Archive | Computer Crime Law

United States v. John and the Meaning of “Authorization” to Access a Computer

The federal computer crime statute criminalizes accessing a computer “without authorization” or “exceeding authorized access,” with the important caveat that no one seems to know what it mean to access a computer “without authorization” or to “exceed authorized access.” See 18 U.S.C. 1030. The concepts are particularly tricky in the case of a written restriction on computer access. If a computer owner gives you permission to access a computer for a particular purpose or in a particular way, and you access the computer in ways contrary to those express limitations, does that violation render the access unauthorized? This was the main issue in the Lori Drew case, involving the violation of MySpace’s Terms of Service: The Government’s theory in that case was that an Internet user who violates MySpace’s TOS was thereby accessing the computers without authorization. The District Judge tossed the charges on the ground that this theory would render the statute unconstitutionally vague.

Now consider the Fifth Circuit’s decision yesterday in United States v. John, authored by Judge Owen and joined by Judge Smith and Judge Haynes. John was an account manager at Citigroup who provided her half-brother with customer account information so he and his friends could run up fraudulent charges. In addition to charging John with credit card fraud and conspiracy — the obvious charges in such a case — the government also charged John with unauthorized access to Citigroup’s computers. The government’s theory was that by accessing Citigroup’s computers to further a fraud, in violation of Citigroup’s apparent policies that employees could access information only for work-related reasons, John had committed an unauthorized access. The jury convicted on all counts.

On appeal, John challenged her conviction for unauthorized access on the theory that she was authorized as an employee to access the computer, as [...]

Continue Reading 66

Legal Protection for Historical Cell-Site Records

Next week a panel of the Third Circuit will be hearing oral argument in a case that considers whether federal law requires a warrant for the government to obtain historical cell-site records. I blogged a bit about this when the District Court’s decision was handed down, and I thought I would say a bit more now that the issue is before the Court of Appeals.

As I mentioned when I blogged about this issue in 2008, I think the answer to this case is easy: A Terry-stop “specific and articulable facts” court order is required, but a probable cause search warrant is not. As a statutory matter, the Stored Communications Act is clear here. The cell-site records count as a “record concerning an electronic communication service” under 18 U.S.C. 2703(c). Under 18 U.S.C. 2703(c)(2), such records can be compelled with a Terry stop “specific and articulable facts” court order obtained under 18 U.S.C. 2703(d).

But is this standard unconstitutional? That is, does the Fourth Amendment require a warrant backed by the exclusionary rule instead of the lesser standard and lesser remedy Congress has chosen? In her amicus brief, Professor Susan Freiwald argues that the Fourth Amendment protects cell-site info, which would require a warrant. But I think that is pretty clearly wrong under the Supreme Court’s decision in Smith v. Maryland. A cell site signal is closely analogous to numbers dialed in Smith: It’s a signal that the user sends to the phone company that is necessary for the phone company to deliver the user’s calls. It is a necessary part of placing the call, and information that is necessarily transmitted to the phone company. Professor Freiwald relies on various authorities to try to get around Smith v. Maryland, but I don’t think any of [...]

Continue Reading 83

Plain View for Computer Searches Generates Two Circuit Splits in Two Days: United States v. Williams and United States v. Mann

Should courts adopt a new set of Fourth Amendment rules to regulate how the police can search computers for evidence? In particular, does the fact that so much electronic evidence outside the scope of a warrant can come into “plain view” during a computer search require a different approach to whether that evidence outside the scope of the warrant should be admitted?

Some courts have thought so. In the Tenth Circuit, for example, the usual objective test for admitting plain view evidence has been replaced by a subjective test designed to narrow the scope of plain view: Evidence outside the scope of a warrant is permitted in plain view only if the agent was subjectively looking for evidence within the scope of the warrant. And in the Ninth Circuit, the en banc court recently adopted a complex set of prophylactic rules to avoid admission of plain view evidence altogether in United States v. Comprehensive Drug Testing.

In the last two days, however, two circuits have handed down published decisions creating apparent circuit splits on both of these aspects of how the plain view exception applies to computer searches. Both of these circuits, the Fourth and the Seventh, reject the idea of adopting new rules for computer search and seizure.

1. United States v. Williams. The first decision is a Fourth Circuit opinion by Judge Niemeyer in United States v. Williams, expressly disagreeing with the Tenth Circuit’s plain view decision in United States v. Carey. Carey adopted a subjective test for the plain view exception to computer searches: Under that approach, the question is whether the agent who was searching through the computer was subjectively looking for evidence within the scope of the warrant. Judge Niemeyer disagreed:

Williams, relying on the Tenth Circuit’s opinion in United States v.

[...]
Continue Reading 28

United States v. Payton Update

Two weeks ago, I wrote a post seeking updates on United States v. Payton, a Ninth Circuit computer search and seizure decision that I think was wrongly decided. Howard Bashman notes that on Friday the Ninth Circuit handed own this seven-page order explaining what happened. It seems that there was interest in rehearing the case en banc from at least one member of the Ninth Circuit, but that mootness may have gotten in the way because the government concluded there were bigger fish to fry in the CA9 and did not seek rehearing. The court also concluded that it should not vacate its decision in light of the mootness, which I think was procedurally correct even though I think the decision itself was wrong. So the bottom line is that Payton stays on the books. [...]

Continue Reading 6

New Case on Computer Searches, Encryption, and Plain View: United States v. Kim

A federal district court in Texas recently handed down a new case on the scope of computer warrant searches that shows how important and yet uncertain the rules of computer search and seizure are these days: United States v. Kim, — F.Supp.2d —, 2009 WL 5185389 (S.D. Texas 2009). The case was handed down December 23 by District Judge Vanessa Gilmore.

Law enforcement agents were searching a computer with a warrant for evidence of computer hacking when they come across folders containing encrypted files with the suggestive titles such as “ForbiddenFruit”, “Illegal_Loli #”, and “Loli#”. The files were encrypted with “CryptaPix,” encryption software that is generally known as a way to encrypt image files. The agents requested a warrant to open the files and search for child pornography, but the magistrate rejected the warrant application on the ground that there was insufficient probable cause. The government decided to try to decrypt the files anyway under the authority of the warrant to search for evidence of computer hacking. It took two months, but eventually the government decrypted the images and found 840 images of child pornography.

The district court suppressed the child pornography images as being beyond the scope of the warrant. However, the court did not follow the subjective approach that several courts have used in the computer search and seizure context to measure the scope of the warrant. (Under the subjective approach, courts look to whether the agents subjectively was trying to stay within the scope of the warrant when he clicked on the file.) Instead, the court concluded that it was objectively unreasonable for the government to decrypt the images based on its alleged interest in searching for evidence of computer hacking:

Looking in the encrypted folders for evidence of Computer Intrusion was unreasonable for several reasons.

[...]
Continue Reading 64

Restitution for Victims of Child Pornography

Yesterday U.S. District Judge Patrick Schiltz of the District of Minnesota issued an interesting order regarding a restitution application in a child pornography case.   In his order, found here, Judge Schiltz chastises the government for failing to pursue restitution for child pornography cases in his district, even though Congress has made restitution mandatory in such cases.  Judge Schiltz wrote:

This Court has recently handled a number of other child-pornography cases in which the United States Probation Office has identified victims who are seeking restitution.  Notwithstanding the strict mandates of § 2259, the government has also declined to pursue restitution in those cases. Given the clear Congressional mandate that those convicted of child pornography offenses pay restitution to their victims, the Court will no longer accept silence from the government when an identified victim of a child-pornography offense seeks restitution.  If the government declines to seek restitution, the government will have to give the Court some explanation for its decision.

The statute that Judge Schiltz cites, found here, directs district courts to order restitution for the “full amount of the victim’s losses.”  In this particular case, a young girl who was raped and had pictures of the crime taken seeks several million dollars in restitution to pay for counseling and other expenses resulting from the crime. 

The victim has sought these damages not only from the defendant convicted in this case in Minnesota but more broadly from every defendant convicted of viewing the images taken of her  against her will.   For instance, she sought such restitution in Texas.  There, a federal district court judge ruled that she could not trace her injuries specifically to the particular defendant convicted in that case.  She sought mandamus relief in the Fifth Circuit, which held in a recent opinion that the district judge [...]

Continue Reading 45

DOJ Files Brief Supporting Super-En-Banc in CDT

Yesterday the Justice Department filed its Brief in Support of Rehearing En Banc By the Full Court in United States v. Comprehensive Drug Testing, the blockbuster computer search and seizure case I have blogged a lot about. From the introduction:

The en banc panel’s decision announced sweeping new rules for warrants to search computers that are having an immediate and detrimental effect on law enforcement efforts. In some districts, computer searches have ground to a complete halt, and, throughout the Circuit, investigations have been delayed or impeded. Magistrate judges are uniformly viewing compliance with the newly announced rules as mandatory, but they are implementing those rules in vastly different ways. All of this was unnecessary. The parties in these cases disagree about the proper resolution of the issues presented for decision, but they agree on one fundamental point: The new rules that the en banc panel announced for the issuance and execution of warrants to search computers were unnecessary to the issues presented in these cases.

The en banc panel stepped outside the proper role of an Article III court when it set forth detailed protocols that purport to bind, and that are being understood as binding, magistrate and district judges in future cases. The seminal issues surrounding computer searches should be resolved in actual controversies—not through “guidance” that “magistrate judges must be vigilant in observing.” Op. 11891-11892. On the merits, the detailed protocols announced by the en banc panel conflict with Supreme Court decisions interpreting the Fourth Amendment and the scope of a federal court’s supervisory power. If fully implemented, they also would conflict with amendments to the Federal Rules of Criminal Procedure that are scheduled to go into effect within days.

The United States is mindful that this Court has never granted full court en banc. Indeed,

[...]
Continue Reading 12

Computer Crime Law, Second Edition

I’m pleased to announce that the Second Edition of my Computer Crime Law casebook has just been published. A few quick points about it, for those who are interested in such things:

1. About 20% of the main cases are new, reflecting the dramatic caselaw development in the field since the 1st edition came out in 2006. Regular readers of the VC will be familiar with a bunch of the new cases, as I’ve blogged about several of them. The most recent case in the book is the Lori Drew case, handed down on August 28th (and edited down to about 5 pages instead of 32).

2. Despite the many new cases and notes, the book is just about the same length as before. The 1st edition was 665 pages plus the statutory materials in the appendix; the 2nd edition is 684 pages plus the statutory materials in the appendix. I didn’t want the book to become bloated, as can happen to successive editions, so I tried both to add in what was needed and to take out what was no longer as useful or relevant as before.

3. I’m finishing up a Teacher’s Manual for the book, and I will also soon have a free online Supplement available for the Spring 2010 semester to include the several important caselaw developments just in the last 2 or 3 months. [...]

Continue Reading 6