Showing posts with label ECPA. Show all posts

Wednesday, August 28, 2013

Website Banner Defeats Numerous Fourth Amendment Objections in CP Case

A federal district judge recently held in a child pornography (CP) case that the website's banner doubly defeated any Fourth Amendment objection to an investigator's use of the site to collect evidence of possession and distribution of CP. The case, United States v. Bode, No. 1:12-cr-00158-ELH (D. Md. Aug. 21, 2013), rests on evidence developed by a government investigator (Burdick) who was granted administrator-level access to a website where the defendant (Bode) was allegedly posting CP. The website in question (which has since been shut down) offered users a real-time chat service, including the ability to send messages and images to public chat rooms, as well as "privately" to individual users. The site logged timestamps, IP addresses, message contents, images, and public chat room history for review by its administrators, though individual users could not see or review their own usage history after a chat session was over. The website also required acceptance of its terms of service before allowing users to post or receive messages. Its terms read:
CHILD PORNOGRAPHY...
BEHIND EVERY PICTURE THERE IS PAIN!
HELP US REPORT IT! 
Posting photos, graphics or cartoons showing persons under 18 years of age is not allowed. Child pornography or other illegal material will immediately be reported to the posters [sic] local authorities. Requesting images of the above nature is not allowed. All posted pictures and conversations, public and private, are logged and supervised. [The website] may disclose these communications to the authorities at its discretion.
The final sentence (emphasis added) was appended at Burdick's request during his investigation, before the CP images at issue in the case were allegedly posted.

But first, the backstory: Burdick, an agent with the Department of Homeland Security's Immigration and Customs Enforcement (Child Exploitation Investigations Group), heard that users of this website were trading CP. Without getting a warrant or a court order, he began looking into the site and observed users posting CP using the chat service. Burdick checked with the website's domain name registrar to try to identify its operator and found that its administrator was located in Sweden. Since it is more complicated to serve process on a foreign entity (and it is unclear whether Burdick would have had the authority to do so), he emailed the site operator to ask for cooperation in his CP investigation. The site operator enthusiastically complied, giving Burdick an administrator-level account on the website so he could directly review the site's logs. Burdick used his administrative access to identify users who had been reported by others for (potentially) trading CP, and then began checking the logs generated by those particular users more carefully.

Eventually Burdick checked with an Assistant United States Attorney, who recommended that he ask for changes to the website's terms of service, italicized above. (The US Attorney's office also declined to use any evidence developed before the language was appended.) After the terms of service were changed, Burdick used the administrator function to save logs and images users sent to public chat rooms and as private messages to other users. Burdick collected evidence that a user had posted CP from what turned out to be defendant Bode's IP address. This eventually served as probable cause for a warrant to search his home and computers for CP, which revealed additional CP on Bode's computer.

Suppression Analysis

Bode moved to suppress all of the evidence against him as fruit of the poisonous tree, on grounds that Burdick's initial investigation violated the Fourth Amendment, the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., and the Wiretap Act, 18 U.S.C. § 2510 et seq. The court dealt with the Wiretap Act and SCA claims easily: neither statute includes a suppression remedy for information obtained from "electronic communications" like those here, while the Wiretap Act does include a suppression remedy for information intercepted in real time from "wire or oral communication," at 18 U.S.C. § 2515. This made it easy for the court to conclude that when Congress did not include a suppression remedy for electronic communications, it did so with a specific intent not to create such a remedy. The court therefore declined to find an implied statutory right of suppression.

The constitutional claim, violation of the Fourth Amendment, is more interesting, since it could give rise to a suppression remedy (though somewhat ironically, constitutional suppression is a court-created remedy, see Weeks v. United States, 232 U.S. 383 (1914)). As a preliminary matter, the parties had conceded (for the purposes of the Fourth Amendment analysis in the motion at issue here) that the website had become the government's agent, by granting Burdick administrator-level access and changing the language of its banner at his request. Nevertheless, the court held that the banner to which Bode agreed in order to use the chat service constituted two separate grounds for eliminating any Fourth Amendment objections to Burdick's collection of evidence:

First, the banner defeated any reasonable expectation of privacy, which is a prerequisite for any protectable Fourth Amendment interest under Katz v. United States, 389 U.S. 347 (1967). The Bode court compared the banner's language to other cases in which a reasonable expectation of privacy had been at issue, finding that the added text ("[The website] may disclose these communications to the authorities at its discretion.") put the issue beyond doubt, as the AUSA had hoped: users had given up their expectations of privacy. Under this theory, no protectable privacy interest existed, and no constitutional "search" ever occurred, so there was no Fourth Amendment violation and no reason to suppress the resultant evidence.

Second, the court found that even if a search had occurred, the banner indicated consent to that search. Bode tried to argue that his consent had been limited in scope to investigation by the website operator, not the government, but the court was having none of it, instead finding that there was "no meaningful distinction" between the consent Bode had given (for the website operator to turn over information to the authorities) and what actually happened (the operator creating an administrator account for the investigator). This consent was therefore sufficient to allow Burdick's collection of evidence even if it was a Fourth Amendment search.

The government also argued that the website operator had "common authority" to consent to searches of its logs, but the court did not address this argument, having already found two grounds for denying Bode's motion to suppress. Had the court addressed the issue, it probably would have been able to find that the site administrator, which had the right to examine its logs, also had the right to authorize their search under the common authority doctrine of United States v. Matlock, 415 U.S. 164 (1974) (finding common authority over shared room sufficient) and Frazier v. Cupp, 394 U.S. 731 (1969) (finding shared use of a duffel bag sufficient). In fact, since the operator could view the logs while ordinary users could not, I found this to be the government's strongest argument, and I am not sure why the court did not even address it.

Conclusion

In any event, this one banner did quite a bit of work: the court's denial of suppression almost certainly means Bode is out of arguments and will be convicted. And it likely means other users of the site will be (or already have been) prosecuted for similar crimes: one of Burdick's emails thanking the website operator for cooperating with the investigation mentioned that he had found "roughly 25 users" in the United States violating CP laws. So, while the website might be gone, the text of its banner may have even more work to do in the courts.


A Footnote

The Bode court also notes that the website operator who was willing to help with the investigation -- seemingly a decent character -- was later tried, convicted, and imprisoned in the Philippines for sex trafficking.

Wednesday, March 20, 2013

House holds hearing on ECPA revisions, new Senate bill seeks to require probable cause for content

If you missed yesterday's House hearing on the Electronic Communications Privacy Act, the testimony is available here by video and here by written testimony. Witnesses included Elana Tyrangiel (DOJ), Orin Kerr (GW Law), Richard Littlehale (Tenn. Bureau of Investigation), and Richard P. Salgado (Google).

Here's a brief summary of each witness's testimony:
  • Tyrangiel - The 180-day rule under the ECPA should be abolished, and opened emails should not be treated differently from those which are unopened. Also, addressing information in e-mails should be available with a subpoena similar to that of telephone calls. The standard for 2703(d) orders should be clarified (must a court issue the order with specific and articulable facts or can probable cause be required?). "It is important that any proposed changes to ECPA take into account the ability of civil regulators and litigators to compel disclosure of information from providers."
  • Kerr - Outlined five problems with the statute, including the 180-day rule, the fact that there is no protection for search engine requests, the uncertain scope of warrant requirements (through court opinions like Theofel and Jennings), the statute's failure to satisfy the Fourth Amendment, and the need for particularity, minimization, and non-disclosure rules.
  • Littlehale - Carriers should be required to keep all communications for one year. "There can be no question that some of that information holds the keys to finding an abducted child, apprehending a dangerous fugitive, or preventing a terrorist attack." Any attempt to require probable cause "should be accompanied by provisions that ensure accountability and prompt response by service providers."
  • Salgado - ECPA should be updated, abolishing the 180-day rule and adopting Warshak's warrant requirement for e-mail content.
Also in ECPA news yesterday, Senators Patrick Leahy (D) and Mike Lee (R) filed legislation to update the statute, abolishing the 180-day rule, requiring probable cause to obtain content, and ordering notification to individuals within 10 days of disclosure.

Friday, March 8, 2013

What the Stored Communications Act would look like after Rep. Lofgren's ECPA reform bill (H.R. 983)

I wrote previously about Rep. Lofgren (and others) proposing a modification to the Stored Communications Act (SCA) as well as an addition to the ECPA regarding disclosure of geolocation information; that post can be found here: Quick details on H.R. 983, the ECPA reform bill announced today.

I decided to update the relevant portions of the SCA (18 U.S.C. 2701-2705) with the modifications in H.R. 983. You can see the bill and my markup, below (original from Cornell's LII):

18 USC § 2701 - Unlawful access to stored communications
(a) Offense.— Except as provided in subsection (c) of this section whoever—
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
(b) Punishment.— The punishment for an offense under subsection (a) of this section is—
(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State—
(A) a fine under this title or imprisonment for not more than 5 years, or both, in the case of a first offense under this subparagraph; and
(B) a fine under this title or imprisonment for not more than 10 years, or both, for any subsequent offense under this subparagraph; and
(2) in any other case—
(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under this subparagraph that occurs after a conviction of another offense under this section.
(c) Exceptions.— Subsection (a) of this section does not apply with respect to conduct authorized—
(1) by the person or entity providing a wire or electronic communications service;
(2) by a user of that service with respect to a communication of or intended for that user; or
(3) in section 2703, 2704 or 2518 of this title.

18 USC § 2702 - Voluntary disclosure of customer communications or records
(a) Prohibitions.— Except as provided in subsection (b) or (c)—
(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and
(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service—
(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and
(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge to any governmental entity the contents of communication covered by subsection (a) of section 2703 or any a record or other information pertaining to a subscriber to or customer or user of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
(b) Exceptions for disclosure of communications.— A provider described in subsection (a) may divulge the contents of a communication—
(1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient;
(2) as otherwise authorized in section 2517, 2511 (2)(a), or 2703 of this title;
(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service;
(4) to a person employed or authorized or whose facilities are used to forward such communication to its destination;
(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(6) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A;
(7) to a law enforcement agency—
(A) if the contents—
(i) were inadvertently obtained by the service provider; and
(ii) appear to pertain to the commission of a crime; or
[(B) Repealed. Pub. L. 108–21, title V, § 508(b)(1)(A), Apr. 30, 2003, 117 Stat. 684]
(8) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.
(c) Exceptions for Disclosure of Customer Records.— A provider described in subsection (a) may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection (a)(1) or (a)(2))—
(1) as otherwise authorized in section 2703;
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;
(5) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 2258A; or
(6) to any person other than a governmental entity.
(d) Reporting of Emergency Disclosures.— On an annual basis, the Attorney General shall submit to the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate a report containing—
(1) the number of accounts from which the Department of Justice has received voluntary disclosures under subsection (b)(8); and
(2) a summary of the basis for disclosure in those instances where—
(A) voluntary disclosures under subsection (b)(8) were made to the Department of Justice; and
(B) the investigation pertaining to those disclosures was closed without the filing of criminal charges.

18 USC § 2703 - Required disclosure of customer communications or records
(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service or remote computing service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, that is stored, held, or maintained by that service, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. Within three days after a governmental entity receives such contents from a service provider pursuant to this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail, or other means reasonably calculated to be effective as specified by the court issuing the warrant to the subscriber, customer, or user a copy of the warrant and a notice that includes the information referenced in section 2705(a)(4)(A) and (B)(i), except that delayed notice may be provided, pursuant to section 2705 of this title. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of Wire or Electronic Communications in a Remote Computing Service.—
(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(2) Paragraph (1) is applicable with respect to any wire or electronic communication that is held or maintained on that service—
(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such remote computing service; and
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing.
(c) Records Concerning Electronic Communication Service or Remote Computing Service.—
(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction;
(B) obtains a court order for such disclosure under subsection (d) of this section;
(C) has the consent of the subscriber or customer to such disclosure;
(D) submits a formal written request relevant to a law enforcement investigation concerning telemarketing fraud for the name, address, and place of business of a subscriber or customer of such provider, which subscriber or customer is engaged in telemarketing (as such term is defined in section 2325 of this title); or
(E) seeks information under paragraph (2).
(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the—
(A) name;
(B) address;
(C) local and long distance telephone connection records, or records of session times and durations;
(D) length of service (including start date) and types of service utilized;
(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
(F) means and source of payment for such service (including any credit card or bank account number),
of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).
(3) A governmental entity receiving records or information under this subsection is not required to provide notice to a subscriber or customer.
(d) Requirements for Court Order.— A court order for disclosure under subsection (b) or (c) may be issued by any court that is a court of competent jurisdiction and shall issue only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation. In the case of a State governmental authority, such a court order shall not issue if prohibited by the law of such State. A court issuing an order pursuant to this section, on a motion made promptly by the service provider, may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider.
(e) No Cause of Action Against a Provider Disclosing Information Under This Chapter.— No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter.
(f) Requirement To Preserve Evidence.—
(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.
(g) Presence of Officer Not Required.— Notwithstanding section 3105 of this title, the presence of an officer shall not be required for service or execution of a search warrant issued in accordance with this chapter requiring disclosure by a provider of electronic communications service or remote computing service of the contents of communications or records or other information pertaining to a subscriber to or customer of such service.

18 USC § 2704 - Backup preservation
(a) Backup Preservation.—
(1) A governmental entity acting under section 2703 (b)(2) may include in its subpoena or court order a requirement that the service provider to whom the request is directed create a backup copy of the contents of the electronic communications sought in order to preserve those communications. Without notifying the subscriber or customer of such subpoena or court order, such service provider shall create such backup copy as soon as practicable consistent with its regular business practices and shall confirm to the governmental entity that such backup copy has been made. Such backup copy shall be created within two business days after receipt by the service provider of the subpoena or court order.
(2) Notice to the subscriber or customer shall be made by the governmental entity within three days after receipt of such confirmation, unless such notice is delayed pursuant to section 2705 (a).
(3) The service provider shall not destroy such backup copy until the later of—
(A) the delivery of the information; or
(B) the resolution of any proceedings (including appeals of any proceeding) concerning the government’s subpoena or court order.
(4) The service provider shall release such backup copy to the requesting governmental entity no sooner than fourteen days after the governmental entity’s notice to the subscriber or customer if such service provider—
(A) has not received notice from the subscriber or customer that the subscriber or customer has challenged the governmental entity’s request; and
(B) has not initiated proceedings to challenge the request of the governmental entity.
(5) A governmental entity may seek to require the creation of a backup copy under subsection (a)(1) of this section if in its sole discretion such entity determines that there is reason to believe that notification under section 2703 of this title of the existence of the subpoena or court order may result in destruction of or tampering with evidence. This determination is not subject to challenge by the subscriber or customer or service provider.
(b) Customer Challenges.—
(1) Within fourteen days after notice by the governmental entity to the subscriber or customer under subsection (a)(2) of this section, such subscriber or customer may file a motion to quash such subpoena or vacate such court order, with copies served upon the governmental entity and with written notice of such challenge to the service provider. A motion to vacate a court order shall be filed in the court which issued such order. A motion to quash a subpoena shall be filed in the appropriate United States district court or State court. Such motion or application shall contain an affidavit or sworn statement—
(A) stating that the applicant is a customer or subscriber to the service from which the contents of electronic communications maintained for him have been sought; and
(B) stating the applicant’s reasons for believing that the records sought are not relevant to a legitimate law enforcement inquiry or that there has not been substantial compliance with the provisions of this chapter in some other respect.
(2) Service shall be made under this section upon a governmental entity by delivering or mailing by registered or certified mail a copy of the papers to the person, office, or department specified in the notice which the customer has received pursuant to this chapter. For the purposes of this section, the term “delivery” has the meaning given that term in the Federal Rules of Civil Procedure.
(3) If the court finds that the customer has complied with paragraphs (1) and (2) of this subsection, the court shall order the governmental entity to file a sworn response, which may be filed in camera if the governmental entity includes in its response the reasons which make in camera review appropriate. If the court is unable to determine the motion or application on the basis of the parties’ initial allegations and response, the court may conduct such additional proceedings as it deems appropriate. All such proceedings shall be completed and the motion or application decided as soon as practicable after the filing of the governmental entity’s response.
(4) If the court finds that the applicant is not the subscriber or customer for whom the communications sought by the governmental entity are maintained, or that there is a reason to believe that the law enforcement inquiry is legitimate and that the communications sought are relevant to that inquiry, it shall deny the motion or application and order such process enforced. If the court finds that the applicant is the subscriber or customer for whom the communications sought by the governmental entity are maintained, and that there is not a reason to believe that the communications sought are relevant to a legitimate law enforcement inquiry, or that there has not been substantial compliance with the provisions of this chapter, it shall order the process quashed.
(5) A court order denying a motion or application under this section shall not be deemed a final order and no interlocutory appeal may be taken therefrom by the customer.

18 USC § 2705 - Delayed notice
(a) Delay of Notification.—
(1) A governmental entity acting under section 2703 (b) 2703(a) of this title may—
(A) where a court order warrant is sought, include in the application a request, which the court shall grant, for an order delaying the notification required under section 2703(b) 2703(a) of this title for a period not to exceed ninety days, if the court determines that there is reason to believe that notification of the existence of the court order warrant may have an adverse result described in paragraph (2) of this subsection; or
(B) where an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury subpoena is obtained, delay the notification required under section 2703 (b) of this title for a period not to exceed ninety days upon the execution of a written certification of a supervisory official that there is reason to believe that notification of the existence of the subpoena may have an adverse result described in paragraph (2) of this subsection.
(2) An adverse result for the purposes of paragraph (1) of this subsection is—
(A) endangering the life or physical safety of an individual;
(B) flight from prosecution;
(C) destruction of or tampering with evidence;
(D) intimidation of potential witnesses; or
(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial.
(3) The governmental entity shall maintain a true copy of certification under paragraph (1)(B).
(4) Extensions of the delay of notification provided in section 2703 of up to ninety days each may be granted by the court upon application, or by certification by a governmental entity, but only in accordance with subsection (b) of this section.
(5) Upon expiration of the period of delay of notification under paragraph (1) or (4) of this subsection, the governmental entity shall serve upon, or deliver by registered or first-class mail or other means reasonably calculated to be effective as specified by the court issuing the warrant to, the customer or subscriber a copy of the process or request warrant together with notice that—
(A) states with reasonable specificity the nature of the law enforcement inquiry; and
(B) informs such customer or subscriber—
(i) that information maintained for such customer or subscriber by the service provider named in such process or request was supplied to or requested by that governmental authority and the date on which the supplying or request took place;
(ii) that notification of such customer or subscriber was delayed;
(iii) what governmental entity or court made the certification or determination pursuant to which that delay was made; and
(iv) which provision of this chapter allowed such delay.
(6) As used in this subsection, the term “supervisory official” means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency’s headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney’s headquarters or regional office.
(b) Preclusion of Notice to Subject of Governmental Access.— A governmental entity acting under section 2703, when it is not required to notify the subscriber or customer under section 2703 (b)(1), or to the extent that it may delay such notice pursuant to subsection (a) of this section, may apply to a court for an order commanding a provider of electronic communications service or remote computing service to whom a warrant, subpoena, or court order is directed, for such period as the court deems appropriate, not to notify any other person of the existence of the warrant, subpoena, or court order. The court shall enter such an order if it determines that there is reason to believe that notification of the existence of the warrant, subpoena, or court order will result in—
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction of or tampering with evidence;
(4) intimidation of potential witnesses; or
(5) otherwise seriously jeopardizing an investigation or unduly delaying a trial.

Wednesday, March 6, 2013

Quick details on H.R. 983, the ECPA reform bill announced today

From House Representative Zoe Lofgren's release:
Reps. Zoe Lofgren (D-San Jose), Ted Poe (R-TX) and Suzan DelBene (D-WA) today introduced bipartisan legislation modernizing the 1986 Electronic Communications Privacy Act (ECPA). Consumers and businesses are increasingly using cloud computing and location-based services, but the law has failed to keep pace with technology – leading to weak and convoluted privacy protections from government access to user data. The bill, H.R. 983, the Online Communications and Geolocation Protection Act, would strengthen the privacy of Internet users and wireless subscribers from overbroad government surveillance by requiring the government to get a warrant based on probable cause before intercepting or forcing the disclosure of electronic communications and geolocation data.

A copy of the bill can be found here: H.R. 983 - Online Communications and Geolocation Protection Act

A summary (section by section) of the major changes can be found here: H.R. 983 Summary of Changes 

The bill requires, inter alia, a warrant for GPS tracking and CSLI tracking, with limited exceptions (FISA, emergency, consent, etc.). Another section from Rep. Lofgren's release sums it up nicely:

Rep. Lofgren's Online Communications and Geolocation Protection Act would apply Constitutional privacy guarantees under the Fourth Amendment to an individual's digital communications and location data while minimizing the impact on law enforcement investigations. The bill would: 
  • Require the government to obtain a warrant to access wire or electronic communications content;
  • Require the government to obtain a warrant to intercept or force service providers to disclose geolocation data;
  • Preserve exceptions for emergency situations, foreign intelligence surveillance, individual consent, public information, and emergency assistance;
  • Prohibit service providers from disclosing a user's geolocation information to the government in the absence of a warrant or exception;
  • Prohibit the use of unlawfully obtained geolocation information as evidence;
  • Provide for administrative discipline and a civil cause of action if geolocation information is unlawfully intercepted or disclosed.



Thursday, January 24, 2013

Google report details law enforcement requests for data

Google released its Transparency Report yesterday, detailing law enforcement requests for users' data from July to December 2012.

The report shows that 68 percent of requests were for "user-identifying information" obtained through a subpoena. Twenty-two percent were probable cause search warrants. Throughout the six-month period, 21,389 requests were received by Google.

According to Wired, Google requires a probable cause search warrant before it gives over actual content, despite the 2703(d) provision in the Electronic Communications Privacy Act which allows for most data to be obtained with a lesser showing (depending on the federal circuit).

Wednesday, September 5, 2012

Federal court addresses applicability of Wiretap Act to wireless network packet sniffing, holds data is "publicly available"

An Illinois federal district court recently analyzed the Wiretap Act as it applies to packet sniffing and held that "the interception of communications sent over unencrypted Wi-Fi networks" does not violate the statute. In re Innovatio IP Ventures, LLC Patent Litigation, No. 11 C 9308 (N.D. Ill. 2012).

The plaintiff, Innovatio IP Ventures, LLC, brought suit against multiple companies for various patent infringement claims concerning the use of wireless Internet technology in the defendants' businesses (such as hotels and coffee shops). Innovatio sent technicians to defendants' businesses in order to collect information about the infringement. The packets they intercepted contained data about the network as well as "e-mails, pictures, videos, passwords, financial information, private documents" and other data transmitted by network users. Innovatio sought a preliminary ruling on the admissibility of the data.

After a discussion of how packets are transmitted in a wireless network and the meaning of the word "intercept" in the Wiretap Act, the court determined that the proper "question is not ... whether the networks are 'readily available to the general public,' but instead whether the network is configured in such a way so that the electronic communications sent over the network are readily available." The Wiretap Act provides an exception if the communications are publicly available (18 U.S.C. § 2511(g)(i)). The court concluded that the communications themselves are readily available because they are "open to such interference from anyone with the right equipment" - equipment available for a couple hundred dollars and the right open source software.

The court concluded:
Any tension between that conclusion and the public's expectation of privacy is the product of the law's constant struggle to keep up with changing technology. Five or ten years ago, sniffing technology might have been more difficult to obtain, and the court's conclusion might have been different. But it is not the court's job to update the law to provide protection for consumers against ever changing technology. Only Congress, after balancing any competing policy interests, can play that role.... Unless and until Congress chooses to amend the Wiretap Act, the interception of communications sent over unencrypted Wi-Fi networks is permissible.
An argument had also been made that the interception violated the Pen Registers and Trap and Trace Devices statute, but the court found that the argument was not properly briefed and declined to apply the statute. Thus, the court found the evidence to be admissible.

Sunday, January 15, 2012

Appellate court addresses multiple issues in CP case

A recent Eleventh Circuit case presents a myriad of issues. In United States v. Cray, the defendant appealed his convictions of receipt and possession of child pornography. 450 Fed. Appx. 923 (11th Cir. 2012). He had subscribed to a website providing child pornography for $79.99 per month, and law enforcement tracked his actions on the site back to his ISP account. Among his arguments for reversal were:
  • An argument that obtaining his IP subscriber information was a violation of the Wiretap Act, and thus suppression of the information was warranted. As the court noted, there is no suppression remedy under the Wiretap Act. (Also, obtaining such information is clearly not a wiretap under ECPA.)
  • An expert witness should not have been allowed to testify that "Cray personally operated his laptop to access a child pornography website while in Dover, Delaware." The court found this testimony to be reliable and appropriate although the expert was not personally aware of the act.
  • Admission of testimony concerning geographic location of IP addresses was not inadmissible hearsay under plain error review.
  • Presentation of videos from the child pornography website to the jury was appropriate despite the fact that the videos were not located on the defendant's computer. They were relevant to show the defendant's "intent to receive and access ... child pornography" and to prove they "were actually child pornography."
  • A summary chart matching "filenames found in [defendant's] laptop registry with files accessed on the Website by a subscriber using Cray's name and information" was appropriate for presentation to the jury because the information had already been established, defendant had opportunity to cross-examine, and the court provided limiting instructions to the jury.
Therefore, the trial court decision was affirmed.

Friday, January 6, 2012

Tracking computer usage, free credit monitoring, and digital forensics guides from corporations

I have collected several random stories recently that do not deserve their own post alone, but that I thought should be shared.
  • From Lifehacker, this post shows you how to see if someone has been using your computer when you were not around. Using the Windows Event Viewer, users can see system logs detailing each time the computer boots or wakes from sleep or hibernation.
  • This isn't an endorsement nor do I really know much about this service, but Lifehacker did an article about Credit Karma, a credit monitoring service that notifies you of changes via e-mail. The service once restricted its number of users, but it is now free to anyone who registers. WSJ, NYT, CNN, and others have also recommended the service.
  • SANS's Computer Forensics website provides links to corporate handbooks for digital forensics investigators from companies like Microsoft, eBay, MySpace, and more. Some of the information is outdated, but it may give you an idea as to what is required and who to contact.

Sunday, January 1, 2012

Ninth Circuit finds standing to challenge government's alleged communications dragnet

In a lawsuit alleging "widespread warrantless eavesdropping" in violation of the Foreign Intelligence Surveillance Act, the Electronic Communications Privacy Act, and the Stored Communications Act, the Ninth Circuit has reversed and remanded the lower court dismissal on standing grounds. Jewel v. NSA, 673 F.3d 902 (2011).

The suit, backed by the Electronic Frontier Foundation, alleged "that the government[] operated a "dragnet collection" of communications records by 'continuously soliciting and obtaining the disclosure of all information in AT&T's major databases.'" The district court dismissed the complaint, finding that Jewel's complaint failed by not "specifically linking any of the plaintiffs to the alleged surveillance activities."

Of course, the issue is whether Jewel could demonstrate a "sufficiently concrete and specific injury" in order to have standing. The court found that the complaint "described in detail the ... equipment used ... at the particular AT&T facility" and that she "alleged with particularity that her communications were part of the dragnet."

RELATED CASE: The Ninth Circuit also decided, in a separate opinion, that § 802 of the Foreign Intelligence Surveillance Act, which immunizes telecommunications companies from liability for cooperating with the government's investigations, is constitutional. In re NSA Telcoms. Records Litig., 2011 U.S. App. LEXIS 25949 (2011).

Friday, December 16, 2011

Court applies exception provision of federal Wiretap Act

In a recent wiretapping case, the court brought up an important Wiretap Act provision that should be clarified. The plaintiff learned that his conversation with a J.P. Morgan Chase Bank employee had been recorded by the company. The court holds that under the federal Wiretap Act, the plaintiff cannot state a claim. "The statute prohibits an interception that is 'for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.' 18 U.S.C. § 2511(2)(d). Courts have interpreted this provision to require that the 'interceptor intend to commit a crime or tort independent of the act of recording itself.' Caro v. Weintraub, 618 F.3d 94 (2d Cir. 2010)."

While the court is correct in its analysis, it is important to mention that Caro and the Wiretap Act both state this requirement only "where [the wiretapper] is a party to the communication or where one of the parties to the communication has given prior consent to such interception." 18 U.S.C. § 2511(2)(d). Thus, if a party to the conversation records it for the purpose of committing a crime or tort, they have also violated the federal Wiretap Act.

The case is Berk v. J.P. Morgan Chase Bank, N.A., 2011 U.S. Dist. LEXIS 143510 (E.D. Pa. 2011).

Tuesday, October 4, 2011

SCA's protections apply to foreign citizens

Just a quick rule: According to a recent ruling by the Ninth Circuit, the SCA's application to "all persons ... means any person, including foreign citizens." A party was trying to obtain Hotmail e-mails from an Australian citizen, but Microsoft objected, arguing that the SCA prevents it. (Suzlon Energy Ltd. v. Microsoft Corp., 2011 U.S. App. LEXIS 20018 (9th Cir. 2011)).

Thursday, August 25, 2011

LoJack interception declared wiretap under ECPA

An Ohio district court recently found that using LoJack software to gain remote access to a stolen computer may violate the Electronic Communications Privacy Act (ECPA).

In Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio 2011), the school district was being sued for violation of the ECPA. After learning that the laptop was stolen, recovery officers began to intercept email, record keystrokes, and capture screen shots. Ultimately, they were led to the new owner (a substitute teacher with the school) who did not realize the laptop had been stolen, but had purchased it from a student.

The court held that it would be okay to report IP addresses or geographic location, but that the wiretapping that occurred in this case was a violation of the ECPA. Further, "[t]he ECPA carves out no exception allowing a private entity to intentionally intercept electronic communications for the purpose of gathering information to facilitate recovery of a stolen laptop." The court also denied the existence of a good faith defense.