Friday, July 31, 2009

Shredder Programs and Obstruction of Justice

This is a follow-up to a post I did a couple of years ago, that dealt with using a forthwith grand jury subpoena to obtain computer hardware and other digital evidence. I used a federal case from Connecticut to illustrate how forthwith subpoenas work in this context.

This post is about what happened to the man whose (alleged) conduct was the impetus for the forthwith subpoena: Charles Spadoni. On January 9, 2001, a federal grand jury indicted him on charges of racketeering, conspiracy, bribery, wire fraud and obstruction of justice. U.S. v. Triumph Capital Group, Inc., 544 F.3d 149 (U.S. Court of Appeals for the Second Circuit 2008). He was convicted and appealed, claiming the evidence was Insufficient to prove certain elements of the crimes and the government “suppressed material exculpatory and impeaching evidence.” U.S. v. Triumph Capital, supra.

The Court of Appeals agreed that the government improperly suppressed exculpatory and impeaching evidence relevant to the first four charges, so it reversed his conviction and remanded for a new trial on those counts of the indictment. We, though, are only concerned with the obstruction of justice conviction.

I won’t go into all the facts that led to the non-obstruction of justice charges. I’ll just note that at the time, Spadoni was General Counsel for Triumph Capital, a “Boston-based private equity firm”. U.S. v. Triumph Capital, supra. The original indictment accused Spadoni and others of bribing people in state government, including Paul Silvester, who was for a while the Deputy Treasurer of the state of Connecticut. U.S. v. Triumph Capital, supra. All of this was allegedly going on in 1998 and 1999.

The relationship between Triumph Capital and state employees apparently came to the attention of federal investigators, because on May 25, 1999 a non-forthwith federal grand jury subpoena was served on the Connecticut office of Triumph Capital. It called for the production of evidence related to an investment contract that would later become the basic of certain of the charges in the original indictment. U.S. v. Triumph Capital, supra. Here is where things began to get interesting, as far as we’re concerned:

Shortly after the subpoena was served, Spadoni told Silvester about it. He said Triumph did not believe its consulting contracts with Stack and Thiesfield were covered by the subpoena, but Triumph's lawyers anticipated more subpoenas in the future. Spadoni . . . told [Silvester] that an attorney had advised him to destroy documents not called for by subpoena in anticipation of further subpoenas, and recommended specialized deletion software to remove them from his computer. . . .

On July 13, 1999, the grand jury issued another subpoena, which led Triumph to produce the Stack and Thiesfield consulting contracts. On December 29, 1999, the grand jury issued an additional subpoena, which led to the production of backup tapes from Triumph's computer networks.

On April 11, 2000, the grand jury subpoenaed a Triumph laptop computer assigned to Spadoni. An FBI forensic computer examiner testified at trial that his inspection of the laptop revealed that a copy of the commercial document deletion software `Destroy-It!’ was installed on the computer on June 21, 1999, and used to delete files in a directory named `Triumph’ on June 23, 1999. On December 28, 1999, the software was used to delete two files in a directory named `LAT, LLC,’ which was the name of Thiesfield's wholly-owned company.

Among the documents deleted from the laptop were files named `Stack Contract’ and `LAT Contract.’ These files were accessed on November 16, 1998, and at the time they had last been modified on November 10, 1998. . . . The document deletion software was also used to remove files called `Park Strategies Agreement,’ `Engagement Letter,’ and others apparently unrelated to this case.

At one point after the investigation began, Triumph's comptroller, Robert Trevisani, discussed with Spadoni how to destroy computer files securely, and remarked, `if we were trying to hide something, we could use a program like CleanSweep. . . . Spadoni informed Trevisani that the program he needed `would be Destroy-It!.’

U.S. v. Triumph Capital, supra. The April 11, 2000 subpoena was the forthwith subpoena I talked about in my last post. As I explained in that post, this subpoena issued because the government had heard Spadoni was going to delete evidence on the laptop.

The indictment charged Spadoni with obstructing justice in violation of 18 U.S. Code § 1503(a), which makes it a crime to “influence, obstruct, or impede, the due administration of justice”. Spadoni claimed he should have been acquitted of the charge “because there was insufficient evidence to support the jury's finding that he knew his actions were likely to affect the grand jury proceedings.” U.S. v. Triumph Capital, supra.

In making this argument, Spadoni relied on the U.S. Supreme Court’s decision in U.S. v. Aguilar, 515 U.S. 593 (1995). In Aguilar, the Court held that for someone to be guilty under § 1503(a), they had to know that their actions were “likely to affect the judicial proceeding” which was obstructed. The Aguilar Court reversed a federal judge’s conviction for obstructing justice because it found the evidence did not prove beyond a reasonable doubt that he knew, when he lied to FBI agents, that the false statements would be given to a grand jury.

The Court said it wasn’t enough that Aguilar knew a grand jury was investigating matters related to the false statements he gave; to convict him, the government had to prove he knew the agents were working for the grand jury and his statements would be given to the grand jury. The Court said that absent such knowledge, Aguilar simply lied to federal agents, which does not constitute obstruction of justice. It explained that obstruction of justice under § 1503 requires a nexus between false statements or other acts and a “judicial proceeding;” a grand jury investigation is a judicial proceeding, but talking to federal agents is not. U.S. v. Aguilar, supra.

Spadoni argues that his conduct was directly analogous to Aguilar's. Destroying a document does not in fact affect a grand jury proceeding if the grand jury never requests the document. While Spadoni deleted several documents from his company laptop, at no time did he delete a document for which there was an outstanding subpoena. Just as there was insufficient evidence to prove that Aguilar knew his false statements would later be communicated to the grand . . . , so, goes the argument, there is insufficient evidence to prove that Spadoni knew the documents he deleted would later be, or were likely later to be, requested by the grand jury.

U.S. v. Triumph Capital, supra. The Court of Appeals did not agree. It found, first, that his

argument ignores a key difference between . . . a grand jury subpoena duces tecum seeking the production of documents and the questioning of a subject by an investigating agent. Grand jury subpoenas duces tecum are customarily employed to gather information and make it available to the investigative team of agents and prosecutors so that it can be digested and sifted for pertinent matter. Before the subpoenas are issued, the government often does not have at its disposal enough information to determine precisely what information will be relevant. . . .

Accordingly, subpoenas duces tecum are often drawn broadly, sweeping up both documents that may prove decisive and documents that turn out not to be. This practice is designed to make it unlikely that a relevant document will escape the grand jury's notice, and it is generally effective. Destruction of a relevant document is therefore likely to impact the grand jury's deliberations. . . .

By contrast, an investigating agent collecting statements from witnesses (or even . . . a suspect) does not always act as `an arm of the grand jury,’ and `what use will be made of false testimony given to an investigating agent who has not been subpoenaed or otherwise directed to appear before the grand jury is ... speculative.’ [Aguilar, supra.])

U.S. v. Triumph Capital, supra. The Court of Appeals therefore found that the context provided

a crucial distinction between Aguilar's conduct and Spadoni's. The inference that Aguilar's statements to the agent would be presented to the grand jury was not strong. The statements were not obtained by grand jury subpoena, and statements made to investigating agents are not communicated to grand juries as a matter of course. By contrast, the inference that the grand jury would issue a subpoena for the Thiesfield and Stack contracts was quite strong, perhaps inescapable. The government produced evidence suggesting Spadoni's awareness of the comprehensive nature of the subpoenas duces tecum typically issued in federal grand jury investigations. The jury heard evidence that Triumph's attorneys anticipated further subpoenas; that Spadoni had received advice from a former prosecutor indicating that the grand jury would be likely to inspect the data contained on his laptop; that Spadoni stated his belief that federal investigations are `very comprehensive and thorough,’ and that Spadoni asked Silvester to destroy copies of a different contract. . . .

The Stack and Thiesfield contracts . . . were at the very core of the transaction the government was investigating. The jury could have concluded that Spadoni was aware that further subpoenas covering a broad range of documents would issue, and knew it was likely that the Stack and Thiesfield contracts would be requested. Accordingly, Spadoni's conviction for obstruction of justice, based on his destruction of those documents in his computer files, was supported by sufficient evidence.

U.S. v. Triumph Capital, supra.

The Court of Appeals affirmed the obstruction of justice conviction but remanded that count to the district court for resentencing. The district court had sentenced Spadoni to “concurrent 36-month terms of imprisonment on all counts”. U.S. v. Triumph Capital, supra. The Court of Appeals remanded for resentencing because it could not “be certain that the 36-month concurrent sentence” on the obstruction of justice count “was not affected by the convictions that we have reversed”. U.S. v. Triumph Capital, supra.

Wednesday, July 29, 2009

The Fake Salvation Army Website

This post is about an evidentiary issue that arose in U.S. v. Stephens, 2009 WL 1608845 (U.S. Court of Appeals for the 5th Circuit 2009). Here, according to the Court of Appeals, is how brothers Bartholomew Stephens and Steven Stephens came to be prosecuted:

[I]n the wake of Hurricane Katrina, Steven registered a website: www. salvation army online. org The website was patterned after the official Salvation Army website and claimed to be the website of the organization's international headquarters. A donation link was created on the website, through which people could contribute money into PayPal accounts created in the names and identification numbers of individuals other than Steven or Bartholomew but linked to the brothers' bank accounts. Donations were made, and the brothers profited. Eventually, the FBI learned of the suspect Salvation Army site and obtained a search warrant for an apartment the brothers shared with another individual. The FBI executed the warrant and recovered a trove of incriminating evidence regarding each defendant.

U.S. v. Stephens, supra. They were indicted “for conspiracy to commit wire fraud and aggravated identity theft (count one), aiding and abetting wire fraud (counts two through seven), and aggravated identity theft (counts eight and nine).” U.S. v. Stephens, supra. The two went to trial together and were both convicted on all counts. They appealed, arguing, in part, that the district court judge who presided over their trial erred when he allowed the prosecutor to introduce this evidence:

Approximately one month after the bogus Salvation Army website was registered, the domain, purporting to be part of the Red Cross, was registered using the name Beis Stephens, as well as Bartholomew's e-mail address, mailing address, and credit card information. A laptop recovered from the brothers' apartment contained a picture of Bartholomew wearing a shirt that read `BEIS LETHAL INC.’ This laptop also contained the www. salvation army online. org web page and search results for the Salvation Army that listed www. salvation army online. org as the first `hit.’ One of these searches appeared in a subfolder entitled `BJ Stephens.’

U.S. v. Stephens, supra.

The federal judge who presided over the trial admitted the evidence under Rule 404(b) of the Federal Rules of Evidence. Rule 404(b) provides as follows:

Evidence of other crimes, wrongs, or acts is not admissible to prove the character of a person in order to show action in conformity therewith. It may, however, be admissible for other purposes, such as proof of motive, opportunity, intent, preparation, plan, knowledge, identity, or absence of mistake or accident. . . .

Rule 404(b) creates an exception to the general rule – found in Rule 404(a) of the Federal Rules of Evidence and in similar state provisions – “excluding circumstantial use of character evidence.” Advisory Committee Note – Federal Rule of Evidence 404. As the drafters of Rule 404 noted, character evidence can be used “for the purpose of suggesting an inference that the person acted on the occasion in question consistently with his character. This use of character is often described as `circumstantial.’” Advisory Committee Note – Federal Rule of Evidence 404. As the drafters also noted, in most

jurisdictions today, the circumstantial use of character is rejected but with important exceptions: (1) an accused may introduce pertinent evidence of good character . . .; (2) an accused may introduce pertinent evidence of the character of the victim, as in support of a claim of self-defense to a charge of homicide . . . ; and (3) the character of a witness may be gone into as bearing on his credibility.

Advisory Committee Note – Federal Rule of Evidence 404.

Rule 404(b), which is the rule that was at issue in U.S. v. Stephens, deals with a

specialized but important application of the general rule excluding circumstantial use of character evidence. Consistently with that rule, evidence of other crimes, wrongs, or acts is not admissible to prove character as a basis for suggesting the inference that conduct on a particular occasion was in conformity with it. However, the evidence may be offered for another purpose, such as proof of motive, opportunity, and so on, which does not fall within the prohibition. In this situation the rule does not require that the evidence be excluded. . . . The determination must be made whether the danger of undue prejudice outweighs the probative value of the evidence in view of the availability of other means of proof and other facts appropriate for making decision of this kind. . . .

Advisory Committee Note – Federal Rule of Evidence 404.

The premise is that one side shouldn’t be able to show you did some bad things in that past and use the evidence of those “bad acts” to claim you’re a bad person who continues to do bad things. As the Stephens judge noted, Rule 404(b) is intended “to `guard against the inherent danger that the admission of “other acts” evidence might lead a jury to convict a defendant not of the charged offense, but instead of an extrinsic offense.’” U.S. v. Stephens, supra.

The Stephens brothers argued that the district court judge shouldn’t have admitted the evidence of the Red Cross site; the government, not surprisingly, disagreed:

The Government asserts that . . . the Red Cross website . . .was intrinsic to the charged crimes. Rule 404(b) is not implicated if the Red Cross evidence was intrinsic to the acts for which the brothers were charged, i.e. the fraudulent Salvation Army website. We find `other act’ evidence to be intrinsic to the charged crime `when the evidence of the other act and the evidence of the crime charged are “inextricably intertwined” or both acts are part of a “single criminal episode” or the other acts were ‘necessary preliminaries' to the crime charged.’ Intrinsic evidence `is admissible so that the jury may evaluate all the circumstances under which the defendant acted. The government argues that the Red Cross website was intrinsic to the Salvation Army website conspiracy because it . . .established the connection between Steven and Bartholomew and was inextricably intertwined with the evidence of both of the substantive offenses.

U.S. v. Stephens, supra. The Court of Appeals didn’t buy the government’s argument:

[W]e conclude that the Red Cross website evidence is not intrinsic to the Salvation Army scheme. The action of creating the Red Cross website was not `inextricably intertwined’ with the evidence of the Salvation Army website. Neither was it a part of a single criminal episode or a necessary preliminary step in the Salvation Army website scheme. Certainly the actions are similar, but they were still distinct events.

U.S. v. Stephens, supra.

Since the evidence was extrinsic, the Court of Appeals applied a two-part test to decide if its admission constituted reversible error. The first question was whether the extrinsic evidence – the Red Cross site – was relevant to an issue other than the Stephens brothers’ character. The government said it was relevant to their “plan, intent, motive and preparation” for the Salvation Army site. U.S. v. Stephens, supra. The brothers argued it wasn’t relevant to any of those issues because “the Government did not put on proof that it was not a legitimate Red Cross website”. U.S. v. Stephens, supra. After noting that extrinsic evidence of “`using the same scheme repeatedly is relevant to . . . intent, in that it” demonstrates how an operation worked, the Court of Appeals found this

was the case with Bartholomew's registration of the Red Cross website. For example, the `Mock Money Makin.doc’ spreadsheet, recovered from one of the computers in the brothers' apartment, contained information about the PayPal accounts linked to the Salvation Army website, as well as information about creating a PayPal account for the Red Cross website and about listing the Red Cross website on a search engine called Overture. This spreadsheet demonstrated, at least in part, how the operation worked and therefore helped establish the brothers' intent, planning, preparation, and knowledge.

U.S. v. Stephens. The Court of Appeals then addressed the second question in its extrinsic evidence analysis: whether the evidence possessed probative value that was not substantially outweighed by its undue prejudice and otherwise met the requirements for admitting evidence. The Court of Appeals found that the Stephens brothers had not shown that the probative value of the evidence (as described above) was outweighed by its prejudicial effect:

There was ample non-Red Cross evidence supporting the jury's verdict. Though the defendants emphasize the number of references made to the Red Cross website by the Government, this does nothing to undermine the overwhelming evidence that exists regarding the Salvation Army web site scheme, nor the fact that the jury was instructed to use the extrinsic evidence to ascertain the brothers' mental state. . . . Furthermore, even assuming that the district court erred in admitting the evidence of the Red Cross website, neither defendant has demonstrated that such evidence affected his substantial rights. We cannot conclude that the district court committed plain error when it admitted evidence regarding the Red Cross website.

U.S. v. Stephens, supra. The court therefore affirmed their convictions.

(And if you were wondering, Steven was sentenced to serve 111 months in prison, while Bartholomew was sentence to serve 105 months in prison. Both prison terms were to be followed by three years supervised release. U.S. v. Stephens, supra.)

Monday, July 27, 2009

Networks and War of Aggression

This is another follow-up to the post I did last week on cyber war. This post is a response to someone who raised these questions after reading the earlier post:

I am a law student at Cornell University, and one other issue struck me while reading your article: What about potential liability for private carriers in allowing cyberwar signals to reach US government servers? In the event that these carriers have the capacity to identify enemy attacks, and the capacity to stop them, do they have a duty under the law as it currently stands to prevent such attacks from accessing sensitive computers in the first place?

They’re good questions, and I’m going to do my best to respond to them, given the limitations imposed by the relative brevity of a blog post and the fact that I am not an expert in the laws of war. I’m also going to limit my response to the issue of criminal liability, because I am an expert in that area; civil liability may, or may not, apply here.

The issue is whether U.S. civilian carriers can be held criminally liable for not preventing hostile cyberwar signals from reaching U.S. targets. (I’m including civilian and criminal targets because, as I’ve noted before, cyberwar will almost certainly blur or ignore the distinction between combatants and non-combatants.) There are two ways the carriers could, at least theoretically, be liable for letting the signals go through: direct criminal liability and derivative criminal liability.

Direct criminal liability means that the carriers themselves committed a crime by not preventing the signals from reaching their U.S. targets. The only way I can see they’d be liable under that principle is if the U.S. had laws requiring civilian carriers to block hostile cyberwar signals or be held criminally liable for failing to do so. As far as I know, we don’t have such laws. If I’m wrong on that, please let me know.

The other alternative is to use derivative criminal liability, which means we hold the carriers liable for aiding and abetting cyberwar or conspiring to commit cyberwar.

As I noted in an earlier post, conspiracy can be used to hold all the members of a conspiracy liable for the crimes their colleagues commit. As I also noted in that post, aiding and abetting – or accomplice – liability is based on the premise that if John helps Jane rob a bank by, say, giving her the combination to the bank safe, he should be held guilty of the robbery, even though he was not present when Jane actually robbed the bank. We impute liability for the completed crime – the target crime – to the accomplice who facilitates its commission, both because of the role he/she/it played in contributing to the crime and to deter others from aiding and abetting future crimes.

Accomplices usually do something overt to facilitate the commission of the target crime; they give the combination to the safe, they give the man who’s going to commit murder a gun, etc. In the scenario we’re analyzing, the civilian carriers haven’t done anything overt; they’ve simply not prevented the cyberwar signals from reaching their intended targets. The drafters of the Model Penal Code (which, as I’ve noted, is an influential template of criminal laws) specifically addressed this situation: Section 2.06(3)(a)(ii) of the Model Penal Code says one is an accomplice “in the commission of an offense if . . . with the purpose of . . . facilitating” the crime and “having a legal duty to prevent” the crime he “fails to make a proper effort so to do”.

We therefore would have to resolve three issues in order to hold the civilian carriers criminally liable for not preventing cyberwar signals from reaching their targets: One, as noted above, is the existence of a duty to prevent the crime; we can’t infer such a duty. It would have to exist in a statute or regulation or even under case law. For the purpose of this analysis, we’ll assume such a duty exists (even though I don’t think it does). The other issue we’d have to resolve is whether, having such a duty, the carriers purposely did not prevent the cyberwar signals from reaching their targets. While I think it would be impossible to prove that, I’m going to reserve that issue for the moment, and move on to what I think is the REALLY difficult issue.

As I noted above, an accomplice is held liable for facilitating the commission of a target crime, like robbery or murder. As I tell my students, accomplice liability doesn’t stand alone; that is, there’s no such crime as “being an accomplice.” The crime is “being an accomplice to ________” (insert target crime). So to hold the private carriers liable for not preventing the signals from reaching their targets, cyberwar has to be a crime. Then the carriers could, at least theoretically, be held liable as accomplices to cyberwar.

That brings us to the real issue: Is war (which we’ll assume includes cyberwar) a crime? As Wikipedia explains, there are three sources of authority for the proposition that “war of aggression” is a crime. The first derives from the Nuremberg trials: The 1945 London Charter of the International Military Tribunal defined three categories of crime, one of which was “crimes against peace.” In 1950, in a document submitted to the U.N. the Nuremberg Tribunal defined “crimes against peace” as “waging a war of aggression” or participating in a “common plan or conspiracy” to wage a war of aggression.

That principle was incorporated into the U.N. Charter and in 1974 became the basis of U.N. Resolution 3314. U.N. Resolution 3314 was a non-binding recommendation to the U.N. Security Council; so while it defines the “crime of aggression”, that definition is not binding under international law. Resolution 3314 says a “war of aggression is a crime against international peace” and defines aggression as “the use of armed force by a State against the sovereignty . . . of another State”. Under Article 51 of the U.N. Charter, states can lawfully use armed force to defend themselves against an attack by another state; essentially, any other use of armed force constitutes the crime of aggression.

That brings us to the final source: The Rome Statute of the International Criminal Court. Article 5 of the Statute gives the International Criminal Court jurisdiction over 4 types of crime: Genocide; crimes against humanity; war crimes; and the “crime of aggression”. The Rome Statute defines the first three, but does not define the crime of aggression; according to Wikipedia, a conference to be held some time next year is supposed to define it. I’m including the Rome Statute in this discussion, even though the U.S. does not intend to become a party to the statute; as a result, the Statute doesn’t bind the U.S.

I’m not sure, at this point, that war is a crime, so I’m even less certain that cyberwar is a crime. For the purpose of analysis, I’m going to assume cyberwar is a crime and can therefore support derivative liability under either of the theories noted above.

As far as I know, there has only been one attempt to hold civilian corporate executives criminally liability for an aggressive war. Count 1 of the Indictment in the Nuremberg Trials charged all of the defendants with participating in a “common plan or conspiracy” to wage a war of aggression. Twelve of the defendants charged were associated with the Krupp company, which had been Germany’s leading armament manufacturer. The prosecution’s theory was that the Krupp company and these individual defendants, had conspired with the Nazi regime to wage aggressive war; the premise seems to have been that the conspiracy could be inferred from the fact that the Krupp company, and these defendants, worked to rearm Germany, often in violation of the Versailles Treaty, and profited from their efforts.

The Tribunal eventually dismissed the aggressive war charge against these defendants because it found that their involvement in making weapons used to wage war was not enough to establish their liability absent evidence they knew the weapons were to be used in aggressive war and acted with the intent of furthering that end. In concurring in the acquittal, one of the judges noted that weapons can be used offensively or defensively, and the defensive use of weapons is lawful.

Even if we assume, as I have, that war of aggression is a crime and civilian carriers have a legal duty to prevent cyberwar signals from reaching their targets, I don’t see how the carriers could be held criminally liable as accomplices or conspirators. I think the critical issue is the same as in the Krupp case: Both accomplice liability and the principle that holds conspirators liable for the crimes their fellow conspirators commit require that the person have acted either with the purpose of facilitating the target crime (accomplice) or with the knowledge that he had joined a conspiracy and that his co-conspirators would or were likely to commit the target crime.

I think it would be impossible to prove that in the scenario we’re analyzing, at least as long as the carriers aren’t on notice that the signals in question are cyberwar signals being directed at U.S. targets. If a country decides to launch a cyberwar attack, how and why is a private carrier to know that these signals are war-of-aggression signals instead of routine signals (or even signals being used for cybercrime). If the Krupp defendants couldn’t be held guilty of conspiring to commit aggressive war when their conduct spanned many years (and what some would say were pretty clear markers), then I don’t see how a civilian carrier unexpectedly and almost instantaneously confronted with cyberwar signals heading for U.S. targets could be convicted of aiding and abetting the attack or being liable under the co-conspirator as agent theory.

I’m far from being an expert on international law or on the laws of war, so if I’ve missed something, let me know.

Friday, July 24, 2009

Proffer Gone Wrong . . .

In federal criminal practice a “proffer” (also known as a “proffer letter” or “proffer agreement”) is a written agreement between a prosecutor and someone suspected of committing federal crimes. Defense attorneys use proffers to negotiate plea bargains or immunity for their clients, but they can be tricky.

As this article explains, the proffer lets the suspect “tell the government about [his] knowledge of crimes, with the supposed assurance that [his] words will not be used against [him]” in any subsequent prosecution.

This post is about a case in which a suspect’s proffer didn’t work out as he had hoped. The case is U.S. v. Merz, 2009 WL 1183771 (U.S. District Court for the Eastern District of Pennsylvania), and I’ll summarize the facts that lead up to the proffer.

In 2006, FBI Agent Luders accessed the “Ranchi” website, which was located in Japan “displayed child pornography.” U.S. v. Merz, supra. He downloaded child pornography from the Ranchi site and then uploaded “two files . . . accompanied by text describing the purported contents of the files.” U.S. v. Merz, supra. Neither file contained child pornography. Luders’ computer monitored the files and recorded the IP addresses of those who tried to download them. On October 25, 2006, someone used IP address to try to download the files; Luders traced the IP address to Paul Merz, at an address in Philadelphia. Another FBI agent used that information to get a warrant to search the Merz residence; FBI agents executed the warrant on February 27, 2007. U.S. v. Merz, supra. When the agents arrived at the residence, Paul Merz’s son, Robert, told them “`it’s me you want to arrest’”. U.S. v. Merz, supra. Robert also told the agents his father was “`not involved’” in his (Robert’s) activities. U.S. v. Merz, supra. The agents seized a computer and 106 DVDs from Robert’s bedroom. U.S. v. Merz, supra.

And that brings us to the proffer. On March 14, Merz engaged in a proffer session with the

Government [which] took place pursuant to a proffer letter, executed by Assistant United States Attorney Denise Wolf, Merz, and Merz's then-counsel, David Kozlow.

Regarding use of information gained during the . . . session . . . , the proffer letter states:

First, no statements made by . . . [Merz], or other information provided by . . . [him] during the `off-the-record proffer, will be used directly against [him] in any criminal case.

Second, the government may make derivative use of, and may pursue investigative leads suggested by, statements made or information provided by [Merz]. That is . . . [he] waives any right to challenge such derivative use and agrees that such use is proper. . . ;

At the proffer session, Merz gave the Government his password to access an Internet message board known as My Kingdom, and signed a separate consent form in which he allowed the Government to use his online identity when interacting with individuals who frequented the My Kingdom site. The Government used Merz's online identity in its investigation in this case. . . .

The grand jury returned an indictment on April 12, 2007, charging Merz with receipt and possession of child pornography.

On August 1, 2007, Merz . . . withdrew his permission for the Government's use of his online identity, and the Government ceased using Merz's identity.

On October 25, 2007, the grand jury returned a Superseding Indictment . . . which added another count -- advertising child pornography. The Government used evidence derived from Merz's March 14, 2007 proffer session to show he committed this offense.

U.S. v. Merz, supra. I wrote about the use of a “consent to assume online presence” in a post I did about a year and a half ago. As I explained, consent is an exception to the 4th Amendment’s requirement that police obtain a warrant before searching a place and/or seizing a thing.

As I speculated there, the consent to assume online presence seems to act a little like a traditional consent to search and seize, but with a few differences. I’ll refer you to that post for the 4th Amendment issues these consents seem to raise. This post is about the consequences of Merz’s executing such a consent.

After the grand jury returned the superseding indictment, Merz moved to suppress (i) the statements he made during the March 14 proffer session and (ii) the derivative evidence the government obtained from his consent to assume online presence. Since the proffer said no statements Merz made during the proffer session would be used “directly against [him] in any criminal case”, the judge granted Merz’s motion to suppress the statements. U.S. v. Merz, supra.

The derivative evidence issue arose from the fact that when FBI agents used his password to access the My Kingdom site, they discovered evidence that was used to charge him with advertising and transporting child pornography. U.S. v. Merz, supra. (The first indictment charged him with receipt and possession of child pornography; the superseding indictment added the two other charges, which were based on what the agents found on the My Kingdom site.) As the district court noted, Merz claimed the

derivative evidence should be suppressed because he understood from the proffer agreement he would have the opportunity to receive a reduced sentence as long as he provided truthful and complete information to the Government, and he contends he has provided such information. . . . Merz contends the Government's use of derivative evidence to charge him with additional counts, which expose him to a much greater prison sentence, is inconsistent with his understanding of the proffer agreement.

U.S. v. Merz, supra. He lost. The federal judge pointed out that Merz’s proffer letter said “`the government may make derivative use of, and may pursue investigative leads suggested by, statements made or information provided by . . . [Merz].’ In the letter, Merz agreed to `waive[ ] any right to challenge such derivative use and agree[d] such use is proper.’” U.S. v. Merz, supra. Having agreed to those conditions, the court said he couldn't complain about the consequences.

Merz also made another argument to try to get the evidence resulting from the agent’s use of his My Kingdom password: he moved to dismiss

Counts I and IV of the . . . Superseding Indictment, charging him with advertising and transportation of child pornography, on the ground that they are based on improper use of evidence derived from Merz's proffer session and post-proffer cooperation. Merz claims the Government gathered the evidence underlying Counts I and IV, including the discovery of a witness against him, when Merz allowed federal agents to use his My Kingdom password and assume his online identity.

U.S. v. Merz, supra. In making this argument, Merz claimed the “Government has a duty of good faith in its dealings with cooperating defendants”. U.S. v. Merz, supra. For that proposition, he cited a case that involved plea agreements and subsequent sentencing. The court noted that Merz’s argument was not based on constitutional violations but on the exercise of prosecutorial discretion, and that prosecutorial discretion is “generally non-reviewable” by courts. U.S. v. Merz, supra. The prosecution pointed out that the case Merz relied on only applied to plea agreements, not to proffer letters.

The judge noted, though, that the court in that case based its finding that a duty of good faith applied in plea negotiations on “the existence of a contractual relationship between the Government and the defendant”. U.S. v. Merz, supra. He also pointed out that the “Government appears to concede the existence of such a relationship between itself and Merz in the instant case when it argues the proffer letter should be construed according to principles of contract law.” U.S. v. Merz, supra.

Ultimately, however, the judge found he did not need to decide if a duty of good faith applies in the context of proffer letters because Merz voluntarily signed a proffer letter that “expressly authorize[d] use of derivative evidence”, such as the evidence resulting from the agents’ use of his My Kingdom password. U.S. v. Merz, supra. The judge therefore denied Merz’s motion to dismiss Counts I and IV of the Superseding Indictment. U.S. v. Merz, supra.

The judge did not rule on one final argument Merz made: In a different motion, he sought to prevent a witness from testifying at trial because of how the government found about him: “Merz argues government agents, while posing as Merz on the My Kingdom website, revealed information about Merz, particularly his name, to a third party who will testify against Merz at trial.” U.S. v. Merz, supra. Merz apparently argued that the witness should not be allowed to testify because of how the agents discovered him. The court reserved ruling on that issue until the government offered this person as a witness at Merz’s trial. U.S. v. Merz, supra.

As to that witness, the statement of facts I quoted from above said this:

On January 31, 2007, Jonathan Adams signed a consent to allow government agents to assume his online presence. Adams told government agents he jointly administered My Kingdom with Merz. Adams pled guilty to child pornography charges in the United States District Court for the District of New Jersey.

U.S. v. Merz, supra. So maybe Adams is the witness Merz wants to prevent from testifying, given how he was discovered.

I don’t know how common it is for agents (and officers) to use consents to assume someone’s online presence. I’ve found them mentioned in only a handful of reported cases, none of which address the issue I raised in my original post on the topic, i.e., whether they’re a 4th Amendment device or something else.

Thursday, July 23, 2009

"True Threats" - Revisited

Last year, I did a post about a case in which a college student was charged with violating 18 U.S. Code § 875(c).

I explained that § 875(c) makes it a federal crime to transmit a “threat . . to injure the person of another” via interstate commerce, and using the Internet satisfies the Internet commerce element of the offense. I noted that the only open question was whether the content the student put online qualified as a threat, or what the law calls a “true threat.”

I also explained that the U.S. Court of Appeals for the Sixth Circuit held, in U.S. v. Alkhabaz, 104 F.3d 1492 (6th Cir. 1997), that a University of Michigan student’s posting violent sexual fantasies online was not a “true threat” . . . even though the student who wrote and posted the stories gave the victim the same name as one of his classmates. The student this post is about attended a university in Pennsylvania. In my previous post on the Pennsylvania case, I speculated as to whether the student’s conviction might be overturned on appeal given that the Pennsylvania case has some things in common with the Alkhabaz case.

It didn’t turn out that way: On July 15, the U.S. Court of Appeals for the Third Circuit affirmed Steven Voneida’s conviction for violating 18 U.S. Code § 875(c). U.S. v. Voneida, 2009 WL 2038633 (2009). In appealing his conviction, Voneida argued that

his statements were not “`hreats,’ were never transmitted to anyone, and there was `no imminent prospect of execution.’ Instead, he contends, they were more akin to `a college student's unfledged attempt at counterculture humor.’

U.S. v. Voneida, supra. The Court of Appeals didn’t agree. It found the evidence was sufficient to support Voneida’s conviction for using interstate commerce to transmit a “threat” to injure another person or persons. It first addressed the content of the material Voneida posted online:

Two days after the tragic shootings at Virginia Tech, Voneida, a student at the Harrisburg campus of Penn State University, posted several statements and pictures to different parts of his internet MySpace page that were the subject of his conviction. These statements and pictures included: `Someday: I'll make the Virginia Tech incident look like a trip to an amusement park’; `the weary violent types who are sick of self-righteous, lecherous, arrogant, and debauched attitudes displayed by [A]merican youth would band together with me for a day, and allow everyone at schools and universities across the nation to reap the bitter fruit of the seeds that they have been sowing for so long’; expressed `shock[ ]’ that after the Virginia Tech shootings his classmates `were actually surprised that there are people out there who would shoot them if given the opportunity’; `lost my respect for[ ] the sanctity of human life’; captioned a posting `Virginia Tech Massacre-They got what they deserved,’ where he noted his current mood was `extatically [sic] happy,’ and included a poem dedicated to the Virignia Tech shooter that concluded that the shooter's `undaunted and unquenched’ wrath would `sweep across the land’; and a picture of the bloodied Virginia Tech shooter holding two guns superimposed on a cross with the words `martyr,’ `massacre,’ `enrage,’ and `recompense.’

U.S. v. Voneida, supra.

The court noted that “some of the statements, taken in isolation, may not rise to the level of a threat within the meaning of § 875(c),” but found that “was not the context of the case here.” U.S. v. Voneida, supra. It found a rational jury could reasonably construe the statements “that were made only two days after the Virginia Tech shootings, specifically the comment about making Virginia Tech look like `a trip to an amusement park,’ as a serious intention to inflict bodily harm.” U.S. v. Voneida, supra.

The Court of Appeals also rejected Voneida’s argument that the statements were never

transmitted because his postings were more like a hand-written diary also fails. Section 875(c) requires that the communication be transmitted in interstate commerce. For other MySpace users to view the statements posted to various parts of Voneida's MySpace page, the postings had to pass through the main internet server, located in California. Further, the `amusement park’ statement and others were posted to Voneida's MySpace `bulletin board,’ which was set to send out update notices to members of his `buddy’ list when he added new information. And, those with access to Voneida's MySpace page could respond to his statements by posting their own comments on his page. Given these facts, we conclude that a rational jury could have determined that the offending statements met this element of the statute.

U.S. v. Voneida, supra.

Finally, the Court of Appeals rejected Voneida’s argument that to violate § 875(c), the prosecution had to prove the threat was “imminent,” i.e., that Voneida intended to implement what he posted online:

[T]here is no requirement in the statute of proof of imminency to make a threat real. In proving that Voneida's statements were threats, the Government `bore no burden of proving that [Voneida] intended his [statements] to be threatening or that he had an ability at the time to carry out the threats.’

U.S. v. Voneida, supra. The Court of Appeals therefore affirmed Voneida’s conviction, which means he’ll have to serve the sentence of 19 months in prison the district court imposed on him. U.S. v. Voneida, supra.

I don’t know if I agree with the Court of Appeals. Until I read the opinion, I hadn’t known about some of the comments Voneida posted on his MySpace page . . . and I admit some of them are pretty disconcerting. I think what bothers me about the opinion, and the conviction, is that the facts in the case differ in one important respect from traditional threat cases.

As I believe I noted in my earlier post on this case, the usual dynamic of a threat crime is that the perpetrator (the “threatener”) directly transmits the threat to the victim. That’s always been an essential element of the crime, and it’s one of the reasons criminal law can criminalize threats without violating the 1st Amendment. A threat is, after all, speech, which means it’s protected by the 1st Amendment unless some circumstance deprives it of that protection.

Historically, courts held that threats could be criminalized under either or both of two rationales: One is that a threat causes emotional “harm” to the victim, which is usually what the threatener intends to do. The premise here is that unlike regular speech – which can offend us or make us uncomfortable -- a threat inflicts an aggravated level of emotional “harm” which justifies criminalizing the act of making a threat.

The other rationale is that a threat can be seen as an initial step toward carrying out the threatened act of killing or injuring another person or persons. The premise here is that by making a “true threat,” you’ve shown that you’re dangerous, so the law can intervene to prevent you from carrying out what you have, in effect, promised to do.

Here, as far as I can tell, Voneida never directly transmitted his concededly unsettling comments to an intended victim. Instead, like Alkhabaz, he broadcast them to a rather undifferentiated audience. Also, as the Court of Appeals implicitly conceded, there doesn’t seem to have been much, if any, evidence that he actually intended to do the things he wrote about. That, again, reminds me of Alkhabaz.

Wednesday, July 22, 2009

Networks and Treason

This post is a follow-up to a post I did recently in which I analyzed whether the federal government could nationalize private computer networks if the owners refused to let them be used in defensive (or offensive) cyberwarfare.

This post is about a related issue: if the civilian owners of such networks refused to let them be used to carry offensive or defensive cyberwarfare traffic, would that constitute treason?

To answer that question, we first have to define treason. Article III § 3 clause 1 of the U.S. Constitution defines it as follows: “Treason against the United States shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.” (If you’re wondering why the sentence uses “them” and “their” rather than “it” and “its”, the reason is that the drafters of the Constitution saw the United States as a single sovereign entity that was composed of discrete sovereign entities – the states.)

Section 2381 of Title 18 of the U.S. Code implements the constitutional provision by making treason a crime:

Whoever, owing allegiance to the United States, levies war against them or adheres to their enemies, giving them aid and comfort within the United States or elsewhere, is guilty of treason and shall suffer death, or shall be imprisoned not less than five years and fined under this title but not less than $10,000; and shall be incapable of holding any office under the United States.

To commit treason, therefore, one who is (i) a citizen or otherwise owes allegiance to the United States must (ii) intentionally (iii) levy war against it or give “aid and comfort” to its enemy/enemies. The first two elements are pretty straightforward, the second less so.

“Citizen” includes those born in the U.S. and/or to American citizens, as well as naturalized citizens. U.S. v. Stephan, 50 F. Supp. 445 (U.S. District Court for the Eastern District of Michigan 1943). And it must be your purpose – your intention – to levy war against the United States and/or give aid and comfort to its enemies. Stephan v. U.S., 133 F.2d 87, 94 (U.S. Court of Appeals for the Sixth Circuit 1943).

The first alternative in the third element – levying war against the United States – is unambiguous because it directly refers to “war.” If a U.S. citizen had joined the German Army in World War II and fought against the U.S. that would clearly be treason because he/she would directly be “levying war” against his own country. In re Charge to Grand Jury, 30 F. Cas. 1036 (U.S. Circuit Court for the Southern District of Ohio 1861).

The second alternative is more ambiguous, at least on its face: Giving “aid and comfort” is analogous to aiding and abetting a crime. For example, in Best v. U.S., 184 F.2d 131, 137-138 (U.S. Court of Appeals for the First Circuit 1950), a federal Court of Appeals upheld a U.S. citizen’s conviction for treason. It was based on Robert Best’s serving as a radio commentator for the German Short Wave Station, which operated during the last two years of World War II. As the court noted, his “Best’s Little Lifesaver” broadcasts were beamed at U.S. troops fighting in Europe and were intended to “foster a spirit of defeatism, of hopelessness in the face of vaunted German might”, thereby undermining the effectiveness of U.S. troops and helping Germany win the war. Best v. U.S. supra. The Court of Appeals held that this was enough to constitute treason:

‘When war breaks out, a citizen's obligation of allegiance puts definite limits upon his freedom to act on his private judgment. If he trafficks with enemy agents, knowing them to be such, and being aware of their hostile mission intentionally gives them aid in steps essential to the execution of that mission, he has adhered to the enemies of his country, giving them aid and comfort, within our definition of treason. He is guilty of treason, whatever his motive.’

Best v. U.S. supra (quoting Chandler v. U.S. 171 F.2d 921 (U.S. Court of Appeals for the First Circuit 1948)). The Court of Appeals found that Best’s motive was irrelevant:

Best having knowingly aided agents of the enemy in their efforts to bring about the military defeat of the United States, it is of no consequence that he may have thought it was for the ultimate good of the United States to lose World War II, in order that Hitler might accomplish the destruction of an ally of the United States whom Best regarded as a potential enemy. So far as the legal issues . . . are concerned, it entirely irrelevant to speculate whether the present position . . . of the United States in world affairs are better or worse, as compared with what would probably have been the alternative prospect of facing the final life-and-death struggle with a triumphant Hitler, master of most of the world outside the Americas.

Best v. U.S. supra.

That brings us to the final requirement for treason under the second alternative set out in § 2381: The person must have given aid and comfort to an “enemy” or “enemies” of the United States. Courts have held that the term “enemies” means “a foreign power in a state of open hostility with” the United States. Stephan v. U.S., supra. This is why Julius and Ethel Rosenberg, who were accused of giving the Soviet Union information about the U.S. atomic bomb program, were prosecuted for espionage, instead of treason. Since a state of open hostility did not exist between the U.S. and the Soviet Union at the time, what they did couldn’t be treason. U.S. v. Rosenberg, 195 F.2d 583 (U.S. Court of Appeals for the Second Circuit 1952).

And that brings us back to networks and cyberwarfare: If the civilian owner of a network refuses to let the U.S. military use the network to transmit signals as part of a cyberwar attack, is that treason? In answering that question, I’m going to assume the network owner qualifies as a citizen or someone who otherwise owes allegiance to the U.S.

Under the first alternative in § 2381, the answer depends in part on whether the network owner is directly or indirectly aiding military forces engaged in war with the U.S.. If the owner is refusing to let the network be used to respond to a cyberattack that has been already been launched against the U.S., that might qualify as aiding the attacking forces . . . as long as the owner is refusing for the purpose either of levying war against the U.S. or giving aid and comfort to the country that is attacking the U.S.

If the owner is refusing for other reasons – to keep the network from becoming the target of attacking forces or to stay neutral in a conflict conducted in cyberspace – would that negate any inference of an intent to aid the attackers? I think it would, because I think I can distinguish that scenario from the scenario in the Best case. The Best court said it didn’t matter – insofar as Best’s liability for treason was concerned – whether he aided the enemy because he thought the U.S. would benefit more from being defeated by Germany than by defeating Germany. All that mattered was that when he made the broadcasts he acted with the purpose of giving aid and comfort to the German forces in their battle against Allied forces.

If the network owner is refusing to let the network be used because of concerns that aren’t related to the conduct of cyber-hostilities between the U.S. and the country attacking the U.S., then I’d argue the owner can’t be convicted of treason. Since the owner isn’t a member of the armed forces and, we’re assuming, the government hasn’t nationalized computer networks in the U.S., it seems to me the owner can refuse to let the network be used to launch a defensive attack without incurring liability for treason.

What if the owner is refusing to let the network be used to launch an offensive attack? Does that alter the analysis? I think it does. I don’t see how the network owner could be convicted of treason here for several reasons: One is that since no state of war exists between the countries at least until the attack is launched, and maybe until it hits its target(s), I don’t see how the network owner could be levying war against anyone. (I’m assuming, throughout this analysis, that cybertattacks constitute acts of war.)

Another, related reason is that if the countries aren’t already in a state of open hostility, the owner can’t be giving aid and comfort to an “enemy” of the U.S. Given all that, I think it would be very difficult – even impossible – to prove that the network owner refused to let the network be used to launch the offensive cyberattack for the purpose of either levying war against the U.S. or giving aid and comfort to its “enemy.” The country against which the attack is/will be/would be launched isn’t an enemy, as I understand, until the attack has arrived, and maybe until the attacked state responds in kind.

Would it matter if, as I hypothesized in my earlier post, the federal government had earlier nationalized the computer networks controlled by U.S. citizens? I don’t know. I don’t know (so far) what, if any, effect nationalization has on the treason analysis. It seems all nationalization would do is to put the network owner in a position in which he/she/it is now obligated to follow orders from designated federal officials. If that’s true, then refusing to obey such an order would presumably be punished as precisely that, i.e., as the intentional refusal to follow an order issued under the authority of the statute authorizing nationalization of the networks. In other words, it seems that a refusal after nationalization should constitute the crime, if any, the nationalization statute created to sanction those who do not follow orders from an authorized source. I’ll have to look into that a little more, and see if nationalization would impact on the treason analysis.