Wednesday, May 29, 2013

Wisconsin federal magistrate reverses on forced production of decrypted data after government presents new evidence

Late last month, a federal magistrate judge denied the forced production of decrypted data from a defendant's hard drives. Last week, the judge changed his mind after the government presented new evidence.

In the initial order, the court made the "close call" to deny the production because the government did not have enough evidence concerning the defendant's access and control, nor did they actually know what was on the hard drives, though some file names indicated the presence of child pornography.

Since that time, the FBI was able to decrypt one of the drives, which contained over 700,000 files including "numerous files which constitute child pornography." It also contained "detailed personal financial records and documents belonging to" the defendant and "dozens of personal photographs" of him.

The judge determined that this new evidence makes it a "foregone conclusion" that the defendant has "access to and control over the encrypted storage drives." As such, the defendant was ordered to "enter the appropriate password ... so as to decrypt those drives" or to otherwise make "available for [law enforcement's] examination a decrypted copy of the data."

Tuesday, May 28, 2013

A deeper look at United States v. Vargas, the case concerning the NYPD detective accused of violating the CFAA

The allegations against New York Police Department detective Edwin Vargas have been making headlines recently, and were the subject of a recent press release by the U.S. Attorney's Office for the Southern District of New York. The press release announced that on May 20, 2013, a complaint was filed in the Southern District of New York alleging that Vargas had committed two offenses under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Below, I take a look at the two counts and offer some thoughts on the "Unlawful Access of Law Enforcement Database" allegation (count two).

The first count alleges that Vargas and other “known and unknown” defendants “willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking.” Specifically, the complaint alleges that Vargas conspired with individuals associated with an “e-mail hacking service” to violate §1030(a)(2)(C). That section under the CFAA, for context, states in relevant part
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished as provided in subsection (c) of this section. 
The CFAA also provides as an offense, in §1030(b), any attempted violations or conspiracy to commit violations of the Act. According to the complaint, Vargas “paid certain e-mail hacking services to hack into numerous e-mail accounts . . . in order to obtain the log-in credentials for those accounts.” The complaint continues
In total, Vargas ordered hacks of at least 43 personal e-mail accounts belonging to at least 30 different individuals including 21 who are affiliated with the NYPD; of those 21, 19 are current NYPD officers, one is a retired NYPD officer, and one is current NYPD administrative staff. Vargas accessed at least one personal email account belonging to a current NYPD officer after receiving the account's log-in credentials from the hacking service. 
While the first count contains allegations that one would typically associate with a criminal hacking statute like the CFAA, the second count is a bit more interesting. According to the allegations in the complaint, Vargas
intentionally and knowingly accessed a computer without authorization and exceeded authorized access and thereby obtained information from a department and agency of the United States, [specifically], Vargas accessed, and obtained information from the federal National Crime Information Center ("NCIC") database, without authorization, and exceeding the scope of his authority. 
Vargas’ alleged actions are believed to have violated §1030(a)(2)(B) of the CFAA, which states in relevant part
Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any department or agency of the United States . . . shall be punished as provided in subsection (c) of this section. 
This allegation centers on Vargas accessing the NCIC database to gain information on fellow NYPD officers (referred to as “Victim 2” and “Victim 3” in the complaint). According to the complaint, FBI Special Agent Samad Shaheani states
From my discussions with NYPD representatives, I have learned that on or about November 5, 2011, Edwin Vargas . . . accessed the NCIC database and obtained information about Victim 2 and Victim 3. Based on my review of the records provided by the NYPD, I have learned that at the time that he accessed the NCIC database, Vargas was in his precinct in the Bronx. I have learned that Vargas did not have authorization to perform those searches or to access that information about Victim 2 or Victim 3. 
Much of the complaint focuses on the e-mail hacking allegations featured in the first count. However, I have my reservations on whether the second count can hold up. I recently reported on a Southern District of New York case, JBCHoldings v. Pakter, in which the court applied a narrow interpretation of “without authorization” and “exceeds authorization.” As I stated,
In applying the plain meaning of the term “without authorization” the court found that “an employee ‘accesses a computer without authorization’ when he does so without permission to do so. This definition plainly speaks to permitted access, not permitted use.” The court also found the CFAA’s statutory definition of “exceeds authorized access” was inherently similar to the plain meaning of “without authorization” stating, “[b]y its plain terms, this definition also speaks to access, not use.” 
A similar application might come into play in the case against Vargas. While JBCHoldings was a civil case, the court's application of “without authorization” and “exceeds authorized access” might hold some weight as this case moves forward (however, as the court in JBCHoldings observed, “[d]istrict courts within the Second Circuit have taken opposing views [as to the meaning of ‘without authorization’ and ‘exceeds authorized access’]”). It's true that Vargas might not have had “authorization to perform those searches” or to “access that information,” as the complaint alleges, but the question to consider would be whether Vargas, as an NYPD detective, was generally given access through his employment to use the NCIC system. Did Vargas simply misuse the information from the NCIC system that he had the right to access through his employment? If so, that might make the second count against Vargas a bit more challenging. I’ll be interested to see how this case progresses.

What do you think? Feel free to sound off in the comments.

Thursday, May 23, 2013

9th Circuit orders hard drive reformatting just in case hard drives contained encrypted files

The Ninth Circuit recently upheld an order allowing the government to reformat the hard drives on a computer before returning them because the drives might have contained encrypted files, and those encrypted files might have violated the defendant's supervised release. (United States v. Spink, No. 12-30068 (9th Cir. 2013)).

The defendant had been accused of violating the terms of his supervised release through use of his computer, by possessing images of bestiality or zoophilia (he had previously owned at least 52 such websites). However, it appears as though the computers had either been erased, or the defendant had encrypted files on the computer. As no evidence was apparently found (from the few facts in the opinion), the computers had been ordered to be returned.

However, after the order, the government argued that they should be able to erase the hard drives in case there were files encrypted on the drive that would violate the defendant's release.
The government professed that it could not determine whether the computers' hard drives appeared to be blank because they had been erased or because they contained encrypted information that the government could not access.
The Ninth Circuit affirmed the decision to allow the hard drives to be erased, holding:
If the hard drives have been erased, there is no harm to Spink from the government wiping the hard drives again before it returns the computers. However, if there is encrypted data, Spink presumably has the ability to access those materials, and he has not offered to access the files in the presence of the Probation Office. Moreover, if the hard drives contain encrypted materials, those materials are likely to be the type of materials that Spink is prohibited from possessing under the conditions of his supervised release.
As I've argued many times before, I think the assumption that encryption is only used to do illegal or improper acts is erroneous and a very harmful idea for courts to consider. Does a locked door to your house imply that you are hiding illegal items in your home?

Tuesday, May 21, 2013

1st Circuit holds that cell phone searches incident to arrest violate the 4th Amendment

In United States v. Wurie, No. 11-1792 (1st Cir. 2013), the First Circuit held that the search of a cell phone incident to arrest categorically violates the Fourth Amendment. As a result, the court reversed the denial of the defendant's motion to suppress, vacated the conviction, and remanded the case.

While performing routine surveillance, a Boston police officer observed a man conducting what appeared to be a drug sale. The man was then stopped, and crack cocaine was found in his pocket. He was arrested, and upon arriving at the police station, two cell phones were confiscated from his person.

The phone soon thereafter received several calls, each displaying "my house" on the screen as the incoming caller. Police opened the call log and obtained the phone number for "my house." The number was entered into an online white pages directory, and officers then went to that location to "freeze" it while a search warrant was obtained. A large amount of drugs was seized from the home.

Before trial, the defendant moved to suppress the evidence obtained from his person and home, and the district court held that "[t]he search of Wurie's cell phone incident to his arrest was limited and reasonable." On appeal, the defendant reasserted his motion.

Having not yet dealt with the issue, the First Circuit extensively evaluated the potential effect of making cell phones searchable under the search incident to arrest exception. Here are a couple of excerpts:
  • [Data stored on a phone] is the kind of information one would previously have stored in one's home and that would have been off-limits to officers performing a search incident to arrest.
  • Just as customs officers in the early colonies could use writs of assistance to rummage through homes and warehouses, without any showing of probable cause linked to a particular place or item sought, the government's proposed rule would give law enforcement automatic access to "a virtual warehouse" of an individual's "most intimate communications and photographs without probable cause" if the individual is subject to a custodial arrest, even for something as minor as a traffic violation.
As to whether the search was necessary to prevent destruction of evidence on the phone by remote wiping, the court discussed three methods for preserving the data and concluded:
Indeed, if there is a genuine threat of remote wiping or overwriting, we find it difficult to understand why the police do not routinely use these evidence preservation methods, rather than risking the loss of the evidence during the time it takes them to search through the phone. Perhaps the answer is in the government's acknowledgment that the possibility of remote wiping here was "remote" indeed.
Ultimately, the First Circuit found it necessary to create a uniform rule governing the search of cell phones incident to arrest, holding that "[a]llowing the police to search that data without a warrant any time they conduct a lawful arrest would, in our view, create 'a serious and recurring threat to the privacy of countless individuals.'"

The court did leave open the possibility for using the exigent circumstances exception in order to search a cell phone without a warrant, for example when there is a "compelling need to act quickly" such as to "locate a kidnapped child or to investigate a bombing plot or incident."

In a dissent, Judge Howard suggested a variety of reasons why the majority was incorrect, including that the caller from "my house" might have otherwise destroyed evidence in the home.

Monday, May 20, 2013

Featured Paper: Hacking Speech: Informational Speech And The First Amendment (Update)

The Northwestern University Law Review's newest issue (a special edition recognizing Northwestern Law faculty member Martin Redish) offers an interesting piece by Andrea M. Matwyshyn titled "Hacking Speech: Informational Speech And The First Amendment." Dr. Matwyshyn is an assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School, a faculty affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania School of Law, and an affiliate Scholar of the Center for Internet and Society at Stanford Law School. The abstract appears below:
The Supreme Court has never articulated the extent of First Amendment protection for instructional or “informational” speech—factual speech that may be repurposed for crime. As technology advances and traditional modes of speech become intertwined with code speech, crafting a doctrine that expressly addresses the First Amendment limits of protection for informational speech becomes pressing. Using the case study of “vulnerability speech”—speech that identifies a potentially critical flaw in a technological system but may indirectly facilitate criminality—this Article proposes a four-part “repurposed speech scale” for crafting the outer boundaries of First Amendment protection for informational speech.

Author's Update: I recently contacted Dr. Matwyshyn to expand a bit on her recent article for our readers. Here is what she had to say:
My goal with the article was to highlight existing gaps in the Supreme Court's jurisprudence that will present challenges as courts face future cases dealing with instructional/informational speech and technology. I also sought to propose one possible model for these judicial determinations. As vulnerability exploit markets, 3D printer drivers and other controversial categories of code become more prevalent, it is inevitable that a case of the type considered in the article will end up before the Supreme Court. The Court will then need to decide when, if ever, code crosses the line from protected speech into a regulable commodity and when, if ever, a release of code later used as part of a criminal enterprise constitutes a basis for criminal prosecution. I hope to reinvigorate the legal conversation around these topics.

Tuesday, May 14, 2013

7th Circuit dismisses CFAA civil claim for failure to satisfy $5,000 loss requirement

This case focuses a bit more on the civil side of the Computer Fraud and Abuse Act (CFAA). In Modrowski v. Pogatto, the Seventh Circuit Court of Appeals demonstrates the importance of the value requirement of a civil suit under the CFAA. 18 U.S.C. § 1030(g) states, in relevant part, that
[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages . . .
Thus, a claimant who wishes to bring a civil suit under § 1030(c)(4)(A)(i)(I), as the plaintiff did in this case, must show that a CFAA violation resulted in the “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Now, under the CFAA, “loss . . . aggregating at least $5,000 in value” may seem quite easy. The CFAA broadly defines “loss,” 18 U.S.C. § 1030(e)(11), as
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
As Modrowski demonstrates, the $5,000 loss requirement is essential to a civil claim under the CFAA, specifically § 1030(c)(4)(A)(i)(I). Leon Modrowski was fired as the property manager for TAQ Properties and Capps Management in 2008. During his employment, Modrowski had merged his personal and business Yahoo! email accounts. When Modrowski was terminated, the employer “locked” Modrowski out of his account, thus preventing Modrowski from accessing his personal e-mails. When access was finally granted, “Modrowski discovered that several years’ worth of his personal correspondence had vanished.” As a result, Modrowski filed numerous claims, including a civil suit under the CFAA.

The district court granted the defendant’s motion for summary judgment after Modrowski failed to amend his complaint “to elaborate on the economic harm caused by the defendant’s actions.” The district court found that Modrowski failed “to offer ‘any evidence in response to defendant[‘s] motion, let alone evidence sufficient to raise a triable issue of fact.’”

On appeal, Modrowski argued that “his obligation to point to evidence in his favor was never triggered, because the defendants failed to meet their initial burden of production.” The court notes that the defendants did not attempt to provide “affirmative evidence that negates an essential element of [Modrowski’s] claim,” but were, successfully, following a “somewhat trickier” path to summary judgment by asserting that “[Modrowski’s] evidence [was] insufficient to establish an essential element of [Modrowski’s] claim.” The court’s focus on a “representative element of Modrowski's claims,” the $5,000 loss requirement, attempts to highlight the shortcomings of Modrowski’s argument:
To prevail on his Computer Fraud and Abuse Act claim, Modrowski would have had the burden of proving that the defendants' actions “caused [a] loss . . . during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). Were the defendants aiming affirmatively to negate that element—say, by asserting that the evidence irrefutably showed Modrowski's injury totaled only $2,500—the absence of citations to the evidence on record would be problematic. But that was not the defendants' strategy. They asserted that, if the case went to trial, Modrowski would be unable to produce evidence sufficient to meet his burden of proving that his injury exceeded $5,000. Modrowski counters that he was under no obligation to conduct formal discovery, and this is certainly true. See Praxair, Inc. v. Hinshaw & Culbertson, 235 F.3d 1028, 1032 (7th Cir. 2000) (“Discovery is costly and in cases in which the stakes are small, or there is a clearly dispositive legal argument, forbearing to conduct discovery is not negligence.”). But once the defendants pointed out the gap that they believed existed in Modrowski's case, he was obliged to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Modrowski could have come forward with affidavits from would-be business partners who were unable to contact him while he was locked out of his account; he could have submitted receipts reflecting the fees he paid to procure duplicates of lost financial and billing records; or perhaps he might have contented himself with a personal affidavit attesting to the number of hours he devoted to recovering his emails. See Butts v. Aurora Health Care, Inc., 387 F.3d 921, 925 (7th Cir. 2004) (court may consider self-serving affidavits at summary judgment if they are based on personal knowledge and set forth specific facts). Instead, he rested exclusively on his complaint, and this was plainly inadequate.
The $5,000 loss requirement for civil claims under the CFAA is a relatively broad requirement. However, as Modrowski highlights, a prospective claimant should be prepared to have some evidence that his or her loss can be valued at $5,000.

Interesting Note: Modrowski also brought a claim under the Stored Wire and Electronic Communications Act (18 U.S.C. § 2701) and the Federal Wire Tapping Act (18 U.S.C. § 2511). However, both were dismissed with prejudice by the district court because “Modrowski acknowledged that he voluntarily linked his personal account with the defendants' business account.”

Author's recommendation: Don't do that.

Monday, May 13, 2013

DOJ obtained Associated Press phone records; AP demands return and destruction of data

The Associated Press announced today that the Justice Department obtained two months of telephone records from more than twenty AP office telephones just over a year ago. The DOJ notified the AP of the investigation on Friday. AP's President and CEO has "demanded the return of the phone records and destruction of all copies."

According to the AP, the process for obtaining records from news organizations is "strict."
A subpoena can be considered only after "all reasonable attempts" have been made to get the same information from other sources, the rules say. It was unclear what other steps, in total, the Justice Department might have taken to get information in the case. 
A subpoena to the media must be "as narrowly drawn as possible" and "should be directed at relevant information regarding a limited subject matter and should cover a reasonably limited time period," according to the rules....
News organizations normally are notified in advance that the government wants phone records and then they enter into negotiations over the desired information. In this case, however, the government, in its letter to the AP, cited an exemption to those rules that holds that prior notification can be waived if such notice, in the exemption's wording, might "pose a substantial threat to the integrity of the investigation."
The full guidance from the DOJ is available in the department's United States Attorneys' Manual.

The investigation involves an attempt to find the source of a leak of classified information to the media.

Former Romney/Ryan intern charged with cyberstalking and internet extortion denied bail

In United States v. Savader, 13-MJ-359 (E.D.N.Y. May 7, 2013), Magistrate Judge Gary R. Brown denied bail to Adam Savader because of the nature of his crimes (cyberstalking and internet extortion) and due to the "weaponized" nature of the cache of compromising pictures the defendant possesses. The court's reference to weaponization derived from the fact that the images of the 15 victims were in cloud storage, and thus "the cache of compromising photos, [could] be accessed from any Internet-enabled device on the planet," allowing Savader to perpetrate additional crimes or antagonize his victims further.

The Savader case was well publicized when it hit the news; see:

Politico, Adam Savader, ex-Romney intern, arrested for blackmail
New York Daily News, Former Romney campaign intern busted in nude-pics blackmail scheme

From the Politico article (to summarize):
A former intern for the 2012 Republican presidential ticket of Mitt Romney and Paul Ryan and for Newt Gingrich’s presidential campaign was charged with cyberstalking young women and blackmailing them into sending nude photos in federal court on Tuesday.
Adam Savader, a 21-year-old from Great Neck, N.Y., obtained nude photos of 15 different women and threatened to publish the photos unless the women sent him even more naked pictures, according to a criminal complaint. Some of the victims were Savader’s high school and college classmates.
The complaint was originally under seal, but was unsealed on April 23, 2013 by order of the court. The complaint plus additional documents from the E.D. of Michigan (where the charges were filed), can be viewed here:

Savader Docs (Complaint, Arrest Warrant, Docket, etc.)

While Savader was charged in Michigan, he lives in New York, hence the reason why the detention order (and reasoning) emanated from the Eastern District of New York. In beginning his determination, the EDNY Magistrate considered whether it was even proper to make a bail determination in New York instead of Michigan. In the end, the court held that the amended Rules of Criminal Procedure allowed the court to proceed, and indeed it makes sense to hold a bail hearing in the defendant's home district, where Savader could more easily provide information relevant to the bail hearing; namely, his community ties, etc.

As to the merits, the court noted that the case "present[ed] novel factual issues as well as the kind of legal challenges that often arise when applying traditional legal concepts to cases emanating from digital technology." I think that is the interesting part of this otherwise routine part of criminal procedure. What should the standard be for individuals charged with internet crimes, where access to a computer might be the only thing needed to perpetrate additional crimes, modify evidence, or in this case, antagonize victims further with compromising photos?

In this case, the court referred to it as a close call, but ended up siding with detention. I don't necessarily agree it was close. As the court noted: there were 15 victims, the defendant showed some acumen for technology (not enough to know Google Voice numbers can be tied to your IP address...), and the defendant held specific animus for some of the victims. Moreover, because the fruits of his alleged crimes were stored out on the internet, the temptation for him to access that material (for any reason at all, nefarious or otherwise), might have been too great (notwithstanding his family's assurances otherwise).

I will note that I think the analysis regarding bail should be different in hacking cases, where systems have been adequately secured and there is no further chance the defendant could reoffend. However, here, I don't think you can convincingly argue future crime/tampering/sexual gratification related to the cache of material is a non-issue.

Because I haven't seen much related to bail considerations for electronic crimes, I reproduce in full the court's reasoning, below:
Because the offenses charged do not appear to constitute crimes of violence as defined in the Bail Reform Act, see 18 U.S.C. §3156, the Government is limited to seeking detention under § 3142(f)(2)(B), to the extent it can establish that the defendant “presents a serious risk that [he] . . . will . . . threaten, injure, or intimidate, or attempt to threaten, injure, or intimidate, a prospective witness.” Thus, the determination turns on whether the defendant may attempt to threaten or intimidate potential witnesses, which, in this case, means the complaining victims. 
Precise prediction of future human conduct represents an impossible task. Here, however, we can look at several indicators. First is the defendant’s capacity to threaten or intimidate the victims, both identified and unidentified. According to the Government’s proffer, agents uncovered evidence of an Internet cloud storage account that included files bearing names of the victims, presumably containing the photograph files used as part of the extortion. Notwithstanding the seizure of computer hardware from the defendant, the existence of this cloud storage suggests that, based on the information currently available, the defendant has possession of the cache of compromising photos, which can be accessed from any Internet-enabled device on the planet. Though electronic files do not generally constitute dangerous materials, in the context of this highly-unusual case, the defendant effectively “weaponized” these items, presenting a significant risk. Given the defendant’s demonstrated facility with computer technology, it would be all but impossible to fashion terms and conditions that would eliminate defendant’s access to these materials. Hence, like an individual with access to a secret cache of weapons, the defendant certainly maintains the capacity to intimidate or further injure the victims until these materials can be definitively located and secured. 
The second factor is the defendant’s willingness to employ these materials to cause further harm to the victims. Of course, that he has done so in the past is one consideration. At the hearing, his counsel argued, persuasively, that the defendant would be a fool to violate a court directive contained in a release order, as it would mean almost certain return to jail. In addition, the mere exposure of the scheme may well make the defendant reticent to engage in additional similar conduct. As Justice Brandeis famously observed, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” However, the Government has presented evidence showing that this defendant – largely for reasons that are as yet undiscovered – maintained an animus against some of these victims for many years. Though the defendant is now 21, he has managed to hold a grudge against several victims since high school. This demonstrated drive on the part of the defendant forces me to conclude that there remains a serious risk that he will attempt to intimidate or further injure the victims, as long as those photos remain in his control. 
Having concluded there is such a risk, the question is whether there are conditions which can remediate that risk. The Court notes that, at the bail hearing, defendant demonstrated substantial ties to the community. A large number of family members appeared at the bail hearing, representing three generations of his family, all of whom appeared willing and eager to assist in ensuring that the defendant will not engage in further wrongful conduct. According to his attorney, family members were willing to accompany him to school, attend classes with him, and take any other steps necessary to secure his release. Because of the unique circumstances of this case, I find that this support, though an important consideration, cannot overcome the serious risk of danger to the victims. As such, I directed the defendant be detained pending removal to the Eastern District of Michigan. 
That said, I note that this was a close call, which could have easily resulted in a different outcome. As described above, these decisions must be made with deference to the charging district, which will have access to better information concerning the status of the compromising photographs, input from the victims, and the nature of the evidence. That court, therefore, will be in a far better position to evaluate the risk presented by the defendant, and should accord little weight to this determination.

Thursday, May 9, 2013

NSA releases 642-page Internet research guide

The National Security Agency recently released a 642-page guide titled "Untangling The Web: A Guide To Internet Research" under a Freedom of Information Act request. As the major purpose of the guide is to "help you understand how to use the Internet more efficiently," there isn't much in the document worth noting - perhaps made clear by the fact that the 642 pages are almost entirely unredacted.

There are sections about "Uncovering the 'Invisible' Internet" and "Internet Privacy and Security," but most of this information is common knowledge or significantly out of date (the guide was produced in 2007). However, the section on "Google Hacking" is interesting. Google hacking is "using clever but legal techniques to find information that doesn't belong on the public Internet." Here's one of the tips:
[S]earch by file type, site type, and keyword: many organizations store financial, inventory, personnel, etc., data in Excel spreadsheet format and often mark the information "Confidential," so a Google hacker looking for sensitive information about a company in South Africa might use a query such as:
[filetype:xls site:za confidential]
I wouldn't suggest spending time reading the whole thing, but it was worth a couple minutes. Maybe.
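The defender's side of the quoted tip, as an added example that is not from the NSA guide or the original post: before a directory is published, list the documents in it that a file-type plus keyword query like the one above would surface once the site is indexed. The helper names, the extension list and the sample files are constructed for illustration, and the local web root stands in for the `site:` scope.

```python
import os
import tempfile
import zipfile

# File types the audit treats as likely to hold business data (assumed list).
SENSITIVE_EXTS = {".xls", ".xlsx", ".doc", ".docx"}


def contains_keyword(path, keyword):
    """Case-insensitive search for `keyword` inside one document.

    Legacy .xls/.doc files hold strings as 8-bit text or UTF-16LE, so both
    encodings are searched. .xlsx/.docx are ZIP archives of XML parts, so
    the parts are decompressed before searching.
    """
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            blobs = [archive.read(n) for n in archive.namelist()
                     if n.endswith(".xml")]
    else:
        with open(path, "rb") as fh:
            blobs = [fh.read()]
    word = keyword.lower()
    needles = (word.encode("utf-8"), word.encode("utf-16-le"))
    # bytes.lower() folds ASCII letters only; that also works on UTF-16LE
    # text because the interleaved 0x00 bytes are left untouched.
    return any(n in blob.lower() for blob in blobs for n in needles)


def audit_webroot(webroot, keyword="confidential", exts=SENSITIVE_EXTS):
    """Return site-relative paths matching both the file-type and keyword facets."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue  # file-type facet does not match
            full = os.path.join(dirpath, name)
            if contains_keyword(full, keyword):
                rel = os.path.relpath(full, webroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot(root):
    """Constructed sample tree; the files are minimal stand-ins, not real workbooks."""
    os.makedirs(os.path.join(root, "reports"))
    os.makedirs(os.path.join(root, "public"))
    # Legacy-style binary carrying the marking as a UTF-16LE string.
    with open(os.path.join(root, "reports", "payroll.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 8
                 + "CONFIDENTIAL - payroll".encode("utf-16-le"))
    # OOXML-style ZIP with the marking inside a compressed XML part.
    with zipfile.ZipFile(os.path.join(root, "reports", "budget.xlsx"), "w",
                         zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("xl/sharedStrings.xml",
                         "<sst><si><t>Company Confidential</t></si></sst>")
    # Right file type, no marking: the keyword facet does not match.
    with open(os.path.join(root, "public", "prices.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 8 + b"Widget 9.99")
    # Marking present, but not a file type the audit looks for.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<p>Nothing confidential here</p>")


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for path in demo():
        print("review before publishing:", path)
```

Anything the audit lists belongs behind authentication or off the public server; a file that is never served cannot be indexed.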

Wednesday, May 8, 2013

Breaking: Fed. judge denies motions to suppress in Rigmaiden; 4th Amendment, SCA case with Stingray use by FBI (Updated)

In United States v. Rigmaiden, No. 2:08-cr-00814-DGC (D. Ariz. May 8, 2013), a federal district judge in Arizona denied all of the defendant's motions to suppress. The motions were related to searches, the FBI's use of Stingray, access to stored communications and IP addresses, etc. It is long, but worth the read. An excerpt (relating to the Fourth Amendment argument):
Given the unique circumstances of this case and the case law discussed above, the Court concludes that Defendant did not have a legitimate expectation of privacy in the aircard, laptop, or apartment procured through fraud. Defendant acquired these items by invading the privacy of the persons from whom he stole names, social security numbers, credit cards, and driver’s license numbers. Having utterly disregarded the privacy rights of Travis Rupard, Steven Brawner, and Andrew Johnson, not to mention the many other names used in his scheme, Defendant cannot now credibly argue that he had a legitimate expectation of privacy in the devices and apartment he acquired through the fraudulent use of their identities.
An excerpt (relating to the SCA argument):
Courts have rejected Defendant’s arguments that historical cell-site records cannot be obtained under the SCA. See, e.g., In re Application of U.S., 620 F.3d 304, 313 (3rd Cir. 2010) (holding that cell-site location information “is obtainable under a § 2703(d) order”); United States v. Graham, 846 F.Supp.2d 384, 396 (D. Md. 2012) (“It is well established that Section 2703(c)(1)(B) of the Stored Communications Act applies to historical cell-site location data.”); see also United States v. Skinner, 690 F.3d 772, 777 (6th Cir. 2012) (holding that locating defendant through a phone’s cell-site records is not a Fourth Amendment search). Contrary to Defendant’s arguments, federal courts consistently rely on Smith and Miller to hold that defendants have no reasonable expectation of privacy in historical cell-site data because the defendants voluntarily convey their location information to the cell phone company when they initiate a call and transmit their signal to a nearby cell tower, and because the companies maintain that information in the ordinary course of business. See United States v. Ruby, No. 12CR1073 WHQ, 2013 WL 544888, at *6 (S.D.Cal. February 12, 2013); Jones, 2012 WL 6443136, at *5 (D.D.C. 2012); Graham, 846 F.Supp.2d at 397-401; United States v. Madison, No. 11-60285-CR, 2012 WL 3095357, at * 8-9 (S.D.Fla. July 30, 2012).
...
Defendant argues that the government was able to use the cell-site information to effectively track his aircard from June 10 to July 18, 2008, a period of 38 days, and that this “prolonged surveillance” implicated his reasonable expectation of privacy. Doc. 824 at 215-17. Defendant relies on United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), and United States v. Jones, 132 S.Ct. 945 (2012), but those decisions are inapposite. They do not address orders under the SCA, and the Supreme Court in Jones did not adopt the privacy theory advanced by Defendant.
...
In this case, a government agent, working in his office with the historical cell-site information and using mathematical and triangulation techniques, was able to calculate a general location for Defendant’s aircard during a 38-day period. The calculation narrowed the location of the aircard to one-quarter of a square mile. The Court cannot conclude that such use of cell-site information, obtained from a third party under the SCA, is tantamount to attaching a GPS device to a person’s vehicle. Calculations made from the historical cell-site information did not provide minute-by-minute intelligence on Defendant’s precise movements as did the GPS device in Maynard. The calculations merely identified a general area where the aircard was located – and stationary – for 38 days. The information was not used surreptitiously to track Defendant’s movements over an extended period without a warrant.
For some background, see:

--Kim Zetter, Wired, Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

--Vanessa Blum, The Recorder, Emails Detail Northern District's Use of Controversial Surveillance

Update 1:

--Here is the EFF/ACLU Amicus Brief in the case

Update 2:

--Kim Zetter's new post is up: Judge Allows Evidence Gathered From FBI’s Spoofed Cell Tower

Update 3:

--Orin Kerr has his take up, here: District Judges Divide on Long-Term Cell Phone Tracking Under the Fourth Amendment (he also discussed Powell, another SCA/4th Amendment case)

Featured Paper: Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow

Stephanie K. Pell has posted a new paper on SSRN entitled: "Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow." Hat-tip to Chris Soghoian for mentioning it on Twitter. The article abstract is below:
While the Jones Court held unanimously that the government’s use of a GPS device to track Antoine Jones’ vehicle for 28 days was a Fourth Amendment search, the Justices disagreed on the facts and rationale supporting the holding. Beyond the very narrow trespass-based search theory regulating the government’s attachment of a GPS device to Jones’ vehicle with the intent to gather information, the majority opinion does nothing to constrain government use of other tracking technologies, including cell phones, which merely involve the transmission of electronic signals without physical trespass. While the concurring opinions endorse application of the Katz reasonable expectation of privacy test to instances of government use of tracking technologies that do not depend on physical trespass, they offer little in the way of clear, concrete guidance to lower courts that would seek to apply Katz in such cases. Taken as a whole, then, the Jones opinions leave us still jonesing for a privacy mandate. As of the writing of this Article, Congress has not been successful in passing legislation that would regulate government use of tracking technologies. A third regulator of government power has emerged, however, in the form of technology itself, specifically in new(ish) methods an individual or group of individuals can use to make it more difficult, in some cases perhaps impossible, for law enforcement to obtain the information it seeks. While waiting for more definitive action from the courts and Congress, such “privacy enhancing” anonymization and encryption technologies can provide a temporary “fix” to the problem of ever-expanding police powers in the digital age, insofar as they make law enforcement investigations more difficult and expensive, thereby forcing law enforcement to prioritize some investigations and, perhaps, de-emphasize or drop others.
Moreover, at a time when cybersecurity is a national security priority and recommended “best practices” include the use of encryption technologies to protect, among other things, US intellectual property, law enforcement is likely to face continued instances of “Going Dark” as it attempts to intercept communications in the face of the increasing availability and use of encryption technologies. As Congress considers possibilities for expanding law enforcement interception capabilities, it will be forced to accommodate the complex dualistic properties of technologies that, on one hand, bolster our national security against certain kinds of threats while, on the other, they limit or thwart law enforcement’s ability to fulfill its traditional public safety function of investigating crimes.

"Revenge porn" website owner offers to close site if he raises $200,000

There was a time when people ended a relationship and moved on with their lives. Nowadays, with digital cameras and the Internet, it is much easier to seek revenge for all of the wrongs you experienced. For those of you unaware, "revenge porn" is the term applied when a person posts nude images of someone they know on the Internet - often doing so after the end of a relationship. 

Several revenge porn websites have come and gone, but one website owner has recently made headlines by offering to shut down his websites after he raises $200,000. According to Betabeat.com:
Mr. Brittain has devised a new scheme to flout the desires of victims who want him to take down their intimate photos. He and Is Anybody Down co-owner Chance Trahan have launched an Indiegogo campaign with a goal of $200,000, claiming that if they hit their goal they will officially shut down both sites. And they’ve named their campaign after revenge porn victim Holly Jacobs’ victim resource hub, End Revenge Porn.

Tuesday, May 7, 2013

Defendant argues WI child porn law unconstitutional; if you're texted CP and open it, are you guilty of possessing CP?

Could someone texting you child porn, a text you unwittingly open, get you charged with a felony? Also, is it fair to charge adult males with child porn possession but not the underage females that texted the images to them, if they both technically possess child pornography? The case below raises both issues.

In State v. Perino, Nos. 2012-CF-0217, 2012-CM-0116 (Wis. Cir. Ct. filed Jan. 18 & Feb. 23, 2012), the defendant is charged with two counts of possessing child pornography (2012-CF-0217 - link has case history) and two counts of sex with a minor over age 16 (2012-CM-0116). In March of 2013, the defendant filed three motions to dismiss based on the following: (1) that the charged statute (Wis. Stat. § 948.12, see infra) is unconstitutionally vague and overbroad, as applied; (2) that the images are not "lewd" as required by the statute; and (3) that the prosecutor is selectively prosecuting the case.

Copies of the Wisconsin Circuit Court documents:

1. Defendant's Motions
2. Prosecutor's Responses

The defendant was later indicted in federal court, as well, where he was "charged . . . with one count of producing child pornography and [the indictment] refers to two victims A and B. Four other counts appear to refer to the same former student in the state charges, and a sixth count seeks forfeiture of Perino's computers and cellphone." (Vielmetti, infra). You can find the indictment, here: E.D. Wisconsin Perino Indictment

State of Wisconsin Case

Wis. Stat. § 948.12 states:
948.12  Possession of child pornography.
(1m) Whoever possesses, or accesses in any way with the intent to view, any undeveloped film, photographic negative, photograph, motion picture, videotape, or other recording of a child engaged in sexually explicit conduct under all of the following circumstances may be penalized under sub. (3):
     (a) The person knows that he or she possesses or has accessed the material.
     (b) The person knows, or reasonably should know, that the material that is possessed or accessed contains depictions of sexually explicit conduct.
     (c) The person knows or reasonably should know that the child depicted in the material who is engaged in sexually explicit conduct has not attained the age of 18 years.
Bruce Vielmetti has a good synopsis of the case in his Journal-Sentinel article - Lawyer wants girl charged for nude photos she sent to teacher:
The attorney for a former Hales Corners teacher facing charges he had sex with a female student has asked a judge to charge the girl with distributing child pornography - for sending nude photos of herself to the teacher.
...
Craig Perino was charged in Racine County in January 2012 with two counts of sex with child 16 or older, both misdemeanors. According to the complaint, he and the girl had encounters last year at his home in Waterford that involved drinking and intercourse.
A month later, prosecutors added two counts of possession of child pornography, both felony offenses, after nude photos of the girl were found on Perino's phone and computer. He has pleaded not guilty to all the charges.

Perino's attorney, John Birdsall, has moved to dismiss the child pornography charges on several grounds. He argues the statute is unconstitutionally vague and overbroad because it makes anyone who might open and view an unsolicited texted or emailed image of child pornography subject to criminal prosecution. 
Birdsall also argues that the texted photos, while nude, are not "lewd" under the statute. 
Finally, Birdsall asks that the charges be dismissed because they represent selective prosecution. His motion notes that the girl was 17 when she reported her sexual encounters with Perino and is 18 now. If the prosecutors believe the images amount to child pornography, the girl should be charged as an adult with producing, distributing and possessing them, the motion states.

Refusing to charge the girl, Birdsall argues, amounts to an admission by prosecutors that the images are not in fact lewd under the Wisconsin statute and therefore don't support the child porn charges against Perino.

In his responses to Birdsall's motions, Assistant District Attorney Robert Repischak argued that the issues were raised too late, that the question of whether the photos are lewd is one a jury should decide, and that Perino's constitutional challenge relies on hypothetical situations that differ from his own. 
"The defendant seemingly forgets" that he told an investigator he had stored images on his employer's computer and deleted them once he learned of the investigation and that he "clearly . . . was not an unwitting recipient of the images at issue," Repischak said in his written response to the motions.


Monday, May 6, 2013

Part 1 (The Facts): CFAA case to test the EFF's proposed reform language

In this first post I will outline the relevant facts of the Fidlar case and how the facts present an interesting issue for the proposed CFAA reform language of the EFF (and Rep. Lofgren). At the end of this post, I note EFF Attorney Hanni Fakhoury's initial take on the case. 

In the second post I will offer my own take. I will then propose some changes to the reform language that would clarify the issue. I will conclude by taking a step back and opining on whether the CFAA should even apply to this kind of contractual dispute, and if so, in what circumstances. Spoiler - I will propose a presumption.

A case in the federal District Court for the Central District of Illinois is worth keeping an eye on if you are interested in the evolution of the CFAA from an anti-hacking statute to one used to enforce terms of service agreements, punish employee disloyalty, and resolve contractual disputes.

First, as a point of reference, consider the EFF's proposed language to amend the CFAA (emphasis added):
(6) The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.  
The term “without the express or implied permission” does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer.
This language was adopted in some form in Rep. Lofgren's CFAA reform bill. For Orin Kerr's take on these proposals, see here: Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples, and here: Drafting Problems With the Second Version of “Aaron’s Law” from Rep. Lofgren.

Back to the case at hand, here is the alleged offense in the complaint from Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 4:13-cv-4021 (C.D. Ill. Mar. 13, 2013) (emphasis added):
17. In or around 2012, LPS created one or more computer programs, the sole purpose of which were to mimic the interface between Fidlar’s user-interface software and Fidlar’s server software. The mimicked program allowed LPS to fraudulently present itself to Fidlar’s server software as though it had gained access through the Laredo user-interface, but without the attendant user controls. 
18. Fidlar’s server software programs are designed to prevent Fidlar’s customers from accessing those servers by any means other than through Fidlar’s software. 
19. Fidlar does not train, promote, or explicitly publish, nor intend to publish the techniques necessary to access Fidlar’s server software directly and circumvent the Fidlar user-interface software of Laredo or Tapestry. 
20. Specifically, LPS created mimic software that allowed Defendant to fraudulently obtain documents electronically and search at a higher rate and volume than would otherwise be possible. 
21. This mimic software program that LPS created, allowed Defendant to gain fraudulent access to Fidlar’s server software and bypass user controls embedded in the Laredo program. In this manner LPS fraudulently obtained documents that Fidlar server software had retrieved from governmental databases. 
Later in the complaint, Fidlar alleges that LPS's use of this mimicked interface allowed LPS to access documents that they would normally have to pay for; caused a burden on Fidlar's servers that damaged their operations; prevented Fidlar from being able to track LPS's use; and, caused damages in excess of $80,000. Relating to damages, the complaint states: "As a result of Defendant’s unauthorized use of Fidlar’s computers and computer servers, Fidlar has been damaged in excess of $5,000 in the past calendar year. . . . To date, Fidlar has incurred economic damages in excess of $80,000 in attempting to determine the extent of Defendant’s fraudulent invasion of its computers and computer servers, and those damages are ongoing and increasing."

Fidlar’s complaint does not allege what specific section of 18 U.S.C. § 1030 LPS violated, but the language in the complaint reiterates the phrase "without authorization" (i.e. "Defendant has engaged in a pattern of unauthorized access of Fidlar’s computers and computer servers, in order to intentionally obtain information from Fidlar’s computers"); thus "without authorization" will be the focus of the analysis in my next post.

After reading the complaint, the next logical question is whether any language in the license agreement directly applies; it can be found here: Exhibit A - Fidlar Technologies Laredo End User Agreement. In my opinion it doesn't say much that is helpful to this dispute. The bulk of the agreement relates to Fidlar's protection of its intellectual property; I do not see any limiting language on how a customer may access the database. Feel free to correct me.

Unsurprisingly, LPS's side of the story is quite different. Its Motion to Dismiss for Failure to State a Claim (filed Apr. 8, 2013) (emphasis added & internal cites omitted, except where relevant) states:
Fidlar’s CFAA claim fails for two reasons: 1) LPS was authorized to access Fidlar’s computers, and 2) Fidlar does not allege that it suffered “damage” or “loss” as those terms are defined by the CFAA.
a. LPS was authorized to access Fidlar’s computers. 
Fidlar’s complaint explicitly concedes that LPS has been a customer of Fidlar “since at least 2009 using the Laredo program and has installed the Laredo program on its own computers.” The complaint further admits, “LPS has purchased Laredo licenses in 76 counties where Fidlar has provides [sic] access to documents.” In other words, LPS had paid for and was granted authorization to access the data on Fidlar’s servers relating to those counties.
Even though LPS was authorized to access Fidlar’s servers, Fidlar complains that LPS went about it the wrong way. Specifically, LPS did not employ an individual to manually review the documents one at a time. Instead, LPS employed a computer program that allegedly circumvented controls that Fidlar claims were in place to “prevent customers from electronically capturing and downloading documents” instead of paying for copies. 
As a matter of law, these allegations do not constitute “intentionally access[ing] a computer without authorization.” The term “without authorization” means “without any permission at all.” AtPac, Inc., 730 F. Supp. 2d at 1179 (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009)). On this issue, the decision in State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009) is particularly instructive. There were two defendants in State Analysis: the first was alleged to have accessed the plaintiff’s website using usernames and passwords that did not belong to it and to which it had never been given lawful access, while the second was alleged to have misused the passwords with which it had been entrusted. The court allowed the CFAA claim to proceed against the first defendant, but granted the second defendant’s motion to dismiss, explicitly holding that while use of an unauthorized password to access password-protected content may constitute a CFAA violation, a mere allegation that a defendant “used the information [which it had been given lawful authority to access] in an inappropriate way” did not state a claim for relief.
Fidlar wrongly contends that authorized access becomes unauthorized if the user violates contractual or embedded limitations on the use of the data (i.e., saves the images rather than printing them out). This is not the law. . . .
The logic here is simple. By its terms, the CFAA only addresses access to electronically stored data as opposed to the use of that data. . . . [FN1]
[FN1] - The only Seventh Circuit decision LPS could find that touches on the definition of “authorized access” is International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006), but it is inapposite. In that case, the Court held that an employee’s authority to access his employer’s computers ceases when he decides to leave his job, go into competition against his employer, and abandon his duty of loyalty.
In short, LPS had authority to access Fidlar’s database of public records and Fidlar’s claim to the contrary is not plausible. LPS did not violate the CFAA merely by saving images of those public records instead of printing them. In fact, this conduct is not even a breach of Fidlar’s user agreement that a Laredo user must accept before accessing a county’s records through Laredo. A true and correct copy of a Fidlar user agreement is attached as Exhibit A, and the Court may consider it on a Rule 12(b)(6) motion because it is referenced in the complaint and Fidlar’s user agreement is central to Fidlar’s claim. . . . Nothing in the User Agreement prohibits any of the conduct alleged in the complaint. Thus, even if Fidlar attempted to rely on the User Agreement to argue that LPS lacked authorization to access the data in the manner that it did, it would still not violate the CFAA.
b. Fidlar does not allege damage or loss under the CFAA.
... 
Fidlar’s complaint does not even attempt to allege it suffered “damage.” Fidlar’s complaint only alleges that it became “aware of a strange usage pattern” related to LPS’s licenses, and as a result, “audited several LPS accounts to determine account activity.” Notably, Fidlar alleges that LPS’s conduct only “continues to threaten to overload those servers” and “continues to be able to disrupt Fidlar’s operations.” There is no allegation that LPS’s conduct actually caused Fidlar’s servers to crash, overload, or otherwise malfunction. Indeed, it is the lack of activity recorded on Fidlar’s servers that underlies its complaint. 
Thus, Fidlar may only maintain a civil action for CFAA violations if it suffered a “loss.” As the statutory definition makes clear, its claim for unpaid printing charges is not recoverable. Lost revenue and consequential damages are only losses if they were caused by an interruption in service. 18 U.S.C. §1030(e)(11).
The only allegations in Fidlar’s complaint that even approach the definition of loss relate to its investigation into LPS’s access. This investigation, however, was not into an interruption in service, destruction of data, or impairment of a program. Instead, it was an investigation into unpaid printing charges and unmonitored usage. The cost of this type of investigation does not meet the statutory definition of loss. 
The court has not yet ruled on LPS's motion to dismiss. There have been counterclaims, motions for temporary restraining orders, and issues related to discovery. If the MTD is denied (which seems likely), or granted before I get the next post up, I will pass that on immediately.

As stated above, I mentioned this case to Hanni Fakhoury, Staff Attorney at the Electronic Frontier Foundation. Here are his comments (emphasis added):
I read the complaint and the MTD portions re: the CFAA claim . . . sounds very much to me like Nosal (re: use v. access) and Facebook v. Power Ventures (https://www.eff.org/cases/facebook-v-power-ventures). 
I think the issue comes down to whether LPS violated a code-based restriction on access to that data or a contractual restriction, and the complaint and MTD don't really shed much light on that point (other than to claim it wasn't a violation of the contractual terms of service). Interesting case and a good find. It also provides an opportunity for the court to decide whether Citrin applies beyond the employment context.
Assuming that the End User Agreement (Exhibit A) is the only document governing the relationship between Fidlar and LPS, I can't see how this comes down to a contractual dispute in isolation (or if that guides the court's decision much, except to say that the contract is devoid of informative language). Therefore, I see this as being forced under the CFAA, which is why the case should be interesting to watch.

Last note (if you didn't read the complaint in its entirety) - The other causes of action in the complaint are a violation of the Illinois Computer Tampering Statute and common law trespass to chattels.

Thursday, May 2, 2013

Court overlooks "sloppiness" in GPS expert testimony; Others also address GPS and Jones issues

Many courts continue to deal with GPS and Jones in interesting ways. Here are some summaries from recent cases:

In United States v. Khan, No. CR-S-10-175 (E.D. Cal. 2013), the defendant argued that inconsistencies between a GPS log and a report of active surveillance from law enforcement created doubts about the accuracy of the evidence. The court found that the "drafting is incredibly sloppy but its sloppiness is not material." Even if the GPS tracking data had not been used, probable cause would have still existed.

In Pina v. Morris, No. 09-11800 (D. Mass. 2013), Pina brought an action under the Federal Civil Rights Act, arguing various rights violations. At trial, the definition of the word "search" was given as "a government intrusion upon 'a reasonable expectation of privacy.'" Pina had argued that a "'trespass' definition" under Jones was necessary to complete the definition, but the court disagreed. In the civil suit, the court found that Pina did not meet the standard for a new trial and that "it is difficult to see how it would have made any difference."

In State v. Lagrone, No. 49A05-1203-CR-135 (Ind. Ct. App. 2013), the officers had taken a package of marijuana from UPS, added a GPS device and parcel wire, and had the package delivered. They then followed the defendant to his home and forced entry into the home after the wire signaled that the package had been opened. Because the device was attached before it was in the defendant's possession, the tracking was only 10 minutes, and they were also visually surveilling him, Jones was distinguishable. Further, applying Jacobsen, the opening and repackaging of the package did not violate a privacy interest. Further, applying Knotts and Karo, the transmission of information did not violate the Fourth Amendment.

In United States v. $2,599.00 in US Currency, No. 7:11-CV-192-BR (E.D.N.C. 2013), the court held that the Supreme Court's decision in Jones "did not negate the long-held principle that an individual must show some subjective expectation of privacy in order to have a basis for challenging a search." The claimants were arguing that Jones gave them standing under its trespass theory because the person authorizing the search of a safe "did not have a key."

Wednesday, May 1, 2013

Forensic Fraud: Now Available on Daytime TV - A frank discussion about the admissibility of photo and video enhancement testimony


For years, Hollywood has perpetuated the myth of photo and video enhancement. According to Hollywood and its all-too-convenient plot points, a mere click of a computer’s “enhance button” transforms any grainy image into a clear, focused picture with perfect resolution (there also has to be a serious woman in glasses looking over the shoulder of the person operating the computer, shouting “enhance . . . enhance . . . enhance,” in order for this to work). In reality, this is fundamentally impossible. Hollywood ignores the fact that every photographic image is composed of pixels, and once a photo is enhanced to the point where it is fully pixelated, all that the viewer can see are the pixels. You can see nothing but blocks of color, and one certainly cannot see something that was completely undetectable to the naked eye. The majority of the scientific community has been in on the joke, even generating Internet memes ridiculing Hollywood’s scientifically inaccurate portrayal of video and photo enhancement. Unfortunately, American courts seem to be the only ones left out of the joke, frequently admitting video and photo enhancement evidence that is nothing more than forensic fraud.

If movies were scientifically accurate...

I recently came across this type of evidence in an unexpected place: the Jodi Arias trial; and my trip to the most widely-publicized trial in the country led me to reflect upon video enhancement testimony, slippery slopes, and forensic fraud.

For those of you who have jobs, families, or hobbies, Jodi Arias’s murder trial is the trial du jour for bored housewives and retirees.  Broadcast every weekday on Court TV for almost four months, the facts of the case are more tawdry than any romance novel lying at the bottom of the K-Mart bargain bin.  Essentially, Jodi Arias dated Travis Alexander on-and-off for a few years.  She was a good looking woman with a proclivity for stalking; he was an equally good looking man with a fatal attraction to crazy women. Sordid details about the couple’s sex life have become the thrust of the evidence at trial.  Their relationship ended unamicably when Arias stabbed Alexander twenty-nine times, slit his throat from ear to ear, and shot him in the chest three times.  Naturally, she claims the killing was self defense.

The trial is being held close to my hometown, and a friend invited me to ride with him to see it.  Not one to miss government-funded panem et circenses and never having attended a high-profile trial, I agreed.   Before I went to the trial, I had very little knowledge about the facts of the case.  Anything I did know about it, I had gleaned from reports on my local news channel.  But, after I arrived, the other attendees seemed more than excited to discuss the  “complex legal issues” of the trial with me.  In this situation, “complex legal issues” was a euphemism for Jodi Arias’s sex life, the great significance of a planned trip to Cancun in establishing a motive for the killing, and the prosecutor’s dashing good looks (personally, I do not see it).   I did not have high hopes for my day at the trial, and my fellow spectators seemed more interested in fist fighting, criticizing the public defender’s tie, and getting the prosecutor to autograph their walking canes than an intellectual discussion about the current state of our justice system.

In any event, my fellow attendees informed me that I had picked a bad day to come to the trial. We would only get to see one naked picture of the victim that day, and we would not likely learn any new, salacious details about the couple’s sex life. The judge had scheduled a Rule 702 hearing for most of the morning. My interest was piqued. At issue was an expert’s enhancement of this photo:

Before the killing, Arias and Alexander took numerous pictures of each other in compromising positions. This photograph had been the last one Arias snapped of Alexander alive; the killing occurred mere seconds after she took the picture. The defense sought to admit the testimony of a photographic enhancement expert, who, by his own account, was able to enhance the photograph in order to see a clear reflection of Arias in the victim’s eye. According to the expert, Arias was standing a few feet away from Alexander, holding the camera with both hands at the time the picture was taken; and he further asserted that he could state with scientific certainty that she was not holding either a gun or a knife. There was no evidence corroborating the reliability of the expert’s testimony or establishing a statistical rate of error. In other words, defense counsel failed to show that this evidence conformed to the strictures of Rule 702. Thus, for the purposes of a 702 analysis, it is a fact that this testimony was non-admissible pseudo-science.

The defense counsel thought this testimony was relevant to corroborate Arias’s theory of the case: that she had killed Alexander after she dropped his camera on the tile bathroom floor and he aggressively charged at her.

The “enhanced” eye reflection
The resulting image of Arias holding a camera.  Looks like the Stay Puft Marshmallow from Ghostbusters to me.

The prosecutor balked at the admission of this evidence. According to him, the enhancement evidence was “voodoo” and “fantastical.” It is quite clear that, given a strict application of Rule 702, this evidence should not be admitted. Without the expert’s drawing, do you clearly see a figure holding a camera? Can you rule out, as a matter of scientific certainty, that the figure is also holding a gun or a knife?

In the end, the expert’s testimony was not admitted.  After an hours-long, closed door hearing, the parties agreed to stipulate that Arias was not holding a gun or a knife when the picture was taken.  Evidentiary crisis averted.

Yes, this is where the CSI Effect has left the state of evidence in America’s courtrooms.  Based upon Hollywood plot-driven fiction, the American public, and thus the jury pool, has been convinced that any crime can be solved by a computer nerd and his trusty MacBook.  It seems that the imagination, and not Rule 702, is the only limit upon what is admitted into courts.  Experts are now “enhancing” the photographed reflection in people’s eyes.

Even if the evidence had been admitted at the Arias trial, the impact would be minimal. Arias admits to killing Alexander, and most of the evidence presented by defense counsel is aimed at mitigating the crime so that Arias escapes the electric chair. But, just because it would not cause a serious miscarriage of justice in this particular trial does not mean that it is a good omen. Unfortunately, the Arias trial may only be a harbinger of things to come. Whereas the evidence in Arias’s case was introduced to corroborate her self defense claim, there is a very dangerous flip-side to the CSI Effect: prosecutors armed with false or dubious “forensic” evidence using it to obtain slam dunk convictions. It is a story as old as time, or, at least, the CSI franchise. It is only a matter of time before prosecutors start hiring the Arias photo enhancement “expert” as well as others with even more dubious scientific chops. For example, it is an eventuality that prosecutors will seek to admit this expert to testify in child pornography cases, in order to identify the person who produced the contraband. The slippery slope of this type of evidence is scary, and the end result is not a good one. It will almost certainly result in innocent people serving jail time, as all non-scientific forensic testimony eventually does.

Mississippi dentist enhances video for body language with inaccuracy "less than ... Jesus"

Take, for example, the case of Leigh Stubbs and Tammi Vance in Lincoln County, Mississippi. After successfully completing a drug rehabilitation program, Stubbs and Vance decided to travel to Louisiana with their friend, Kim Williams. With Stubbs staying sober at the wheel, the women made pit stops at Williams’s boyfriend’s house for Oxycontin and various gas stations for beer. Unsurprisingly, the women did not make it to Louisiana according to schedule and got waylaid in Lincoln County, Mississippi. They decided to stay the night at the local Comfort Inn. The next day, Williams was completely unresponsive as a result of a drug overdose. Stubbs and Vance called the hotel front desk and performed CPR on Williams until paramedics arrived. When she arrived at the hospital, Williams was comatose and was suffering from various, odd injuries.

The district attorney decided to indict the women on four counts: (a) conspiracy to possess morphine; (b) grand larceny; (c) unlawful possession of morphine; and (d) aggravated assault. The only problem? He had no evidence supporting the charges; the alleged victim could not remember a thing. Undeterred, the district attorney called Michael West, a Mississippi dentist who moonlit as a forensic witness for the prosecution. Really, there were no limits to the types of forensic testimony that Michael West was willing to supply to Mississippi prosecutors; he was the Wal-Mart of witnesses: he would testify a little bit about everything, but the quality of the testimony was not particularly good. He routinely testified as a wound pattern expert, a trace metals expert, a gunshot residue expert, a gunshot reconstruction expert (he once performed a ballistics analysis by shooting dogs from the pound), a crime scene investigator, a blood spatter expert, a "tool mark" expert, a fingernail scratch expert, and an expert in "liquid splash patterns." Most famously, he testified as a bite-mark expert, where he would match bite-marks on skin to plaster dentitions. As for his error rate when engaging in this “forensic science”? He testified that it was “something less than my Lord Jesus Christ.” How about that for meeting your burden under Rule 702?

The testimony West presented at Stubbs’s and Vance’s criminal trial was nothing short of unbelievable. Of course, being Michael West, he claimed to have found a bitemark on the alleged victim’s hip. To the surprise of absolutely no one, he was able to “match” it to one of the defendants. But, he did not stop at bitemark testimony. He also claimed to “enhance” a surveillance video of the hotel’s parking lot, using his home computer and Photoshop. He testified that his abilities to “enhance” the video allowed him to view Stubbs and Vance as they engaged in inculpatory acts, namely, lifting Williams’s body from the in-bed toolbox of Stubbs’s truck and carrying it into the hotel room where she was discovered comatose and injured the following day. West then testified that using his enhancement software, he was able to determine that the figures entering and leaving the frame in the video were wearing different clothing (one wearing shorts, the other wearing blue jeans) and were two different women, thus incriminating both Stubbs and Vance.

West further claimed he could actually read the body language of one figure in the footage, that she appeared "anxious," and was exhibiting the sort of adrenaline-fueled "fight or flight" response one shows after committing a crime.

According to West, anyone with spare time and a home computer was qualified to be an expert witness in photo and video enhancement. “[Before,] I would have to send photographs off to the FBI . . . [and it would] cost us $20,000 to get them back and enhanced. Now you can sit at home, with your own computer, with $1000 software and do enhancements that used to only NASA could do . . . And that’s what we did in this case.”

Based entirely upon West’s testimony, Stubbs and Vance were convicted on all four counts and sentenced to forty-four years in the State penitentiary, the statutory maximum.

If you are thinking to yourself that West’s testimony smells fishier than a Long John Silver’s during Lent, that is because it is.  Almost a decade after Stubbs’s and Vance’s convictions, Stubbs’s father filed a Freedom of Information Act request with the FBI, inquiring as to whether the Agency processed any of the evidence in his daughter’s case. The FBI returned a report it prepared after analyzing the surveillance footage, a report that was prepared before Michael West was hired to “enhance” the surveillance video. The Agency's report found nothing incriminating in the footage. It repeatedly points out that the quality of the recording is insufficient to tell for certain how many people are depicted in the video, much less determine their identities or what sort of clothing they're wearing. The report also makes no mention of anyone moving a "body."

The District Attorney did not turn over the FBI report to the defense pursuant to his constitutional obligations under Brady.   After over ten years of incarceration, Stubbs’s and Vance’s convictions were overturned by the trial court of Lincoln County.  The Circuit Court of Lincoln County has scolded the State for knowingly soliciting and introducing false evidence.  When confronted with the fact that the FBI crime lab contradicted his video enhancement testimony, West attributed it to the fact that the FBI could not afford computers or Photoshop in order to reach his results. In a shameless move to save face, the Mississippi Attorney General’s Office has indicated that it intends to reprosecute the women based upon the original indictment, an indictment that was procured by presenting Dr. West’s bite mark and video enhancement testimony to the grand jury.

In the end, there are people like Michael West, who think that their 1999 Compaq Presario and copy of Photoshop make them qualified experts, carving out niche forensic analysis practices all over the country. Many trial judges are caught unawares about the limitations of video and photo enhancement. This evidence, which essentially amounts to forensic fraud, is admitted much more often than it is rejected. It seems, in the end, our societal fascination with CSI and like franchises has come at an extreme cost. We have compromised the integrity of our courts and sent innocent people to prison. And, it made last Monday a really boring day for housewives to attend the Arias trial.

[Editor's Note: The author is currently serving as a consultant for the Mississippi Innocence Project which is representing Leigh Stubbs.]