Category Archives: Computer Crime

No Fourth Amendment violation when government looked at Facebook profile using friend’s account

U.S. v. Meregildon, — F.Supp.2d —, 2012 WL 3264501 (S.D.N.Y. August 10, 2012)

The government suspected defendant was involved in illegal gang activity and secured the assistance of a cooperating witness who was a Facebook friend of defendant. Viewing defendant’s profile using the friend’s account, the government gathered evidence of probable cause (discussion of past violence, threats, and gang loyalty maintenance) which it used to swear out a search warrant.

What you do on Facebook is almost guaranteed to come back and bite you in the ass.

Defendant argued that the means by which the government obtained the probable cause evidence – by viewing content protected by defendant’s Facebook privacy settings – violated defendant’s Fourth Amendment rights. The court denied defendant’s motion to suppress.

It held that where Facebook privacy settings allowed viewership of postings by friends, the Government could access them through a friend/cooperating witness without violating the Fourth Amendment. The court compared the scenario to how a person loses his legitimate expectation of privacy when the government records a phone call with the consent of a cooperating witness who participates in the call. It held that defendant’s legitimate expectation of privacy ended when he disseminated posts to his Facebook friends because those friends were then free to use the information however they wanted, including sharing it with the government.

Photo credit: Flickr user Poster Boy NYC under this Creative Commons license.

Did a Facebook breakup cause a murder?

According to this news report, a man in Martinsville, Indiana allegedly shot the mother of his 14-month-old daughter after the woman broke up with him through Facebook. Though one should not jump to concluding that Facebook caused this murder, we are left to consider whether the nature of social media communications contributed to the alleged killer’s motivation.

public breakup

Breaking up is supposed to be a private event. Though we do not know the precise means the woman used to communicate the breakup (was it a private message or an IM, or was it more public like a status update or wall post?), one cannot help but notice the incongruity of using a social media platform to communicate a sensitive matter. Equally intriguing as the breakup is the man’s alleged apology in advance that he posted to Facebook before the murder.

Social media, just like any technology, gives us choices. Stories like this show how, in certain circumstances, human nature may not always be up to the task of making the right decisions when that process is affected by a novel context like the seemingly public context of Facebook.

Photo courtesy Flickr user Unlisted Sightings under this license.

Alleged voyeur boss cannot pursue Computer Fraud and Abuse Act claim

Bashaw v. Johnson, 2012 WL 1623483 (D.Kan. May 9, 2012)

Some employees filed suit after they learned that their boss — who required them to wear skirts to work — allegedly installed the Cam-u-flage video surveillance app on his iPhone and iPad to surreptitiously capture upskirt shots of plaintiffs at work.

The boss filed a counterclaim under the Computer Fraud and Abuse Act (CFAA), claiming that plaintiffs deleted data from his iDevices without authorization. Plaintiffs moved to dismiss this counterclaim. The court granted the motion.

The court held that the boss failed to allege the nature of his alleged damages within the meaning of the CFAA, and that he failed to sufficiently allege a qualified loss as defined by the statute.

As for damage, the court found that the mere allegation that data had been erased, without identifying which data, did not meet the plausibility requirement to survive a motion to dismiss. (Hmm. I wonder what data the plaintiff-employees would have wanted to delete?)

On the question of loss, the employer alleged that such calculation “would exceed” the CFAA threshold of $5,000. But he did not allege that he actually incurred losses in that amount. He did not mention any investigative or response costs, nor did he allege any lost revenues or other losses due to an interruption in service.

Photo credit: Magic Madzik

Video: This Week in Law Episode 150

Had a great time hosting This Week in Law Episode 150, which we recorded on February 24. (Thanks to Denise Howell for handing over the hosting reins while she was off for the week.) It was a really fun conversation with three very smart panelists — Mike Godwin, Greg Sergienko and Jonathan Frieden. We talked about copyright and free speech, encryption and the Fifth Amendment, and the state of internet privacy.

If you’re not a regular listener or viewer of This Week in Law, I hope you’ll add it to your media diet. I’m on just about every week (sometimes I’m even referred to as a co-host of the show). We record Fridays at 1pm Central (that’s 11am Pacific, 2pm Eastern). The live stream is at http://live.twit.tv and the page with all the past episodes and various subscription options is http://twit.tv/twil.

No restraining order against uncle posting family photos on Facebook

Court refuses to consider common law invasion of privacy tort to support restraining order under Minnesota statute.

Olson v. LaBrie, 2012 WL 426585 (Minn. App. February 13, 2012)

Appellant sought a restraining order against his uncle, saying that his uncle engaged in harassment by posting family photos of appellant (including one of him in front of a Christmas tree) and mean commentary on Facebook. The trial court denied the restraining order. Appellant sought review with the state appellate court. On appeal, the court affirmed the denial of the restraining order.

It found that the photos and the commentary were mean and disrespectful, but that they could not form the basis for harassment. The court held that whether harassment occurred depended only on a reading of the statute (which provides, among other things, that a restraining order is appropriate to guard against “substantial adverse effects” on the privacy of another). It was not appropriate, the court held, to look to tort law on privacy to determine whether the statute called for a restraining order.

Are nonpirate Megaupload users entitled to compensation from the government?

If I left my coat in a taxi that was later impounded because, unknown to me, the driver was transporting heroin in the trunk, would I be left out in the cold?

People who used Megaupload to lawfully store and transfer files are rightfully upset that their stuff is unavailable after last week’s raid. Some groups in other countries say they are going to sue the U.S. government. Would a lawsuit like that get anywhere in a U.S. court?

The Fifth Amendment — best known for its privilege against self-incrimination — says that “private property [shall not] be taken for public use, without just compensation”. (You can impress your legally-trained friends at parties by confidently and casually referring to the Takings Clause.) Does the Takings Clause give innocent Megaupload users a right to be paid the value of the files they are being deprived of while the feds use the servers on which those files are stored to prove their case against Kim Dotcom and company?

Back in 2008, Ilya Somin and Orin Kerr had a conversation on the Volokh Conspiracy discussing this question of whether the Fifth Amendment protects innocent third parties who lose property in a criminal investigation. If you read that commentary you will see that a case over the Megaupload takedown might be tough for a number of esoteric reasons, not the least of which is Supreme Court precedent.

There are some face-value problems with a case like this as well. Has the government taken the property for a “public use”? One could argue that the reason the servers (including the innocent content) were seized was for the so-called public good of going after piracy. But then the innocent content is not being “used” in connection with the prosecution — it just happens to be there.

I do not pretend to know the answers to this inquiry, and I’m relying on sharper Constitutional minds than mine to leave some good comments. (If you know Ilya Somin or Orin Kerr, send them a link to this post!) All I know is that it does not seem fair that users of the cloud should so easily be deprived in the name of law enforcement.

 

Enhanced by Zemanta

Ordering defendant to decrypt hard drive did not violate her Fifth Amendment rights

U.S. v. Fricosu, 10-CR-00509 (D. Colo. January 23, 2012)

Pursuant to a warrant, federal agents seized defendant’s laptop from her home. When investigators turned it on, they saw the hard drive’s contents were encrypted using PGP Desktop. Defendant would not voluntarily turn over the password to decrypt the drive, so the Government filed an application under the All Writs Act to require defendant to “assist” in the execution of the search warrant. Defendant objected, asserting her privilege against self-incrimination under the Fifth Amendment.

The court rejected defendant’s arguments, granted the Government’s application and ordered defendant to provide an unencrypted copy of the hard drive. It found that the situation did not implicate defendant’s Fifth Amendment rights.

The Fifth Amendment provides that no person shall be compelled in any
criminal case to be a witness against himself. For the most part, this privilege only covers testimony. But an act that implicitly communicates a statement of fact may be within the purview of the privilege as well. For example, producing a document (or electronic data, for that matter) is an acknowledgment that the material:

  • exists
  • is in the possession or control of the producer
  • is authentic (i.e., is what it purports to be)

The court held that defendant’s Fifth Amendment rights were not implicated because providing an unencrypted copy of the hard drive did not serve to accomplish any of the three points listed above.

The feds had confiscated the computer, so they knew of the location and existence of the computer files. (The court found that the fact that investigators did not know the specific content of any specific files on the computer did not matter.) And as for the authenticity of the computer files, the government would presumably be able to do that in other ways. Among other things, the computer was found in defendant’s bedroom. Information on the screen that showed up when it was turned on contained defendant’s first name. And perhaps most damningly, investigators had a taped phone conversation between defendant and her ex-husband discussing the computer and the fact it was password protected.

Video: my appearance on the news talking about isanyoneup.com

Last night I appeared in a piece that aired on the 9 o’clock news here in Chicago, talking about the legal issues surrounding isanyoneup.com. (That site is definitely NSFW and I’m not linking to it because it doesn’t deserve the page rank help.) The site presents some interesting legal questions, like whether and to what extent it is shielded by Section 230 of the Communications Decency Act for the harm that arises from the content it publishes (I don’t think it is shielded completely). The site also engages in some pretty blatant copyright infringement, and does not enjoy safe harbor protection under the Digital Millennium Copyright Act.

Here’s the video:

Impostor bids in online auction sufficient allegation of interrupted service under CFAA

Yoder v. Equipmentfacts, 2011 WL 2433504 (N.D.Ohio June 14, 2011)

[This is a post by Jackson Cooper. Jackson graduated from DePaul University College of Law in May 2011 with a certificate in intellectual property and information technology law. Jackson also recently passed the Kentucky bar exam and will begin practicing soon. You can find him online at jacksonccooper.com or follow him on Twitter at @jacksoncooper.]

The plaintiffs here were an auction company and a firm employed to assist them with running a private online auction.  They sued the defendant, a firm previously employed by the auction company to assist them with running online auctions.  The plaintiffs  alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, stemming from the defendant’s unauthorized access to a private auction conducted by the plaintiffs after the defendant’s relationship with the auction company was terminated.  According to the plaintiffs, the defendant made unauthorized access to the auction system using an administrative user name and password to post negative comments, and later impersonated a customer in order to place fraudulent bids as that customer.  The plaintiffs further alleged that the defendant, posing as a customer, won auctions for over one million dollars of equipment and failed to pay on those winning bids.

The defendant asked the court to dismiss the CFAA claim, challenging the plaintiffs’ pleadings on the issue of “loss” as defined by the CFAA. The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Plaintiffs alleged lost commission resulting from the defendant’s fraudulent bids and resulting failed auctions.  Defendant claimed that the small scale sabotage as at issue here did not satisfy the “interruption of service” requirement, and therefore could not support the claimed violation of the CFAA.

The court, noting the lack of a definition of “interruption of service” in the statute and the lack of case law dealing with disruptions of this type, treated the issue as one of first impression.  The court concluded that the disruption alleged here was sufficient to support the “interruption of service” requirement in the CFAA.

The court found that the defendant’s alleged “intentional disruption of even a portion of the online auction” constituted an interruption of the service of the site. Although the auction system was not taken offline by defendant’s alleged activities, the court found that thwarting individual transactions and the resulting denial of service to plaintiffs and their customers was an interruption as envisioned by the statute.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.