Monday, November 25, 2013

Video of Wisconsin Legislature (Committee on Judiciary and Labor) public hearing on AB462/SB367 criminalizing "revenge porn"

Skip to 4:06:50 to hear the short, non-controversial "public hearing" on the Wisconsin "revenge porn" bill. Notably, the representatives noted that the bill was drafted with input from Mary Ann Franks. I find that interesting, given that I called the bill overbroad and noted that it does not in fact follow the model statute proposed by Professor Franks. My post criticizing the bill is here: Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks

Video:
11.20.13 | Senate Committee on Judiciary and Labor
Agenda: On November 20, 2013, the Senate Committee on Judiciary and Labor held a public hearing at the state Capitol on the following items: Senate Bill 167, relating to actions for damages caused by wind energy systems; Senate Bill 367, relating to distributing a sexually explicit image without consent and providing a penalty.

**Skip to 4:06:50**

Must Read: Andrew Tutt, The New Speech; thought-provoking article about government's restriction of online speech, 1st Amendment implications

Andrew Tutt has an article up on SSRN about online speech entitled The New Speech, forthcoming in the Hastings Constitutional Law Quarterly. The abstract is below:
Could the government prevent Facebook from deleting an individual’s Facebook account without first following government-prescribed procedures? Intervene to require Google to conduct its search engine rankings in a certain manner, or subject Google to legal liability for wrongful termination or exclusion? Require social networks and search engines to prominently reveal the criteria by which their algorithms sort, order, rank, and delete content? Demand that some user information or data be deleted, withheld, made inalienable, non-transferable, ungatherable or uncollectable? Engage in detailed regulation of the intellectual property and privacy relationships that inhere between individual users and the platforms they engage? 
Each of these questions implicates the First Amendment, and as each question reveals, the same stresses that strained the institution of property when Charles Reich wrote The New Property in 1964 confront digital speech in 2014. The most important “speech” of the next century will be generated, intermediated, transformed, and translated by massive computers controlled by powerful institutions: petitions in front of the shopping mall replaced with “Likes” on Facebook and “Votes” on Reddit; sports leagues replaced by leagues of Counter-Strike and Call of Duty; broadcast and cable news replaced by interactive, algorithmically-generated, computer-curated granularly distributed news memes spread via blogs and aggregators.  
As more of the activities that were once exclusively the province of the physical world become the province of the digital, more of the issues that once confronted the distribution and allocation of rights in property will confront the distribution and allocation of rights in speech. While the great speech debates of the twentieth century were about the content of speech — that is, what one could say — the great speech debate of the twenty-first century will be about what counts as speech and whose speech counts. Will it be that of institutions and algorithms, or individuals and organic communities? 
These are questions courts are already confronting and they are getting the answers wrong. In contrast to scholars who by turns either deemphasize the transformative nature of the New Speech or argue that courts will have little impact on its growth, this Article argues that potentially critical judicial missteps are already occurring. Just as the needs of modern industrial society were delayed and often stymied by the judiciary of the early twentieth century, if we fail to consider the implications of the speech decisions courts make now, the needs of the modern information society may be delayed and stymied by the judiciary of the early twenty-first.
This Article is an effort to explore the ways in which speech platforms represent a new challenge to the First Amendment, one that will require it to bend if we are to prevent the Lochnerization of the Freedom of Speech. It ties together various threads — the power of automation, the centrality and power of Internet media platforms, the doctrines developing in the courts, the actual acts of censorship in which these platforms regularly engage, and the core purposes the First Amendment was designed to serve — to make a sustained argument that we must think seriously about restructuring and dejudicializing the First Amendment if we are to avoid seeing the First Amendment transformed into a powerful shield for the very sorts of censorship it was written to prevent.

Thursday, November 21, 2013

Second Circuit finds sentencing enhancement only applicable with proof defendant knowingly placed CP in shared folder

The Second Circuit recently held that a two-level enhancement for distribution of child pornography can only be applied if the defendant "knowingly plac[ed] child pornography files in a peer-to-peer sharing folder." United States v. Reed, No. 11-4820 (2d Cir. 2013).

Under Section 2G2.2(b)(3), the Sentencing Guidelines allow a five-level enhancement for distribution "for the receipt, or expectation of receipt, of a thing of value, but not for pecuniary gain." Otherwise, a two-level enhancement applies. Under Second Circuit law, however, a knowledge requirement exists:
[T]he defendant must know that depositing files into the folder will make the files available to others. Indeed, we observed that the record in Reingold made "plain that [defendant] . . . knew from the start that distribution was a necessary condition of receipt . . . and, with that knowledge, took deliberate and purposeful actions to effect that distribution."
Because the district court did not determine whether the defendant shared files knowingly, the Second Circuit vacated the sentence and remanded for further proceedings.
We acknowledge that there is evidence in the record that Reed was a sophisticated and long-time computer user. While these facts arguably could support an inference that Reed knew he was placing files in a peer-to-peer sharing folder, the district court did not make such a finding, as Reingold requires.

Tuesday, November 19, 2013

Pa. Supreme Court justice suggests in concurrence that mandatory minimum for repeat offenders should be evaluated

In Commonwealth v. Baker, No. 1 MAP 2012 (Pa. 2013), the Pennsylvania Supreme Court analyzed whether a 25-year minimum prison sentence is unconstitutional when applied to a defendant's second conviction for possession of child pornography. Finding it not to be grossly disproportionate, the court affirmed the conviction.

The defendant was first convicted for possession in 2001, and later in 2007, police received a tip from NCMEC that he had received images of child pornography.

In a concurring opinion, three justices agreed that the sentence is not unconstitutional, but they suggested that the state should apply a different standard than the one used to apply the Eighth Amendment. Instead, the "comparative punishment scheme" should apply.
In short, the overall legislative framework logically recognizes differences in levels of gravity as between sexually assaulting a child (most serious), the filming of such crimes (next most serious), and distributing or possessing the resulting child pornography (third most serious). The recidivist provision, however, draws no such distinctions, and treats the third most serious offense the same as the most serious one. An individual such as appellant, who is convicted of possessing child pornography for the second time, is mandated to serve at least five more years of prison time than the maximum term allowable for a first time child rapist.
By way of further comparison, second time violent offenses such as third degree murder, voluntary manslaughter, manslaughter of a law enforcement officer, third degree murder involving an unborn child, aggravated assault, terrorism, human trafficking, burglary, robbery, drug delivery resulting in death, arson and criminal solicitation to commit murder each carry mandatory minimum sentences of only ten years. 42 Pa.C.S. § 9714(a), (g). Under the legislative scheme, an individual such as appellant, who is convicted of possessing child pornography for the second time, but through no act of violence, is mandated to serve at least fifteen more years of prison time than the minimum term required for a second time violent offender. 
There appears to be a rational and carefully calibrated legislative scheme of offense gradation and punishment for first time sex offenders, which disappears when it comes to recidivist offenders. Even aside from potential constitutional concerns, I would invite the General Assembly to examine the issue.

Monday, November 18, 2013

Featured Paper: Siri, Can You Keep a Secret? A Balanced Approach to Fourth Amendment Principles and Location Data

Frank Lin, a 3L at the University of Oregon, has a new law review article out entitled "Siri, Can You Keep a Secret? A Balanced Approach to Fourth Amendment Principles and Location Data."

I asked him to comment on his motivation for the article and he responded as follows:
I was drawn to this topic because privacy is one of the most important issues facing the American public today and it is one that has recently come to the forefront of public policy discourse. The rapid development and accessibility of technology has allowed Americans to reach new levels of interconnectivity. The implication of this is that, whether intentional or not, more details about our lives are being shared with public and private actors. The application of Fourth Amendment protection in a world where our access to privacy is quickly evolving poses a challenge for courts and law enforcement, especially in the context of location data. To this end, I wanted to advocate for an approach that is easily applicable, and more importantly, one that balances legitimate government interests and privacy concerns of the People.
An excerpt from his introduction:
The Fourth Amendment to the United States Constitution provides the right for “people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Underlying this phrase are guiding principles that have deep roots reaching as far as the Roman Empire. For instance, Roman statesman Cicero stated, “[w]hat is more inviolable . . . than the house of a citizen[?] . . . This place of refuge is so sacred to all men, that to be dragged from thence is unlawful.” 
But how do historic principles apply to modern society? The Fourth Amendment traditionally protected papers located in homes or in luggage. Today, however, information is no longer constrained to fading parchment. Information and methods of communication have transcended into a digital era, where ideas and beliefs reside in computer systems in distant locations that are maintained by third parties. Thus, it is not always clear how the Fourth Amendment applies to the information age.

Some worry that law enforcement’s use of location data can pose an objective harm, as they fear that the government will subject the public to non-stop surveillance. Judge Flaum from the Seventh Circuit noted that “[t]he constitutional ill of prolonged or mass use of GPS technology would not necessarily be based on the information acquired by the device but on the fact of the government’s gaze.” 
The legality of law enforcement’s use of location data remains ambiguous in the absence of clear direction from either the judiciary or the legislature. Further, the majority of the existing scholarship on the subject remains unworkably vague and hostile toward the government’s use of location data to aid in the investigation and prosecution of crime. This Comment proposes a standard for government access to location data that is not only practical, but also one that balances the legitimate interests of law enforcement and the privacy concerns of citizens. 

Thursday, November 14, 2013

D.C.'s "ShotSpotter" gunshot detection system captures 39,000 gunshots in 8-year period

The District of Columbia installed "300 acoustic sensors across 20 square miles of the city" nearly a decade ago in a project called "ShotSpotter". The system has detected 39,000 gunshots in the system's eight-year history. According to the Washington Post,
ShotSpotter is also linked to a system of closed-circuit cameras, which police hope will capture the aftermath of shootings in real time. To guard against vandalism, officials do not publicize the sensors’ appearance or reveal their locations. 
ShotSpotter information is “not frequently used at trials” but has helped prosecutors establish the number or sequence of shots, the time of gunfire and whether more than one gun was fired, said William Miller, spokesman for the U.S. attorney’s office.
A zoom-able map is also available here from the Post.

Wednesday, November 13, 2013

Fed Ct: A cell phone is not a container (i.e. conventional wardrobe), but Narnia (the magical wardrobe); police need a warrant to enter the portal

[[ The case is United States v. Mayo, No. 2:13-CR-48 (D. Vt. Nov. 6, 2013) (the link here is to the order denying suppression; more on that below).

Defendant's Motion to Suppress
Government's Opposition to MTS
Def. Response to Gov't Opposition to MTS
Def. Post-Suppression Hearing Memo
Gov't Post-Suppression Hearing Memo
Def.'s Supplemental Filing re: the Katzin decision ]]

****
A Vermont Federal District Court, by rejecting the idea that cell phones are "containers" under the Fourth Amendment, took a noticeable step away from the judicial propensity to force today's technology into property-based notions of the Fourth Amendment (see, e.g., the constable in Jones) in a misguided attempt to address emerging technology. While law will never keep pace with technology's march onward, and at times we must rely on the open texture of the law (see H.L.A. Hart), it is always refreshing to see the judiciary recognize that strained reverse engineering of anachronistic precedent must yield when the prevailing analogy becomes unmoored from the underlying legal issue. The court held that warrantless searches of cell phones, incident to arrest or under the automobile exception to the Fourth Amendment, were unconstitutional.

The court recognized, in reaching its holding, that the amount of information a cell phone could contain is limitless, taking into consideration that cell phones can now access/store information in the cloud (vastly expanding their on-board/physical storage capabilities); that alone, the court noted, was sufficient to distinguish a cell phone from a container. The end result:
the Court chooses to adopt a bright-line rule here: cell phones properly seized pursuant to the search-incident-to-arrest exception or the automobile exception cannot be searched without a warrant. Case-by-case analysis is not appropriate in this context, and the Government has not demonstrated any reason that such a warrant requirement would be unduly burdensome.  As a result, the Court hereby holds that law enforcement must obtain a warrant before performing such searches in the future.

…the Fourth Amendment requires that law enforcement obtain a warrant before performing a forensic search of lawfully seized cell phones.
The court's reasoning (quoted at length because it is fascinating, both in a legal and literary sense):
The physical containers at issue in Robinson and Belton, and, indeed, even the cell phones in Finley, could not begin to approximate the amount of information that may be stored on a cell phone today. The Government states again and again in its briefings and at the hearings that the only difference between cell phones and conventional containers is that cell phones are “capable of storing large amounts of information.” Gov’t Post-Hr’g Mem. Mot. Suppress 13. The Government posits that this capability does not justify any differentiation between cell phones and traditional containers, but, in the Court’s view, this is precisely the factor that makes all the difference. The container analogy fundamentally fails to address the magnitude of modern cell phone storage capacity. Furthermore, it fails to consider the fact that many modern smartphones can access the Internet, opening up limitless additional storage. Because of these capabilities, modern cell phones can no longer fit comfortably within the Supreme Court’s original conception of a “container.” ...
Several courts have recognized the storage capacity of modern cell phones as a basis for refusing to permit a warrantless search.  Most notably, the First Circuit recently determined that the search-incident-to-arrest doctrine “does not authorize the warrantless search of data on a cell phone seized from an arrestee’s person.” Wurie, 728 F.3d at 13. A significant concern underlying the First Circuit’s decision was the amount of information that would be accessible via a cell phone search. Id. at 9 (noting that individuals today “store much more personal information on their cell phones than could ever fit in a wallet, address book, briefcase, or any of the other traditional containers that the government has invoked”); see also Park, 2007 WL 1521573, at *9 (suppressing evidence from a warrantless search of defendant’s cell phone and analogizing modern cell phones to computers); State v. Smith, 920 N.E.2d 949, 954 (Ohio 2009) (“Even the more basic models of modern cell phones are capable of storing a wealth of digitized information wholly unlike any physical object found within a closed container. We thus hold that a cell phone is not a closed container for purposes of a Fourth Amendment analysis.”). 
The Government, in its continued attempt to downplay the quantity of information available on a cell phone, argues that the amount of data available should not matter because exceptions to the warrant requirement have been applied to large vehicles and motor homes. Gov’t Post-Hr’g Mem. 13 (citing California v. Carney, 471 U.S. 386, 388-89 (1985) (applying the automobile exception to a motor home); United States v. Gagnon, 373 F.3d 230, 240 (2d Cir. 2004) (tractor-trailer); United States v. Cruz, 834 F.2d 47 (2d Cir. 1987) (tractor-trailer truck)). This analogy demonstrates the Government’s misconstruction of the problem: the issue is not how large the container is, but that in the context of cell phones there is no limit to what the purported “container” may contain. See Schlossberg v. Solesbee, 844 F. Supp. 2d 1165, 1169 (D. Or. 2012) (finding that warrantless search of a digital camera violated the Fourth Amendment in part because “the storage capability of an electronic device is not limited by physical size as a container is”). Because modern cell phones can connect to the Internet, their storage capacity is nearly infinite. A tractor-trailer may be much larger than a sedan, but it still has tangible confines. A cell phone, by contrast, has no defined boundaries. Thus, allowing warrantless searches of cell phones pursuant to the search-incident-to-arrest exception would provide law enforcement with a giant exception to the warrant requirement without any limiting principles. 
Consider, for purposes of illustration, C.S. Lewis’s famous wardrobe. See C.S. Lewis, The Lion, the Witch, and the Wardrobe (1950). There is no question that the search-incident-to-arrest doctrine extends to a conventional wardrobe (in the unlikely event that one is found in a vehicle or on an arrestee). While this would be a search much more intrusive than Robinson’s cigarette pack, it still fits within the container doctrine because it has easily discernible limits: the container is large, but it is contained. Contrast this with the eponymous cabinetry in The Lion, the Witch, and the Wardrobe. Because the magical wardrobe is also a container, the Government would argue that it also fits within Robinson and Belton. However, this particular wardrobe also serves a second function. It opens up to another world, and because of this, it ceases to be merely a container—it is also a portal. Today’s cell phones, with their capacity to reach the Internet, the cloud, and to store millions of documents and photographs, can no longer analogize to a run-of-the-mill wardrobe. Instead, they are also a portal: a portal to the vast cosmos of the Internet. ... If the container rule were to apply to such a portal, a container search of Lewis’s wardrobe would extend to all of Narnia. But where a physical object is a portal to another world, there is a critical difference between a search of the object and a search of the worlds “contained” within the object.
Thus, it is simply inappropriate to analogize cell phones to cigarette packs, purses, and address books; the more apt comparison is to computers. . . . Courts have consistently found analogies between computers and conventional containers to be problematic. For example, the Tenth Circuit found that “analogies to closed containers or file cabinets may lead courts to ‘oversimplify a complex area of Fourth Amendment doctrines and ignore the realities of massive modern computer storage.’” United States v. Carey, 172 F.3d 1268, 1275 (10th Cir. 1999) (quoting Raphael Winick, Searches and Seizures of Computers and Computer Data, 8 Harv. J.L. & Tech. 75, 104 (1994))(further citations omitted). 
The Government alternately seeks to justify the warrantless cell phone search as a container search under the automobile exception (as distinct from the vehicular prong of the search-incident-to-arrest doctrine). Gov’t Opp’n 7–8. However, the container rule under the automobile exception does not compel a different conclusion. The automobile exception allows law enforcement to search a vehicle and its contents that may conceal the objects of a search without a warrant so long as there is probable cause. Wyoming v. Houghton, 526 U.S. 295, 301 (1999) (quoting Ross, 456 U.S. at 823) (finding that the automobile exception “justifies the search of every part of the vehicle and its contents that may conceal the object of the search”). Several district courts have found that this exception extends to the warrantless search of a cell phone found in a vehicle searched with probable cause, so long as there is probable cause to believe the phone contained evidence of a crime. (citations omitted)
These courts, like the courts in the search-incident-to-arrest context, all found that the searches were constitutional by analogizing cell phone searches to container searches. (citations omitted). Because the Court finds that this container analogy is no longer workable, the automobile exception does not require a different analysis. Instead, cell phones seized pursuant to the automobile exception, like those under the search-incident-to-arrest doctrine, are also properly analogized to computers, not containers.
Not only have cell phones outgrown the original conception of a conventional container under the search-incident-to-arrest and automobile exceptions, but warrantless cell phone searches also can no longer be justified by the rationales underlying these exceptions. In Wurie, the First Circuit found that the Government could not demonstrate that warrantless cell phone searches are “ever necessary to protect arresting officers or preserve destructible evidence.” Wurie, 728 F.3d at 13 (citing Chimel, 395 U.S. at 763).

Wurie’s concern with “general evidence-gathering” is plainly applicable to this case. The search of Mayo’s cell phones was very invasive and performed without any limitations on law enforcement. Furthermore, it was not justified by the rationales underlying the search-incident-to-arrest and automobile exception doctrines. In fact, the Government has not demonstrated that such intrusive warrantless searches are ever necessary absent exigent circumstances. The search-incident-to-arrest exception “derives from interests in officer safety and evidence preservation.” Gant, 556 U.S. at 338 (citing Robinson, 414 U.S. at 230–234; Chimel, 395 U.S. at 763). Similarly, the automobile exception is rooted in the need to preserve evidence. See Ross, 456 U.S. at 806-07 (noting that in the automobile context, “immediate intrusion is necessary if police officers are to secure . . . illicit substance[s]”). Obviously, officer safety considerations are not implicated here. However, the Government has not demonstrated that such searches are necessary for evidence preservation either.
In the past, courts have allowed warrantless cell phone searches because they found it necessary to allow police officers to search a cell phone based on the need to preserve evidence. (citations omitted). However, once law enforcement has seized and secured a cell phone, the risks regarding evidence preservation diminish. While courts have voiced concerns about the danger that internal data could be remotely erased, see Flores-Lopez, 670 F.3d at 807-08, there are simple methods available to protect a seized cell phone from remote modification. For example, in Vermont, it is state law enforcement’s practice to turn seized smartphones to “airplane” mode to disconnect them from outside interference, or to place them in a device that protects the phone from outside disruption. Suppression Hr’g Tr. 11:25-12:6, 13:14-20, Sept. 30, 2013. Thus, the Government has not shown that evidence preservation considerations justify the warrantless search of a seized cell phone.
Moreover, the Government has not demonstrated that it would be an undue hardship for federal law enforcement to obtain a warrant before performing forensic analysis on a cell phone. Indeed, this is already standard operating procedure for Vermont state law enforcement.  
…Thus, the Court finds that Mayo’s Fourth Amendment rights were violated when law enforcement searched his phone without a warrant.
For those who read the foregoing language as a slam dunk, I suggest you hold your applause. While the court announced a prophylactic rule for the future, the defendant here was torpedoed by the Good Faith Exception (despite an admirable attempt to avail himself of the recently published Katzin opinion from the Third Circuit - see more Cybercrime Review posts, here: Katzin Coverage). The court's reasoning on the Good Faith argument:
... the Third Circuit declined to apply the good faith exception where police relied on out-of-circuit precedent. Katzin, 2013 WL 5716367, at *16-17. Mayo cites Katzin to argue that the good faith exception should not apply in this case because there is no on-point authority from the Supreme Court or the Second Circuit.
In Katzin, however, there was a significant circuit split on the issue in question. . . . Thus, law enforcement would not have been able to reasonably rely on out-of-circuit precedent, as there was no consensus. In other words, the law could easily be characterized as the type of “unsettled” law contemplated by Justice Sotomayor’s concurrence. In this case, by contrast, there was no circuit split as of March 2013; all of the circuits to address the issue had permitted such searches. While there was no binding Second Circuit authority, law enforcement acted reasonably in reliance on a general out-of-circuit consensus. Because Katzin is distinguishable from this case, the Court finds that application of the good faith exception remains appropriate.
I questioned this type of argument in a previous post (see here: OH App Ct: Warrantless GPS tracking OK despite no precedent; My take on the "good" left in the good faith exception), so I won't belabor the point further, except to say that I take issue with out-of-circuit precedent providing sufficient "cover" to allow Fourth Amendment protections (or, if you please, Fourth Amendment restrictions on permissible law enforcement methods) to rise or fall with assurances that law enforcement understood existing non-precedential law and decided to act based on such notions instead of shooting from the hip.

Again, stripped of all of the rhetoric, I find this opinion important because it advances a conception of technology I have repeatedly argued for - one that sheds physical analogies that are ill suited to cyberspace and analogies which, standing alone, call for further judicial acknowledgment, or legislative action to ameliorate the growing distance between law and technology.

Tuesday, November 12, 2013

District Court: NCMEC violated 4th Amendment by opening image obtained after AOL matched hash values

In United States v. Keith, No. 11-10294 (D. Mass. 2013), the court held that after AOL submitted to the National Center for Missing and Exploited Children (NCMEC) an image possibly containing child pornography, NCMEC violated the Fourth Amendment by opening the image.

AOL maintains a database of hash values of images that have been classified by AOL employees as child pornography. When employees are alerted that an image matches hash values in the database, a report is filed with NCMEC. No AOL employee opens the image to verify it contains child pornography before the report is filed. A NCMEC employee then opens the image, verifies that it meets the federal definition of child pornography, and gets in touch with local law enforcement to pass on the evidence.

Here, a suspect image was sent through AOL, a report was filed, and NCMEC contacted Massachusetts police. Several months later, the defendant took his computer to Staples for repair, and employees notified New Hampshire police that child pornography was found on the laptop. The New Hampshire police shared the information with Massachusetts police, and relying on the NCMEC evidence and police report from New Hampshire police, a search warrant was obtained and executed. Now charged with distribution and possession of child pornography, the defendant seeks to suppress the evidence.

The district court first decided that the hash value matching conducted by AOL did not make AOL a government agent because AOL was conducting the search for its own purposes. NCMEC, by contrast, did act as a government agent through its "partnership ... with the government," and in examining the contents of the image, it violated the Fourth Amendment. AOL's matching the hash values did "not convey any information about the contents of the file." The viewing of the file by NCMEC "was not authorized by a duly issued warrant."

However, the court continued, holding that probable cause existed for the search purely as a result of the New Hampshire police report regarding the child pornography found by Staples. The court also held that NCMEC and law enforcement were acting in good faith, and as such, "the exclusionary rule should not be applied to suppress the fruits of the search."

Monday, November 11, 2013

State Senator Jeff Brandes introduces bill to amend Florida's Computer Crimes Act

On November 5th, Florida State Senator Jeff Brandes (R-Dist. 22) introduced legislation that would amend Florida’s Computer Crimes Act (Fla. Stat. § 815.01–07) (the "FCCA"). While only just introduced and likely subject to further amendments, the Bill (SB 364) provides a few noteworthy changes to the state's current computer crimes statute.

I was able to speak with Senator Brandes about the substance of his Bill and his decision to amend the FCCA. Senator Brandes started looking into the effectiveness of Florida’s computer crimes law after hearing a recent story out of Texas. Back in August, a Texas native, Marc Gilbert, was startled to find a stranger screaming expletives to his 2-year-old daughter through the family’s internet-connected baby monitor. It was later discovered that Gilbert's baby monitor had been hacked, allowing a stranger to take over the device (great coverage of this story can be found by Forbes’ Kashmir Hill here and here). After hearing of Gilbert's story, Senator Brandes wondered whether Florida’s laws would have effectively addressed such activity, and if not, what would be needed to do so. Those questions, and the many discussions that would follow, eventually led to the introduction of Florida Senate Bill 364.

According to Senator Brandes, Florida’s Computer Crimes Act has not been substantially amended in about ten years. This Bill, in turn, proposes a number of amendments intended to "update" the FCCA in order to more effectively respond to our evolving technological environment. When discussing the Bill, Senator Brandes stated that (in addition to deterring would-be baby monitor hackers) he wanted to specifically address the unauthorized access of medical devices and public utilities. “We thought these were two areas that needed to be raised to a higher standard,” Senator Brandes stated. The Bill's language, including the addition of an entirely new section specific to the unauthorized access of public utility computer systems, reflects the Senator’s objectives.

So what, specifically, has Senator Brandes proposed? Here are a few highlights of the Bill’s current language.

Definitions

In addition to rewording the FCCA’s definition of “computer network” (§ 815.03(4)), the Bill would also add a new definition: “electronic device.” Under the current language of the Bill, “electronic device” is defined as
“a device that is capable of communicating across a computer network with other computers or devices for the purpose of transmitting, receiving, or storing data.”
The Bill would also include definitions specific to § 815.06, “Offenses against computer users” (amended to be titled “Offenses against users of computer networks and electronic devices”). In what seems to be an effort to improve clarity, the section’s use of the term “person” would now specifically include
(a) “an individual,”

(b) “A partnership, corporation, association, or other entity doing business in this state, or an officer, agent, or employee of such an entity;” or

(c) “An officer, employee, or agent of the state or a county, municipality, special district, or other political subdivision whether executive, judicial, or legislative, including, but not limited to, a department, division, bureau, commission, authority, district, or agency thereof.”
Computer Crimes

The newly defined “electronic device” would then be incorporated into many of the Act’s substantive criminal offenses, including the FCCA’s “offenses against intellectual property” (specifically added in § 815.04(1), (2)) and “offenses against computer users” (specifically added in § 815.06(2)(a), (c), (d), and (e)). So, for example, a person who willfully, knowingly, and without authorization, accesses an electronic device with knowledge that such access is unauthorized, would violate the proposed § 815.06(2)(a).

In addition, § 815.06 would be expanded to include a number of additional offenses. One small change would be the additional language in § 815.06(2)(b). The current language of the statute compared to the Bill’s amended language highlights the subtle (yet possibly significant) proposal:
(2) A person commits an offense against users of computer networks or electronic devices if he willfully, knowingly, and without authorization: 


CURRENT LANGUAGE: (b) Disrupts or denies or causes the denial of computer system services to an authorized user of such computer system services, which, in whole or part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another; 

AMENDED LANGUAGE: (b) Disrupts or denies or causes the denial of the ability to transmit data computer system services to or from an authorized user of such computer system or computer network services, which, in whole or in part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another;
A much more substantive addition is the Bill's new § 815.06(2)(f), which would now criminalize unauthorized audio or video surveillance. Specifically, the Bill would amend the FCCA to now read:
(2) A person commits an offense against users of computer networks or electronic devices if he willfully, knowingly, and without authorization:
. . .
(f) Engages in audio or video surveillance of an individual without that individual's knowledge by accessing any inherent feature or component of a computer, computer system, computer network, or electronic device, including accessing the data or information of a computer, computer system, computer network, or electronic device that is stored by a third party.
The offense would, however, provide an exception for individuals acting "pursuant to a search warrant," under "an exception to a search warrant authorized by law," or "within the scope of his or her lawful employment." 

Offense against “Public Utilities”

Another major proposal is the addition of an entirely new offense: “Offenses against public utilities.” The new section, § 815.061, would borrow the definition of “public utilities” currently found in § 366.02(1):
“Public utility” means every person, corporation, partnership, association, or other legal entity and their lessees, trustees, or receivers supplying electricity or gas (natural, manufactured, or similar gaseous substance) to or for the public within this state; but the term “public utility” does not include either a cooperative now or hereafter organized and existing under the Rural Electric Cooperative Law of the state; a municipality or any agency thereof; any dependent or independent special natural gas district; any natural gas transmission pipeline company making only sales or transportation delivery of natural gas at wholesale and to direct industrial consumers; any entity selling or arranging for sales of natural gas which neither owns nor operates natural gas transmission or distribution facilities within the state; or a person supplying liquefied petroleum gas, in either liquid or gaseous form, irrespective of the method of distribution or delivery, or owning or operating facilities beyond the outlet of a meter through which natural gas is supplied for compression and delivery into motor vehicle fuel tanks or other transportation containers, unless such person also supplies electricity or manufactured or natural gas. 
Specifically, the new § 815.061 would include the following offenses and penalties:
(2) A person may not willfully, knowingly, and without authorization:

(a) Gain access to a computer, computer system, computer network, or electronic device owned, operated, or used by a public utility while knowing that such access is unauthorized.

(b) Physically tamper with, insert software into, or otherwise transmit commands or electronic communications to a computer, computer system, computer network, or electronic device which cause a disruption in any service delivered by a public utility.

(3)(a) A person who violates paragraph (2)(a) commits a felony of the third degree, punishable as provided in § 775.082, § 775.083, or § 775.084.

(b) A person who violates paragraph (2)(b) commits a felony of the second degree, punishable as provided in § 775.082, § 775.083, or § 775.084.
Penalties

The Bill would also add to the current penalties under the FCCA. The Bill would make it a second degree felony for any individual who violates § 815.06(2), and his or her actions
“intentionally interrupt[] the transmittal of data to or from, or gains unauthorized access to, a computer, computer system, computer network, or electronic device belonging to any mode of public or private transit, as defined in § 341.031.”
Additionally, the Bill would make it a first degree felony for any individual who violates § 815.06(2), and his or her actions
“disrupt[] a computer, computer system, computer network, or electronic device that affects medical equipment used in the direct administration of medical care or treatment to a person.”  
Conclusion

Overall, these amendments would provide some significant changes to Florida's Computer Crimes Act. As I stated, this Bill is still in its infancy and will likely be subject to numerous changes as it makes its way through the Florida Legislature (or as Senator Brandes put it, the Bill is still likely to be "heavily vetted").

I'll be interested to see the reaction of those in the computer crimes field once they have an opportunity to read Senator Brandes' proposal. With much of the cybersecurity debate focusing on critical infrastructure protection, specific criminal statutes that prohibit the unauthorized access of public utilities' computer systems might become a popular addition to many state computer crime statutes. Some states already have specific references to public and private utilities in their computer crime statutes (for example West Virginia Code § 61-3C-14 and Illinois 720 ILCS 5/17-52). However, Senator Brandes' proposal seemed to be much more in-depth, and that's just the "public utilities" addition. The specification of "electronic devices," the heightened penalties for tampering with medical devices, and the language in the proposed "unauthorized audio or video surveillance" crime are all proposals that I'm definitely keeping an eye on.



Author's Note: I would like to thank Florida State Senator Jeff Brandes for taking the time to speak with me about Florida Senate Bill 364. I have no doubt that the Senator's time is precious, so for him to take the time that he did to humor a cybercrime law nerd like myself was much appreciated.  Thank you, Senator.

Saturday, November 9, 2013

Case files (briefs + argument) for two key cases before Mass. Sup. Ct.: forced decryption (5th Amendment) and cell site location

The Massachusetts Supreme Judicial Court has two cases before it to keep an eye on. Summaries from the court, briefs, and links to oral argument are below.

SJC-11358
Commonwealth v. Gelfgatt
Criminal; Self-incrimination-- Whether the Commonwealth's request in a criminal case for a court order compelling the defendant to enter his encryption key to access information on a computer seized by the Commonwealth violates the defendant's rights against self-incrimination.

Appellant Commonwealth Brief
Appellee Gelfgatt Brief
Appellant Commonwealth Reply Brief
ACLU Foundation Brief
Amicus Criminal Defense Lawyers Brief
Amicus Criminal Defense Laywes Brief [sic] (In support and joined by NACDL)
Amicus FL Dept Of Law Enforcement Brief
Amicus Opderbeck Brief

Notable events:
11/05/2013 --- Oral argument held. (Ireland, C.J., Spina, J., Cordy, J., Botsford, J., Gants, J., Duffly, J., Lenk, J.).

Oral Argument Video

SJC-11482
Commonwealth v. Augustine
Search and Seizure-- In a murder prosecution, the Commonwealth is appealing a Superior Court judge's order allowing the defendant's motion to suppress historic cell site location information relating to the defendant's cellular phone number; the District Attorney's Office obtained the information in connection with a murder investigation without a search warrant by means of a judicial order pursuant to a federal statute.

Notable events:
10/10/2013 --- Oral argument held. (Ireland, C.J., Spina, J., Cordy, J., Botsford, J., Gants, J., Duffly, J., Lenk, J.).

Oral Argument Video

10/24/2013 --- #18 ORDER (By the Court): Before the court in this case is the Commonwealth's appeal pursuant to G. L. c. 278, § 28E, and Mass. R. Crim. P. 15(a)(2), from a decision of a Superior Court judge granting the defendant's motion to suppress evidence, including records that would show [the] defendant's location at a particular time, obtained pursuant to a warrantless search and seizure of cell phone records pertaining to a telephone number that, it appears, was used exclusively by the defendant. It is not disputed that some or all of the evidence in question -- referred to as cell site location information (CSLI) -- was obtained by the Commonwealth from Sprint Spectrum, an electronic communications service provider, pursuant to a Superior Court order issued pursuant to 18 U.S.C. § 2703(d) (§ 2703(d) order). The defendant has been provided with a copy of the CSLI that is at issue, but no copy was included in the motion record before the Superior Court and no copy has been included in the record on appeal. This case was argued before this court on October 10, 2013. The court is of the view that the CSLI obtained pursuant to the § 2703(d) order that is the subject of the defendant's motion to suppress may assist the court in its understanding and consideration of the issues raised in the Commonwealth's appeal. The court hereby directs the single justice to hold a hearing on the question whether the appellate record should be expanded to include the CSLI evidence, and if so, what conditions may be appropriate to adopt with respect to such an expansion. The single justice will provide the full court with a recommendation concerning what, if any, order should issue. Counsel is to confer with the Clerk of this court to schedule the hearing.

Thursday, November 7, 2013

Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks

The Wisconsin legislature recently proposed a "revenge porn" bill (Assembly Bill 462, full text here: https://docs.legis.wisconsin.gov/2013/related/proposals/ab462.pdf). While I applaud the Wisconsin legislature for addressing an issue that has garnered national attention, I interpret the current proposal (unless I am missing something, and I encourage you to prove me wrong), to criminalize a whole host of conduct having nothing to do with revenge porn. (Of course, if the proposed bill ends up becoming law, the text introduced here may vanish in the final Act; that said, I was still quite surprised that such ambiguous and broad language was proposed in the first instance).

Here is the relevant text:
942.09 (3m) (a) Whoever, without the consent of the person represented,
reproduces, distributes, exhibits, publishes, transmits, or otherwise disseminates a
representation of a nude or partially nude person or of a person engaging in sexually
explicit conduct is guilty of a Class A misdemeanor. The consent of the person
represented to the capture of the representation or to the possession of the
representation by the actor is not a defense to a violation of this subsection. 
…(various non-controversial exceptions) 
(c) This subsection does not apply if the person represented consented to the
reproduction, distribution, exhibition, publication, transmission, or other
dissemination of the representation for commercial purposes.
This language, to me, omits key words in the model state statute Professor Franks proposes and, by doing so, is overbroad. My reasoning (with hypotheticals calling the language into question):
(1) I think the obvious flaw is omission of a scienter requirement (particularly “intentionally”). If I take a nude photo of my girlfriend with her consent, but accidentally email it to my friend instead of a photo of a wet kitten, I violate this statute. 
(2) The more interesting flaw (and one that implicates the 1st Amendment, perhaps), is that it might criminalize merely emailing any non-commercial pornographic picture. So, if I spend my nights surfing porn and emailing the best photos I find to my friends, but I cannot prove that I had the consent of the person represented to send that image, am I committing a crime? And, moreover, how does one know if they can be saved by subsection (c) — i.e. how does one determine if a pornographic photo was consented to for commercial purposes? (Most images lack any identifying origin). Amateur pornography (and nude self-expression/artistic work) may not be commercial in nature; so, if my neighbor is a free spirit and loves to mail me artistic nude photos taken consensually by her friend, am I committing a crime if I photocopy the picture (reproduce it) for my own personal use (without her consent)? 
(3) Also, I saw an amendment to the bill proposing that “fine art” be exempt from the statute. This makes sense because as the language stands, displaying nude paintings of anyone without their consent runs afoul of the existing language. But, even exempting fine art, if I create a pencil sketch of a female nude model (arguably a representation of her without a statutory definition of “representation”) and show it at an art exhibit without her consent, is that a violation? (this example supposes, correctly, that no one would consider my sketches (or paintings) as “fine art”). The hypo is equally applicable to a photo I suppose. 
(4) One last set (these are less about Wisconsin’s statute and more about the enforcement of any such "revenge porn" statute). What if the nude person in the representation is now dead? If my girlfriend dies in a car accident with her secret lover and, to get back at her for the infidelity, I post all of our intimate photos online, is that a crime? (I think I lean towards yes, but how does one prove she did not consent?) Alternatively, if my grandmother leaves me a nude photo of her in her will and I post it to my Facebook page, crime? (My grandmother's consent is impossible to prove; however, can my grandfather's abhorrence at my conduct serve as the predicate for a violation of the Wisconsin statute?).
Do not take my criticism of the Wisconsin proposal as a condemnation of statutes like this. But, criminalizing any conduct requires a statute narrowly drafted to achieve the overarching goal without: (1) criminalizing conduct not contemplated by the legislature (see, e.g., the CFAA); (2) infringing on protected First Amendment rights; and (3) punishing conduct that misses the "revenge" part of "revenge porn."

The last point is worth elaborating on. "Revenge" is defined in a variety of ways depending on the context (see, e.g., the Free Dictionary). But, the substance of the word "revenge" is not hard to discern when it is used as a weapon against another; for example, "revenge, reprisal, retribution, [and] vengeance suggest a punishment or injury inflicted in return for one received. [R]evenge is the carrying out of a bitter desire to injure another for a wrong done to oneself or to those who are close to oneself: to plot revenge for a friend's betrayal." Id. Legislatures took notice of "revenge porn" after tragic events and horrific stories popped up on the internet about individuals (often female) being tormented by ex-lovers wishing to exact punishment for real or perceived harm. The nationwide legislative focus on this sociological phenomenon is, to be sure, quite encouraging.

However, Wisconsin's current proposal reinforces the well-founded fear of many (including organizations like the EFF and ACLU) that statutes intended to cure "revenge porn," without careful drafting, might overreach and infringe on First Amendment rights. My overarching fear is that legislative bodies will get lost in the morality of pornography (or personal conceptions of permissible social interactions), instead of focusing on the "easy win" a narrow statute intended to prevent revenge porn's abhorrent invasion of privacy might provide.

Additionally, notwithstanding the considerations above, it cannot be ignored that a digital photograph published to the internet exists long after the subject of the photo is gone. Digital photos can be cached, preserved as screenshots, or archived by third-party sites like the Wayback Machine. Part of the "revenge" inherent in revenge porn is that the person possessing the nude/pornographic picture is well aware of the above considerations and ignores them as part of the intent to exact revenge.

That said, I must admit that I disagree with the California revenge porn statute; I do not understand requiring something more than "intent" (i.e., an intent to harm as the CA statute reads) to criminalize "revenge porn." While the mens rea for revenge porn might persist as a point of contention, my take is that: an intent to harm requirement is unnecessarily restrictive; but, at the other end of the spectrum, no scienter requirement (as is the case in Wisconsin AB462) is impermissibly overbroad (see supra).

I don't have all the answers, but my suggestion is that the Wisconsin Legislature look to the wording Professor Franks has proposed as a method to revise the current proposal.

EFF files amicus brief in Massachusetts forced decryption case

The Electronic Frontier Foundation recently filed an amicus brief in a Massachusetts case on appeal concerning whether a court can force a defendant to decrypt a computer.

Here's an excerpt from the press release:
Leon Gelfgatt was charged with forgery and the government, with a search warrant, seized a number of his electronic devices. Law enforcement couldn't break the encryption that protected the devices, so it went to court, asking a judge to order Gelfgatt to decrypt the devices for them. The Fifth Amendment protects a person from being forced to testify against themselves and so the government promised not to look at the encryption key—the "testimony" in their eyes—but nonetheless wanted the ability to use the unencrypted data against Gelfgatt. The judge denied the government's request, ruling that forcing Gelfgatt to decrypt the devices would violate the Fifth Amendment.
The government appealed that decision and the case is now before the Massachusetts Supreme Judicial Court, where we filed an amicus brief with the ACLU and the ACLU of Massachusetts.
Read the EFF's amicus brief for Commonwealth v. Gelfgatt here.

To read other Cybercrime Review posts on forced data decryption, view our encryption label.

Wednesday, November 6, 2013

OH App Ct: Warrantless GPS tracking OK despite no precedent; My take on the "good" left in the good faith exception

In State v. Johnson, 2013-Ohio-4865 (App. Ct. Nov. 4, 2013), the Twelfth Appellate District of Ohio upheld the warrantless GPS tracking (pre-Jones) of a defendant's vehicle by construing the Davis good faith exception widely. The court held that the absence of binding appellate precedent in Ohio authorizing warrantless GPS tracking was not outcome determinative; cases construing Davis narrowly typically hold the exact opposite (under the theory that there is no rational basis for good faith without primary law backing up the actions of law enforcement, even if the legal basis for the good faith is later overturned).

Instead, to determine if the good faith exception applied, the court analyzed the state of GPS tracking law at the time the tracker was placed (the court noted there wasn't much law except the antiquated beeper cases - Knotts and Karo, plus non-binding, but jurisdictionally related 7th Circuit precedent), as well as statements by law enforcement indicating common practices and understandings regarding the use of such technology. The court noted that by analyzing Davis this way, it was adopting a case-by-case, factual approach (which isn't novel - other courts have also tackled the issue similarly).

After addressing the facts of the case and surveying the law (or lack thereof) in Ohio at the time, the court found that the good faith exception still applied because the Sheriff's office had not "acted with a 'deliberate,' 'reckless,' or 'grossly negligent' disregard for [the defendant's] Fourth Amendment rights." The quoted language, which the court applies in a totality of the circumstances/balancing approach, is taken directly from the Davis opinion (however the Supreme Court never adopted this standard, so its use here is somewhat tenuous).

As Orin Kerr noted after the recent Katzin decision, courts faced with pre-Jones GPS tracking will continue to disagree about the scope of the good faith exception; most notably when no binding appellate precedent exists. I, like Orin, am no fan of the good faith exception but I can swallow opinions upholding warrantless GPS tracking when appellate precedent exists. There is a convincing argument for this view because law enforcement isn't charged with mentally adjudicating constitutional issues before proceeding with tactics to catch criminals that have authorization in the jurisdiction.

However, a wide view of Davis (that does not turn on binding precedent) negates, to some degree, the force of the Fourth Amendment; namely, that fundamental protections of the Constitution can be subverted if:
(1) we assume (irrationally, I believe) that law enforcement has extrapolated 1980's beeper cases to new technology before using it (as this opinion does);
(2) courts accept the argument that good faith can be based on anecdotal evidence (i.e., the officer's "belief that a warrant was unnecessary was not unfounded given the legal landscape that existed at the time the GPS device"; the court reaches this conclusion from the officer's testimony that "it was kind of common knowledge among other drug units or talking to other drug units that as long as the GPS is not hard wired, as long as it is placed on - - in a public area, removed in a public area, it is basically a tool or an extension of surveillance");
(3) we have faith that judgments made without primary law or judicial approval are respectful of rights if an officer acts only after "consulting with fellow officers, other law enforcement agencies, and a prosecutor"; and
(4) we can accept a "free-floating culpability requirement" (as Orin Kerr describes it) that almost assures that the good faith exception will nearly swallow the rule.

I think (4) is the most troubling because I can't conjure a situation (other than a crazy law school hypo) where a court might find "'deliberate,' 'reckless,' or 'grossly negligent' disregard for...Fourth Amendment rights" in the absence of binding appellate precedent.




Tuesday, November 5, 2013

Court finds evidence obtained with GPS violates 4th Amend., does not fit good faith exception, but still not subject to suppression

In United States v. Taylor, 1:12-cr-00042 (S.D. Ind. 2013), the district court held that evidence obtained as a result of GPS tracking on a vehicle violated the Fourth Amendment and, while it is not subject to admission under the Davis good faith exception, the evidence may still be used because it was objectively reasonable for law enforcement to rely on the judicial authorization.

Police sought to put a GPS device on the defendant's vehicle after receiving a tip that the defendant was in possession of cocaine. The judicial authorization from a state court gave law enforcement the ability to use GPS tracking for sixty days and allowed it to "be powered either by an internal battery or by connecting [the GPS Unit] to the battery of the vehicle." Using the tracking, police were able to find a storage unit rented by the defendant, and after a narcotics dog gave a positive indication, cocaine was found during a search of the unit.

The defendant was charged with possession of cocaine and filed a motion to suppress the evidence because, he argued, it was obtained in violation of his Fourth Amendment rights. The federal district court agreed, finding that under United States v. Jones, the use of the GPS device without a warrant was a violation of the Fourth Amendment.

In many recent cases, however, despite such a decision, courts have often held that the Davis good faith exception would still allow the evidence to be used, but that was not the case here. The district court held that Davis applies when suppression would not deter wrongful police conduct. Here, suppression would "create an incentive for law enforcement 'to err on the side of constitutional behavior.'"

Nonetheless, the court found that suppression was not appropriate because it was objectively reasonable for police to rely on the judicial authorization they had received.
Instead of unilaterally deciding that they could attach the GPS Unit to Mr. Taylor's car, law enforcement sought and received judicial authorization to use the GPS Unit from the Marion Superior Court. 
When, as here, law enforcement officers seek judicial authorization for their actions—a step that courts should not discourage—and they receive such authorization, it is objectively reasonable for them to believe that the authorized actions do “not violate the Fourth Amendment.”

Monday, November 4, 2013

Wired, ABA Journal publish articles on revenge porn

Wired and the ABA Journal have both recently published good articles on the subject of revenge porn. If those legal issues interest you at all, you should be sure to check these out:

ABA Journal - "Victims are taking on ‘revenge porn’ websites for posting photos they didn’t consent to"
[T]here’s no clear legal avenue to penalize posters of revenge porn. Only two states, California and New Jersey, make it illegal to post a sexual photo online without the subject’s consent. Though experts say revenge porn may violate other state statutes, it’s common for police to say no law was broken unless the picture is child porn, of those under 18 when a photo was taken.
We do not need to choose between the internet and women, or between free speech and feminism. These are false and unnecessary dichotomies. Refusing to criminalize revenge porn would not make us misogynists. It would instead make us prudent.
Also, feel free to check out past Cybercrime Review posts about revenge porn.

Friday, November 1, 2013

Zurich can't dodge $1M+ liability for credit card hack of insured bank; Court finds fraud coverage impermissibly swallowed by exclusion

(I should note that I wouldn't normally post on a case like this. But, considering that "cyber insurance" is a hot topic, I thought it appropriate given the interesting facts)

In First Bank of Delaware v. Fidelity & Deposit Co. of Maryland, No. N11C-08-221 MMJ (Del. Super. Ct. Oct. 30, 2013), a Delaware court held that Fidelity (now Zurich) could not avoid liability for a hack of its insured (First Bank) which resulted in monetary assessments against the bank (for fraudulent use of the credit cards), brought by Visa and Mastercard. The court found the insurance contract unambiguous, but balked at Fidelity's attempt to construe its insurance contract in a manner that allowed a coverage exclusion to swallow the original grant of coverage. Harkening to my days in insurance law, it is axiomatic that contracts are construed against the drafter. As a result, the superior court's opinion granted First Bank's motion for summary judgment on both of its breach of contract causes of action; Fidelity was found in breach of contract for denying reimbursement for the aforementioned assessments.

The facts, as described by the court:
The primary issue in this case is whether First Bank’s insurance policy provides coverage for losses incurred in connection with a data breach incident. Fidelity issued the D & O SelectPlus Insurance Policy (“Policy”) to First Bank
(that policy, by the way, can be found here: Zurich Private Company Select); continuing:
First Bank had a relationship with a company then known as Transend, LLC (“Transend”) for certain card transactions. Transend had a similar relationship with Data Access Systems (“DAS”). Transend introduced First Bank to DAS. First Bank provided DAS with access to the Visa and MasterCard networks.

First Bank was liable for any losses or expenses caused by its agents under the Visa and MasterCard agreements designating First Bank as a principal member of the networks.

DAS’s web server terminal was hacked on or about May 17, 2008. The hackers gained access to debit card numbers and the corresponding personal identification numbers. Millions of dollars of unauthorized withdrawals were taken from customer accounts as a result of the data breach. DAS hired VeriSign, a computer forensics firm, to investigate the hacking. VeriSign concluded that DAS was not in compliance with PCI DSS, the security standard required by the Visa and MasterCard agreements.
After the breach, First Bank was assessed fees by both Visa and Mastercard which, together, totaled over $1M. First Bank asserted that their policy with Fidelity covered such losses; Fidelity disagreed and denied coverage.

The court proceeds to analyze the insurance contract and the various clauses. Prior to the analysis of "Exclusion M," the outcome looked promising for Fidelity. But, as always, the other shoe dropped. The court:
Section 4 Exclusion M 
Section 4 contains a list of exclusions from coverage. Exclusion M provides that the Insurer shall not be liable for any claim against the insured “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data or in any credit, debit, charge, access, convenience, customer identification or other card, including, but not limited to the card number.”

Fidelity contends Exclusion M applies and therefore Fidelity is not liable for First Bank’s losses. Fidelity argues that the Visa and MasterCard assessments are excluded from coverage because the assessments arise from the fraudulent use of data by the hackers.

Fidelity argues that there is a meaningful link between the hackers’ fraudulent use of the breached data and the Visa and MasterCard assessments. DAS’s computer system was breached, and the data obtained was fraudulently used to make unauthorized withdrawals. Visa and MasterCard incurred costs associated with this fraudulent use of credit cardholder data. First Bank assumed liability for these costs in its agreements with Visa and MasterCard. Fidelity concludes that the Visa and MasterCard assessments arise from the fraudulent use of data as contemplated by Exclusion M. Therefore, Fidelity is not liable for these losses.

While Fidelity argues that the assessments arose from the fraudulent use of data, First Bank argues that the assessments are based on First Bank’s failure to ensure that DAS was PCI DSS compliant. The Court finds that First Bank’s failure to ensure PCI DSS compliance may qualify as a parallel basis for the assessments. 
Fidelity has met its initial burden of demonstrating that Exclusion M applies. Therefore, the burden shifts back to First Bank to prove that an exception to the exclusion applies. First Bank contends that Exclusion M does not apply because: (1) Exclusion M is unintelligible and ambiguous; and (2) application would render coverage illusory.

The Court finds that Exclusion M is somewhat unclear grammatically. Nevertheless, it is clear that the first half of the clause — “based upon or attributable to or arising from the actual or purported fraudulent use by any person or entity of any data” — is intended to exclude the “fraudulent use” of data, however fraud occurs.

First Bank [also] contends that the application of Exclusion M renders the coverage grant illusory. First Bank argues that coverage for unauthorized use and unauthorized access to data in the definition of “Loss Event” includes claims resulting from the fraudulent use of data. First Bank notes the difficulty of finding an example of unauthorized use or access that does not contain some element of fraud. . . . 
Fidelity asserted at oral argument that “fraudulent,” as used in Exclusion M, is distinct from “unauthorized” in the definition of a Loss Event. Fidelity’s distinction is that “unauthorized” is broader and covers unintentional and mistaken use or access. Fidelity contends that the two provisions can be reconciled to provide coverage for losses resulting from the non-fraudulent unauthorized use of data. . . .
The Court finds that the language in Exclusion M is unambiguous in its attempt to exclude coverage for the fraudulent use of data. The Court finds that Fidelity has met its burden to prove the elements of the exclusion by showing a meaningful link between the fraudulent use of data and the claims at issue. However, when the burden shifts back to First Bank to prove that Exclusion M should not be applied, the Court considers that a grant of coverage should not be swallowed by an exclusion. The principle that a grant of coverage should not be rendered illusory protects the reasonable expectations of the purchaser. 
The Court finds that applying Exclusion M would swallow the coverage granted under Section 4.III(L)(1) for “any unauthorized use of, or unauthorized access to electronic data . . . with a computer system.” It is theoretically possible that an example of non-fraudulent unauthorized use of data exists. However, in the context of this Policy, all unauthorized use could be, to some extent, fraudulent. The abstract possibility of some coverage surviving the fraud exclusion is not sufficient to persuade the Court to apply an exclusion that is almost entirely irreconcilable with the Loss Event coverage.

 

Exiting CTO who copied source code and company files wins dismissal of CFAA claim; Thoughts on the CFAA post-Nosal

Viral Tolat, ex-CTO of Integral Development Company, is accused by his former company of copying gigabytes of source code and confidential files on his way out the door to a position with another company. He copied the source code to multiple places and uploaded some of the data to his personal Google Docs account. In Integral's First Amended Complaint, it alleged, inter alia, that Tolat violated the CFAA (and the analogous Cali statute) by misappropriating Integral data in derogation of the company's confidentiality policy and Tolat's employment agreement; Integral also alleged that Tolat "exceeded authorized access" because he had no "legitimate reason" to copy the source code (Tolat knew next to nothing about programming).

A federal judge in the N.D. Cal. did not buy Integral's allegations of "hacking" and granted Tolat's motion to dismiss those claims; the court's holding was based on United States v. Nosal's narrow reading of the CFAA. The court reiterated the premise in Nosal that the CFAA was meant to criminalize unauthorized access to information, not the misappropriation of information obtained through authorized access. 

The order granting Tolat's motion to dismiss the hacking claims is here: Integral Dev. Co. v. Tolat, No: 3:12-CV-06575-JSW (N.D. Cal. Oct. 25, 2013).

In holding, as a matter of law, that the CFAA did not apply to Tolat's conduct, the court stated:
The Ninth Circuit has rejected the contention that the terms "exceeds authorized access" within the meaning of the CFAA applies where someone has access to a computer's information but is limited in permissible use of that information. The plain language of the CFAA "target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation."
Integral does not and cannot allege that Tolat gained improper or unauthorized access to Integral's computers for illegitimate purpose. Rather, Integral alleges that Tolat "copied, downloaded and removed numerous Integral source code files . . . when he clearly had no legitimate reason to do so." Integral does not allege that Tolat used improper methods to gain access to the source code, but rather concedes, as it must, that at the time of the alleged acquisition of the materials, Tolat was working for Integral and had access to virtually all of Integral's trade secret information and confidential and proprietary intellectual property. (citations in entire quote omitted)  
Integral argued strenuously, in its brief opposing Tolat's Motion to Dismiss, that the company had a written confidentiality policy that Tolat was aware of and clearly violated when he uploaded company files and source code (trade secrets) to "the cloud" (i.e. his personal Google Docs). And thus, the argument continued, the existence of the policy and the knowing violation by Tolat was sufficient to create civil liability under the CFAA. The court's opinion, which ultimately held the CFAA inapplicable, summarily rejected Integral's argument by simply ignoring it altogether. I interpret the court's failure to even touch the merits of this argument as an implicit rejection of the "wide" interpretation of the CFAA Integral attempted to forward.

Wide interpretations of the CFAA have, in the most general sense, attempted to define liability (civil or criminal) for "hacking" by tying the statute (or defining the scope of it, at least in part) to the policies or terms of service drafted by private parties. The fundamental flaw in the wide approach is the unmooring of the CFAA from its original legislative purpose - real hacking; a wide interpretation also injects fluctuation into the law (or, perhaps, constitutes a "slippery slope"), allowing a serious federal crime to evolve whenever corporate policies or terms of service change (often at the whim of in-house counsel or in response to information technology changes).

Conversely, narrow interpretations of the CFAA reject (correctly, I would argue) any attempt to expand the scope of the CFAA beyond the purpose for which it was enacted. This is the interpretation of the CFAA I have consistently argued for and is the one adopted by the 9th Circuit in Nosal (an opinion that, to be clear, was binding on the court here).

The CFAA has become a flawed statute through no fault of its own. It is merely an antiquated remnant of a different era, poorly suited to address an area of law (and technology) that is constantly evolving at an incredible pace. The CFAA is, by analogy, the abacus in a room full of iPhone 5Ss. Attempting to fix the CFAA through ever wider interpretations of its scope is, to be honest, nothing more than the judiciary answering the CFAA's anachronism with acquiescence. This acquiescence is not innocuous, however. It carries with it a dangerous and misguided solution: granting legislative fiat over the CFAA's scope to private entities instead of Congress.

The rest of the documents for the case:

First Amended Complaint

Defendant's Motion to Dismiss, inter alia, the hacking claims

Plaintiff's Opposition to the MTD

Defendant's Reply to the Plaintiff's Opposition