Friday, January 29, 2010

"Computer Tampering" as Exceeding Authorized Access

As I’ve noted in earlier posts, federal and state statutes criminalize two kinds of unlawful “access” to a computer:

the “outsider” crime (unauthorized access, i.e., the person is not authorized to have any access to the computer or computer system); and

the “insider” crime (exceeding authorized access, i.e., the person is authorized to access the system for certain purposes or to a certain extent but went beyond what he or she was authorized to do).

As I’ve also noted, federal courts currently disagree as to whether the federal “exceeding authorized access” offense defined by 18 U.S. Code § 1030(a) targets (i) an employee’s going beyond the scope of his/her authorized access to the computer system or (ii) an employee’s using his/her access to the employer’s computer system to obtain data or otherwise engage in activity detrimental to the employer’s interests.

As I explained in an earlier post, how you resolve that issue basically depends on whether you construe the § 1030(a) crimes as “burglary” crimes (one gains unlawful entry into a place to commit a crime therein) or as “trespass” crimes (one gains unlawful entry into a place).

This post is about a recent case from Arizona – State v. Young, 2010 WL 129693 (Arizona Court of Appeals 2010 – which involved a conviction for Arizona’s exceeding authorized access crime. The Arizona Court of Appeals’ decision parses an Arizona statute that has a slightly different take on the crime. This is how the case arose:

[Clifton] Young was employed by the Arizona Department of Transportation (`ADOT’) as a member of the server management team. The seven-person team administered ADOT's computer server infrastructure. . . . Young had elevated domain administrator privileges, which provided him access to all computer servers on the ADOT computer network. Among the computer servers on the ADOT network was a server that hosted the personnel files for ADOT employees.

Employees of ADOT are subject to annual reviews of their work performance. As part of the review process, employees are given an Employee Performance Appraisal System (`EPAS’) score. The scores range from 1 to 5, with a score of 3 representing acceptable performance and . . . 5 indicating superior performance. The EPAS scores become a permanent part of an employee's personnel file and are considered confidential. . . .

[ADOT’s] Chief Information Officer decided EPAS scores in the IT department [were] inflated . . . and directed . . . managers to recalibrate the scoring of their subordinates to establish a more realistic baseline. The supervisor of the server management team complied. . . .Young's EPAS score, which had been no lower than 4, dropped to 3.3.

The recalibration became a subject of discussion among the server management team. The members of the team . . . were concerned that downgraded EPAS scores might be the first step toward outsourcing their jobs. The supervisor met with team members and explained that the scores were lowered as part of a general realignment of scores in the IT department and that they were not being individually penalized.

Young subsequently showed another member of the team an Excel spreadsheet displayed on a computer in his cubicle that included the names and EPAS scores for the entire IT department. . . . [It] indicated the server management team was the only group . . . to have its EPAS scores reduced. Young contacted the team supervisor and informed him of the spreadsheet. When the supervisor asked for a hard copy of the spreadsheet, Young left and returned with a printout. The supervisor [told] Young he would take the spreadsheet to his superior and ask if he could rescore the team given the failure of other supervisors to comply with the recalibration directive.

After the supervisor spoke to his superior . . . ADOT began an investigation [into] the source of the unauthorized disclosure of the EPAS scores. . . . [A] forensic examination was performed on the computers of the server management team. The examination revealed that the EPAS spreadsheet, which was stored on the server in question, had been accessed from one of Young's work computers by a person using his user ID and password. . . . [It] also revealed that [his] computer had been used to access other Human Resource documents on the server during the same time frame. . . . Young had no business need to access the spreadsheet or other Human Resource documents.

State v. Young, supra.

Young was “terminated from his position at ADOT” and “charged with one count of computer tampering” in violation of Arizona Revised Statutes § 13-2316(A)(7). State v. Young, supra. Section 13-2316(A)(7) provides as follows:

A person who acts without authority or who exceeds authorization of use commits computer tampering by . . . [k]nowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision of this state or a medical institution.

Young went to trial on the charge, was convicted and was put “on probation for eighteen months.” State v. Young, supra. He appealed his conviction to the Arizona Court of Appeals, arguing “that the evidence presented at trial was insufficient to support his conviction.” State v. Young, supra. More precisely, he claimed it didn’t establish certain elements of the crime:

The elements of the species of computer tampering charged in this case are: (1) without authority or in excess of authority; (2) knowingly obtaining; (3) information required by law to be kept confidential or records that are not public records; (4) by accessing any computer, computer system or network operated by the State. . . . Young contends that the evidence was insufficient to permit the jury to find the existence of the first and third elements of this offense beyond a reasonable doubt.

State v. Young, supra. On the first issue, Young noted that “the indictment described the offense as having been committed `without lawful or administrative authority’ and the jury instructions defined it in the same manner. State v. Young, supra. He argued that “because he had `elevated domain administrator’ privileges that gave him the ability to access the server, no reasonable person could conclude that he acted without authority when he accessed the Human Resource documents” on the server. State v. Young, supra.

Young cited federal cases construing 18 U.S. Code § 1030(a) as supporting his argument. State v. Young, supra. But the Court of Appeals didn’t buy his argument:

These federal cases are inapposite because the federal statute they apply defines the offense simply in terms of `intentionally access[ing] a computer without authorization or exceed[ing] authorized access.’ 18 U.S. Code § 1030(a). In contrast, the essence of the offense with which Young was charged is the obtaining of specific information or records, not the act of accessing the computer. . . . [T]he issue of authority for purposes of § 13-2316(A)(7) turns on whether a person has authority to obtain the information or records that are the object of the offense-not on whether the person has authority to access the computer. We therefore reject Young's argument that the indictment and jury instructions constrained the State to prove facts not supported by the evidence.

State v. Young, supra.

The Court of Appeals then turned to Young’s second argument, which focused on the third element of the crime, i.e., the requirement that the improper access have been used to obtain either (i) information required by law to be kept confidential or (ii) records that are not public records. State v. Young, supra. The State conceded that the EPAS score spreadsheet did not fall in “this category because there is no statute requiring that such information be kept confidential”, but claimed the jury could legitimately have found that “Young obtained information within this category based on the evidence that [his] computer was used to access other Human Resource documents.” State v. Young, supra. The Court of Appeals found that the problem with this argument was that no

substantial evidence was presented at trial regarding the contents of these documents. None of the documents were admitted in evidence and testimony regarding them was limited to general descriptions. While there was testimony that there were files on the server that included social security numbers as well as personal medical information and other matters subject to state and federal confidentiality laws, that testimony was never tied to the specific files Young accessed. Absent evidence that the documents Young obtained actually contained information protected by state or federal law, any finding that Young obtained such information would be pure speculation.

State v. Young, supra.

The court also found that “the evidence is insufficient to support a finding that Young obtained `any records that are not public records’ from the server.” State v. Young, supra. It noted, first, that an Arizona statute states that “[p]ublic records . . . shall be open to inspection by any person at all times during office hours.” State v. Young, supra (citing Arizona Revised Statutes § 39-121). It also noted that Arizona case law defines a “public record” as one “`made by a public officer in pursuance of a duty’” or “`any written record of transactions of a public officer in his office’” State v. Young, supra (quoting Carlson v. Pima County, 141 Ariz. 487, 687 P.2d 1242 (Arizona Supreme Court 1984)).

The Court of Appeals then held that based on the

limited descriptions provided at trial of the Human Resource documents accessed by Young, all appear to fall within the definition of public records. The State does not dispute that the documents are public records, but asserts that the phrase `any records that are not public records’ should be construed to mean public records exempt from disclosure despite the presumption of access under the public records law. . . According to the State, in light of the testimony that the Human Resource documents were `confidential’ and `sensitive,’ the jury could find that the State had proven an exception to disclosure under the public records law.

The flaw in the State's argument is that it is contrary to the plain language of the statute. The phrase in issue clearly states `records that are not public records ‘ -- i.e., private records. The State's interpretation would require that `not public records’ be read to mean the exact opposite of the words used by the Legislature. When a statute's language is plain and unambiguous, we must apply the text as written.

State v. Young, supra. The Court of Appeals held that while Young “did not have authority to obtain the EPAS score spreadsheet on the server”, the prosecution did not prove that he “obtained information or records from the ADOT server within either of the two categories that are the subject of” Arizona Revised Statutes § 13-2316(A)(7). State v. Young, supra. It therefore reversed his conviction and ordered “the charge dismissed.” State v. Young, supra.

(The Court of Appeals noted that the State could instead have charged Young with computer tampering under Arizona Revised Statutes § 13-2316(A)(8), which defines the crime as (i) “exceed[ing] authorization of use” and (ii) “knowingly accessing” a computer or computer network or data “contained in a computer, computer system or network.” That would have eliminated the need to prove that Young accessed information required by law to be kept confidential or records that are not public records.”)

Wednesday, January 27, 2010

Attorney-Client Privilege & U.S. Department of Justice Emails

As I’ve noted before, it’s far from clear that we have a 4th Amendment expectation of privacy in emails we leave stored on an ISP’s servers. As I’ve also noted, there’s a good argument that unless we encrypt our emails, we “knowingly expose” them to the ISP’s employees, thereby forfeiting any 4th Amendment expectation of privacy in them.

We may get some clarification on this when the U.S. Supreme Court decides Ontario v. Quon, a case from the Ninth Circuit. The Court agreed to review Quon in December, so it will be a while before the Supreme Court issues its decision in the matter. If you’re interested, I did a blog post on the Ninth Circuit decision in Quon.

This case is about a somewhat related issue: whether an employee of the U.S. Department of Justice could assert the attorney-client privilege with regard to 36 emails he sent via the Department of Justice’s email system. The case is Convertino v. U.S. Dept. of Justice, 2009 WL 4716034 (U.S. District Court for the District of Columbia 2009) (Convertino v. USDOJ), and this is how it arose:

Richard G. Convertino filed the Complaint against the United States Department of Justice on February 13, 2004, raising two counts. One count has been dismissed leaving only whether defendant willfully and intentionally disclosed information to a reporter for the Detroit Free Press in violation of the Privacy Act, 5 U.S. Code § 552a. The disclosed information most likely consisted of one or more documents from an investigation into plaintiff's conduct by defendant's Office of Professional Responsibility (`OPR’).

The OPR began an investigation in November of 2003 after the United States Attorney's Office for the Eastern District of Michigan referred allegations of prosecutorial misconduct against Assistant United States Attorney Richard Convertino -- former lead trial counsel in the case of United States v. Koubriti.Free Press. Following the leak, the Office of the Inspector General (`OIG’) began an investigation to determine who provided the information to the press, ultimately concluding that there was insufficient evidence to prove, by a preponderance of the evidence, who the leaker was. The OPR crafted a series of letters stating what issues the OPR would investigate and which it would not. A limited number of people had access to these private letters. On January 17, 2004 an article addressing the investigation by OPR was written by David Ashenfelter and published in the Detroit

Convertino v. USDOJ, supra.

The primary issue the district court judge was dealing with in this opinion was Convertino’s motion to compel the Department of Justice to produce “736 various documents” he believed were “responsive to his discovery requests” in the case. Convertino v. USDOJ, supra. The Department of Justice opposed the motion, arguing that the documents were covered by any of several privileges and therefore were “not discoverable.” Convertino v. USDOJ, supra. We, though, aren’t concerned with the dispute between the Department of Justice and Convertino. Our concern is with a subsidiary issue that was raised by Jonathan Tukel:

Mr. Tukel was originally a named defendant -- being sued in his official capacity -- on Count I of the Complaint which was subsequently dismissed by the court on October 19, 2005. Mr. Tukel was serving as First Assistant United States Attorney of the Eastern District of Michigan when this case was filed and remained in this position until May 2005. Mr. Tukel was one of the original parties that initiated confidential personal matters related to plaintiff. Plaintiff was required to meet with Mr. Tukel to discuss the review of the cases that had been handled by plaintiff. Mr. Tukel was part of a committee that drafted and sent allegations to OPR and he was one of the recipients of OPR's letters indicating which allegations it would investigate.

In anticipation of litigation, Mr. Tukel retained private counsel Cadwalader, Wickersham & Taft LLP (`Cadwalader’). While working for defendant [the Department of Justice], Mr. Tukel used his DOJ-provided e-mail address to communicate with Cadwalader. The e-mails were sent between Mr. Tukel and Cadwalader, no one else was included on the e-mails.

Convertino v. USDOJ, supra.

Once the court dismissed Count I of the complaint, Tukel was no longer part of the case. But Tukel apparently heard about Convertino’s motion to compel production of the 736 documents and was concerned because they included 36 emails between him and the Cadwalader firm. Convertino v. USDOJ, supra.

In an effort to protect his interests, he filed a motion to intervene in the case. Convertino v. USDOJ, supra. As Wikipedia notes, intervention is a procedure that lets nonparties join “litigation . . . without the permission of the original litigants. The . . . rationale . . . is that a judgment . . . may affect the rights of nonparties, who ideally should have the right to be heard.” Tukel therefore sought to intervene for the limited purpose of asserting his attorney-client privilege over these emails. Convertino v. USDOJ, supra. The court granted his motion, and then addressed the applicability of the attorney-client privilege.

It clearly applied to the emails because (i) they were communications between a client (Tukel) and his attorneys (Cadwalader) (ii) that concerned the representation and (iii) were made for the purpose of securing legal services. The Department of Justice apparently believed it applied; in opposing Convertino’s motion to compel the production of the emails, it claimed they were protected by the attorney-client privilege because they were “communications between Jonathan Tukel and his attorney(s).”

Plaintiff Richard G. Convertino’s Motion to Compel Production from Defendant United States Department of Justice, 2009 WL 2248745 (2009). Convertino, in response, pointed out that “the DOJ does not hold the attorney client privilege . . . , it is held and thus may be asserted only by Mr. Tukel.” Plaintiff Richard G. Convertino’s Motion to Compel Production from Defendant United States Department of Justice, 2009 WL 2248745 (2009). Convertino was quite right in this regard, which is why Tukel had to intervene.

The issue the district judge addressed was whether Tukel waived the privilege. Convertino raised the issue of waiver. He claimed that

the mere fact that the DOJ has these documents means that Mr. Tukel has waived any claim of privilege that he might have had; any disclosure of potentially privileged information, even inadvertently, to any third party (including government agencies) for any purpose destroys the privilege as to those documents and any related documents.

Plaintiff Richard G. Convertino’s Motion to Compel Production from Defendant United States Department of Justice, 2009 WL 2248745 (2009).

The judge explained that one can waive the attorney-client privilege by

disclosing confidential information to a third-party, however, no waiver exists if `(1) the disclosure is inadvertent;’ and `(2) `the holder of the privilege or protection took reasonable steps to prevent disclosure.’ [Federal Rules of Evidence Rule 502(b)]. In this case, the disclosure was inadvertent. Mr. Tukel had no intentions of allowing the DOJ, his employer, to read the e-mails he was sending to his personal attorney through his work e-mail account. Mr. Tukel also took steps to delete the e-mails as they were coming into his account -- failing to realize that his employer had the e-mails. Additionally, since discovering that the DOJ still had access to his e-mails in April 2009, Mr. Tukel has taken reasonable steps to prevent disclosure to more parties by filing a motion . . . to intervene [in this case].

Convertino v. USDOJ, supra. (You might wonder why the court quoted Rule 502 of the Federal Rules of Evidence. Since this is a federal case, it’s governed by the Federal Rules of Evidence, and Rule 502 sets certain limitations on the waiver of the attorney-client privilege, one of which is the inadvertent disclosure quoted above.)

The judge also found that Tukel “reasonably expected his e-mails with his personal attorney to remain confidential.” Convertino v. USDOJ, supra. He explained that for

documents sent through e-mail to be protected by the attorney-client privilege there must be a subjective expectation of confidentiality that is found to be objectively reasonable. . . . Each case should be given an individualized look to see if the party requesting the protection of the privilege was reasonable in its actions. . . .

On the facts of this case, Mr. Tukel's expectation of privacy was reasonable. The DOJ maintains a policy that does not ban personal use of the company e-mail. Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would be regularly accessing and saving e-mails sent from his account. Because his expectations were reasonable, Mr. Tukel's private e-mails will remain protected by the attorney-client privilege.

Convertino v. USDOJ, supra.

You may notice that in deciding whether Tukel could assert the attorney-client privilege, this judge found that his ability to do so depended on whether he had a “subjective expectation of confidentiality [in the emails] that is found to be objectively reasonable.” That, as I’ve explained in various posts, is the same standard the U.S. Supreme Court uses to decide if someone has a 4th Amendment expectation of privacy in a place of thing. One could therefore argue that this federal judge implicitly held that Department of Justice employees have a 4th Amendment expectation of privacy in the contents of emails they send and receive via the Department of Justice's email system. While I, personally, think that argument works, I suspect the Department of Justice would emphatically disagree.

Monday, January 25, 2010

Emails, Interception and Private Actors

This post is about a case that raised issues I’ve discussed in prior posts that arise in a rather unique context. But before we get to the issues, I need to note how the case arose.

The case is People v. Theobald, 2009 WL 5062033 (California Court of Appeals 2009). Herehere is how the California Court of Appeals described the facts that led to the opinion we’ll be analyzing in a moment:

Defendant [Brad Theobald] was born in July 1980.

A Corona police detective, Michelle McConnell, testified she interviewed Jane Doe, who was born in June 1990, on August 21, 2007. Jane Doe said she first met defendant in 2006 when he was a coach for a high school track team.

Their first sexual intercourse occurred in April 2007 at Huntington Beach at the lifeguard tower. Two weeks later, they had intercourse in a car at a Norco park. A third time they had intercourse and oral sex at the park. They also had intercourse at [Theobald’s] Upland apartment. A fifth incident of intercourse occurred in a car in a Home Depot parking lot. Jane Doe recalled two other instances of oral sex in a car. They engaged consensually in at least five instances of intercourse and three of oral sex. . . .

[T]he People charged [Theobald] with three counts of unlawful oral copulation ([in violation of California Penal Code § 288a, subd. (b)(1)]) and five counts of unlawful sexual intercourse. ([in violation of California Penal Code § 261.5, subd. (c).])

People v. Theobald, supra. Prior to trial, Theobald moved to suppress evidence “on the grounds that an email from Jane Doe to him was obtained without his consent by his friend, Brandon Kaan, at the behest of” Theobald’s wife. People v. Theobald, supra. Theobald claimed that if “Kaan had not obtained the email, Jane Doe would never have been identified and questioned by the police.” People v. Theobald, supra. Later in the opinion, the Court of Appeals explains that the

email was sent from Jane Doe to [Theobald]. It expresses Jane Doe's concern that [his] wife would discover her identity, which would be `horrible actually.’ [Theobald’s] friend, Kaan, who knew [Theobald’s] password, was able to access his email account and then, using Jane Doe's email address, identify her as a student at the high school where both men taught. Kaan then reported the information to the police.

People v. Theobald, supra.

Theobald based his motion to suppress primarily on two arguments: One was that “the email and any information derived from it constituted an illegal `interception’ of the electronic communication” between him and Jane Doe in violation of 18 U.S. Code § 2511; the other argument was that the email was obtained in violation of the 4th Amendment. People v. Theobald, supra.

The trial court denied Theobald’s motion to suppress and he would up pleading “no contest to eight sexual offenses” (presumably the eight noted above). People v. Theobald, supra. He was sentenced to “eight concurrent terms of two years in prison” but the trial court “spared” him “from being required to register as a sex offender”. People v. Theobald, supra.

Theobald apparently reserved his right to appeal the trial court’s denial of his motion to suppress, because that’s the primary issue he raised on appeal. (He also challenged testimony at his preliminary hearing as violating the rules against hearsay, but we’re not concerned with that argument.) People v. Theobald, supra.

As I noted above, Theobald argued on appeal that the way police gained access to the Jane Doe email violated 18 U.S. Code § 2511 and/or the 4th Amendment. People v. Theobald, supra. He lost on both issues.

As I explained in an earlier post, 18 U.S. Code § 2511 makes it illegal to “intercept” the contents of a wire, oral or electronic communication without complying with certain requirements. The Jane Doe email was clearly an “electronic communication” within the scope of § 2511, and Kaan obtained the contents of the email without complying with the statute’s requirements. So Theobald had the beginnings of a credible argument under § 2511.

The problem was that § 2511 makes it illegal to “intercept” the contents of an electronic communication; therefore, to violate§ 2511 Kaan not only had to obtain the contents of an electronic communication without complying with the statute’s requirements, he also had to have “intercepted” those contents. As I explained in my prior post on this issue, courts generally agree that to “intercept” the contents of an electronic communication, the contents must have been obtained contemporaneously with the transmission of the communication. Or as some courts have put it, the contents must have been obtained “in flight,” i.e., while they’re traveling from sender and receiver. In my prior post, I explained why interception is being construed in that fashion.

Theobald, of course, couldn’t show that the contents of the Jane Doe email had been obtained while they were in transmission, which meant he couldn’t show they were “intercepted” in violation of 18 U.S. Code § 2511. The trial court therefore denied his motion to suppress the email, noting that retrieving a stored email doesn’t constitute interception: “Interception means acquiring the data simultaneously with the original transmission.” People v. Theobald, supra. The Court of Appeals naturally agreed with the trial court: “[R]etrieving an demail after it has been received does not constitute `interception’ of an electronic communication.” People v. Theobald, supra.

That left Theobald’s 4th Amendment argument. As I’ve noted in earlier posts, it’s simply not clear if emails left stored in someone’s account are protected by the 4th Amendment. The issue, as I’ve explained in earlier posts, is basically whether you surrender your 4th Amendment expectation of privacy in the contents of emails by leaving them stored with a third party, which can access them. So the prosecution could have argued that Theobald had no 4th Amendment expectation of privacy in the email; and if he had no 4th Amendment right to privacy in the email, then what Kaan did couldn’t have violated the 4th Amendment.

Neither the trial court not the Court of Appeals took that route, though both rejected Theobald’s 4th Amendment argument. They instead relied on a different theory.

As I noted in another post, the 4th Amendment only applies to what’s called “state action.” That is, it only protects us from law enforcement officers when they are acting as law enforcement officers, i.e., are collecting evidence to be used in a criminal case.

As I explained in that post, the 4th Amendment doesn’t protect us from “private actors,” i.e., from people who are not associated with law enforcement but who decide to collect evidence on their own and take it to the police. As I also explained, the only way the 4th Amendment can apply to the actions of a private person is if that private person had become an agent of the state when he/she sought out evidence and took it to the police.

So, as both the trial court and the Court of Appeals held in the Theobald case, Kaan’s collecting the Jane Doe email from Theobald’s email account would implicate the 4th Amendment if Kaan was acting as an agent of the state (i.e., an agent of the police) when he obtained it. People v. Theobald, supra.

As I’ve also explained, to become an agent of the state you have to meet two requirements: One is that you had to have acted to benefit law enforcement; that requirement is of course met here, as it is in every case where someone collected evidence and took it to the police. But, as I tell my students, a private person’s acts are not, in and of themselves, binding on law enforcement. Becoming an agent of the state (or the police) also requires that the police have encouraged you to collect the evidence or done something else to indicate that they sanction your conduct. It’s something like a contract: I may be angry at my neighbor and grab evidence from his garage and take it to the police to get him prosecuted, but that, alone, doesn’t make me an agent of the state; there has to have been an agreement, in effect a contract, between us. The state has to have sicced me on my neighbor or at least acquiesced in what I was going to do, knowing I was going to do it.

We don’t have that in the Theobald case. In denying Theobald’s motion to suppress, the trial court held that the “`”seizure” of e-mails was by a private party and not acting on behalf of law enforcement but rather on behalf of a private party, [Theobald’s] wife.’” People v. Theobald, supra. The Court of Appeals agreed:

[T]he Fourth Amendment [protection] against illegal search and seizure does not afford protection to the subject email because it was obtained by a private party who then shared the information with the police. . . . Even if the private party intended to assist law enforcement, government participation has to be extensive enough to trigger Fourth Amendment scrutiny. . . . In the present case, Kaan acted on his own before contacting the police. No Fourth Amendment protection applied to his conduct as a private citizen.

People v. Theobald, supra. The Court of Appeals therefore upheld Theobald’s conviction and the sentence imposed on him. People v. Theobald, supra.

Friday, January 22, 2010

SHA-1 Hash Values and Defense Motions

Using Westlaw, I find six reported cases that mention SHA-1 hash values.

Three merely note that the United States “adopted the SHA-1 has algorithm . . . as a Federal Information SMWgo2 Processing Standard.” U.S. v. Schmidt, 2009 WL 2836460 (U.S. District Court for the Eastern District of Missouri 2009). See also U.S. v.. Stevahn, 2009 WL 405847 (U.S. Court of Appeals for the Tenth Circuit 2009); U.S. v. Warren, 2008 WL 3010156 (U.S. District Court for the Eastern District of Missouri 2008). Another explains that a Pennsylvania State Trooper “was able to” use SHA-1 hash values to identity child pornography images (more on that in a minute). U.S. v. Sutton, 2009 WL 3542446 (U.S. Court of Appeals for the Third Circuit 2009).

That leaves U.S. v. Beatty, 2009 WL 5220643 (U.S. District Court for the Western District of Pennsylvania 2009) and U.S. v. Schimley, 2009 WL 5171826 (U.S. District Court for the Northern District of Ohio 2009). In these cases, SHA-1 hash values played a role in a defense motion challenging some aspect of the prosecution.

We’ll start with U.S. v. Beatty. Since I described the charges and facts in the case in an earlier post, I won’t repeat them here. That post dealt with whether Beatty had standing to raise a 4th Amendment challenge; we’re dealing with a different issue here.

As I noted in the prior Beatty post, he moved to suppress evidence, arguing that the affidavit submitted to obtain the warrant didn’t establish probable cause for the issuance of the warrant. Beatty conceded that the affidavit submitted by FBI Agent Brenneis

supported a finding of probable cause to believe: (i) that the files which Trooper Pearson located through peer-to-peer networking were located on the [his] computer and (ii) that they matched the files in the Wyoming ICAC Task Force's national data base. `But what the affidavit fails to do,’ according to [Beatty], `is provide any information for [the issuing magistrate judge] to use to determine that there was a fair probability that those files were contraband or evidence of a crime.’

U.S. v. Beatty, supra (quoting Beatty’s motion to suppress). The prosecution relied, in part, on the “highly graphic titles of the files [Beatty] was making available to other P2P users”. U.S. v. Beatty, supra. In response, Beatty pointed out that people can name a file anything they want and that some file names are inherently ambiguous. In considering this issue, the district court judge noted that the file name “`“Lolita,” . . . could as easily reference an English term paper, a discussion of teacher-student relations, or . . . child pornography. Likewise, in a vacuum, the title “Teen Angel” could as likely reference a popular 1960s song as it could be a video file containing child pornography”. U.S. v. Beatty, supra (quoting U.S. v. Leedy, 85 M.J. 208 (U.S. Court of Appeals for the Armed Forces 2007)).

The judge, however, found it does not necessarily follow that

no file name can ever be regarded as a logical indication of the file's salient features. Just as one can envision circumstances where a particular file name might provide no basis for drawing inferences concerning the actual file content, one can also envision circumstances where the file name is so explicit and detailed in its description as to permit at least a reasonable inference as to what the actual file is likely to show.

U.S. v. Beatty, supra. Beatty, though, relied on comments Agent Brenneis included in the affidavit he used to obtain the warrant. In the affidavit, Brenneis explained that the SHA-1 hash value

is a `mathematical algorithm that allows for the fingerprinting of files.’ Once a file is located using a software application capable of generating the SHA1 value, that SHA value becomes a unique identifier for that file. . . `There is no known instance of two different computer files having the same SHA1 hash value.’ . . . [T]he SHA1 `digital fingerprint’ is `more unique to a data file than DNA is to the human body.’

U.S. v. Beatty, supra (quoting Agent Brenneis’ affidavit). In his argument, Beatty focused not on the identification capabilities of the SHA value but on his claim “that the names of files . . . cannot serve as meaningful indicators of the actual file content.” U.S. v. Beatty, supra. He specifically relied on this paragraph in Agent Brenneis’ affidavit:

[A]n investigator can be certain that an image being disseminated on the Gnutella network is child pornography simply by comparing that subject image's SHA1 hash value with a national database's listing of SHA1 hash values for known child pornography. This allows an extremely high degree of confidence that a known hash value represents a given file . . . regardless of the title utilized by the distributor or possessor of the image.

U.S. v. Beatty, supra. Beatty claimed that “this language demonstrates that `[t]he whole point of using the SHA1 hash value to identify files rather than file names is that the file names do not necessarily correspond to the file contents.’” U.S. v. Beatty, supra (quoting Beatty’s motion to suppress). The district judge didn’t agree:

When considered in context . . . the cited language merely establishes that use of SHA1 values provides an extremely high level of precision in identifying specific file content -- a level of precision which, according to the affidavit, is more unique than DNA matching. Such precision likely exceeds the exactitude necessary to establish proof beyond a reasonable doubt; certainly, it exceeds what is necessary under . . . probable cause standards. Thus, the affidavit may be fairly read as implying a fairly obvious principle -- that SHA1 values provide a more reliable means of identifying actual file content than is possible by virtue of file names alone. This principle, however, does not lead ineluctably to the conclusion that file names thereby always constitute meaningless information.

U.S. v. Beatty, supra. The judge therefore found that the file names were a factor the magistrate could properly consider in making a probable cause assessment. U.S. v. Beatty, supra.

That brings us to U.S. v. Schimley. After being charged with receiving, distributing and possessing child pornography in violation of 18 U.C. Code § 2252, Mark Schimley moved to suppress evidence and for a Franks hearing. U.S. v. Schimley, supra. As I explained in an earlier post, in Franks v. Delaware, 438 U.S. 154 (1978), the Supreme Court held that if a defendant proves by a preponderance of the evidence that an officer knowingly or with reckless disregard for the truth included false information in an affidavit used to get a search warrant, the court must decide if the affidavit would have justified issuing the warrant if that information hadn’t been included. So Schimley not only filed a motion to suppress, he also sought a hearing under Franks v. Delaware, which brings back to the origins of his case.

In 2007, Pennsylvania State Trooper Erdely was using Phex software to troll a file-sharing network for child pornography. U.S. v. Schimley, supra. He found “3929 files for download” originating from a network he traced to Schimley and was “able to identity sixty movie and images files that contained names related to child pornography, based on his previous experience in other” cases. U.S. v. Schimley, supra. An FBI Agent, Agent Russ, used what Erdely had found to obtain a warrant to search Schimley’ home and seize his computer, which apparently contained child pornography. U.S. v. Schimley, supra.

After being indicted, Schimley moved for a Franks hearing, claiming that the affidavit contained false statements made knowingly or recklessly; the prosecution conceded that it contained two false statements, both concerning a file named "[Loli Child Porn] (Loli Y) Babj 00(New) by Kidzilla.avi." U.S. v. Schimley, supra. The affidavit (apparently submitted by Russ) said Erdely had found this file on Schimley’s computer, but when the computer’s hard drive was searched the file wasn’t there. U.S. v. Schimley, supra. The prosecution blamed Phex:

[Erdely] maintains a text file which contains the names and hash values of known child pornography images recovered from other investigations. When [he] enters a search term into Phex, the search results will typically reveal tens or hundreds of Phex users sharing a file containing the search term. The list would include multiple users sharing the same file, although the file may be saved under a different file name. If the search results include a file with the same name or hash value as a file stored in the text file, the name from the trooper's text file will be assigned to the image he selects for download.

Thus, according to the government, when the trooper downloaded the suspect file from Mr. Schimley's IP address, that file was cross-referenced against his text file, either by file name or hash value, and assigned a name as specified in the text file.

U.S. v. Schimley, supra. The judge denied Schimley’s motions to suppress and for a Franks hearing because she held that he hadn’t shown the false statements were knowingly or recklessly included in the affidavit. U.S. v. Schimley, supra. Schimley moved for reconsideration of her ruling, asking the judge to order a Franks hearing because she had

relied on the government's claim that the SHA-1 hash value of the downloaded file matched that of the file being shared at Schimley's IP address. He states that under Supreme Court precedent, the Court may not rely upon information outside the four corners of the affidavit in its probable cause determination. Whiteley v. Warden, Wyoming State Penitentiary, 401 U.S. 560 (1971). He insists that whether the SHA-1 hash values match is an issue of fact only a Franks hearing can resolve, and that the Court cannot simply rest on the Government's assertion that the files did in fact match.

U.S. v. Schimley, supra. The judge agreed that the probable cause determination had to be based on what was in the affidavit but still rejected Schimley’s argument:

The Court ruled the way it did, not because the government claimed that the SHA-1 hash values matched, but because the defendant was unable to meet his burden. . . . Schimley essentially argued that Agent Russ' actions were necessarily intentional or reckless simply because the affidavit contained false statements. As the Court noted then, `Franks teaches that a mere showing of falsity is insufficient to demonstrate recklessness on the part of the affiant.’ Because Mr. Schimley did not meet his burden, the Court concluded, as it does now, that a Franks hearing is not warranted.

Furthermore, . . . the Court again concludes a Franks hearing is unwarranted, because the false statements were not material to [the] finding of probable cause. . . .

Schimley[] seems to suggest the warrant in this case would be supported by probable cause only if the agent had specifically described the matching SHA-1 hash values. . . .

[W]hile Agent Russ did not specify the actual SHA-1 hash values, he did attest that Erdely had taken steps to ensure the values did in fact match. Schimley has not otherwise met his burden that the warrant was insufficient. . . .

U.S. v. Schimley, supra. The judge also rejected Schimley’s claim that he was entitled to a Franks hearing because Erdely used a “modified version” of Phex. U.S. v. Schimley, supra.

His expert said it was “evident Erdely was not using a standard version” of Phex because the “software does not typically rename files in the way the” prosecution said Erdely’s version did. U.S. v. Schimley, supra. Schimley wanted a Franks hearing to question Erdely’s “`findings and methodology . . . through cross-examination’” but the judge decline to grant his request. U.S. v. Schimley, supra. She found that Schimley didn’t (i) show how the omission of this information misled the magistrate who issued the warrant into believing there was probable cause when there wasn’t and (ii) specifically allege “what difficulties he has encountered in attempting to validate the investigation”. U.S. v. Schimley, supra.

I find it interesting that the (apparently only) two reported cases that use SHA-1 values in defense motions arose last year. I wonder if we’ll see more use of this and related issues by defense attorneys.