Tuesday, September 29, 2009

Earthquake: Miranda and Computers?

In my last post, I essentially argued that the explicit language of the 4th Amendment doesn’t give courts the constitutional authority to impose requirements such as requiring the government to forfeit its right to rely on the plain view doctrine.

I focused on the forfeit-the-plain-view-doctrine requirement because I think it’s the hardest to justify of the five requirements the Ninth Circuit Court of Appeals articulated in the Comprehensive Drug Testing opinion.

I think two of the other requirements (search protocols for computer warrants and the segregation of computer data) are difficult to justify for the same reasons that, IMHO, make the plain-view-forfeiture requirement difficult to justify. I think the two remaining requirements (warrant application must disclose actual risks of destruction of evidence and returning non-responsive data) can be justified if not by the plain language of the 4th Amendment, then by doctrines the U.S. Supreme Court has articulated as it’s parsed the Amendment.

This post isn’t about any of that. It’s about whether we can derive the Ninth Circuit’s constitutional authority to impose the first three requirements (for the purposes of analysis, we’ll assume the last two are fine under existing law) from something other than the plain language of the 4th Amendment . . . and that brings me to Miranda.

As I assume everyone knows, in Miranda v. Arizona, 384 U.S. 436 (1966) the U.S. Supreme Court held that statements someone makes who is in police custody (i.e., has been arrested or is being detained by officers) are not admissible in court unless he was (i) warned of his “right to silence” and “right to counsel” and (ii) knowingly, intelligently and voluntarily waived both rights and agreed to speak to police. The person must be warned that (i) he has the right to remain silent, (ii) anything he says can and will be used against him, (iii) he has the right to have an attorney present at questioning and (iv) if he can’t afford a lawyer one will be appointed for him.

The Miranda Court said its decision addressed “the necessity for procedures which assure that the individual is accorded his privilege under the Fifth Amendment to the Constitution not to be compelled to incriminate himself.” Miranda v. Arizona, supra. It did not say that what have come to be known as the Miranda “rights” are part of the 5th Amendment. Instead, the Court said they were “procedural safeguards effective to secure the privilege against self-incrimination.” Miranda v. Arizona, supra.

In a subsequent decision – U.S. v. Mandujano, 425 U.S. 564 (1976) – the Supreme Court made it very clear that the Miranda “rights” go far beyond what is required by the 5th Amendment. The Mandujanoth Amendment: Court explicitly held that there is no right to silence under the 5 Instead, the individual must refuse to answer each question as it is asked, and can only refuse to answer if by doing so she would implicate herself (not her mother, not her son) in criminal activity. If the individual answers a question, she waives the 5th Amendment on that privilege and can be required to answer further questions on that topic. And the Mandujano Court said there is absolutely no right to counsel under the 5th Amendment. (If you want to know more about the Mandujano Court’s reasoning, you can read the opinion via the link above.)

In other decisions the Supreme Court has repeatedly said the Miranda rules are “not themselves rights protected by the Constitution but [are] instead measures” intended to protect the 5th Amendment privilege. Michigan v. Tucker, 417 U.S. 433 (1974). In multiple opinions, the Court has described the Miranda rules as “prophylactic rules designed to safeguard the core constitutional right protected by the Self-Incrimination Clause” of the 5th Amendment. Chavez v. Martinez, 538 U.S. 760 (2003).

This characterization of the Miranda rules is consistent with Justice Warren’s opinion for the Miranda majority. He explains, in great detail, that the Court is compelled to create this new set of standards for interrogations because a new “evil” has arisen, one that cannot be adequately addressed by the sole standard that then existed – a due process standard that banned the use of physical abuse during interrogations.

Warren explains, again in great detail, that the old rule is inadequate because police have shifted to using psychological coercion in interrogations; he uses empirical sources to explain the techniques police are using and buttress his argument that the use of these techniques undermines individuals’ ability to invoke their 5th Amendment privilege. Warren says the Court is creating the Miranda rules as a device – a set of tools people can use to resist the pressure of psychologically-based interrogation. He says the rules are necessary to protect the 5th Amendment and in doing so implicitly suggests that the 5th Amendment gives the Court the power to adopt and enforce the Miranda rules. He never actually explains what the connection between the two is.

That opened the door for a constitutional challenge to Miranda. In 1999, in U.S. v. Dickerson, the U.S. Court of Appeals for the 4th Circuit held that the Miranda rights are not constitutional. The case went to the Supreme Court and in 2000 a majority of the Court held that the Miranda rules are “constitutionally based” . . . so Miranda survives.

And that brings me back to the Ninth Circuit’s recent decision in the Comprehensive Drug Testing case. In my last post I explained why I doubt that the Ninth Circuit has the constitutional authority to impose certain of the requirements noted above. I explained that the plain language of the 4th Amendment doesn’t seem to confer such authority on the Ninth Circuit or any other U.S. court.

I could be wrong about that, but let’s assume I’m not. If the plain language of the 4th Amendment doesn’t support the approach the Ninth Circuit outlined in Comprehensive Drug Testing, then that approach is either unconstitutional or its constitutionality has to be justified on some other basis.

As I thought about that, it occurred to me that there are certain parallels between the Comprehensive Drug Testing court and the Miranda Court: Both were addressing what they considered to be new and highly problematic challenges to the implementation of one of the guarantees of the Bill of Rights. For the Miranda Court, the challenge was psychologically-based interrogation; for the Comprehensive Drug Testing court, it was the empirical complications digital technology introduce into the processes of searching for and seizing evidence.

As I explained in my original post on the Comprehensive Drug Testing case, that court explained that simply applying conventional search and seizure procedures to digital evidence “creates a serious risk that every warrant for electronic information will become, in effect, a general warrant, rendering the Fourth Amendment irrelevant.” U.S. v. Comprehensive Drug Testing, Inc., 2009 WL 2605378 (U.S. Court of Appeals for the Ninth Circuit 2009).

I actually agree with everything the Ninth Circuit said about the complications digital evidence creates for 4th Amendment analysis and about why we cannot simply continue to apply the rules that govern physical searches and seizures to digital searches and seizures. As I’ve noted before, my concern lay not with the premise of the opinion but with the court’s authority to implement the solution it adopted (or at least aspects of the solution it adopted).

If I had to justify the Ninth Circuit’s implementing this solution, I might derive its authority to do so from a Miranda-style argument. That is, I might argue that the Ninth Circuit, like the Miranda Court, confronted an empirical environment that had changed in ways that made the application of traditional constitutional principles increasingly problematic. I would then need to develop a theory that explains why the Supreme Court has the constitutional authority to promulgate and enforce prophylactic rules that go far beyond what the 5th Amendment requires with regard to interrogations; it’s certainly possible to do that. Law professors came up with such theories while Dickerson was pending in the Supreme Court (which, of course, ignored all of them).

I would then demonstrate why that theory is equally applicable for other constitutional guarantees, such as the 4th Amendment. I would have to show that the constitutional authority to promulgate and enforce prophylactic rules that exceed basic constitutional requirements is not unique to the 5th Amendment . . . which I suspect wouldn’t be that difficult. Logically, if the Supreme Court can promulgate and enforce prophylactic rules to protect the core values secured by one of the provisions of the Bill of Rights, it seems to follow that the Supreme Court (and, by extension, lower courts) can do the same thing to protect the values secured by another provision of the Bill of Rights.

I have neither the space nor the ambition to try to develop any of that in detail here . . . and I suspect you’d just as soon not have to read all of that. I’m sure these arguments can be made, probably without much difficulty. All that would be involved is deriving the courts’ authority to promulgate these prophylactic rules and extrapolating that authority to the 4th Amendment context.

Extrapolating that authority to the 4th Amendment context would involve doing two things: One is demonstrating that the need and justification for prophylactic rules isn’t limited to the interrogation context; prosecutors might argue that the Miranda Court was dealing with a problem that was uniquely compelling because, say, interrogation truly pits the individual against the power of the state. I’d have to rebut that argument by showing that the justification is broader and applies with equal force to the 4th Amendment’s concern with protecting individual privacy. (I could say that here we also have a confrontation between the individual and the state the outcome of which jeopardizes the individual’s rights to privacy and liberty.)

The other thing I’d have to do to extrapolate that authority to the 4th Amendment context is to show that digital evidence creates the potential for an “evil” comparable in severity to the “evil” the Miranda Court saw in psychologically-based interrogation. Prosecutors would probably argue that extant 4th Amendment principles are perfectly adequate to protect individual privacy even in the context of digital evidence searches. I’d have to be able to show why that isn’t true which, again, I don’t think would be that difficult. I could start with some of the things the Ninth Circuit said in the Comprehensive Drug Testing case and go on from there.

I’m not saying I could put together a perfect argument or even one that would win. I am saying that I think what the Supreme Court did in Miranda creates the opportunity for an argument along the lines of the one I’ve outlined here.

Monday, September 28, 2009

Earthquake: Further Thoughts

About a month ago, I did a post on the U.S. Court of Appeals for the Ninth Circuit’s decision in the Comprehensive Drug Testing case: U.S. v. Comprehensive Drug Testing, Inc., 2009 WL 2605378 (2009).

In it, I outlined the five principles the Ninth Circuit said should guide federal magistrates when they are asked to issue a warrant to search for, seize and then search computers and digital storage media. I also noted that I wasn’t sure if the court had the authority to enunciate and enforce all of these principles because some, at least, are a pretty radical departure from what courts have been doing in this area.

I want to use this post to elaborate on that topic as it relates to the first of the guiding principles the Comprehensive Drug Testing court set out in its opinion: the requirement that the government waive its right to rely on the plain view doctrine in digital evidence cases. As I explained in an earlier post, the plain view doctrine is an exception to the 4th Amendment’s warrant requirement; more precisely, it’s a rule that can expand the scope of a search that is conducted pursuant to a validly issued search warrant or to a valid exception to the warrant requirement, such as consent or exigent circumstances.

As Wikipedia explains, the plain view doctrine lets an officer seize items he or she sees while at a lawful 4th Amendment vantage point if it is “immediately apparent” to the officer that the items are evidence of a crime. To be at a lawful 4th Amendment vantage point, the officer’s presence at that place must be authorized by a warrant or an exception to the warrant requirement unless, of course, it’s a public place. When an officer is in a public place and observes what he immediately realizes is evidence of a crime (illegal drugs, for example), his observation doesn’t violate the 4th Amendment because he’s doing what anyone else who happened to be there could do.

In the physical world, the plain view doctrine often supplements the scope of a search conducted pursuant to a warrant. Assume, for example, that officers have a warrant to search Joan Doe’s house for stolen weapons. As they search the house, one officer sees a bag of what he clearly recognizes as crack cocaine sitting in plain view on a table; the plain view doctrine lets the officer seize the back of cocaine without his having to get a warrant to do so.

Perhaps you can see why the application of the plain view doctrine is problematic when it comes to digital searches and seizures. Courts have grappled with what it means to say data is in “plain view.” Assume, for example, that an officer searching a hard drive for records of drug dealing discovers child pornography. If the child pornography was in “plain view,” he can seize it and the government can use it to charge the owner of the hard drive with possessing child pornography.

The issue courts have been struggling with is when is data NOT in plain view. If an officer is authorized to search a hard drive for evidence of Crime A, is all of the data on that hard drive in plain view . . . so that if he finds evidence of Crimes B and C the government can use that evidence to prosecute the owner of the hard drive for these crimes? Defendants in various cases have argued that the entire hard drive is not – should not be – in plain view, but haven’t been able to come up with a workable standard for parsing what data is, and what data is not, in plain view when an officer analyzes a hard drive or other storage media.

The Ninth Circuit’s solution is, as I explained in my prior post, to have magistrates require the government to waive its right to rely on the plain view doctrine in order to get a warrant to search a hard drive or other digital storage media. The Ninth Circuit is implicitly saying, “We can’t come up with a way to limit the scope of the plain view doctrine when it comes to digital searches, so the government will have to give up the doctrine if it wants to get a warrant to seize and search computers and other containers of digital evidence.”

While I think we need to limit the scope of the plain view doctrine as it applies to digital searches, I have some reservations about this solution. One – which really doesn’t have much to do with law per se – is that it seems overbroad. I’d be more comfortable with an approach that applies the plain view doctrine to digital searches in a manner analogous to how we apply it to physical searches; that is, I’d prefer to see us come up with some way to define when data is, and is not, in “plain view” from the perspective of a computer forensics examiner. But maybe I’m wrong and the Ninth Circuit is right – maybe there’s simply no way to do that.

My other concern about the solution the Ninth Circuit has come up with is, as I noted earlier, with whether this court – indeed, any U.S. court – has the authority to require the government to waive its constitutional right to rely on the plain view doctrine in order to obtain a digital search warrant. The logical source of that authority – if it exists – is the 4th Amendment because it is the only constitutional provision that restricts what law enforcement officers can do in searching for evidence. In this post I’m going to consider whether the 4th Amendment gives courts the authority to require the government to waive its right to rely on the plain view doctrine. In my next post, I’m going to speculate about another possible source for that authority.

The 4th Amendment provides as follows: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Nothing in the text of the Amendment gives magistrates the right to control how a search warrant is executed. Indeed, the Amendment doesn’t explicitly refer to magistrates; its reference to warrants issuing based on probable cause supported by oath or affirmation implicitly incorporates the role judicial officers, like magistrates, play in implementing the 4th Amendment’s requirements.

The 4th Amendment has two clauses: the “unreasonable searches and seizures” clause and the "warrant-probable cause" clause. The Supreme Court has construed the first clause as creating a general right to be free from unreasonable searches and seizures and the second as specifying the requirements for obtaining a search warrant.

If I were a prosecutor, I’d argue that what the Ninth Circuit did in the Comprehensive Drug Testing case is not justified under either clause. I’d start with the second clause, because it is the one that at least implicitly refers to the role of the magistrate.

I’d point out that the plain language of the second clause clearly establishes that the magistrate’s only role is to ensure that a warrant (search or arrest) is properly issued, i.e., is based on probable cause and particularly describes the place to be searched (the hard drive of Dell computer serial number xxxxxxxxxxxxxx) and the things to be seized (images of child pornography). I’d then argue that because the clause focuses only on the magistrate’s role in ensuring that search warrants are properly issued, it does not give magistrates (or courts) the authority to prescribe what happens after the warrant is issued. In other words, a magistrate can’t tell an officer how he or she should go about executing a search warrant.

Courts do review the propriety of officers’ conduct in executing a valid search warrant. In Marron v. U.S., 275 U.S. 192 (1927), the Supreme Court explained that the 4th Amendment’s “requirement that warrants shall particularly describe the things to be seized . . . prevents the seizure of one thing under a warrant describing another.” This means, as a later Court noted, that the Amendment “confines an officer executing a search warrant strictly within the bounds set by the warrant.” Bivens v. Six Unknown Agents of the Federal Bureau of Narcotics, 403 U.S. 388 (U.S. Supreme Court 1971). The execution of the warrant must therefore stay within the prescribed scope of the warrant . . . which means defendants can move to suppress evidence on the grounds that the officers who executed a warrant went beyond the scope of the warrant, an argument that is often raised in digital searches.

When a defendant makes such an argument, the magistrate (court) will review the officers’ conduct to determine if they stayed within the scope of the warrant. If they did, the magistrate will deny the motion to suppress; if they did not, and if no exception to the warrant requirement applies, the magistrate will grant the motion. Some, then, might argue that because magistrates have the ability to retrospectively review the propriety of officers’ conduct in executing a search warrant they also have the authority to prescribe how the warrant will be executed.

I can see that argument, but I’m not sure that the authority to assess compliance with a search warrant translates into the authority to prescribe how officers are to go about executing a warrant . . . especially when that consists of requiring the government to forfeit its constitutional right to rely on the plain view doctrine.

A number of lower federal courts (e.g., federal district courts and courts of appeal) have noted that “no tenet of the Fourth Amendment prohibits a search merely because it cannot be performed with surgical precision.” U.S. v. Christine, 687 F.3d 749 (U.S. Court of Appeals for the Third Circuit 1982). The Christine court was referring to searches for documents – which often involve officers’ examining all of the documents in order to identity those that are within the scope of their warrant – but subsequent courts have made similar comments about computer searches. See, e.g., U.S. v. Graziano, 558 F. Supp.2d 304 (U.S. District Court for the Eastern District of New York 2008). And the Supreme Court said “it is generally left to the discretion of the executing officers to determine the details of how best to proceed with the performance of a search authorized by warrant”. Dalia v. U.S., 441 U.S. 238 (1979).

A prosecutor, then, could argue that the magistrate’s role is limited to ensuring that the warrant complies with the 4th Amendment when issued and that the execution of the warrant didn’t go beyond the scope of the warrant, taking the circumstances at issue into account. The prosecutor could say the Ninth Circuit’s solution is at once illegal (not authorized by the 4th Amendment) and unnecessary (a court’s after the fact review of the execution of a warrant ensures that the search stayed within the scope of the warrant and therefore complied with the 4th Amendment).

As I think I said, I don’t disagree with what the Ninth Circuit is trying to accomplish. I’m just not sure that the language of the 4th Amendment authorizes them to do this. In my next post, I’ll speculate a bit about whether we can find another source for that authority.

Friday, September 25, 2009

Privacy and the Cloud - Part 2

A while back, I did a post on privacy and cloud computing. In it, I focused on the extent to which the 4th Amendment’s guarantee of privacy applies to data stored in a cloud.

This post is about a different but related issue: the extent to which the federal statutes that govern intercepting communications and accessing stored data apply to cloud computing.

In analyzing the statutory issues, I’m going to deal with two scenarios: In the first, law enforcement officers copy data as it is in the process of being uploaded to the cloud. (The same issues would arise if they copied the data as it was being downloaded from the cloud, but I’m going to focus primarily on uploading, for reasons I’ll explain later.)

In the second scenario, law enforcement officers copy data that is being stored on a cloud. In neither scenario do the officers obtain a warrant before copying the data.

The critical issue in the first scenario is whether the officers who copied the data “intercepted” the contents of a communication in violation of Title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. 9-352, June 19, 1968, 82 Stat. 197, which was codified at 18 U.S. Code §§ 2510-2521. As Wikipedia explains, Title III was adopted to implement two U.S. Supreme Court decisions: Katz, v. United States, 389 U.S. 347 (1967) and Berger v. New York, 388 U.S. 41 (1967).

As I’ve explained before, in the Katz case the Supreme Court held it was a “search” under the 4th Amendment for FBI agents to wiretap calls Charles Katz made from inside a phone booth. The Court found that by going into the booth and closing the door, Katz manifested a “reasonable expectation of privacy” in the content of his calls; as I’ve explained, the Katz Court held that when one manifests a reasonable expectation of privacy in a place or thing, the 4th Amendment protects that place or thing. Since the place/thing is protected by the 4th Amendment, officers must have a search warrant or an exception to the warrant requirement to examine (search) the place/thing. In Berger, the Supreme Court held that a New York wiretap statute that did not require officers to comply with 4th Amendment requirements in order to get a wiretap authorization was unconstitutional.

We could simply be using the Katz and Berger decisions as our guide to how the 4th Amendment applies to the interception of phone calls and other communications, but Congress thought it was necessary to adopt statutes governing this type of activity. That is why Congress adopted, and the President signed, the bill that gave us the Title III-based provisions of the federal code. Title III’s requirements for intercepting the contents of communications actually go beyond the 4th Amendment in certain respects, such as requiring that a prosecutor approve applications for wiretaps and that such applications include a statement by officers saying that they need to use wiretaps because other methods have been tried and failed (or are likely to fail) or are too dangerous to use.

Okay, all that means is that law enforcement’s intercepting the contents of telephone calls must comply with the requirements of the 4th Amendment as slightly expanded by Title III. (Failing to do so is a crime.) So we need to review what Title III says.

When it was originally adopted, Title III applied to intercepting the contents of phone calls. In the Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 – Congress expanded the scope of Title III so it now applies to “wire, oral or electronic communications.” 18 U.S. Code § 2511(1)(a). That brings us back to the first scenario: Law enforcement agents copy a file as I upload it to my storage in the cloud; we’ll assume, for the purposes of analysis, that the file is a text file, so its contents are analogous to the conversations Katz had in the phone booth. (I’m not saying that the file wouldn’t contain “content” encompassed by Katz or Title III if it consisted of jpgs or other non-text data; I’m simply assuming text to make the analysis as analogous to what happened in Katz as possible).

If the agents copy the file as I am sending it to the cloud, have they “intercepted” the contents of an electronic communication? The original version of Title III defined “intercept” as the “aural acquisition” of the contents of a phone call. The drafters of Title III didn’t spend much time defining intercept because the only way you can capture the contents of a phone call is to do so in real-time, because the content’s existence is transient. That, of course, changed with electronic communications; you can capture them while they’re being transmitted or while they’re in storage (which we’ll get to in a minute). In this first scenario, though, I think we clearly have the “interception” of the contents of the file because the agents acquire the contents contemporaneously with the transmission of the file to the cloud. Courts have held that interception requires that the officers capture the contents while it is being transmitted.

So we have interception. We also have the acquisition of the contents of the file, so we have two elements – interception and contents – that are analogous to what happened in Katz. The critical issue, I think is whether we have an electronic “communication.”

Section 2510(12) of Title 18 of the U.S. Code defines terms used in Title III. It defines an electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce”. On its face, that definition is, I think, clearly broad enough to encompass my transferring data from my computer to a server in a cloud. A prosecutor, however, could argue that my transferring data from my computer to the cloud server is not a communication because I am not transmitting information to another human being.

I can’t find any reported cases that deal with this issue, but Black’s Law Dictionary defines communication as the “exchange of information by speech, writing, gestures, or conduct; the process of bringing an idea to another's perception” Black’s Law Dictionary (8th ed. 2004). Since Title III was implementing the Court’s decision in Katz, that is the exactly the kind of communication it was intended to protect, which means this could be a very credible argument.

I focused the first scenario on my uploading the file to the cloud – instead of on my downloading it from the cloud – because I thought uploading was conceptually a little more analogous to the calls at issue in Katz than downloading. In downloading, the transfer of data is coming from an inanimate source to me; even though I initiated the transfer, it looks a little less like Katz’s phone calls, I think, than uploading.

That brings me to the second scenario, in which the officers copy the file as it is stored on the cloud. I’m assuming the company that owns the cloud servers gave the officers access to the server on which my data was stored, so they didn’t commit the crime of unauthorized access to a computer.

In my first post on cloud computing I analyzed whether copying data stored on a cloud would violate the 4th Amendment. Though there are credible arguments that it would not, I disagree, as I explained there. In this post, I’m going to focus on whether the federal statues that protect stored data would protect my information in the cloud.

The statute that applies here is the Stored Communications Act (SCA), Pub. L. 99-508, 100 Stat. 1860 (1986). Congress adopted the SCA to provide some protection for stored data; as I noted in my earlier post, some say it is outside the 4th Amendment under the Supreme Court’s decision in Smith v. Maryland.

The SCA applies to “electronic communication services” and to “remote computing services”, terms that made much more sense in 1986 than they do today. The SCA defines “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications”. 18 U.S. Code § 2510(15). It defines “remote computing service” as “the provision to the public of computer storage or processing services by means of an electronic communications system”. 18 U.S. Code § 2711(2).

The SCA says that providers of electronic communication or remote computing services “shall not knowingly divulge” the contents of a communication that is being stored on an electronic communication service or is “carried or maintained” on a remote computing service. 18 U.S. Code § 2702(a). The prohibition is subject to certain exceptions, such as disclosing the contents to the person who sent it or was the intended recipient and disclosing contents that the provider inadvertently obtained and that relate to a crime. 18 U.S. Code § 2702(b). Law enforcement can obtain the contents of an electronic communication that has been stored on an electronic communications service for 180 days or less by getting a search warrant that complies with the 4th Amendment. Officers can get the contents of such a communication that has been stored for more than 180 days and can get the contents of an electronic communication from a provider of remote computing services by getting a search warrant, a subpoena or a court order. 18 U.S. Code § 2703(b). The premise is that communications (emails) stored for less than 180 days get 4th Amendment protection, while everything else does not.

Getting back to my second scenario, whether the officers acted lawfully when they got a copy of my file from the cloud server depends on a couple of things. One is whether the operator of the cloud server qualifies as a provider of electronic communication services or is a provider of remote computing service. If the company that owns the cloud service to which I subscribe simply operates a cloud data storage service, then it would seem to be a provider of remote computing services; if that is true, then the officers could use a subpoena (a grand jury or administrative subpoena) or a court order to get the copy of my file. Neither a subpoena nor the court order requires that they have probable cause to believe the file contains evidence of a crime, so neither satisfies the requirements of the 4th Amendment. The SCA is based on the premise that under Smith v. Maryland I don’t have a 4th Amendment expectation of privacy in stored data, so the statute is, in effect, giving me more privacy protection than I’m entitled to under the Constitution.

What if, like Apple’s Mobile Me service, the cloud operator also lets me send and receive emails? That would mean it is, at least in part, a provider of electronic communication services which, in turn, MIGHT mean the officers would have to get a search warrant to copy the file. The problem I can see here is the one I noted before -- that the contents of the file may not qualify as the kind of “communication” the SCA is talking about when it refers to communications that have been in storage more than/less than 180 days. By that, it means emails, and my file isn’t an email . . . so it probably falls under the remote computing services option, and can probably be obtained without a warrant.

Personally, I think the statutory approach is too outdated and too fragile to protect our privacy in an era of digital communications. I think this is best handled under the 4th Amendment; I think the Supreme Court should overrule Smith and apply the 4th Amendment to communications while they’re in flight and to data we (responsibly) store with reliable data storage agents.

Tuesday, September 22, 2009

Vindictive Prosecution

In the U.S. justice system, prosecutors have broad discretion in deciding whether to charge someone with a crime and, if they do, to decide what and how many crimes they will be charged with. Prosecutorial discretion is not, however, unlimited.

As a law review article notes, courts “protect individuals from prosecutorial decisions that are based on unconstitutional motives or executed in bad faith. Prosecutors may not engage in selective prosecution, which denies equal protection of the law, or vindictive prosecution, which violates due process rights.” 38 Prosecutorial Discretion, Georgetown Law Journal Annual Review of Criminal Procedure 219, 222 (2009).

This post is about a case in which the defendant claimed he was the victim of vindictive prosecution. As the law review article explains, the due process clauses of the Fifth and Fourteenth Amendments prohibit a prosecutor from using criminal charges

to penalize a defendant's valid exercise of constitutional or statutory rights. To prevail in a claim of vindictive prosecution, a defendant must show either actual vindictiveness or facts sufficient to give rise to a rebuttable presumption of vindictiveness. A presumption of vindictiveness typically arises when a defendant is reindicted following a trial, but only if there has been an increase in the number or severity of charges. A presumption arises only when the defendant is affirmatively exercising constitutional rights, not when additional charges are filed after a mistrial or an acquittal.

Prosecutorial Discretion, supra. As the article notes, actual vindictiveness “is often difficult to establish.” And the U.S. Supreme Court has noted that proving vindictive prosecution is particularly difficult when the claim arises in the pre-trial context: In U.S. v. Goodwin, 457 U.S. 368 (1982), the Court explained that “in the pretrial context, where `the prosecutor's assessment of the proper extent of prosecution may not have crystallized,’ reindictment on a more serious charge is much less likely to be motivated by prosecutorial vindictiveness than when a charge is changed after a trial begins or . . . a conviction has been obtained and the state has had the opportunity to fully assess its case.” Prosecutorial Discretion, supra.

That brings us to U.S. v. Bucci, 2009 WL 2902709 (U.S. Court of Appeals for the First Circuit 2009). In 2003, Sean Bucci and two other defendants – Anthony Belmonte and Darren Martin – were indicted on two federal drug-trafficking charges: conspiring to possess at least 100 kilograms marijuana with the intent to distribute in violation of 21 U.S. Code § 846 and possessing at least 100 kilograms of marijuana with the intent to distribute in violation of 21 U.S. Code § 841. U.S. v. Bucci, supra.

A year later, in August 2004, Bucci started a website, whosarat.com, where individuals could post information about government informants. Six months after Bucci started this website, the Government . . . filed a superseding indictment which charged Bucci and Martin with the same two drug-trafficking counts, but increased the amount of marijuana charged in the alleged conspiracy from 100 to at least 1000 kilograms. The increased amount of marijuana charged raised the . . . mandatory minimum sentence Bucci faced for the conspiracy offense, if convicted, from five to ten years.

A year after Bucci started whosarat.com, the Government . . .filed a second superseding indictment charging Bucci with the same two drug-trafficking offenses, but adding fourteen additional counts involving money laundering, tax evasion, and unlawfully structuring financial transactions to avoid reporting requirements. The second superseding indictment also added Bucci's mother, Catherine Bucci, as a co-defendant.

U.S. v. Bucci, supra.

Bucci thought the “Government's decision to file the two superseding indictments . . . amounted to vindictive prosecution intended to punish him for exercising his First Amendment right to operate his website, whosarat.com.” U.S. v. Bucci, supra. He tried to prove vindictive prosecution by “demonstrating circumstances establishing a likelihood of vindictiveness sufficient to create” the presumption noted above, but he was raising the claim in the pretrial context, where it is particularly difficult to establish. As the Court of Appeals noted, “[i]n our system, so long as the prosecutor has probable cause to believe that the accused committed an offense defined by statute, the decision whether or not to prosecute, and what charge to file or bring before a grand jury, generally rests entirely in [the prosecutor's] discretion.” U.S. v. Bucci, supra.

To obtain the evidence he needed to support his vindictive prosecution claim, Bucci “sought discovery from the Government” to support his claim, but “to obtain discovery, [he] first had to advance some evidence tending to establish his vindictive prosecution claim.” U.S. v. Bucci, supra. The trial court denied his discovery request, and the Court of Appeals upheld that decision:

Bucci relied on `statements of law enforcement and government officers . . . contained in . . . newspaper articles, documents, and security reports.’ While the statements . . . expressed serious concern about the danger to informants posed by postings made on Bucci's website, Bucci set forth no evidence suggesting this concern ever affected the prosecutors making the specific charging decisions in his case. To obtain discovery, Bucci must . . . . connect any vindictive animus to those making the challenged charging decisions in his case.

Bucci also relied on . . . the Government's opposition to a motion . . . Catherine Bucci, filed seeking early disclosure of statements made by Government witnesses. . . . [T]he Government noted that, while it generally would not oppose early disclosure, in this case it would not agree to it because of the Government's concern that Bucci was trying to intimidate Government witnesses through whosarat.com. In opposing Catherine Bucci's motion, however, the Government was only asserting a legitimate litigation strategy. . . .

Bucci further relied on the circumstances attendant to his prosecution, asserting that the prosecutor all along had enough evidence to charge him with the added offenses and increased amount of marijuana, but did not bring those charges until after Bucci started whosarat.com. Assuming the Government had enough evidence to indict Bucci initially on the increased charges, this fact alone is insufficient to establish that the Government later filed the superseding indictments to punish Bucci for whosarat.com. . . .

[T]he district court noted that `the sequence of events in this case is not so remarkable as to justify discovery.’ We agree. Bucci began operating his website in August 2004. It was six months later that the Government filed the first superseding indictment, and another six months before the Government filed the second superseding indictment against Bucci. These superseding indictments were not so close in time to Bucci's starting the whosarat.com website to provide strong evidence that the prosecutor acted vindictively.

U.S. v. Bucci, supra.

I think it’s an interesting vindictive prosecution argument. In a post I did a couple of years ago, I noted that law enforcement officers and judges were very concerned about the Who’s A Rat? site, and I assume they still are, since it still seems to be going strong.

Earlier this year, the U.S. Court of Appeals for the Sixth Circuit commented that

[i]nmates who are known to have co-operated with the government are at risk for mistreatment while incarcerated. Not only is there grapevine gossip within the institution, but `snitches’ are tracked on internet accessible data bases. See the web site `Who's a Rat’ www. whosarat. com.

U.S. v. Gapinski, 561 F.3d 467 (2009). In 2008, a Pennsylvania district court judge noted that “[j]udges are very concerned over the accessibility [of information about informants] by people with evil intentions, as most visibly seen by the notorious website `whosarat.com.’” K.R. v. School District of Philadelphia, 2008 WL 4822041 (U.S. District Court for the Eastern District of Pennsylvania 2008).

In an aside, the Pennsylvania judge said some courts were considering taking steps to protect informant information contained in court files. According to a recent article, the

federal judiciary recently considered a proposal to restrict public Internet access to plea agreements in criminal cases. This proposal responded in large part to uproar over the Web site whosarat.com. . . . Because of the obvious threat this site posed to informants' safety and willingness to come forward, the federal courts wondered whether removing plea information from public Internet access on PACER would stem whosarat.com's impact. After considering the option . . . the Privacy Subcommittee under CACM decided to recommend against changing the national policy. Instead, the committee suggested district courts consider adopting local policies to protect the interests of plea bargainers as they see fit. Some federal courts now bar nonparty remote access to plea documents. . . In other courts, plea agreements are excluded from the public record entirely. . . .

Rebecca Hulse, E-Filing and Privacy, Criminal Justice 14 (Summer 2009).

Bucci’s problem, of course, was that he couldn’t show any causal connection between the uproar over the site he created and the decisions that incrementally increased the charges against him and the liability he faced. If he had been able to do so, then he might have had a viable vindictive prosecution claim, since I assume he could show he had a First Amendment right to operate the website. (As I noted in my earlier post on Bucci’s site, he might also have been able to show he had Fifth and Sixth Amendment rights to operate the site if it was being used to help him prepare his defense to the charges against him.)

Bottom line: It’s really, really, really difficult to prove vindictive prosecution . . . .

Monday, September 21, 2009

"Authorization" -- Follow-up

This is a follow-up to what I said at the end of my last post, i.e., that conflating damage and authorization misinterprets and misapplies “access” crimes.

I thought of a way to illustrate what I mean. As I’ve probably noted before, criminal law makes “burglary” a crime. Basically, to commit burglary I must (i) enter a building or other property knowing I’m not authorized to do so (trespass) (ii) with the intent to commit a crime once inside (e.g., arson, theft, murder). So if I break into your house intending to steal whatever I can find inside, I’ve committed burglary.

Under some statutes, like the Model Penal Code, the crime of burglary and the target crime (the crime I intend to commit once I’m inside) merge, which means I can’t be convicted of both. Under many modern statutes, they don’t merge; that’s because the modern trend in U.S. criminal law (anyway) is to break offenses into their separate parts and allow liability to be imposed for each part.

But for the purposes of this analysis, let’s go with the formulation of burglary as (i) trespassing on property (ii) in order to commit a crime once I’m there. It seems to me there’s something of an analogy between burglary, in this sense, and the “access” crimes like those defined by 18 U.S. Code § 1030.

And that brings me back to authorization: I think § 1030 is a kind of burglary statute. Section 1030 doesn’t make simple trespass (gaining access to a computer without being authorized to do so) a crime; it only makes computer trespass a crime if the person who trespassed into a computer system caused damage to the system or data inside it.

If I’m right about that, then the Ninth Circuit was correct in its interpretation of what it means for access to be “unauthorized” and the Seventh Circuit erred in Citrin. If we look at the “access” crimes defined by § 1030 and other statues, it seems pretty clear that they’re computer burglary statutes. As far as I can tell (based on a lot of prior research and some quick refresher research I just did), all the “access” crimes in U.S. law (and, I believe, in the “access” statutes in force in many other countries, as well) require both unauthorized access (trespass) and the commission of a crime (damaging, deleting, copying data, etc.) for the person to be held liable.

That structure of the crimes inferentially established, IMHO, that the “authorization” and “damage” analyses are separate and sequential, as I noted at the end of my last post. They operate a lot like the analysis of a burglary charge: You first have to ask if the person trespassed (gained entry to property without being authorized to do so). If they did, then you go on to the second element: whether the intended to and did commit a crime once inside. If the facts establish both elements, you have burglary. If they only establish the first element, then you have criminal trespass. And if they only establish the second element, you only have the crime the person committed once inside; so you could only charge the person with arson, murder, theft, etc.

I think that’s exactly how we should approach “access” crimes like those defined under § 1030. If the facts don’t show that the access to the system was unauthorized, then we have to prosecute the person (usually, the faithless employee) for what he or she really did, i.e., theft (copied data and took the copy), vandalism/property damage (destroyed data or altered it so it’s useless), etc.

As to charging the person with theft, some state statutes specifically criminalize “computer theft.” A Minnesota statute, for example, makes it a crime to “intentionally and without claim of right” take, transfer or retain possession of computer software or data. Minnesota Statutes § 609.89. I find it interesting that this statute has two provisions: The first makes it a crime to access a computer without authorization to steal data; the second makes it a crime to take, transfer or retain data. So what Minnesota apparently did was to create both an “access” (computer burglary) crime and a “theft” (computer theft) crime.

Out of curiosity, I checked to see if any state statutes define a separate crime of “computer damage” which could be used when the “access” element failed but the evidence proves the person damaged data. I only found a few. Minnesota (again) has a statute that makes it a crime to “intentionally and without authorization” damage or destroy a computer, computer network or computer data. Minnesota Statutes § 609.88. I found one or two similar statutes in other states, and more may be out there.

Section 1030 doesn’t have this residual option for charging someone with theft or damage . . . which is probably why the Citrin court and a few other courts have tried to expand the “authorization” element. I think it would be better to add a theft and/or damage alternative to § 1030.