Cybercrime Review

1st Circuit holds that cell phone searches incident to arrest violate the 4th Amendment

2013-05-21T06:30:00.000-05:00

In United States v. Wurie, No. 11-1792 (1st Cir. 2013), the First Circuit held that the search of a cell phone incident to arrest categorically violates the Fourth Amendment. As a result, the court reversed the defendant's motion to suppress, vacated the conviction, and remanded the case.

While performing routine surveillance, a Boston police officer observed a man conducting what appeared to be a drug sale. The man was then stopped, and crack cocaine was found in his pocket. He was arrested, and upon arriving at the police station, two cell phones were confiscated from his person.

The phone soon thereafter received several calls, each displaying "my house" on the screen as the incoming caller. Police opened the call log and obtained the phone number for "my house." The number was entered into an online white pages directory, and officers then went to that location to "freeze" it while a search warrant was obtained. A large amount of drugs were seized from the home.

Before trial, the defendant moved to suppress the evidence obtained from his person and home, and the district court held that "[t]he search of Wurie's cell phone incident to his arrest was limited and reasonable." On appeal, the defendant reasserted his motion.

Having not yet dealt with the issue, the First Circuit extensively evaluated the potential effect of making cell phones searchable under the search incident to arrest exception. Here are a couple excerpts:

[Data stored on a phone] is the kind of information one would previously have stored in one's home and that would have been off-limits to officers performing a search incident to arrest.
Just as customs officers in the early colonies could use writs of assistance to rummage through homes and warehouses, without any showing of probable cause linked to a particular place or item sought, the government's proposed rule would give law enforcement automatic access to "a virtual warehouse" of an individual's "most intimate communications and photographs without probable cause" if the individual is subject to a custodial arrest, even for something as minor as a traffic violation.

As to whether the search was necessary to prevent destruction of evidence on the phone by remote wiping, the court discussed three methods for preserving the data and concluded:

Indeed, if there is a genuine threat of remote wiping or overwriting, we find it difficult to understand why the police do not routinely use these evidence preservation methods, rather than risking the loss of the evidence during the time it takes them to search through the phone. Perhaps the answer is in the government's acknowledgment that the possibility of remote wiping here was "remote" indeed.

Ultimately, the First found it necessary to create a uniform rule governing the search of cell phones incident to arrest, holding that "[a]llowing the police to search that data without a warrant any time they conduct a lawful arrest would, in our view, create 'a serious and recurring threat to the privacy of countless individuals.'"

The court did leave open the possibility for using the exigent circumstances exception in order to search a cell phone without a warrant, for example when there is a "compelling need to act quickly" such as to "locate a kidnapped child or to investigate a bombing plot or incident."

In a dissent, Judge Howard suggested a variety of reasons why the majority was incorrect, including that the caller from "my house" might have otherwise destroyed evidence in the home.

Featured Paper: Hacking Speech: Informational Speech And The First Amendment (Update)

2013-05-20T06:30:00.000-05:00

The Northwestern University Law Review's newest issue (a special edition recognizing Northwestern Law faculty member Martin Redish) offers an interesting piece by Andrea M. Matwyshyn titled "Hacking Speech: Informational Speech And The First Amendment." Dr. Matwyshyn is an assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School, a faculty affiliate of the Center for Technology, Innovation and Competition at the University of Pennsylvania School of Law, and an affiliate Scholar of the Center for Internet and Society at Stanford Law School. The abstract appears below:

The Supreme Court has never articulated the extent of First Amendment protection for instructional or “informational” speech—factual speech that may be repurposed for crime. As technology advances and traditional modes of speech become intertwined with code speech, crafting a doctrine that expressly addresses the First Amendment limits of protection for informational speech becomes pressing. Using the case study of “vulnerability speech”—speech that identifies a potentially critical flaw in a technological system but may indirectly facilitate criminality—this Article proposes a four-part “repurposed speech scale” for crafting the outer boundaries of First Amendment protection for informational speech.

Author's Update: I recently contacted Dr. Matwyshyn to expand a bit on her recent article for our readers. Here is what she had to say:

My goal with the article was to highlight existing gaps in the Supreme Court's jurisprudence that will present challenges as courts face future cases dealing with instructional/informational speech and technology. I also sought to propose one possible model for these judicial determinations. As vulnerability exploit markets, 3D printer drivers and other controversial categories of code become more prevalent, it is inevitable that a case of the type considered in the article will end up before the Supreme Court. The Court will then need to decide when, if ever, code crosses the line from protected speech into a regulable commodity and when, if ever, a release of code later used as part of a criminal enterprise constitutes a basis for criminal prosecution. I hope to reinvigorate the legal conversation around these topics.

7th Circuit dismisses CFAA civil claim for failure to satisfy $5,000 loss requirement

2013-05-14T05:00:00.000-05:00

This case focuses a bit more on the civil side of the Computer Fraud and Abuse Act (CFAA). In Modrowski v. Pogatto, the Seventh Circuit Court of Appeals demonstrates the importance of the value requirement of a civil suit under the CFAA. 18 U.S.C. § 1030(g) states, in relevant part, that

[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages . . .

Thus, a claimant who wishes to bring a civil suit under § 1030(c)(4)(A)(i)(I), as the plaintiff did in this case, must show that a CFAA violation resulted in the “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Now, under the CFAA, “loss . . . aggregating at least $5,000 in value” may seem quite easy. The CFAA broadly defines “loss,” 18 U.S.C. § 1030(e)(11), as

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

As Modrowski demonstrates, the $5,000 loss requirement is essential to a civil claim under the CFAA, specifically § 1030(c)(4)(A)(i)(I). Leon Modrowski was fired as the property manager for TAQ Properties and Capps Management in 2008. During his employment, Modrowski had merged his personal and business Yahoo! email accounts. When Modrowski was terminated, the employer “locked” Modrowski out of his account, thus preventing Modrowski from accessing his personal e-mails. When access was finally granted, “Modrowski discovered that several years’ worth of his personal correspondence had vanished.” As a result, Modrowski filed numerous claims, including a civil suit under the CFAA.

The district court granted the defendant’s motion for summary judgment after Modrowski failed to amend his complaint “to elaborate on the economic harm caused by the defendant’s actions.” The district court found that Modrowski failed “to offer ‘any evidence in response to defendant[‘s] motion, let alone evidence sufficient to raise a triable issue of fact.’”

On appeal Modrowski argued that “his obligation to point to evidence in his favor was never triggered, because the defendants failed to meet their initial burden of production.” The court notes that the defendants did not attempt to provide “affirmative evidence that negates an essential element of [Modrowski’s] claim,” but were attempting, successfully, to “following a ‘somewhat trickier’ path to summary judgment by asserting that the “[Modrowski’s] evidence [was] insufficient to establish an essential element of [Modrowski’s] claim.” The court’s focus on a “representative element of Modrowski's claims,” the $5,000 loss requirement, attempts to highlight the shortcomings of Modrowski’s argument

To prevail on his Computer Fraud and Abuse Act claim, Modrowski would have had the burden of proving that the defendants' actions “caused [a] loss . . . during any 1-year period . . . aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I). Were the defendants aiming affirmatively to negate that element—say, by asserting that the evidence irrefutably showed Modrowski's injury totaled only $2,500—the absence of citations to the evidence on record would be problematic. But that was not the defendants' strategy. They asserted that, if the case went to trial, Modrowski would be unable to produce evidence sufficient to meet his burden of proving that his injury exceeded $5,000. Modrowski counters that he was under no obligation to conduct formal discovery, and this is certainly true. See Praxair, Inc. v. Hinshaw & Culbertson, 235 F.3d 1028, 1032 (7th Cir. 2000) (“Discovery is costly and in cases in which the stakes are small, or there is a clearly dispositive legal argument, forbearing to conduct discovery is not negligence.”). But once the defendants pointed out the gap that they believed existed in Modrowski's case, he was obliged to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Modrowski could have come forward with affidavits from would-be business partners who were unable to contact him while he was locked out of his account; he could have submitted receipts reflecting the fees he paid to procure duplicates of lost financial and billing records; or perhaps he might have contented himself with a personal affidavit attesting to the number of hours he devoted to recovering his emails. See Butts v. Aurora Health Care, Inc., 387 F.3d 921, 925 (7th Cir. 2004) (court may consider self-serving affidavits at summary judgment if they are based on personal knowledge and set forth specific facts). Instead, he rested exclusively on his complaint, and this was plainly inadequate.

The $5,000 loss requirement for civil claims under the CFAA is a relatively broad requirement. However, as Modrowski highlights, a prospective claimant should be prepared to have some evidence that his or her loss can be valued at $5,000.

Interesting Note: Modrowski also brought a claim under the Stored Wire and Electronic Communications Act (18 U.S.C. § 2701) and the Federal Wire Tapping Act (18 U.S.C. § 2511). However, both were dismissed with prejudice by the district court because “Modrowski acknowledged that he voluntarily linked his personal account with the defendants' business account.”

Author's recommendation: Don't do that.

DOJ obtained Associated Press phone records; AP demands return and destruction of data

2013-05-13T22:26:00.001-05:00

The Associated Press announced today that the Justice Department obtained two months of telephone records from more than twenty AP office telephones just over a year ago. The DOJ notified the AP of the investigation on Friday. AP's President and CEO has "demanded the return of the phone records and destruction of all copies."

According to the AP, the process for obtaining records from news organizations is "strict."

A subpoena can be considered only after "all reasonable attempts" have been made to get the same information from other sources, the rules say. It was unclear what other steps, in total, the Justice Department might have taken to get information in the case.

A subpoena to the media must be "as narrowly drawn as possible" and "should be directed at relevant information regarding a limited subject matter and should cover a reasonably limited time period," according to the rules....

News organizations normally are notified in advance that the government wants phone records and then they enter into negotiations over the desired information. In this case, however, the government, in its letter to the AP, cited an exemption to those rules that holds that prior notification can be waived if such notice, in the exemption's wording, might "pose a substantial threat to the integrity of the investigation."

The full guidance from the DOJ is available in the department's United States Attorneys' Manual.

The investigation involves an attempt to find the source of a leak of classified information to the media.

Former Romney/Ryan intern charged with cyberstalking and internet extortion denied bail

2013-05-13T05:00:00.000-05:00

In United States v. Savader, 13-MJ-359 (E.D.N.Y. May 7, 2013), Magistrate Judge Gary R. Brown denied bail to Adam Savader because of the nature of his crimes (cyberstalking and internet extortion) and due to the "weaponized" nature of the cache of compromising pictures the defendant possesses. The court's reference to weaponization derived from the fact that the images of the 15 victims were in cloud storage, and thus "the cache of compromising photos, [could] be accessed from any Internet- enabled device on the planet," allowing Savader to perpetrate additional crimes or antagonize his victims further.

The Savader case was well publicized when it hit the news; see:

Politico, Adam Savader, ex-Romney intern, arrested for blackmail
New York Daily News, Former Romney campaign intern busted in nude-pics blackmail scheme

From the Politico article (to summarize):

A former intern for the 2012 Republican presidential ticket of Mitt Romney and Paul Ryan and for Newt Gingrich’s presidential campaign was charged with cyberstalking young women and blackmailing them into sending nude photos in federal court on Tuesday.
Adam Savader, a 21-year-old from Great Neck, N.Y., obtained nude photos of 15 different women and threatened to publish the photos unless the women sent him even more naked pictures, according to a criminal complaint. Some of the victims were Savader’s high school and college classmates.

The complaint was originally under seal, but was unsealed on April 23, 2013 by order of the court. The complaint plus additional documents from the E.D. of Michigan (where the charges were filed), can be viewed here:

Savader Docs (Complaint, Arrest Warrant, Docket, etc.)

While Savader was charged in Michigan, he lives in New York, hence the reason why the detention order (and reasoning) emanated from the Eastern District of New York. In beginning his determination, the EDNY Magistrate considered whether it was even proper to make a bail determination in New York instead of Michigan. In the end, the court held that the amended Rules of Criminal Procedure allowed the court to proceed, and indeed it makes sense to hold a bail hearing in the defendant's home district, where Savader could more easily provide information relevant to the bail hearing; namely, his community ties, etc.

As to the merits, the court noted that the case "present[ed] novel factual issues as well as the kind of legal challenges that often arise when applying traditional legal concepts to cases emanating from digital technology." I think that is the interesting part of this otherwise routine part of criminal procedure. What should the standard be for individuals charged with internet crimes, where access to a computer might be the only thing needed to perpetrate additional crimes, modify evidence, or in this case, antagonize victims further with compromising photos?

In this case, the court referred to it as a close call, but ended up siding with detention. I don't necessarily agree it was close. As the court noted: there were 15 victims, the defendant showed some acumen for technology (not enough to know Google Voice numbers can be tied to your IP address...), and the defendant held specific animus for some of the victims. Moreover, because the fruits of his alleged crimes were stored out on the internet, the temptation for him to access that material (for any reason at all, nefarious or otherwise), might have been too great (notwithstanding his family's assurances otherwise).

I will note that I think the analysis regarding bail should be different in hacking cases, where systems have been adequately secured and there is no further chance the defendant could reoffend. However, here, I don't think you can convincingly argue future crime/tampering/sexual gratification related to the cache of material is a non-issue.

Because I haven't seen much related to bail considerations for electronic crimes, I reproduce in full the court's reasoning, below:

Because the offenses charged do not appear to constitute crimes of violence as defined in the Bail Reform Act, see 18 U.S.C. §3156,3 the Government is limited to seeking detention under § 3142(f)(2)(B), to the extent it can establish that the defendant “presents a serious risk that [he] . . . will . . . threaten, injure, or intimidate, or attempt to threaten, injure, or intimidate, a prospective witness.” Thus, the determination turns on whether the defendant may attempt to threaten or intimidate potential witnesses, which, in this case, means the complaining victims.

Precise prediction of future human conduct represents an impossible task. Here, however, we can look at several indicators. First is the defendant’s capacity to threaten or intimidate the victims, both identified and unidentified. According to the Government’s proffer, agents uncovered evidence of an Internet cloud storage account that included files bearing names of the victims, presumably containing the photograph files used as part of the extortion. Notwithstanding the seizure of computer hardware from the defendant, the existence of this cloud storage suggests that, based on the information currently available, the defendant has possession of the cache of compromising photos, which can be accessed from any Internet- enabled device on the planet. Though electronic files do not generally constitute dangerous materials, in the context of this highly-unusual case, the defendant effectively “weaponized” these items, presenting a significant risk. Given the defendant’s demonstrated facility with computer technology, it would be all but impossible to fashion terms and conditions that would eliminate defendant’s access to these materials. Hence, like an individual with access to a secret cache of weapons, the defendant certainly maintains the capacity to intimidate or further injure the victims until these materials can be definitively located and secured.

The second factor is the defendant’s willingness to employ these materials to cause further harm to the victims. Of course, that he has done so in the past is one consideration. At the hearing, his counsel argued, persuasively, that the defendant would be a fool to violate a court directive contained in a release order, as it would mean almost certain return to jail. In addition, the mere exposure of the scheme may well make the defendant reticent to engage in additional similar conduct. As Justice Brandeis famously observed, “Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” However, the Government has presented evidence showing that this defendant – largely for reasons that are as yet undiscovered – maintained an animus against some of these victims for many years. Though the defendant is now 21, he has managed to hold a grudge against several victims since high school. This demonstrated drive on the part of the defendant forces me to conclude that there remains a serious risk that he will attempt to intimidate or further injure the victims, as long as those photos remain in his control.

Having concluded there is such a risk, the question is whether there are conditions which can remediate that risk. The Court notes that, at the bail hearing, defendant demonstrated substantial ties to the community. A large number of family members appeared at the bail hearing, representing three generations of his family, all of whom appeared willing and eager to assist in ensuring that the defendant will not engage in further wrongful conduct. According to his attorney, family members were willing to accompany him to school, attend classes with him, and take any other steps necessary to secure his release. Because of the unique circumstances of this case, I find that this support, though an important consideration, cannot overcome the serious risk of danger to the victims. As such, I directed the defendant be detained pending removal to the Eastern District of Michigan.

That said, I note that this was a close call, which could have easily resulted in a different outcome. As described above, these decisions must be made with deference to the charging district, which will have access to better information concerning the status of the compromising photographs, input from the victims, and the nature of the evidence. That court, therefore, will be in a far better position to evaluate the risk presented by the defendant, and should accord little weight to this determination.

NSA releases 642-page Internet research guide

2013-05-09T09:00:00.000-05:00

The National Security Agency recently released a 642-page guide titled "Untangling The Web: A Guide To Internet Research" under a Freedom of Information Act request. As the major purpose of the guide is to "help you understand how to use the Internet more efficiently," there isn't much in the document worth noting - perhaps made clear by the fact that the 642 pages are almost entirely unredacted.

There are sections about "Uncovering the 'Invisible' Internet" and "Internet Privacy and Security," but most of this information is common knowledge or significantly out of date (the guide was produced in 2007). However, the section on "Google Hacking" is interesting. Google hacking is "using clever but legal techniques to find information that doesn't belong on the public Internet." Here's one of the tips:

[S]earch by file type, site type, and keyword: many organizations store financial, inventory, personnel, etc., data in Excel spreadsheet format and often mark the information "Confidential," so a Google hacker looking for sensitive information about a company in South Africa might use a query such as:

[filetype:xls site:za confidential]

I wouldn't suggest spending time reading the whole thing, but it was worth a couple minutes. Maybe.

Breaking: Fed. judge denies motions to suppress in Rigmaiden; 4th Amendment, SCA case with Stingray use by FBI (Updated)

2013-05-08T14:16:00.001-05:00

In United States v. Rigmaiden, No. 2:08-cr-00814-DGC (D. Ariz. May 8, 2013), a federal district judge in Arizona denied all of the defendant's motions to suppress. The motions were related to searches, the FBI's use of Stingray, access to stored communications and IP addresses, etc. It is long, but worth the read. An excerpt (relating to the Fourth Amendment argument):

Given the unique circumstances of this case and the case law discussed above, the Court concludes that Defendant did not have a legitimate expectation of privacy in the aircard, laptop, or apartment procured through fraud. Defendant acquired these items by invading the privacy of the persons from whom he stole names, social security numbers, credit cards, and driver’s license numbers. Having utterly disregarded the privacy rights of Travis Rupard, Steven Brawner, and Andrew Johnson, not to mention the many other names used in his scheme, Defendant cannot now credibly argue that he had a legitimate expectation of privacy in the devices and apartment he acquired through the fraudulent use of their identities.

An excerpt (relating to the SCA argument):

Courts have rejected Defendant’s arguments that historical cell-site records cannot be obtained under the SCA. See, e.g., In re Application of U.S., 620 F.3d 304, 313 (3rd Cir. 2010) (holding that cell-site location information “is obtainable under a § 2703(d) order”); United States v. Graham, 846 F.Supp.2d 384, 396 (D. Md. 2012) (“It is well established that Section 2703(c)(1)(B) of the Stored Communications Act applies to historical cell-site location data.”); see also United States v. Skinner, 690 F.3d 772, 777 (6th Cir. 2012) (holding that locating defendant through a phone’s cell-site records is not a Fourth Amendment search). Contrary to Defendant’s arguments, federal courts consistently rely on Smith and Miller to hold that defendants have no reasonable expectation of privacy in historical cell-site data because the defendants voluntarily convey their location information to the cell phone company when they initiate a call and transmit their signal to a nearby cell tower, and because the companies maintain that information in the ordinary course of business. See United States v. Ruby, No. 12CR1073 WHQ, 2013 WL 544888, at *6 (S.D.Cal. February 12, 2013); Jones, 2012 WL 6443136, at *5 (D.D.C. 2012); Graham, 846 F.Supp.2d at 397-401; United States v. Madison, No. 11-60285-CR, 2012 WL 3095357, at * 8-9 (S.D.Fla. July 30, 2012).

...

Defendant argues that the government was able to use the cell-site information to effectively track his aircard from June 10 to July 18, 2008, a period of 38 days, and that this “prolonged surveillance” implicated his reasonable expectation of privacy. Doc. 824 at 215- 17. Defendant relies on United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), and United States v. Jones, 132 S.Ct. 945 (2012), but those decisions are inapposite. They do not address orders under the SCA, and the Supreme Court in Jones did not adopt the privacy theory advanced by Defendant.

...

In this case, a government agent, working in his office with the historical cell-site information and using mathematical and triangulation techniques, was able to calculate a general location for Defendant’s aircard during a 38-day period. The calculation narrowed the location of the aircard to one-quarter of a square mile. The Court cannot conclude that such use of cell-site information, obtained from a third party under the SCA, is tantamount to attaching a GPS device to a person’s vehicle. Calculations made from the historical cell- site information did not provide minute-by-minute intelligence on Defendant’s precise movements as did the GPS device in Maynard. The calculations merely identified a general area where the aircard was located – and stationary – for 38 days. The information was not used surreptitiously to track Defendant’s movements over an extended period without a warrant.

For some background, see:

--Kim Zetter, Wired, Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

--Vanessa Blum, The Recorder, Emails Detail Northern District's Use of Controversial Surveillance

Update 1:

--Here is the EFF/ACLU Amicus Brief in the case

Update 2:

--Kim Zetter's new post is up: Judge Allows Evidence Gathered From FBI’s Spoofed Cell Tower

Update 3:

--Orin Kerr has his take up, here: District Judges Divide on Long-Term Cell Phone Tracking Under the Fourth Amendment (he also discussed Powell another SCA/4th Amendment case)

Featured Paper: Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow

2013-05-08T13:13:00.001-05:00

Stephanie K. Pell has posted a new paper on SSRN entitled: "Jonesing for a Privacy Mandate, Getting a Technology Fix--Doctrine to Follow." Hat-tip to Chris Soghoian for mentioning it on Twitter. The article abstract is below:

While the Jones Court held unanimously that the government’s use of a GPS device to track Antoine Jones’ vehicle for 28 days was a Fourth Amendment search, the Justices disagreed on the facts and rationale supporting the holding. Beyond the very narrow trespassed-based search theory regulating the government’s attachment of a GPS device to Jones’ vehicle with the intent to gather information, the majority opinion does nothing to constrain government use of other tracking technologies, including cell phones, which merely involve the transmission of electronic signals without physical trespass. While the concurring opinions endorse application of the Katz reasonable expectation of privacy test to instances of government use of tracking technologies that do not depend on physical trespass, they offer little in the way of clear, concrete guidance to lower courts that would seek to apply Katz in such cases. Taken as a whole, then, the Jones opinions leave us still jonesing for a privacy mandate. As of the writing of this Article, Congress has not been successful in passing legislation that would regulate government use of tracking technologies. A third regulator of government power has emerged, however, in the form of technology itself, specifically in new(ish) methods an individual or group of individuals can use to make it more difficult, in some cases perhaps impossible, for law enforcement to obtain the information it seeks. While waiting for more definitive action from the courts and Congress, such “privacy enhancing” anonymization and encryption technologies can provide a temporary “fix” to the problem of ever-expanding police powers in the digital age, insofar as they make law enforcement investigations more difficult and expensive, thereby forcing law enforcement to prioritize some investigations and, perhaps, de-emphasize or drop others. Moreover, at a time when cybersecurity is a national security priority and recommended “best practices” include the use of encryption technologies to protect, among other things, US intellectual property, law enforcement is likely to face continued instances of “Going Dark” as it attempts to intercept communications in the face of the increasing availability and use of encryption technologies. As Congress considers possibilities for expanding law enforcement interception capabilities, it will be forced to accommodate the complex dualistic properties of technologies that, on one hand, bolster our national security against certain kind of threats while, on the other, they limit or thwart law enforcement’s ability to fulfill its traditional public safety function of investigating crimes.

"Revenge porn" website owner offers to close site if he raises $200,000

2013-05-08T06:30:00.000-05:00

There was a time when people ended a relationship and moved on with their lives. Nowadays, with digital cameras and the Internet, it is much easier to seek revenge for all of the wrongs you experienced. For those of you unaware, "revenge porn" is the term applied when a person posts nude images of someone they know on the Internet - often doing so after the end of a relationship.

Several revenge porn websites have come and gone, but one website owner has recently made headlines by offering to shut down his websites after he raises $200,000. According to Betabeat.com:

Mr. Brittain has devised a new scheme to flout the desires of victims who want him to take down their intimate photos. He and Is Anybody Down co-owner Chance Trahan have launched an Indiegogo campaign with a goal of $200,000, claiming that if they hit their goal they will officially shut down both sites. And they’ve named their campaign after revenge porn victim Holly Jacobs’ victim resource hub, End Revenge Porn.

Here are a few related links:

'I'm tired of hiding': Revenge-porn victim speaks out over her abuse after she claims ex posted explicit photos of her online
Criminalizing “revenge porn” - discussion of what different groups and legislatures are doing to try to shut it down
Revenge porn: the fight against the net's nastiest corner

Defendant argues WI child porn law unconstitutional; if you're texted CP and open it, are you guilty of possessing CP?

2013-05-07T16:53:00.001-05:00

Could someone texting you child porn, a text you unwittingly open, get you charged with a felony? Also, is it fair to charge adult males with child porn possession but not the underage females that texted the images to them, if they both technically possess child pornography? The case below raises both issues.

In State v. Perino, No.'s 2012-CF-0217, 2012-CM-0116 (Wis. Cir. Ct. filed Jan. 18 & Feb. 23, 2012) the defendant is charged with two counts of possessing child pornography (2012-CF-0217 - link has case history) and two counts of sex with a minor over age 16 (2012-CM-0116). In March of 2013, the defendant filed three motions to dismiss based on the following: (1) that the charged statute (Wis. Stats. § 948.12, see infra) is unconstitutionally vague and overbroad, as applied; (2) that the images are not "lewd" as required by the statute; and, (3) that the prosecutor is selectively prosecuting the case.

Copies of the Wisconsin Circuit Court documents:

1. Defendant's Motions
2. Prosecutor's Responses

The defendant was later indicted in federal court, as well, where he was "charged . . . with one count of producing child pornography and [the indictment] refers to two victims A and B. Four other counts appear to refer to the same former student in the state charges, and a sixth count seeks forfeiture of Perino's computers and cellphone." (Vielmetti, infra). You can find the indictment, here: E.D. Wisconsin Perino Indictment

State of Wisconsin Case

Wis. Stat. § 948.12 states:

948.12 Possession of child pornography.
(1m) Whoever possesses, or accesses in any way with the intent to view, any undeveloped film, photographic negative, photograph, motion picture, videotape, or other recording of a child engaged in sexually explicit conduct under all of the following circumstances may be penalized under sub. (3):
(a) The person knows that he or she possesses or has accessed the material.
(b) The person knows, or reasonably should know, that the material that is possessed or accessed contains depictions of sexually explicit conduct.
(c) The person knows or reasonably should know that the child depicted in the material who is engaged in sexually explicit conduct has not attained the age of 18 years.

Bruce Vielmetti has a good synopsis of the case in his Journal-Sentinel article - Lawyer wants girl charged for nude photos she sent to teacher:

The attorney for a former Hales Corners teacher facing charges he had sex with a female student has asked a judge to charge the girl with distributing child pornography - for sending nude photos of herself to the teacher.
...
Craig Perino was charged in Racine County in January 2012 with two counts of sex with child 16 or older, both misdemeanors. According to the complaint, he and the girl had encounters last year at his home in Waterford that involved drinking and intercourse.
A month later, prosecutors added two counts of possession of child pornography, both felony offenses, after nude photos of the girl were found on Perino's phone and computer. He has pleaded not guilty to all the charges.
…
Perino's attorney, John Birdsall, has moved to dismiss the child pornography charges on several grounds. He argues the statute is unconstitutionally vague and overbroad because it makes anyone who might open and view an unsolicited texted or emailed image of child pornography subject to criminal prosecution.

Birdsall also argues that the texted photos, while nude, are not "lewd" under the statute.

Finally, Birdsall asks that the charges be dismissed because they represent selective prosecution. His motion notes that the girl was 17 when she reported her sexual encounters with Perino and is 18 now. If the prosecutors believe the images amount to child pornography, the girl should be charged as an adult with producing, distributing and possessing them, the motion states.
…
Refusing to charge the girl, Birdsall argues, amounts to an admission by prosecutors that the images are not in fact lewd under the Wisconsin statute and therefore don't support the child porn charges against Perino.
…
In his responses to Birdsall's motions, Assistant District Attorney Robert Repischak argued that the issues were raised too late, that the question of whether the photos are lewd is one a jury should decide, and that Perino's constitutional challenge relies on hypothetical situations that differ from his own.

"The defendant seemingly forgets" that he told an investigator he had stored images on his employer's computer and deleted them once he learned of the investigation and that he "clearly . . . was not an unwitting recipient of the images at issue," Repischak said in his written response to the motions.

Part 1 (The Facts): CFAA case to test the EFF's proposed reform language

2013-05-06T11:45:00.000-05:00

In this first post I will outline the relevant facts of the Fidlar case and how the facts present an interesting issue for the proposed CFAA reform language of the EFF (and Rep. Lofgren). At the end of this post, I note EFF Attorney Hanni Fakhoury's initial take on the case.

In the second post I will offer my own take. I will then propose some changes to the reform language that would clarify the issue. I will conclude by taking a step back and opining on whether the CFAA should even apply to this kind of contractual dispute, and if so, in what circumstances. Spoiler - I will propose a presumption.

A case in the federal District Court for the Central District of Illinois is worth keeping an eye on if you are interested in the evolution of the CFAA from an anti-hacking statute to one used to enforce terms of service agreements, employee disloyalty, and also contractual disputes.

First, as a point of reference, consider the EFF's proposed language to amend the CFAA (emphasis added):

(6) The term “access without authorization” means to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data.

The term “without the express or implied permission” does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer.

This language was adopted in some form in Rep. Lofgren's CFAA reform bill. For Orin Kerr's take on these proposals, see here: Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples, and here: Drafting Problems With the Second Version of “Aaron’s Law” from Rep. Lofgren.

Back to the case at hand, here is the alleged offense in the complaint from Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 4:13-cv-4021 (C.D. Ill. Mar. 13, 2013) (emphasis added):

17. In or around 2012, LPS created one or more computer programs, the sole purpose of which were to mimic the interface between Fidlar’s user-interface software and Fidlar’s server software. The mimicked program allowed LPS to fraudulently present itself to Fidlar’s server software as though it had gained access through the Laredo user-interface, but without the attendant user controls.

18. Fidlar’s server software programs are designed to prevent Fidlar’s customers from accessing those servers by any means other than through Fidlar’s software.

19. Fidlar does not train, promote, or explicitly publish, nor intend to publish the techniques necessary to access Fidlar’s server software directly and circumvent the Fidlar user-interface software of Laredo or Tapestry.

20. Specifically, LPS created mimic software that allowed Defendant to fraudulently obtain documents electronically and search at a higher rate and volume than would otherwise be possible.

21. This mimic software program that LPS created, allowed Defendant to gain fraudulent access to Fidlar’s server software and bypass user controls embedded in the Laredo program. In this manner LPS fraudulently obtained documents that Fidlar server software had retrieved from governmental databases.

Later in the complaint, Fidlar alleges that LPS's use of this mimicked interface allowed LPS to access documents that they would normally have to pay for; caused a burden on Fidlar's servers that damaged their operations; prevented Fidlar from being able to track LPS's use; and, caused damages in excess of $80,000. Relating to damages, the complaint states: "As a result of Defendant’s unauthorized use of Fidlar’s computers and computer servers, Fidlar has been damaged in excess of $5,000 in the past calendar year. . . . To date, Fidlar has incurred economic damages in excess of $80,000 in attempting to determine the extent of Defendant’s fraudulent invasion of its computers and computer servers, and those damages are ongoing and increasing."

Fidlar’s complaint does not allege what specific section of 18 U.S.C. § 1030 LPS violated, but the language in the complaint reiterates the phrase "without authorization" (i.e. "Defendant has engaged in a pattern of unauthorized access of Fidlar’s computers and computer servers, in order to intentionally obtain information from Fidlar’s computers"); thus "without authorization" will be the focus of the analysis in my next post.

After reading the complaint, the next logical question is whether any language in the license agreement directly applies; it can be found here: Exhibit A - Fidlar Technologies Laredo End User Agreement. In my opinion it doesn't say much that is helpful to this dispute. The bulk of the agreement relates to Fidlar's protection of its intellectual property; I do not see any limiting language on how a customer may access the database. Feel free to correct me.

Unsurprisingly, LPS's side of the story is quite different. Its Motion to Dismiss for Failure to State a Claim (filed Apr. 8, 2013) (emphasis added & internal cites omitted, except where relevant) states:

Fidlar’s CFAA claim fails for two reasons: 1) LPS was authorized to access Fidlar’s computers, and 2) Fidlar does not allege that it suffered “damage” or “loss” as those terms are defined by the CFAA.

a. LPS was authorized to access Fidlar’s computers.

Fidlar’s complaint explicitly concedes that LPS has been a customer of Fidlar “since at least 2009 using the Laredo program and has installed the Laredo program on its own computers.” The complaint further admits, “LPS has purchased Laredo licenses in 76 counties where Fidlar has provides [sic] access to documents.” In other words, LPS had paid for and was granted authorization to access the data on Fidlar’s servers relating to those counties.

Even though LPS was authorized to access Fidlar’s servers, Fidlar complains that LPS went about it the wrong way. Specifically, LPS did not employ an individual to manually review the documents one at a time. Instead, LPS employed a computer program that allegedly circumvented controls that Fidlar claims were in place to “prevent customers from electronically capturing and downloading documents” instead of paying for copies.

As a matter of law, these allegations do not constitute “intentionally access[ing] a computer without authorization.” The term “without authorization” means “without any permission at all.” AtPac, Inc., 730 F. Supp. 2d at 1179 (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009)). On this issue, the decision in State Analysis, Inc. v. American Financial Services Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009) is particularly instructive. There were two defendants in State Analysis: the first was alleged to have accessed the plaintiff’s website using usernames and passwords that did not belong to it and to which it had never been given lawful access, while the second was alleged to have misused the passwords with which it had been entrusted. The court allowed the CFAA claim to proceed against the first defendant, but granted the second defendant’s motion to dimiss, explicitly holding that while use of an unauthorized password to access password- protected content may constitute a CFAA violation, a mere allegation that a defendant “used the information [which it had been given lawful authority to access] in an inappropriate way” did not state a claim for relief.

Fidlar wrongly contends that authorized access becomes unauthorized if the user violates contractual or embedded limitations on the use of the data (i.e., saves the images rather than printing them out). This is not the law. . . .

The logic here is simple. By its terms, the CFAA only addresses access to electronically stored data as opposed to the use of that data. . . . [FN1]

[FN1] - The only Seventh Circuit decision LPS could find that touches on the definition of “authorized access” is International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006), but it is inapposite. In that case, the Court held that an employee’s authority to access his employer’s computers ceases when he decides to leave his job, go into competition against his employer, and abandon his duty of loyalty.

In short, LPS had authority to access Fidlar’s database of public records and Fidlar’s claim to the contrary is not plausible. LPS did not violate the CFAA merely by saving images of those public records instead of printing them. In fact, this conduct is not even a breach of Fidlar’s user agreement that a Laredo user must accept before accessing a county’s records through Laredo. A true and correct copy of a Fidlar user agreement is attached as Exhibit A, and the Court may consider it on a Rule 12(b)(6) motion because it is referenced in the complaint and Fidlar’s user agreement is central to Fidlar’s claim. . . . Nothing in the User Agreement prohibits any of the conduct alleged in the complaint. Thus, even if Fidlar attempted to rely on the User Agreement to argue that LPS lacked authorization to access the data in the manner that did, it would still not violate the CFAA.

b. Fidlar does not allege damage or loss under the CFAA.

...

Fidlar’s complaint does not even attempt to allege it suffered “damage.” Fidlar’s complaint only alleges that it became “aware of a strange usage pattern” related to LPS’s licenses, and as a result, “audited several LPS accounts to determine account activity.” Notably, Fidlar alleges that LPS’s conduct only “continues to threaten to overload those servers” and “continues to be able to disrupt Fidlar’s operations.” There is no allegation that LPS’s conduct actually caused Fidlar’s servers to crash, overload, or otherwise malfunction. Indeed, it is the lack of activity recorded on Fidlar’s servers that underlies its complaint.

Thus, Fidlar may only maintain a civil action for CFAA violations if it suffered a “loss.” As the statutory definition makes clear, its claim for unpaid printing charges is not recoverable. Lost revenue and consequential damages are only losses if they were caused by an interruption in service. 18 U.S.C. §1030(e)(11).

The only allegations in Fidlar’s complaint that even approach the definition of loss relate to its investigation into LPS’s access. This investigation, however, was not into an interruption in service, destruction of data, or impairment of a program. Instead, it was an investigation into unpaid printing charges and unmonitored usage. The cost of this type of investigation does not meet the statutory definition of loss.

The court has not yet ruled on LPS's motion to dismiss. There have been counterclaims, motions for temporary restraining orders, and issues related to discovery. If the MTD is denied (which seems likely), or granted before I get the next post up, I will pass that on immediately.

As stated above, I mentioned this case to Hanni Fakhoury, Staff Attorney at the Electronic Frontier Foundation. Here are his comments (emphasis added):

I read the complaint and the MTD portions re: the CFAA claim . . . sounds very much to me like Nosal (re: use v. access) and Facebook v. Power Ventures (https://www.eff.org/cases/facebook-v-power-ventures).

I think the issue comes down to whether LPS violated a code-based restriction on access to that data or a contractual restriction, and the complaint and MTD don't really shed much light on that point (other than to claim it wasn't a violation of the contractual terms of service). Interesting case and a good find. It also provides an opportunity for the court to decide whether Citrin applies beyond the employment context.

Assuming that the End User Agreement (Exhibit A) is the only document governing the relationship between Fidlar and LPS, I can't see how this comes down to a contractual dispute in isolation (or if that guides the court's decision much, except to say that the contract is void of informative language). Therefore, I see this as being forced under the CFAA and hence why the case should be interesting to watch.

Last note (if you didn't read the complaint in its entirety) - The other causes of action in the complaint are a violation of the Illinois Computer Tampering Statute and common law trespass to chattels.

Court overlooks "sloppiness" in GPS expert testimony; Others also address GPS and Jones issues

2013-05-02T06:40:00.000-05:00

Many courts continue to deal with GPS and Jones in interesting ways. Here are some summaries from recent cases:

In United States v. Khan, No. CR-S-10-175 (E.D. Cal. 2013), the defendant argued that inconsistencies between a GPS log and a report of active surveillance from law enforcement created doubts about the accuracy of the evidence. The court found that the "drafting is incredibly sloppy but its sloppiness is not material." Even if the GPS tracking data had not been used, probable cause would have still existed.

In Pina v. Morris, No. 09-11800 (D. Mass. 2013), Pina brought an action under the Federal Civil Rights Act, arguing various rights violations. At trial, the definition of the word "search" was given as "a government intrusion upon 'a reasonable expectation of privacy.'" Pina had argued that a "'trespass' definition" under Jones was necessary to complete the definition, but the court disagreed. In the civil suit, the court found that Pina did not meet the standard for a new trial and that "it is difficult to see how it would have made any difference."

In State v. Lagrone, No. 49A05-1203-CR-135 (Ind. Ct. App 2013), the officers had taken a package of marijuana from UPS, added a GPS device and parcel wire, and had the package delivered. They then followed the defendant to his home and forced entry into the home after the wire signaled that the package had been opened. Because the device was attached before it was in the defendant's possession, the tracking was only 10 minutes, and they were also visually surveilling him, Jones was distinguishable. Further, applying Jacobsen, the opening and repackaging of the package did not violate a privacy interest. Further, applying Knotts and Karo, the transmission of information did not violate the Fourth Amendment.

In United States v. $2,599.00 in US Currency, No. 7:11-CV-192-BR (E.D.N.C. 2013), the court held that the Supreme Court's decision in Jones "did not negate the long-held principle that an individual must show some subjective expectation of privacy in order to have a basis for challenging a search." The claimants were arguing that Jones gave them standing under its trespass theory because the person authorizing the search of a safe "did not have a key."

Forensic Fraud: Now Available on Daytime TV - A frank discussion about the admissibility of photo and video enhancement testimony

2013-05-01T05:30:00.000-05:00

For years, Hollywood has perpetuated the myth of photo and video enhancement. According to Hollywood and its all-too-convenient plot points, a mere click of a computer’s “enhance button” transforms any grainy image into a clear, focused picture with perfect resolution (there also has to be a serious woman in glasses looking over the person operating the computer’s shoulder shouting “enhance. . . enhance . . . enhance” in order for this to work). In reality, this is fundamentally impossible. Hollywood ignores the fact that every photographic image is composed of pixels, and once a photo is enhanced to where it is fully pixelated… all that the viewer can see are the pixels. You can see nothing but blocks of color, and one certainly cannot see something that was completely undetectable to the naked eye. The majority of the scientific community has been in on the joke, even generating Internet memes ridiculing Hollywood’s scientifically-inaccurate portrayal of video and photo enhancement. Unfortunately, American courts seem to be the only ones left out of the joke, frequently admitting video and photo enhancement evidence that is nary more than forensic fraud.

If movies were scientifically accurate...

I recently came across this type of evidence in an unexpected place: the Jodi Arias trial; and my trip to the most widely-publicized trial in the country led me to reflect upon video enhancement testimony, slippery slopes, and forensic fraud.

For those of you who have jobs, families, or hobbies, Jodi Arias’s murder trial is the trial du jour for bored housewives and retirees. Broadcast every weekday on Court TV for almost four months, the facts of the case are more tawdry than any romance novel lying at the bottom of the K-Mart bargain bin. Essentially, Jodi Arias dated Travis Alexander on-and-off for a few years. She was a good looking woman with a proclivity for stalking; he was an equally good looking man with a fatal attraction to crazy women. Sordid details about the couple’s sex life have become the thrust of the evidence at trial. Their relationship ended unamicably when Arias stabbed Alexander twenty-nine times, slit his throat from ear to ear, and shot him in the chest three times. Naturally, she claims the killing was self defense.

The trial is being held close to my hometown, and a friend invited me to ride with him to see it. Not one to miss government-funded panem et circenses and never having attended a high-profile trial, I agreed. Before I went to the trial, I had very little knowledge about the facts of the case. Anything I did know about it, I had gleaned from reports on my local news channel. But, after I arrived, the other attendees seemed more than excited to discuss the “complex legal issues” of the trial with me. In this situation, “complex legal issues” was a euphemism for Jodi Arias’s sex life, the great significance of a planned trip to Cancun in establishing a motive for the killing, and the prosecutor’s dashing good looks (personally, I do not see it). I did not have high hopes for my day at the trial, and my fellow spectators seemed more interested in fist fighting, criticizing the public defender’s tie, and getting the prosecutor to autograph their walking canes than an intellectual discussion about the current state of our justice system.

In any event, my fellow attendees informed me that I had picked a bad day to come to the trial. We would only get to see one naked picture of the victim that day, and we would not likely learn any new, salacious details about the couple’s sex life. The judge had scheduled a Rule 702 hearing for most of the morning. My interest was peaked. At issue was an expert’s enhancement of this photo:

Before the killing, Arias and Alexander took numerous pictures of each other in compromising positions. This photograph had been the last one Arias snapped of Alexander alive, the killing occurred mere seconds after she took the picture. The defense sought to admit the testimony of a photographic enhancement expert, who, by his own account, was able to enhance the photograph in order to see a clear reflection of Arias in the victim’s eye. According to the expert, Arias was standing a few feet away from Alexander, holding the camera with both hands at the time the picture was taken; and he further asserted that he could state with scientific certainty that she was not holding either a gun or a knife. There was no evidence corroborating the reliability of the expert’s testimony or establishing a statistical rate of error. In other words, defense counsel failed to show that this evidence conformed to the strictures of Rule 702. Thus, for the purposes of a 702 analysis, it is fact that this testimony was non-admissible pseudo-science.

The defense counsel thought this testimony was relevant to corroborate Arias’s theory of the case: that she had killed Alexander after she dropped his camera on the tile bathroom floor and he aggressively charged at her.

The “enhanced” eye reflection

The resulting image of Arias holding a camera. Looks like the Stay Puft Marshmallow from Ghostbusters to me.

The prosecutor balked at the admission of this evidence. According to him, the enhancement evidence was “voodoo” and “fantastical.” It is quite clear that, given a strict application of Rule 702, this evidence should not be admitted. Without the expert’s drawing, do you clearly see a figure holding a camera? Can you eliminate as a matter of scientific certainty that the figure is not also holding a gun or a knife?

In the end, the expert’s testimony was not admitted. After an hours-long, closed door hearing, the parties agreed to stipulate that Arias was not holding a gun or a knife when the picture was taken. Evidentiary crisis averted.

Yes, this is where the CSI Effect has left the state of evidence in America’s courtrooms. Based upon Hollywood plot-driven fiction, the American public, and thus the jury pool, has been convinced that any crime can be solved by a computer nerd and his trusty MacBook. It seems that the imagination, and not Rule 702, is the only limit upon what is admitted into courts. Experts are now “enhancing” the photographed reflection in people’s eyes.

Even if the evidence had been admitted at the Arias trial, the impact would be minimal. Arias admits to killing Alexander, and most of the evidence presented by defense counsel is aimed at mitigating the crime so that Arias escapes the electric chair. But, just because it would not cause a serious miscarriage of justice in this particular trial does not mean that it is a good omen. Unfortunately, the Arias trial may only be a harbinger of things to come. Whereas the evidence in Arias’s case was introduced to corroborate her self defense claim, there is a very dangerous flip-side to the CSI Effect: prosecutors armed with false or dubious “forensic” evidence using it to obtain slam dunk convictions. It is a story as old as time, or, at least, the CSI franchise. It is only a matter of time before prosecutors start hiring the Arias photo enhancement “expert” as well as other with even more dubious scientific chops. For example, it is an eventuality that prosecutors will seek to admit this expert to testify in child pornography cases, in order to identify the person who produced the contraband. The slippery slope of this type of evidence is scary, and the end result is not a good one. It will almost certainly result in innocent people serving jail time, as all non-scientific forensic testimony eventually does.

Mississippi dentist enhances video for body language with inaccuracy "less than ... Jesus"

Take, for example, the case of Leigh Stubbs and Tammi Vance in Lincoln County, Mississippi. After successfully completing a drug rehabilitation program, Stubbs and Vance decided to travel to Louisiana with their friend, Kim Williams. With Stubbs staying sober at the wheel, the women made pit stops at Williams’s boyfriend’s house for Oxycontin and various gas stations for beer. Unsurprisingly, the women did not make it to Louisiana according to schedule and got waylayed in Lincoln County, Mississippi. They decided to stay the night at the local Comfort Inn. The next day, Williams was completely unresponsive as a result of a drug overdose. Stubbs and Vance called the hotel front desk and performed CPR on Williams until paramedics arrived. When she arrived at the hospital, Williams was comatose and was suffering from various, odd injuries.

The district attorney decided to indict the women on four counts: (a ) conspiracy to possess morphine; (b) grand larceny; (c) unlawful possession of morphine; and (d) aggravated assault. The only problem? He had no evidence supporting the charges; the alleged victim could not remember a thing. Undeterred, the district attorney called Michael West, a Mississippi dentist who moonlit as a forensic witness for the prosecution. Really, there were no limits to the types of forensic testimony that Michael West was willing to supply to Mississippi prosecutors; he was the Wal-Mart of witnesses: he would testify a little bit about everything, but the quality of the testimony was not particularly good. He routinely testified as a wound pattern expert, a trace metals expert, a gun shot residue expert, a gunshot reconstruction expert (he once performed a ballistics analysis by shooting dogs from the pound), a crime scene investigator, a blood spatter expert, a "tool mark" expert, a fingernail scratch expert, and an expert in "liquid splash patterns." Most famously, he testified as a bite-mark expert, where he would match bite-marks on skin to plaster dentitions. As for his error rate when engaging in this “forensic science?” He testified that it was “something less than my Lord Jesus Christ.” How about that for meeting your burden under Rule 702?

The testimony West presented at Stubbs’s and Vance’s criminal trial was nothing short of unbelievable. Of course, being Michael West, he claimed to have found a bitemark on the alleged victim’s hip. To the surprise of absolutely no one, he was able to “match” it to one of the defendants. But, he did not stop at bitemark testimony. He also claimed to “enhance” a surveillance video of the hotel’s parking lot, using his home computer and Photoshop. He testified that his abilities to “enhance” the video allowed him to view Stubbs and Vance as they engaged in inculpatory acts, namely, lifting the Williams’s body from the in-bed toolbox of Stubbs’s truck and carrying it into the hotel room where she was discovered comatose and injured the following day. West then testified that using his enhancement software, he was able to determine that the figures entering and leaving the frame in the video were wearing different clothing (one wearing shorts, the other wearing blue jeans) and were two different women, thus incriminating both Stubbs and Vance.

West further claimed he could actually read the body language of one figure in the footage, that she appeared "anxious," and was exhibiting the sort of adrenaline-fueled "fight or flight" response one shows after committing a crime.

According to West, anyone with spare time and a home computer was qualified to be an expert witness in photo and video enhancement. “[Before,] I would have to send photographs off to the FBI . . . [and it would] cost us $20,000 to get them back and enhanced. Now you can sit at home, with your own computer, with $1000 software and do enhancements that used to only NASA could do . . . And that’s what we did in this case.”

Based entirely upon West’s testimony, Stubbs and Vance were convicted on all four counts and sentenced to forty-four years in the State penitentiary, the statutory maximum.

If you are thinking to yourself that West’s testimony smells fishier than a Long John Silver’s during Lent, that is because it is. Almost a decade after Stubbs’s and Vance’s convictions, Stubbs’s father filed a Freedom of Information Act request with the FBI, inquiring as to whether the Agency processed any of the evidence in his daughter’s case. The FBI returned a report it prepared after analyzing the surveillance footage, a report that was prepared before Michael West was hired to “enhance” the surveillance video. The Agency's report found nothing incriminating in the footage. It repeatedly points out that the quality of the recording is insufficient to tell for certain how many people are depicted in the video, much less determine their identities or what sort of clothing they're wearing. The report also makes no mention of anyone moving a "body."

The District Attorney did not turn over the FBI report to the defense pursuant to his constitutional obligations under Brady. After over ten years of incarceration, Stubbs’s and Vance’s convictions were overturned by the trial court of Lincoln County. The Circuit Court of Lincoln County has scolded the State for knowingly soliciting and introducing false evidence. When confronted with the fact that the FBI crime lab contradicted his video enhancement testimony, West attributed it to the fact that the FBI could not afford computers or Photoshop in order to reach his results. In a shameless move to save face, the Mississippi Attorney General’s Office has indicated that it intends to reprosecute the women based upon the original indictment, an indictment that was procured by presenting Dr. West’s bite mark and video enhancement testimony to the grand jury.

In the end, there are people like Michael West, who think that their 1999 Compaq Presario and copy of Photoshop makes them qualified experts, carving out a niche forensic analysis practices all over the country. Many trial judges are caught unawares about the limitations of video and photo enhancement. This evidence, which essentially amounts to forensic fraud, is admitted much more often than it is rejected. It seems, in the end, our societal fascination with CSI and like franchises has come at an extreme cost. We have compromised the integrity of our courts and sent innocent people to prison. And, it made last Monday a really boring day for housewives to attend the Arias trial.

[Editor's Note: The author is currently serving as a consultant for the Mississippi Innocence Project which is representing Leigh Stubbs.]

Jury: School principal Weindl not guilty of CP charges; case arose after FBI agent left spyware on son's school laptop

2013-04-30T11:03:00.001-05:00

From the Saipan Tribune (2/13/13): Weindl found not guilty:

A federal jury yesterday found former Whispering Palms School principal Thomas Weindl not guilty of charges of accessing child pornography websites using a Public School System-issued laptop.

For those unfamiliar with the case, here is my description from a previous post:

In United States v. Weindl, __ F.Supp __ (D. N.M.I. Nov. 20, 2012), a Northern Mariana Islands federal district court denied suppression of evidence obtained when spyware installed on school-owned laptop (assigned to an FBI agent's son and later used by the principal) sent child pornography (CP) reports (alerts) to the FBI agent - evidence that led to charges against the school principal (two counts of receiving CP and two counts of possession of CP). There are three relevant issues in the case: (1) whether the act of "accidental" failure to remove the spyware resulted in an "inadvertent search" or an intentional one, (2) whether the FBI agent was acting under the color of law when he opened and later investigated the reports he received from the spyware, and (3) whether Weindl had standing to assert a reasonable expectation of privacy in the spyware reports.

I had a chance to speak via email with Weindl's attorney, David Banes, last night; Banes indicated that he believed the turning point in the case was the testimony of his computer expert. He also mentioned that "we were able to show that the alleged porn sites constantly changed content" making it hard for the prosecution to prove that what Weindl allegedly browsed and viewed (at time A) was the same content when the page was accessed (assumedly by prosecutors) to serve as a basis for the charges (and evidence at the trial) (at time B). Finally, Banes noted that the defense was able to put on convincing evidence that eBlaster reports are not designed to be used as forensic evidence.

My previous posts on the case can be found below:

11/28/2012 - Principal caught with CP when FBI agent returns son's school laptop with spyware still on it; court denies suppression

12/3/2012 - Weindl - FBI agent spyware v. principal attracts attention and misinformation

12/5/2012 - Weindl (FBI agent's spyware vs. principal) - Why the court got it wrong

Jeffrey's differing take can be found here:

12/7/2012 - Weindl: Why the court got it right, and the FBI agent/father shouldn't be viewed as a government agent

Kashmir Hill at Forbes also wrote it up, here:

11/30/12 - An FBI Dad's Misadventures With Spyware Exposed School Principal's Child Porn Searches

Featured Paper: Cloud Computing Security and Privacy

2013-04-30T06:30:00.000-05:00

Cloud computing has been viewed by many as the next inevitable step towards a more efficient system for information management and storage. However, as our dependence on cloud computing continues to grow, many have started to examine the privacy, security, and legal ramifications that such a system creates. The Center for Applied Cybersecurity Research (CACR), located at Indiana University, has recently released a new white paper, Cloud Computing Security and Privacy, that examines the privacy and security risks associated with cloud dependence, as well as what should be done to create more secure and sustainable cloud-computing systems. The white paper was authored by Drew Simshaw, former information security fellow at CACR and current project manager and policy analyst with the Center for Law, Ethics, and Applied Research (CLEAR) in Health Information. I highly recommend taking a look at this white paper if you at all involved in cloud computing. The abstract appears below:

As the world’s data increase at unfathomable rates, individuals and organizations are seeking more convenient and cost effective ways to store and manage it. Many are turning to the cloud, recognizing its benefits, but failing to understand how it actually works. To confirm that cloud computing is no longer a fringe IT issue, one need look no further than President Obama’s re-election campaign, which was successful thanks in no small part to its utilization of Amazon’s cloud platform for a massive voter database. As cloud computing use continues to increase, security and privacy issues, as evidenced by recent events, should be considered so individuals and organizations can decide how best to store and manage their data. Although these events shed some light on measures that can be taken to reduce risk, they also demonstrate that bigger thinking is needed when it comes to improving security and privacy in the cloud. Therefore, as opportunity in the cloud expands and the stakes continue to rise, individuals, organizations, and cloud service providers must bear in mind the following security and privacy issues:

Creating a Bigger Target for Hackers

Government Access to Data in the Cloud

Data Access and Control in the Cloud

Cloud Service Outages and Human Error

Authentication

Encryption

In addition to being a guest author at Cybercrime Review, Andrew Proia is a research assistant to Professor Fred Cate, Director of the Center for Applied Cybersecurity Research. Andrew is also set to become a CACR Post-Doctoral fellow in information security law & policy later this year. All opinions expressed by the author are solely in his individual capacity.

District court finds CP restitution must be based on number of viewers rather than prior defendants

2013-04-29T06:30:00.000-05:00

In United States v. Hollister, the district court held that a determination of restitution to child pornography victims requires the damages to be divided by a count of the total number of viewers of the images as opposed to the common divisor of total number of prior defendants. No. 12-40041 (D. Kan. 2013). The decision is based on the Tenth Circuit's decision earlier this month on the issue.

The defendant had been convicted of distribution of child pornography of the "Cindy," "Vicky," and "Jan-Feb" series of images. As is common with these images, the victims sought restitution from the defendant. (See prior discussions on CP restitution here).

In the Tenth Circuit, like all other circuits except the Fifth, the restitution statute is interpreted to require "a showing that a victim’s losses are proximately caused by the defendant’s conduct." However, unlike other circuits holding similarly, the Tenth recently specified an unusual way to make the calculation for restitution:

In certain situations dividing a victim’s total damages by the number of end-viewers of child pornography may be sufficient to satisfy a proximate cause standard. For instance, a district court may determine that the pool of a victim’s provable losses are roughly equally caused by multiple defendants. However, in this case the district court did not make factual findings as to whether the number of judgments was approximately equal to the number of end-users or whether Benoit caused approximately the same amount of damages as other end-users.

Here, the district court struggled with the Tenth's approach, which was at odds with a citation to a Ninth Circuit case referenced in the Tenth's decision. In order to make a calculation, the court reasoned, the government must show the total number of viewers of the images as opposed to just the total number of defendants. "[U]nder this approach, the number of viewers may be unknowable or so high that any given defendant’s share of the restitution would be meaningless."

Such a calculation does appear to be the best method for making the a fair judgment of restitution, but as the district court reasoned, it makes "the determination of a divisor in the restitution calculation much more difficult."

However, because the victims did not provide information fulfilling the proximate cause requirement, the award of restitution was denied.

Wisconsin federal court forbids forced production of decrypted data on Fifth Amendment grounds

2013-04-25T06:30:00.001-05:00

The District Court for the Eastern District of Wisconsin held last week that compelled production of decrypted data violates the Fifth Amendment because it would require the suspect to admit to having access and control over the devices. In re The Decryption of a Seized Data Storage System, 13-M-449 (E.D. Wis. 2013).

The FBI seized 16 storage devices from the suspect, nine of which were encrypted. After four months of attempts to access the files, the government sought to force the suspect to "assist in the execution" of the search warrant by providing a decrypted copy of the files.

The predominant legal issue in such cases is the Fifth Amendment and whether or not the act of providing the decrypted files would be considered "testimonial." The issue has caused a split in district courts, but only the Eleventh Circuit has decided the issue at the appellate level, holding that forced production does violate the Fifth Amendment.

As distinguished from some other cases, the government here knew the encrypted drives contain files and had evidence to show that some of the filenames indicate they are images of child pornography. Further, the defendant has a computer science degree and works as a software developer, so he "may very well be capable of accessing the encrypted portions of the hard drives."

However, the deciding issue for the court was whether or not the suspect "has access to and control over the ... devices." Because he has not admitted to having access and control, he could not be compelled to provide the decrypted copy.

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with “reasonably particularity”—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.

Thus, the government's attempt to compel production of the files was denied. Visit our encryption label to read about related cases on encryption and compelled production.

Breaking: Jury finds Nosal guilty in CFAA case on remand from 9th Circuit (Updated)

2013-04-24T13:50:00.000-05:00

From Vanessa Blum: Jury finds Nosal guilty on all counts, including 3 #CFAA charges. #cyberlaw

Our previous summary of the case can be found here: The CFAA on trial - the latest from the Nosal case on remand

Update:

Here's some additional coverage:

From Findlaw - 'Hacking' Case, Remanded by 9th, Results in Conviction

From Wired - Man Convicted of Hacking Despite Not Hacking

6th Circuit declines to extend Warshak reasoning to P2P

2013-04-23T06:20:00.000-05:00

In a recent unpublished opinion, the Sixth Circuit held that its 2010 opinion in Warshak should not be extended to provide a reasonable expectation of privacy for users sharing files over Limewire. United States v. Conner, No. 12-3210 (6th Cir. 2013).

The defendant was convicted of receipt and possession of child pornography after law enforcement tracked the sharing of child pornography images on Limewire to him. A sheriff's deputy had searched for file names associated with child pornography, and found the defendant's IP address sharing them over the peer-to-peer (P2P) network.

On appeal, the defendant argued that the Sixth Circuit's decision in United States v. Warshak made the "search" of his computer a violation of the Fourth Amendment. In Warshak, the Sixth held that it was a violation of the Fourth Amendment for the government to compel Warshak's ISP to produce his emails without obtaining a search warrant with a showing of probable cause. The e-mails were obtained under the Stored Communications Act, which the Sixth Circuit therefore declared unconstitutional as it relates to this issue.

As for the search conducted on Limewire in the present case, however, the Sixth didn't buy the defendant's argument. The issue was whether P2P sharing "is different in kind from e-mail," and the court decided it was:

Unlike these forms of communication, in which third parties have incidental access to the content of messages, computer programs like LimeWire are expressly designed to make files on a computer available for download by the public, including law enforcement. Peer-to-peer software users are not mere intermediaries, but the intended recipients of these files.

The defendant attempted to argue that he did not know the files would be publicly available, but the court also found that the record proved otherwise. He had made multiple attempts to keep the files private, but the court held that the failure only showed he was "ineffective at keeping [them] ... from being detected" and not that "he was unaware of a risk of being discovered."

Google Glass and the future of privacy

2013-04-22T08:05:00.000-05:00

With the expected public release of Google Glass later this year, we must all be wondering about the product's potential effects on privacy. It will be worn similarly to eyeglasses and will provide users with picture, message, and navigation capabilities - just to mention a few.

Jan Chipchase, Executive Creative Director of Global Insights at Frog Design recently wrote about the privacy considerations with technologies like Google Glass:

As a product that is both on-your-face and in-your-face, Glass is set to become a lightning rod for a wider discussion around what constitutes acceptable behavior in public and private spaces. The Glass debate has already started, but these are early days; each new iteration of hardware and functionality will trigger fresh convulsions. In the short term, Glass will trigger anger, name-calling, ridicule and the occasional bucket of thrown water (whether it’s ice water, I don’t know). In the medium term, as societal interaction with the product broadens, signs will appear in public spaces guiding mis/use and lawsuits will fly, while over the longer term, legislation will create boundaries that reflect some form of im/balance between individual, corporate and societal wants, needs and concerns.

Read similar articles from CNNTech, The Guardian, and TechNewsWorld.

The CFAA on trial - the latest from the Nosal case on remand

2013-04-20T10:30:00.000-05:00

Vanessa Blum from The Recorder has been covering the Nosal trial almost in its entirety. Her coverage has been fantastic, and can be found further below. We have also written extensively on the case for over a year. Our previous posts (for reference) can be found here:

9th Circuit Related Posts:

4/11/2012 - Jeffrey Brown, Ninth Circuit en banc adopts narrow reading of CFAA

4/16/2012 - Justin P. Webb, Why Nosal's dissent is surprisingly persuasive

Nosal on Remand Post:

3/13/2013 - Justin P. Webb, Nosal on remand - another reading of CFAA's "exceeds authorized access"; court denies motion to dismiss

Vanessa's ongoing coverage can be found here:

4/5/2013 - Amid Calls for Reform, a Rare Trial of Hacking Law

4/9/2013 - Lawyer Takes Stand in Hacking Case

4/15/2013 - Prosecutors Get Key Testimony From Ex-Lover in Hacking Trial

4/17/2013 - What Does 'Nosal' Mean for Nosal?

4/19/2013 - Korn/Ferry Hacking Case Sent to Jury

Three Virginia teens headed to trial for child pornography crimes for videos made on their cell phones

2013-04-19T12:00:00.000-05:00

As the Washington Post reports, three Virginia high school students are being taken to trial for child pornography crimes due to cell phone videos they made during sex.

[Fairfax County Commonwealth’s Attorney Ray Morrogh] declined to discuss the Fairfax County case, but authorities have said two 16-year-olds and a 15-year-old from West Springfield High School were charged with possession and distribution of child pornography in January after they filmed themselves engaging in sex acts with at least six teenage girls. A source with Fairfax County schools said the videos were filmed surreptitiously....

Rodney G. Leffler, an attorney for one of the boys, has said that all of the sex acts were consensual and that the 10 videos at the heart of the case were filmed at parties at the teenagers’ homes beginning in December 2011. He said that all of the girls eventually learned that they were being filmed and that the boys shared the videos among themselves but did not distribute them widely. It is not clear whether the videos were texted, e-mailed or sent by other means.

If convicted, the teens face up to 20 years in prison.

District court holds that lost profits--due to fraudulent bids, not service interruption or degradation--constitute “loss” under the CFAA

2013-04-19T07:00:00.000-05:00

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, continues to receive some uneven treatment by the courts. In Yoder & Frey Auctioneers, Inc. v. Equipmentfacts, LLC, No. 3:10 CV 1590, slip op. (N.D. Ohio Apr. 8, 2013), the United States District Court for the Northern District of Ohio ruled that a private claim under the CFAA could proceed even though the harm it alleged did not seem to flow directly from unauthorized access.

Background

The plaintiffs, Yoder & Frey, an equipment auctioneer, and RealTimeBid.Com (RTB), an online auction service provider, are business partners. They alleged that Equipmentfacts, defendant and one-time auction service provider to Yoder & Frey, accessed the company’s new RTB-provided auction portal, first with an old administrative account and then with the “stolen” account of a long-time Yoder & Frey customer. According to the complaint, Equipmentfacts used both of these accounts to post defamatory, negative statements on the auction portal’s built-in message board, and then used the latter to post “false bids” for items up for auction--eventually winning eighteen items for a total of $1,171,074, which it has not paid.

Equipmentfacts disputed the underlying facts, but also moved for summary judgment on the CFAA claim, arguing that the CFAA does not encompass the type of damage alleged, because the harm was not due to the unauthorized access, and on the alleged facts did not even occur until the winning bidder refused to pay. Its argument focused on the disconnect between the alleged unauthorized access and the accrual of harm, arguing that “damages not flowing from an interruption of service are not recoverable under the CFAA.” The court, however, was unimpressed, and focused on the type of harm alleged rather than its nexus to the alleged unauthorized activity. It found that “interruption of service” could be found even when the website and bidding software performed as designed.

Finding "loss" under the CFAA

Civil plaintiffs under the CFAA must plead “loss” of at least $5,000 (or one of a few other narrow requirements, inapplicable here). 18 U.S.C. § 1030(g); 18 U.S.C. § 1030(c)(4)(A)(i)(I). “Loss” is statutorily defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The court analyzed the language and the legislative history of this provision to conclude that the CFAA claim could withstand summary judgment:

“Whether the alleged action left the system inoperable is too narrow a reading of the statute. An auction's high bidder, by definition, denies the other bidders the right to purchase that item at their bid price. . . . Fake bids deny the entire sale to both the auctioneer and the other bidders; particularly so when the auctioneer cannot discover the falsity of the high bid until the sale is long over. Depriving a business of potential sales is a loss contemplated by the CFAA. E.g., United States v. Schuster, 467 F.3d 614, 617 (7th Cir. 2006) (Affirming a restitution finding that the defendant was liable for the victim's loss of business productivity because he caused a computer attack that rendered the victim's system less available to customers)” (emphasis added).

While few would quarrel with the argument that some lost sales revenue is contemplated by the CFAA (e.g., sales lost during an outage caused by unauthorized access), the court’s analysis broadly implies that any sales revenue lost by an online portal is sufficient to show “loss” under the CFAA. Moreover, it seems to stray from its own citation. In Schuster (a criminal CFAA case that included restitution), the defendant conceded that his actions had impaired the availability of a system to other customers’ and the owner’s detriment, but here Equipmentfacts’ alleged unauthorized access to the bidding portal did not directly cause any harm. As its brief in support of its motion for summary judgment points out, the system remained functional throughout the alleged episode: RTB, in fact, conceded in deposition that there was no interruption in the availability or the integrity of the auction portal’s technical services whatsoever:

Q: So bidders could still place bids at the auction on your technology platform?
A: Yes.
Q: Even though there was someone allegedly placing false bids?
A: Correct.
. . .
Q: And the only thing that went wrong was that someone submitted a bid for which they had no intention of paying, right?
A: Yeah.

Now, this line of questioning by the defense attorney is slightly misleading, because the plaintiffs did not “only” allege that a bid was submitted by someone who never intended to pay; they also alleged that the false bid was submitted using the “stolen identity” of a long-time Yoder & Frey customer, and that Yoder & Frey approved each bidder before allowing them to participate in the auction. These facts might tie the alleged unauthorized access sufficiently closely to the “loss” required by the CFAA, but the court’s analysis does not follow this line of reasoning. Instead, it glosses over the distinction between placing a false bid in an online auction and using a stolen identity to participate in an online auction. The argument that a CFAA claim may be made on allegations of bidding online without intending to pay seems much more tenuous than the argument that a CFAA claim may be made on allegations of using a false identity to participate in an online auction, whether that bidder intended to pay for the items or not. The former claim, based on “false bids,” seems to be nothing more than a fraudulent, electronically concluded contract, which almost certainly falls outside the CFAA. Making such a claim based on falsely assuming the identity of a trusted customer seems much more like the type of conduct to which the CFAA was intended to apply. In a very confusing opinion, however, the court fails to distinguish these two very different issues.

Instead, its analysis seems to rely on its previous finding that the “[d]efendant’s alleged intentional disruption of even a portion of the online auction through surreptitiously submitted false bids interrupted the service of that site.” This portion of analysis considers false bids and bids submitted by means of a false identity (“surreptitiously submitted”) together, but the rest of that opinion seems to indicate that the court’s thinking hewed closer to the more tenuous false-bids analysis: “While the online auction was not totally thwarted, a number of individual online transactions were. As such, the auction website did not provide service to either Plaintiffs or the buyers and sellers in the auction while Defendants allegedly submitted false winning bids.” This line of inquiry requires the court to find that the bidding portal “did not provide service” even though it functioned exactly as designed, without any degradation or impairment of any of its functions.

This broad reading of the CFAA seems to extend “interruption of service” to include any thwarted commercial service--potentially, any electronically but fraudulently concluded contract. While it is possible that the authors of the CFAA contemplated such broad meaning, and, as the court points out, left “interruption of service” undefined, it is unclear why Congress would have intended to allow plaintiffs alleging fraudulent creation of contract to access CFAA remedies if the relevant contract was concluded electronically. And although construction of the CFAA has sometimes been controversial, this decision stands out for eschewing a narrow reading of CFAA liability (more here and here). If the court (and the plaintiff) had focused on illustrating the nexus between the alleged use of a stolen identity, which was trusted by the plaintiffs (and therefore approved as a bidder), and the lost commissions, it could have avoided muddying the waters with its analysis of “interruption of service.” As written, however, the opinion is unclear as to why this auctioneer’s harm had a sufficient nexus to any unauthorized access to warrant CFAA liability.

In addition to the CFAA claim, the complaint included claims based on common law fraud, common law trespass to chattels, and breach of contract. All of them survived the motion to dismiss. It will be interesting to see whether the parties settle, and if not, whether Yoder & Frey and its new service provider RTB can make the CFAA claim stick at trial.

Cybercrime Review welcomes Brad Edmondson as a guest writer

2013-04-18T19:25:00.000-05:00

I am very excited to announce Brad Edmondson will be joining Cybercrime Review. Brad will begin posting as a guest writer this week and plans to formally join Cybercrime Review as a permanent author over the summer. Please join me in welcoming Brad.

Brad is currently a 2L at Vanderbilt Law School and has developed an educational focus in the area of intellectual property law. Additionally, he is the incoming Senior Technology Editor for the Vanderbilt Journal of Entertainment and Technology Law. In 2008, Brad received his B.A. in Political Science from Tufts University. He also worked in the Tufts IT department in various roles during his undergraduate studies and, after receiving his undergraduate degree, continued working for the university as the Information Security Operations Team Lead. In the summer of 2012, he interned with Autodesk, a computer design software manufacturer and cloud design services provider. In 2013, he will intern with the MITRE Corporation, a nonprofit corporation that manages research and development programs for the federal government. In addition to his work experience, Brad also holds a GIAC certification in Information Security Fundamentals (GISF).

Brad’s passion in law centers on information security, privacy, technology's interaction with intellectual property, and cybercrime. In his downtime, he enjoys playing soccer, running, reading, and manually pulling espresso.

Tallinn Manual applies "international law norms" to cyber warfare

2013-04-17T14:30:00.000-05:00

It seems almost every day we see new reports of computer and network “attacks” allegedly perpetrated by nation states. China, Russia, and North Korea have all allegedly been involved in a variety of cyber attacks––and with the evidence mounting as to the now infamous Stuxnet attack, it can be safely assumed that the United States is not absent from this list. What cannot be assumed, however, is how these attacks fit into the complex set of policies, treaties, and international laws that govern national and international conflicts. Can a country use cyber operations to attack or defend another country? If so, to what extent can these cyber operations be used? How do we define a “cyber attack” under international law?

The Tallinn Manual On The International Law Applicable to Cyber Warfare (Cambridge University Press, 2013) attempts to answer these questions and many more just like them. The Tallinn Manual was made at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence and was authored by an “independent, international Group of Experts.” The result is a comprehensive guide that applies various international rules to cyber warfare. The group of experts, led by U.S Naval War College Professor and international law scholar Michael N. Schmitt, developed a set of “ninety-five ‘black-letter rules’” governing cyber warfare.

Contrary to some reports, the manual is by no means the official policy of NATO but is instead, as stated on the Cooperative Cyber Defence Centre of Excellence’s website, “an expression of opinions of a group of independent experts acting solely in their personal capacity.”

Despite such formalities, the manual is an important document for governments, students, and academics alike. The manual’s in-depth analysis provides a foundation for nations to build upon as they being to develop in and adapt to an increasingly cyber-dependent world. And while not an authoritative document, it will be interesting to see how the Tallinn Manual impacts the current discussions revolving around the continued escalation of cyber attacks by nations-states.

For a report on the Tallinn Manual, as well as an interview with one of the manual’s authors, Professor Thomas Wingfield, see Bernhard Warner’s Bloomberg article here.