District court holds that parody social media accounts do not violate the CFAA

In Matot v. CH, No. 6:13-cv-153 (D. Ore. 2013), the district court held that the creation of parody social media accounts does not violate the Computer Fraud and Abuse Act (CFAA).

Last year, the Ninth Circuit adopted a reading of the CFAA that does not allow for the law to be applied to the violation of a website's terms of service. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). A broad reading would allow such violations (for example, falsifying your age on a dating website) to be punishable under the CFAA through criminal and civil action. Some courts have adopted the broad reading (United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

In Matot, the plaintiff argued that the "defendants created false social media profiles in his name and likeness," violating the "without authorization" provision of the CFAA. The district court, however, found the argument to go against the Ninth Circuit's interpretation of the CFAA and the rule of lenity.

Read More

Website Banner Defeats Numerous Fourth Amendment Objections in CP Case

A federal district judge recently held in a child pornography (CP) case that the website's banner doubly defeated any Fourth Amendment objection to an investigator's use of the site to collect evidence of possession and distribution of CP. The case, United States v. Bode, No. 1:12-cr-00158-ELH (D. Md. Aug. 21, 2013), rests on evidence developed by a government investigator (Burdick) who was granted administrator-level access to a website where the defendant (Bode) was allegedly posting CP. The website in question (which has since been shut down) offered users a real-time chat service, including the ability to send messages and images to public chat rooms, as well as "privately" to individual users. The site logged timestamps, IP addresses, message contents, images, and public chat room history for review by its administrators, though individual users could not see or review their own usage history after a chat session was over. The website also required acceptance of its terms of service before allowing users to post or receive messages. Its terms read:

CHILD PORNOGRAPHY...
BEHIND EVERY PICTURE THERE IS PAIN!
HELP US REPORT IT! 

Posting photos, graphics or cartoons showing persons under 18 years of age is not allowed. Child pornography or other illegal material will immediately be reported to the posters [sic] local authorities. Requesting images of the above nature is not allowed. All posted pictures and conversations, public and private, are logged and supervised. [The website] may disclose these communications to the authorities at its discretion.

The final sentence (emphasis added) was appended at Burdick's request during his investigation, before the CP images at issue in the case were allegedly posted.

But first, the backstory: Burdick, an agent with the Department of Homeland Security's Immigration and Customs Enforcement (Child Exploitation Investigations Group), heard that users of this website were trading. Without getting a warrant or a court order, he began looking into the site and observed users posting CP using the chat service. Burdick checked with the website's domain name registrar to try to identify its operator and found that its administrator was located in Sweden. Since it is more complicated to serve process on a foreign entity (and it is unclear whether Burdick would have had the authority to do so), he emailed the site operator to ask for cooperation in his CP investigation. The site operator enthusiastically complied, giving Burdick an administrator-level account on the website so he could directly review the site's logs. Burdick used his administrative access to identify users who had been reported by others for (potentially) trading CP, and then began checking the logs generated by those particular users more carefully.

Eventually Burdick checked with an Assistant United States Attorney, who recommended that he ask for changes to the website's terms of service, italicized above. (The US Attorney's office also declined to use any evidence developed before the language was appended.) After the terms of service were changed, Burdick used the administrator function to save logs and images users sent to public chat rooms and as private messages to other users. Burdick collected evidence that a user had posted CP from what turned out to be defendant Bode's IP address. This eventually served as probable cause for a warrant to search his home and computers for CP, which revealed additional CP on Bode's computer.

Suppression Analysis

Bode moved to suppress all of the evidence against him as fruit of the poisonous tree, on grounds that Burdick's initial investigation violated the Fourth Amendment, the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., and the Wiretap Act, 18 U.S.C. § 2510 et seq. The court dealt with the Wiretap Act and SCA claims easily: neither statute includes a suppression remedy for information obtained from "electronic communications" like those here, while the Wiretap Act does include a suppression remedy for information obtained intercepted in real time from "wire or oral communication," at 18 U.S.C. § 2515. This made it easy for the court to conclude that when Congress did not include a suppression remedy for electronic communications, it did so with a specific intent not to create such a remedy. The court therefore declined to find an implied statutory right of suppression.

The constitutional claim, violation of the Fourth Amendment, is more interesting, since it could give rise to a suppression remedy (though somewhat ironically, constitutional suppression is a court-created remedy, see Weeks v. United States, 232 U.S. 383 (1914)). As a preliminary matter, the parties had conceded (for the purposes of the Fourth Amendment analysis in the motion at issue here) that the website had become the government's agent, by granting Burdick administrator-level access and changing the language of its banner at his request. Nevertheless, the court held that the banner to which Bode agreed in order to use the chat service constituted two separate grounds for eliminating any Fourth Amendment objections to Burdick's collection of evidence:

First, the banner defeated any reasonable expectation of privacy, which is a prerequisite for any protectable Fourth Amendment interest under Katz v. United States, 389 U.S. 347 (1967). The Bode court compared the banner's language to other cases in which a reasonable expectation of privacy had been at issue, finding that the added text ("[The website] may disclose these communications to the authorities at its discretion.") put the issue beyond doubt, as the AUSA had hoped: users had given up their expectations of privacy. Under this theory, no protectable privacy interest existed, and no constitutional "search" ever occurred, so there was no Fourth Amendment violation and no reason to suppress the resultant evidence.

Second, the court found that even if a search had occurred, the banner indicated consent to that search. Bode tried to argue that his consent had been limited in scope to investigation by the website operator, not the government, but the court was having none of it, instead finding that there was "no meaningful distinction" between the consent Bode had given (for the website operator to turn over information to the authorities) and what actually happened (the operator creating an administrator account for the investigator). This consent was therefore sufficient to allow Burdick's collection of evidence even if it was a Fourth Amendment search.

The government also argued that the website operator had "common authority" to consent to searches of its logs, but the court did not address this argument, having already found two grounds for denying Bode's motion to suppress. Had the court addressed the issue, it probably would have been able to find the site administrator, which had the right to examine its logs, also had the right to authorize their search under the common authority doctrine of United States v. Matlock, 415 U.S. 164 (1974) (finding common authority over shared room sufficient) and Frazier v. Cupp, 394 U.S. 731 (1969) (finding shared use of a duffel bag sufficient). In fact, since the operator could view the logs while ordinary users could not, I found this to be the government's strongest argument, and I am not sure why the court did not even address it.

Conclusion

In any event, this one banner did quite a bit of work: the court's denial of suppression almost certainly means Bode is out of arguments and will be convicted. And it likely means other users of the site will be (or already have been) prosecuted for similar crimes: one of Burdick's emails thanking the website operator for cooperating with the investigation mentioned that he had found "roughly 25 users" in the United States violating CP laws. So, while the website might be gone, the text of its banner may have even more work to do in the courts.

A Footnote

The Bode court also notes that the website operator who was willing to help with the investigation -- seemingly a decent character -- was later tried, convicted, and imprisoned in the Philippines for sex trafficking.

Read More

Cop's 1st Amendment retaliation claim fails; court does hold emails to news outlets were speech as citizen

In Smith v. County of Suffolk & Richard Dormer, CV 10-1397 (E.D.N.Y. Feb. 27, 2013), a federal district court held that a police officer's emails to outside news entities, which resulted (in part) in disciplinary actions against him, could not sustain a 1st Amendent retaliation claim under 42 U.S.C. 1983, the 1st Amendment itself, and Article 1, Section 8 of the New York Constitution. The "plaintiff claim[ed] he was retaliated against for his use of a police computer 'to speak his mind and express his opinion to members of the news media' about (1) the Department's policy of arresting unlicensed drivers and whether that policy contributed to racial profiling, and (2) the Martin Tankleff case."

First, it should be noted that these types of claims rarely succeed, because of the litany of elements a plaintiff must prove. The court summarized the test as follows:

Where, as here, a public employee brings a First Amendment retaliation claim, he must "bring forth evidence showing that he has engaged in protected First Amendment activity, he suffered an adverse employment action, and there was a causal connection between the protected activity and the adverse employment action." . . . If plaintiff can produce evidence supporting these three elements, the defendants can, nonetheless, prevail on their motion for summary judgment if the defendants are able to establish (1) that the same adverse employment action would have occurred "even in the absence of the protected speech," Mount Healthy City School Dist. Bd. of Educ. v. Doyle, 429 U.S. 274, 278, 97 S. Ct. 568, 50 L. Ed. 2d 471 (1977); . . ., or alternatively, (2) that the employee's speech was likely to disrupt the government's activities and the harm caused by the disruption outweighs the First Amendment value of the plaintiff's speech . . .The latter defense is known as the Pickering balancing test and is a question of law for the court. . . . Finally, even if the defendants prevail in the Pickering balance, plaintiff may still "carry the day" if he can show that the motivation for the adverse action was "retaliation for the speech itself, rather than for any resulting disruption." Reuland v. Hynes, 460 F.3d 409, 415 (2d Cir. 2006).

The interesting part of this case is that the plaintiff actually survived the Garcetti portion of the analysis; the court held that the plaintiff's communications to outside media organizations were done outside the scope of his employment and thus the speech was that of a citizen. This despite the fact that the information he was providing was about events intertwined with the police, and that he used the department's technology resources to "tip-off" outside media sources. The conduct in question was:

In the course of the forensic investigation, Sergeant Luciano discovered that a large number of e-mails from plaintiff's Departmental e-mail account were sent to various outside sources, including the news media, for non-business and/or personal reasons. . . . One such e-mail was to Christine Armario of Newsday on May 29, 2007, wherein plaintiff stated that with respect to the Suffolk County Police Department's policy concerning the arrests of unlicensed drivers, the Police Department was about to undertake a program that would lead to ethnic discrimination. . . In a further e-mail to Christine Armario on July 8, 2007, plaintiff criticized the Police Department and Chief Ponzo, stating "[y]ou let Chief Ponzo get away with that one in six comment and you've now given him a platform to perpetuate this myth. This has always been about racial profiling and you've been bamboozled into believing it's a safety issue. That is an obvious lie." . . . The investigation also uncovered an e-mail sent by plaintiff on January 16, 2007 to Jeffrey Toobin, a CNN commentator, giving him a "tip" about the Martin Tankleff case wherein he stated that the homicide detective may have helped planned the murder, orchestrated the cover up and had committed perjury; that the district attorney was up to his ears in ethical conflicts and appeared to be protecting the actual murderers; and that there was a long history of abuses by the Suffolk County Police Homicide Squad. . . .Plaintiff signed each of these e-mails as "Lieutenant Raymond F. Smith, Sixth Precinct." . . . 

The court quickly dispensed with the analysis of whether the speech involved matters of public concern, citing to a case holding that: "Where a public employee's speech concerns a government agency's breach of the public trust, as it does here, the speech relates to more than a mere personal grievance and therefore falls outside Garcetti's restrictions." The court then went on to analyze whether the emails to outside news organizations were speech as a citizen, or as an employee. The Court utilized the framework given in the 2nd Circuit case Weintraub, noting at the outset the major dilemma of whether "the speech at issue . . . was made 'pursuant to' plaintiff's official duties as a police officer or as a citizen":

On the one hand, Smith's speech occurred in the workplace, utilizing a police computer during work hours, bore an official signature reflecting plaintiff's position as Lieutenant Raymond F. Smith in the Sixth Precinct, and related to information concerning the plaintiff's employment as a police officer. On the other hand, Smith engaged in speech for which there is a "relevant citizen analogue" when he sent external e-mails outside the chain of command to the press and media. Weintraub, 593 F.3d at 203. In addition, the content of the speech was not directed toward the proper performance of plaintiff's own ability to execute his specific job duties as a police officer, but rather can be characterized as a broader policy-related commentary on the Department's policies and operations.

The court found it pertinent that "plaintiff's e-mails  referred to alleged misconduct, inefficiencies and corruption extending outside his own personal duties, and in the case of the e-mail regarding Martin Tankleff, affected a closed case in another department with which he had no personal interaction or job connection." The question is, does that really make the speech fall outside of his official duties as a police officer? The court said yes. In doing so, the court stated that the argument that "Smith's speech cannot be protected by the First Amendment because he used information acquired from his employment" was misplaced. As justification for this, and relying on Griffin v. City of New York, 880 F. Supp. 2d 384, 2012 WL 3090295(E.D.N.Y. 2012), the court opined:

the fact that a member of the general public would not have inside knowledge of alleged misconduct was "exactly the point[]"[in Griffin] because "[s]uch speech must necessarily be protected by the First Amendment to protect the public's significant First Amendment interest in receiving information about the functioning of government, to which they otherwise would not be privy." . . .Were [public employees] not able to speak on [the operation of their employers], the community would be deprived of informed opinions on important public issues. The interest at stake is as much the public's interest in receiving informed opinion as it is the employee's own right to disseminate it.  

To me, this is quite an expansive reading of Garcetti and the related jurisprudence in the area. The justification that the speech could be characterized as "a broader policy-related commentary on the Department's policies and operations" seems to pry open the door many thought shut after Garcetti. I like it, I just don't know how legally sound it is.

However, in the end, it did not matter because the court found that prior disciplinary actions against the plaintiff showed that the adverse employment decisions undertaken against him would have occurred regardless of the media contact noted above. So, a giant free speech win for a public employee, followed by the typical outcome in these types of cases - loss on summary judgment.

Read More

Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

In this second post, I will explain my reasons for believing the court's reasoning in Weindl was flawed. The Weindl case, as a quick recap, involved a principal (Weindl) who was caught with child pornography after using a laptop assigned to the son of an FBI agent (Auther); the laptop was returned by Auther with spyware on it. For my original write-up of the facts of the case, see: Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression. I also wrote a quick follow-up post about the coverage and misinformation regarding the case after I wrote about it. That can be found here: Weindl - FBI agent spyware v. principal attracts attention and misinformation.

First, let me address the "smell test." It seems extremely odd that when Auther took the computer to the FBI and asked "fellow agents for advice on how to wipe it clean" they "tried to remove all the files but were unsuccessful." Two things: (1) the FBI investigates a significant number of "cyber" cases using forensics techniques to recover deleted files and search through hard drives, uncover steganography, and analyze complex network traffic. Yet, they can't wipe a hard drive - something that a simple Google search will tell you how to do? Also, (2) Auther paid for and installed the spyware, knew the "hot-keys" to access the information it collected, and set it up to email him reports. Yet, once again, he could not uninstall that program, the most cognizable change he made to a machine he did not own?

In addition, he took it to a computer store to wipe all of the files, with a service order showing "reimage" and "clean out files" as the work to be done. I accept that a local service may not have been aware of the spyware to look for it in the first place, but reimage means just that, start all over again.  And, more interestingly, Auther did not even mention that he installed spyware on the computer to the computer shop. Wouldn't that program be the first thing you would mention when cleaning up a computer?

Also, the court seemed to be quite deferential to Auther when it accepted the argument that he was more concerned about leaving than investigating the principal. Perhaps that is true, but is it not equally likely that he suspected the principal of questionable activities and, before leaving, wanted to confirm his suspicions? After all, the FBI agent did say that he was aware of the Sandusky case and that what happened at Penn State motivated some of his later actions. That coupled with the two-time failure to remove the spyware smells funny.

But lets assume that all of the facts are true - just as the court did. I find it questionable that the court omitted any discussion regarding the license agreement of eBlaster, which requires you to agree to "use [eBlaster] only on a computer you own," an agreement Auther clearly violated when he installed it on a school-loaned laptop. The court also breezes over the likelihood that Auther violated policies of the school or the PSS laptop loaner program. I point this out because Auther is permitted to walk all over policies and procedures carte blanche, but Weindl's use of the laptop in likely violation of the rules of the loaner program was sufficient to wipe out his expectation of privacy completely. More on that later.

I think one of the most glaring errors of the court is the reasoning that opening the first four emails was not a search and instead was inadvertent conduct not under the color of law.  First, the court found that the search was only the activity of the spyware program collecting the data, and did not include the person on the other end viewing that information. I am not convinced you can draw such a black and white line. The Fourth Amendment (and by proxy the protection of privacy) has been held to protect against the intrusion of the process of a search as well as the discovery of the information it provides. If the latter were not an aim, the Fourth Amendment would never have been extended outside of property notions, as it was in Katz.

Thus, Auther's decision to open an email with a subject line that clearly indicated the email regarded information collected after he had returned the PC should have been held a search. Moreover, knowledge that the email could not regard his own or his son's activity does not make opening the email inadvertent. The definition of inadvertent is: "not focusing the mind on a matter : inattentive." The case indeed indicated that Auther recognized that the emails were providing information they should not have been because he believed the program had been removed and the computer was no longer in his possession. An example is illustrative: If I move into a new house on Royal Avenue on Tuesday, and on Friday I get a package addressed to "our lifelong neighbors on Royal Avenue," opening that package would not be inadvertent. I clearly know that I do not constitute the "neighbor" the package was intended for, since I moved in three days prior. Auther's opening of the email is no different. The subject line contained prima facie evidence that it was not intended for him and arose from improper means. Thus, the only reason he could have to open it would be to pry.

I am willing to concede, however, that one might reasonably argue that opening the first email would be inadvertent. Maybe he wasn't paying attention to the subject line. But, after reading the first, he should have known something was awry. To open the other three emails, after reading the first, would indicate one very important thing: that he was now acting as an officer of the law because of the information the email contained (evidence of someone accessing child pornography). To go back to my example, if I opened the first package without paying particular attention to the address line that said "to our lifelong neighbors on Royal Avenue," it may be reasonable to say I was just careless (or it was inadvertent). However, if inside that box are pictures of a family that I don't know, then when three more packages arrive addressed the same way and similar in appearance, a reasonable person would not open them. They would instead return them to whomever delivered them. Or, in Auther's case, contact the principal or the PSS program and indicate that the spyware he installed without authorization from either the school program or the software author was in fact still installed and had generated an email to him. An interesting question raised by the case is: if the spyware email hadn't contained evidence of CP access, would he have called the school to raise the flag on the spyware? One would think so.

The last significant problem with the case is the court's decision to deny standing to Weindl on the reasonable expectation of privacy issue. The court stated:

Sometimes, people delude themselves into thinking that they have a right to things that don't belong to them. . . . No evidence indicates that Weindl had a right to use, or himself had permission to use, a PSS laptop, even for school-related activities. Auther turned his son's laptop in to Weindl in Weindl's capacity as an agent for the school, not for Weindl's personal use.

Even if Weindl had a subjective (albeit unrealistic) expectation of privacy in the PSS laptop, it was not an expectation that society is prepared to endorse. An expectation of privacy does not become objectively reasonable just because a person hides someone else's property away in his office desk and does not let anyone else use it. A person cannot have a reasonable expectation of privacy in a computer he stole or obtained by fraud. 

The court justifies the last paragraph on two reasonable expectation of privacy cases: one involving a stolen computer (Wong), and one involving a computer obtained by fraud (Caymen). The court then states that "Weindl's case is similar to Wong and Caymen. Weindl misappropriated school property for his own personal use. Whatever expectation of privacy he developed in the contents of the laptop's hard drive and the keystrokes of Internet searches is not a legitimate one that society is prepared to accept. . . . The laptop was not assigned to Weindl and was not his office computer." I find the comparison to Wong and Caymen to be ill-advised. In both cases, the individual had either been convicted, or charged with obtaining the device by illegal means. Weindl did nothing of the sort, here. Additionally, in Caymen, where the defendant obtained the laptop by fraud, the court based its holding on cases from sister circuits regarding stolen cars. There is a theme here: stolen. Weindl did not steal, nor obtain anything by fraud. While he may not have had permission, he certainly was not doing anything illegal.

The Caymen court pointed out that a person who has stolen something lacks the property interests an owner has (the bundle of sticks) that define property ownership. Can the same be said for the laptop, here? Arguably, no. Weindl was permitted to have constructive possession of the laptop - something a thief would never have. Also, if the laptop had been stolen from the FBI agent's son and then recovered, it would likely have been returned to the principal (or someone under his authority). Granted, he lacked other property rights like the right to sell, but to analogize the computer to stolen property is off target.

Lastly, I believe the court was correct, technically, about the application of the Federal Wiretap Act: namely, that suppression is only for wire and aural communications in criminal cases. However, I find it fantastical to argue that placing spyware on an individual's computer isn't wiretapping. That the court had to cite to a 1978 case in support of this part of the holding is a clear illustration of the lack of coverage in this area. I hope that these facts present an opportunity for the 9th Circuit to directly address the issue and clarify that a "wire" communication should include such conduct. (Although maybe it is a legislative task, since to include what could be characterized as "electronic communications" within "wire communications" would arguably construe the civil portion of the law addressing "electronic communications" superfluous, something courts are reticent to do).

I am excited to see how the 9th Circuit handles this case. The facts of Weindl illustrate, as many other technologically centered cases do, the "play in the joints" of the law. And, with respect to the Wiretap Act, reflects the anachronistic nature of some federal statutes as applied to emerging technologies.

Read More