Thursday, October 31, 2013

Miss. Attorney General wants Google to do more to fight intellectual property violations

Mississippi Attorney General Jim Hood is working to force Google to enact protections for intellectual property.

According to the Associated Press, Hood, intellectual property committee chair and president-elect of the National Association of Attorneys General (NAAG), wants Google to work harder to remove illegally copied materials from its search engine.
"They're still not helping on music, movies, software," Hood said, even citing a case where someone bought fake contact lenses that damaged an eye.
Earlier this year, several attorneys general including Hood encouraged Google to modify their search engine to make it more difficult to find prescription drugs online. As part of the modification, Google removed autocomplete results related to such sites.

Hood and NAAG have gone after Google prior to these occasions, and with Hood leading the organization in the coming year, you can expect to see an even stronger emphasis on cybercrime beginning next June.

Monday, October 28, 2013

Listen in to cyberbullying, sexting discussion

Update: The discussion can be found in the MPB archive here: http://mpbonline.org/inlegalterms/lt102913/.

Be sure to tune in tomorrow morning (Oct. 29) at 10am (CDT) for a discussion about cyberbullying, sexting, and digital stalking and harassment with cybercrime expert Priscilla Grantham.

Here's the link to listen live to Mississippi Public Broadcasting: http://mpbonline.org/Programs/listen_live.

Priscilla and I were colleagues at the National Center for Justice and the Rule of Law where she was a senior research attorney and taught courses related to the Fourth Amendment, cybercrime, and ICAC for judges, prosecutors, and law enforcement.

New CFAA Case: Complaint alleges "crippling, simultaneous, mass departure," along with destruction of documents and data

On 10/8/13 an interesting new complaint was filed alleging, inter alia, violations of the CFAA. An order in the case was recently issued, summarizing the dispute as follows: "the very core of Cunningham Lindsey’s claims and request for a preliminary injunction is that Vericlaim intentionally and unlawfully focused its efforts at recruiting and encouraging a mass exodus of Cunningham Lindsey employees during the late summer of 2013."

The Complaint outlines more fully the claims of Cunningham Lindsey against Bonanni et al. (including Vericlaim), describing the mass exodus and destruction of files (where the CFAA claim arises). Below are some excerpts from the complaint:




The case is Cunningham Lindsey v. Bonanni, No. 1:13-CV-2528 (M.D. P.A. Oct. 22, 2013); the previous link is to the Oct. 22nd order.

Complaint - Filed 10/8/13

Pl.'s Motion for a Temporary Restraining Order - Filed 10/8/13

Sunday, October 27, 2013

Featured Paper: The Legislative Response to Mass Police Surveillance

Stephen Rushin has a forthcoming paper in the Brooklyn Law Review entitled: The Legislative Response to Mass Police Surveillance.

The abstract is below:
Police departments have rapidly adopted mass surveillance technologies in an effort to fight crime and improve efficiency. I have previously described this phenomenon as the growth of the digitally efficient investigative state. This new technological order transforms traditional law enforcement by improving the efficiency of everyday policing activities and retaining copious amounts of data on both suspicious and unsuspicious behavior. Empirical evidence shows that police surveillance technologies are common and rapidly expanding in urban America. In the absence of legislative action, police departments have adopted widely disparate internal policies. The Supreme Court had the opportunity to rein in the scope of police surveillance in Jones v. United States. But the Court could not agree on whether technological improvements in efficiency transform an otherwise legal policing tactic into an unconstitutional search. Nor could the Court agree on whether a person may have a reasonable expectation to privacy in public movement. Post-Jones, the jurisprudence of police surveillance emerged as incoherent as ever.
I have previously argued that the judiciary should regulate police surveillance technologies. While it remains possible that the judiciary will someday make such a doctrinal shift, the immediate responsibility for regulating police surveillance technology falls on state legislatures. In this Article, I offer a model statute to regulate mass police surveillance. The model statute limits indiscriminate data collection. It also caps data retention for personally identifiable information. It excludes from criminal court any locational evidence obtained in violation of the statute. And it gives the state attorney general authority to bring suit against police departments that fail to abide by the law. This legislation would give discretion to police departments to craft data policies fitting their city’s unique needs, while also encouraging consistency and fairness.

Tuesday, October 22, 2013

Third Circuit: Warrant required for GPS tracking (Katzin); answers what Sup. Ct. reserved in Jones

The Third Circuit issued its opinion in United States v. Katzin, today, holding that a warrant based on probable cause must be obtained by law enforcement to track a car with GPS (to comport with the Fourth Amendment). This is the first circuit court decision to plow head on into the issue the Supreme Court reserved judgment on in United States v. Jones. The majority opinion was written by Judge Greenaway, Jr, with a concurrence in part/dissent in part by Judge Van Antwerpen. The opinion is quite lengthy - 61 pages for the majority, 55 for the concurrence/dissent.

A previous post of mine compiled all of the Katzin case materials; that post can be found here:
Case Prep (all briefs & materials): US v. Katzin - GPS case before Third Circuit on Tuesday 3/19/13

The majority opinion spills a lot of ink reviewing the precedent from other circuits, including a detailed analysis of Maynard (affirmed sub nom. United States v. Jones). And, of course, Mosaic Theory is discussed (Orin's article on Mosaic Theory is cited in the concurrence/dissent).

My law review article on Mosaic Theory is here:
Justin P. Webb, Car-ving Out Notions of Privacy: The Impact of GPS Tracking and Why Maynard is a Move in the Right Direction, 95 Marq. L. Rev. 751 (2011).

Orin's is here:
Orin Kerr, The Mosaic Theory of the Fourth Amendment, 110 Mich. L. Rev. 311 (2012).


Other coverage:

Cyrus Farivar at Ars Technica has a write up, here:
Appellate court: Nope, feds can’t just GPS track your car without a warrant

Kim Zetter at Threat Level:
Court Rules Probable-Cause Warrant Required for GPS Trackers

The ACLU has a write-up of the case on their blog:
VICTORY! Federal Appeals Court Rules Warrant Required for GPS Tracking

Orin Kerr has indicated he's going to have a post on the case on the Volokh Conspiracy soon.
Update (3am) - here it is: Third Circuit Requires Warrant for GPS Monitoring and Limits Good-Faith Exception in United States v. Katzin


Saturday, October 19, 2013

Featured Papers: iOS Anti-Forensics, Google Drive Forensics, and Cell Phone Searches

Here's a roundup of new papers on SSRN:

IOS Anti-Forensics: How Can We Securely Conceal, Delete and Insert Data?

Abstract:
With increasing popularity of smart mobile devices such as iOS devices, security and privacy concerns have emerged as a salient area of inquiry. A relatively under-studied area is anti-mobile forensics to prevent or inhibit forensic investigations. In this paper, we propose a "Concealment" technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices, as well as a "Deletion" technique to reinforce data deletion from iOS devices. We also demonstrate how our "Insertion" technique can be used to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.

Abstract:
Cloud storage is an emerging challenge to digital forensic examiners. The services are increasingly used by consumers, business, and government, and can potentially store large amounts of data. The retrieval of digital evidence from cloud storage services (particularly from offshore providers) can be a challenge in a digital forensic investigation, due to virtualisation, lack of knowledge on location of digital evidence, privacy issues, and legal or jurisdictional boundaries. Google Drive is a popular service, providing users a cost-effective, and in some cases free, ability to access, store, collaborate, and disseminate data. Using Google Drive as a case study, artefacts were identified that are likely to remain after the use of cloud storage, in the context of the experiments; on a computer hard drive and Apple iPhone3G, and the potential access point(s) for digital forensics examiners to secure evidence.

Cell Phone Searches in a Digital World: Blurred Lines, New Realities and Fourth Amendment Pluralism

Abstract:
State and federal courts are split over whether cell phone searches incident to a lawful arrest are permissible under the Fourth Amendment. The Supreme Court has the opportunity to create uniformity by accepting a certiorari petition in a cell phone search incident to arrest case, either United States v. Wurie or Riley v. California. The Court should do so to create an analysis that incorporates sensory enhancing technology, not avoids it, as it has done to date. 
The split in case law evidences a central contradiction. Fourth Amendment rules need to be predictable and based on clear guidelines for effective and safe crime interdiction. Technological advances cloud the application of the rules by introducing new facts into the calculus, facts that separate form from function and transform the analysis. In the past, as evidenced by search cases Katz and Jones, and exception cases for searches incident to lawful arrest, Chimel and Robinson, the Supreme Court analysis tended to be based on abstract and grand theory, which has led to a form of Gresham’s Law of constitutional application, where general principles often end up marginalizing specific provisions. Because of advancing technology, however, Fourth Amendment protection has been eroding, as predicted in Kyllo. Searches of cell phones incident to lawful arrests can provide a huge source of discretionary information for police, and searches of "smart" phones without cause can seem like a fishing expedition. Comparisons and analogues have not worked. Neutral narratives have been fractured and unsatisfying. 
This paper suggests using local structures accommodating post-digital technology instead of pre-digital comparisons like containers and walls and doors. Facts, and new realities, matter. In essence, analyses should incorporate the capabilities of the technology in question. The new doors and walls of the advancing technology era create new privacy encroachments, including nondiscoverable information without permission, but are still guided by the same textual and Framers’ intent considerations, such as invasiveness, duration and intent of the government conduct, as well as the nature and impact of the invasion. In light of this calculus, cell phone searches incident to a lawful arrest generally should require some sort of independent and legitimate reason to search the device, a search of which does not fit neatly into existing rationales of container, officer safety, or destruction of evidence. 

Friday, October 18, 2013

Wisconsin Supreme Court hears oral arguments in cell phone tracking case, State v. Tate

On October 9th, the Wisconsin Supreme Court heard oral arguments in State v. Tate, a case addressing whether the lower court properly denied defendant's motion to suppress evidence from a warrant that allowed police to track the location of the defendant's cell phone.

The defendant frames the issue of the case in his brief (attached below) as follows:
Police obtained a court order to track a cell phone because the person in possession of the phone was suspected of a homicide. However, neither the location  data itself, nor the phone’s location, nor the location of the person in possession of the phone constituted evidence of a crime. As one federal district court recently described the scenario, police asked “to use location data in a new way—not to collect evidence of a crime, but solely to locate” a suspect. MD Prospective, infra, 849 F. Supp. 2d 526, 530 (D. Md. 2011).

Issues: Was there statutory authority for the Order? Did the Order violate the State and Federal Constitutions? The lower courts concluded that the Order was permissible.
The State's response (attached below) frames the issue as follows:
Issues: Was the judicial order authorizing the police to track a cell phone belonging to defendant-appellant-petitioner Bobby L. Tate a valid search warrant?
Here are links to the Wisconsin Court of Appeals decision, the Defendant's Brief, the State's Response, and the Defendant's Reply.

Additionally, here is a link to the audio of the oral arguments (.WMA)

Recent Journal of Criminal Law & Criminology issue focuses on cybercrime

Volume 103, Issue 3 of the Journal of Criminal Law & Criminology, a student-run publication at Northwestern University School of Law, features a variety of articles tackling the complexities of cybercrime. The issue is the culmination of a Symposium held at Northwestern University on February 1, 2013. As the Symposium Editor, Lily Katz, states in her Foreword, the Symposium intended to address the "important conceptual, doctrinal, and empirical legal questions" raised by cybercrime.

The issue features a great line-up of authors addressing a variety of topics. For instance, Professor David Thaw, a visiting Assistant Professor at the University of Connecticut School of Law, "examines the tension" between the two differing viewpoints on "whether private contracts, such as website terms of use or organizational acceptable use policies should be able to define the limits of authorization and access for purposes of criminal sanctions under the CFAA." The piece authored by Professor Derek Bambauer, an Associate Professor at the University of Arizona James E. Rogers College of Law, takes a somewhat broad look at the interests of privacy and security. Professor Bambauer argues that "security and privacy can, and should, be treated as distinct concerns" and that "separating privacy from security has important practical consequences."

The recent issue of the Journal of Criminal Law & Criminology provides some great articles worth checking out. Here are the links to the articles:

Lily Katz, Foreword, 103 J. Crim. L. & Criminology 663 (2013) 

Derek E. Bambauer, Privacy Versus Security, 103 J. Crim. L. & Criminology 667 (2013)

Thomas P. Crocker, Order, Technology, and the Constitutional Meanings of Criminal Procedure, 103 J. Crim. L. & Criminology 685 (2013)

David Gray, Danielle Keats Citron, & Liz Clark Rinehart, Fighting Cybercrime After United States v. Jones, 103 J. Crim. L. & Criminology 745 (2013)

David Thaw, Criminalizing Hacking, not Dating: Reconstructing the CFAA Intent Requirement, 103 J. Crim. L. & Criminology 907 (2013)

Jessica E. Notebaert, Comment, The Search For a Constitutional Justification For The Noncommercial Prong of 18 U.S.C. § 2423(C), 103 J. Crim. L. & Criminology 949 (2013)

Thursday, October 17, 2013

Ohio appellate court affirms motion to suppress regarding GPS evidence

The Court of Appeals of Ohio recently held that in the absence of a binding precedent, evidence obtained as a result of an improperly used GPS device should not be allowed in court under the Davis good faith rule. State v. Allen, 2013 Ohio 4188 (Ohio Ct. App. 2013).

Since the decision in United States v. Jones, the most debated GPS-related issue has been what to do in situations where a GPS device was used prior to the Supreme Court's decision without a search warrant in the absence of binding precedent. Some courts have held that the overwhelming trend was for there to be no warrant requirement, allowing the evidence to be used under the Davis good faith rule.

Other courts, such as the Court of Appeals of Ohio in Allen, have held that in the absence of binding law on the issue, the evidence cannot be used at trial.
[A]lthough the State urges an opposing view, we join with the Second and Eleventh Districts, who have now spoken on the issue, to underscore that the good-faith exception to the exclusionary rule is not available if there was no binding precedent in the jurisdiction. Thus, we decline to adopt the position the State urges that we broadly interpret Davis to allow an exception when non-binding precedence from other jurisdictions exist.
The state had argued that the detectives acted in good faith by asking prosecutors if a warrant was necessary. However, the court found that to be insufficient in order to hold that the defendant's Fourth Amendment rights had not been violated.
It has not been lost on this court that in addition to not obtaining a warrant prior to attaching the GPS tracking device to Allen's vehicle, the Lyndhurst detectives crossed into another jurisdiction by going into another county, under the cover of night, and entered a gated community to surreptitiously attach the device at issue. Thus, had a reckless wanton analysis been necessary, instead of Davis's application in the wake of Jones, it is arguably that the State's good-faith argument would have been tarnished by the procedure the Lyndhurst detectives employed to attach the GPS tracking device to Allen's vehicle.
Thus, the trial court's grant of the motion to suppress was affirmed.

Wednesday, October 16, 2013

CFAA claim dismissed in Givaudan Fragrances Corp. v. Krivda

On September 26, 2013, the court in Givaudan Fragrances Corp. v. Krivda issued an order dismissing Givaudan's claim that one of its former employees, James Krivda, violated the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This dismissal, granted by Judge Peter Sheridan of the District Court of New Jersey, provides yet another example of a court distinguishing between “unauthorized use of information” and the “unauthorized access to information” when interpreting the CFAA.

According to the court order (and this 2009 opinion, which provides a much more detailed factual summary), Krivda was a perfumer at Givaudan Fragrances, “a manufacturer of fragrances for consumer products and the fine fragrance industry.” In April of 2008, Krivda resigned from Givaudan to take a position with a Givaudan competitor, MANE International. Givaudan alleged that, prior to his departure, Krivda printed over 500 confidential fragrance formulas from Givaudan’s management database. Displeased with Krivda’s explanation as to why he printed the formulas just days prior to his departure from the company, Givaudan filed a complaint against Krivda.

Specifically, Givaudan’s complaint alleged, among other claims, that Krivda violated § 1030(a)(4) of the CFAA, which holds liable a person who
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period
Krivda moved for partial summary judgment to dismiss the CFAA claim. Krivda argued that, as a perfumer for Givaudan, he was provided access to the formula management database and therefore did not "access a protected computer without authorization" or "exceed authorized access." Givaudan argued that, while Krivda had access to the database, he was not authorized to "review and print" formulas maintained on their database.

In granting Krivda’s motion, the court stated that “the Computer Fraud and Abuse Act § 1030(a)(4), prohibits the unauthorized access to information rather than unauthorized use of such information.” “The inquiry,” the court stated, “depends not on the employee's motivation for accessing the information, but rather whether the access to that information was authorized.” The court concluded that Krivda’s authorization to access the database ended its CFAA inquiry.
Here, Krivda was authorized to access that information, namely, Givaudan's computerized formula management database system, a fact Givaudan does not dispute. . . . [T]he term "exceeds authorized access," refers to one who had access to part of a system and then accessed other parts of the computer system to which he had no permissible access. Here Krivda had permissible access to the formula management database system. Givaudan's proposition that Krivda could not "review and print" does not fall within the definition of exceeds authorized access. In applying the summary judgment standard and utilizing Givaudan's version of the facts, it is clear that Krivda had access to the computerized formula management system, and Krivda entered areas to which he had access. Summary judgment is granted . . . .
The “use” vs “access” distinction has been a common discussion among courts faced with interpreting the CFAA, particularly in the employee context. A few months back, I wrote a post discussing a Southern District of New York case, JBCHoldings v. Pakter, in which the court determined that the plain meaning of “without authorization” and “exceeds authorized access” “plainly speaks to permitted access, not permitted use.” However, I also discussed how some circuits have adopted a broader interpretation of the CFAA, in which the misuse of information by an employee would satisfy the statute's terminology. In the criminal context, I touched on this issue a bit when discussing United States v. Vargas, where an NYPD officer was charged under the CFAA for, among other claims, conducting improper searches on the precincts’ NCIC system to gain information on fellow NYPD officers.

For a more detailed look on the issue, I would suggest this recent Comment by JD candidate Alden Anderson, The Computer Fraud and Abuse Act: Hacking Into The Authorization Debate, published in this summer's issue of Jurimetrics: The Journal of Law, Science, and Technology.

Tuesday, October 15, 2013

District court holds that parody social media accounts do not violate the CFAA

In Matot v. CH, No. 6:13-cv-153 (D. Ore. 2013), the district court held that the creation of parody social media accounts does not violate the Computer Fraud and Abuse Act (CFAA).

Last year, the Ninth Circuit adopted a reading of the CFAA that does not allow for the law to be applied to the violation of a website's terms of service. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). A broad reading would allow such violations (for example, falsifying your age on a dating website) to be punishable under the CFAA through criminal and civil action. Some courts have adopted the broad reading (United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)).

In Matot, the plaintiff argued that the "defendants created false social media profiles in his name and likeness," violating the "without authorization" provision of the CFAA. The district court, however, found the argument to go against the Ninth Circuit's interpretation of the CFAA and the rule of lenity.

Thursday, October 10, 2013

Illinois App. Ct.: Defendant not guilty on two counts of CP possession for storing same image twice in the same medium

In State v. Sedelsky, No. 2-1-1042 (Ill. App. Ct. 2013), an Illinois appellate court held that the conviction for two counts of possession of child pornography cannot stand when the counts are "based on possession of an identical image stored in the same digital medium." The two images were saved under two different file names - yngbigirl1_0_50465483.jpg and yngbigirl1_0_50577108.jpg.

The appellate court found that the statute was "unclear" on this issue, requiring the court to "adopt a construction that favors defendant."
We agree with the logic in Carter and Liberty that possession of "any *** depiction by computer" is ambiguous as to whether a defendant may be charged separately with possessing a duplicate image in the same medium. Here, the facts demonstrated only that the image was saved twice to the same medium and at nearly the same point in time. We disagree with the State's assertion that defendant separately uploaded the image from his cell phone. It is not clear from the facts whether the image was uploaded more than once, from more than one website, or from more than one source. The facts lead only to the inference that the image was saved twice, as the Mbuzzy records show only that 25 "media_upload" files were sent from defendant's phone to his Mbuzzy account within a 4-minute timespan. The State did not present any evidence that defendant uploaded the image from his phone on separate occasions. It is not clear whether defendant affirmatively uploaded the image twice and saved it twice, or merely saved the image twice. The State also did not present evidence that the image was saved anywhere other than in defendant's Mbuzzy account.

Wednesday, October 9, 2013

On remand, federal judge increases young CP offender sentence, notes guidelines 'unnecessarily crush the lives of our young'

More than two years ago, then 89-year-old U.S. District Judge Jack Weinstein ruled in a 401-page opinion that imposing the statutory minimum five-year sentence to a 19-year-old offender was "cruel and unusual" punishment, and Judge Weinstein chose to ignore the law on constitutional grounds. The Second Circuit recently reversed his decision, and he reluctantly changed the sentence.
Upon resentencing the defendant in the remand, Judge Weinstein did not issue a similarly lengthy opinion, but he chose to restate some of his main arguments.
The effect of harsh minimum sentences in cases such as C.R.'s is, effectively, to destroy young lives unnecessarily. The ancient analog of our modern destruction of youngsters by cruel, unnecessarily destructive and self-defeating, long minimum prison sentences, was physically sacrificing them to ancient gods for the supposed benefit of society. Leviticus 18:21 (King James ed.) warns, "[T]hou shalt not let any of thy [children] pass through the fire to Molech." See W. Gunther Plaut et al., The Torah: A Modern Commentary, 149 n.1, 883 (1981) (ancient human sacrifice of children); Maimonedes Mishneh Torah, 116 (Rabbi Eliyahu trans. with commentaries and notes, Moznaim Publ'g. Corp. 2001) ("[A] person who gives his descendants to Molech" is executed by stoning.). And a pillar of major religions is the banning of the sacrifice of children. Genesis 22:12-13; see Plaut et al., at 149 ("[R]eligion . . . rejects the sacrifice of a [mortal] son . . . ."). Yet we continue using the criminal law to unnecessarily crush the lives of our young.
Judge Weinstein also issued a plea for the guidelines to be changed.
Where, as here, in the opinion of a ruling appellate court, the trial court has exceeded its power, at least the matter has been brought to the government's and public's attention, so that in due course, in our caring democracy, future injustices of this kind will be avoided.

Tuesday, October 8, 2013

2nd Cir. vacates CP producer's penis measurement sentencing condition imposed for failing to give notice of move

In 2001, Alabama resident David McLaurin was convicted of producing child pornography and sentenced to ten years in prison. Most of the time was suspended, but he later served more time for failing to notify the state when he moved to a different county. He moved to Vermont in 2011 and notified the authorities of the move, but he did not fill out the proper paperwork, which violated the Sex Offender Registration and Notification Act.

McLaurin was found "unlikely to reoffend again" but was sentenced to prison and supervised release for the paperwork issue. A part of his supervised release included "plethysmograph examinations." The procedure "involves placing a pressure-sensitive device around a man’s penis, presenting him with an array of sexually stimulating images, and determining his level of sexual attraction by measuring minute changes in his erectile responses." It may or may not first require the subject to masturbate in order to get a baseline. Even better - the test was designed by the Czechoslovakian government "to identify and 'cure' homosexuals."

Before the Second Circuit, McLaurin argued that the test was "unnecessary, invasive, and unrelated to the sentencing factors." The government argued that "the size of the erection is ... of interest to government officials because it ostensibly correlates with the extent to which the subject continues to be aroused by the pornographic images."

The appeals court, noting that "[a] person, even if convicted of a crime, retains his humanity," held that the procedure violates McLaurin's rights, vacated the condition, and remanded the case to district court. Here's an excerpted outline of their reasoning:
  • The condition of supervised release at issue is a sufficiently serious invasion of liberty such that it could be justified only if it is narrowly tailored to serve a compelling government interest.... “[T]here is a line at which the government must stop. Penile plethysmography testing crosses it.”
  • In other words, the Government has made no showing that this exceedingly intrusive procedure has any therapeutic benefit, and none is apparent to us.
  • The procedure inflicts the obviously substantial humiliation of having the size and rigidity of one’s penis measured and monitored by the government under the threat of reincarceration for a failure to fully cooperate.
  • The goal of correctional treatment during supervised release is properly directed at conduct, not at daydreaming.
  • The testing could not help to protect the public unless the results were used to justify further detention or more restrictive conditions of release. But that could not occur because McLaurin had already received a fixed term of incarceration followed by a fixed term of supervised release, neither of which could be altered by a poor test score.
  • [W]e also find it odd that, to deter a person from committing sexual crimes, the Government would use a procedure designed to arouse and excite a person with depictions of sexual conduct closely related to the sexual crime of conviction.
  • We fail to see any reasonable connection between this defendant, his conviction more than a decade ago, his failure to fill out paperwork, and the government-mandated measurement of his penis.
The case is United States v. McLaurin, No. 12-3514 (2d Cir. 2013).

Monday, October 7, 2013

Court dismisses most of teen's suit for use of bikini-clad photo from Facebook in high school "Internet Safety" class

(Updated 10/9/13 - see end of post)

** Relevant documents: Complaint, Def. Renewed Rule 12(b)(6) MTD, Pl. Opp. to MTD, and Order **

A federal court on Sept. 30th granted a motion to dismiss (in large part) a Georgia teen's lawsuit for multiple causes of action arising out of a Technology Instructor's use of a photo of her he obtained from her Facebook page; the photo was used in an "Internet Safety" class to illustrate that what you post online does not go away. The PowerPoint the instructor used included the teen's name on a slide with her picture (the picture was of her in a bikini standing next to Snoop Dogg (aka Snoop Lion)). The case is Chaney v. Fayette County Public School District, No. 13-CV-89-TCB (N.D. G.A. Sept. 30, 2013).

The PowerPoint slides are below (I cropped out Chaney to prevent further reproduction):



The court juxtaposed the instructor's intention with Chelsea Chaney's as follows:
The presentation was designed to illustrate the permanent nature of social media postings and how those postings could be embarrassing if published by third parties. Part of the presentation included a slide of a cartoon depicting a daughter approaching her mother about the mother’s Facebook page from years past, which listed the mother’s hobbies as “body art, bad boys, and jello shooters.” Chaney alleges that the obvious implication of this cartoon was the mother was humiliated by this Facebook posting, which according to Chaney labeled her as a “sexually-promiscuous, anti-establishment[] abuser of alcohol.”
Chaney alleged in the suit that the "unauthorized" use of her picture "violated her constitutional right to privacy under the Fourth and Fourteenth Amendments as well as several rights afforded her by state law." She sued the school district and the instructor in their official capacities - these were the claims dismissed by the Sept. 30th order above - and the instructor in his individual capacity (that claim has not been dismissed). 

The New York Daily News wrote a piece about this case in June: Georgia teen wants $2 million after school uses Facebook photo without permission. From the heading:
When bikini-clad Chelsea Chaney posed next to a cutout of Snoop Dogg during a family vacation, she had no idea that the photo would be shown to hundreds of strangers at a Fayette County Schools district seminar. An administrator used the photo to demonstrate the dangers of posting to social media.
The court found Chaney's Facebook setting allowing friends of her friends to see her pictures to constitute disclosure under the third-party doctrine, eliminating her reasonable expectation of privacy. The court, addressing the Fourth Amendment claim, stated:
Chaney contends that her privacy-setting choice of “friends and friends of friends” was “semi-private” and that her Facebook page was accessible “only to those people she had specifically approved.” Thus, she contends that the District improperly searched her Facebook page and stole, i.e., illegally seized, her picture. However, Chaney fails to acknowledge the lack of privacy afforded her by her selected Facebook setting. While Chaney may select her Facebook friends, she cannot select her Facebook friends’ friends. By intentionally selecting the broadest privacy setting available to her at that time, Chaney made her page available to potentially hundreds, if not thousands, of people whom she did not know (i.e., the friends of her Facebook friends).
“The Supreme Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
...  
...Chaney surrendered any reasonable expectation of privacy when she posted a picture to her Facebook profile, which she chose to share with the broadest audience available to her. Thus, Chaney cannot show that society would be willing to recognize her expectation of privacy as legitimate.
The court also dismissed Chaney's argument that her outfit (a bikini) and the fact that she was a minor at the time had any bearing on the analysis.

The court then went on to the Fourteenth Amendment due process claim, noting that "zones of privacy" have been judicially recognized, but "[n]owhere in these protected areas may [appellant] find a constitutional right to be free from public embarrassment or damage to his reputation." The court pointed out that Chaney's claims did not rise to a "constitutional magnitude" and instead "most appropriately arise under state tort law."

The court then proceeded to find the two defendants in their official capacity immune from suit, regardless, which would have defeated the claims without the preceding analysis.

Thus, the school district's (and the instructor's) Rule 12(b)(6) motion to dismiss was granted for all causes of action against them in their official capacities.

Side note: this was clearly a terrible judgment call on the instructor's part and by the school district (since it appears they OK'd it). That said, it's hard to argue the instructor didn't get his point across.

The following is an interview with the plaintiff Chelsea Chaney:



Update 1:
A few things:
(1) I know it appears silly to crop out Chaney in the PowerPoint considering the image of her and Snoop Dogg (Snoop Lion) is the first thing that Google returns when you search for her name (and is included in the public filings for the case), but Venkat's write-up (see below) echoed my uneasiness about posting it ("With some reluctance, we're sharing a link to a page where you can find the photo.").

(2) I found it odd that Chaney's lawyer chose not to address the state tort claims in his brief in opposition to the motion to dismiss, even if sovereign immunity was a slam dunk.

(3) Derek Black chose an interesting title for his write-up about the case on the Education Law Prof Blog: "Facebook Users Beware: The Principal Might Not Punish You, But He Can Ridicule You." (link below). A few thoughts on his use of the word "ridicule" (purely academic, not to criticize):

Can school district employees really "ridicule" you? The answer is not unequivocally yes because if the ridicule arises from a discretionary act, and the student can prove "actual malice," the claim would not be barred by the Georgia Tort Claims Act (or analogous statutes) providing immunity to schools/public officials/etc. (Black points this out at the bottom of his write-up). More importantly, though, is "ridicule" really what happened here? I don't see any evidence the use of the photo was to "mak[e] fun of someone or something in a cruel or harsh way." As I noted, there was an educational message tied to the use of the photo (admittedly, delivered in an ill-conceived way); the photo was not used to "ridicule" or opine on a non-pedagogical point (for example, to attack Chaney's choice of rapper, clothes, or lifestyle), and at least to me, that is a meaningful distinction. The take home message from the case is much more that Facebook users should worry about the impact their social media personas could have on their lives (i.e. striking the correct balance of privacy and communicative freedom in an interconnected and ever evolving technological age), and much less that they should beware of principals snooping for photos with which to "ridicule" them (a small, downstream derivative of the larger issue).

Other write-ups:
Venkat Balasubramani, Organizing an “Internet Safety” Presentation? Don't Troll Through Students' Facebook Accounts Looking for Bikini Photos

Molly DiBianca, No Privacy Claim for Use of Student Facebook Picture

Derek Black, Facebook Users Beware: The Principal Might Not Punish You, But He Can Ridicule You

Comments from Reddit about this story

Some of the original coverage when the suit was filed:
CNET, Student sues after school uses Facebook bikini pic in seminar

Cosmopolitan, How This Bikini Photo Sparked a $2 Million Lawsuit

Huffington Post, Chelsea Chaney Sues Georgia School District For Using Facebook Photo Of Her In A Bikini

Policy Mic, School Uses Student's Bikini Picture to Promote Social Media Safety




2nd Circuit reverses decision to hold defendant jointly and severally liable for child pornography victim's losses

In United States v. Lundquist, No. 11-5379 (2d Cir. 2013), the Second Circuit held that a child pornography possessor could not be held jointly and severally liable for harm to the victim.

Lundquist was convicted of receipt and possession of child pornography. Among the images in his possession was one of the "Amy" series. Amy was victimized by her uncle and has sought for years to obtain restitution from those who continue to download images of her. Her total damages have been calculated at $3,381,159.

Courts have debated many issues regarding restitution under the federal child pornography statutory scheme, including whether proximate cause is required and how the restitution is calculated. Some jurisdictions hold possessors jointly and severally liable (in this case, meaning they can be held liable for the entire amount of damages) while others assess damages at only a fraction of the total (such as dividing it by the total number of defendants convicted for possessing images of the same victim).

In Lundquist, the district court held that the defendant should be ordered to pay the full amount of Amy's losses. The Second Circuit, however, found that the defendant was not the cause of "all of [Amy's] losses" as the $3 million is so high "primarily because there are so many people viewing her images."

The appeals court acknowledged the benefits of joint and several liability, however, and suggested bringing a civil suit instead of seeking mandatory restitution.
We understand, as a policy matter, why joint and several liability is an appealing option in this type of case. Joint and several liability would permit the victims of child pornography to collect their full losses from any well-heeled defendant, rather than require them to pursue defendants who may be, or later become, insolvent. Such an approach would also place the onus on guilty defendants to seek contribution from each other, rather than require the innocent victims to request restitution from each defendant.
We sympathize with these policy arguments and acknowledge that joint and several liability might be appropriate if Amy had brought a civil tort action against those who downloaded images of her abuse.
The Second Circuit also held that several types of losses could not be included in the total calculation. First, "Lundquist cannot be ordered to make restitution for harm that Amy's uncle's conduct proximately caused." Also, because the defendant obtained the images of Amy in 2010, he could not be held liable for therapy costs "incurred in 2009 or earlier."

Read more about restitution for Amy in previous Cybercrime Review posts.

Sunday, October 6, 2013

Federal Ct. in web scraping case: accusations of "hacking" and "theft" could be defamatory, but privileged under facts


Can accusing someone of harvesting data from a publicly accessible webpage, by referring to that conduct as "hacking" and/or "theft," be a defamatory statement? Under the facts noted below, a federal court just said "yes," but ultimately found the statements privileged. There is an interesting discussion in the opinion about "protecting" website data with an exclusion in robots.txt (although, as an aside, robots.txt doesn't protect much of anything), and whether that choice to exclude makes any legal difference. The court also discusses the unsettled nature of CFAA law at the time the statement was made; to the court, the muddled precedent regarding whether scraping public web data was a CFAA violation was germane to determining if an accusation of "hacking" was accurate (i.e. a legal cause of action under the CFAA could be sustained).

As an initial matter, here is Merriam-Webster Online's definition of "hack":
intransitive verb
...
4
a :  to write computer programs for enjoyment
b :  to gain access to a computer illegally
noun (1)
...
6
:  a usually creative solution to a computer hardware or programming problem or limitation 
hack 1 (hăk)
v. hacked, hack·ing, hacks
v.tr.
...
3.
a. Informal To alter (a computer program): hacked her text editor to read HTML.
b. To gain access to (a computer file or network) illegally or without authorization: hacked the firm's personnel database.

v.intr.

a. To write or refine computer programs skillfully.
b. To use one's skill in computer programming to gain illegal or unauthorized access to a file or network: hacked into the company's intranet.
...
The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved. 
hack1
vb
...
7. (Electronics & Computer Science / Computer Science) to manipulate a computer program skilfully, esp, to gain unauthorized access to another computer system
...
Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers 1991, 1994, 1998, 2000, 2003
And from the Oxford English Dictionary, Copyright © 2013 Oxford University Press
"hacking"
1.
...
 d. The use of a computer for the satisfaction it gives; the activity of a hacker (hacker n. 3). colloq. (orig. U.S.).
1976   J. Weizenbaum Computer Power & Human Reason iv. 118   The compulsive programmer spends all the time he can working on one of his big projects. ‘Working’ is not the word he uses; he calls what he does ‘hacking’.
1984   Times 7 Aug. 16/2   Hacking, as the practice of gaining illegal or unauthorized access to other people's computers is called.
1984   Sunday Times 9 Dec. 15/2   Hacking is totally intellectual—nothing goes boom and there are no sparks. It's your mind against the computer.
In Tamburo v. Dworkin, -- F.Supp.2d -- (N.D. Ill. Sept. 26, 2013), Judge Joan B. Gottschall granted the motion for summary judgment of Henry (another named defendant); the causes of action against Dworkin were (1) tortious interference with a contractual relationship, (2) tortious interference with prospective economic damage, (3) defamation per se, and (4) defamation per quod.

The court stated the facts as follows:
The essential facts in this 2004 case are undisputed. Defendant Kristen Henry, a dog breeder and computer programmer, spent almost five years creating an extensive database of dog pedigrees, which she made freely available for use by fellow breeders through her web site. Plaintiffs John Tamburo and Versity Corporation (“Versity”) used an automated web browser to harvest the data from Henry’s website. They incorporated it into software which they attempted to sell to dog breeders for a profit. Henry was outraged. When the plaintiffs spurned her requests to cease using her data, she reached out to the dog breeding community, through emails and online messages, for assistance in responding to the plaintiffs’ misappropriation of her work. This lawsuit arose from her statements.
Henry (defendant) accused Tamburo of "hacking" in a Freerepublic.com article, as well as in an email; Henry also made various statements to a dog enthusiast message board using the words "theft" and "steal." One of the statements read: "[Tamburo] has written an agent robot to go to these individual sites and steal certain files...that were not offered to them except through a query user interface for page by page query of a single dog’s pedigree at a time."

Addressing the defamation allegations, the court analyzed whether the statements were non-actionable because they were either substantially true or protected by privilege. The court first discussed the defendant's use (or lack thereof) of robots.txt, which the court refers to as "the Robot Exclusion Standard." The court stated:
The parties dispute whether Tamburo and Versity evaded security measures to access Bonchien.com. Henry contends that a user could access the data on her site only through a query based search, by entering an individual dog name and the generations of ancestry to be displayed. Tamburo, however, states that the data could also be accessed through the site’s URL. He states in his affidavit that Henry admitted during her deposition that the URL used by the Data Mining Robot to access the web site was plainly visible, and that her allegations that the plaintiffs accessed data from non-public areas of the web site were false. 
Henry states in an affidavit that she did not give Tamburo or Versity express permission to access and gather the data on her website by any automated means, such as the Data Mining Robot. She contends that she placed a “robots.txt” header on the site to keep robots from indexing the site. The robots.txt protocol, or Robot Exclusion Standard, is a convention “to instruct cooperating web crawlers not to access all or part of a website that is publicly viewable. If a website owner uses the robots.txt file to give instructions about its site to web crawlers, and a crawler honors the instruction, then the crawler should not visit any pages on the website. The protocol can also be used to instruct web crawlers to avoid just a portion of the website that is segregated into a separate directory.”
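The court's point that robots.txt binds only crawlers that choose to honor it can be seen from the site owner's side by comparing the exclusion rules against what the server actually served. This Python sketch is an added example, not code from the case record or the original post; the robots.txt content, the /pedigree/ path, the log lines, the verdict labels, and the bulk threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site; not from the case record.
ROBOTS_TXT = """\
User-agent: *
Disallow: /pedigree/
"""

# Constructed access log (combined log format). Every request was served
# with status 200: the exclusion file did not stop any of them.
ACCESS_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 38 "-" "PoliteBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "PoliteBot/1.0"
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /pedigree/1 HTTP/1.1" 200 2048 "-" "HarvestBot/0.1"
203.0.113.9 - - [01/Jan/2024:10:05:01 +0000] "GET /pedigree/2 HTTP/1.1" 200 2051 "-" "HarvestBot/0.1"
203.0.113.9 - - [01/Jan/2024:10:05:02 +0000] "GET /pedigree/3 HTTP/1.1" 200 1990 "-" "HarvestBot/0.1"
192.0.2.44 - - [01/Jan/2024:11:00:00 +0000] "GET /pedigree/17 HTTP/1.1" 200 2100 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [01/Jan/2024:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 38 "-" "OtherBot/2.0"
198.51.100.23 - - [01/Jan/2024:12:00:01 +0000] "GET /pedigree/1 HTTP/1.1" 200 2048 "-" "OtherBot/2.0"
198.51.100.23 - - [01/Jan/2024:12:00:02 +0000] "GET /pedigree/2 HTTP/1.1" 200 2051 "-" "OtherBot/2.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def classify(read_robots, excluded_served, bulk_threshold):
    """Label one client's behaviour (labels are this example's own)."""
    if excluded_served == 0:
        return "compliant"
    if read_robots:
        return "read-and-ignored"   # fetched the rules, then crossed them
    if excluded_served >= bulk_threshold:
        return "bulk-unchecked"     # automated-looking, never asked
    return "interactive"            # a few page views, e.g. a person browsing


def audit(log_text, robots_txt=ROBOTS_TXT, bulk_threshold=3):
    """Return {client_ip: (verdict, excluded_pages_served)}."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    seen = defaultdict(lambda: {"read_robots": False, "excluded_served": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status, agent = m.groups()
        client = seen[ip]
        if path == "/robots.txt":
            client["read_robots"] = True
        elif status == "200" and not rules.can_fetch(agent, path):
            # The server answered anyway: robots.txt is advisory only.
            client["excluded_served"] += 1
    return {
        ip: (classify(c["read_robots"], c["excluded_served"], bulk_threshold),
             c["excluded_served"])
        for ip, c in seen.items()
    }


if __name__ == "__main__":
    for ip, (verdict, count) in audit(ACCESS_LOG).items():
        print(f"{ip:15} {verdict:17} excluded pages served: {count}")
```

A site owner who wants the exclusion enforced rather than requested has to act on findings like these server-side, for example with authentication or rate limits on the query interface.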
As for allegedly defamatory statements regarding stealing of data, the court found them "substantially true." Here is the court's logic:
Tamburo argues that Henry’s statements that he stole from her are false because he did not commit theft. He did not delete or remove data from Henry’s site (thus depriving her of her property), Henry had made her data freely available, and no robots.txt file was visible on her site at the time the Data Mining Robot copied information on the site. According to Tamburo, because the data was not protected, either legally or by security protections on Henry’s web site, he could not have committed theft by appropriating it. 
Even so, the court concludes that no reasonable jury could find that Henry’s statements were not substantially true. ... It may be true that Tamburo could not be prosecuted or held liable for his actions because the data was publicly available and not protected by adequate security measures. But Tamburo’s argument relies on a narrow legal meaning of “theft.” Under Illinois law, the court must consider whether Henry’s use of the word “theft” is reasonably susceptible to a non-defamatory construction. (citation omitted) It is. To a lay person such as Henry, “theft” can also mean the wrongful act of taking the property of another person without permission. The data Henry had collected could be reasonably understood as her property—she had collected it, and it was her work in compiling it that gave it value. She did not give Tamburo permission to copy it and sell access to it. Although Henry might not be able to successfully sue Tamburo for using her data in this way, the gist of her statements was true: he took the data without her permission.
I can't say I agree with this -- the holding, in essence, means that anyone copying and pasting data from another individual's website is "stealing" that data if pre-approved permission isn't obtained. To me, the choice to post information on the internet, available to anyone in the world, means you assume the risk that your now "public" information will be used by others. You can't steal what is given away for free. And theft normally involves some deprivation of a property interest; what was the website owner deprived of, other than control of the information? Control which was given up when it was posted on the web.

Ultimately, the court held the statements were covered by privilege because "they related to her interests in protecting the substantial time and effort spent accumulating her data and in making it freely available to the community of Schipperke breeders, to promote the health of the breed. She also had an interest in ensuring that her data was presented in a certain way and in controlling the manner in which it could be accessed. Furthermore, the statements were published to people who likewise had an interest in the way in which the dog pedigree data was made available, and they involved a public interest in how access to information available on the internet is regulated."

Also, relating to privilege, the court discussed the current state of CFAA law at the time:
...Henry was a lay person, and the record shows plainly that as of May 4 and 5, 2004, when she made the statements that her data was “stolen,” Henry believed that Tamburo had stolen her data and was attempting to determine whether the law afforded her any protection against that theft. 
Moreover, even had Henry immediately consulted with an attorney, no such actual knowledge that Tamburo’s actions were lawful would have been revealed. Rather, in May 2004, the law governing the automated harvesting of data from web sites was unsettled. For example, a number of courts had held that website owners might have a remedy under the Computer Fraud and Abuse Act (“CFAA”) against defendants who had accessed information on their websites using automated harvesting. (citation omitted) In 2003, the First Circuit reversed a district court that had issued an injunction pursuant to the CFAA against a company using an automated “web scraper” to copy pricing information from a travel website. The district court had relied in part on “the fact that the website was configured to allow ordinary visitors to the site to view only one page at a time.” (citation omitted) The First Circuit disagreed and noted, “It is . . . of some use for future litigation . . . in this circuit to indicate that, with rare exceptions, public website providers ought to say just what non-password protected access they purport to forbid.” ...
The First Circuit’s opinion suggests that it is unlikely Henry could have pursued a CFAA claim, given the state of the law, and Tamburo is correct that a collection of data is normally not subject to copyright protections. See Feist Publ’ns v. Rural Tel. Serv. Co., 499 U.S. 340, 364 (1991) (noting that “copyright rewards originality, not effort”). Even so, further investigation on Henry’s part would not have revealed that Tamburo’s actions were undisputedly legal or illegal. Thus, even if Henry’s lawyer advised her that Tamburo had acted legally and that she did not have a remedy against him, such advice is not dispositive as to whether she abused the qualified privilege in making the statements in question. Henry was entitled to disagree with the lawyer about whether Tamburo had any right to access her database, another lawyer might have held a different opinion, and her statements were made as part of her efforts to seek help in protecting her interests. Thus, the fact that the law has evolved in a way that does not protect Henry’s years of work is not evidence that she made the statements about Tamburo’s theft with “a high degree of awareness of the[ir] probable falsity or entertaining serious doubts as to [their] truth.” (citation omitted)
Finally, addressing hacking, the court stated:
Tamburo argues that Henry’s statement that he committed “hacking” and that he took data from non-public areas of her website are defamatory because they imply illegal activity. He claims that the statements are false because he did not evade any security measures employed on Henry’s site, and no prohibition on robotic browsing was visible on the site.
The statements that Tamburo “wrote an agent robot to take specific files off of specific sites” and that the “files were not in a public venue” are substantially true and thus not actionable. Although Tamburo argues that the files were accessible to him through a URL, it is undisputed that Henry’s site was designed to allow the user to search manually for the pedigree of an individual dog. Nothing in the record indicates that Henry intended to make the entire database available to the public. The “gist” of the statements is therefore true. (citation omitted)
As to the word “hacking,” Henry argues that the term is susceptible to innocent construction because “the term has positive connotations,” implying the development of “a creative solution” to a computer problem. (citation omitted) The innocent construction rule “requires a court to consider the statement in context and give the words of the statement, and any implications arising from them, their natural and obvious meaning.” (citation omitted) Courts “are to interpret the words of the statement as they appear to have been used and according to the idea they were intended to convey to a reader of reasonable intelligence,” and “should avoid straining” to give a term an innocent meaning. (citation omitted) Although Henry proposes that the word “hacking” can be used to convey an innocent meaning, it is clear from the context of her statement that she meant to imply that the way Tamburo accessed her database was unethical or illegal, not “creative.” Thus, the word, as used by Henry, was defamatory.
Even so, the statement is protected by the same qualified privilege that renders Henry’s statements about theft non-actionable. Tamburo has presented no evidence showing that Henry abused the privilege. Although she admitted during her deposition that Tamburo had not evaded any security measures on her site, nothing in the record indicates that, at the time she made the statement about “hacking,” on May 5, 2004, she had serious doubts about the truth of the statement. Rather, the evidence shows that Henry designed her website to make data available to the public through a query search, which would provide information about one dog pedigree at a time. There is no dispute that this was the way Henry intended the site to be used, and that Tamburo instead accessed the site in a way that allowed him to copy Henry’s entire database.

Friday, October 4, 2013

Recent News: Lavabit, Silk Road, and Calif. revenge porn bill

Lavabit used 4-point type in attempt to prolong Snowden SSL key release
Edward Snowden's e-mail provider, now-defunct Lavabit, attempted to defy the government's request for Snowden's SSL keys by printing the 2,560 characters in 11 pages of 4-point type. That way, the FBI would have to retype the key manually. Read more from Wired.

Silk Road closed by FBI, others promptly take its place
The FBI shut down Silk Road earlier this week, but the Huffington Post reports that many alternatives exist, and black market vendors have already made the move.
“I am now offering all of my inventory at a discounted rate due to the fall of SR!” wrote [a] vendor at Black Market Reloaded.
Read past Cybercrime Review posts about Silk Road here.

California bans revenge porn
California governor Jerry Brown recently signed into law a bill that could punish violators with up to six months in jail and a $1,000 fine for posting revenge porn. Revenge porn is when a person posts sexual photos of an ex on the Internet in an act of revenge.

Read more about the law from CNN, and more about revenge porn in an earlier Cybercrime Review post.

Wednesday, October 2, 2013

EFF files amicus brief in Massachusetts cell site data case

The Electronic Frontier Foundation recently filed an amicus brief in a Massachusetts appellate case regarding cell site location data. The trial court in Commonwealth v. Augustine had suppressed two weeks' worth of cell site data, finding that a search warrant was necessary to obtain it. The government then appealed.

According to the EFF release:
In our amicus brief, we urge the SJC to affirm the trial court, arguing that people maintain a reasonable expectation of privacy in their location—even their public movements—since society would deem it unlikely that anything more than small, discrete movements would be observed at a time.... 
Even the SJC itself has been a leader on location privacy. Earlier this year, it ruled in Commonwealth v. Rousseau that a passenger in a car had standing to challenge GPS surveillance because everyone, regardless of whether they are the car's owner or not, has an expectation of privacy in their location.
We hope that the SJC will extend Rousseau, recognize that the third party doctrine does not apply to invasive cell site monitoring, and require police obtain a search warrant to track a person's location through their cell phone.
Read the EFF amicus brief by clicking here.