Monday, December 31, 2012

Featured Paper: Quis Custodiet Ipsos Custodes?

I'd like to highlight a new student paper by Craig Roush, a law student at Marquette University Law School. The full title is: Quis Custodiet Ipsos Custodes? Limits on Widespread Surveillance and Intelligence Gathering By Local Law Enforcement After 9/11. Craig analyzes the changes in intelligence and surveillance gathering after 9/11 and in particular, the way in which local law enforcement has become intricately involved in the process. He goes on to identify the implications of such practices on civil liberties, and concludes by offering suggestions for protecting civil liberties through legislative methods. I've read a lot of student papers while on law review (this is my 3rd year), and I have no problem saying this is one of the best papers I have read. The abstract is below:
In the decade since the terrorist attacks of September 11, 2001, local law enforcement has become the front line in the nation’s counterterrorism strategy. This involvement has not come without controversy. As part of these counterterrorism efforts, police departments have begun to establish widespread surveillance and intelligence-gathering networks to monitor Muslim and other ethnic neighborhoods in the hopes of stopping the next terrorist attack at its source. Such surveillance does not necessarily run afoul of the Constitution, and both our political environment—in which voters demand that the government stop terrorism at all costs—as well as unprecedented levels of federal funding to fight terrorism have made these surveillance programs an attractive option for local law enforcement. But the same programs risk compromising citizens’ civil liberties and damaging police relationships with ethnic communities. This Comment analyzes whether and how a balance might be struck between national security and individual civil liberties interests, and offers a model statutory solution drawn from police surveillance in a non-terrorism-related context as one possible way forward.

11th Circuit finds reasonable a 25-day delay in submitting warrant application to search computer

In United States v. Laist, the Eleventh Circuit held that a government delay of 25 days from the defendant's revocation of consent to search a computer until a search warrant application was submitted did not violate the Fourth Amendment.

The distribution of child pornography was tracked to the defendant's home, and law enforcement went to search. Upon arrival, the defendant admitted to possession of child pornography and signed a consent form allowing the search and seizure of his computer. A week later, the defendant withdrew his consent by letter. The search warrant application was submitted 25 days later, and the application was approved six days after submission. The defendant was ultimately convicted of multiple child pornography related crimes.

At trial and again on appeal, the defendant argued that the evidence should have been suppressed because the 25-day delay was an unreasonable seizure under the Fourth Amendment. "Laist argued that he had a substantial possessory interest in the items; that after he revoked his consent to their search, the FBI continued to hold them only on the basis of probable cause; and that the subsequent delay in obtaining a search warrant was unreasonable and therefore violated his Fourth Amendment rights."

The Eleventh Circuit disagreed, holding that although the interference with the defendant's possession was "not insubstantial," it was diminished as he had been given the opportunity to copy documents he needed for school off the computer prior to the seizure, and he had admitted to possession of child pornography and shown such an image to law enforcement. Nonetheless, the government was still required to "diligently obtain[] a warrant," which the Eleventh determined happened in this case. The 25-day delay was reasonable due to the amount of time needed to prepare the warrant and how busy the office was at the time.
The government's efforts here were sufficiently diligent to pass muster under the Fourth Amendment. While a 25-day seizure based solely on probable cause is far from ideal, and we have found shorter delays unreasonable under different circumstances, see Mitchell, 565 F.3d at 1352 (21-day delay), the totality of the circumstances in this case demonstrate the reasonableness of the government's actions.

Friday, December 28, 2012

$299 software allows decryption of volumes with FireWire attack or the computer's hibernation or memory dump file

Software developer Elcomsoft has released a $299 software package claiming to be able to decrypt BitLocker, PGP, and TrueCrypt volumes. The software is able to obtain encryption keys from the computer's hibernation file or memory dump file and can also perform a FireWire attack if the encrypted volume is mounted.

Here's their description of how the keys are obtained:
Generally, the choice of one of the three attacks depends on the running state of the PC being analyzed. It also depends on whether or not installation of a forensic tool is possible on a PC under investigation.
If the PC being investigated is turned off, the encryption keys can be retrieved from the hibernation file. The encrypted volume must be mounted before the computer went to sleep. If the volume is dismounted before hibernation, the encryption keys may not be derived from the hibernation file.
If the PC is turned on, a memory dump can be taken with any forensic tool if installation of such tool is permitted (e.g. the PC is unlocked and logged-in account has administrative privileges). The encrypted volume must be mounted at the time of memory dump acquisition....
Finally, if the PC being investigated is turned on but installing forensic tools is not possible (e.g. the PC is locked or logged-in account lacks administrative privileges), a remote attack via a FireWire port can be performed in order to obtain a memory dump.... Both the target PC and the computer used for acquisition must have FireWire (IEEE 1394) ports.
Once the original encryption keys are acquired, Elcomsoft Forensic Disk Decryptor stores the keys for future access, and offers an option to either decrypt the entire content of encrypted container or mount the protected disk as another drive letter for real-time access.
This is nothing new but is simply an easy way to hack a well-known flaw. In order to properly protect your encrypted system when you're away from it, you simply cannot use sleep or hibernate mode on your computer.

ElcomSoft, based in Moscow, "helps law enforcement, military, and intelligence agencies in criminal investigations with its wide range of computer forensics products."
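
As an added example (not from the original post or from Elcomsoft), the following read-only PowerShell audit checks a Windows machine for the three key-recovery paths the description lists: a hibernation file, a memory dump file, and a FireWire port. The function name is hypothetical, and treating a complete crash dump as a "memory dump file" is an assumption of this example.

```powershell
# Added example: read-only audit, changes no settings.
# Run from an elevated PowerShell prompt on the machine being assessed.

function Get-DiskKeyExposure {   # hypothetical name, chosen for this example
    $report = [ordered]@{}

    # Path 1: hibernation file. If an encrypted volume was mounted when the
    # machine hibernated, its keys were written to disk with the rest of RAM.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -ErrorAction SilentlyContinue
    $report.HibernateEnabled = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    # File.Exists is used because the file is hidden and held open by the system.
    $report.HibernationFilePresent = [System.IO.File]::Exists($hiberfil)

    # Path 2: memory dump file. Assumption of this example: a complete crash
    # dump (CrashDumpEnabled = 1) is a full copy of RAM left on disk.
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
                              -ErrorAction SilentlyContinue
    $report.CompleteCrashDumpConfigured = ($null -ne $crash) -and ($crash.CrashDumpEnabled -eq 1)
    if ($crash -and $crash.DumpFile) {
        $dumpPath = [Environment]::ExpandEnvironmentVariables($crash.DumpFile)
    } else {
        $dumpPath = Join-Path $env:SystemRoot 'MEMORY.DMP'   # Windows default location
    }
    $report.CrashDumpPath        = $dumpPath
    $report.CrashDumpFilePresent = [System.IO.File]::Exists($dumpPath)

    # Path 3: FireWire. The acquisition described above needs an IEEE 1394
    # port on the target, so count the controllers Windows knows about.
    $fw = @(Get-CimInstance -ClassName Win32_1394Controller -ErrorAction SilentlyContinue)
    $report.FireWireControllers = $fw.Count

    [pscustomobject]$report
}

$result = Get-DiskKeyExposure
$result | Format-List

# Summarize which of the three paths are open on this machine.
if ($result.HibernateEnabled -or $result.HibernationFilePresent) {
    Write-Warning 'Hibernation path open. "powercfg /hibernate off" disables hibernation.'
}
if ($result.CompleteCrashDumpConfigured -or $result.CrashDumpFilePresent) {
    Write-Warning "Memory dump path open. Review crash dump settings and $($result.CrashDumpPath)."
}
if ($result.FireWireControllers -gt 0) {
    Write-Warning 'FireWire path open. Disable the IEEE 1394 controller if it is not needed.'
}
```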

Thursday, December 27, 2012

Vermont Supreme Court upholds search warrant conditions requiring screening in computer search

The Vermont Supreme Court has held that a judge may attach ex ante conditions to a search warrant in an attempt to protect privacy of those searched. The judge issuing the warrant had specified that a search of electronic devices had to be conducted through a third party and restricted evidence of crimes unrelated to the specified crime of identity theft from being shared with investigators. The court did, however, strike down a condition prohibiting the use of the plain view doctrine. In re Application for Search Warrant (2010-479), 2012 VT 102.

An IP address obtained during an identity theft investigation led police to a Vermont address. The resident had set up an unsecured wireless network, and after the resident gave law enforcement permission to access it, the officer determined that a neighbor had accessed the network several times over the previous month. An application was made to search the address, and it was noted that several people lived at the address. The judge granted the search, but placed several restrictions on it including one forbidding police from relying on the plain view doctrine and another requiring a third party to perform a search of computers and forbidding them from sharing evidence of other crimes with investigators or prosecutors. The state filed a motion with the Vermont Supreme Court to have the restrictions removed.

The court held that the plain view doctrine restriction was inappropriate. The later requirements related to the sharing of other evidence removed the need for the provision. But further, "it is beyond the authority of a judicial officer issuing a warrant to abrogate a legal doctrine in this way."

With regard to the requirement of a third party to search the computers and withhold evidence of other crimes from investigators, the court upheld the restriction, finding that the broad search request coupled with "a legitimate privacy interest" allows a judge to provide "instructions on how a search will be conducted."

The court also upheld limitations on techniques of the search as well as instructions concerning "the copying, return, and destruction" of the property acquired in the search.

A concurring and dissenting opinion by Justice Burgess argued that the use of a third party to screen the evidence "does not protect actual privilege or privacy, does not further a Fourth Amendment privacy interest, and does not lend further particularity to the search."

Read Professor Kerr's analysis of the decision here and his 2010 article on the issue here.

Wednesday, December 26, 2012

Fifth Circuit strikes down Mississippi law making "non-harmful" caller ID spoofing illegal

In Teltech Systems, Inc. v. Bryant, No. 12-60027 (5th Cir. 2012), the Fifth Circuit held that a Mississippi law making it illegal to spoof caller ID information was preempted by a federal law which only made spoofing for harmful purposes illegal.

In 2010, Mississippi enacted the Caller ID Anti-Spoofing Act which made it a misdemeanor for a person to spoof the identity or phone number of a caller. A federal law enacted later that year made it illegal to spoof such information "with the intent to defraud, cause harm, or wrongfully obtain anything of value." 47 U.S.C. § 227(e)(1). Thus, the Mississippi law prohibits all spoofing, but the federal law prohibits only harmful spoofing. The plaintiffs argued that Congress therefore intended to protect "non-harmful spoofing." Looking at the legislative history of the federal statute, the court agreed, finding that Congress intended to protect legitimate spoofing.

Many websites and smartphone apps allow users to spoof caller information. Many such apps also allow the user to disguise their voice and record the phone conversation.

Jones II: District court holds that SCA's lack of suppression remedy and the good faith exception allows admission of CSLI

In the continuing saga of the case against Antoine Jones, the DC district court has held that the use of Jones's cell site location information does not violate the Fourth Amendment. United States v. Jones, No. 05-0386 (D.D.C. 2012). In January, the Supreme Court ruled that location information acquired as a result of law enforcement placing a GPS device on Jones's car could not be used at trial as it violated the Fourth Amendment.

During the initial investigation, law enforcement obtained both GPS data and cell site data but only sought to use the GPS data at trial. After the Supreme Court's determination that such data could not be used, the government sought to have CSLI introduced at Jones's retrial. The four months of cell site information had been obtained from Cingular Wireless under a 2703(d) order pursuant to the Stored Communications Act in 2005.

Jones's first motion to suppress argument was that prospective CSLI data (that which is acquired by the phone company after the order is issued rather than seeking "historical" data already obtained) cannot be obtained under the SCA without probable cause. The court held that a majority of courts have agreed, but the argument is irrelevant because the SCA does not provide a suppression remedy. Thus, regardless of a successful argument, the data would still be admissible under the SCA.

Of course, Jones's second argument was under the Fourth Amendment, which if successful would allow for suppression. The court thoroughly examined the different approaches for analyzing the Fourth Amendment's application to orders to obtain CSLI. However, the court declined to decide the issue, finding that the good-faith exception would apply, reasoning that at the time the order was obtained, the officers had no way of knowing how future courts would rule on prospective CSLI, and even today, the issue is not settled.

Thursday, December 20, 2012

Maryland appellate court applies good faith exception to GPS use because of prior adoption of Knotts rationale

The Court of Special Appeals of Maryland recently held that the good faith exception to the exclusionary rule from Davis applies to pre-Jones GPS use because of the state's adoption of the Supreme Court's decision in Knotts. Kelly v. State, Nos. 2479 & 2679 (Md. Ct. Spec. App. 2012). In case you're in need of a criminal procedure refresher, I'll go over what all of that means.

First, we know that the Fourth Amendment generally requires a probable cause search warrant in order to conduct a search. Thus, we have to know what is considered a "search." In 1983, the Supreme Court decided United States v. Knotts, in which police placed a beeper device in a container which was later given to the defendant and used to track his location. This act, according to the Court, was not a search.

The Knotts opinion has been applied to other technologies including global positioning systems (GPS). As law enforcement began using GPS devices on vehicles without search warrants, courts readily okayed the act, finding that it was not a Fourth Amendment act. Until the DC Circuit decided this issue in Maynard, each circuit deciding the issue had held that GPS use was not a search. The Supreme Court took the issue in United States v. Jones and held in January 2012 that it was, in fact, a search.

One of the issues that has developed from the Jones decision is whether GPS use prior to the Jones decision violates the Fourth Amendment. This is where things get a little more complicated.

Violations of the basic constitutional rule that searches require search warrants often result in any evidence acquired as a result of the violation being excluded from trial under the exclusionary rule. However, there are several rules that allow for the evidence to be used regardless - one of them known as the good faith exception. There are several ways that the exception applies - one of them decided by the Supreme Court in Davis v. United States, which held that when there is "binding appellate precedent" that made it legal for law enforcement to do what it did, the evidence will be admissible.

Therefore, applying Davis, law enforcement in the Ninth Circuit could use GPS devices to track suspects prior to Jones because they had binding appellate precedent. Some courts have applied the principle more loosely, holding that a general consensus across the country allows the good faith exception to apply. Conversely, many courts have held that the exception does not apply because no appellate court had addressed the GPS issue. (There are exceptions to each of these and other decisions, too.)

Now, back to the Maryland case. Maryland didn't have binding precedent on GPS use specifically. The Court of Special Appeals didn't take the general consensus approach, but instead took one substantially more broad. Because, the court reasoned, the state "had recognized and applied the rationale of Knotts," the good faith exception would apply. As the court understood it, Davis "does not require there to be a prior appellate case directly on point, i.e., factually the same as the police conduct in question."

Federal courts in the Eleventh Circuit have held similarly, applying a 1981 beeper case.

Wednesday, December 19, 2012

WI Governor calls for GPS tracking of individuals with domestic violence restraining order against them

Since we talk a lot about GPS tracking, I thought this was an interesting proposal. As the article states, the recent Azana Salon shooting here in Wisconsin was committed by an estranged husband with a domestic violence restraining order in place. With the rash of recent shootings here in Wisconsin (Azana Salon and Sikh temple shooting), as well as the tragedy in Newtown, it appears politicians have been compelled to act. The question always remains, does the legislation or proposal alleviate the issue it is trying to achieve, or is it an overreaction to the current social and political environment?

In this case, I'm not sure that having a GPS monitor on the Azana Salon shooter's leg (or wherever) would have prevented the shooting - by the time an alert went out, he would have likely been already done shooting. Additionally, to provide notification to potential victims that an individual is getting near to them, the person who sought the restraining order would need to be constantly tracked as well. I'm sure there are a variety of ways of achieving this that might be less intrusive to either party, but the practical realities have yet to be seen. The bigger question is - does a restraining order against you trump your Fourth Amendment rights? And because you do not have to actually commit a crime to have a restraining order against you, is there sufficient justification on the say of another person, alone, to allow such monitoring? Perhaps it would only be allowed for individuals who actually committed a DV related crime.

Scott Walker states in the article that:
"Nothing's foolproof, so I'm cautious to say anything would prevent anything for sure," he said. "But in the case of Brookfield, if that guy had a bracelet on, she got a text or a phone (call) to say he was close . . . and (she) immediately called the police, you can't guarantee anything, but I don't think it's a leap of assumption to say they might have arrived fairly rapidly and potentially would have prevented him from gaining access or at least from attacking as many people as he did."
Very interesting, and I'm interested to see how this plays out.

The article can be found here: Walker: GPS monitoring needed for those with restraining orders

Tuesday, December 18, 2012

WSJ releases study of website user data sharing with third parties

The Wall Street Journal has compiled a list of 70 popular American websites that require registration and analyzed them based on how they share user data. For each entry, they report whether the user's e-mail address, name, username, age, and zip code are shared and to which website(s) that information is given. Each entry also contains a response from the website as well as the recipient websites if the company responded to the WSJ's inquiry.

In the study, they learned that the Wall Street Journal itself was sharing e-mail addresses and names with four companies, and users' ages or birth years with nine. In response to the investigation, the newspaper noted that many of these transmissions were done in error, and the company "is working to close that hole."

Two years ago, the Journal released a similar study related to data shared by mobile apps.

Eighth Circuit holds testimony that adults rarely seek actual minors online can be impeached, affirms conviction

In United States v. Grauer, No. 11-3852 (8th Cir. 2012), the Eighth Circuit affirmed the conviction of a man for enticement of a minor and possession of child pornography over multiple arguments from the defendant.

As part of an ICAC investigation, an Iowa deputy sheriff, pretending to be a 14-year-old girl, engaged in multiple instant messaging conversations with the defendant. The conversations were often of a sexual nature and involved the defendant sending pornography to the "girl," and the two ultimately decided to meet. The defendant was arrested, his home searched, and child pornography found. Charges for the child pornography possession and attempted enticement of a minor followed, and he was convicted.

At trial, the defense presented a witness who argued that adults often used chat rooms to engage in "age-play" online, where one of the participants pretends to be a "schoolgirl," but both are actually adults. As such, it was likely that the defendant actually believed the 14-year-old girl was an adult (he actually lied about his age - saying he was 49 rather than his actual age of 58). The doctor-witness testified that "it's either rare or nonexistent" for adults to actually seek minors online. The prosecutor then asked the witness if he was aware of multiple cases involving that activity, and he acknowledged hearing of them. The first wasn't objected to, the defense objected to the second and it was overruled, and objections to a third and fourth case were sustained. On appeal, the defendant argued the questioning was improper and intended to inflame the jury, but the court disagreed as it was necessary to disprove the assertion.

The defendant also argued that the evidence presented on the child pornography charges was insufficient because "the government presented no evidence as to how the images came to be on his computer or when they were accessed." However, at trial, the defendant's wife testified that the laptop was used in his home office and "that no one else used his laptop regularly." Evidence was also shown that the multiple images were stored on folders created manually on the computer, and several of them had been sent over instant messaging to the "girl." As such, the Eighth Circuit found the evidence to be sufficient.

A sentencing enhancement was applied for "misrepresentation[s] ... made with the intent to persuade, induce ... the travel of, a minor to engage in prohibited sexual conduct." The defendant argued that despite his misrepresentations of his name and age, it was not made with the requisite intent. However, the Eighth affirmed the application of the enhancement, finding that the district court "was in the best position" to decide the issue, and it "was [not] clearly erroneous."

Monday, December 17, 2012

Anonymous announces plans to "destroy" Westboro Baptist, releases personal contact information for members

Hacktivist group Anonymous announced today the start of an attack on Westboro Baptist Church with the release of e-mail addresses, phone numbers, home addresses, and more for over fifty of the church's members. The announcement is in response to Westboro's announced plans to picket funerals in the wake of Friday's school shooting in Newtown, Connecticut.

In a video released along with the contact information, the group announced:
Since your one-dimensional thought protocol will conform not to any modern logic, we will not debate, argue, or attempt to reason with you. Instead, we have unanimously deemed your organization to be harmful to the population of The United States of America and have therefore decided to execute an agenda of action which will progressively dismantle your institution of deceitful pretext and extreme bias and cease when your zealotry runs dry. We recognize you as serious opponents and do not expect our campaign to terminate in a short period of time. Attrition is our weapon, and we will waste no time, money, effort, and enjoyment in tearing your resolve into pieces as with exposing the incongruity of your distorted faith.

What are your thoughts? Is Anonymous's release of personal contact information justified? Or should Westboro's free speech rights protect them from such privacy violations?

Thursday, December 13, 2012

Fifth Circuit surprises no one with decision that accessing another's text messages on their cell phone doesn't violate SCA

In Garcia v. City of Laredo, Texas, No. 11-41118 (5th Cir. 2012), the Fifth Circuit held that a person accessing text messages and images on the cell phone of another does not violate the Stored Communications Act (SCA). Those of you who have ever studied the SCA are certainly not surprised.

Garcia worked as a police dispatcher, and the wife of a coworker took Garcia's phone from her locker at work. After finding text messages and photos that showed department policy violations, the coworker's wife set up a meeting with the deputy assistant city manager and the interim police chief. The images and texts were shown, the videos were copied off of the phone, and Garcia was fired. Garcia later filed suit, and summary judgment was granted with regard to her SCA claim.

Her argument before the Fifth Circuit was that her cell phone was a "'facility' in which electronic communication is kept in electronic storage in the form of text messages and pictures stored on the cell phone." The Fifth cited a variety of district court cases, a law journal article by Professor Kerr, and the legislative history to back up its holding that devices such as cell phones are not facilities under the act.

The court also held that even if the cell phone was a "facility," the text messages and images certainly do not fit into the SCA's definition of "electronic storage." A common sense definition might make one think that would be the case, but we are, of course, dealing with statutes. Under the SCA, data is only in electronic storage when it "has been stored by an electronic communication service provider." If you want to know what that means, click here.

Thus, the Fifth affirmed the district court's grant of summary judgment, dismissing Garcia's SCA claim.

Tuesday, December 11, 2012

FBI job applicant fails polygraph, admits to CP possession, and asks if it would slow his application. It did.

Working for the Federal Bureau of Investigation is a dream of many Americans. The famed agency has - rather understandably - a difficult hiring process including a polygraph. I'm assuming questions concern possible crimes the job candidate has committed as well as generally making sure they are not a threat to national security.

When Dominick Pelletier appeared for a job interview with the FBI, he was escorted to the polygraph room where the types of questions were explained to him. Pelletier became nervous about the potential for questions about sex crimes as he had done research on child pornography in a different country. He was assured that the questions would only concern whether he possessed or distributed child pornography, and the test was administered.

Much to his dismay, he failed the polygraph. Explaining the situation, he said that he had seen child pornography images as part of his research. The FBI agent remained calm, and Pelletier continued to think he was in consideration for the position. FBI agents continued to ask him questions, and he admitted to possession of "child erotica" at home.

After refusing to allow FBI to accompany him to his home, Pelletier ultimately signed a consent form after being told they would just get a search warrant anyway. He remained at the office, never asked to leave or to speak with an attorney, and apparently still thought he would be considered for the job. Unfortunately for him, he didn't get the job, and more than 600 images of child pornography were found on his computer.

Pelletier was ultimately convicted of possession, and he appealed, arguing that "he was entitled to Miranda warnings and did not receive them" and that his consent to search was involuntary.

The Seventh Circuit held that Miranda rights were not necessary as Pelletier was not in custody. The lengthy time at the office, encounters with armed agents, and security measures were all a part of the job application process - and were not a result of his suspected criminal activity. "Pelletier was friendly and talkative throughout the day ... and asked at the end of the interview whether his possession of child pornography would slow his job application process."

The court also did not address the consent issue as they determined probable cause allowed for a search warrant which protects the evidence under the inevitable discovery doctrine.

As a side note, it is always a pleasure to read a Seventh Circuit opinion. Judge Kanne began the opinion:
Federal investigative agents will tell you that some cases are hard to solve. Some cases require years of effort—chasing down false leads and reigning in flighty witnesses. Others require painstaking scientific analysis, or weeks of poring over financial records for a hidden clue. And some cases are never solved at all—the right witness never comes forward, the right lead never pans out, or the right clue never turns up.
This is not one of those cases.
I'm always a little appreciative of a judge (and a clerk, of course) willing to be a little creative with their legal writing.

The case is United States v. Pelletier, No. 12-1274 (7th Cir. 2012).

Monday, December 10, 2012

Austrian Tor node operator's home searched in child pornography investigation

An Austrian man's home was recently searched and his computers seized in an investigation related to child pornography distribution. His involvement concerned the operation of Tor on his computer, which allowed others to hide their Internet activity by having their data encrypted and transmitted through others' computers. Mr. Weber, likely to be charged with child pornography crimes, never actively possessed such files if this is true, though they may have been sent through his computer.

In the Tor network, files are transferred along a randomized path, ultimately becoming unencrypted at the last node just before making it to the intended destination. As such, it would appear to investigators as though the files actually originate from that exit node though the computer operator has no knowledge of the files or their content.

In a blog post, Weber explained that he runs Tor in order "to make it possible for the not so privileged folks to have uncensored access to the internet, without fear of government prosecution."

Firearms and marijuana were also found and taken after Weber was asked to open his safe and he complied.

Friday, December 7, 2012

Weindl: Why the court got it right, and the FBI agent/father shouldn't be viewed as a government agent

You'll have to forgive my co-blogger and me for turning our blog into a blog almost entirely about this Weindl case (United States v. Weindl, No. 1:12-CR-00017 (D.N.M.I. 2012)), but as you're probably well-aware by now, it's an important case on the issues presented - and one likely to be appealed to the Ninth Circuit after the trial.

It's not often that Justin and I disagree. But in this case, while I find noble his attempt to argue for strengthened privacy rights under the Fourth Amendment, I cannot say that I find his reasoning compelling (see his previous posts here, here, and here). Justin argues that FBI Agent Auther left eBlaster on the computer intentionally because he suspected Weindl of "questionable activities," which apparently means that Auther knew that not only would Weindl fail to return the computer to the proper place, but that he would also watch child pornography on it. Perhaps Auther's training and experience gives him a sixth sense about such things, but it just doesn't seem likely. What is more likely is that he simply thought eBlaster had been deleted (after all, he did try to have all data removed twice), and he returned the computer as he was supposed to have done. Does law enforcement always comply with the Fourth Amendment? No. Does this seem like a case of an agent trying to circumvent the Fourth? Not really.

The issue that Justin and many others are raising and focusing on is the fact that Auther is an FBI agent. Yes, he is that, but he's also a parent, and as a parent, he should have the right to protect his children from content he doesn't think they should be viewing. That was his intent in installing eBlaster on the computer (unless it was an elaborate attempt to catch the principal beginning months before he even knew the computer would be returned). Who cares if he didn't own the computer? The school shouldn't be allowed to give students computers, and then tell parents that they're not allowed to attempt to prevent their children from viewing pornography, learn how to make meth, or whatever else kids do on computers nowadays. If Auther didn't want his son doing illicit activities, and this was the method he chose to make sure that didn't happen, then good for him. The point is that he didn't install it because he worked for the FBI nor did he install it for the purpose of wiretapping or searching Weindl's activities - he did it because he felt it was the best method for protecting his son.

So let's suppose Auther wasn't an FBI agent. "New Auther" is a grocery store manager, a father of three, happily married for 16 years. Semi-religious, and though not entirely opposed to the viewing of pornography, he thinks that his oldest son (in his mid-teens) is too young to be viewing it. He asks a co-worker what he can do, and the co-worker suggests eBlaster. He then downloads it and installs it on the computer where it sends him reports for the next few months. When New Auther is transferred to a grocery store in another state, he asks his computer friend/co-worker to remove all of his son's files. The co-worker is unsuccessful. He takes it to a computer store where they "reimage" it, making him think the computer has received a fresh start, free of eBlaster and everything else. He then returns the laptop to the school's principal, an acquaintance (not buddies, but something above Facebook friends). A couple weeks later, New Auther gets four eBlaster reports showing that the computer is now being used to view child pornography.

Those are essentially the same acts of real Auther, and those are the reports that the court refuses to suppress. After that point, Auther's actions do arguably cross the line into a government search. But those actions of a concerned parent that looked at the e-mails he received - those actions could have come from anyone - FBI agent or not. It is irrelevant that he opened all of the e-mails he received  - even if there were four of them. This was a mistake by someone who happens to also have a full-time job as a government agent, as opposed to a government agent who happens to make a mistake (and even that doesn't always warrant suppression thanks to good faith and other exceptions). This was not the case of Big Brother installing spyware on everyone's computers in order to capture our Internet activity (as if they actually need to go through that much trouble!).

Justin also argues that Weindl "certainly was not doing anything illegal." The computer loan program was a federally funded program to give students laptops for educational purposes. My guess is that under the terms of the grant, each laptop had to be accounted for at all times, and they probably are not allowed to just loan the computers out to anyone. By policy, they were only given to students and were never given to faculty. Anyone - especially the principal of the school - should have known that it went against the terms of the grant for a non-student to take possession of the laptop. My guess is that Weindl is smart enough to know that in taking possession of property purchased with federal government money and choosing to use it for personal purposes (especially viewing child pornography!), he's probably violating some sort of law for that possession.

There is something that my co-blogger and I agree on - I absolutely agree that the installation of eBlaster onto a person's computer without their knowledge and permission is a wiretap, in violation of the federal Wiretap Act. Where Justin and I would differ, however, is whether Auther's actions were intentional (as the Act requires). He thinks Auther intentionally left eBlaster on the computer in order to intercept Weindl's activity. I, however, would likely come down on the other side.

And... done. Are we finished talking about Weindl? Maybe.

Wednesday, December 5, 2012

Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

In this second post, I will explain my reasons for believing the court's reasoning in Weindl was flawed. The Weindl case, as a quick recap, involved a principal (Weindl) who was caught with child pornography after using a laptop assigned to the son of an FBI agent (Auther); the laptop was returned by Auther with spyware on it. For my original write-up of the facts of the case, see: Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression. I also wrote a quick follow-up post about the coverage and misinformation regarding the case after I wrote about it. That can be found here: Weindl - FBI agent spyware v. principal attracts attention and misinformation.

First, let me address the "smell test." It seems extremely odd that when Auther took the computer to the FBI and asked "fellow agents for advice on how to wipe it clean" they "tried to remove all the files but were unsuccessful." Two things: (1) the FBI investigates a significant number of "cyber" cases using forensics techniques to recover deleted files and search through hard drives, uncover steganography, and analyze complex network traffic. Yet, they can't wipe a hard drive - something that a simple Google search will tell you how to do? Also, (2) Auther paid for and installed the spyware, knew the "hot-keys" to access the information it collected, and set it up to email him reports. Yet, once again, he could not uninstall that program, the most cognizable change he made to a machine he did not own?

In addition, he took it to a computer store to wipe all of the files, with a service order showing "reimage" and "clean out files" as the work to be done. I accept that a local service may not have been aware of the spyware to look for it in the first place, but reimage means just that, start all over again. And, more interestingly, Auther did not even mention that he installed spyware on the computer to the computer shop. Wouldn't that program be the first thing you would mention when cleaning up a computer?

Also, the court seemed to be quite deferential to Auther when it accepted the argument that he was more concerned about leaving than investigating the principal. Perhaps that is true, but is it not equally likely that he suspected the principal of questionable activities and, before leaving, wanted to confirm his suspicions? After all, the FBI agent did say that he was aware of the Sandusky case and that what happened at Penn State motivated some of his later actions. That coupled with the two-time failure to remove the spyware smells funny.

But let's assume that all of the facts are true - just as the court did. I find it questionable that the court omitted any discussion regarding the license agreement of eBlaster, which requires you to agree to "use [eBlaster] only on a computer you own," an agreement Auther clearly violated when he installed it on a school-loaned laptop. The court also breezes over the likelihood that Auther violated policies of the school or the PSS laptop loaner program. I point this out because Auther is permitted to walk all over policies and procedures carte blanche, but Weindl's use of the laptop in likely violation of the rules of the loaner program was sufficient to wipe out his expectation of privacy completely. More on that later.

I think one of the most glaring errors of the court is the reasoning that opening the first four emails was not a search and instead was inadvertent conduct not under the color of law.  First, the court found that the search was only the activity of the spyware program collecting the data, and did not include the person on the other end viewing that information. I am not convinced you can draw such a black and white line. The Fourth Amendment (and by proxy the protection of privacy) has been held to protect against the intrusion of the process of a search as well as the discovery of the information it provides. If the latter were not an aim, the Fourth Amendment would never have been extended outside of property notions, as it was in Katz.

Thus, Auther's decision to open an email with a subject line that clearly indicated the email regarded information collected after he had returned the PC should have been held a search. Moreover, knowledge that the email could not regard his own or his son's activity does not make opening the email inadvertent. The definition of inadvertent is: "not focusing the mind on a matter : inattentive." The case indeed indicated that Auther recognized that the emails were providing information they should not have been because he believed the program had been removed and the computer was no longer in his possession. An example is illustrative: If I move into a new house on Royal Avenue on Tuesday, and on Friday I get a package addressed to "our lifelong neighbors on Royal Avenue," opening that package would not be inadvertent. I clearly know that I do not constitute the "neighbor" the package was intended for, since I moved in three days prior. Auther's opening of the email is no different. The subject line contained prima facie evidence that it was not intended for him and arose from improper means. Thus, the only reason he could have to open it would be to pry.

I am willing to concede, however, that one might reasonably argue that opening the first email would be inadvertent. Maybe he wasn't paying attention to the subject line. But, after reading the first, he should have known something was awry. To open the other three emails, after reading the first, would indicate one very important thing: that he was now acting as an officer of the law because of the information the email contained (evidence of someone accessing child pornography). To go back to my example, if I opened the first package without paying particular attention to the address line that said "to our lifelong neighbors on Royal Avenue," it may be reasonable to say I was just careless (or it was inadvertent). However, if inside that box are pictures of a family that I don't know, then when three more packages arrive addressed the same way and similar in appearance, a reasonable person would not open them. They would instead return them to whoever delivered them. Or, in Auther's case, contact the principal or the PSS program and indicate that the spyware he installed without authorization from either the school program or the software author was in fact still installed and had generated an email to him. An interesting question raised by the case is: if the spyware email hadn't contained evidence of CP access, would he have called the school to raise the flag on the spyware? One would think so.

The last significant problem with the case is the court's decision to deny standing to Weindl on the reasonable expectation of privacy issue. The court stated:
Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.
Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. 
The court justifies the last paragraph on two reasonable expectation of privacy cases: one involving a stolen computer (Wong), and one involving a computer obtained by fraud (Caymen). The court then states that "Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer." I find the comparison to Wong and Caymen to be ill-advised. In both cases, the individual had either been convicted, or charged with obtaining the device by illegal means. Weindl did nothing of the sort, here. Additionally, in Caymen, where the defendant obtained the laptop by fraud, the court based its holding on cases from sister circuits regarding stolen cars. There is a theme here: stolen. Weindl did not steal, nor obtain anything by fraud. While he may not have had permission, he certainly was not doing anything illegal.

The Caymen court pointed out that a person who has stolen something lacks the property interests an owner has (the bundle of sticks) that define property ownership. Can the same be said for the laptop, here? Arguably, no. Weindl was permitted to have constructive possession of the laptop - something a thief would never have. Also, if the laptop had been stolen from the FBI agent's son and then recovered, it would likely have been returned to the principal (or someone under his authority). Granted, he lacked other property rights like the right to sell, but to analogize the computer to stolen property is off target.

Lastly, I believe the court was correct, technically, about the application of the Federal Wiretap Act: namely, that suppression is only for wire and oral communications in criminal cases. However, I find it fantastical to argue that placing spyware on an individual's computer isn't wiretapping. That the court had to cite to a 1978 case in support of this part of the holding is a clear illustration of the lack of coverage in this area. I hope that these facts present an opportunity for the 9th Circuit to directly address the issue and clarify that a "wire" communication should include such conduct. (Although maybe it is a legislative task, since to include what could be characterized as "electronic communications" within "wire communications" would arguably render the civil portion of the law addressing "electronic communications" superfluous, something courts are reluctant to do).

I am excited to see how the 9th Circuit handles this case. The facts of Weindl illustrate, as many other technologically centered cases do, the "play in the joints" of the law. And, with respect to the Wiretap Act, they reflect the anachronistic nature of some federal statutes as applied to emerging technologies.

Tuesday, December 4, 2012

District court upholds CSLI order with erroneous phone number, finds defendant doesn't have standing

In United States v. Cannon, No. 6:11-cr-02302 (D.S.C. 2012), the court held that a typographical error did not invalidate an order for cell site data and that the defendant's failure to prove he had an interest in the phone left him without standing to challenge the search.

The defendant had been charged with multiple crimes related to the distribution of drugs. As part of the investigation, law enforcement obtained GPS data from his cell phone company. He filed a motion to suppress, arguing that the data was obtained in violation of his constitutional rights.

In challenging the use of the data, the defendant argued that the court order was invalid because it contained a phone number different than the one that information was provided for. The court found the argument to be without merit, holding, "Mere typographical errors do not undermine a finding of probable cause and do not invalidate a warrant." Because the correct number was used elsewhere, it was clear that it was a mistake.

The government argued that the defendant did not have standing because he was not the owner or authorized user of the phone. The defendant was unable to prove that he had any interest in the phone, and thus could not challenge any potential Fourth Amendment violation.

Monday, December 3, 2012

Weindl - FBI agent spyware v. principal attracts attention and misinformation

Since I wrote about United States v. Weindl on November 28th, Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression, the story was picked up by Kashmir Hill at Forbes (by way of Eric Goldman), An FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn Searches, and from there spread like wildfire to various other sites.

Today, Robert X. Cringely, on his Infoworld blog "Notes from the field" highlighted the story as well - School for scandal: FBI spyware nabs pervy principal. In the story, he states:
When spooks spy on their kids -- and happen to ensnare adults doing things they shouldn't -- isn't that illegal spying? I asked cyber lawyer Jonathan Ezor, Director of the Touro Law Center Institute for Business, Law and Technology in Islip, New York. 
Though Ezor cautioned that he is not a criminal attorney, he says Auther's discovery of Weindl's dark deeds probably falls under the "in plain sight" exception for evidence. If you open the door for the cops and they see a big pile of cocaine sitting on your coffee table, they have every right to break down the door, then seize you and the drugs, no warrant required. 
The more important issue, says Ezor, was what the feds told Weindl when they sat down with him in his office and whether they read him his rights. That might have a greater bearing on whether his Fourth Amendment rights were violated. 
On the other hand, Justin P. Webb of the CyberCrime Review blog says the court was wrong across the board (though he's saving his reasons why for a future blog post).
Two things:

(1) With all due respect to Jonathan Ezor, he clearly did not read the case. As I stated in my write-up, the court expressly dismissed the plain view exception to the warrant requirement. You cannot argue for plain view when you are somewhere you weren't authorized to be. Further, and as the case states specifically, Weindl was not read his rights "when [the two FBI agents] sat down with him in his office." Most importantly: the significant implications of the case, which Weindl's attorney assured me will reach the 9th Circuit, do not revolve around the interrogation, but the search.

(2) Cringely is correct to note that I believe the Weindl opinion was wrong across the board. While my post on that issue is not up yet, it will be within 48 hours.

Cal. Court: Sex offender registration for CP but not statutory rape does not violate Equal Protection

In People v. Gonzales, No. E054886 (Cal. Ct. App. 2012), the Court of Appeals of California held that it is not a violation of the Equal Protection clause to require sex offender registration for child pornographers but not statutory rapists.

The defendant pleaded guilty to possession of child pornography. The defendant had argued that the sex offender registration requirement violated the Equal Protection Clause because it did not require those convicted of statutory rape to register. The motion was denied during sentencing, and he was ordered to register.

On appeal, the defendant revived his argument:
Defendant argues that the present distinction between possession of child pornography and statutory rape is ... irrational, because a person who actually engages in voluntary sexual intercourse with a child is not subject to the mandatory registration requirement, yet a person who merely possesses a photo of that act is.
The court, predictably, shot down the argument, finding many significant differences. First, the fact that child pornography can be duplicated so easily makes it different because a statutory rape charge is "a single act" (each act should be brought as separate charges). Second, child pornography involves children of any age, but special crimes apply to sex with children under a certain age which do require sex offender registration. Finally, statutory rape is "characteristically voluntary on the part of the child." Therefore, in order for the Equal Protection Clause to apply, the defendant would have to show he is being treated differently from a person "who has committed the forcible rape of a child," which he has not shown.

Friday, November 30, 2012

Seventh Circuit develops rules for CP restitution cases, requires classification of offenders for calculation

In United States v. Laraneta, No. 12-1302 (7th Cir. 2012), the Seventh Circuit held that child pornography defendants who simply possessed images are only liable for restitution based on the limited amount of damage they caused. Distributors, however, are liable for the entire damages. Further, defendants may not seek contribution from others.

The defendant had pled guilty to seven counts related to child pornography. The defendant was sentenced to thirty years in prison and ordered to pay over $4 million in restitution to two victims.

The Seventh first examined whether child pornography victims can intervene in the criminal proceeding itself. Finding that it "would be a recipe for chaos," the court held that victim intervention is best left for an appeal.

In his appeal, the defendant argued that the district court's award of restitution to "Amy" and "Vicky" was erroneous. Amy and Vicky are two victims of child pornography, and the two have received restitution of varying amounts from cases around the country. Vicky's losses total nearly $1.25 million (and she's recovered just over $250,000), and Amy's losses are calculated at over $3 million (and she's recovered about half). The court ordered the defendant to pay the entire balance of those losses, and he argued that it's not his responsibility.

Courts have struggled with the federal statute that allows restitution for child pornography victims - 18 U.S.C. § 2259(c). Of all the circuits that have dealt with the issue, all but one (the Fifth) have determined that the defendant must have proximately caused the victim's losses in order to be required to pay restitution. Courts have further struggled with what exactly that means.

The Seventh Circuit, deciding to remand for a redetermination of restitution by the trial court, suggested that "it is beyond implausible that [Amy and Vicky] would have suffered the harm they did had [the defendant] been the only person in the world to view pornographic images of them." As such, on remand, the court must consider which portion can be allocated to the defendant. However, if the court labels the defendant a distributor, he should be liable for the entire amount of the damages.

Amy and Vicky suggested that imposing joint liability is fair because the defendant can seek contribution from other viewers. Posner opined such an approach to be "extraordinarily clumsy," considering the assets of most prisoners and "the bother of awarding contribution rights to hundreds of prison inmates. We have enough inmate suits as it is."

Thus, the Seventh's rules for restitution are:
  1. Subtract restitution payments already received in other cases.
  2. Determine the defendant's status. If he is simply a viewer, determine what of the damages are a result of his acts. If he is a distributor, the defendant is liable for the entire remaining loss.
  3. The defendant is not entitled to contribution from other offenders.
  4. Victims may not intervene in district court.
The defendant also appealed his 30-year sentence (including a 10-year consecutive possession charge), arguing that the length was inappropriate and it should not have been consecutive. These arguments were struck down, of course.

Thursday, November 29, 2012

Highlighted Paper: Orin Kerr, The Mosaic Theory of the Fourth Amendment

This week I would like to draw attention to Orin Kerr's new article on Mosaic Theory, a theory which gained notoriety after the GPS tracking case United States v. Maynard and was later implicitly accepted by some justices of the Supreme Court in United States v. Jones. I have a personal interest in this topic, since my law review article, Car-ving out the Notions of Privacy: The Impact of GPS Tracking and Why Maynard is a Move in the Right Direction, focused on Maynard and Mosaic Theory as well. This blog has also discussed Jones and Mosaic theory on numerous occasions, making the article that much more relevant.

Congratulations to Orin on his newest publication. And, if you look closely, you'll see that Orin cited a few student pieces that discussed the topic previously in a footnote on page 314. I was excited to be among those cites, as any student author would be.

The article can be found here: Orin Kerr, The Mosaic Theory of the Fourth Amendment, 111 Mich. L. Rev. 311 (2012).

The abstract for the article is below:

In the Supreme Court's recent decision on GPS surveillance, United States v. Jones, five justices authored or joined concurring opinions that applied a new approach to interpreting Fourth Amendment protection. Before Jones, Fourth Amendment decisions had always evaluated each step of an investigation individually. Jones introduced what we might call a "mosaic theory" of the Fourth Amendment, by which courts evaluate a collective sequence of government activity as an aggregated whole to consider whether the sequence amounts to a search. 
This Article considers the implications of a mosaic theory of the Fourth Amendment. It explores the choices and puzzles that a mosaic theory would raise, and it analyzes the merits of the proposed new method of Fourth Amendment analysis. The Article makes three major points. First, the mosaic theory represents a dramatic departure from the basic building block of existing Fourth Amendment doctrine. Second, adopting the mosaic theory would require courts to answer a long list of novel and challenging questions. Third, courts should reject the theory and retain the traditional sequential approach to Fourth Amendment analysis. The mosaic approach reflects legitimate concerns, but implementing it would be exceedingly difficult in light of rapid technological change. Courts can better respond to the concerns animating the mosaic theory within the traditional parameters of the sequential approach to Fourth Amendment analysis.

Wednesday, November 28, 2012

Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression

This case will be discussed in two posts.

In United States v. Weindl, __ F.Supp __ (D. N.M.I. Nov. 20, 2012), a Northern Mariana Islands federal district court denied suppression of evidence obtained when spyware installed on a school-owned laptop (assigned to an FBI agent's son and later used by the principal) sent child pornography (CP) reports (alerts) to the FBI agent - evidence that led to charges against the school principal (two counts of receiving CP and two counts of possession of CP). There are three relevant issues in the case: (1) whether the act of "accidental" failure to remove the spyware resulted in an "inadvertent search" or an intentional one, (2) whether the FBI agent was acting under the color of law when he opened and later investigated the reports he received from the spyware, and (3) whether Weindl had standing to assert a reasonable expectation of privacy in the spyware reports.

I believe this case was wrongly decided on all three issues. I contacted David Banes, the lawyer for Weindl, and he (not surprisingly) agrees as well. He indicated that his client "fully intend[s]" to appeal this denial of suppression after the case goes to trial (it does not look like the judge will allow a conditional plea).

In this first post, I will give a summary of the case. In the second post, I will argue why the court erred in its holding.


The defendant Thomas Weindl ("Weindl") was a school principal at Whispering Palms public school in Saipan, Mariana Islands. The FBI agent whose actions gave rise to this case is Joseph Auther ("Auther"). Auther's eldest son was enrolled at Whispering Palms, and was assigned a laptop during his time there. Auther kept an eye on his son's use of the laptop by purchasing and installing eBlaster on the laptop (without his son's knowledge). eBlaster sent email reports directly to Auther, with keystrokes, internet sites visited, and a plethora of other information. The report in Auther's inbox "would give the subject as 'Report,' followed by the date and time span of covered activity."

Auther was reassigned to a different FBI office in April 2012 and as part of the moving process, returned the laptop to the school, and more specifically, handed it over to Weindl. Auther did not tell Weindl about eBlaster, apparently assuming that it had been removed, but had told Weindl (prior to turning it in) that he would wipe the machine. Auther did in fact attempt to wipe the machine, but failed. The court describes Auther's actions as follows:
The first step Auther took to service the laptop was to bring it into the FBI office and ask fellow agents for advice on how to wipe it clean. They tried to remove all the files but were unsuccessful. Next, . . . Auther asked a local computer store to repair a scratched screen and wipe off all the files on the laptop's hard drive. The store's service order (Ex. 1) lists the work to be done as "Reimage" and the work performed as "Clean out files." Auther did not tell the technician about eBlaster, but he expected that the cleaning would eliminate the program. 
As stated previously, eBlaster was not, in fact, removed. After handing the laptop over, Auther did not receive any emails from eBlaster for over six days. On the seventh day, Auther received four emails from eBlaster indicating someone was using the laptop to access child pornography. The emails had subject lines, as described above, that clearly indicated that they were regarding activity that occurred after Auther turned in the laptop. Auther viewed all four emails, nonetheless. Auther hypothesized that the activity could be from a virus, another student using the laptop, or Weindl himself. He thought of Weindl because the pornography searched for was of young Asian children with older adults and Weindl had recently married a Korean woman and now had an 11-year-old stepdaughter.

At this point, Auther did not report the results of the reports to authorities, but instead called Weindl under false pretenses, acting as if he would like to purchase the laptop. Weindl indicated that he had given it back to the school laptop agency (PSS), and that Auther wouldn't be able to buy it. Auther did not indicate that he had received CP reports, or that eBlaster was apparently still on the computer. Auther's reasoning was:
. . .that he did not want to raise concerns in Weindl's mind about who was using the computer or about a possible investigation involving Whispering Palms teachers and students. . . . [H]e was concerned that the Internet activity might mean that a child molester was operating at Whispering Palms. He was aware that a former coach at Pennsylvania State University had just been convicted on child molestation charges, and he was determined not to allow similar conduct to go undetected at Whispering Palms. (emphasis added)
Three days later, instead of handing the case over to the authorities, Auther then proceeded to start an investigation into what was going on with the laptop. Flashing his FBI badge at the offices of the laptop program agency (PSS), he inquired if the laptop had actually been returned, and found that it hadn't. Auther then inquired with his ISP about the IP address noted in the reports, attempting to find out where the computer was being used. Auther indicated to the court that he may have shown his FBI badge to the ISP. The ISP refused to tell him anything, but he was able to decipher that the computer usage was not from an IP at his house.

On the same day as the trip to PSS and the ISP, Auther received two more emails indicating that the computer was being used to access CP. He decided to drive by the school on his way to report everything to the FBI. He noticed Weindl's car in the parking lot and called Weindl on his cellphone. Auther asked about the laptop and Weindl said he was investigating some "hanky panky" going on at PSS. Auther knew he was lying since PSS did not have the laptop, and grew much more suspicious. He reported what was going on and his suspicion about Weindl to a special agent with the FBI (Ewing). He also asked that child protective services be sent to Weindl's house to check on his 11-year-old stepdaughter.

Over a week later, Ewing and Auther went to Weindl's office to speak with him. During the conversation, Weindl admitted he lied about returning the laptop to PSS and admitted to viewing child pornography. He also confessed that he had taken the laptop out into the jungle and smashed it. He was arrested outside the school a short time later. Prior to trial, Weindl filed a motion to suppress the eBlaster evidence arguing that it was obtained in violation of his Fourth Amendment rights.

The court, in denying suppression of the eBlaster evidence, began by declaring that to have a Fourth Amendment violation, there needed to be state action and standing (a reasonable expectation of privacy). Addressing the state action portion, the court laid out the standard relating to an off-duty officer - whether Auther was acting under color of state law, where his actions "in some way related 'to the performance of his official duties'" or "pursuant to [a] government or police goal." The court held that when Auther installed eBlaster he was acting as a private citizen, and not as an FBI agent. Despite the circumstances changing when Auther returned the laptop (that Auther wasn't acting as a concerned parent anymore), the court held that it was an inadvertent search not under color of state law because Auther did not intentionally leave eBlaster on the computer.

In reaching that result, the court was not persuaded by Weindl's argument that even if the presence of eBlaster was inadvertent, Auther opening and reading the eBlaster reports turned something inadvertent into intentional. The court reasoned that "[t]he search was the gathering of information by eBlaster, not the viewing of the contents." The court also dismissed the argument that "the initial eBlaster reports come under the Fourth Amendment via the two-part test for private-party searches."

So, to clarify, the original four emails from eBlaster sent to Auther, and his viewing of them, were not the "product of a search conducted under color of state law."

The court did find a search, however, relating to the two eBlaster reports Auther received after he called Weindl to inquire about the laptop. The court stated:
By that time, Auther knew that someone may have been viewing illicit material on the laptop. He suspected Weindl even before he called him. When he did call, he hid his real concern about the laptop's usage behind a pretense that he was interested in purchasing the computer. After the call, he did not uninstall or disable eBlaster, even though as a private citizen he was under no obligation to continue monitoring an unknown person's offensive Internet activities. He did not immediately call his colleagues at the FBI and hand the investigation over to them — conduct that might have indicated Auther wanted to maintain a separation between his private self and his public persona as a law enforcement officer. . . . [instead] Auther continued his investigation into the child pornography website searches. . . . At the PSS offices, he showed his FBI badge. At the Internet service provider, he relied on the fact that he was known to be an FBI agent to seek information about IP addresses. The totality of the circumstances shows that at this point, Auther's actions were related to his official duties and in pursuit of a police goal. Although a formal FBI investigation had not been opened yet, Auther was now acting under color of law.
The court dismissed the government's argument to the contrary, that "even if Auther's conduct constituted state action, his discovery of the illicit Internet activity through eBlaster e-mails was accidental and therefore does not come under the Fourth Amendment." The court stated that precedent was clear that to have inadvertent discovery through plain-view doctrine, the police had to be somewhere they were justified to be. However, here, "Auther, . . . had no legitimate justification to intrude on anyone's conduct on the school laptop once it was no longer on loan to his son. Moreover, the incriminating evidence did not drop out while he was straightening the icons on the computer's desktop but came into view because of intentional spying on the keyboard and hard drive."

Addressing the argument that a violation of the federal Wiretap Act occurred, the court noted that under the criminal portion of the Act, "suppression motions are authorized only with respect to the contents of wire and oral — not electronic — communications." The court laid out that "[a] wire communication is 'any aural transfer' involving wire or like connections between the point of origin and point of reception," 18 U.S.C. § 2510(1), and that "an 'aural transfer' is 'a transfer containing the human voice' at some point in transmission of the communication." 18 U.S.C. § 2510(18). Thus, the court held that there was "no evidence that the transmission of information from the school laptop to Auther via eBlaster entailed hearing a human voice. Therefore, the evidence that Weindl seeks to suppress is not the product of a wire communication."

Finally, the court noted that to suppress the two eBlaster reports that arrived after Auther called Weindl under false pretenses, Weindl must have Fourth Amendment standing: that he had a subjective expectation of privacy regarding his actions on the laptop, and that his expectation was objectively reasonable. The court held that Weindl did not have standing. The court refused to accept the argument that Weindl had a property interest in the laptop. But, the court stated, the Fourth Amendment isn't solely grounded in property (note: don't tell that to Scalia), but also in privacy expectations.

Weindl argued, in that vein, that he had a legitimate expectation of privacy in the laptop because: he was the sole user; there were no warnings that his use would not be private (or that monitoring occurred); he used the laptop in his own, locked office; when he was not using the laptop, he placed it in a desk drawer; and he never gave anyone else permission to use it. Not buying this argument, the court explained:

Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.
Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. See United States v. Wong, 334 F.3d 831, 839 (9th Cir. 2003) (stolen laptop); United States v. Caymen, 404 F.3d 1196, 1201 (9th Cir. 2005) (fraudulently obtained laptop). . . .
Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer. For these reasons, Weindl lacks standing to claim a Fourth Amendment violation with respect to the eBlaster reports. (emphasis added)
Accordingly, the court held that none of the eBlaster reports should be suppressed, because the first four were not part of a search under color of state law and the last two were searches, but Weindl lacked standing (a reasonable expectation of privacy) to challenge them.

The next post on this case will focus on the court's analysis and explain what I believe the correct holding should have been.

(There is an additional issue in this case regarding the interrogation of Weindl that occurred in his office (after it was determined that he had looked at the CP), specifically: whether the conversation constituted a custodial interrogation requiring Miranda rights. The court held that part of the interrogation could stand, and part had to go. I believe this issue was wrongly decided as well (the entire conversation should have been tossed). However, I'm not going to address it because it is tangential to the main issue (and actually goes away if the computer evidence is suppressed because it would be fruit of the poisonous tree)). 

Government appeals GPS case to Third Circuit; groups file amicus arguing that warrant is required

As frequent readers of this blog have become well-aware, an interesting fight occurring throughout American courtrooms concerns the interpretation of the Supreme Court's Jones decision and the application of the good faith doctrine to that opinion. Some patterns have appeared, but there are many exceptions to each of them.

One decision, United States v. Katzin, followed a pattern. Typically, if the jurisdiction of the search did not have binding precedent, the good faith exception does not save the search, and the evidence is suppressed. In Katzin (No. 11-226 (E.D. Pa. 2012)), the district court found that the warrantless use of a GPS tracking device violated the Fourth Amendment and could not be excused under the good faith doctrine. The jurisdiction had no binding authority on the issue and, as the installation occurred four months after Maynard, there was a circuit split.

The government has appealed the case, suggesting to the Third Circuit that no search warrant was needed because the Supreme Court did not specifically decide if a warrant is needed to monitor a person's movements via GPS. Further, they suggest that good faith saves the evidence.

The Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU), and the National Association of Criminal Defense Lawyers (NACDL) have filed an amicus brief, arguing that Jones requires a warrant for installation of and monitoring with a GPS device and that the good faith doctrine only saves evidence when binding precedent existed at the time of the installation.

Tuesday, November 27, 2012

Fifth Circuit reissues en banc CP restitution opinion, retains substance of the opinion

In October, the Fifth Circuit, in an en banc opinion, held that a victim of child pornography is not limited to recovery for losses proximately caused by the defendant. In re Amy Unknown, No. 09-41238 (5th Cir. 2012) (en banc). Under the opinion, victims can be awarded the full amount of damages from any individual defendant - even if he only came into possession over the Internet. The decision, which I discussed in a previous post, vacated and remanded the combined cases for the district court to reconsider damages.

Each had been heard by different panels of the court individually. When the second case was heard, the panel agreed with the prior precedent, but wrote a special concurrence questioning the prior decision and suggesting the opinion be taken up en banc. The two cases were heard together by the full Fifth Circuit.

Last week, the Fifth Circuit withdrew its October opinion, choosing to vacate and remand one of the cases and to affirm the other. In re Amy Unknown, No. 09-41254 (5th Cir. 2012) (en banc). The court had remanded both in the October opinion, but in one of the cases, the government had not actually appealed the sentence which had awarded only partial damages. Therefore, the issue could not be remanded because it had not actually been appealed.

Monday, November 26, 2012

District court case provides road-map for what not to do under the Fourth Amendment

In Hatfield v. McDaniel, 2012 U.S. Dist. LEXIS (M.D. Ala. October 19, 2012), the court allowed the plaintiff's case alleging violations of section 1983 resulting from two illegal searches to proceed. The defendants were law enforcement officers and state/local entities that were party to the alleged Fourth Amendment violations.

This is the closest case I've ever seen of what not to do under the Fourth Amendment:
1.  Facially invalid search warrant - check
2.  Search of computer (pursuant to facially invalid search warrant), which was allowed within 10 days, executed 1 year later - check
3.  Failure to stop a search upon the owner's revocation of consent - check

Hatfield owned a car stereo store which occasionally accepted trade-in merchandise. He was careful, however, not to accept stolen goods. When a car stereo was brought in that he believed was stolen, he refused to accept it, and an officer showed up shortly after to take custody of the stereo and arrest the individual trying to trade it in. At that time, Hatfield asked the officer to take a look at a rifle he had received as a trade-in, because he was unsure if that was stolen, too. It turns out that it was.

The officers decided, based on the stolen merchandise they had found so far, that it would be prudent to go through all of Hatfield's inventory to check for other stolen merchandise. Hatfield agreed. The officers began the search, and a little while later, a drug dog showed up (his name was Hobbs - he was not a party to the action). At that point Hatfield removed consent for the search. The officers told him he could do it the hard way, or the easy way. Hatfield chose the hard way, which involved his arrest for the stolen rifle, and the police obtaining a warrant from a judge to continue to search. However, instead of waiting until the warrant arrived, there was evidence that the search continued at Hatfield's store. Error #1.

At some point during the search, Hatfield's girlfriend told officers there was child pornography on his computer. They drafted a facially invalid warrant, based on only her statement and no other evidence - they did not even include in the warrant a statement regarding her veracity or the basis for her claim. Error #2.

They then executed the facially invalid search warrant for Hatfield's computer, and seized it. The warrant gave the police 10 days to do so. Then, 1 year later, they actually searched the computer and found child pornography. (In my opinion, Error #3 - the court held otherwise).

Prior to trial, Hatfield moved to suppress all of the evidence obtained after he revoked consent, and the court granted the motion. This included the seizure of the computer. So, all charges were dropped. Hatfield then sued the police, the city, and individual officers for Section 1983 violations related to the search. The defendants moved for summary judgment, arguing qualified immunity applied. However, the court disagreed.

As to the search after consent was revoked, the court cited Arizona v. Hicks as controlling, and stated the following:
The controlling precedent, then, shows that an officer moving a box in Powerhouse Audio, even if only a few inches, and then inspecting it constituted a search (even if that search revealed nothing of great value). Accordingly, on summary judgment, Lieutenant McDaniel and Officer Furlong, who allegedly participated in that warrantless search, are not entitled to invoke the defense of qualified immunity as a shield to Mr. Hatfield's Fourth Amendment claim against them. (emphasis added)
The court then went on to analyze the search/seizure of the computer. Hatfield argued that the search warrant had not been executed within the defined term of 10 days, because the computer wasn't actually searched within that period. The court disagreed (which I think, personally, was erroneous). The court held that execution of the warrant occurred within 10 days because the seizure occurred within 10 days. The court reached that conclusion as follows:
While it is undisputed that Sergeant Graves did not search the computer until nearly a year after the warrant was issued, it does not necessarily follow that the warrant was not executed within the ten-day limit. Although the term "execute" is undefined in § 15-5-12, usage of the term suggests a search warrant is executed when the described property is physically seized and taken into police custody. In the context of electronically stored information, that would mean the warrant is executed when the computer is seized, not when the files are accessed. 
With respect to the warrant to search the computer, the court held that it lacked even "a hint" of probable cause and was therefore facially invalid. The court explained:
. . . in light of controlling precedent, the affidavit fails to establish even probable cause to believe there would be pictures of children, pornographic or otherwise, on Mr. Hatfield's computer. The only fact supporting such a conclusion is the statement of an unidentified woman at the scene, because the affidavit did not reveal Ms. Neal's identity but only referred to her as "a person that was at the store." . . . It is well settled law that a statement from an anonymous source may establish probable cause for a search warrant, but only so long as "given all the circumstances set forth in the affidavit . . . , including the 'veracity' and 'basis of knowledge' of persons supplying hearsay information, there is a fair probability that contraband or evidence of a crime will be found in a particular place." Illinois v. Gates, 462 U.S. 213, 238, 103 S. Ct. 2317, 76 L. Ed. 2d 527 (1983). But here the only fact tending to establish probable cause is the anonymous statement, and there is absolutely nothing in the affidavit supporting the veracity or basis of knowledge of the woman who made it. . . .The statement here lacks even a conclusory assurance of reliability and credibility, so it could not have provided probable cause for a search warrant.

Moreover, the warrant was "so lacking in indicia of probable cause as to render official belief in its existence unreasonable." The court rejected a last ditch argument that the officer's conduct was based on the collective knowledge of law enforcement:
Even assuming Sergeant Graves had access to the collective knowledge of law enforcement, Mr. Hatfield's evidence shows his computer was searched pursuant to a facially void warrant. That conduct, if established at trial, constitutes a violation of clearly established law, and Sergeant Graves is therefore not entitled to invoke the defense of qualified immunity.
Total fail - check.

Friday, November 23, 2012

First Circuit holds that use of Yahoo!'s CP reports at trial requires author testimony under the Confrontation Clause

In United States v. Cameron, No. 11-1275 (1st Cir. 2012), the First Circuit held that certain reports prepared by Yahoo! and NCMEC as part of a child pornography investigation were testimonial, requiring the defendant to have the opportunity to confront the authors of those reports under the Sixth Amendment's Confrontation Clause. The court also held that Yahoo!'s investigation after an anonymous tip did not make it a government agent under Fourth Amendment law.

The defendant was charged with multiple child pornography crimes after law enforcement learned from Yahoo! that an account with his IP address had been sharing images of child pornography. The images had been reported by another user, and Yahoo! began an investigation which resulted in a report to NCMEC and ultimately ICAC. At trial, the defendant argued that the indictment did not meet the specificity requirement, evidence should be suppressed because Yahoo! was acting as a government agent, and evidence should be suppressed because the government was not planning to call witnesses from Yahoo! and Google which violated his Confrontation Clause rights. Each motion was denied. He was ultimately found guilty and sentenced to 192 months in prison.

On appeal, he argued each of the three above issues again. As to the sufficiency of the indictment, he argued that it was insufficient because it did not identify the specific images for each offense. The court held that a description of the offense, the date of the offense, the description of the images as digital, and the means of transportation was enough to meet the sufficiency requirement.

With the government agent argument, the defendant alleged that Yahoo!'s search of his password-protected account for images of child pornography violated his Fourth Amendment rights and made them government agents. The court, however, found that the government did not instigate or participate in the search nor did it have control over the search, and Yahoo! was therefore not acting as a government agent.

The defendant's Confrontation Clause argument centered upon whether the evidence from Yahoo! and Google was testimonial. If it was testimonial, a witness must be called whom the defendant could then cross-examine.

  • They presented data concerning the defendant's connections to his accounts. These records, determined the court, were not testimonial as they "were totally unrelated to any trial or law enforcement purpose." 
  • Also used at trial were reports prepared by Yahoo! concerning their investigation into the report of child pornography. The court found that they were hearsay and testimonial. They were prepared to "prov[e] past events potentially relevant to [a] later criminal prosecution." Thus, the admission without the opportunity to confront violated the defendant's rights.
  • The defendant also argued that CyberTipline Reports from NCMEC were testimonial because the reports were based on information contained in the Yahoo! reports. The government argued they were not statements of NCMEC because they simply forwarded Yahoo!'s report to law enforcement. The court found them to be testimonial.
Because the defendant did not have the opportunity to confront witnesses for the testimonial statements, the court reversed five of the convictions, finding the error not to have been harmless. 

A dissent by Judge Howard argued that the use of the CyberTipline Reports did not violate the Confrontation Clause as the defendant has no right "to cross-examine the person(s) who actually located the stored digital images and created a corresponding archive associated with each user name photo album."

Thursday, November 22, 2012


Just wanted to write a quick note to thank all of you for reading Cybercrime Review. Justin and I are very appreciative for you continuing to read and for your encouragement, and we hope you'll continue to come back as we have some great things planned for Cybercrime Review's future.

Happy Thanksgiving to all of you, and be sure to be extra careful deep frying your turkey!

Congratulations to Jeffrey - he won 2nd place (and $2500) in the Shannon Bybee Scholarship Award

Please join me in congratulating Jeffrey on his latest achievement. He was informed yesterday that he was awarded runner-up in the International Association of Gaming Advisors (IAGA) competition for the Shannon Bybee Scholarship Award. His paper entitled "Cyber Thieves in Online Casinos" was determined by a committee of IAGA member attorneys to be of "outstanding merit," a fitting description which brings with it the honor of publication on the IAGA's website. Along with the publication, Jeffrey will receive a check for $2500.

Congrats Jeffrey.

Wednesday, November 21, 2012

"Egregious spoliation conduct" of plaintiff, who used various pieces of software to scrub his computer, results in claim forfeiture

Update: I've placed a link to the case in the write-up

In Taylor v. Mitre Corp., 2012 U.S. Dist. LEXIS 162854 (E.D. Va. September 10, 2012), the plaintiff in an employment-related suit (FMLA and ADA claims), through "egregious spoliation conduct" - use of CCleaner, Evidence Eliminator, and a sledgehammer - had his suit tossed out and forfeited his claims.

The action was brought before the court on a Motion for Sanctions, filed by the defendant, after Mitre Corp. discovered (through a court ordered forensic examination of the plaintiff's computer) that the defendant had knowingly deleted large swaths of files on his new computer. The plaintiff was also requested to produce an old HP laptop that he had used during his employment with Mitre and which had significant litigation related information on it. The plaintiff, however, indicated that he had tried to back up the computer, only getting 30-40% of the files off, before taking a sledgehammer to the computer and taking it to the dump.

Aware of the plaintiff's new Dell computer, the court ordered a computer inspection of the Dell to discover any related evidence. The court described what happened next:
 E-mails between Plaintiff and his counsel illustrate Plaintiff's frustration with the Court's consideration of a mandatory computer inspection. For example, on May 30, 2012, in an e-mail to counsel, Plaintiff said, "As a computer expert very familiar with forensic examinations, I find this overly invasive and unwarranted" and that he and his wife would "not submit to a voluntary submission of [their] electronic devices without a court order."  Plaintiff goes on to say that if his counsel returned with a court order requiring inspection of his laptop he "will either not provide the devices or [he] will move all non-sensitive files to a CD and wipe the drive." . . . At the conclusion of the e-mail he jokes that "an electrical surge just fried my computer and a 50 pound anvil fell over and landed on it" and asks "what penalties [he would] suffer from a contempt of court citation."
The attorney-client emails above were discoverable due to the fraud exception to the privilege. After the court order was clarified to fall under FRCP 34, a forensics firm conducted a keyword search on the computer, but the defendant refused to allow it to be imaged.

The forensic company then ran various forensics programs on the computer and discovered a plethora of evidence showing the plaintiff's spoliation activity. The day the plaintiff heard about the court order for inspection, he bought Evidence Eliminator, which overwrites files on the computer to make them unable to be recovered upon forensic examination. However, the plaintiff did not make any attempt to remove the program after using it, so it was easy to confirm he had in fact done so. Additionally, he had run CCleaner (which cleans temporary internet files), to destroy additional evidence, to the tune of approximately 16K files being deleted. Finally, in another effort to avoid discovery, he used Private Browsing to ensure browsing history would be erased when the browser was exited.

The court was not pleased, and dismissed the case and ordered forfeiture of the plaintiff's claims - the harshest sanction possible. The ruling was based on all of the actions the plaintiff willfully took to destroy evidence - taking a sledgehammer to the old PC, using CCleaner, private browsing, and most especially, using Evidence Eliminator. With regard to the latter, the court stated:
This Court cannot, and will not, tolerate the use of such a program by a plaintiff in litigation—in the middle of the discovery—who had knowledge that his computer was about to be searched pursuant to a Court order. The undersigned Magistrate Judge concludes that downloading and running of Evidence Eliminator just days after finding out about the Court-ordered computer inspection constituted willful spoliation of evidence.
The court went on to say that the conduct noted above highly prejudiced the defendant, and that to let the suit proceed after such willful conduct would be to the detriment of the defendants.

My question is - how could a self-described computer expert not know he would get caught?