Tuesday, June 30, 2009

MySpace Assault Case

A law dictionary defines “assault” as the “threat or use of force on another that causes that person to have a reasonable apprehension of imminent harmful . . . contact; the act of putting another person in reasonable fear . . . of an immediate battery by means of an act amounting to an attempt or threat to commit battery”. Black’s Law Dictionary (8th ed. 2004). It defines “battery” as the “use of force against another, resulting in harmful or offensive contact.” We’ll get back to assault in a minute.

This post is about a Tennessee case involving what was, in effect, a MySpace assault. The facts in the case are a little complicated (and a little bizarre):
[In] February of 2007, [Wesley Carroll] was browsing the internet on his home computer at approximately 3:00 or 4:00 a.m. He . . . was having trouble sleeping and was `looking through profiles; on . . . www.MySpace.com. . . [Brandon’ Medley knocked on his door and appeared intoxicated. . . . Medley stepped into his home with [Thomas] Tucker, whom he had not met. . . . Medley asked if Carroll wanted to buy . . . or trade prescription pills for marijuana. Carroll responded that he did not want any marijuana. . . . Medley asked to use his computer to access his MySpace account but that . . . was unable to operate the computer. Medley then asked Carroll to log him into his account, and Mr. Carroll complied. . . .

[W]hile he was interacting with Medley near his computer, Carroll noticed he had left his wallet lying on a table near where Tucker was sitting. . . . [and then] noticed [it] had been taken from the table. He . . . `hurried over to where [his] wallet was and Tucker was sitting.’ . . . Tucker had the wallet and was taking money from it. Carroll asked Tucker, `[D]o you mind getting your hand out of my wallet?' Tucker then rushed toward Mr. Carroll, struck him in the jaw, and placed him in a `choke hold.’

Carroll . . . asked Medley to stop Tucker. . . . Medley walked behind him and he heard Medley and Tucker whispering behind his back. Carroll . . . overheard Tucker say, `I thought you told me to,’ and that Medley responded inaudibly. . . .Tucker said, `. . . . I am going to give you your money back, and don't swing on me when you get up. I am going to get out of here. I am going to walk away.”. . . Tucker released [Carroll] and threw his money on the floor. Tucker left while Medley remained in the home. Carroll . . . stared at Medley `with hate in [his] eyes’. . . . Medley then left.

[About five minutes after they left, Carroll] counted the money Tucker had thrown on the floor and noticed he was missing approximately $80 from the $300 in his wallet. After discovering Medley had failed to log off his MySpace account, Carroll decided to `get even’ with Medley. Carroll `wrote all kinds of vulgar, derogatory statements’ alleging that Medley was a homosexual. Carroll changed the password for Medley's MySpace account so that he could no longer access his MySpace profile. . . .

[B]etween 2:30 and 3:00 a.m. on March 19, 2007, [Carroll] was at his home playing a video game and falling asleep when he heard `[a] kick, a boom’ at his door. Upon hearing another, louder kick, Carroll awoke and stood up. . . . [A]fter . . . a third kick, his door opened and that Medley came through the door. . . . [A] man wearing a mask accompanied Medley. . . . [T]he second man later removed the mask, and [Carroll] identified him as Tucker. . . .

Medley. . .` beat [Carroll] with the stick.' . . . . Carroll . . . fell on his back and Tucker held his feet as Medley . . . `reared back’ to punch him. . . . Medley was `ranting’ about what Carroll did to his MySpace profile. Carroll testified that, after he `reared back,' Mr. Medley apparently decided not to strike him again and let him stand. . . .

Carroll ran toward his bedroom to find his portable telephone. . . . Tucker pulled off his mask and said, `Hold on. . . . Let's search this place.’ Carroll `just froze” and observed Tucker remove a .25 caliber handgun from Carroll's desk. . . . [T]he pistol . . .was very old. [Carroll] did not know whether the gun functioned. Tucker pulled back the slide . . . and observed. . . .a .22 caliber rimfire bullet, although the pistol was a .25 caliber center-fire weapon. . . . Tucker . . . struck [Carroll] with the gun and `jabb[ed]’ the knife in his direction several times. . . .

Carroll . . . hit the `page button on . . . his cordless telephone to determine the location of the telephone's portable receiver. He heard [it] beeping in his bathroom, and fought with Medley to get to the receiver. . . . Carroll managed to emulate dialing 9-1-1. . . . [Medley and Tucker left]. . . . Tucker took the pistol with him when he left.
State v. Medley, 2009 WL 1676051 (Tennessee Court of Criminal Appeals 2009). Police arrived and took Carroll to the hospital. He “received three or four stitches on his face, eight or nine stitches on his ear, and . . .his head was `busted.’” State v. Medley, supra.

Medley told police he came to the house to talk to Carroll about Carroll's changing his MySpace password. Medley said the fight resulted from that and denied he or Tucker hit Carroll with anything. State v. Medley, supra. Medley was charged with and convicted of aggravated robbery; Tucker was charged with and convicted of facilitating aggravated robbery. State v. Medley, supra.

On the facts, I think it’s clear Medley could have been charged with assault: He used force against Carroll and, in so doing, put Carroll in reasonable apprehension of further harmful contact. That, though, is not all Medley and Tucker did: They also, according to Carroll and the prosecutor, took Carroll’s gun . . . and that is a another crime, robbery.

Tennessee defines robbery as the intentional "theft of property from the person of another by violence or putting the person in fear.” Tennessee Code § 39-13-401(a). The prosecutor in this case, though, didn’t just charge Medley with robbery: He charged him with aggravated robbery. Aggravated robbery is robbery that is “[a]ccomplished with a deadly weapon” and in which “the victim suffers serious bodily injury”. Tennessee Code § 39-13-403. Tennessee law defines “serious bodily injury” as “bodily injury involving `substantial risk of death,` `[p]rotracted unconsciousness,’ `[e]xtreme physical pain’ [or] `[p]rotracted or obvious disfigurement’”. State v. Medley, supra. Carroll suffered “extreme pain for three weeks” after the incident, had “periodic headaches” for months and “displayed scarring from the incident.” State v. Medley, supra.

As I noted, Medley was convicted of aggravated robbery. He appealed, claiming the evidence was “`highly circumstantial’” and therefore, I’m guessing, insufficient to support the conviction. State v. Medley, supra. (The court points out that the brief Medley's lawyer submitted on appeal says the evidence “in the record is insufficient as a matter of law to sustain a conviction for the offense of Forgery”, which suggests the lawyer didn’t read the brief very carefully.)

As I explained in an earlier post, there’s nothing wrong with circumstantial evidence, as long as it meets the requirements to be admissible in court. And as I noted, convictions are often based purely on circumstantial evidence. The Court of Criminal Appeals rather summarily rejected Medley’s argument as to the insufficiency of the evidence; as you can see from the quoted passages above, it went into great detail summarizing what was proven at trial. The court therefore held that the jury “acted within its province” I convicting Medley of aggravated robbery.

There aren’t any novel or interesting legal issues in this case. I find it interesting that changing a MySpace password (and posting “vulgar, derogatory comments”) resulted in one person being beaten and two others going to jail. Says something, I guess, about how much our online lives mean to us.

(I'm posting this a little earlier than I usually do, because I'm out of the country and don't have internet access all the time.)

Monday, June 29, 2009

Incrimination and Encryption -- UK Style

I’ve done a couple of posts about the 5th Amendment privilege against self-incrimination’s applicability to encryption keys. I’ve analyzed whether US officers can compel someone to give up their encryption key without violating the privilege.

This post is about how that issue is handled – or has been handled – under UK law. I am indebted to Professor Ian Walden of the School of Law, Queen Mary, University of London for the case I’m going to write about.

The case is R. v. S and A, [2008] EWCA Crim. 2177 (Court of Appeal – Criminal Division 2008). Here are the facts that led to the charges:
H was made the subject of a control order under the Prevention of Terrorism Act 2005 . The order obliged him . . . not to leave his home address without the consent of the Secretary of State for the Home Department. [S and A] are alleged to have conspired . . . with H and others, to breach that order. The objective . . . was to assist H to abscond from his address in Leicester and to convey him to a new, secret address in Sheffield. On 9 September 2007 S collected H and drove him there. Shortly after their arrival in Sheffield the police entered the premises. H was in one room and S was in another

alone [with] a computer. The key to an encrypted file appeared to have been partially entered. He was arrested, and . . . made no comment. . . . [H]is home in London was searched. The search revealed computer material. Various documents had been deleted from the computer hard drives, but when retrieved, they provided the basis for charges . . . under section 58 of the Terrorism Act 2000, that is, possessing documents or records . . . likely to be useful to a terrorist or potential terrorist. However without the encryption keys . . ., the encrypted files could not be accessed and their contents examined.
R v. S and A, supra.

S and A were charged with conspiracy to breach the control order imposed on H. S was arrested; after refusing to answer questions, was charged under § 58 of the Terrorism Act. He was then served with a notice under § 53 of the UK Regulation of Investigatory Powers Act 2000. Under § 53, officers can order someone to give up their encryption key; it is a crime to comply with such an order.

The disclosure notice identified the purpose of seeking the key as the “investigation of protected electronic information”; it explained that S was legally obliged to comply and that refusing to do so constituted a crime. R v. S and A. supra. It then read as follows:
I hereby require you to disclose a key or any supporting information to make information intelligible [T]he information to which this notice relates is: the full encryption key in order to access the encrypted volume of the laptop computer that is exhibited as exhibit AM/1 under file path: C:\ Documents and Settings\Administrator\My Documents\My Videos, within a file called Ronin.wma. This was found in the room where you were arrested. . . .’
R. v. S and A, supra. The notice explained the “circumstances in which the” encryption key implicated the “interests of national security and the detection of crime.” It said S could comply by providing the information in “verbal or written” form. S did not comply, claiming that requiring him to disclose the encryption keys violated the privilege against self-incrimination. The judge who ruled on that claim rejected it, so S appealed.

In the US, the 5th Amendment creates the privilege against self-incrimination. In the U.K., the privilege arises under Article 6 of the European Convention on Human Rights. Article 6 doesn’t mention the privilege, but it creates a right to a fair trial in criminal cases. In a 1996 case from the U.K., the European Court of Human Rights held that Article 6 implements the privilege against self-incrimination:
Although not specifically mentioned in Article 6 . . ., the right to remain silent . . . and the privilege against self-incrimination are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6. . . . By providing the accused with protection against improper compulsion by the authorities these immunities contribute to . . . securing the aims of Article 6.
Murray v. United Kingdom, 22 Eur. H.R. Rep. 29 (1996). S, then, has the privilege against self-incrimination under U.K. law. The issue is whether he can invoke it.

In ruling on the issue, the Court of Appeal began its analysis by noting that under prior cases, the issue was whether the constituted a “statement” S was being compelled to make or a “piece of information with an existence separate from his `will’”. If it was a separate piece of information, S could not claim the privilege; it had to be a statement.

The court found that while the key had an existence separate from S’s will, the analysis was not that simple. It noted that if police learned S had the key in his possession, their knowledge of that was incriminating evidence. So the court found “the privilege against self-incrimination may be engaged by a requirement of disclosure of knowledge of the means of access to protected data under compulsion of law”. R. v. S and A, supra. In this, it disagreed with the lower court, which essentially found that since the key had an independent existence, it did not come within the scope of the privilege.

That was not the end of the matter. The court noted that while S’s knowledge of the
means of access to the data may engage the privilege . . ., it would only do so if the data itself - which . . . exists independently of the will of [S] and to which the privilege . . . does not apply - contains incriminating material. If that data was neutral or innocent, the knowledge of the means of access to it would . . . be neutral or innocent. . . . [I]f the material were, . . . incriminatory, it would be open to the trial judge to exclude evidence of the means by which the prosecution gained access to it. Accordingly the extent to which the privilege against self-incrimination may be engaged is indeed very limited.
R. v. S and A, supra. The Court of Appeals then addressed an issue that does not arise under the US version of the privilege against self-incrimination:
[T]he question which arises, if the privilege is engaged at all, is whether the interference with it is proportionate and permissible. . . . The material which really matters is lawfully in the hands of the police. Without the key it is unreadable. That is all. The . . . material in the possession of the police will simply be revealed for what it is. To enable the otherwise unreadable to be read is a legitimate objective which deals with a recognised problem of encryption. The key . . . is . . . a fact. It does not constitute an admission of guilt. Only knowledge of it may be incriminating. . . .The requirement for information is based on the interests of national security and the prevention and detection of crime. . . . [T]he requirement to disclose extends no further than the provision of the key . . . or access to the information. No further questions arise. . . . Procedural safeguards . . . are addressed . . . in the powers under section 78 of the 1984 Act to exclude evidence in relation, first, to the underlying material, second, the key or means of access to it, and third, an individual defendant's knowledge of the key or means of access, remain.
R. v. S and A, supra. The Court of Appeals therefore upheld the lower court’s order requiring S to give up the encryption key, which meant S would be charged with refusing to comply with a disclosure notice. In closing, it noted that if S were to give up the key, “we suspect the prosecution would be disinclined” to pursue the charge and, if it did, the judge “would take a merciful view when addressing sentence”. R. v. S and A, supra.

I disagree with the Court of Appeals (and the lower court) on the first issue – whether the privilege applies to turning over an encryption key. As I explained in an earlier post, under the 5th Amendment you can take the privilege against self-incrimination only as to “testimony,” which is essentially a communication. To constitute a communication, you must use the contents of your mind to express a fact (the key) or to express thoughts or feelings. You can’t take the 5th as to non-communicative physical evidence, like blood or a gun or a key. You CAN, however, take the 5th Amendment if the act of handing over evidence is itself a testimonial act; as I explained in that earlier post, the US Supreme Court has held that producing evidence is a testimonial act when it tells the government that (i) you have it, (ii) it’s in your possession or control and (iii) what you’re handing over is what the government asked for. For more on that, see the prior post.

In the US we don’t have anything like the “proportionate and permissible” intrusion principle, which apparently provides a loophole when someone successfully invokes the privilege against self-incrimination. In the US, if you successfully invoke the privilege, that’s the end of the matter . . . unless, as I noted in that prior post, the government gives you immunity from prosecution. As I think I noted in that post, the rationale is that since immunity means the government can’t prosecute you, you no longer need the privilege.

My disagreement on the first issue is a function of the fact that I take a very different view of the scope of the privilege than this court and the US federal court I wrote about in the earlier post. As to the “proportionate and permissible” principle, I don’t like the idea of a loophole in the rule (5th Amendment or the UK rule). Maybe that’s because I’m an American and I’m used to the fact that our version of the privilege is impenetrable. Seems to me that’s the point.

Friday, June 26, 2009

Private Prosecution

As I’ve noted here and elsewhere, law enforcement officers are having a very difficult time battling cybercrime. They’re having a very difficult time for several reasons: one is that cybercrime is a quantum of new crime that’s added to the old, real-world crime they still have to deal with. Another reason is that because cybercrime can be automated, it can involve the commission of lots and lots of crimes; the expanded scale also makes law enforcement’s life more difficult.

Yet other reasons are the greater ability to commit crime anonymously in a virtual environment; the technical and legal complexity of many cybercrime cases; and the fact that cybercrime is often international, which means suspects may have to be extradited and/or evidence obtained from another country.

The obvious way to solve this problem is to pour millions (billions?) of dollars into expanding law enforcement’s resources – personnel, technology, etc. That is a logical option but not a practical one; in a world dealing with recession and other problems, countries simply cannot afford to pour massive funds into beefing up law enforcement. And I don’t know if we want countries to massively expand the size and capacities of law enforcement. Although it would be done with the best of motives, you can get mission creep, which can lead to adverse consequences.

The other way to solve the problem is to somehow bring civilians into the process of combating cybercrime. When I speak on this issue, people often suggest using civil liability, as in suing the cybercriminal. That, too, is a logical option but not a practical one. The Computer Fraud and Abuse Act, 18 U.S. Code § 1030(g), creates a civil cause of action for “[a]ny person who suffers damage or loss by reason of a violation” of the CFAA. The injured party can seek “compensatory damages and injunctive relief” from the person responsible for the violation. There are several reasons why this option is not a viable one, at least not in most cases. One is that most cybercriminals are likely to be what the law calls judgment-proof; that is, they won’t have the assets to be able to pay an award of civil damages. This option also suffers from many of the same problems as the law enforcement option: anonymous perpetrators; perpetrators in other countries; cases that are complicated and complex to investigate and litigate. So while this option works sometimes, it’s not likely to be particularly important in combating cybercrime.

I’m in London, and a conversation I recently had with a British lawyer made me think about a third option, one that combines the law enforcement strategy and the notion of private civil litigation against the cybercriminal(s).

England, unlike the United States, allows private prosecutions. As Wikipedia explains, the term “private prosecution” refers to criminal proceedings that are “initiated . . by an individual or private organisation instead of a public prosecutor who represents the Sovereign State”, the U.S. or England or Japan, etc.

Chapter 23, Part I § 6 of the United Kingdom’s Prosecution of Offences Act 1985 authorizes private prosecutions: “Subject to subsection (2) below, nothing in this part [of the Act] shall preclude any person from instituting any criminal proceedings or conducting any criminal proceedings to which the Director [of Public Prosecution]’s duty to take over the conduct of the proceedings does not apply.” Section 6(2) says the Director of Public Prosecutions can take over such proceedings “at any stage.”

According to the guidelines for Private Prosecutions issued by The Crown Prosecution Service, the Crown Prosecution Service “should only take over a private prosecution when there is a particular need to do so on behalf of the public”. The private prosecutor is not under a duty to inform the CPS that he/she has begun a private prosecution. The private prosecutor can, however, ask the CPS to take over the case, which they will do if they think prosecution is warranted. The CPS – represented by the Director of Public Prosecutions – will take over a private prosecution on its own and discontinue it if (i) “[t]here is no case to answer” or (ii) public interest factors against prosecution outweigh those in favor” of prosecution. The CPS guidelines give these examples of cases in which it would be appropriate for the CPS to take over a private prosecution and discontinue it: malicious prosecutions (i.e., prosecutions brought out of spite); a stale minor offense; the defendant is either too ill to stand trial or is terminally ill; or where the defendant has been given immunity from prosecution by the CPS.

As to how someone starts a private prosecution, this is what Wikipedia says:
[T]o initiate a private prosecution an individual or organization other than the state-funded prosecutor goes to the local court of appropriate jurisdiction . . . and gets in line to see a Justice of the Peace or a Judge to swear on oath in an attempt to convince the Justice or Judge that there is enough evidence to demonstrate a reasonable probability of conviction.

Once the Justice or Judge has been convinced of such, he or she will issue an `information’ which is a form telling the name and occupation of the informant (the person swearing to the Justice or the Judge) the name and address of the alleged offender, and the description of the alleged Offence.

The Justice or Judge will sign the `information’ form and issue a summons to the defendant with a date to appear in court. The informant then delivers the summons to the defendant in the prescribed manner and court proceedings are commenced.

The date of First Appearance the defendant is to plead guilty or not guilty and the trial date is set if the defendant pleads not guilty, or if a plea of guilty is given the courts can deal with the matter right away by registering a conviction and sentence.
As to what penalties the defendant gets if he pleads or goes to trial and convicted, they’re the same penalties that are imposed in a prosecution brought by the CPS. I found a news story from 1996 about the first English private prosecution for rape. The defendant was convicted and sentenced to 14 years in prison, which a Court of Appeal later reduced to 11 years. That private prosecution was initiated and conducted by two prostitutes whom the man had raped.

I’d heard of private prosecution before, but it wasn’t until I chatted with this British lawyer that it occurred to me this might (and I emphasize “might”) be an option for dealing with cybercrime. Since law enforcement and prosecutors’ offices simply don’t have the resources to deal with all (or even most) cybercrimes, we could (again, I emphasize “could”) create the possibility of bringing private prosecutions in at least some cybercrime cases. The option would, of course, only be available if the official, public prosecutor who would have jurisdiction to pursue the case chose not to do so.

Since I, as an American, find the whole motion of private prosecution to be more than a little scary, I don’t think we would want to go down this path unless we determine that using private prosecutions could really be an effective way to supplement our ability to pursue cybercriminals. And that brings us back to the same issues that arise with regard to public prosecutions and private civil suits against cybercriminals.

Private prosecutions of cybercriminals would still present the legal and logistical issues I noted above, i.e., extraditing foreign defendants and/or obtaining evidence from abroad, investigating and litigating cases that can be factually and legally complex, etc. They might be a useful alternative in cases in which both the defendant and the victim(s) are in the same jurisdiction – the United States, say – and the effects of the cybercrime (the “harm” inflicted) occurred in the U.S. If we decided private prosecution might be a useful alternative in domestic cybercrime cases, we could implement it – subject to strict requirements and standards – and perhaps use it to ease some of the burden on law enforcement officers, freeing them to concentrate more on the legally and/or logistically challenging cases.

One advantage private prosecution offers over the option of bringing a civil suit against a cybercriminal is that success is not predicated on the plaintiff’s/prosecutor’s being able to recover damages from the defendant. In a private prosecution, the private prosecutor – as I understand it – recovers nothing but the satisfaction of seeing the defendant held liable for his/her crimes and punished for them by being fined and/or incarcerated.

As I said, I’m not arguing for instituting a system of private prosecution of cybercrimes. The notion of private prosecution is so strange to me I tend to be very leery about adding it to the repertoire of actions available in the United States. I’m also concerned that if we were to do so, it might produce an explosion or frivolous or otherwise untenable cases, which would only further burden the court system. And I can see another problem with pursuing this so-far purely hypothetical strategy: If we went down this path, we’d have to have someone – U.S. versions of the Crown Prosecution Service – would be able to intervene when a private prosecution is malicious or otherwise unjustifiable. That, in turn, would mean we would either have to add a lot of prosecutors who would be assigned to this task or we would have to divert time from people who are already overworked so they can review prosecutions brought by people who are not trained in law and litigation.

There’s also yet another problem: Who would arrest the defendant and see that he/she remains in the jurisdiction while the private prosecution works its way toward a plea or a trial and conviction? It looks like the English system works because the defendants tend to hang around to plead or go to trial, but that very well might not be true when it came to private cybercrime prosecutions. The perpetrators might take off for Canada or Mexico or other points abroad. And we absolutely cannot – IMHO – give private citizens or any private agency the authority to arrest and detain suspected cybercriminals. That opens up many opportunities for abuse.

Overall, I think private prosecution is probably not a viable way to improve our ability to apprehend and sanction cybercriminals. . . . but maybe some version of it might be useful.

Wednesday, June 24, 2009

Exigent Circumstances Letters

This post is about one of the ways officers can get information about someone from the person’s ISP. Before we get to the law, I need to outline the facts in U.S. v. Beckett, 544 F.Supp.2d 1346 (U.S. District Court for the Southern District of Florida 2008) as described by the court.

On July 12, 2007, Palm Beach Sheriff's Office Detective Collins received a cybertip that a Palm Beach County child victim, identified . . . as `J.H.,’ was being sexually solicited by an adult through the use of a computer over the internet. The information included the victim's name and the screen name of the subject. Boynton Beach Detective Athol also received the information, as well as information about a second child victim, identified as . . . as `C.L.,’ who appeared to have been solicited by the same subject.

The subject contacted the victims . . . on MySpace representing himself to be a 17 year old girl looking to engage in sex. . . . The subject sent a picture of a nude girl to the victims and solicited nude pictures from the victims in response. The subject obtained the victims' addresses and phone numbers. Then the subject revealed that `she’ was in fact a male seeking to engage in oral sex with the victim. The subject threatened the victim with exposure by publishing their nude photos if they did not comply.

Detective Collins testified that it takes at least 3 days to get a subpoena issued to a service provider . . . under these circumstances. Because she believed these or other victims were in imminent danger, on July 12 she and Detective Athol sent `exigent circumstance’ letters to MySpace, AOL, and Comcast to get subscriber information, notably the subject's address, for the internet account used by the subject. . . . After the subject called child victim C.L. on July 13, the detectives sent `exigent circumstance’ letters to AT & T and T-mobile. . . . TIMOTHY WAYNE BECKETT, was the owner of the cell phone from which the July 13, 2007, phone call to child victim C.L. was made.

The terms and conditions of the internet and phone providers had clauses prohibiting child pornography, stalking and harassment, and reserving the right to investigate, take legal action, and cooperate with law enforcement.

On July 17, the detectives obtained a search warrant for the defendant's address, allowing the search for and seizure of computers, data storage devices, and records or data produced in various forms, such property constituting evidence of Computer Crimes, Transmission of Pornography by Electronic Device, Transmission of Material Harmful to Minors by Electronic Device, Threats and Extortion, and Prohibition of Sale or Other Distribution of Harmful Materials to Persons under 18 years of age. . . .

On July 18, Detective Collins executed the search warrant at the . . . . The defendant confessed to the scheme and to having child pornography on his computer. . . .

U.S. v. Beckett, supra. (I apolotize forr not indenting the quote -- I`m abroad and using a computer that's not very cooperative.)

Beckett was indicted by a federal grand jury on what the opinion calls “sex crimes,” which obviously included possessing and distributing child pornography. He moved to suppress “the evidence received from the Government's `exigent circumstance’ letters to MySpace, AOL, Comcast, AT & T and T-mobile, as [having been obtained] in violation of . . . 18 U.S.C. Sections 2702 and 2703.” He argued that under “those statutes law enforcement needs a search warrant, court order or subpoena to obtain customer information”. U.S. v. Beckett, supra.

Why, you may ask, didn’t he move to suppress under the 4th Amendment? As I noted in an earlier post, in the 1979 Smith v. Maryland case the U.S. Supreme court held that we have no 4th Amendment expectation of privacy in information we voluntarily share with telephone companies and other businesses. Under Smith, the information the officers sought from the ISPs and phone companies was not protected by the 4th Amendment.

Concerned about the implications this holding has in an era of digital communication, Congress adopted the Electronic Communications Privacy Act (ECPA) in 1986. ECPA imposed statutory restrictions on law enforcement’s ability to get the kind of third-party information that is not protected by the 4th Amendment (as long as the Smith decision remains good law_. It’s a complicated set of statutes, so I’ll just note that, as Beckett argued, 18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”.

Beckett, then, argued that the detectives violated ECPA when they used the “exigent circumstance” letters to get his subscriber information. It’s a good argument, on its face, but it didn’t work for two reasons.

One is that the detectives relied on another provision of ECPA in utilizing the exigent circumstance letters: 18 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”. The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.

The opinion doesn’t quote the letters sent in this case, but I’m sure they simply asked the ISPs to provide the information the detectives sought. (If you’d like to see examples of exigent circumstance letters used for a while by the FBI, you can find them here.) If the letters simply asked for the information, then they were not compelling the ISP’s to do anything; the dynamic seems to be that the letters simply trigger the provisions of § 2702(b)(8), letting the ISPs provide the information voluntarily.

The other reason Beckett lost is that his goal was to suppress the evidence the detectives obtained from the ISPs, but suppression is usually a remedy only for constitutional violations. Statutory schemes like ECPA can make suppression of evidence obtained in violation of their requirements a remedy available to the victim of such a violation. But if the statutory scheme does not explicitly do this, suppression of improperly obtained evidence is not available as a remedy.

ECPA does not make suppression a remedy for violations of its requirements. Section 2708 of Title 18 of the U.S. Code says that “[t]he The remedies and sanctions described in [ECPA] are the only judicial remedies and sanctions for . . . violations of [ECPA}.” The only remedy ECPA provides is a civil action for damages under 18 U.S. Code § 2707. Under § 2707(a), an ISP’s customer who is “aggrieved by any violation” of ECPA “in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity. . . which engaged in that violation such relief as may be appropriate.” Section 2707(b) says that the relief available under this statute includes damages, attorney’s fees and litigation costs and injunctive relief, if appropriate.

So the federal district judge denied Beckett’s motion to suppress the evidence. If Beckett thinks he has a cause of action under § 2707, he can try suing the detectives who used the exigent circumstances letters to get his ISP information, but I suspect he won’t be doing that. First, as I noted above, it looks like the letters didn’t violate ECPA; if they didn’t, then he has no cause of action under § 2707. And even if he did, would you be interested in pursuing probably expensive, time-consuming civil litigation while you’re facing the prospect of spending 90 years in jail?

(If you’re wondering about the picture, Beckett was a 20-year-old Pizza Hut manager when he was arrested, as this site explains. As it also explains, he was convicted and sentenced to 15 years in prison.)

Monday, June 22, 2009

Pyrrhic Tactic

As I assume we all know, a Pyrrhic victory is essentially winning a battle but, in so doing, putting yourself in a situation that is ruinous for your hopes of winning the war.

This post is about two provisions in the Senate Bill 773 – the Cybersecurity Act of 2009 -- which was introduced in the Senate on April 1, 2009. Nothing seems to have happened with it since then.

Section 18 of the proposed Act gives the President the power to do two things I find particularly interesting: One is to “declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network”. The other is to “order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security”. Cybersecurity Act of 2009 § 18(2) & (3). In discussing these options, I’m going to refer to the first one as “shutdown” and to the second one as “disconnect.”

The bill doesn’t define “cybersecurity emergency” or “critical infrastructure information systems or networks”. Some construe the references to “Federal Government or United States” critical infrastructure information systems or networks as limiting the President’s authority to taking only federal systems offline. I can see that interpretation, but if that’s what the drafters of the bill meant, why didn’t they just say Federal Government critical infrastructure systems or networks, instead of throwing in the “United States” part? It seems to me the inclusion of United States clearly means both provisions apply (i) to Federal Government computer systems AND (ii) to “United States” systems, which I interpret as meaning any systems in U.S. territory (and maybe systems outside U.S. territory that are owned by U.S. citizens) that qualify as “critical infrastructure information” systems. If that interpretation is correct, then this bill would give the President a lot of power.

I can’t find any legislative history or other information that tells me what each of these options is intended to cover (e.g., what would justify the President’s exercising the power bestowed on him by either provision and what, exactly, does it mean to order the shutdown of Internet traffic and/or the disconnection of systems from the Internet?). I assume they’re intended to implement some kind of cyber-duck and cover response to a massive cyberattack, of whatever type (crime, terrorism, warfare) . . . a triage reaction designed to prevent further damage by taking systems offline.

If that’s what it’s intended to be, then it seems a cyber-version of military tactics like an army’s (Army A’s) retreating across a bridge and blowing up the bridge so the enemy (Army B) can’t follow them. That can make sense in a real-world battle, especially if it isn’t important for Army A to use the bridge to go back to the other side of the river.

I’m trying to figure out if a version of that tactic makes sense in the cybersecurity context. I’m going to speculate a bit about that here. I’m afraid it’s going to be pretty uninformed speculation given the lack of definitions and standards in the bill. I assume they’ll be added as it makes its way through Congress. . . . if it does.

In trying to figure out if this tactic makes sense in the cyber context, I’m going to use my blowing up the bridge scenario as a source of analogy. Blowing up the bridge works, as I noted earlier, as long as Army A doesn’t need to recross the river to attack Army B, help out some friendly forces that are being attacked by Army B on the other side, etc. In other words, it’s effective only if it deprives the retreating army, Army A, of something it that doesn’t need at all or doesn’t need enough to preserve it. Whether Army A needs the bridge enough to preserve it depends, of course, on the nature of that need: If Army A only “needs” the bridge in order to go back and attack Army B, then it’s probably not sacrificing much by blowing it up (since we’re assuming Army A was losing in the original battle). If Army A has some other need for the bridge – like using it to reunite with other forces on its side or using it to get to supplies it dearly needs – then the decision to blow up the bridge will be more complicated.

The officer in charge will very carefully have to weigh the advantages and disadvantages of doing so. In weighing those factors, this officer will also have to consider whether Army A has a viable alternative; even if there is a good reason not to blow up the bridge, blowing it up may be the only way Army A can avoid actual or operational annihilation.

And that brings us to the shutdown and disconnect options. While I don’t understand the parameters of either option, I think they probably involve conduct that differs in type and magnitude. Since I don’t really know what those differences are, I’m not going to try to analyze each option separately. Instead, I’m going to speculate about the advisability of using a blow-up-the-bridge strategy in the cybercontext.

To answer that question, we have to resolve the two issues noted above: The first issue is what we lose by doing a shutdown or disconnect. If we don’t lose anything we need, then it at least theoretically becomes a viable option. If we don’t lose anything we really need, then it is still potentially a viable option; if we lose something we really need, then I don’t see how it can be a viable option.

What would we lose if the President did a shutdown or disconnect? We’d lose all or part of our Internet connectivity. Internet connectivity differs from the bridge in the scenario I analyzed above in at least one respect: After Army A crossed the bride and left Army B behind, Army A had no need for the bridge anymore, at least in my original scenario; it had done what it was needed for. I could be missing something, but I don’t think Internet connectivity is like the bridge in the original scenario.

Unlike the bridge, the Internet has many uses, some bad (like the potential for launching cyberattacks), most good. That means we would eliminate some bad (the online equivalent of preventing Army B from using the bridge to catch Army A) but would also eliminate some, maybe a lot of good (using the Internet for all kinds of legitimate uses). I say “maybe a lot of good” because I’m assuming the nature of an attack that justifies a shutdown or disconnect response would already have substantially impaired legitimate uses of the Internet. If the attack had seriously or completely compromised Internet access, then it becomes more and more like the bridge, which could be sacrificed without great loss to Army A.

That brings us to the second issue: Do we have viable alternatives to doing a shutdown or disconnect? As I noted above, even if blowing up the bridge is a costly option, it may be Army A’s only option; if that is the case, then Army A will have to blow up the bridge and live with the consequences of that action.

Since I don’t know what type of scenarios the shutdown and disconnect options are intended to address and/or the scope of a shutdown or disconnect response, I can’t really do much with this issue. It seems like we should have other alternatives, but maybe I say that because I want to believe we do, however pessimistic I tend to be about the current state of cybersecurity.
I think I’m having trouble buying shutdown and disconnect because they remind me of another historical military tactic: the siege. Siege warfare has been around for a long time, but was particularly popular in the Middle Ages. Seems like a good idea: you wall yourself up in a fortress of some kind, hoping your attackers can’t get in before they lose interest and abandon the whole thing. It looks to me like shutdown and disconnect are intended to extrapolate the siege concept to the world of cyberattacks.

When we’re hit with an attack of the appropriate severity, we’ll shut down or disconnect our computer systems and seal ourselves away in our virtual fortress . . . to do what? Wait until the attackers get bored and leave (“leave” virtually, of course)?

That tactic could work when you were sealed in a physical fortress with (you hoped) all the food and water and other supplies you needed to wait out an attacker. I don’t see how it can work in a world in which we depend on networked computer systems for all kinds of things, many of which are essential to our survival. If shutdown and disconnect are intended to extrapolate siege warfare to the cybercontext, then I think they represent a very flawed strategy.

Friday, June 19, 2009


This post is about the nature of the information police officers rely on to get a magistrate to issue a search warrant.

As I’ve explained, the 4th Amendment’s default position is that to be “reasonable” a search (and seizure) must be conducted pursuant to a search (and seizure) warrant.

And as I noted in an earlier post, to get a warrant, officers must present the magistrate who an issue the warrant with information that establishes probable cause to believe evidence of a specific crime will be found in a particular place -- the place to be searched. If they do that, then the magistrate will issue the warrant.

As I may have noted, probable cause is less than the beyond a reasonable doubt standard of proof used in criminal cases, and eve lower than the preponderance of the evidence standard used in civil cases. That makes sense because applications for and the issuance of search warrants takes place in a context that’s a lot more fluid than a civil or criminal trial. Police are investigating to see if they can bring criminal charges the validity of which will then be determined at a trial.

The purpose of probable cause is to curb an officer’s discretion. As I may have noted, the 4th Amendment was adopted to abolish general warrants, a device British officers used in the colonial era. A general warrant was basically a blank check; it let an officer search anywhere just because he was so inclined. The colonists hated general warrants because they were easily abused. The 4th Amendment therefore requires that an officer get a search warrant – based on probable cause to believe evidence of a specific crime will be found in a specific place – before he can search that place. Requiring probable cause was not intended to prevent police officers from doing their jobs; it was intended to ensure that they could not search someone’s property on a whim.

This post is a about a case that raised an issue related to probable cause: U.S. v. Silva, 2009 WL 1606453 (U.S. District Court for the Western District of Texas 2009). On May 5, 2008, federal agents obtained a search warrant for Fernando Silva’s home; they executed the warrant on May 6, seizing a computer, hard drives and thumb drives, among other things. On March 19, 2009, Silva was charged with possessing child pornography, and moved to suppress the evidence seized in the May 6 search.

Silva argued the evidence should be suppressed because the “warrant lacked probable cause because the information relied upon was stale.” U.S. v. Silva, supra. The staleness principle adds a temporal element to the probable cause requirement. As one court noted, “[u]nder the staleness doctrine, `information supporting the . . . application for a warrant must show that probable cause exists at the time the warrant issues.’” U.S. v. Meryl, 2009 WL 943574 (U.S. Court of Appeals for the Eleventh Circuit 2009).

The staleness doctrine is a matter of common sense: If an informant tells an officer that “a year ago they were selling drugs out of the house at 344 Brown Street, and I bought drugs from them”, that information probably can’t be used in establishing probable cause to search 344 Brown Street for drugs today. Because someone was selling drugs out of the house a year ago does not mean they’re selling drugs there today; to get a warrant to search 344 Brown Street, officers have to show probable cause to believe that drugs are being sold there now. Silva essentially claimed they hadn’t done that in his case.

In analyzing the staleness issue, we start with the information the federal agents used to get the warrant. Here’s how the federal district court summarized what they had:

Immigrations and Customs Enforcement (ICE) Special Agent Butler provided the Magistrate Judge a sworn affidavit. The affidavit stated that in April 2006, ICE began Operation Flicker, investigating a website known as the `Home Collection.’ The investigation revealed this organization was responsible for numerous commercial child pornography websites. Individuals would pay . . . $79.95 or $99.95 a month to gain access to the restricted websites. . . . [O]n January 18, 2007, the Defendant paid $99.95 to a PayPal account for Video Shop CD1, ID 1159. . . . The subject identifier 1159 refers to a child exploitation member restricted website known as `Video Shop CD 1.’ ICE agents purchased access to this member restricted website on February 12, 2007 and March 19, 2007. On these two occasions, the transaction was either identified by the subject identifier Video Shop CD1 or Item 1159. . . .

[O]n May 18, 2007, a summons was prepared and served on Time Warner requesting subscriber information for the Defendant's identity and residence. Time Warner confirmed that the Defendant was the subscriber and still had an active account. . . .

[O]n August 23, 2007, a Federal Grand Jury Subpoena was prepared and served on Wells Fargo Bank Texas, N.A., the financial institution responsible for issuing the check/debit card (# xxxx74013491xxxx) [redacted] to checking account number xxx-xxxxxxx. [redacted] On April 30, 2008, the account number was verified as belonging to the Defendant. The statement revealed that a check card purchase in the amount of $99.95 was debited by PayPal to Defendant's account. There was no information provided by Wells Fargo Bank that there had been any evidence of suspected fraud, identity theft, unauthorized use, or wrongful charges related to he purchase in question. A comparison of Webtrace records indicated the Defendant purchased access to a child pornography website on January 18, 2007. . . .

[A]gents in another investigation titled Operation FALCON identified Defendant as possibly . . . accessing suspected child pornography website on April 26, 2003 and May 20, 2003. The email account used to purchase access to the Operation FALCON website was the same account used to purchase access to the Video Shop CD 1 website. Defendant's current address was also identified by Operation Falcon at the time.

U.S. v. Silva, supra. The search warrant remember, issued on May 5, 2008. Silva said since “473 days had elapsed from when the illegal activity was discovered to the day the search warrant was issued,” the evidence was stale. U.S. v. Silva, supra.

In ruling on Silva’s argument, the judge to whom the case is assigned pointed out that whether evidence used to obtain a warrant is stale is “not merely an exercise in counting the days or even months between the facts relied on and the issuance of the warrant.” U.S. v. Silva, supra. As the judge noted, the “age of inculpatory information” is only one facts in determining if a warrant was based on stale evidence:
Staleness is to be determined on the facts of each case. A finding of staleness . . .can depend upon the nature of the unlawful activity, and when the information of the affidavit clearly shows a long-standing, ongoing pattern of criminal activity, even if fairly long periods of time have lapsed between the information and the issuance of the warrant. Information a year old is not necessarily stale as a matter of law, especially where child pornography is concerned.
U.S. v. Silva, supra. The judge found the evidence used in this case was not stale, and therefore could be used to establish probable cause for the warrant:
[A]n investigation of child pornography involves a multitude of websites, companies, and individuals whose common goal is to elude detection. Given the complicated nature of a child pornography investigation, the evidence may take several months or years to accrue, and . . . may consist of bits and pieces from several camouflaged sources. It would frustrate the Fourth Amendment[] . . . to force those tasked with investigating child pornography to hastily charge an individual based upon incomplete and uncorroborated information because of fear that a more complete investigation would consume too much time, rendering some information stale and unable to support a search warrant. . . . [I]t is better [to give investigators] a reasonable amount of time so [they] may acquire as much corroborated information concerning the suspect and the alleged activity before taking the next step of entering his home or residence.
U.S. v. Silva, supra. In finding the evidence wasn’t stale, the judge also relied on the premise that information
is less likely to be stale where the items sought in a search are of the type which could reasonably be expected to be kept in a particular location for long periods of time. At least one circuit has found that computer files are of a type that could be expected to be kept for long periods of time in the place to be searched.
U.S. v. Silva, supra. He also noted that evidence is “unlikely to be stale if it `clearly shows a long-standing, ongoing pattern of criminal activity”. U.S. v. Silva, supra.

The judge found the evidence showed Silva purchased child pornography in 2007 and was “possibly purchasing child pornography” in 2003. U.S. v. Silva, supra. He also found that the information submitted in support of the warrant showed that the evidence being sought was of a type that could be expected to be kept for a long time:
[T]he affidavit provided by Special Agent Butler . . . stated that persons involved in pornography and pedophilia tend to keep for long periods of time extensive pornography collections. This observation supports the conclusion that the more than a year gap between receipt of the information and issuance of the warrant is not excessive.
U.S. v. Silva, supra.

As a matter of common sense, I suppose the judge is right. As he and other judges have noted, if the information law enforcement has shows someone is a collector of something, it’s reasonable to infer that they will hold on to that thing (or things of that types), even for a long time. And it probably makes sense to give law enforcement some latitude in investigations that involve concerted attempts to conceal online activity so they can satisfy the 4th Amendment’s requirements, instead of putting them in the position of having to act on inadequate information.

Wednesday, June 17, 2009

Ghosts, Contraband and Seeking the Return of Seized Property

I’ve done several posts about trying to get the government to return computers and computer storage media it seized while executing a search warrant or pursuant to an exception to the 4th Amendment’s warrant requirement.

As I explained, someone whose computer equipment was seized can file a motion for return of property to try to get it back. The motion can be filed by someone who was never charged with a crime or by someone who was charged based on evidence found in the seized property. When a person who was never charged files a motion for return of property, he’s essentially saying the government is holding onto his stuff for no reason. In other words, if there’s no criminal case, the government doesn’t need it.

Someone who is being prosecuted based on evidence found in property seized from him usually begins by moving to suppress the evidence found in that property because his primary goal is to make it as difficult as possible for the prosecution to convict him. But those who have been charged can also file motions for the return of their property; they usually do this when the criminal case seems to be at an end, i.e., when the defendant has pled guilty or been convicted and has been sentenced. The rationale for the motion is that while the government needed the property while the case was pending, the case is over and the government’s authority to retain it has been exhausted.

One more bit of preface and we’ll get to the case this post is about: As I noted in a recent post, whether seized property will be returned to its owner depends to a great extent on whether it’s “evidence” or “contraband.” If it’s evidence, you have a chance at getting the property back because, as I noted above, the government is only authorized to keep evidence as long as it has some need for it, i.e., while the case is pending. But if the property is contraband (child pornography, say), you have no chance of getting it back because it’s illegal to possess that kind of property.

This brings us to Genao v. U.S., 2009 WL 1033384 (U.S. District Court for the Southern District of New York 2009). In 2005, a jury convicted Ismael Genao of “advertising child pornography in interstate commerce in violation of 18 U.S. Code § 2251(c) and transporting child pornography in interstate commerce in violation of 18 U.S. Code § 2252A(a)(1).” U.S. v. Genao, 224 Fed. Appx. 39 (U.S. Court of Appeals for the Second Circuit 2007). The criminal case began when, on the morning of March 6, 2003, Agent
Andrews of the [FBI] . . . used a computer in her office to access a chat room on the Internet Relay Chat. While on the IRC, Agent Andrews went to a chat room named `100reTeenGirlSexPics’ that she knew from her experience was dedicated to child pornography. Upon going to that chat room, Agent Andrews saw that file servers. . . had posted advertisements seeking to exchange child pornography.
U.S. v. Genao, supra. Andrews stayed online investigating two servers that seemed to be offering child pornography; she signed off after she “download[ed] seven images of children engaged in sexually explicit conduct” from one of them. U.S. v. Genao, supra. Andrews traced the images to an account owned by Genao and on “April 14, 2003, the FBI executed a search warrant” at his apartment in Yonkers, “where agents seized Genao’s computer and multiple computer hard drives.” U.S. v. Genao, supra.

Genao was convicted on both counts, sentenced and appealed his conviction to the Second Circuit Court of Appeals; on March 16, 2007, the Court of Appeals upheld the conviction. On September 1, 2008, he filed a motion seeking the return of property the FBI seized from his home. The property he sought fell into several categories, but we’re only concerned with three of them: “(1) one computer with two hard drives, (2) two separate external hard drives, (3) 118 compact discs”. Genao v. U.S., supra. In ruling on Genao’s motion, the federal district judge noted that Genao and the FBI agreed that
the hard drives . . . are contraband, in that they contain encrypted files containing child pornography. The government contends that the three CDs (numbered QNY31, QNY 33 and QNY 34) seized by the FBI contain what were described at trial as Ghost Image files, which would allow a user to restore encrypted information from the hard drives. The Government argues . . . that . . . the CDs numbered QNY31, QNY33, and QNY 34, cannot be returned to Plaintiff because they are contraband.
Genao v. U.S, supra. As to the Ghost Image files, the judge noted that they are
`used to copy a partition or hard drive into one huge file so it can be restored. If a hard drive should go bad or if a partition should go bad, the operating system or whatever it was on, that partition can be restored rather quickly.’ There were password protected Ghost files on several of the CDs but not the password for the encrypted material.
Genao v. U.S., supra. Genao responded to the FBI’s contraband claim by claiming
evidence at trial showed (1) that the FBI has cracked the password on the Ghost files . . . on some of the CDs and (2) that an FBI agent testified that `no contraband was found in said Ghost files.’ Plaintiff asks the Court to order the Government to produce FBI Agent Friesen and Assistant United States Attorney Collins . . . to testify at a hearing that the FBI opened and checked each Ghost file found on . . . the CDs and found no such contraband. Plaintiff further requests that he participate in the hearing by telephone.
Genao v. U.S., supra. The FBI opposed Genao’s request for a hearing: “First, the Government contends that it is reasonable to assume that the Ghost Image Files may indeed contain child pornography, and second, it would take the FBI two or three years conduct this particular forensic examination in preparation for the proposed hearing by Plaintiff.” Genao v. U.S., supra. And the FBI won:
Agent Friesen did testify . . . that someone . . . had cracked the password on the some of the encrypted Ghost Image Files and provided the password to him. However, he also testified that when representatives of the Government tried this password on files that were encrypted by PGP (`Pretty Good Privacy’), they could not open the files. Thus, the Court has been presented with no trial testimony . . . that these encrypted CDs do not contain contraband. Since the encryption would only serve to hide an illegal activity, there is a strong presumption that the encrypted CD's are contraband.

Furthermore, in his complaint, [Genao] acknowledged that the hard drives containing the encrypted material . . . should not be returned to him. Since the CDs containing encrypted materials (QNY31, QNY33, and QNY34) can be used to restore the images encrypted on the hard drives . . . there is strong circumstantial evidence that the encrypted Ghost Image Files on CDs QNY31, QNY33, and QNY34 contain images [he] encrypted in an attempt to hide his alleged activity. The Court finds that the CDs contain contraband, and since [Genao] has offered no evidence to show that the encrypted materials on CDs QNY31, QNY33, and QNY34 do not contain pornographic materials, denies [his] demand for a hearing and dismisses [his] claim for return of those CDs.
Genao v. U.S., supra.

So Genao lost because he couldn’t prove the encrypted data on the CDs did not include child pornography. I find that interesting because according to the leading expert on 4th Amendment law, when someone moves for the return of property AFTER the criminal case is over (as it was here), the government has the burden of proving that the property should not be returned because it’s contraband. Wayne R. LaVafe. Search and Seizure: A Treatise on the Fourth Amendment § 11.2(i) (4th ed. Thomson West 2008). He cites a couple of U.S. Court of Appeals cases which held that once the criminal case is over, the person from whom the property was seized is presumed to have a right to its return; to overcome that presumption, the government has to prove, by a preponderance of the evidence, that it cannot be returned because it’s contraband.

Did the government do that here? The federal judge seems to have relied on another presumption – the presumption that the only reason to use encryption is to hide illegal activity – to find that it did. I don’t know what I think of that result.

It’s an interesting issue: If the government seizes my property and I move to have it returned, either because I haven’t been charged or because I’ve been charged and convicted, can the government justifiably defeat my motion by showing that there are encrypted files on the computer and that, inferentially, the only reason to encrypt files is to conceal evidence of illegal activity? Do I have to give up the encryption key and let the government examine the files to prevail on my motion and get my property back?

Monday, June 15, 2009

Loss, Aggregation and Multiplicity

This post is about an opinion a federal judge issued a little less than a year ago. It deals with some interesting issues involving the application of the general federal computer crimes statute: 18 U.S. Code § 1030.

The case is U.S. v. Lanam, 2008 WL 2705514 (U.S. District Court for the Eastern District of Michigan 2008), and this is how it arose:
In March 2006, [Kirk] Lanam was indicted on six counts of unauthorized computer intrusion in violation of 18 U.S.C. § 1030(a)(5)(A) (i). The government later voluntarily dismissed three of the six counts.

The remaining three counts asserted that Lanam: (1) accessed the computer system of Total Mortgage Corporation (`Total’) without authorization and entered `ping flood’ commands that rendered Total's telephone system inoperative; (2) accessed Total's computer system without authorization and disabled the `firewall,’ thereby rendering the system vulnerable to subsequent attacks via the Internet; and (3) accessed the computer system of Air Source One, Inc. without authorization in order to gain access to Total's computer system.
U.S. v. Lanam, supra. Lanam went to trial and was convicted on all three counts.

After being convicted, he “move[d] for relief pursuant to” 22 U.S. Code § 2255, which is the federal habeas statute. As Wikipedia explains, habeas corpus “is an action often taken after sentencing by a defendant who seeks relief for some perceived error in his criminal trial.” In his habeas petition, Lanam asked for a new trial based on any or all of three reasons: his attorney was ineffective; the evidence was not sufficient to support the convictions; and the indictment was multiplicitous. We’re not concerned with the first argument; we’ll focus on the other two.

To understand Lanam’s second argument, I need to review the prior and current versions of 18 U.S. Code § 1030(a)(5). Until last September, § 1030(a)(5)(A)(i), the statute Lanam was convicted under, required (i) that the defendant have launched a DDoS attack on a computer system or accessed the system without being authorized to do so AND (ii) that by doing either or both he caused “loss to 1 or more persons during any 1-year period (and . . . loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value”.

Section 1030(a)(b) was revised last September, and one of the revisions eliminated the $5,000 requirement, which means it doesn’t apply to cases brought after September 26, 2008.
Lanam, though, was indicted prior to September 26, 2008, so he was charged under the earlier version of the statute, which means that the caused “loss to 1 or more persons” provision applied to him. In challenging his conviction he initially argued “that the evidence adduced at trial was not sufficient to support the statutory loss element of $5,000 for any of the three counts on which he was convicted.” U.S. v. Lanam, supra.

The federal judge, though, found that § 1030(a)(5) “does not require a $5,000 loss stemming only from the conduct underlying each individual count of unauthorized intrusion. Rather, the statute requires only a total loss of $5,000, which may be aggregated based on the conduct charged and any related course of conduct during a one-year period. U.S. v. Lanam, supra.
Lanam subsequently conceded that §1020(a)(5) only required aggregate loss totaling at least $5,000, but then argued that “the indictment was drafted in such a way that the government was required to prove a $5,000 loss stemming from each particular count.” U.S. v. Lanam, supra.

The federal judge didn’t agree. The judge began by noting that Count One of the indictment against Lanam read as follows:

On or about March 1, 2005 in the Eastern District of Michigan and elsewhere, Kirk Lanam . . . did knowingly cause the transmission of a computer command, and as a result . . . intentionally caused damage without authorization, to a protected computer, by accessing the computer system of Total Mortgage Corporation, which computer was used in interstate commerce, and entering commands that rendered Total Mortgage's telephone system inoperative that caused costs to be incurred . . . over $5,000, all in violation of Title 18, United States Code, [Section] 1030(a)(5)(A)(i).
U.S. v. Lanam, supra. The judge then noted that the other counts were phrased in an essentially identical manner.

The indictment is vague in that it does not explicitly state that the $5,000 loss may be aggregated from a related course of conduct. However, Lanam cites no law to support his contention that the sort of inartful drafting evident in this indictment may work to redefine the statutory elements of a crime.

U.S. v. Lanam, supra. The judge found Lanam was not entitled to a new trial based on this claim because there was “no suggestion that the indictment failed to charge an essential element of the crime or to provide Lanam with fair notice of the charges against him.” U.S. v. Lanam, supra.
Since the judge found the losses resulting from the charges in the indictment “and any related course of conduct during a one-year period” could be aggregated, he rejected Lanam’s second argument for a new trial.

As I noted above, Lanam’s third and final argument was that the counts in the indictment were multiplicitous. As I explained in a post I did last year, multiplicity is an error in the structure of a charging document, such as an indictment. Multiplicity is often described, in a phrase I like, as “impermissibly fractionating a single course of conduct into multiple offenses.” It means the prosecution breaks what is really one crime up into pieces, and charges the pieces in different counts of an indictment. So when a prosecutor creates a multiplicitous indictment, the effect is to multiply the criminal liability the defendant faces in a manner that’s inconsistent with the level of “harm” he or she actually caused.

The federal judge summarily disposed of Lanam’s multiplicity argument:

Lanam . . . argue[s] that if the loss element may be aggregated based on the conduct charged and any related course of conduct within a one-year period, the indictment is multiplicitous and violates . . . the Fifth Amendment. The . . . rule against multiplicity is properly invoked where a single illegal act is charged under more than one count, such that the defendant may be punished twice for the same crime. . . . Lanam's argument . . . is meritless because, although the losses from his conduct may be aggregated, each count of the indictment charged Lanam with committing a separate and discrete act of unauthorized intrusion.

U.S. v. Lanam, supra.
It looks like Lanam ultimately decided this issue was a lost cause. Last September, he filed a motion to appeal the judge’s ruling on the ineffective assistance of counsel issue (only); last September the federal district court granted him a Certificate of Appealability, which a defendant must obtain in order to appeal a federal district court’s ruling on a claim in a habeas petition. Since Lanam didn’t include the multiplicity argument in the issues he intends to appeal, he presumably thought he didn’t have a chance of winning on that issue.

I suspect he didn’t. While I can see the argument that if the government can aggregate the loss resulting from all 3 crimes to satisfy the $5,000 requirement as to each crime, it’s essentially breaking a single crime (which would consist of the sum total of the actions that inflicted the $5,000+ loss) into parts, the argument doesn’t work in the end. The reason it doesn’t work is that when Congress revised 18 U.S. Code § 1030 in 1986, it added a jurisdictional damage requirement of $1,000 to limit the use of the statute:

The [Senate Judiciary] Committee believes this threshold is necessary to prevent the bringing of felony-level charges against every individual who modified another’s computer data. Some modifications or alterations, while constituting `damage’ in a sense, do not warrant felony-level punishment, particularly when almost no effort or expense is required to restore the affected data to its original condition
U.S. Senate Report No. 99-432, 1986 U.S. Code Congressional and Administrative News, pp. 2479-2496 (1986). Since the $1,000 (later $5,000) requirement was simply a threshold requirement for establishing federal jurisdiction to prosecute a person for one of the § 1030(a)(5) crimes, it wasn’t one of the elements of those crimes and therefore couldn’t support a multiplicity claim.

And as noted earlier, last September Congress eliminated any possibility of basing a multiplicity claim on the government’s aggregating the “loss” resulting from a series of crimes to satisfy the jurisdictional requirement by revising § 1030. One revision moved the “loss . . . aggregating at least $5,000 in value” provision that had been in § 1030(a)(5) to 18 U.S. Code § 1030(c). It’s now a sentencing provision; section 1030(c)(4)(A), one who gains unauthorized access to a computer can be sentenced to a fine and/or imprisonment for “not more than 5 years” if the crime caused loss “during any 1-year period” that aggregated “at least $5,000 in value”.

Why did Congress do that?
I can’t say for sure. The revision clearly eliminated any possibility that a defendant could use the multiplicity argument if the government decided to aggregate loss across the counts of an indictment in order to establish the $5,00 loss requirement. Prior to the revision, some argued that the placement of the $5,000 requirement in the part of the statute that defined the unauthorized intrusion and DDoS crimes did, in fact, transform it into an element of the offense. I don’t really buy that argument because it’s clear the loss requirement was added, originally, to limit the use of the statute, which makes it a jurisdictional provision, not an offense element.

Anecdotally, I’ve heard Congress eliminated the $5,000 requirement as a condition for bringing a prosecution in order to give federal prosecutors the ability to use § 1030 against people who gain unauthorized access to computers and/or hit them with DDoS attacks but do not cause $5,000 in loss, not even in the aggregate. I think that’s the real reason Congress made this change; in other words, Congress reversed the position it took in 1986, when it revised the original, 1984 version of § 1030.

Because § 1030 now CAN be used against defendants who violate its provisions but don’t cause $5,000 in loss, does that mean we’ll see it being used a lot more often? I doubt it; I don’t think Congress meant to create the opportunity for a flood of § 1030 prosecutions. I think the goal was to give federal prosecutors the ability to use the statute in particular cases where, in their opinion, circumstances other than the amount of loss inflicted justified bringing a federal prosecution. I suspect they’ll use the new latitude they have carefully. Does that mean a federal prosecutor couldn’t abuse that latitude to prosecute someone under § 1030 when the nature of the “harm” – the loss – really doesn’t justify it? No, it doesn’t. Federal prosecutors have a great deal of discretion in deciding what cases they want to pursue, so such a scenario is at least conceivable. I, though, think it’s unlikely.

Friday, June 12, 2009

"Creates a Digitized Image"

In a sense, this post is about the need for -- and difficulty of -- drafting criminal statutes that define crimes with precision while still addressing the "harm" to be outlawed,

As you may have noticed, I seldom do posts on child pornography or child exploitation cases . . . not because the “harm” involved isn’t important, but because the defendants tend to be so inept (to put it kindly) that the legal issues just aren’t novel or complex.

This post is about an Indiana defendant who appealed his conviction for child exploitation and a related charge, and won . . . by successfully challenging the substance and application of the statutes at issue.
The case is Salter v. State, 2009 WL 1409484 (Indiana Court of Appeals 2009), and here are the facts that led to the charges:
In the fall of 2006, the Indianapolis Police Department received information from Delaware authorities that Salter had been having communications of a sexual nature with M.B., a girl in Delaware who was under . . . eighteen. On October 23, IPD officers obtained and executed a search warrant at Salter's house. . . . [They] seized computer towers, CDs, DVDs . . . and miscellaneous documents. Upon searching . . . two of the CDs, officers discovered thirty-eight images of M.B., fully or partially nude, eight images of other nude `prepubescent’ children, and five images of Salter's genitals. In addition, Delaware State Police found the images of Salter's genitals on M.B.'s computer.
State v. Salter, supra. Salter was charged with 46 counts of child exploitation plus 5 counts of disseminating matter harmful to minors. The child exploitation charges were brought under Indiana Code § 35-42-4-4(b)(1), which provides as follows:
A person who knowingly or intentionally . . ., exhibits, photographs, films, videotapes, or creates a digitized image of any performance or incident that includes sexual conduct by a child under eighteen (18) years of age . . . commits child exploitation, a Class C felony.
The disseminating material harmful to minors charge was brought under Indiana Code § 35-49-3-3((a)(1), which provides as follows: “[A] person who knowingly or intentionally . . . disseminates matter to minors that is harmful to minors . . . commits a Class D felony.” To constitute material harmful to minors, the material disseminated must (i) be obscene, (ii) be child pornography or (iii) the person who sent the material must have sent it to “ a child less than eighteen (18) years of age believing of intending that the recipient is a child less than eighteen (18) years of age.” Indiana Code § 34-49-3-3(b).

Salter was tried by a judge, not a jury, and convicted on 35 of the 46 counts. The counts he was convicted of included both child exploitation and disseminating material harmful to minors. State v. Salter, supra. As I may have mentioned, defense attorneys often go with a bench trial (trial by a judge) instead of a jury trial when the charges involve issues a jury is likely to find distasteful and the defense is based primarily on legal issues. My guess is that this is why Salter went with a bench trial, instead of a jury trial.

On appeal, Salter challenged the legal sufficiency of the charges under both statutes. That means he isn’t challenging the facts; instead, he’s basically saying, “even if I did what you claim I did, it wasn’t a crime” (or maybe, more precisely, “it wasn’t the crime you charged me with”). If the charge is invalid, then the conviction can’t stand.

As to the child exploitation charge, Salter argued that “the State's attempt to include downloading an electronic image and saving it on a CD in the definition of `creates a digitized image’ exceeds the permissible scope of the child exploitation statute.” State v. Salter, supra. In response, the prosecution argued that “a person who uses a computer to download an electronic image and save it on a CD `creates a digitized image’ as that phrase is used in Indiana Code subsection 35-42-4-4(b).” State v. Salter, supra.

In deciding which argument was correct, the Court of Appeals reviewed the history of Indiana Code § 35-42-4-4(b). The version of the statute that was originally adopted in 1978 created only one crime, which it defined as follows: “A person who knowingly or intentionally photographs, films, or videotapes a child under sixteen (16) years of age while the child is performing or submitting to” sexual intercourse or other sexual activity “commits child exploitation, a Class D felony.” The Court of Appeals noted that the current version of the statute creates two crimes: child exploitation (which is defined above); and possession of child pornography. State v. Salter, supra. The court found that the legislature’s addition of the second offense indicated that it had “for good reason, decided to punish the production and distribution of child pornography more broadly -- extending to matter portraying sixteen and seventeen year olds -- and more severely -- Class C felony -- than mere possession of child pornography, which concerns only children under sixteen and is a Class D felony.” State v. Salter, supra.

The Court of Appeals then looked at two cases from other states – a New Jersey case and a Maryland case – that dealt with essentially the same issue. Both of those courts held that “a person who prints an image from a computer or who downloads an image onto a computer does not `create’ the image. The image was already created. All the person is doing is saving a copy of the image.” The Indiana Court of Appeals therefore reached the same conclusion in the Salter case, noting that someone
who opens an e-mail and saves an attached picture to his computer or a CD `creates’ something. He `creates’ a new unit of data on the computer or a file on a CD that was not there before. But is that what our legislature meant by `creates a digitized image of’?

To answer that question, we need look no further than the original statute, which was written to punish the photographing, the filming, and the videotaping of sexual activity involving a child. . . . [T]his was . . . aimed at eliminating the initial creation of these images, i.e., the original act of recording. Until the late 1990s, the only way to do so was to use a camera along with film or tape. But. . .`modern digital cameras do not use any kind of film, but record real-life images directly in digital form.’ . . . Because people who digitally record a performance or incident are not technically photographing, filming, or videotaping, our legislature acted to close a possible loophole for users of modern digital devices. As technology evolved, so did the statute. . . .

[T]he aim of statutes like ours . . . is the same: to stop the creation of child pornography. Here, Salter did not `create’ any of the images underlying Counts 1-46; M.B. created the thirty-eight pictures of herself, and some unknown person created the eight images of the other children before they were posted on the nudist websites visited by Salter. By downloading the images . . . and burning them onto CDs, Salter only saved copies of them, i.e., he possessed them.
Salter v. State, supra. The Court of Appeals therefore reversed Salter’s convictions on the child exploitation counts. It also addressed the possibility of charging him with possession of child pornography:
As for the images of M.B., he has committed no crime. The State concedes M.B. was sixteen when she took the pictures of herself, and Indiana's possession of child pornography statute only extends to children under sixteen. . . . The children in the other eight images all appear to be under sixteen, but the State might implicate Indiana's Successive Prosecution Statute if it chooses to charge Salter with possession of child pornography based on those images. . . .
State v. Salter, supra. As to the 8 images of children that appear to be under 16, the court is saying that the State probably has a double jeopardy problem here, i.e., it prosecuted him for SOME crimes based on those images, and that probably means he cannot be prosecuted for other crimes based on the same images.

Finally, Salter argued that the charges for disseminating material harmful to minors were void for vagueness and therefore unconstitutional. As the Court of Appeals explained, under the constitutional guarantee of due process established by the 14th Amendment,
a penal statute is void for vagueness if it does not clearly define its prohibitions. . . . A penal statute must give a person of ordinary intelligence fair notice that his . . . conduct is forbidden so no man shall be held criminally responsible for conduct which he could not reasonably understand to be proscribed.
State v. Salter, supra. Salter’s argument here was based on this Indiana statute: “A person at least eighteen . . . who, with a child . . . less than sixteen . . ., performs or submits to sexual intercourse commits” what is usually known as statutory rape. Indiana Code § 35-42-4-9(a). Salter did not deny

that he disseminated or displayed `matter’ to M.B. or that M.B. was a `minor’ for purposes of the statute. Rather, he contends that `[n]o person of ordinary intelligence would think that he could legally have sexual relations with another person, but could not send that same person an electronic image of his genitals. We understand Salter's argument to be that he had no way of knowing that pictures of his genitals would be considered `harmful’ to M.B., given that, under Indiana law, he could have been naked in front of M.B. and had sex with her without violating any law.
State v. Salter, supra. The Court of Appeals agreed:
Such sexual activity could involve varying degrees of nudity and necessarily involves some exposure of the genitals. By setting the legal age of consent at sixteen, the Indiana legislature has made an implied policy choice that in-person viewing of another person's genitals is `suitable matter’ for a sixteen- or seventeen-year-old child. That being so, how could Salter have known that a picture of his genitals would be `harmful’ . . . for M.B.? . . . [I]f such images are harmful to sixteen- and seventeen-year-old children, then why would our legislature allow those children to view the same matter in-person, in the course of sexual activity? These questions reveal the flaw in Indiana Code section 35-49-3-3 as applied to Salter: it did not provide him with fair notice that the State would consider pictures of his genitals harmful to or unsuitable for a sixteen-year-old girl.
State v. Salter, supra. The Court of Appeals therefore reversed the convictions on the disseminating material harmful to minors charges, as well.