Saturday, September 29, 2007

Booze and bytes

We were talking in my cyberspace law class about the DMCA and the recording and movie industries’ war on file-sharing.

Specifically, we were talking about whether our current system for controlling the ownership and use of intellectual property makes sense in a world in which such property generally ceases to be tangible and instead becomes digital.

Tangible property can be duplicated to some extent – books can be copied and music can be taped, for example – but it tends to be much more difficult and time-consuming to do so than it is to duplicate digital property.

I read a law review article that explained how, and why, it was functionally impossible for regular people to duplicate or otherwise copy vinyl records when they were the only way in which music was distributed commercially. The article also said that while the introduction of taping devices gave people the ability to copy records and tape songs off the radio, the cumbersomeness of the process and the often erosion in quality meant that this did not become a huge problem for the record companies. And much the same is true for the movie industry; the introduction of video recording devices made it at least possible to record movies shown on television and, later, to copy tapes rented from a store or obtained otherwise. But it was still enough of a pain that it didn’t become a major problem.

As we all know, digital technology changes all that. Property moves from being tangible to becoming bytes, and bytes can be copied easily and quickly and without the erosion of quality you saw in older methods. And that, of course, causes major problems for the industries the existence of which is predicated on monopolizing the ability to distribute music, movies and other types of intellectual property.

And we all, I’m sure, know the approach these industries are taking to the problem of file-sharing: First, they’re encouraging the federal government to bring criminal copyright infringement suits against larger-scale file-sharing operations. Second, because there simply aren’t enough federal agents and federal prosecutors to go after a significant percentage of the people who are engaging in file-sharing, these industries – particularly the music industry – are using the threat of civil suits to deter individual file-sharers. The music industry has been sending offer to settle letters to students at many colleges and universities; they tell students they have been identified as having illegally downloaded copyrighted music and can either settle their liability by paying $3,000 or face a lawsuit seeking damages for the full amount, which can easily run into six figures.

We were talking about all this in class, and about whether it is a rational and/or effective way to deal with these issues. I said that what the music and movie industries are doing reminds me of the United States’ experiment with Alcohol Prohibition in the 1920s, but with one difference. The laws implementing Alcohol Prohibition in this country did not make it a crime to have or consumer alcohol; they only made it a crime to manufacture and/or distribute alcohol. Whoever drafted these laws apparently realized that it would be impossible to go after everyone in the United States who continued to buy and drink alcohol, so they tried to address the problem by cutting off the source of alcohol.

As we probably all know, that didn’t work either because alcohol could be manufactured pretty easily. Distilling alcohol is not, as they say, rocket science. I’ve never tried it, but I know people who’ve made their own wine and their own beer, and from what I’ve read online it’s really not that complicated . . . even in our contemporary, primarily urban environment. It would probably have been even easier in the 1920s, when the country was less urban and therefore more used to doing things from scratch.

My point is that Alcohol Prohibition failed because the government could not cut off the source of the prohibited item. That is, they could not prevent people from making and sharing alcohol. We all know about Al Capone and the infamous bootlegging mobs, but there was a lot of local, home-grown bootlegging, as well.

And that’s what I was mentioning in my class: I see some interesting parallels between our failed national experiment with Alcohol Prohibition and the mostly private effort that is currently underway to eliminate the digital distribution of unlicensed copies of music, movies, software, and whatever else industries are or will be concerned about.

The music and movie industries are in one sense making the mistake the architects of the Alcohol Prohibition laws avoided: They’re trying to go after the consumers of the product, the people who possess and use unlicensed digital copies of music or movies. The problem with that is scale: To do this effectively, the music and movie industries, alone and/or with the assistance of law enforcement, would have to continually track down and prosecute a segment of the domestic file-sharing market that is substantial enough to put the fear of God into everyone who might even consider file-sharing.

I don’t think that’s possible. Law enforcement, and especially federal law enforcement, has a number of other priorities it needs to attend to; so law enforcement can spare only a small part of its resources to assist in this effort. The civil suits are intended to act as a separate deterrent, but I’m not sure how effective they are going to be. Some colleges and universities are resisting the industries’ efforts to get them to provide the names of students linked to IP addresses used to illegally download files, and this trend might increase. The industries’ approach does put colleges and universities in something of an untenable position; their posture toward their students has traditionally been semi-parental, but this threatens to transform it into a more adversarial one. There’s also the issue of resources: Why should colleges and universities have to bear the added, extraordinary cost of identifying students and otherwise contributing to the industries’ effort to discourage illegal file-sharing?

There are other problems. The civil suit approach only works within a country; the music and recording industries cannot use the threat of civil suits hear to target file-sharers in other countries, even if they can identify them. They could transport the civil suit tactic abroad, and threaten to sue file-sharers in France and Pakistan and many, many other countries, but I suspect the cost of such an effort would soon become prohibitive. And, on another note, the technology of file-sharing may become more sophisticated and therefore more undetectable. If it becomes impossible, even extraordinarily difficult, to identify file-sharers, then this approach simply cannot be effective.

What is the alternative? Well, we could continue our analogy to Alcohol Prohibition and argue that the music and movie industries should emulate the approach taken there by targeting not the consumers of the outlawed product but those who create and distribute the product.

I see two problems with that analogy: One is that with digital file-sharing the distinction between production and consumption arguably erodes; each file-sharer is, or can be, not only the recipient of shared files but also the distributor of shared files. So the industries might argue that the approach they are currently using is inevitable. I’m sure they would also point out that they, in cooperation with law enforcement, have also gone after the higher-level distributors in file-sharing operations. The RIAA got Napster shut down, and there have been prosecutions of software-sharing, warez sites.

That brings us to the other problem: Even if we assume that the music and movie industries and the laws they employing are analogous to the approach taken with Alcohol Prohibition, that approach did not work. It simply failed to cut off the supply of alcohol in this country, both because it could be imported from Canada and elsewhere and because it could be manufactured here. And manufacturing and distributing alcohol is a much more time-consuming and risky endeavor than digital file-sharing. The former takes place in the real-world, and is therefore a highly visible endeavor; you need space and materials and time and then you have to transport a very bulky, somewhat fragile product over highways or sea lanes or rail lines. All of that increases the chances you will be identified and apprehended. You run some of those risks with file-sharing, but they are much reduced, both because of the relative invisibility and ease of the process and because it is highly distributed. You’re no longer looking for Al Capone’s operation; you’re looking for, what, 10% of Illinois?

Like many others, I think our current approach to the protection of intellectual property rights is seriously flawed when it comes to dealing with distributed file-sharing. I will not attempt to outline the alternatives, because others who are far more knowledgeable than I have already done so.

My point is that the use of criminal and quasi-criminal sanctions cannot be effective when it is impossible to control the manufacture and distribution of a product and when the culture sees such control as illegitimate. When people in a culture see such control as illegitimate, and have access to the product, norms of evasion grow up. Compliance with the control system becomes the exception; the norm becomes the process of evading the system. During Alcohol Prohibition, alcohol use increased in this country, especially among women. There was a disconnect between what the law forbade and what people saw as appropriate.

We have something similar, albeit on a much smaller scale, with file-sharing. And it may be that the disconnect we see see between laws outlawing file-sharing and attitudes toward file-sharing in a segment of the populace are merely an indicator of what is to come. We may find that the approach our law has used to allocate and enforce tangible property rights is not a viable approach for intangible property rights.

Sunday, September 23, 2007

GPS detectors, jammers & spoofers

On Friday, I spoke to a group of lawyers about various issues in criminal law and technology. One of the issues we talked about is the police's use of Global Positioning System (GPS) devices to track people’s movements. (GPS devices are used by private parties, as well, but my focus here is on criminal matters, so I’m only going to deal with the government’s use of them.)

This is really a follow-up to a post I did a while back, on Anti-GPS technology. Since I found the technology here is more complex that I realized, I thought I'd do a follow-up on the issue.

Under current law in the U.S., the Fourth Amendment’s prohibition on unreasonable searches and seizures are not implicated when the government installs a GPS device on someone’s vehicle and uses it to track their movements in public places. Courts have held that installing the device is not a seizure of your vehicle because it in no way interferes with your operation or use of the vehicle; you don’t even know the device is there (which is the point, after all). At least one state court has held that police do need a warrant, but that decision was made under state law and I’m focusing on the Fourth Amendment, because it is the default general national standard.

They have also cited a 1983 U.S. Supreme Court decision upholding the use of “beepers” to help police follow suspects in their vehicles for the proposition that it is not a search for the government to use a GPS device to track your movements in public places. (Courts say it is a search if police use GPS to track you into a private place, like your garage.) They have reached this conclusion even though a GPS device, unlike the beeper at issue in the Supreme Court case, substitutes for a police officer; the device tracks your movements without a police officer’s having to be assigned to follow you around. At least one state court has said that makes a difference under state law, because GPS lets police conduct surveillance on a larger scale than they could if they had to have officers follow people around; and the Seventh Circuit Court of Appeals noted that this might be a problem in the future, if police really begin to use GPS devices on a wide scale.

But, as of now, police do not have to get a search warrant to install and/or monitor a GPS device. Both activities are completely outside the Fourth Amendment, and that means police can install and monitor the device without your knowing anything about it (which, as I noted above, is the whole point). The basic practice when they have to get a warrant to do something is that they serve the warrant on you, then conduct a search of your home or other property, and then leave you with an inventory of what you took. That way, you know they were there, why they were there and what they took.

In the course of talking about this with the bar association on Friday, I suggested this might create a market for GPS detectors, and we talked about that a bit. One of the attorneys there, who has a good technical background, said there’s no way to use a detector to discover a passive GPS tracking device (GPS logger) that simply stores up information about your movements, but that a detector could be effective for an active device (GPS tracker) that transmits information periodically. So we talked about that a bit, and I joked as to how there could become a real market for these things.

I decided to see if GPS detectors are on the market and, yes, there are some. There are also GPS jamming devices and spoofers. I’ll talk a bit about each type of device, and then we’ll consider the legality of using any or all of them devices, now and in the future.

According to one site, it is possible to detect a GPS tracking device that transmits information by using a radio frequency detector/scanner. The problem, according to this site, is that the RF detector/scanner will only detect the transmissions of the GPS device when the device is actually transmitting. This site also notes that GPS devices use different technologies, which can also cause complications in detecting them. Another site follows up on that, explaining that some trackers do transmit a constant signal, which makes them easier to detect, and that the same is true of GPS devices that use cell phone connections. The site says ultimately the best way to find a GPS device is to use a combination of detection and “finger-tip searching.”

We, though, are interested in the use of technology to find GPS tracking devices, so we’ll stay with that. Before we consider the legality of using GPS detectors, I want to consider the second logical approach to dealing with a GPS tracking device: GPS jamming.

I found a website that advertises at least two different GPS jamming devices. Both plug into your vehicle’s cigarette lighter, and both jam a GPS device’s ability to collect and/or transmit location information. I also discovered that it is possible to spoof the signals sent to a GPS device, so the device thinks it is in Place A when it’s really in Place B.

As far as I can tell, there are no laws in the U.S. that criminalize the use of GPS detectors, jammers or spoofers. Since I can see objections being raised to the use of these devices if and when they become more popular, I want to speculate a bit as to whether the use of any of these devices could legitimately be outlawed.

The obvious source of analogy here is radar detectors. Like GPS detectors, jammers and spoofers, radar detectors allow those who use them to evade police surveillance technology.

A very few US states outlaw radar detectors. Virginia, for example, has a statute that makes it unlawful “to operate a motor vehicle on the highways of the Commonwealth when such vehicle is equipped with any device . . . to detect or purposefully interfere with . . . the measurement capabilities of any radar, laser, or other device . . . employed by law-enforcement personnel to measure the speed of motor vehicles on the highways”. Virginia Code section 46.2-1079(A).

In 1987, a bill was introduced in Congress that would have made it a federal crime to manufacture, sell or possess a radar detector, but the bill languished and finally disappeared. See H.R. 2102, 100th Congress, 1st Session (1987). There was apparently little support for such a measure because, as one author notes, “the nationwide criminalization of a segment of the electronics industry and its consumers is arguably unjustifiable and implicates questions of federalism. Proponents of federalism allege that the issue is best left to state legislatures.” Nikolaus Schandlbauer, Busting the “Fuzzbuster:” Rethinking Bans on Radar Detectors, 94 Dickinson Law Review 783, 789 (1990).

There seems to be no reason why states cannot outlaw radar detectors. A federal court of appeals upheld the constitutionality of the Virginia ban, agreeing with the district court that it “furthers a significant state interest in the health or safety of Virginia’s motorists”. Bryant Radio Supply, Inc. v. Slane, 507 F. Supp. 1325 (District Court of Virginia 1981), affirmed 669 F.2d 921 (Fourth Circuit Court of Appeals 1982). Notwithstanding that, most states have chosen not to outlaw them, presumably because they do not feel the evasion of law at issue here warrants such a punitive measure.

What about GPS detectors, jammers and spoofers? Can they legitimately be outlawed? Should they be outlawed?

In answering those questions, there may be some reason to differentiate between (a) detectors and jammers and (b) spoofers. From my brief research online, it seems that spoofers can be used by thieves who want to hijack cargo being moved by trucks; the thieves can apparently use the spoofed GPS signals to disguise the fact that a truck is deviating from its authorized route, a deviation which is leading up to the theft of its cargo. So, spoofing can be used to commit distinct, freestanding crimes as well as to frustrate law enforcement surveillance. While the same might be true of the other two types of GPS countermeasures, I am going to assume they only frustrate surveillance, and so am going to treat them differently.

As to spoofers, the answers to the questions I posed above are “yes,” in both instances. If spoofers can be used to set up cargo thefts and other crimes, then they are analogous to burglar’s tools. As I have explained before, many states outlaw the mere possession of burglar’s tools (which are usually defined as items that, in isolation or when collected together, clearly have no purpose other than illegal break-ins). The justification for these statutes is that they outlaw a type of attempted crime; in other words, there is no reason to possess burglar’s tools except to use them in a burglary. Spoofers are, I think more ambiguous: I am not sure they have any legitimate purpose, but they can be used either to (a) frustrate law enforcement surveillance or (b) to facilitate cargo thefts and maybe other types of crimes, as well. To the extent they fall into category (a), they should be encompassed by my analysis of the legality of outlawing jammers and detectors, which we’ll get to in a moment. To the extent they fall into category (b), they can be outlawed if they are truly analogous to burglar’s tools, i.e., if they have no independent legitimate use.

As to detectors and jammers, we need to analyze each of them separately. It seems to me that GPS detectors are very much analogous to radar detectors, in that they do not interfere with the functioning of law enforcement surveillance technology; they simply alert the target of the surveillance so that he or she can take appropriate measures to frustrate the surveillance. One could, therefore, argue that there is no more reason to outlaw GPS detectors than there is to outlaw radar detectors. The problem I see with this argument is that radar detectors are used only to detect a very low level of criminal activity, but GPS devices are usually used in investigating more serious crimes. That could make a real difference in how states answer the two questions I posed above. Because these detectors frustrate surveillance in investigations targeting more serious crimes, they could be seen as an effort to obstruct justice. (The same is true of radar detectors, but here the frustration is at a very low level, given the minor criminal activity at issue.) Indeed, one can argue that this is their whole purpose. If you accept that view of GPS detectors, the answers to the two questions I posed above are, again, “yes.”

What about GPS jammers? The analysis I went through in the paragraph above seems to apply to them, too. And there is an aggravating factor here. According to what I read on several websites, jamming GPS signals can create a safety hazard for ground vehicles and/or for aircraft. If that is true, then the use of these devices creates a new, distinct hazard to public safety, and the creation of such a hazard is a matter the criminal law can legitimately address. I suspect, then, that if GPS jammers begin to be used with any frequency, we will see efforts to outlaw their use at the state and/or federal level. I understand that their use is already illegal in European Union countries.

Saturday, September 22, 2007

Fourth Amendment privacy: IP addresses & URLs

In United States v. Forrester, 2007 WL 2120271 (9th Circuit 2007), the Ninth Circuit Court of Appeals considered whether a defendant had a Fourth Amendment expectation of privacy in the “to and from addresses” of his email messages, the addresses of the websites he visited and the “total amount of data transmitted to or from” his Internet account. Dennis Alba, a defendant in this case, argued that the government violated his Fourth Amendment right to privacy when it used “computer surveillance” techniques to obtain this information.

As I explained in my previous post, a Fourth Amendment “search” occurs if and only if you had a “reasonable expectation of privacy” in the place or thing searched. If you had such an expectation of privacy, the government must have had either a search warrant or a valid exception to the search warrant that justified the search for it to have been “reasonable.” If they had neither, then the search was “unreasonable,” and violates the Constitution, which means the defendant can have the evidence suppressed.

This is how the opinion describes the surveillance Alba was challenging:
During its investigation of Forrester and Alba's Ecstasy-manufacturing operation, the government employed various computer surveillance techniques to monitor Alba's e-mail and Internet activity. The surveillance began in May 2001 after the government applied for and received court permission to install a pen register analogue known as a `mirror port’ on Alba's account with PacBell Internet. The mirror port was installed at PacBell's connection facility in San Diego, and enabled the government to learn the to/from addresses of Alba's e-mail messages, the IP addresses of the websites that Alba visited and the total volume of information sent to or from his account.
United States v. Forrester, supra.

In ruling on Alba’s motion to suppress, the Ninth Circuit applied the Supreme Court’s ruling in Smith v. Maryland, 442 U.S. 735 (1979). In Smith, the government put a pen register, a device that captures the numbers dialed on a telephone, on Smith’s home phone. They were investigating him for making harassing calls, and used the data collected by the pen register against him in a prosecution for doing so.

Smith argued that the use of the pen register was a “search” because he had a reasonable expectation of privacy in the numbers he dialed from his home phone. The Supreme Court, in an opinion I think was wrongly decided, said he did not. The Court said he assumed the risk (read my prior post) by giving that information to a third party. The Supreme Court said that Smith (a) could not have had a subjective expectation of privacy in that data because he knew he was giving it to the phone company and (b) even if he had such an expectation, it is not one society would accept as objectively reasonable because, the Court said, we all know that if we give information to a third party it is no longer private. It’s the assumption of risk concept I noted in my prior post.

The Forrester court noted that the issue Alba was raising had not been addressed by any other federal court of appeals, so this was an issue of “first impression.” Alba lost, but the court did reserve an issue which may prove interesting in the future.

Let’s begin with why he lost. This is the court’s explanation:
We conclude that these surveillance techniques are constitutionally indistinguishable from the use of a pen register that the Court approved in Smith. First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. . . . Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties. Communication by both Internet and telephone requires people to “voluntarily turn[ ] over [information] to third parties.” [Smith, supra]

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers. When the government learns the phone numbers a person has dialed, it may be able to determine the persons or entities to which the numbers correspond, but it does not know what was said in the actual conversations. Similarly, when the government obtains the to/from addresses of a person's e-mails or the IP addresses of websites visited, it does not find out the contents of the messages or the particular pages on the websites the person viewed. At best, the government may make educated guesses about what was said in the messages or viewed on the websites based on its knowledge of the e-mail to/from addresses and IP addresses-but this is no different from speculation about the contents of a phone conversation on the basis of the identity of the person or entity that was dialed. The distinction between mere addressing and more content-rich information drawn by the Court in Smith and Katz is thus preserved, because the computer surveillance techniques at issue here enable only the discovery of addressing information.
United States v. Forrester, supra. (In Katz v. United States, 389 U.S. 247 (1967), the Supreme Court held that we do have a Fourth Amendment expectation of privacy in the content of our phone calls.)

The Forrester court also reserved an issue: whether we have a Fourth Amendment expectation of privacy in the URLs of the pages we access. As the Forrester court explained,
Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (`URL’) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at, whereas a technique that captures URLs would also divulge the particular articles the person viewed. See Pen Register Application, 396 F.Supp.2d at 49 (`[I]f the user then enters a search phrase [in the Google search engine], that search phrase would appear in the URL after the first forward slash. This would reveal content. . . .’).

Fourth amendment privacy and websites

In United States v. D’Andrea, 497 F. Supp. 117 (D. Mass. 2007), a federal district court was asked to decide if the police's accessing a password-protected website was a “search” under the Fourth Amendment.

Under the Fourth Amendment, police must have either a search warrant or an exception to the warrant requirement, such as consent of someone with authority to allow the search, for a search to be “reasonable” under the Constitution. If a search is not “reasonable,” then it is unconstitutional and the evidence obtained can’t be used in court.

In D’Andrea, an anonymous caller reported that
Jane Doe [a pseudonym] the eight-year old daughter of defendant Kendra D'Andrea, was being sexually abused by her mother and the mother's live-in boyfriend, defendant Willie Jordan. The caller also stated that pictures of Jordan performing oral sex on the girl had been posted on a Sprint PCS website. The caller provided the address of D'Andrea's apartment . . ., the log-in name and password for the website, and the number of a cellular telephone used by defendants.
United States v. D’Andrea, supra.

An investigator accessed the website, using the login information provided by the caller. The investigator downloaded images of the child being abused, and police used the tip by the informant plus the photos to obtain a search warrant. The warrant was executed at D’Andrea’s home, where they found other images and further evidence.

D’Andrea and Jordan were charged with child abuse and moved to suppress the downloaded images police used to obtain the search warrant plus the evidence seized pursuant to the warrant. If the investigator conducted a Fourth Amendment search by accessing the website and downloading the photos, then the search warrant would be invalid and all the evidence would be suppressed.

So, the critical question is, was it a Fourth Amendment search for the investigator to access the website? As I’ve noted before, a search under the Fourth Amendment is police conduct that violates violates a “reasonable expectation of privacy.” To have a reasonable expectation of privacy in a place or thing, you have to believe that place or thing is private and your belief has to be one society accepts as objectively reasonable. So, if I say I thought my actions in my unfenced front yard were “private”, I would lose; I might be able to convince a court I really believed that, but the court would say my belief was not objectively reasonable, since we all know what we do in public, as in my front yard, is not “private.” Anyone can observe what I’m doing. Conversely, what I do in my own home with the shades drawn is private because no one can observe me.

That brings us to the website. According to the court, D’Andrea and Jordan argued that because the website
was password-protected, they believed that what was posted on the site was a private matter that was exclusively theirs to share, and that they therefore had a subjective expectation of privacy in the website's contents. Assuming that this is true -- it would be somewhat astonishing if it were not -- the question still remains whether this expectation is one that society would recognize as reasonable.
United States v. D’Andrea, supra. D’Andrea and Jordan lost.
`It is well-settled that when an individual reveals private information to another, he assumes the risk that his confidant will reveal that information to the authorities, and if that occurs the Fourth Amendment does not prohibit governmental use of that information.’ [United States v.] Jacobsen, 466 U.S. 109, 117 (1984). . . . Thus, even granting defendants a reasonable expectation of privacy in the graphic website images of Jane Doe, by sharing the website access information with the anonymous caller, defendants took the risk that their right to privacy in the website's contents could be compromised.
United States v. D’Andrea, supra.

So, it appears that if you share your login information with anyone else, you assume the risk they will give that information to the police, who use it to access your website or whatever else it provides access to.