent is basically a waiver of your Fourth Amendment right to privacy. If a police officer, say, stops you as you are walking down the street carrying an opaque bag and says, “Hey, can I search your bag?” and you say “sure,” then you’ve waived your Fourth Amendment right to privacy in the bag. You’ve also implicitly consented to let the officer seize any evidence of a crime he finds there. Evidence of a crime conceptually falls into two categories: contraband (things, like drugs and child pornography, the possession of which is prohibited, so they are illegal in themselves) and non-contraband items that are evidence of the commission of a particular crime (a murder weapon, for example).

So, if you consent to a search of a thing or a place under your possession and control, your consent substitutes for a search (and seizure) warrant. Consent, though, works a little differently than the other exceptions (and search warrants too, for that matter). The other exceptions (and search warrants) are based on probable cause, and that defines the scope of a search. So, if an officer has a warrant to search your home for 2 stolen big-screen TVs (of a particular, described type), she can search your home (i) only for those TVs and (ii) only until she finds both of them. So probable cause both authorizes and limits the scope of the search.

Consent is different, and can be trickier. Consent is basically a contract between you and the state. The officer, representing the state, asks for consent to conduct a specific search, as in my example above. In that example, the police officer asked for consent to search the bag and you, hypothetically, said “yes” (often a bad idea, btw). The contract that arose between you and the government allowed the officer to search this bag, and only this bag, and to search it for . . . whatever, basically, . . . since the object of the search was not specified.

And that’s an important aspect of consent. If you decide to consent to a search, you should think about precisely what you are consenting to. You can set limits on a search. If, say, an officer asks for consent to search your car, you can say something like, “all right, but you can only search the passenger compartment.” By doing that, you’ve limited how far the officer can go. And, too, remember that you can always call off the contract. That is, you can always revoke your consent to search (at least, until they find something, then other exceptions might kick in).

Okay, with that as background, let’s talk about a car consent search.

Here are the essential initial facts in People v. Dagwan, 269 Mich. App. 338, 711 N.W.2d 386 (Mich. App. 2005):
[Michael Dagwan] entered the Michigan State Police post in St. Ignace and asked Sergeant Amy Pendergraff how he could transfer his Michigan sex offender registration to Massachusetts. Pendergraff contacted Trooper Elaine Bitner at the State Police post in Sault Ste. Marie. Trooper Bitner told Sergeant Pendergraff that [Dagwan] was being investigated for a possible sex offender registry violation. . . . Trooper Bitner asked Sergeant Pendergraff to detain [Dagwan], so she searched [him] for weapons, then placed him in a holding cell. Soon thereafter, Trooper Bitner told Sergeant Pendergraff that the Chippewa County prosecutor had authorized a complaint for an arrest warrant charging [Dagwan] with a sex offender registry violation and asked her to arrest [him] on the basis of this probable cause

People v. Dagwan, supra.

Sergeant Pendergraff told Dagwan he was under arrest and, according to the opinion, he “then consented to a search of his car. Sergeant Pendergraff stated that when she asked [Dagwan] if he was freely giving consent and . . . would sign a written consent form, he said yes. . . . Sergeant Pendergraff testified [at the suppression hearing that]: `He said yes. I got the form, filled it out. He read it over. He signed it.’” People v. Dagwan, supra. The consent form Dagwan signed gave the Michigan State Police his consent to “`conduct a complete search of the motor vehicle owned by me and/or under my care, custody, and control, including the interior, trunk, engine compartment, and all containers therein[.]’” People v. Dagwan, supra.

Sergeant Pendergraff took Dagwan outside; he unlocked the car so she could search it. She found a laptop in the car and gave it to Detective Sergeant Robin Sexton to search. People v. Dagwan, supra. Detective Sexton, “who had special training in computer data recovery,” did a quick search of the contents of the laptop and found child pornography on it. People v. Dagwan, supra. This, of course, resulted in Dagwan’s being charged with possessing child pornography, which only compounded the legal problems he had to face.

Dagwan moved to suppress the child pornography, arguing that the search of his computer exceeded the scope of his consent to search the car. In other words, he argued that his “consent contract” encompassed only the car, not the laptop. And the trial court agreed. It “granted the motion, concluding, in essence, that `containers,’ as referred to in the consent form, did not include `the inner workings of the computer.’” People v. Dagwan, supra.

The prosecution appealed, and the Michigan Court of Appeals reversed the trial court’s decision. Here is the appellate court’s reasoning:
[W]e conclude that it was objectively reasonable for the police to believe that defendant's consent included consent to examining data stored within the laptop found in defendant's car. First, the object of the police search was broad: to look for anything illegal, including stolen property. We conclude that a reasonable person would know that computers may be used to commit crimes. . . . Further, we conclude that a reasonable person would know that computers can contain illegal child sexually abusive material in the form of stored electronic images. . . . Second, the written consent to search that defendant signed. . . . agreed to permit the police to `conduct a complete search of [his] motor vehicle ..., including the interior, trunk, engine compartment, and all containers therein[.]’

The wording of the written consent is plain and unambiguous, so the police were objectively reasonable in believing that defendant consented to their examining data stored on the laptop. . . . `Complete’ is defined as “having all parts or elements; lacking nothing; whole; entire; full; ... thorough; total; undivided, uncompromised, or unqualified[.]” Random House Webster's College Dictionary (1992). A `container’ is “`anything that contains or can contain something. . . .’ Id. . . . Because a computer can store data in its memory, and thus act as a container, here of illegal child sexually abusive material, it was objectively reasonable for the police to believe that the scope of defendant's consent permitted them to examine the contents of the computer found inside the automobile. . . . Consequently, we conclude that a reasonable person would have understood that defendant's consent was broad enough to encompass a review of the computer's stored data. . . .

People v. Dagwan, supra. The appellate court also found it significant that Dagwan never either revoked the consent he had given to search the car or tried to limit the scope of the search. So, it reversed the trial court, which means the images found on the laptop could be used against him.

I don’t know what happened to Dagwan, other than that the prosecution apparently was resumed.

What I think is interesting, and instructive, about this case is that it illustrates the difficulties courts are having with the concept of computers as “containers.” Courts generally agree that computers are “containers” of a sort, as indeed they are. They contain “data.” Courts struggle, though, with whether computers are “containers” like the traditional, tangible, real-world containers we’ve always dealt with or whether they are different, somehow. . . . whether, basically, they represent an incremental container, one that encompasses a greater level of privacy than do conventional, physical containers. You can see that theory in the trial court’s opinion, noted above.

The other, I think, instructive aspect of this case goes back to the title of this post: Be careful about consenting to a search under any circumstances, but be particularly careful if a search could encompass a laptop or other computer device. If you have no problem with police’s searching your laptop or desktop computer or Blackberry or cell phone or whatever, then go ahead. But if you are at all concerned about their doing so, keep this decision in mind. The decision to consent, or not to consent, is entirely up to you, as is the scope and the duration of the search that results from your consent.

Wednesday, June 13, 2007

Corporate victimization . . . ?

A recent story reminded me of an issue that came up several years ago – the question of whether corporate and other artificial entities can be the victims of certain crimes.

Corporations and other legally-created entities (such as partnerships) can, of course, be the victims of crimes. We often read, for example, about a company’s being the victim of theft or extortion, and I imagine we don’t give much, if any, thought to the fact that it’s a thing, a fictive construct, that is being victimized instead of a real, flesh-and-blood person.

I think this kind of corporate/artificial entity victimization has never been a conceptual problem either for the law or for the public because these are theft crimes. Theft, fraud, extortion, embezzlement and other financial crimes can all involve taking tangible (e.g., gold, silver, other physical assets) or intangible (e.g., data, proprietary information) property from a corporate or other entity, and when that happens the entity suffers precisely the same “harm” a real human being would. The legally-created entity, like the victimized human being, loses all or a portion of its property.

But what about identity theft?

In 2004, Phoebe Nicholson, a paralegal who worked for Honeywell International, was generically accused of corporate identity theft. The law firm of Fish & Neave had done work for Honeywell in the past, so Nicholson allegedly “forged her boss’ signature on seven phony bills from the firm, then persuaded Honeywell to send the checks to her for delivery instead of mailing them to Fish & Neave.” She had set up a bank account in a name that was “nearly identical” to the firm’s name and was able to divert almost $600,000 to that account before being caught. At the time, the local district attorney said that Nicholson “`basically stole the identity of this law firm’”, which made me think.

A law firm is usually either a partnership or a professional corporation. Can you steal the identity of an artificial entity? I believe most, if not all, identity theft statutes assume the victim is an individual.

The basic federal identity theft provision, for example, makes it a crime knowingly to possess and/or use an “identification document” that does not belong to you. 18 U.S. Code section 1028(a). It defines “identification document” as
a document made or issued by or under the authority of the United States Government, a State, political subdivision of a State, a sponsoring entity of an event designated as a special event of national significance, a foreign government, political subdivision of a foreign government, an international governmental or an international quasi-governmental organization which, when completed with information concerning a particular individual, is of a type intended or commonly accepted for the purpose of identification of individuals.. . .

18 U.S. Code 1028(d)(3). Under this statute, therefore, I don’t see how assuming the identity of a corporation or a partnership could ever be prosecuted as identity theft, and I think the same holds for state identity theft statutes, as well.

We could, of course, broaden existing identity theft statutes so they encompass the misappropriation of the identity of a corporate or other artificial entity . . . if we thought it was necessary to do so. I’m not at all sure it is. In the Fish & Neave case, Phoebe Nicholson was charged for what she really did: steal money that did not belong to her. More precisely, she was charged with grand larceny under New York law. She pled guilty to these charges and to separate charges stemming from using a similar scam to steal money from a mortgage company, and was sentenced to serve 3-9 years in state prison. Laura Williams, Guilty Plea in $1M ID Theft, New York Daily News (February 28, 2005).

So I’m not sure we need a corporate identity theft crime, at least not one that merely targets conduct that can be prosecuted as theft or embezzlement. And if we decide those laws are inadequate, it seems to me we can address the problem by simply expanding the scope of our existing theft and, if necessary, identity theft laws.

This brings me to the very recent case I read about and a very different kind of corporate victimization.

I saw a news story today, which is dated Tuesday, that comes from Cincinnati. It seems there’s a fellow there who is neither a student at the University of Cincinnati nor is employed there, but who keeps coming back to campus. The story says police have arrested him 22 times in the last 5 years for trespassing there (which is not something I’ve ever heard of, but maybe it doesn’t come up much). Last month the university got a temporary restraining order barring him from campus, and on Monday a local court held a hearing, at which lawyers for the university said he should never be allowed back on campus.

Specifically, a lawyer from the Ohio Attorney General’s office who was representing the university said this gentleman has been “`stalking an institution’”, which really gave me pause. I’m not sure how you “stalk” a corporate entity (universities being artificial legal entities, specifically, non-profit corporate entities).

According to the lawyers for the university, the man has “become too great a drain on the resources of police, who've spent `hundreds of hours’ locating him, cuffing him, writing reports, testifying in court.” He apparently attends classes on occasion, uses the library, and has been found in various positions and in various states of sobriety all over campus.

I’m sure the lawyer from the Ohio AG’s office was only speaking figuratively when he said this man is stalking the university, but I still found it an intriguing notion. I suppose it is possible (isn’t anything possible?) that someone could stalk a corporate entity, but I find the notion of that kind of corporate victimization problematic.

The “harm” stalking and harassment laws are intended to address is someone’s using a repeated course of non-threatening conduct (if the conduct is threatening, then it can be prosecuted on that basis, instead) to inflict emotional and/or psychic distress on an individual. We have the first component in this case; the gentleman at issue here has, according to the story I saw, engaged in a lengthy, repetitive course of non-threatening (but aggravating) conduct directed at the university.

The problem, IMHO, with ever construing this kind of incident (assuming this one is not unique, which it probably is not) as corporate stalking comes with the second element of a stalking or harassment offense – the requirement that the conduct inflict emotional or psychic injury on a victim. Since corporate entities are soulless, artificial entities, I do not see how one can suffer psychic or emotional injury. It seems to me the injury they sustain, if any, is the injury encompassed by the harm of trespass: someone goes where they are not legally authorized to go, thereby violating a property owner’s rights to exclude persons from the occupation and use of their property. So I can’t imagine why we would ever really need a corporate stalking offense.

As I said, though, I’m sure the Ohio AG lawyer was only speaking figuratively.

Monday, June 04, 2007

Fourth Amendment privacy and operating systems

I ran across some interesting language in an Air Force court’s decision from last December: United States v. Larson, 64 M.J. 559 (Air Force Court of Criminal Appeals 2006).

Basically, Larson was caught up in a “To Catch A Predator”-type sting.

He thought he was emailing with, and setting up a meet with, 14-year-old Kristin when he was really corresponding with an undercover police officer. When he showed up to meet “Kristin,” Larson was arrested by local police officers.

After it heard of the arrest, the Air Force opened its own investigation and Larson’s commanding officer gave the investigating Air Force Office of Special Investigations (AFOSI) agents access to the office Larson used on the base.

The AFOSI agents seized the computer in the office, the one Larson had used to correspond with “Kristin.” “A search of the computer hard drive turned up data files, stored automatically by the Microsoft Windows operating system during [Larson’s] Internet browsing sessions” and the activity that led to his being charged with attempting to entice a minor for sexual purposes and related crimes. United States v. Larson, supra.

Larson moved to suppress the evidence seized from the computer he used at work, arguing that the search of the computer violated the Fourth Amendment. The AFOSI agents do not seem to have obtained a search warrant before they examined the computer’s hard drive. The appellate and lower Air Force courts might have disposed of the issue on some other grounds, such as that his commanding officer could consent to the search or, maybe, that he had no expectation of privacy at all in the contents of the computer because it was a government computer which he was supposed to use only for work.

The Air Force Court of Criminal Appeals didn’t take that approach, though. To understand what this court did, let me recap a bit how Fourth Amendment analysis works: To successfully suppress evidence, you have to show the government conducted an illegal “search” (or seizure, but we’re not dealing with that here). A “search,” as I’ve explained before, violates a “reasonable expectation of privacy” in some place or thing.

To have a reasonable expectation of privacy in a place or thing, you have to meet two requirements, which come from the Supreme Court’s decision in Katz v. United States, 389 U.S. 347 (1967): (1) You have to have a subjective expectation of privacy (you, personally, think it’s private); and (2) if, and only if, you had a subjective expectation of privacy (you actually thought it was private), your subjective expectation must be objectively reasonable, that is, society must agree with you that it was private.

So, for example, if I use my cell phone while in a public place (an airport, say) to chat about robbing a bank, I can’t claim it was a search for a police officer to overhear what I said. I would probably say (being an idiot, in this hypothetical) that I thought my conversation was private; even if a court agreed that I did have this expectation that it was private, the court would hold there was no search because it would say, correctly, that society would not consider my expectation of privacy in my conversation on a cell phone in a public place “reasonable.”

Courts usually accept that a defendant had a subjective expectation that a place or thing was private, but reject a defendant’s Fourth Amendment argument (if, indeed, they do reject the argument) on the second basis – by finding that the person’s expectation was not reasonable, was not one society will accept as valid.

That, though, is not what happened in the Larson case. The court rejected his Fourth Amendment argument on the first basis – it found that he did not have a subjective expectation of privacy in the data in question:

This appears to us to be a case of first impression in some respects. In military jurisprudence, the focus of Fourth Amendment litigation involving computers has primarily been on the expectation of privacy to be afforded to e-mail: personal communications between users, sent via computers using networks or the Internet. . . . The search of the government computer here did not focus on such communications. Instead, the AFOSI searched for certain data files, created as part of the `normal operating procedure’ of the Microsoft Windows operating system, which record the date, time, and Internet address of web sites visited by the computer user, as well as information about the user account in use on the computer at the time the sites were visited. . . .

The military judge concluded the appellant had no expectation of privacy in the contents of the computer. We find no abuse of discretion in his ruling. There is no evidence the appellant was aware the Internet history files existed, and we are unconvinced the appellant could entertain a subjective expectation of privacy in them without such knowledge.

United States v. Larson, supra.

(The court also, for good measure, held that he would not have had an objectively reasonable expectation even if he had had a subjective expectation of privacy in data on the computer: Larson “could not expect to keep private automatically-recorded data stored on government property he would reasonably have known would be turned over to another officer on that officer's return from deployment.”)

The court’s rejection of Larson’s subjective expectation of privacy in files generated by the operating system is quite interesting, since it’s not predicated on the fact that the computer was not “his” computer, but the government’s. Instead, it seems to be a blanket rejection of the idea that we can have a Fourth Amendment expectation of privacy in data generated by computer processes which we do not realize are going on and/or do not understand.