Wednesday, November 30, 2011

Cal. cybercrime investigator's e-mails exposed

Last week, hacker group Anonymous published the private e-mails, home address, and telephone number of the special agent supervisor for computer crime investigations in California's Department of Justice. They also accessed his voicemail, text messages, and Google Voice account.

Posts from the International Association of Computer Investigative Specialists' private discussion list were included in the 38,000 e-mails.

The release is a part of Operation Antisec, a joint effort between Anonymous and LulzSec, in response to investigations concerning Occupy Wall Street and general censorship of the Internet.

Shortly after the release, the group wrote, "You want to keep mass arresting and brutalizing the 99%? We'll have to keep owning your boxes and torrenting your mail spools, plastering your personal information all over teh internets [sic]."

Antisec also released a video, detailing their mission (note: contains some explicit language).

Defendant may have had authority to access electronic storage

In Shefts v. Petrakis, 2011 U.S. Dist. LEXIS 136538 (C.D. Ill. 2011), a court denied summary judgment where a business partner accessed an employee's e-mail in violation of the SCA because he may have had authority to do so.

The plaintiff and defendant were two of four partners in a business. After hearing various reports of wrongdoing by the plaintiff (including sexual harassment of employees), the defendant asked their computer technician to copy the plaintiff's e-mail account to his laptop. The plaintiff argues that this was a violation of the SCA.

The court first finds that this was "access" under the SCA when the copy was made - it was irrelevant whether the defendant actually opened or read any of the e-mails. And although he did not personally "access" the account, he caused it to be accessed.

Whether he had accessed communications in "electronic storage" was the second issue addressed. The defendant cited the district court opinion in Fraser (135 F.Supp.2d 623 (E.D. Pa. 2001)), arguing that the e-mails were in post-transmission storage, but the court rejected it under Theofel's reasoning (Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)).

Ultimately, the case comes down to authority. Since the e-mails were stored on a company server, the rules are slightly different. They had no policy on the matter, so each side argues that this favors them. The board had not given the defendant any express authorization to access others' e-mails, though the court argues that firing the plaintiff may have been after-the-fact consent depending on what the board knew. The defendant also claims that the plaintiff knew he was accessing the account, and his continued use was consent. Because of this disputed issue, summary judgment was denied.

Tuesday, November 29, 2011

Facebook, FTC settle on privacy concerns

An agreement was reached today between Facebook and the Federal Trade Commission (FTC) regarding concerns about Facebook users' privacy. The settlement requires Facebook to develop a comprehensive privacy program and have outside audits conducted for the next 20 years.

The FTC complaint alleged that Facebook shared users' personal information with third parties and advertisers without their knowledge or consent, changed privacy policies without informing users, continued sharing data after users deactivated or deleted their accounts, and did not properly verify the security of apps.

Facebook will now be required to get users' permission before making changes to the way it shares information. It is also required to prevent access to a user's data no more than 30 days after the account is deleted. Violations of the agreement result in a fine of $16,000 per violation per day.

Many have criticized the deal. Noting that Facebook has "two former members of the Federal Trade Commission on payroll," Gawker declared, "This settlement makes a mockery of the idea of holding corporations accountable for their actions."

CEO Mark Zuckerberg addressed the settlement in a blog post. Facebook currently has over 800 million users.

SCOTUS denies cert in case on CP victim restitution

The Supreme Court yesterday denied certiorari in Amy, the Victim in the Misty Child Pornography Series v. Monzel, 181 L. Ed. 2d 508 (2011) (an appeal from United States v. Monzel, 641 F.3d 528 (2011)), which could have resolved a circuit split regarding child pornography victim restitution.

In April, the DC Circuit denied that "Amy", a victim of child pornography that has been spread around the globe, was entitled to no more than nominal damages under Section 2259 and the CVRA.

The issue is whether defendants must pay only nominal damages or full restitution when they did not actually know the victim, but simply possessed images of them (and therefore were not the proximate cause of the victim's damages). The Second, Ninth, Tenth, Eleventh, and DC Circuits have each held that the defendant must be the proximate cause of the damages in order to be forced to pay restitution. The Fifth Circuit, however, has held otherwise.

Though most side with the circuit court plurality, several lower courts have awarded restitution to Amy in amounts up to $3,680,153 (U.S. v. Staples, 2009 WL 2827204 (S.D. Fla. 2009)).

In her impact statement, Amy wrote, "I am being exploited and used every day and every night somewhere in the world by someone. How can I ever get over this when the crime that is happening to me will never end? How can I get over this when the shameful abuse I suffered is out there forever and being enjoyed by sick people?" More than 700 claims of restitution have been filed on Amy's behalf, each seeking more than $3 million.

See other posts about restitution here.

Monday, November 28, 2011

Wired.com explains how Big Brother is watching you

Wired.com recently published an article titled "9 Reasons Wired Readers Should Wear Tinfoil Hats" which hypothesized the many ways in which the government tracks us electronically. The post explains how the government [probably] uses wiretapping, tracking devices, border search, fake cell phone towers, government malware, and more. Some of it is simply written to entertain conspiracy theorists, but it is interesting to ponder nonetheless.

It's a little more hypothetical than I'd usually post, but the best part of the article is the graphic (at right) showing how long cell phone companies keep text messages, call records, and Internet activity.

Just last week, confidential guidelines were released detailing how long Facebook, Microsoft, and AOL keep IP logs and data.

RELATED NEWS: NPR released a story detailing how LAPD has a new computer program that predicts the location of future crimes based on past crime patterns. "[C]rime, especially property crime, happens in predictable waves."

Friday, November 25, 2011

6th Circuit vacates pornography ban as condition of release


Tuesday, November 22, 2011

Military court finds Facebook messages authenticated

The United States Air Force Court of Criminal Appeals held in United States v. Grant, 2011 CCA LEXIS 217 (A.F. Ct. Crim. App. 2011) that Facebook correspondence admitted into evidence in a court-martial proceeding was properly authenticated by testimony from the recipient. As I discussed here, authenticating messages from Facebook can be a tricky process.

The court listed several reasons for its decision:
  • Messages contained the defendant's name and profile picture
  • A witness testified that:
    • She had just met the defendant when he requested her to be his friend
    • He gave her his cell phone number, and they used it to text message each other
    • She and the defendant made plans over Facebook messaging
While the appellate court used the testimony to authenticate the messages, usually this is done with the evidence itself. It contained unique information (Commonwealth v. Purdy, 945 N.E.2d 372 (Mass. 2011)), and the continued conversations through the defendant's cell phone and making plans properly connected the defendant to the Facebook conversation (Commonwealth v. Amaral, 78 Mass. App. Ct. 671 (2011)).

RELATED CASE: In State v. Mosley, 2011 Wash. App. LEXIS 2644 (2011), the court upheld authentication of photos that were printed from MySpace because an officer recognized the people in the picture. Some courts have not been so trusting, such as People v. Lenihan, 911 N.Y.S.2d 588 (2010) which declined to do so because of the ability to "photoshop" images.

Friday, November 18, 2011

Company alleges SCA, Wiretap, and CFAA claims against former VP

In Exec. Sec. Mgmt. v. Dahl, 2011 U.S. Dist. LEXIS 132538 (C.D. Cal. 2011), The APEX Group (an event security firm) alleges that former employees (one was a VP and board member) made misrepresentations that caused them to lose a contract with the PGA. The ten claims include violations of the SCA, Wiretap Act, and the CFAA. The defendants moved for summary judgment.

The SCA claim is the most interesting. Apex argues two violations - unauthorized access to e-mail and deletion of information on Apex laptops. The latter argument was struck down because defendants had not "accessed a facility," among other issues. However, defendants argue that they were administrators of the Apex e-mail accounts. The issue at hand is whether they, as administrators "with authorization to access the facility, ... accesse[d] unauthorized information." Thus, summary judgment was denied on the e-mail issue.

The Wiretap Act claim appears to be based on defendants setting up their cell phones to download e-mails from accounts not their own through a POP3 account. The court denied this to be "interception" under the statute because the e-mails were not "halt[ed]"; they simply read "emails not intended for their eyes."

With the CFAA claim, Apex argues that defendants used an "erasure program" to delete information from company computers. To satisfy the mandatory $5,000 damage requirement, they argue that this violation ultimately caused the PGA to terminate its relationship with Apex at a cost of over $118,000. As noted here, CFAA damages can be hard to demonstrate, but the court decided to send both arguments to the jury.

This case has nothing extremely profound in it (though the VP being the e-mail administrator presents an interesting question). But if you are interested in learning the basics of these three statutes, Judge Snyder does an excellent job of explaining how these claims work.

Court finds cell site location data to be protected by Fourth Amendment

A federal district court held that obtaining cell site location data without a search warrant is unconstitutional, bringing the number of such holdings to more than a dozen, according to the Wall Street Journal.

In a one-page opinion, Judge Lynn Hughes (S.D. Tex.) ruled that "[w]hen the government requests records from cellular services, data disclosing the location of the telephone at the time of particular calls may be acquired only by a warrant issued on probable cause."

The government had argued that the location data was a business record, and thus does not fall within the protections of the Fourth Amendment.

Such records are theoretically obtainable under the Stored Communications Act (SCA) without a warrant as are call records, text messages, subscriber information, etc., but because cell site location data may allow the government to track a person's every movement, some courts require a higher standard.

The great showdown for the government's ability to track without a search warrant will come when the Supreme Court releases its decision in United States v. Jones, heard last week by the high court concerning the government's ability to place a GPS device on a vehicle and track its movements without probable cause.

Thursday, November 17, 2011

Defendant wins on restriction not to live near school in CP possession case

The defendant in United States v. Schweizer, 2011 U.S. Dist. LEXIS 132065 (D. Nev. 2011) challenged the sentencing requirement that forbade him from living within 200 yards of a school, park, or other location where children may congregate after being convicted of possession of child pornography. The defendant and his wife have lived near a middle school for nearly twenty years, and this requirement would require them to sell their home.

The court modified the requirement to exempt their current home. As justification, the court noted that he is 62 (and will be 65 by the time of release from prison), has documented health problems, and will face a lifetime term of supervised release. They also acknowledged that the real estate market in Nevada is bad, and the requirement would have great economic consequences for the defendant and his wife.

RELATED CASE: In a California CP possession case, the defendant was required to "inform all persons with whom he/she has a significant relationship about his/her criminal history." An appellate court found this to be vague and struck it from the probation requirements. People v. Ebersold, 2011 Cal. App. Unpub. LEXIS 8761 (Cal. Ct. App. 2011).

Wednesday, November 16, 2011

FTC settles with website violating COPPA

The Federal Trade Commission recently settled a case with www.skidekids.com, a website promoted as a "Facebook and Myspace for kids," after the website illegally collected information from thousands of children in violation of the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501. Skid-e-kids targets children ages 7-14 and seeks to create a Facebook-type environment that is child-friendly.

The settlement requires the company to destroy all data collected in violation of COPPA and pay a fine of $100,000 (with all but $1,000 suspended under the terms of the settlement), among other agreements.

COPPA forbids websites from collecting personal information from children under the age of 13 without the consent of a parent. Websites have struggled to comply with the law as children often falsify information on websites that do not allow users under that age (such as Facebook). Skid-e-kids now requires parents to register first using their Facebook account which will then let them register their children on the site and monitor their child's activity.

RELATED NEWS: The FTC recently proposed rule changes for COPPA and is seeking comments through the end of the month.

Tuesday, November 15, 2011

International Cybercrime Roundup

Here's a look at recent news in the cybercrime field from other countries:
  • CANADA - The case of a convicted child pornographer who possessed 4.5 million images (the largest ever in Canada) has set the sentencing "benchmark ... at the maximum." How long exactly? Five years.
  • CHINA - A website hosting illegal copies of Windows operating systems was recently shut down. Over 4,000 copies were downloaded in 2011 alone.
  • SERBIA - Police broke up a child pornography ring of more than 80 people in an operation known as Armagedon.
  • UNITED KINGDOM - Northern Ireland schools participate in week of cyberbullying awareness.

Saturday, November 12, 2011

WiFi hotspots to increase 350% by 2015



The Wireless Broadband Alliance (WBA) released a study projecting WiFi hotspots to increase by 350% to a total of 5.8 million by 2015. The increased use of data by smartphones is the predominant reason for the expansion as use of smartphones continues to increase. Already in the United States, smartphones outnumber laptops on WiFi hotspots.

The WBA membership includes Comcast, Time Warner, Google, AT&T, Cisco, Intel and other leading technology companies. The full report is available here.

'Seize-it-all-and-sort-it-out-later warrant' struck down by court

In United States v. Schesso, 2011 U.S. Dist. LEXIS 129993 (W.D. Wash. 2011), a search warrant was struck down for being too broad after applying CDT III.

German authorities discovered an IP address in the U.S. sharing child pornography in October 2008, and a search warrant was obtained in June 2010. The application sought "broad authorization to seize and examine every sort of computer storage device." Applying Ninth Circuit precedent in U.S. v. Comprehensive Drug Testing, Inc., 621 F.3d 1162 (9th Cir. 2010) (referred to as CDT III), the court found that the general search in the case was not justified by the application. "To rule to the contrary would be to say that if any person ever had a child pornography file or made such a file available to download on a peer-to-peer network, that person is subject to a general search of all of that person's computer-related equipment without reference to the particular crime or crimes that are known to law enforcement."

Let's look at the errors made as determined by the court:
  • Waiting 20 months
  • Lack of information connecting generic child pornographers to the defendant
  • Lack of information showing that the named storage devices sought are those typically used with peer-to-peer file sharing
  • Not naming specific crimes (though they did cite violations of two statutes)
The court also found a lack of good faith and required exclusion of the evidence (six images of the defendant's prepubescent niece and over 3,400 other images of child pornography).

2703(d) order challenged in Wikileaks investigation

Information related to three Twitter accounts was recently obtained by the government through a 2703(d) order in an investigation related to Wikileaks. The account holders made many claims including: (1) they had a § 2704 right to challenge the order, (2) the release of IP address information violated their Fourth Amendment rights, (3) the order violated their due process rights, and (4) the order violated their First Amendment rights. Finding no violation of § 2704 and rejecting the constitutional arguments, the court upheld the order. There is not really anything profound in the case, but the parties were represented by the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) and presented some interesting arguments.

For those of you not very familiar with the section (like myself before reading this case), 18 USCS § 2704 details how a user can challenge a subpoena or 2703(d) order under the SCA. It's actually very simple - when the user gets notice, they can challenge it. But the problem presented in this case is that notice is often delayed under § 2705 for fear of destruction of evidence and other considerations. The question raised is whether one should always have the right to challenge before execution of the order. As the court held - and understandably - the answer must be no. Otherwise, the delayed notice provision would be invalidated.

The Twitter users also argue that by revealing their IP addresses to the government, they are giving away their location, making a Karo tracking beeper analogy. The court strikes this argument down because disclosure of phone numbers may give away one's location and does not violate the Fourth Amendment and regardless of tracking abilities, the data was obtained by a non-governmental entity. Plus, there's the third party doctrine (which the court discusses in great detail).

They also argue a right to challenge under due process because "the SCA threatens the rights of any subscriber who cannot oppose an order because the individual does not know about it." However, the court finds that judicial review of the order satisfies due process rights.

Finally, the First Amendment claim argued that the order "has chilled [the users'] rights of association and speech." Despite good arguments, the claim didn't hold up because content wasn't requested in the order, and even if it was, the content was accessible by the public.

The case is In re United States, 2011 U.S. Dist. LEXIS 130171 (E.D. Va. 2011).

Thursday, November 10, 2011

Court awards nominal restitution under § 2259

In United States v. Aumais, 656 F.3d 147 (2d Cir. 2011), the Second Circuit reversed restitution in a child pornography possession case. Aumais had no connection to the victim, "Amy", in the pornography nor did she know of his existence. Amy's impact statement made no mention of Aumais and was written before he was arrested. The court held that "where the Victim Impact Statement and the psychological evaluation were drafted before the defendant was even arrested--or might as well have been-- ... the victim's loss was not proximately caused by a defendant's possession."

The same photos arose in a recent Ohio case, United States v. Klein, 2011 U.S. Dist. LEXIS 129761 (S.D. Ohio 2011). Like in Aumais, the 2008 Victim Impact Statement was presented although Klein was arrested in 2010. Here, the government argued that these "images are being found almost on a daily basis and it would be unreasonable for the victims to have to update their request for restitution daily." While the court reasoned that there was no probable cause to show calculable damages caused by Klein, the court awarded $5,000 in nominal damages which "are designed to vindicate legal rights 'without proof of actual injury.'"

The Klein court is not alone in finding that 18 U.S.C. § 2259 requires a nominal damage award where proximate cause does not exist. See United States v. Church, 701 F.Supp.2d 814 (W.D. Va. 2010). Read Aumais to better understand the § 2259 circuit split on whether proximate cause is required or whether general causation is allowed in issuing restitution.

Wednesday, November 9, 2011

Pew Internet report outlines teen SNS usage, cyberbullying activity

A Pew Internet study released today on teen usage of social networking sites (SNS) addresses online behavior and privacy and security concerns. Highlights among the study include:
  • 25% of teens have had an experience on an SNS site that resulted in a face to face argument or confrontation with someone
  • Nearly 70% witness cruelty to others online at least "every once in a while"
  • Teens from lower-income households are much less likely to witness cruelty on SNS sites
  • 44% of teens admit to lying about their age in order to access a website (COPPA requires a child to be 13 or older to register for a website without parental permission directly to the company.)
  • 17% of teens admit that their SNS profiles are fully public
  • 16% of teens have received sexually suggestive photos on an SNS site from someone they know
  • 77% of parents monitor their child's online activity (up from 65% in 2006)
The entire study is 86 pages and is an excellent source of information. Thanks to Pew Research for another great contribution to this field.

Warrant in CP case may have violated Fourth Amendment

Imagine this set of facts: Law enforcement receives a tip of a website containing child pornography. Yahoo e-mail account qek9pj8z9ec@yahoo.com is the suspect, and the IP address used to create the account is provided. Detectives connect the account with Nicole Chism living in Washington (but the account registration says she lives in Chile). Her credit card was used to pay for hosting of the website. The IP addresses used to create and access the account were tracked to two other people - both living in Washington, but hundreds of miles from Chism's home. Based on this information, detectives believed they had probable cause to believe Nicole's husband committed the crime.

Nicole's husband, Todd, was arrested, and his home and office were searched for child pornography. He was never charged with a crime and subsequently argued that his Fourth Amendment rights were violated. As you might imagine, the Chisms' credit card had been stolen. No evidence connected Todd to the images except for the hosting payment. The affidavit also alleged that the credit card was used to purchase images of child pornography, but no evidence existed for that claim. Further, it never mentioned the other IP addresses, connected Todd to Nicole's credit card, or mentioned that the account was registered to Nicole in Chile.

As a result, the Ninth Circuit reversed the district court's grant of summary judgment, finding that a substantial showing of the officers' reckless or intentional disregard for the truth existed, their false statements and omissions were material, and the officers are not entitled to qualified immunity upon remand. The case is Chism v. Washington, 661 F.3d 380 (9th Cir. 2011).

Monday, November 7, 2011

Divorce, Spyware, and Wiretaps, oh my!

Well, it happened again. A Tennessee woman used "spyware" to investigate her husband's online activities. The court says that it allowed her "to intercept his incoming and outgoing e-mail and to monitor his activities on the internet" and ultimately denied wife's 12(b)(6) and summary judgment motions on the issue of a Wiretap Act violation.

The short opinion released by the court in Klumb v. Goan, 2011 U.S. Dist. LEXIS 127880 (E.D. Tenn. 2011), leaves much to be desired with regard to the facts of the case. However, based on what the court says, it seems as if the function that allowed her to "intercept" e-mail was either a keylogger or just a saved password. Here's what the plaintiff alleged:
"[He] first developed suspicions about Goan's installation of unauthorized internet spy software in November 2007 when he compared hard copies of his original email communications to an email recipient to later emails to that same recipient, and discovered that the original email communications had been intercepted, tampered with, and resent to the original recipient by Goan."
It seems to me like this was probably a Gmail account or something similar where it shows the entire e-mail conversation together. She obviously forwarded all of the e-mails to her own account, leaving the forwarded e-mails connected (since Gmail doesn't easily let you delete a specific e-mail without deleting the entire conversation).

Friday, November 4, 2011

Tech Watch: Introduction to Tumblr

Blogging has been around since the late 90's, but a new form, microblogging, is quickly taking hold of the Internet world. Rather than long-winded posts (not too much unlike my own), microbloggers post small bits of information - maybe a quote, picture, video, or link. Because of the ease in microblogging, a picture can spread to millions of people in a matter of seconds.

Tumblr, the most popular microblogging service, hosts over 33 million blogs and twelve billion posts. Unlike Twitter, Tumblr is designed to better deal with the millions of images posted on its website each day. Over half of Tumblr's posts are images whereas Twitter is mostly text-based.

So why is all of this important to you? Find out after the jump.

Thursday, November 3, 2011

Anonymous posts 190 IP addresses from child pornographers

This map shows the locations of those "caught" by Anonymous.

Anonymous, famous for their online protests and "hacktivism," has just released 190 IP addresses of child pornographers. The operation, called "Operation Paw Printing", was based around a Tor update released last week, and they knew that Tor users would want to immediately update their software. The group edited the code to allow them to track a user's online activity for 24 hours and posted the modified update on "Hard Candy", an underground child pornography forum on a website called The Hidden Wiki.

The administrator of "Hard Candy" added this note to the forum: "If you were stupid enough to install the recently linked Tor button 'update'... then your anonymity has no doubt been compromised. As a result you should consider running anti-virus/malware programs and/or fully wiping your hard drives."

Anonymous acknowledged their dedication to free speech, but noted: "Child Pornography is NOT FREE SPEECH. We proved beyond doubt, that 70% of users to The Hidden Wiki access the HARD CANDY section, "a secret directory" used by the pedophiles to access sites like Lolita City and The Hurt Site, a site dedicated to trade of child rape."

The IP addresses and a more detailed explanation of Anonymous's operation can be found here.

RELATED NEWS: Anonymous has announced that they soon plan to release a list of at least 75 collaborators of a Mexican drug cartel after the group intercepted 25,000 e-mails from the Mexican government. According to a spokesperson, the list includes taxi drivers, public officials, and police officers.

Tuesday, November 1, 2011

International Cybercrime Roundup

Here's a look at recent news in the cybercrime field from other countries.
  • UNITED KINGDOM - A British court has ruled that the country's largest broadband Internet provider must block a website that allows visitors to download copyrighted material.
  • CANADA - Peer-to-peer networks accessible only to university students at various Canadian schools have recently come to the government's attention.
  • NEW ZEALAND - Three strikes copyright violation law has gone into effect, and the first notices have gone out. Once a person receives three notices, they could go before the Copyright Tribunal and face fines.
  • TAIWAN - A Taiwanese file sharing company has been shut down due to copyright law violations.
  • GERMANY - The German government is using software that allows interception of communications and the takeover of a user's microphone and webcam despite clear laws showing that it is unconstitutional.

.XXX TLD sunrise period closes with 80,000 applications

The .XXX TLD went into effect April 15, 2011.

The newly approved .xxx top level domain's sunrise period ended yesterday, October 31, with over 80,000 applications for domain names, according to a press release by the ICM Registry. The sunrise period was set to allow trademark and brand holders to purchase their corresponding names before sales go public on December 6, 2011.

Initially, the sunrise period was set to end October 28, but the sale was extended due to demand and a backlog of applications.

Nine domain names were sold in the sunrise period for over $100,000, including Gay.xxx for $500,000.

Currently, obtaining a new .xxx domain name is only voluntary. Some fear that the creation of the TLD will lead to legislation that forces all pornographic websites to make the swap, though no such official action has been introduced in Congress.

UPDATE: As I neglected to mention, the sale of these domain names is not limited to websites that will host pornographic content. Gizmodo recently reported that universities are buying up domain names from the .xxx TLD to prevent others from using domain names related to the schools.