New Details Emerge On Adam Swartz Computer Fraud Prosecution

This week’s must read story is the Boston Globe’s investigation of MIT’s role in the prosecution of Adam Swartz.

Swartz committed suicide instead of facing trial on multiple charges of violating the Computer Fraud and Abuse Act.  He faced about 50 years in prison if convicted of crimes relate to the downloading of academic journal articles in a computer closet at Massachusetts Institute of Technology.  The case became controversial because Swartz faced heavy charges despite the  government’s admission that he had no plans to use the articles for personal gain, but instead may have been trying to further his goal of open access.

The article notes how MIT both assisted the prosection in gathering evidence against Swartz, and at times seemed indifferent to the prosecution:

MIT never encouraged Swartz’s prosecution, and once told his prosecutor they had no interest in jail time. However, e-mails illustrate how MIT energetically assisted authorities in capturing him and gathering evidence — even prodding JSTOR to get answers for prosecutors more quickly — before a subpoena had been issued.

In a handful of e-mails, individual MIT employees involved in the case aired sentiments that were far from neutral. One, for example, gushed to prosecutor Stephen P. Heymann about the quality of the indictment of Swartz.

More:

The documents say little about what MIT was thinking and doing once the case morphed from an investigation into an active prosecution. But MIT’s own report on the case raises serious questions about the wisdom of MIT’s neutrality stance.

The Swartz case drew attention, particularly after Swart’s suicide, to the dangers posed by prosecutorial overcharging in order to coerce a plea deal.

Federal Judge Criticizes Overbroad Search of Email Records

A federal judge “admonished the Justice Department for repeatedly requesting overly broad searches of people’s email accounts, a practice that he called ‘repugnant’ to the Constitution.”

Magistrate Judge John M. Facciola criticized the government when it requested a significant number of emails in a kickback investigation.

The problem was not that the government was seeking emails related to criminal activity, but that the government sought “every email, contact, picture and transaction record” from the subject.

The government has aggressively pursued emails stored by third parties, such as Google, Yahoo! or, in this case, Apple.

This is not new.  Back in 2010, I highlighted a Sixth Circuit case that suggested people had broader privacy interests in emails, even when the emails are stored on servers owned by third parties.

Fifth Amendment Does Not Protect Against Disclosure of Facebook Posts and Messages

A federal bankruptcy court has held that the Fifth Amendment does not protect against the compelled disclosure Facebook messages and other electronic messages — even if the content of those messages could be incriminating.

The case is in re Welsh.  Case No. 13-02457-8-SWH. United States Bankruptcy Court, E.D. North Carolina, Raleigh Division.

The bankruptcy court was involved in resolving a state court case for alienation of affection, criminal conversation and defamation arising out of an alleged affair between the debtor and the plaintiff’s former wife.

Continue reading

Fifth Amendment Does Not Protect Against Network Administrator Disclosing Passwords

A California court has upheld the conviction of a network administrator who refused to provide network passwords after he was relieved of duty.

The case is People v. Childs, Cal: Court of Appeal, 1st Appellate Dist., 4th Div. 2013

The defendant was convicted of disrupting or denying computer services to an authorized user.   The defendant was employed as the principal network engineer for Department of Telecommunications and Information Services (DTIS) of the City and County of San Francisco.

In 2005, he was assigned to configure, implement and administer the city’s then-new fiber-optic wide area network.  To protect the security of this critical infrastructure, all configurations were confidential.  Starting in spring 2007, only the defendant had administrative access.  Later, he was reassigned.  When asked to user IDs and passwords, the Defendant first said that he no longer had administrative access.  Later, he provided incorrect passwords that did not allow access to the network.

Finally, the defendant, through his attorney, gave the correct passwords and backup configurations to the Mayor Gavin Newsom.  However, for 12 days DTIS was effectively locked out of the network.

The state’s case was premised on the idea that the defendant “acted as if he—not the city—owned the FiberWAN network and that he believed that his sole access to the computer system gave him job security.”

The issue highlighted here is the defendant’s contention that his privilege against self-incrimination by the admission of evidence that he failed to divulge his user name and password after being arrested.  The argument was that he had a constitutional right to remain silent—to decline to provide the information that the city sought.

The court rejected this argument, concluding that the privilege against self-incrimination does not apply.  The court noted:  “This privilege bars the state from compelling a person to be a witness against him or herself. It does not bar all compelled disclosures, even if those disclosures might lead to criminal prosecution.”

The court reasoned that the “privilege does not apply if the incriminating disclosure is required for compelling, broadly applied reasons unrelated to criminal law enforcement.”  In this case, the disclosure of the passwords was required to allow DTIS administrative access to its computer system.  This was not an inherently criminal investigation. Instead, the disclosures served a compelling business and governmental interests, not law enforcement.

The court concluded that “for DTIS to require its outgoing computer system administrator to reveal access codes necessary to allow the new system administrator to perform those functions is not the type of disclosure protected by the privilege against self-incrimination.”

As Predicted Here: Court Says Facebook “Likes” Are Protected by First Amendment

Two years ago, I wrote an LTN article “The Social Media/First Amendment Face Off.”  I suggested that the First Amendment freedom of speech protects people from investiagtsion of their Facebook Likes.

Then, in August 2012, I wrote a long analysis of this issue.  I concluded that

likes on Facebook, just like status update histories, postings, friend and group listings, IP logs, and private messages, can provide a “map of association” of all of the contacts, associates, colleagues, and friends of users.

 

The Supreme Court has recognized a privilege, grounded in the First Amendment right of association, not to disclose information when disclosure may impede the rights of speech and assembly.

Yesterday: validation.  A Federal Appeals Court ruled that the First Amendment protects Facebook “likes.”  The court said, Liking something — in this case a political issue, is the “Internet equivalent of displaying a political sign in one’s front yard, which the Supreme Court has held is substantive speech.”

More to Come . . .

NSA Collection of Phone Records May Be Unconstitutional. Possibly Violates Fourth and First Amendment.

The New York Times is reporting that the NSA and the Federal Government “is secretly carrying out a domestic surveillance program under which it is collecting business communications records involving Americans.”  The records obtained include call logs.  It is unclear how widespread the record collecting is, and whether it includes residential or cellphone services.

The law as written, including in the Patriot Act, permits this.

The key unanswered question: is a government law that permits law enforcement to obtain cell phone records from many, or all, users permissible under the Constitution.

Here are some initial thoughts.

Fourth Amendment 

The Fourth Amendment provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause . . . .”

The Supreme Court has explained that the fundamental purpose of the Fourth Amendment “is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.” Camara v. Mun. Ct., 387 U.S. 523, 528 (1967).

However, the courts have created a number of exceptions to the Fourth Amendment, so that many government actions that appear to gather personal information are not considered to be “unreasonable” and therefore subject to Fourth Amendment scrutiny.

The Supreme Court has explained that a search occurs, and the Fourth Amendment is implicated, when the government intrudes on an expectation of privacy that society is prepared to consider reasonable.  In evaluating this test, courts ask two questions:  (1) has the person demonstrated an expectation of privacy; and (2)is society willing to recognize that expectation as reasonable.

The first question is likely easy.  Most people expect that phone records are be shielded from public scrutiny.  There likely is some language in the cell phone provider agreements that address this issue.  Verizon, for example, has a privacy policy which states:  “Verizon does not sell, license or share information that individually identifies our customers with others outside of Verizon for non-Verizon purposes without your consent.”

The second question is much more complicated.

The courts have generally held that the Fourth Amendment provides little to no protection for data stored by third parties.  The most famous case is United States v Miller.  Miller concerned bank records.  In that case, the Supreme Court held the Fourth Amendment did not apply to information voluntarily provided to a third party.

There are three key differences between this situation and Miller. 

First, a key to Miller was that the information sought was business records, not likely to reveal personal information.   Cell phone records can reveal a significant amount of personal information – phone calls to friends, doctor’s offices, mental health professionals, business colleagues – can all provide clues about the most intimate details of a person’s life.  A better example is United States v. Warship.  In that case, a federal appeals court found that emails were subject to the Fourth Amendment even if they are in the possession of a third party Internet Service Provider, like Gmail or Hotmail.

Second, the amount of data collected allows the government to draw conclusions about the private lives of people from aggregated data that could not be drawn from discrete sets of records.

Courts are likely to perceive a difference between gathering a reviewing months of calls for numerous users and reviewing the records of one individual.  The aggregation of seemingly innocent pieces of data allows a clever observer to determine a person’s private contacts and routine.  This is because, as some of the Supreme Court Justices recognized in reviewing the warrantless use of use GPS tracking devices, the whole of one’s movements reveals more than does the sum of its parts.  With aggregated call data, an observer can use patterns of calls to reveal details about a person that might not available from a single action or transaction.  For example, one call to a physician doesn’t mean much, but multiple calls to a physician could allow an observer to infer a medical condition.

Third, the gathering of cell phone records could permit law enforcement to conduct surveillance beyond a targeted investigation into certain crimes. Instead, the program could permit law enforcement to undertake surveillance of a particular individual over an extended period of time in the hope of piecing together evidence of illegal conduct, including evidence of illegal conduct that was not even suspected prior to the surveillance.  This is the point I made in a law review article examining GPS tracking cases before the Supreme Court in the Jones case found that the practice violated the Fourth Amendment.

First Amendment

The government program of obtaining cell phone records can provide a “map of association” of all of the contacts, associates, colleagues, and friends of users.  Indeed, this could be the purpose.

The Supreme Court has recognized a privilege, grounded in the First Amendment right of association, not to disclose information when disclosure may impede the rights of speech and assembly.  This First Amendment check on government investigative activities was most famously explored in the United States Supreme Court in NAACP v. Alabama.  In NAACP, the state of Alabama sought to compel the NAACP to reveal the names and addresses of all its Alabama members and agents.  The Court held that the constitutional right of association – which is tied to the rights of speech and assembly – could protect those who join groups from state scrutiny.  The Court explained, “It is hardly a novel perception that compelled disclosure of affiliation with groups engaged in advocacy may constitute . . . [an] effective a restraint on freedom of association. . . .  Inviolability of privacy in group association may in many circumstances be indispensable to preservation of freedom of association, particularly where a group espouses dissident beliefs.”

In regards to the NAACP, the court feared that compelled disclosure of the organization’s membership list might “induce members to withdraw from the Association and dissuade others from joining it because of fear of exposure of their beliefs shown through their associations and of the consequences of this exposure.”

The right to withhold lists of members in a group is not, however, absolute.  Rather, the right must be balanced against the government interest.  The extent of the First Amendment argument was tested in a case involving Julian Asante’s Wikileaks website.  In Re: §2703(d) Order, No. No. 1:11dm00003, E.D. Virginia 2011.  In order to aid in the investigation of possible criminal charges arising out of the recent Wikileaks disclosures, the government sought a court order requiring Twitter to turn over the customer information of various users suspected to have been involved in the disclosures.  (The government did not seek to obtain the contents of any communications.)

The users argued that the order violated the First Amendment.  They argued that allowing the government to obtain records of this information would have a chilling effect on the willingness of people to post information on Twitter, or to follow certain users.  The court rejected this argument, in large part because the users had already made their Twitter posts and associations publicly available.

Persons in private or restricted groups have a stronger argument that the disclosure may have a chilling effect on the willingness of others to be associated with the group.  In addition, courts will be more likely to be protective of records that reveal political or religious affiliations – purposes already within the core of the First Amendment protections.

 

First Circuit Limits Searches of Cell Phones Incident to Arrest

In a significant decision, the United State First Circuit Court of Appeals has held that the police, after seizing a cell phone from an individual’s person as part of his lawful arrest, can not search the phone’s data without a warrant.  The case addresses the the boundaries of the Fourth Amendment search-incident-to-arrest exception.

Note: This is an issue I have written about extensively, including a 2010 law review article:  Doctrinal Collapse: Smart Phones Cause Courts to Reconsider Fourth Amendment Searches of Electronic Devices. University of Memphis Law Review, Vol. 41, p. 233 (2010). Download .pdf

The case is United States of America v. Brima Wurie, No. 11-1792, United States Court of Appeals, First Circuit.

The case began in 2007 when a Boston Police Department Detective  was performing routine surveillance in South Boston. He observed the Defendant stop in the parking lot of a convenience store, pick up a man later identified, and engage in what the detective believed was a drug sale in the car.  The Detective and another officer stopped the other man and found two plastic bags containing crack cocaine in his pocket.

Continue reading

Government Can Read Credit Card Magnetic Strips Without A Warrant

A federal court recently considered whether the warrantless reading of magnetic strips on the backs of credit and debit cards by United States Secret Service agents violates the Fourth Amendment of the United States Constitution’s prohibition against unreasonable searches and seizures.

The case is UNITED STATES OF AMERICA v. OLADIPO ALABI And KEHINDE OGUNTOYINBO, Defendants, No. CR 11-2292 JB, D. New Mexico, April 2, 2013.

The case started in April 2011.  A New Mexico State Police Officer stopped the defendants rental car because of expired license plates.   The officer gave the driver a warning and then obtained a limited consent to search the rental vehicle and luggage. As a result of the search, the officer seized, among other things, thirty-one credit and debit cards.  The office also seized: (I) approximately sixty-seven Wal-Mart cash cards valued at $1,650.00; (ii) approximately $5,673.00 in cash; (iii) two laptop computers; (iv) six cellular telephones; (v) a bundle of paperwork which contained a list of approximately 500 names with birth dates, Social Security numbers, addresses, and telephone numbers; and (vi) two Louis Vuitton bags.

The Defendants were arrested on state charges related to identity theft. The United States Secret Service subsequently became involved.  A special Agent proceeded to scan and search each of the individual credit and debit cards to obtain the electronic information on the magnetic strips.  The court found that the magnetic strip on the back of a credit/debit card “contains three tracks on which data may be stored.” The information stored on the magnetic strip includes (i) the primary account number; (ii) the card-owner’s name; and (iii) the expiration date.  Most card readers do not read the third line of data.

The court noted that the strips can be reprogrammed for a fraudulent purpose:  “To enable a person to commit credit card theft/fraud, the original information on the back of a credit or debit card is replaced with the data taken from another person’s card’s magnetic strip, so that the card is still able to be processed by a card reader, but is processed to a person’s account other than the cardholder identified on the front of the recoded card.”   A witness explained that “a person presents a credit card to a store clerk, then if the clerk asks for identification, the person will show his or her own license, which contains the same name as embossed on the front of the card, and then “the clerk would then run the credit card through a reader that sends the billing information off to the bank. The bank doesn’t see what’s on the front of the credit card nor what’s [on] the driver’s license,” so it can charge the purchase to a person different from the cardholder named on the front of the card.

Out of the thirty-one credit/debit cards found in the Defendants’ possession, nine cards contained different information on the magnetic strips than reflected on the fronts of those cards.  There was no evidence that any of the thirty-one credit and debit cards found in the Defendants’ possession have been used.

The court found that “scanning the credit and debit cards’ magnetic strips was not a search for Fourth Amendment purposes.”  The court reasoned that the search does not violate the Supreme Court’s trespass-based search approach, and that it did not compromise any legitimate interest in privacy.

Continue reading