Friday, September 28, 2012

Lawyering tip: Don't post pictures of your client's underwear on your social networking pages

The Miami Herald reports that a Miami judge declared a mistrial in a murder case after the public defender posted a picture of the defendant's leopard print underwear on her Facebook page.

While the defendant's clothes for trial were being inspected by law enforcement, his attorney took a picture. She later posted the image on Facebook, suggesting that the garment (chosen by the defendant's family) was not "proper attire for trial." The image could only be viewed by the attorney's friends, but one of them reported it to the judge.

The defendant had previously requested new counsel on several occasions, and this time it was granted.

Wednesday, September 26, 2012

FTC settles with rent-to-own retailers over tracking buyers' locations and collecting keystrokes

Several retailers settled yesterday with the Federal Trade Commission on allegations of "capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes." The companies allowed buyers to rent-to-own the computers, and the software may have collected information on as many as 420,000 customers.

The software installed on the computers allowed a store to remotely disable the computer if it was stolen or if payments were not properly made. It also allowed location tracking, webcam activation, and collected a large amount of data including usernames, passwords, and SSNs.

The settlement forbids the companies to continue to use such software. They are allowed to continue location tracking but only with consent and notice.

The FTC's complaint is available here.

Thanks to Professor Chris Hoofnagle for the link.

Tuesday, September 25, 2012

IEEE information disclosure disaster - if you thought LinkedIn was bad...

Update: Not unexpectedly (always assume a breach occurred - my liar to truth ratio on these subjects hovers around 1:90, respectively) has confirmed the breach, per ZDNET - see here: IEEE admits password leak, says problem fixed.

A Russian computer programmer claims to have had access to logs from the IEEE ftp server, logins and passwords, and additional information. If the claim is true, this incident raises the bar on institutional negligence. See more information about the story, here. The users of the site are quite unique (and if the disclosure is true, the revealing of such information is scary):
Among the users who's [sic] information was exposed are researchers at NASA, Stanford, IBM, Google, Apple, Oracle and Samsung. IEEE's membership of over 340,000 is roughly half American (49.8 percent as of 2011). Other members reside in India, China and the Pacific Rim (23.4 percent) and Europe, the Middle East and Africa (18.3 percent). Some 8 percent of IEEE's membership constitute government employees, including the military. Most work in the private sector and academia.
The website has been set up to provide aggregate information regarding accounts from - including password distribution, who accessed the site, and a whole bunch of other information. Assumedly this was set up by the discoverer, or someone associated with that person.

IEEE is, for the uninitiated, a very well known entity - the Institute of Electrical and Electronics Engineers.

To say this is "plumber with leaky pipes" problem would be an understatement.  The IEEE has come up with many standards, not the least of which is 802.11. Yet they can't secure this type of information?

Friday, September 21, 2012

Minnesota court affirms CP conviction over argument the crimes were presented as strict liability crimes, reverses possession charges as lesser-included offenses

In State v. McCauley, No. A11-0606 (Minn. Ct. App. 2012), the Minnesota Court of Appeals reversed two convictions for possession of child pornography because they were lesser-included offenses of dissemination convictions. However, the court affirmed otherwise over an argument that the crimes were erroneously presented as strict liability crimes to the jury.

After observing that a Limewire user had downloaded what appeared to be child pornography, a local police officer obtained a search warrant to search the defendant's home. During the execution of the warrant, 63 images of child pornography were found, most of which were in his Limewire Shared folder. The defendant was convicted on two counts of dissemination of child pornography and 22 counts of possession.

On appeal, one of the defendant's arguments was that the possession and dissemination charges were presented as strict liability crimes to the jury. For the possession statute, the "knowing" requirement is placed on the "content and character" of the work rather than the actual possession. However, the court considered it implied - you cannot knowingly be aware of the content if you do not knowingly possess it, they reasoned. With the dissemination counts, however, the court held that a "knowing" requirement could not be similarly implied for dissemination. The court held, "[T]he state must prove that a defendant knew he was disseminating child pornography." However, it was not plain error nor did the court "believe the verdict would have been different." Thus, the defendant lost on his mens rea argument.

The defendant won, however, on an argument that two of his possession convictions were lesser-included offenses of the respective dissemination convictions. The possession convictions "corresponded to the two dissemination convictions" on the same dates.

Thus, the court affirmed the two dissemination convictions and twenty of the possession convictions, while reversing two.

As an aside, the appellate court made a point to mention (based on testimony at trial) that the defendant's computer had CCleaner installed on it and that "users often use CCleaner to get rid of illicit files, such as those containing child pornography." The statement seems akin to saying something like "a shredder is often used to illegally destroy evidence" during a trial for obstruction of justice. The blanket statement is both unhelpful and prejudicial. The notion that only criminals try to protect their sensitive data is one that our courts need to quickly overcome.

Wednesday, September 19, 2012

Article discusses pedophilia studies, societal response

For those of you who work in the cybercrime field, you are likely forced to deal with that one type of case that everyone hates to mention - crimes against children such as child pornography or exploitation. I have often told people that I study cybercrime, and they immediately ask what exactly that entails. It's easy to give a spiel listing crimes like identity theft and hacking, but mentioning child pornography is much too taboo for small talk. I often never mention it or it comes out in a whisper - despite it being a large part of our discussions on this blog.

These crimes invoke a certain response in people that is best left unprovoked. Many people have very strong opinions of hatred and disgust for pedophiles, and many of these opinions are grounded in personal experiences or knowledge of experiences of others close to them. It is, understandably, a very emotional issue. Acting on such emotions, we enact laws that seek to essentially quarantine pedophiles - whether by sex offender registries and notice or by civil commitment under the Adam Walsh Act.

Gawker writer Cord Jefferson recently wrote an article titled "Born This Way: Sympathy and Science for Those Who Want to Have Sex with Children." The post discusses the conflicts within pedophiles' minds themselves, society's response, and many studies concerning pedophilia. Here are a few patterns the studies have discovered:
  • Sexual abusers of children have an average IQ 10 points lower than sexual abusers of adults.
  • The age of the child victim is directly proportional to the abuser's IQ - the younger the child, the lower the abuser's IQ.
  • Child sexual abusers are shorter on average than adult abusers. They are also more likely to have performed badly in school and to have suffered head injuries as a child.
Jefferson also makes an excellent point in that because of the stigma of being a pedophile, many "sit silently on their secret desires, which is at best unhealthy for them, and at worst dangerous for children."

The article is an informative exploration of this issue and shows that there is a great deal about human sexuality that we do not yet fully understand.

Monday, September 17, 2012

Arizona appeals court holds no expectation of privacy violation for GPS surveillance, dissent argues otherwise

In State v. Estrella, No. 2 CA-CR 2011-0076 (Ariz. Ct. App 2012), the Arizona Court of Appeals held that the use of a GPS device on a vehicle without a warrant does not violate an individual's reasonable expectation of privacy.

The defendant was convicted of multiple drug crimes, and on appeal, he argued that the convictions should be reversed because of the warrantless use of a GPS device on a vehicle driven by him. The van was owned by his employer, and the device was placed on it while in a public parking lot. His motion to suppress at trial was denied.

However, the defendant had not made an argument under Jones' trespass theory at trial, but instead under a reasonable expectation of privacy argument. As such, the court reviewed the trespass theory only for fundamental error and considered it waived.

The appeals court held that the defendant had no reasonable expectation of privacy in the van. "[T]he remote electronic monitoring of a vehicle's movement on a public road is considerably less intrusive than a physical search of the vehicle's interior that may result in the seizure of some of its contents." The court also argues that he has no expectation of privacy in his movements and noted that "[t]his is true particularly where the government's monitoring is short-term" (citing Alito's concurrence in Jones). Thus, the evidence was not suppressed though some of the convictions were vacated on other grounds.

In a dissenting opinion, Judge Eckerstrom held that the use of GPS to track a person "intrudes upon a person's reasonable expectation of privacy."
My colleagues maintain that our result in this case is compelled by the Court's reasoning in Knotts that a person has "no reasonable expectation of privacy in his movements" on public roads. 460 U.S. at 281. But, in the context we address today—the GPS tracking of a person's movements on public roads—five justices of the Court have implicitly declined to adopt that part of Knotts's reasoning. See Jones, 132 S. Ct. at 964.... I, therefore, cannot agree that this aspect of Knotts must control our reasoning in this case.
Eckerstrom also declined to join Justice Alito in the belief that short-term monitoring would be constitutional without a warrant. "If we accept the premise that the sum total of a person's movements on a journey can disclose private features of their lives, then such private features may be discovered in monitoring of comparatively short duration as well as long."

Friday, September 14, 2012

District court finds no duty owed to copyright holders for unsecured wireless network owners

In AF Holdings, LLC v. Doe, No. C 12-2049 (N.D. Cal. 2012), the court held that a person owes no duty in securing their wireless network to a copyright holder whose works are illegally downloaded over the network.

AF Holdings claimed that Doe illegally downloaded their copyrighted video using an unsecured wireless network belong to Hatfield, Doe's co-defendant. Because Hatfield failed to secure his wireless network, AF Holdings sued him for negligence, arguing he "had a 'duty to secure his Internet connection,' and that he 'breached that duty by failing to secure his Internet connection.'"

The district court held that Hatfield had no duty to AF Holdings.
AF Holdings has not articulated any basis for imposing on Hatfield a legal duty to prevent the infringement of AF Holdings' copyrighted works, and the court is aware of none. Hatfield is not alleged to have any special relationship with AF Holdings that would give rise to a duty to protect AF Holdings' copyrights, and is also not alleged to have engaged in any misfeasance by which he created a risk of peril. 
The allegations in the complaint are general assertions that in failing to take action to "secure" access to his Internet connection, Hatfield failed to protect AF Holdings from harm. Thus, the complaint plainly alleges that Hatfield's supposed liability is based on his failure to take particular actions, and not on the taking of any affirmative actions. This allegation of non-feasance cannot support a claim of negligence in the absence of facts showing the existence of a special relationship.
The court also found that the claim is preempted under the Copyright Act.

Thursday, September 13, 2012

Louisiana appeals court finds expectation of privacy for text messages

In State v. Bone, No. 12-KA-34 (La. Ct. App. 2012), the Louisiana Court of Appeal held that where a person is the "exclusive user of a cell phone," they are entitled to a reasonable expectation of privacy in text messages sent and received from the phone. However, the mistake in denying evidence suppression was harmless error, and the conviction was affirmed.

The defendant was a suspect in a murder case, and law enforcement obtained a subpoena duces tecum to receive a printout of text messages he had sent and received from his phone. Several of the messages appeared to show his involvement in the murder.

On appeal, the defendant argued that his motion to suppress the text messages should not have been denied. The state argued "it had reasonable grounds to obtain the requested information." The defendant's motion, however, argued the records were obtained "without a showing of probable cause as required under the Electronic Communications Privacy Act." (That's not the standard, of course.) The state argued that the defendant had no reasonable expectation of privacy because:

(1) defendant is not the subscriber or owner of the cell phone number at issue; (2) the privacy policies issued by Sprint Nextel specifically warn customers that information may for certain reasons be disclosed to authorities; and (3) defendant admits in the messages he sent from his phone that he did not have a subjective expectation of privacy in the messages.
The Court of Appeal first found that the "defendant did not have a reasonable expectation of privacy in the call detail record log associated with his phone number." On the other hand, the court held otherwise with regard to the text messages.
The issue before this Court is not whether the state is permitted to obtain the content of text messages sent on a defendant’s cell phone; rather, the question in this case is the standard that the state must meet in order to obtain such information. We find that here, where defendant was the exclusive user of the cell phone and was permitted to use the phone for personal purposes, he had a reasonable expectation of privacy in the text messages sent and received on the cell phone and further find that the collection and review of the content of defendant’s text messages sent and received by that phone constituted a search which required a showing of probable cause.
Thus, the court held that the motion to suppress was erroneously denied. The decision was, however, harmless error as the messages were "simply corroborative of other competent evidence introduced at trial." The trial court decision was affirmed.

Wednesday, September 12, 2012

District court okays pre-Jones GPS use despite lack of binding precedent

In United States v. Oladosu, No. 10-056-01 S. (D.R.I. 2012), the Rhode Island federal district court held that pre-Jones use of a GPS device to track the defendant is saved by the Davis good faith rule despite a lack of binding precedent in the jurisdiction.

State police had installed a GPS device on the defendant's car and did not obtain a warrant prior to doing so. When asked why, the detective responded:
I'm not aware of any rules, regulations or laws that require us to obtain a search warrant prior to applying this GPS device. It's not a policy within the police department, of the North Providence Police Department or the Rhode Island State Police HIDTA task force to obtain a search warrant prior to putting an all-in-one device on.
The detective later replaced the batteries in the device at night while the car was parked in the defendant's driveway. The GPS device was on the defendant's vehicle from February 12, 2010 until March 30, 2010.

In many of these cases, courts have applied the Davis good faith rule only where binding precedent specifically allowed the use of GPS devices without a warrant. That was not the case in Rhode Island at the time the device was installed, and thus many courts would suppress the evidence. Here, however, the court held that the Davis rule is not quite so rigid.
If the agents in this case had placed the GPS after both Maynard and Judge Kozinksi's dissent ... the outcome here may have been different, and this Court might have concluded as [other] ... courts did, that the good faith exception should not apply. This is because, after Maynard and the Kozinski dissent, the law was unsettled and law enforcement officials in circuits where no binding precedent was present were arguably on notice that use of a GPS device may require a warrant. In this situation, it might not have been objectively reasonable for law enforcement to rely on the decisions of the Seventh, Eighth, and Ninth Circuits. It could be that proceeding to use a warrantless GPS in the face of emerging uncertainty would be a "reckless[] or grossly negligent disregard for Fourth Amendment rights." ... 
Here, just as in Baez and Leon, however, the requisite "culpability" of law enforcement is simply not there. This "absence of police culpability," to use Davis's words, "dooms" Oladosu's claim. ... At the time Detective DiFilippo attached the GPS to Defendant Oladosu's car, the United States Supreme Court had sanctioned the use of beeper technology without a warrant, and two circuits had ruled, in what appeared to be a growing consensus, that the beeper precedent was analogous and applicable to GPS use. 
Thus, the motion to suppress the GPS data evidence was denied. A Massachusetts federal district court has also ruled along these same lines in Baez (referenced above).

Tuesday, September 11, 2012

Student's suit for forced Facebook disclosure survives motion to dismiss; court finds reasonable expectation of privacy in Facebook messages

In R.S. v. Minnewaska Area Sch. Dist. No. 2149, 2012 U.S. Dist. LEXIS 126257 (D. Minn., Sept. 6, 2012), a federal district court refused to dismiss the case of a 12-year-old against a Minnesota school district for allegedly punishing her for statements made on her Facebook wall and forcing her to disclose her Facebook password to search through her profile.  The case involves multiple causes of action, most of which survived the motion to dismiss, including the First and Fourth Amendment claims.

A summation of the facts can be found here: Minnesota girl alleges school privacy invasion, and here:
12-year-old sues school district over Facebook profile search and with a hat tip to the Student Press Law Center, the original complaint can be found here and its article here.

While the court only has one side of the story, currently, the facts are pretty favorable for the plaintiff as described. In quick summary, it does not appear that her comments meet the requirements of Tinker to regulate student speech, nor did the school have a compelling reason to search her Facebook account.

Addressing the Fourth Amendment claim, the court first noted the distinction between Facebook wall posts (which would receive less protection depending on the settings) and messages, and ultimately held that with respect to the student's messages and profile information:
Based on Plaintiffs' complaint, at least some of the information and messages accessed by the school officials were in R.S.'s exclusive possession, protected by her Facebook password. R.S. controlled those items until she involuntarily relinquished her password. As with a private letter, the content of R.S.'s electronic correspondence was available only to her and her correspondent. The Court concludes, based on established Fourth Amendment precedent, that R.S. had a reasonable expectation of privacy to her private Facebook information and messages.
The court went on to explicitly equate Facebook messages with email, stating that "[t]he Court agrees that one cannot distinguish a password-protected private Facebook message from other forms of private electronic correspondence."

Finally, the court detailed the contours of school searches - that reasonableness in that context is determined under a lower standard due to the school environment - balancing the students reasonable expectation of privacy against the "substantial interest of teachers and administrators in maintaining discipline in the classroom and on school grounds." T.L.O. The court found nothing on the school's side of the scale to justify the search. The courts stated:
Based on the facts alleged in the complaint, the school officials had reason to believe that R.S. may have had a sex-related discussion with a classmate. Both R.S. and her classmate had already admitted as much to the school officials prior to the search. Plaintiffs contend that such an out-of-school discussion, even a "naughty" one, broke no law or school policies. 
At this stage, based on the facts alleged in Plaintiffs' complaint, the Court cannot disagree. It is difficult for the Court to discern what, if any, legitimate interest the school officials had for perusing R.S.'s private communications. . . . the school officials had no reason to believe that the search would return evidence of illegal behavior or violations of school policy. At this stage, there is no discernible school interest against which to balance R.S.'s reasonable expectation of privacy. 
I have to say, I am very interested to see the outcome of this case. I think the Fourth Amendment details are fascinating and I have paid close attention to First Amendment cases dealing with out-of-school speech so I'm hooked there, too.

If you are looking to brush up on recent school speech cases dealing with electronic speech and school intervention, look no further than the decisions of Layshock and J.S., recent cases from the Third Circuit which are laid out nicely in this student piece from the B.C. Law Review site by Paul Easton: SPLITTING THE DIFFERENCE: LAYSHOCK AND J.S. CHART A SEPARATE PATH ON STUDENT SPEECH RIGHTS.

Monday, September 10, 2012

GoDaddy gets torpedoed - Anonymous claims responsibility

GoDaddy's website and sites that it hosts have gone down as the result of an alleged attack by Anonymous. It's a pretty significant Denial of Service (DOS) attack and this incident is surely going to result in an FBI investigation - remember what happened after the Paypal DOS - Feds Arrest 14 ‘Anonymous’ Suspects Over PayPal Attack, Raid Dozens More. Hopefully, if they do find, arrest, and prosecute the offenders, they will do a better job of handling the evidence than they did in the Paypal case - see my post about that here: In Paypal DDOS case, government reprimanded for failure to analyze and return data in a timely fashion.

Anonymous claimed responsibility via Twitter.

GoDaddy has confirmed, via twitter that it is experiencing issues - see their twitter account here: GoDaddy

A CBS news story regarding the incident can be read, here: GoDaddy goes down, Anonymous claims responsibility.

(As I post this, I see that Cybercrime Review is down - not sure if this is a part of the GoDaddy lulz.)

Update 1: As I mentioned on Twitter @Cybercrimerev, it appears the attack was not Anonymous collectively, but AnonymousOwn3r individually. This tweet here (NSFW), shows some dissension in the Anonymous ranks - an unsurprising development since the group has never congealed into a fully aligned faction.  In my opinion, that is the greatest strength of Anonymous - anyone can pick up the torch.

Rhode Island court finds expectation of privacy in text messages, orders suppression for nearly all of state's evidence

In State v. Patino, P1-10-1155A (R.I. Super. Ct. 2012), the court ordered suppression of text messages sent by the defendant on a cell phone belonging to another person. The defendant had standing to challenge the search which, according to the court, was conducted in violation of the Fourth Amendment and not saved by any exception.

The case concerned the murder of the defendant's six-year-old son. The child's mother called 911 to report that her son was not breathing. An ambulance took the child to the hospital, and police remained at the home to speak to the parents. The mother took the officer through the house, and he noticed stripped beds and vomit. A cell phone in the house later made a beeping sound, and the officer picked up the phone to view the message. It was unattainable because of lack of credit, and after pressing another button, he was taken to the sent messages folder. He noticed the word "hospital" in a message and proceeded to read the entire message which read: "Wat if I got 2 take him 2 da hospital wat do I say and dos marks on his neck omg." From the reading of this message, an investigation continued, and the case for murder against the defendant was built.

In its 190 page opinion, the court began with a standing issue. The first issue was the fact that he only occasionally stayed at the apartment where the phone was found, but the court found that this did not remove his expectation of privacy. Another issue was that the phone itself was shared, and the defendant was not the main user. As a result, the court, analyzing the phone "not as a container but as an 'access point' to potentially boundless amounts of digital information," held that the standing issue was in the text messages themselves rather than the phone in general.

Next, the court held that the defendant had a subjective and objective expectation of privacy in the text messages stored on the phone and that the possibility that someone other than the intended recipient will see the message is not enough to remove the expectation. With regard to the third-party doctrine, the court held that "the third-party doctrine is ill-suited for contemporary forms of communication and thus should not wholly defeat an individual's expectation of privacy in the contents of his or her text messages." As a result, the defendant had standing to challenge the search.

The court quickly labeled the search of the phone as unconstitutional and noted that the search of the phone was also not excused by any exception to the Fourth Amendment. The crime was not one that commonly involves cell phones nor was the cell phone an instrument that posed a danger to police. Further, the officer's continued manipulation after the beeping was objectively unreasonable and did not involve exigency. The state also argued that the incriminating message was in plain view, but the affirmative act of pressing buttons defeated the argument. Also, despite having consent to be in the apartment, it was limited to, for example, "a search for items that might have caused ... [the child's] health condition" and not to cell phone content.

As a result, the text messages were unconstitutional and subject to suppression. The messages were used to produce an extensive investigation including other cell phones, phone records from phone companies, and written confessions. This evidence was fruit of the poisonous tree and not saved by inevitable discovery or independent source.

Friday, September 7, 2012

Civil liberties groups file amicus brief in recent Sixth Circuit cell phone pinging case

Last month, a Sixth Circuit panel held in United States v. Skinner that repeatedly pinging a cell phone in order to obtain its GPS coordinates was not a Fourth Amendment search. This week, the ACLU, CDT, EFF, and EPIC filed an amicus brief asking the Sixth Circuit to reconsider the case en banc.

Greg Nojeim, senior counsel for the Center for Democracy & Technology, wrote on CDT's blog that the panel decision was based on a misunderstanding
that cell phones normally "give off" GPS location information. Instead, mobile providers have to take a special step -- sending a signal to the phone to direct it to produce the GPS data. Unless they take that step, there is no location data at the provider for the government to seize. As a result, the court should not have analyzed the case under the third party records doctrine, which says a person has no Fourth Amendment interest in information shared with a third party.
The groups suggest that the Supreme Court's decision in Jones conflicts with Skinner insofar as Sotomayor and Alito's concurring opinions can be read together to provide Fourth Amendment protection even when tracking does not involve a trespass.

Neither concurring opinion set a firm guideline as to when an act of surveillance will be unreasonable under the Fourth Amendment, and this amicus brief suggests that Skinner's "three days of cell phone tracking should be considered 'prolonged.'" Jones's surveillance by GPS was for 28 days, clearly a prolonged search according to Alito.

Thursday, September 6, 2012

Jones II: DOJ files opposition to motion to suppress Jones's cell site data

Several months back, I mentioned that Antoine Jones, the defendant in the Supreme Court's Jones decision, is back in trial court after the high court's remand. The DOJ is now seeking to do with cell site data what it is not allowed to do with GPS information.

On Tuesday, the government filed its opposition to Jones's motion to suppress.

Here's the summary of the government's argument:
Defendant’s motion to suppress cell-site location records cannot succeed under any theory. To begin with, no reasonable expectation of privacy exists in the routine business records obtained from the wireless carrier in this case, both because they are third-party records and because in any event the cell-site location information obtained here is too imprecise to place a wireless phone inside a constitutionally protected space.  Even if defendant were able to establish a Fourth Amendment privacy interest, the government’s good-faith reliance upon judicial and statutory authorization here forecloses any claim for suppression.  
Finally, defendant expressly admits that the government lawfully relied upon the proper legal authority – 18 U.S.C. § 2703(d) – to obtain the disputed records. To the extent that defendant alleges that the government violated this (or other) statutes, his motion fails because no statutory suppression remedy is available. As a result, defendant’s motion must be denied.
The case is before the DC federal district court. The Electronic Frontier Foundation's brief is available here, and Jones' motion can be found here.

Wednesday, September 5, 2012

Romney's tax returns allegedly hacked - let the spin begin

Politics and cybercrime have frequently gone hand in hand, and apparently the trend continues. An unidentified hacking group claims to have "hacked" (as in duped) the facility that houses Romney's 1040s -  PricewaterhouseCooper - and obtained his records. The hacking group has posted a message on pastebin with information which can be found here.  There also appears to be an extortion attempt involved (although based on the money floating around political circles, this shouldn't be a high bar to meet if true).

A tactic such as this is interesting for a number of reasons -

1.  It occurred during the DNC - drawing attention away from the convention.
2.  It is unclear how either side will spin it (hypo: Republicans: Hackers are democrats and this shows their anarchist tendencies. Democrats: We had nothing to do with it, but wouldn't we all like to see the information?")
3.  This rises to a Secret Service cybercrime case, so the logistics will be fascinating.
4.  What will PWC's liability be in the event that the facts are true?
5.  How will this impact the race?
6.  How will such a social engineering attempt drive further tightening of physical security measures of similar firms.

Here's another link to the story: Hacker Group Claims to Have Romney’s Tax Returns

I'd love to see reader comments on this.

Highlighted Paper: "The Law of Cyber-Attack"

Furthering scholarship in this area, I'd like to draw attention to a new paper, revised today, entitled The Law of Cyber-Attack, which was written by a Yale grad, and has a great overview of the current landscape of cyber-attacks. It will be published in an upcoming issue of the California Law Review and deals specifically with nation-state attacks and national security issues - all intertwined with the current cyberlaw jurisprudence. It also includes normative proposals:

The abstract:
Cyber-attacks have become increasingly common in recent years. Capable of shutting down nuclear centrifuges, air defense systems, and electrical grids, cyber-attacks pose a serious threat to national security. As a result, some have suggested that cyber-attacks should be treated as acts of war. Yet the attacks look little like the armed attacks that the law of war has traditionally regulated. This Article examines how existing law may be applied—and adapted and amended—to meet the distinctive challenge posed by cyber-attacks. It begins by clarifying what cyber-attacks are and how they already are regulated by existing bodies of law, including the law of war, international treaties, and domestic criminal law. This review makes clear that existing law effectively addresses only a small fraction of potential cyber-attacks. The law of war, for example, provides a useful framework for only the very small number of cyber-attacks that amount to an armed attack or that take place in the context of an ongoing armed conflict. This Article concludes that a new, comprehensive legal framework at both the domestic and international levels is needed to more effectively address cyber-attacks. The United States could strengthen its domestic law by giving domestic criminal laws addressing cyber-attacks extra-territorial effect and by adopting limited, internationally permissible countermeasures to combat cyber-attacks that do not rise to the level of armed attacks or that do not take place during an ongoing armed conflict. Yet the challenge cannot be met by domestic reforms alone.

Federal court addresses applicability of Wiretap Act to wireless network packet sniffing, holds data is "publicly available"

An Illinois federal district court recently analyzed the Wiretap Act as it applies to packet sniffing and held that "the interception of communications sent over unencrypted Wi-Fi networks" does not violate the statute. In re Innovatio IP Ventures, LLC Patent Litigation, No. 11 C 9308 (N.D. Ill. 2012).

The plaintiff, Innovatio IP Ventures, LLC, brought suit against multiple companies for various patent infringement claims concerning the use of wireless Internet technology in the defendants' businesses (such a hotels and coffee shops). Innovatio sent technicians to defendants' businesses in order to collect information about the infringement. The packets they intercepted contained data about the network as well as "e-mails, pictures, videos, passwords, financial information, private documents" and other data transmitted by network users. Innovatio sought a preliminary ruling on the admissibility of the data.

After a discussion of how packets are transmitted in a wireless network and the meaning of the word "intercept" in the Wiretap Act, the court determined that the proper "question is not ... whether the networks are "readily available to the general public," but instead whether the network is configured in such a way so that the electronic communications sent over the network are readily available." The Wiretap Act provides an exception if the communications are publicly available (18 U.S.C. § 2511(g)(i)). The court concluded that the communications themselves are readily available because they are "open to such interference from anyone with the right equipment" - equipment available for a couple hundred dollars and the right open source software.

The court concluded:
Any tension between that conclusion and the public's expectation of privacy is the product of the law's constant struggle to keep up with changing technology. Five or ten years ago, sniffing technology might have been more difficult to obtain, and the court's conclusion might have been different. But it is not the court's job to update the law to provide protection for consumers against ever changing technology. Only Congress, after balancing any competing policy interests, can play that role.... Unless and until Congress chooses to amend the Wiretap Act, the interception of communications sent over unencrypted Wi-Fi networks is permissible.
An argument had also been made that the interception violated Pen Registers and Trap and Trace, but the court found that the argument was not properly briefed and declined to apply the statute. Thus, the court found the evidence to be admissible.

Tuesday, September 4, 2012

Slides from our recent webinar on encryption

Thanks to those of you who participated in our recent webinar on encryption technology and legal issues. For those of you who were unable to attend, below is a link to a PDF of the slides from the presentation. Please feel free to contact Justin or me if you have any questions.

Click here for the PDF.

Lawyer removed as counsel, alleged to have encouraged client to install spyware to aid custody/divorce proceeding

In Zang v. Zang, 2012 U.S. Dist. LEXIS 123383 (S.D. Ohio, August 30, 2012), the defendant's motion to disqualify plaintiff's counsel was granted due to Donald Roberts, the lawyer of the plaintiff (and former lawyer/brother-in-law of the defendant), allegedly being involved in encouraging the defendant to install spyware to aid in custody and divorce proceedings. The plaintiff (wife) in this matter is "asserting claims under the federal Wiretap Act, 18 U.S.C. § 2510 et seq., together with state law claims for invasion of privacy, conspiracy to commit invasion of privacy, and violations of the Ohio wiretap statute."

The facts as summarized by the court:
According to Mr. Zang, he confided in Roberts [the lawyer] that he suspected Ms. Zang of infidelity. Mr. Zang alleges that Roberts advised him to install a program called "Web Watcher" on the computer in the marital home, that Roberts assured him that he recommended this program to his other domestic relations clients, and that Roberts even suggested stores where Mr. Zang could find the software. After this conversation, Mr. Zang claims that he paid Roberts one dollar "as a retainer for his legal services." Mr. Zang then purchased and installed the Web Watcher program. 
Quite a strange set of facts, seeing as the attorney who was disqualified was the brother-in-law of the defendant, yet is now retained by Ms. Zang (plaintiff). Not surprisingly, Roberts (the attorney) denies ever being paid a $1 retainer by the defendant and offering such advice. Mr. Zang argues otherwise. (Side note: If the facts are true, Roberts will likely enjoy some time in front of the Ohio State Bar.)

To determine whether to disqualify Roberts, the court analyzed the rules of professional conduct in Ohio and held that because he would likely be called as a witness in the case and that his testimony was certainly material, and likely necessary, he could not be retained.

The court concluded:
Regardless whether reliance on the advice of counsel is a complete defense to a civil action brought under the wiretap statutes, this issue is relevant to any consideration of damages in this case. Both the federal and Ohio wiretap statutes provide for punitive damages in "appropriate" cases. 18 U.S.C. § 2520(b) and Ohio Rev. Code § 2933.65(A). Specifically, section§ [sic] 2520(b)(2) of the federal Wiretap Act "expressly permits the award of punitive damages when the aggrieved party demonstrates that a wanton, reckless or malicious violation of the Act has occurred." Smoot v. United Transp. Union, 246 F.3d 633, 647 (6th Cir. 2001) (internal quotes omitted). Thus, any evidence tending to show that Mr. Zang believed he was acting lawfully may be pertinent to the determination of whether he acted with the sufficient state of mind to make the award of punitive damages appropriate. Besides Mr. Zang, Roberts may be the only other witness who has personal knowledge on this point.
Stay tuned...

Monday, September 3, 2012

Another post-Jones GPS case on the calendar this week

This week, on September 6th, the Wisconsin Supreme Court is faced with a GPS tracking case - State v. Brereton. The issues are unique, and include a pre-textual stop to install the GPS tracking, seizure of the car, lies by law enforcement to conceal the process of installing the GPS tracker, and the interaction of GPS tracking with the holding of the United States Supreme Court in United States v. Jones.

I encourage you to read the case briefs. I am cited in the AG's response brief for a point that I noted as relevant but was certainly not the crux of my piece. As a personal note - I would side with the defendant in this case, but the reference to my piece is germane, nonetheless.  The AG cites me for the concept that it should not matter whether the GPS tracking is real-time or the GPS information must be downloaded with human intervention. In footnote 145 I state: "Judge Bell in United States v. Walker forecloses this GPS technology distinction in a notable way: 'That the officers here chose to use a specifically engineered GPS tracking device rather than merely duct-taping an iPhone to Defendant's bumper is of little moment. The technology in this case is in general use….' 771 F. Supp. 2d 803, 811 (W.D. Mich. 2011)." Clearly a reference to Kyllo, although I find it unconvincing.

The Defendant's Brief can be found here.

The Wisconsin Attorney General's Response Brief can be found here. (I am cited on pg. 33).

The Defendant's Reply Brief can be found here.

My law review article can be found in its entirety, here: Car-ving Out Notions of Privacy: The Impact of GPS Tracking and Why Maynard is a Move in the Right Direction

Revised federal model jury instructions address use of social media, Internet research

Last week, model jury instructions were released in an attempt to deter jurors from using social networking websites during trial.

"The judges recommended that jurors frequently be reminded about the prohibition on social media before the trial, at the close of a case, at the end of each day before jurors return home, and other times, as appropriate," said Judge Julie A. Robinson, chair of the Conference Committee on Court Administration and Case Management.

The new instructions include provisions warning jurors not to use the Internet for either research or communication throughout the trial.

Relevant parts of the instructions for before the trial read:
You, as jurors, must decide this case based solely on the evidence presented here within the four walls of this courtroom.  This means that during the trial you must not conduct any independent research about this case, the matters in the case, and the individuals or corporations involved in the case.  In other words, you should not consult dictionaries or reference materials, search the internet, websites, blogs, or use any other electronic tools to obtain information about this case or to help you decide the case. Please do not try to find out information from any source outside the confines of this courtroom.
I know that many of you use cell phones, Blackberries, the internet and other tools of technology.  You also must not talk to anyone at any time about this case or use these tools to communicate electronically with anyone about the case.  This includes your family and friends.  You may not communicate with anyone about the case on your cell phone, through e-mail, Blackberry, iPhone, text messaging, or on Twitter, through any blog or website, including Facebook, Google+, My Space, LinkedIn, or YouTube.  You may not use any similar technology of social media, even if I have not specifically mentioned it here.  I expect you will inform me as soon as you become aware of another juror’s violation of these instructions.
 Full instructions - including close of case instructions - can be read here.

Saturday, September 1, 2012

Five security tips IT personnel wish students knew

Security News Daily interviewed me for a piece on what I wished students knew about IT security, and I think it has great advice not just for students, but for anyone accessing the internet in general. It can be found here: 5 Security Tips IT personnel wish students knew.

The easiest way to stop cyber crime is to reduce the number of targets.