Wednesday, June 30, 2010

"Possession" and the Thumb Drive

As I noted in a post I did a couple of years ago, most people know that the law makes it illegal to “possess” certain items, including controlled substances and child pornography. What I suspect most people don’t know is that there are, as I explained in that post, two kinds of possession: actual and constructive.

In that earlier post, I used an instruction from the U.S. Court of Appeals for the 1st Circuit to illustrate the difference between the two types of possession:

The term `possess’ means to exercise authority, dominion or control over something. It is not necessarily the same as legal ownership. The law recognizes different kinds of possession.

Possession includes both actual and constructive possession. A person who has direct physical control of something on or around his person is then in actual possession of it. A person who is not in actual possession, but who has both the power and the intention to exercise control over something is in constructive possession of it.

U.S. Court of Appeals for the 1st Circuit, Pattern Jury Instructions 4.06 (1998).

This post is about a case in which the “possession” of a thumb drive was at issue, not because it’s illegal to possess a thumb drive but because of what was on this particular thumb drive.

The case is Hunt v. State, 2010 WL 1224372 (Georgia Court of Appeals 2010). As the opinion notes, “[f]ollowing a jury trial, Jimmy Dee Hunt was convicted of five counts of sexual exploitation of children” in violation of Georgia Code § 16-12-100. Hunt v. State, supra. Hunt appealed his conviction, and one of his arguments on appeal concerned the possession of the thumb drive. Hunt v. State, supra. Before we get to the issue, you need to know how it, and the case, arose:

Hunt was a registered guest in Room 508 at the Best Western Hotel in College Park from June 23-28, 2007. In August 2007, a housekeeper found a USB Kingston thumb drive on the fifth floor of the hotel, and turned it in to the hotel's lost and found area. After determining the USB drive did not belong to any of the hotel guests, Carlita Leonard, a front desk clerk, took the USB drive home for her daughter to use. On August 10, 2007, Leonard's daughter inserted the USB drive into a friend's computer, and when she opened the USB drive, she observed photographs of children. Leonard immediately contacted the police.

Detective Redding of the City of College Park Police Department confirmed that images depicting underage children engaged in various sexual acts were stored on the USB drive as well as two photographs of a man, later identified as Hunt. The USB drive also contained several files entitled `d.b.a., Jimmy Hunt’ or referencing a business affiliated with Hunt, which Detective Redding was unable to open due to the file's format.

Pursuant to Redding's request for assistance, Detective Ward of the Jonesboro Police Department in Arkansas obtained a search warrant to search Hunt's home in Paragould, Arkansas to seize Hunt's computers, equipment capable of storing media or internet communications, floppy drives, CDs, and cameras. Ward searched Hunt's home and discovered several computers, including a laptop computer, a second Kingston thumb drive, a portable hard drive, a Kodak digital camera, two floppy disks, a wireless mouse, and various cables. . . .

Jonathon Sims, a forensic computer specialist, . . . conducted a forensic examination of the USB drive found at the Best Western, and determined that on April 15, 2007 at 9:48 a.m., thirteen pornographic images of children were saved to [it]. Within seconds thereafter, two photographs of Hunt, dated April 14, 2007, were also saved to the drive. Sims testified that on April 29, 2007, two images of naked children were saved to the drive at 11:48 a.m. Six files, which included the name Jimmy Hunt or one of his businesses, were saved to [it] at 11:52 a.m. on April 29, 2007. . . .

Hunt v. State, supra. It appears, then, that the evidence on which Hunt’s conviction was based all came from the thumb drive the housekeeper found on the fifth floor of the Best Western. On appeal, Hunt argued that the prosecution

failed to establish that Hunt exercised dominion or control over the USB drive, and therefore, the evidence was insufficient to show that he knowingly possessed material depicting children engaged in sexually explicit conduct.

Hunt v. State, supra. As I noted above, the opinion says Hunt was convicted of “five counts of sexual exploitation of children in violation of Georgia Code § 16-12-100. Two of the counts (4 and 5) charged him with violating § 16-12-100(b)(7), which makes it a crime “knowingly” to “bring or cause to be brought” into Georgia “any material which depicts a minor . . . engaged in any sexually explicit conduct.” Hunt v. State, supra. The other counts (1, 2 and 3) charged Hunt with violating § 16-12-100(b)(8), which makes it a crime “knowingly” to possess “any material which depicts a minor . . . engaged in any sexually explicit conduct”. Hunt v. State, supra. And as I said, it appears that factually, all five counts were based on the material contained on the thumb drive found on the fifth floor of the College Park Best Western. Hunt v. State, supra.

Georgia law, like that (I assume) of all the states, recognizes both “actual possession” and “constructive possession.” In Uriostegui v. State, 269 Ga. App. 41, 603 S.E.2d 478 (Georgia Court of Appeals 2004), the court explained the difference between the two:

A person who knowingly has direct physical control over a thing at a given time is in actual possession of it. A person who, though not in actual possession, knowingly has both the power and the intention at a given time to exercise dominion or control over a thing is then in constructive possession of it.

Uriostegui v. State, supra. In another decision, the Court of Appeals said that “[a]s long as there is slight evidence of . . . power, and intention to exercise control or dominion over an instrumentality, the question of fact regarding constructive possession remains within the domain of the trier of fact”, i.e., it’s up to the jury to decide whether the person "possessed" the "instrumentality". Wright v. State, 279 Ga. App. 299, 630 S.E.2d 774 (Georgia Court of Appeals 2006).

In this case, the Court of Appeals rejected Hunt’s argument and held that the evidence was sufficient to establish that he had constructive possession of the thumb drive:

[T]he evidence showed Hunt was a resident of Paragould, Arkansas and had rented Room 508 at the College Park Best Western Hotel from June 23, 2007 until June 28, 2007. In August 2007, the USB drive was found on the fifth floor of the Best Western in which Hunt had stayed as a guest.

Sims testified that the date and time imprinted on a photograph taken from a digital camera is recorded from the digital camera's date and time feature. . . . Given Sims' testimony, coupled with the fact that Hunt possessed several computers, a Kodak digital camera, and another Kingston USB thumb drive in his home in Arkansas, a rational trier of fact could find that Hunt took photographs of himself on April 14, 2007 from his home in Arkansas with his digital camera; saved those photographs to the USB drive on April 15, 2007; took the USB drive with him to Georgia, where he stayed at the Best Western in late June 2007; and inadvertently left the USB drive on the fifth floor of the hotel. The jury could also conclude that Hunt knowingly possessed material depicting minors engaged in sexually explicit conduct in light of evidence that on April 15, 2007, 13 sexually explicit images of children were saved to the USB drive within seconds of the time two photographs of Hunt were saved to such drive. . . . Further, on April 29, 2007, six files listing Hunt's name and/or his business, two sexually explicit images of children, and two photographs of Hunt were saved to the USB drive within four minutes of each other. And three of the foregoing files listed the name of Hunt's business, Mister Appliance. . . .

Hunt had been a guest at the Best Western prior to the discovery of the USB drive, and . . . had the opportunity to access computer equipment from his home in order to save his photographs, files associated with him and his business, and sexually explicit images of children to the USB drive. Thus, the evidence was more than sufficient to exclude every reasonable hypothesis that someone other than Hunt possessed the USB drive when he stayed at the College Park Best Western in June 2007. . . . Accordingly, the evidence was sufficient to convict Hunt of five counts of sexual exploitation of children beyond a reasonable doubt.

Hunt v. State, supra. If nothing else, this opinion suggests that it's probably a good idea to keep track of your thumb drives.

Monday, June 28, 2010

Text Messages and the SODDI Defense

As Wikipedia explains, the SODDI (“Some Other Dude Did It”) defense is

often used when there is no question that a crime occurred, such as in murder or assault cases, where the defendant is not asserting self-defense. The SODDI defense in a murder, rape or assault case is often accompanied by a mistaken identity defense and/or an alibi defense.

As I noted in one of my early posts, one use of (or attempt to use) a SODDI defense in cybercrime cases occurs in child pornography cases when the defendant claims that it was a virus or a Trojan horse program – not him – that put child pornography on his computer.

This post is about Taylor Conley’s attempt to use a text message to at least implicitly establish a SODDI defense. Conley was charged with and convicted of “the aggravated first degree murder of Brian Swehla.” State v. Conley, 2010 WL 2283509 (Washington Court of Appeals 2010). The charges basically arose from these events:

On March 31, 2006, Amy Lynn Hardesty had been fighting with her boyfriend Brian Swehla at their home. Around 1:00 am, Hardesty's friend Wayne Hamrick picked her up, after which they stayed up all night and used methamphetamine.

Around 3:00 am, . . . Conley invited [James] Zebley to participate in a burglary. [Zebley declined but let Conley] take his truck.. . . . [B]etween 6:00 and 6:30 am . . . Jennifer Perry, Ronald Weller-Childers' girlfriend, was . . . home when [she] found Weller-Childers and Conley holding a 12 gauge shotgun; she told them to leave, which they did. . . . Between 8:20 and 9:00 am, Swehla's neighbors . . .noticed two men emerging from a wooded area near Swehla's house, carrying backpacks and `rifles.’. . . [They ran] to a truck, . . . [took] off most of their clothing, and [drove] away. . . .

Around 2:30 pm, Conley contacted Josh Derum and asked if he wanted to buy . . . a nickel-plated 12 gauge shotgun. . . . Conley [said] `he needed money to get out of town because he just put a hole in somebody's head.’. . . .

[A]round daybreak that same day, Hardesty and Hamrick [stopped] for breakfast around 8:30 am. Hamrick received a text message, apparently sent from Swehla's cellular telephone around 9:12 am that morning, which stated something like, `Where is you?’ Hamrick showed this message to Hardesty. Hardesty returned to Swehla's house around 8:30 or 9:00 pm, discovered him dead on his bedroom floor, and left. . . .

State v. Conley, supra. Police eventually found Swehla’s body; an autopsy showed that he had been beaten, shot with a .22 caliber gun and then shot in the head with a shotgun. State v. Conley, supra. Officers found “two unspent 12 gauge shotgun shells” on the kitchen floor of Swehla’s home. State v. Conley, supra. There was more evidence, but I think you get the idea.

The people noted above (including Hamrick) testified at trial to the events described above and other relevant facts and events, some of which occurred after the day of the murder. At trial, Conley wanted to use the “text message sent from Swehla's cellular telephone to Hamrick's cellular telephone as evidence that Hamrick was somehow connected to the murder.” State v. Conley, supra. The trial judge held that Conley could use the text message only to raise an issue about when the murder had occurred”, but the judge “did not instruct the jury about this limitation on use of the text message evidence.” State v. Conley, supra. We’ll get back to that in a minute.

As I noted, Conley was convicted. State v. Conley, supra. He appealed, arguing, in part, that the trial court violated

his due process rights under the Sixth and Fourteenth Amendments to the Constitution when it admitted the text message sent from Swehla's cellular telephone to Hamrick's cellular telephone for the sole purpose of controverting the time of the murder. Conley contends that in so doing, the trial court limited his ability to argue that this text message was evidence that Hamrick was somehow involved in the murder and, thus, any evidence involving Hamrick . . .was unreliable.

State v. Conley, supra. The prosecution acknowledged that the text message was

potentially relevant to Hamrick's and Hardesty's credibility and to the weight of Hamrick's testimony and any other evidence obtained through Hamrick or Hardesty, but it asserts that the trial court properly limited the use of this evidence because it did not establish that someone other than Conley actually committed the murder.

State v. Conley, supra (emphasis in the original).

In ruling on Conley’s argument, the Court of Appeals noted that since the trial judge never “cautioned the jury that it could consider the text message only as evidence of the time of the murder, the only potential effect” the ruling had was “to limit the scope of Conley's closing argument.” State v. Conley, supra. The Court of Appeals explained that a trial judge “has broad discretion over the scope of . . . closing arguments” but if a judge goes too far in limiting the scope of closing argument, that may violate the defendant’s constitutional rights to the effective assistance of counsel and/or due process. State v. Conley, supra. It noted that such an error “is subject to harmless error analysis”, which means the Court of Appeals can affirm a conviction if it finds that a “reasonable fact finder would have reached the same result absent the error.” State v. Conley, supra.

In analyzing the propriety of what the trial judge did, the Court of Appeals first noted that it agreed with the prosecution’s “assertion that the trial court's refusal to allow Conley to use the text message evidence to prove that someone other than Conley committed the murder was proper.” State v. Conley, supra. It explained that a defendant has no right to introduce evidence that a

third party committed the charged crime unless the defendant first establishes a sufficient foundation. . . . That foundation requires a nexus between the third person and the crime. . . . Motive, ability, and opportunity to commit a crime alone are not sufficient. . . . Only when the offered testimony would evidence a `step taken by the third party that indicates an intention to act’ on the motive or opportunity does the trial court abuse its discretion in refusing to allow the evidence for this purpose. . . . Under these standards, the trial court did not err to the extent it refused to admit the text message for the purpose of showing someone other than Conley killed Swehla. Although there was arguably evidence from Weller-Childers connecting another party to the actual murder, the chain of events linking the text message to that evidence was too attenuated to be relevant.

State v. Conley, supra. The Court of Appeals held, then, that to “the extent the trial court’s ruling precluded this argument, there was no error.” State v. Conley, supra.

The court also, however, agreed with Conley that the text message “was relevant and admissible for credibility, reliability, and weight purposes because it arguably connected Hamrick and, possibly, Hardesty, to the people who killed Swehla-a connection that could put any evidence related to Hamrick or Hardesty at issue.” State v. Conley, supra. It did not, though, find that the trial court’s ruling required reversing Conley’s conviction: “We do not . . . agree that the . . . ruling in any way prevented Conley from presenting this weight, reliability, and credibility issue to the jury.” State v. Conley, supra.

The trial judge, remember, held that Conley could only use the text message to raise an issue about when the murder occurred but did not instruct the jury about this limitation on use of the text message evidence. The Court of Appeals held, essentially, that the failure to instruct the jury on the limited use of the evidence made any error that occurred harmless:

In closing argument, Conley's counsel repeatedly pointed out the numerous connections between Hamrick and the witnesses who provided evidence against Conley, emphasizing that the text message was sent to Hamrick, `of all people,’ . . . and the State's rebuttal argument suggested that the text message could have connected Hamrick to the murder. Although defense counsel did not expressly argue that the text message implicated Hamrick and that Hamrick might, therefore, have been involved in providing false evidence against Conley, that theory was implicit in the closing arguments. Accordingly, Conley has not demonstrated that the trial court's ruling limited his ability to argue that Hamrick and Hardesty were somehow connected to the murder and that the jury should view any evidence related to Hamrick or Hardesty with caution. Because the trial court's ruling did not impair Conley's ability to make his credibility, reliability, and weight arguments, any error in the trial court's ruling was not reasonably likely to have affected the jury's verdict and was clearly harmless.

State v. Conley, supra.

Friday, June 25, 2010

Gigatribe and the 4th Amendment

As I’ve noted in earlier posts, courts have consistently rejected defendants’ claims that it is a “search” under the 4th Amendment for a law enforcement officer to use file-sharing software, such as LimeWire, to locate child pornography on someone’s hard drive.

The issue in these cases, as I’ve explained, is whether using P2P software to access files on someone’s hard drive is a “search” under the 4th Amendment. If it is a search, then the officer needs either a search warrant or an exception to the warrant requirement, such as consent, in order to access the files without violating the 4th Amendment. If, as courts have consistently held, it isn’t a search, then the officer doesn’t need either a warrant or an exception to the warrant requirement.

As I’ve noted in earlier posts, the test a court uses to determine if something is a 4th Amendment “search” is the test the U.S. Supreme Court enunciated in Katz v. U.S., 389 U.S. 347 (1967). The Katz Supreme Court held that one has a reasonable expectation of privacy in a place if two conditions are met: (i) He subjectively believes it is private; and (ii) society accepts his belief that the place is private as objectively reasonable.

The Katz Court also noted that whatever someone “knowingly exposes to public view” isn’t private and therefore isn’t protected by the 4th Amendment. So, to preserve a 4th Amendment expectation of privacy in a place, you have to shield it from the public by, say, putting shutters or blinds on your windows.

That brings us to U.S. v. Ladeau, 2010 WL 14427523 (U.S. District Court for the District of Massachusetts 2010). David Ladeau was charged with one count of possessing child pornography in violation of federal law, i.e., in violation of 18 U.S. Code § 2242(a)(4)(b). U.S. v. Ladeau, supra. After being charged, Ladeau “filed a motion to suppress all of the evidence seized as a result of the search of his apartment”, arguing that the warrantless search of his apartment violated the 4th Amendment. U.S. v. Ladeau, supra.

This is how the search came about:

[T]he Royal Canadian Mounted Police (`RCMP’) . . . arrested an individual for child exploitation offenses. The individual had used Gigatribe software . . . to post videos depicting child pornography onto an online network for exchange. . . [T]he RCMP, with [his] consent, began using [his] online identity to engage with other potential suspects. . . . within the individual's Gigatribe network.

Gigatribe is a peer-to-peer file-sharing program that allows users to share computer files with others in their network. The Gigatribe software enables a user to create his own private network, which he controls. He can invite guests to join his network, and remove guests from [it]. . . . He can prevent other users from viewing his personal information without his permission. A user can join the networks of other Gigatribe users, but only with the permission of the user who created the network. Users select specific folders on their computers they wish to share with other users in the network. . . .

Users [can] search for files on other users' computers. They can scroll through the available files to choose which files to download. The files may be available in thumbnail format, which provides a preview to anyone considering whether to download the files. Gigatribe software encrypts files before transmitting them from one user to another. Once received, the file is decrypted to allow the user to view it. . . . .

The . . . investigation using the . . . individual's online identity began on November 23, 2007. On August 20, 2008, an undercover investigator downloaded 171 files believed to be child pornography. These files were designated for sharing through Gigatribe by a user called `Tjayxx.’ Three of the files contained videos of pre-pubescent boys and girls engaged in sex acts with other pre-pubescent children and adult men. . . .

Gigatribe records showed that `Tjayxx’ signed onto Gigatribe on August 24, 2008, using IP address . . . `Tjayxx's’ last log-on before the warrant was obtained was on October 15, 2008, from the same IP address. Gigatribe records contained two e-mail addresses for `Tjayxx’: and . . .

Eric LaForte, a special agent with the Department of Homeland Security, Immigration and Customs Enforcement (`ICE), was informed by Gigatribe that it is not possible to have two accounts with the same username on the Gigatribe network. . . . [or] run the same Gigatribe account on two computers at the same time. LaForte concluded that . . . there was only one user on Gigatribe named `Tjayxx.’

Further investigation . . . revealed that IP address 216.195 .19.156 is provided by Shrewsbury Electric and Cable Operations (`SELCO'). . . . ICE issued an administrative subpoena to SELCO . . . . [and] SELCO identified David Ladeau of Shrewsbury, MA, as the user of the IP address. . . . Ladeau's account was listed as `active’ and he had an e-mail address of . . .

U.S. v. Ladeau, supra. The ICE agents did a lot of other things to link Ladeau to the IP address on the dates when the investigator downloaded files from Tjayxx’s network and Tjayxx logged into the Gigatribe network and otherwise establish probable cause to search Ladeau’s apartment for evidence of child pornography. U.S. v. Ladeau, supra. They got the warrant on April 14, 2009, executed it on April 15 and seized “computer equipment and various storage devices”, on which they apparently found the child pornography which resulted in Ladeau’s being prosecuted. U.S. v. Ladeau, supra.

As I noted, Ladeau moved to suppress the evidence, arguing that the remote download of the files from his network was a 4th Amendment search which was conducted without a warrant or an exception to the warrant requirement:

Ladeau contends that he had a reasonable expectation of privacy in the files the RCMP downloaded from his computer. . . . [H]e argues that by using Gigatribe software, which contains features that are designed to prevent members of the general public from accessing his computer files, he exhibited a subjective expectation of privacy. He also contends that because society has increasingly come to rely on the Internet to complete many transactions that require a measure of privacy (such as banking, shopping, corresponding through e-mail, and the like), society is prepared to recognize an expectation of privacy on a peer-to-peer network (such as Gigatribe) as reasonable.

U.S. v. Ladeau, supra. The government argued, in response, that “while Ladeau may have had a subjective expectation of privacy” in the files, the expectation was not objectively reasonable because “regardless of the amount of privacy safeguards Gigatribe offers its users, an individual cannot have a reasonable expectation of privacy in information he voluntarily shares with another.”

U.S. v. Ladeau, supra. Ladeau, in turn, argued that while users of other file-sharing software, such as LimeWire, may

not have a reasonable expectation of privacy in the contents of their computers, the same cannot be said of Gigatribe users. . . . because Gigatribe contains safeguards to prevent unauthorized users from accessing a Gigatribe user's computer. As LaForte described in his affidavit in support of the warrant, an individual may only access a Gigatribe user's computer if he is granted permission to enter that user's network [and] users may remove other users from their network. . . .

U.S. v. Ladeau, supra. The federal district court judge who has the case found that Gigatribe’s “security measures support the argument that Ladeau had a subjective expectation of privacy in his computer files” because he “controlled who accessed the files” and which files were “available to share with other users.” U.S. v. Ladeau, supra. The judge also found, however, that these security measures did not “establish that his expectation” of privacy was objectively reasonable:

No matter how strictly Ladeau controlled who accessed his . . .files, he had no control over what those people did with information about the files once he granted them access. . . . .Once Ladeau turned over the information about how to access the network to a third party, his expectation of privacy in the network became objectively unreasonable. Because the files he claims were private were made available to anyone on the network, his expectation of privacy in those files was also objectively unreasonable. Ladeau bore the risk that any person who had access to his Gigatribe network would provide information to the police about illegal acts occurring on the network. As a consequence, he also bore the risk that such a person would enable the police to access the network and download any files Ladeau made available for download. . . .

U.S. v. Ladeau, supra. The judge also noted that the fact that the RCMP investigators “accessed the network with the consent of the informant and downloaded the files does not require a different result” because the investigators could have “easily instructed the informant to download certain files and then had the informant turn the files over to them.” U.S. v. Ladeau, supra.

It’s not uncommon for courts to find that a defendant had a subjective expectation of privacy in a place or thing; like this judge, though, courts often find that the expectation wasn’t objectively reasonable.

As this case illustrates, under current law it is impossible to establish a 4th Amendment expectation of privacy in files you share with others regardless of the security measures you (and they) use to keep outsiders from gaining access to those files. The inescapable defect lies not in the technology but in the fact that you share the files with another person. The U.S. Supreme Court has held, in a long line of cases, that if you trust others, you assume the risk that they will betray you.

Wednesday, June 23, 2010

ID Theft and Threatening the VP

I’m sure you’ve see the stories about Barry Ardolf, the Minnesota man who is accused, as Wired notes, of “hacking into his neighbor’s computer and sending a threatening e-mail to Vice President Joe Biden”. Ardolf had apparently entered into a plea deal with prosecutors under which he would serve 2 years, but abandoned the deal earlier this week. The Wired story says he faces “a maximum” of “seven years imprisonment” if he’s convicted on the charges against him.

That’s really what I want to focus on in the post – the charges, or actually one of the charges, against him. If you go to the Wired article, you can download the information (a charging document returned by a prosecutor without a grand jury) against Ardolf: U.S. v. Ardolf, Information, U.S. District Court for the District of Minnesota (CR10-159 DWF) (filed June 7, 2010).

The information contains two counts: Count 1 charges Ardolf with aggravated identity theft in violation of 18 U.S. Code § 1028A. Here’s what the count says:

On or about February 22, 2009, in the District of Minnesota, the defendant, BARRY VINCENT ARDOLF, did knowingly possess and use, without lawful authority, a means of identification of another person, to-wit: the name of VICTIM A, a known adult male, during and in relation to a felony enumerated in 18 U.S. Code § 1028A(c), to-wit: unauthorized access to a protected computer under 18 U.S. Code § 1030, all in violation of Section 1028A(a)(1) of Title 18 of the United States Code.

U.S. v. Ardolf, supra. Count 2 charges Ardolf with violating 18 U.S. Code § 871(a) by “knowingly and willfully mak[ing] a threat to take the life of, to kidnap, and to inflict bodily harm upon the Vice President . . . specifically, causing an email to be sent to the Vice President that” contained such a threat. U.S. v. Ardolf, supra. If you want to see what the email said, or what the relevant portions of the email said, check out the information via the Wired story, or you can probably read about it in many news stories.

Our concern isn’t with Count 2. This post is about the charge in Count 1. When I first saw news stories that said Ardolf was being charged with identify theft in this case, I was surprised. As I’ve noted in earlier posts, the crime of “identity theft” doesn’t criminalize imposture, i.e., doesn’t make it a crime to “use” someone else’s identity without their knowledge and permission. The modern identity theft crime is a financial crime; the “harm” it targets is using someone else’s personally identifying information to enrich yourself. That, of course, is not what Ardolf is accused of doing.

According to a pretty detailed story in the Twin Cities’ Pioneer Press, prosecutors say a

couple living near Ardolf reported him to police for inappropriately touching one of their children, so to retaliate, he created e-mail accounts in their names, hacked into their wireless computer routers and sent threats, child pornography and other vile messages.

The story says that in February of 2009, the neighbor complained to police that someone was using an anonymous email account in his name to send child pornography his co-workers. The story also says the emails “took a more ominous turn May 6” when one of the victim’s email addresses “was used to send a threat to Vice President Joe Biden, Gov. Tim Pawlenty, Minnesota State Rep. Tim Sanders and a Blaine police captain.” That’s when the FBI got involved and the investigation that led to the federal charges began.

As I noted in the post I did on imposture and identity theft, conventional identity theft statutes really don’t encompass what Ardolf did, i.e., using another person’s identity to send a threat. Unlike many state identity theft statutes, which approach identity theft as a financial/fraud crime, the federal identity theft statute – 18 U.S. Code § 1028 – has one provision that might have been used to charge Ardolf. (You can find the statute here.)

Section 1028(a)(7) makes it a federal crime to use, “without lawful authority, a means of identification of another person with the intent to commit . . . any unlawful activity that constitutes a violation of Federal law”. Section 1028(d)(7) defines “means of identification” so broadly I think it clearly encompasses using someone’s name and probably their wireless network. (As you may have read, news stories, including the Pioneer Press article, say Ardolf seems to have hacked into the wireless network of one, and maybe two, of his neighbors and used those networks in sending his messages, child pornography and threats.)

But prosecutors didn’t use this provision. Instead, they charged Ardolf under 18 U.S. Code § 1028A(a)(1), which you can find here. Section 1028A creates the crimes of “aggravated identity theft”. Section 1028A(a)(1) provides as follows:

Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.

Section 1028A(a)(2) says that anyone who uses someone’s identity without being authorized to do so “during and in relation to any terrorism-related felony enumerated in section 2332b(g)(5)(B)” of Title 18 of the U.S. Code shall be sentenced to serve 5 years in addition to the penalty imposed for the terrorism offense. As federal courts have noted, the provisions of § 1028A(a) are essentially sentence enhancement provisions; they provide for enhanced penalties when someone uses a stolen identity to commit a felony, in much the same way as other statutes enhance penalties for using firearms to commit a crime.

As you can see from the language of Count 1 quoted above, Ardolf is charged with violating 18 U.S. Code § 1028A(a)(1) by using someone else’s identity “without lawful authority” to gain unauthorized access to a “protected computer” in violation of 18 U.S. Code § 1030(a)(1). U.S. v. Ardolf, supra. Section 1028A(c)(4) incorporates the provisions of the other sections of Chapter 47 of Title 18 of the U.S. Code that relate “to fraud and false statements”. Section 1030 of Title 18 of the U.S. Code is (i) part of Chapter 47 and (ii) is entitled “fraud and related activity in connection with computers”, so it’s a § 1028A(a)(1) predicate crime, i.e., a § 1028A(a)(1) charge can be based on violating § 1030.

As I’ve noted, § 1030 is the basic federal computer crime statute and, as such, criminalizes gaining unauthorized access to a “protected computer.” As I believe I’ve also noted, a “protected computer” is a computer that is either used by the U.S. government or in a manner that affects interstate or foreign commerce. 18 U.S. Code § 1030(g)(2).

Count 2 of the Ardolf information doesn’t specify which provision of § 1030 Ardolf is alleged to have violated, but the charge has to be based on a violation of § 1030(a) because that section contains all of the criminal provisions of the statute (which you can find here). My guess is that the § 1028A(a)(1) charge is based on a claim that Ardolf violated either § 1030(a)(5)(B) or § 1030(a)(5)(C). § 1030(a)(5)(B) makes it a federal crime to intentionally access a protected computer “without authorization, and as a result of such conduct” recklessly cause “damage.” § 1030(a)(5)(C) makes it a federal crime to intentionally access a protected computer “without authorization, and as a result of such conduct” cause “damage and loss.”

The sections differ in two respects: To convict someone of violating § 1030(a)(5)(B), the prosecution has to show that he (i) intentionally accessed a computer without being authorized to do so and thereby (ii) recklessly caused (iii) damage. Section 1030(g)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system or information”. From the little I know about the specific facts in the Ardolf case, I suspect prosecutors will be able to prove all three elements beyond a reasonable doubt. To show that a perpetrator “recklessly” caused damage, prosecutors must show that he (i) “was aware of a substantial and unjustifiable risk . . . that the result required for the offense [“damage”] would be caused by (his) actions” and (ii) “consciously disregarded that risk”. U.S. Court of Appeals for the 3d Circuit Manual of Model Jury Instructions – Criminal § 5.08. So the prosecution doesn’t have to show that the defendant intended to cause damage.

To convict someone of violating § 1030(a)(5)(C), the prosecution must prove that he (i) intentionally accessed a computer without being authorized to do so and (ii) caused damage and loss. The only mens rea for this offense is the intent to gain unauthorized access to a computer; someone who does that and causes damage without intending to or even realizing they might do so can still be held liable here IF they caused damage AND “loss.” Haeji Hong, Hacking through the Computer Fraud and Abuse Act, 1998 UCLA Journal of Law & Technology 1. In other words, the statute holds a person strictly liable for causing damage and loss.

The definition of “damage” is the same as the one quoted above. Section 1030(g)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” and any “consequential damages incurred because of interruption of service”. From the little I know of the facts in the Ardolf case, I can’t speculate as to whether prosecutors could prove “loss” as well as damage.

We may find out. As I noted above, Ardolf bailed on the plea offer, so we might very well see a trial. And as the Wired story notes, he was charged by information, not indictment, which means prosecutors might follow up with an indictment, which might contain even more charges.

Monday, June 21, 2010

The Performance of Official Duty Defense

Maybe you’ve heard of this defense? . . . I hadn’t until I read the case this post is about.

The case is U.S. v. Flynn, 2010 WL 1782157 (U.S. District Court for the District of South Dakota 2010), and this is all I know about how it arose and the issues it involves:

[Leo Flynn] has been indicted on one count of possession of child pornography, in 18 U.S. Code §§ 2252(a)(4)(B) and 2252(b)(2), and two counts of distribution in violation of 18 U.S. Code §§ 2252(a)(2) and 2252(b)(1). [Flynn] has asserted that he is a `criminal defense attorney who specializes in representing persons accused of pedophilia and other sex crimes against children.’ [Flynn] further contends that in the course of his law practice, he has had clients who sought his advice about whether particular websites contained material which constituted child pornography. [Flynn] claims that in order to properly advise his clients he would access the website in issue on his office computer and `analyze the website's contents and render an opinion about whether the particular website contained pornography.’ [Flynn] contends that he was allowed under state law to access and view child pornography in his capacity as a criminal defense attorney representing persons who are charged or who may be charged under the child pornography statutes.

U.S. v. Flynn, supra. If you’d like to read a little more about the issues in the case, you might check out the blog post you can find here. I didn’t find any news stories on the case.

Flynn specifically relied on South Dakota Codified Laws § 22-24A-19, which provides as follows:

The provisions of §§ 22-19A-1, 22-24A-1 to 22-24A-20, inclusive, 22-24B-1, 23A-27-14.1, and 43-43B-1 to 43-43B-c, inclusive, do not apply to the performance of official duties by any law enforcement officer, court employee, attorney, licensed physician, psychologist, social worker, or any person acting at the direction of a licensed physician, psychologist, or social worker in the course of a bona fide treatment or professional education program.

I was too lazy to go through all those statutes, but from what I saw, the district court judge was absolutely correct in describing them as “various child pornography and child sexual exploitation laws”. U.S. v. Flynn, supra.

In this opinion, the judge is dealing with a motion Flynn filed asking the judge “to address the issue of a proposed jury instruction based on” the provisions of § 22-24A-19. U.S. v. Flynn, supra. I’m not sure how close this case is to actually going to trial, but I’ll assume there must be some prospect of a trial for Flynn to be submitting this motion. His motion asked the district court judge to “submit the following or a similar proposed instruction” to the jury when and if the case does go to trial:


U.S. v. Flynn, supra (upper-case in the original). The prosecution opposed the motion, arguing that “`the law does not permit a defendant to present a defense unless the law recognizes that defense.’” U.S. v. Flynn, supra (quoting U.S. v. Matthews, 209 F.3d 338 (U.S. Court of Appeals for the 4th Circuit 2000)). No one seems to have disputed that pretty reasonable proposition.

The issues Flynn’s motion raised were whether the South Dakota statute “is preempted by 18 U.S. Code § 3509(m)” and whether Flynn “may be entitled to an instruction based on § 22-24A-19 in a federal child pornography prosecution.” U.S. v. Flynn, supra. As I’ve noted in other posts, 18 U.S. Code § 3509(m) says that in any federal prosecution involving child pornography, the pornography must “remain in the care, custody and control of either the Government or the court.” You can find the statute here, if you want to check it out.

The judge in this case noted that the issue of whether

18 U.S. Code § 3509(m) preempts a state statute which allows possession of child pornography and research of the origin of child pornography by defense counsel and defense experts involved in the defense of state prosecutions of child pornography is currently pending in a declaratory judgment action in the Northern District of Ohio. See Dean Boland v. Eric Holder, No. 1:09 CV 1614 (N.D. Ohio filed July 14, 2009). According to the pleadings in this declaratory judgment action, no federal court has yet decided this preemption issue.

U.S. v. Flynn, supra. As far as I can tell, no decision has issued in the Boland v. Holder case as yet . . . and since I unfortunately don’t have access to the pleadings in the case I can’t tell you any more about it.

This judge then considered whether 18 U.S. Code § 3509(m) preempted the state statute. He noted that the preemption doctrine derives from Article VI, clause 2 of the U.S. Constitution, which states that “[t]his Constitution, and the Laws of the United States which shall be made in Pursuance thereof. . . shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.” He explained that preemption is either express (Congress specifically states its intention to preempt state law in the statute) or implied (implicit in the statute’s structure and purpose). U.S. v. Flynn, supra. Since the federal statute doesn’t state an intention to preempt state law, preemption must exist, if it exists at all, implicitly. U.S. v. Flynn, supra.

The judge found, first, that the legislative history of 18 U.S. Code § 3509(m) doesn’t do anything to resolve the preemption issue:

There is no legislative history to either support or oppose a determination as to whether there is a federal preemption of state exemptions for attorneys and others performing their duties involving state child pornography prosecutions and potential prosecutions. Despite the lack of any helpful legislative history, it seems most unlikely that Congress intended to hamper state child pornography proceedings by making state prosecutors, defenders, state investigators and grand jurors potentially subject to federal child pornography prosecutions. . . .

U.S. v. Flynn, supra. And while, as the judge noted, he was not bound by decisions of state courts, he considered decisions from the Tennessee and Missouri Courts of Appeals, both of which held that 18 U.S. Code § 3509(m) does not apply to proceedings in state courts and did not “criminalize any conduct that was not already illegal” before it was adopted. U.S. v. Flynn, supra (quoting Tennessee v. Allen, 2009 WL 348555 (Tennessee Court of Criminal Appeals 2009)).

The judge then said that his analysis of 18 U.S. Code § 3509(m) “also leads to the conclusion that this provision does not dictate the handling of child pornography materials by defense counsel and experts under South Dakota's statutory scheme in South Dakota state prosecutions.” U.S. v. Flynn, supra. The prosecution argued that even if Flynn relied on the South Dakota statute, he was ““not entitled to an instruction” based on that statute because “state or local officials may not bind the federal government to an erroneous interpretation of federal law or sanction a violation of federal law.” U.S. v. Flynn, supra. The judge disagreed:

Although an attorney acting in his official duties is not set forth as an affirmative defense in [the federal statute that defines affirmative defenses to child pornography charges], the Court is aware of no authority that the list of affirmative defenses set forth in this statute is exclusive. In another context Congress has recognized that an attorney who is performing bona fide legal representation services is fully protected by the law, and the performance of those duties constitutes an affirmative defense. . . . Congress by implication acknowledged that attorneys defending child pornography cases would be required to have lawful access to the alleged child pornography when it enacted 18 U.S. Code § 3509(m) and set forth the procedure by which those attorneys must operate in federal prosecutions.

U.S. v. Flynn, supra. The judge therefore found that it would

appear unjust to disallow a defense in a federal prosecution to attorneys who in state criminal matters have represented their clients within the limits set forth by the South Dakota Legislature and in compliance with the discovery and procedural rules set forth by the South Dakota state judiciary. This Court thus concludes that an attorney acting in accordance with § 22-24A-19 is not precluded from asserting the operation of this statute as an affirmative defense in a federal child pornography prosecution brought against him if the evidence at trial supports such a defense.

U.S. v. Flynn, supra. The judge didn’t grant Flynn’s motion because he found (correctly, IMHO) that he couldn’t rule on the propriety of giving a jury instruction until he knew what facts would be admitted at trial. U.S. v. Flynn, supra. In other words, the district court judge couldn’t commit to giving an instruction based on South Dakota Codified Laws § 22-24A-19 unless and until the evidence at trial supported the giving of such an instruction by establishing a factual basis for Flynn’s argument that his activities with child pornography were carried out purely as part of his duties as a criminal defense attorney.