Several news publications have been making much ado about a tactic the FBI used in 2007 to locate an individual suspected in a series of bomb-threats to Washington state high schools. The FBI created a fake news article, falsely representing it as an Associated Press publication, and sent a link to the suspect’s MySpace account. The article headline, which was directed at the suspect, was meant to entice him to go to the link. It worked. The suspect clicked on the link, which enabled the FBI to download malware on his computer and identify his location and Internet Protocol address. The suspect was subsequently arrested, charged and prosecuted in state court.
Newspapers and other media outlets have recently decried the FBI’s use of the AP’s name and brand recognition to further its purposes. The AP’s director of media relations noted in an October 2014 statement: “This ploy violated AP’s name and undermined AP’s credibility.” The Seattle Times complained that such action not only crosses the line, but erases it (the statement was made when the paper believed its publication was involved). The controversy is somewhat understandable: journalists want to ensure their perceived independence; they don’t want to be seen as a tool of the powers that be.
But media concern over the FBI’s use of the AP name may be slightly overstated. The FBI did not publish the fake news article for broad dissemination. It directed the article to one suspect only. Nor is it exactly unprecedented for investigators to hold themselves out as something they are not in order to gain the trust of and nab wrongdoers. Should all cool teens (however they self-describe these days) complain that Narcs are undermining their reputation and street cred? Without these undercover operations, a major tool to FBI investigations would be lost, not to mention fodder for the popular television series that made Johnny Depp famous. FBI and other enforcement agencies regularly use deception to catch criminals. Everyone knows this, including the wrongdoers at whom deceptive practices are targeted.
Some argue that there is a colorable difference between impersonating a fake individual or persona and impersonating the press. If the impersonation were on a large scale and were relatively public, the deception would be problematic. People wouldn’t know what journalism was credible and what journalism wasn’t (not that this isn’t already a subject of some debate…). But narrowly focused operations directed exclusively at suspects who are the subject of a search warrant are a different scenario, and that’s the scenario that appears to be in play here. Where the FBI employs such tactics well enough into an investigation to support a search warrant, including having probable cause that the suspect is involved in criminal activity, using deception, which is an efficient way to locate the individual, doesn’t seem too alarming.
Of course, it is important to emphasize that legal process is everything. If the FBI were to disseminate fake news articles to gain computer access at the launch of an investigation, before it had a target, before it had probable cause, and before it had its actions approved judicially by a search warrant, such tactics would risk impacting innocent individuals and undermining news sources.
Court: Police Need Warrant to Search Phone. But Guess What? They Get to Keep Your Phone While They Get One.
Will cops still get access to cell phone data post arrest? You bet. Today’s Supreme Court decision just means they need to get permission from a judge before they start searching who you have been texting. And odds are very good that permission will be granted.
In a unanimous decision authored by Chief Justice Roberts, the United States Supreme Court held that law enforcement officers may not conduct warrantless searches of cell phones that are seized incident to an arrest. But just because police cannot immediately search mobile phones doesn’t mean they cannot immediately seize them in connection with an arrest. Indeed, the benefit of today’s decision by our country’s highest court may be limited to the two defendants who brought the case (and of course any similarly situated defendants).
The named defendant in Riley v California is David Riley. After Riley was stopped for a traffic violation, he was arrested and the police officer seized his cell phone incident to that arrest. When the officer accessed the data on the phone (without a search warrant), he noticed the repeated use of an identifier associated with the Bloods street gang. Later, a detective reviewed the cell phone records and noticed gang-related content, including a photo of Riley standing in front of a car that was used in a shooting weeks earlier. Riley was convicted of multiple crimes related to that shooting and received a sentence of 15 years to life.
The second case resolved today involved Brima Wurie, who had been arrested in connection with a drug sale. After Wurie’s arrest, police took him to the police station where officers confiscated his flip phone. A few minutes later, Wurie’s phone showed an incoming call from “my house.” The officers opened the phone, accessed the call log to determine the number of the incoming call, and then traced the number back to Wurie’s apartment, which they secured. After obtaining a search warrant, the officers searched the apartment and seized drugs, a gun, ammunition, and cash. At trial, Wurie was convicted on three drug-related counts and sentenced to more than twenty years in prison.
The key here to note is that in neither case did law enforcement obtain prior permission to search the cell phones belonging to Riley and Wurie. The narrow question presented to the Court therefore was whether it is permissible for law enforcement to search cell phone data incident to an arrest where no court has authorized such a search. In holding that such a search violates the Fourth Amendment of the US Constitution, the Court considered but rejected as not relevant prior cases where so-called “warrantless” searches passed constitutional muster. For example,
· In Chimel v. California, the Court recognized that the Fourth Amendment permits warrantless searches of the arrestee and areas within his immediate control if necessary to protect officer safety or to preserve evidence.
· In Arizona v. Gant, the Court held that officers may search a car incident to arrest if the arrestee is unsecured and within reaching distance of the passenger compartment or if the officer reasonably believes evidence of the crime of arrest may be found.
Because there were no such exigent circumstances present in Riley or Wurie’s arrest, the Court concluded that the need for cell phone data searches does not outweigh the corresponding intrusion on individual privacy, and thus a warrant was required. This of course is the right result. Digital cell phone data does not, by itself, of course, threaten officer safety. And a warrantless search of cell phone data is not necessary to preserve evidence. The Court recognized an individual’s privacy interest in digital cell phone data is considerable: cell phones have immense storage capacity, collect many types of records in one place, and often contain years’ worth of data.
In this regard, today’s decision is a victory for privacy rights. Law enforcement officers will not be permitted to conduct warrantless searches of cell phones for digital evidence. But if you are arrested, don’t assume law enforcement will let you keep your phone. Today’s decision may not allow for a warrantless search of your phone, but there is nothing prohibiting law enforcement from securing a phone post-arrest and seeking permission from a court to search it. And the chances that a court will grant such a request are close to 100%.
Last month, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) formally announced its cybersecurity initiative in a Risk Alert. The initiative followed up on OCIE’s announced prioritization of cybersecurity preparedness as part of its 2014 Examination Priorities. The initiative is also timely because the general public is becoming more conscious of cybersecurity risks and their dangers as they learn of major breaches at Target Corp., Neiman Marcus, Michaels Stores Inc., and other companies. The security of personal information is even more important at financial services companies, which often have a large amount of sensitive personal information about their customers.
The OCIE’s approach is refreshingly proactive: “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Further, the areas of cybersecurity assessment are quite broad and they cover “the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Importantly, the OCIE examination is detailed and specific about ensuring the adequacy and efficacy of cybersecurity measures. For example, the list of questions regarding identification of cybersecurity risks requires exact dates and times and is prefaced with “please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice…”.
Further, the OCIE examination questions require naming the person(s) conducting the cybersecurity measures and when those measures were last checked or implemented. For example, the questions on identification of risks/cybersecurity governance include:
- Who (business group/title) conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences, and in what month and year was the most recent assessment completed?
- Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Similarly, the questions regarding a written cybersecurity incident response policy seek a copy of the policy, the year it was most recently updated, whether there are tests to assess the policy, who conducts the tests, and when and by whom the last test was conducted. Likewise, the questions on event detection processes seek the month and year of the most recent test.
The examination questions also seek a summary of any actual cybersecurity incidents, the services affected, nature of the breach, the availability of services during the breach, and a number of other questions about each cybersecurity incident. Notably, although the examination requires companies to provide a large amount of information, the SEC explicitly issued a disclaimer that the “factors are not exhaustive, nor will they constitute a safe harbor.”
Nonetheless, it is good to see the SEC take a proactive approach to the cybersecurity risks posed to financial institutions. Hopefully, this will flow down to other companies because cybersecurity is a hot-button topic that is very concerning to customers and unlikely to be fully resolved soon. With cooperation between government agencies and the private industry, we can be hopeful that cybersecurity risks can be mitigated. As SEC Chair White has noted, there is a “compelling need for stronger partnerships between the government and private sector” to address cybersecurity threats.
LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions. This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through the criminal statute Computer Fraud and Abuse Act (CFAA).
Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied personal information off of those viewable pages, which contain extensive personal information. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.
LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident. The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers. LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?
The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information. According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account. Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.
The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer lists even though their access to the lists was permitted.
The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”
By: Karl Smith and Casselle Smith
The value of Bitcoin, the hottest and most widely traded virtual currency, plunged a little over a week ago, after China’s central bank issued a statement that the government is banning financial institutions from trading in the virtual currency. The price of a single Bitcoin fell from roughly $1200 on December 5th to less than $600, early morning December 8th. Thereafter it recovered somewhat, selling for around $700 as of December 16. At the time of this posting (12/18), the price had fallen once again to $571.
This time last year, Bitcoin were selling for roughly $13 apiece. Economists and financial experts have struggled to explain the meteoric rise in price to investors and to a public increasingly interested in the virtual currency. In many ways, the soaring price for Bitcoin looks like a classic bubble: Speculators pay through the nose for Bitcoin, hoping to unload them to an “even greater fool” who will come along later with the same plan. At first blush, this type of bubble appears to resemble a pyramid scheme that must inevitably collapse once all potential speculators have bought in.
Bitcoin, however, has important features that differentiate them from other bubble-prone assets. The fact that the crash coincided with a change in policy from the Chinese government makes it even more likely that the special features of Bitcoin have played an important role in their use.
The design of Bitcoin allows for almost completely secure and anonymous transactions. Users don’t have to trust that a bank or other financial intermediary will keep their information secret. For the most part, the very nature of a Bitcoin transaction does this. Consequently, the currency has attracted substantial interest from users engaged in illicit transactions. Some of these are of the kind familiar to American readers. The website Silk Road, for example, specialized in selling narcotics and accepting Bitcoin as payment; it has been shuttered by U.S. law enforcement.
The Chinese government’s ban on Bitcoin arose from a different sort of illicit transaction that is less familiar to Americans because it is designed to get around regulations that the United States does not impose… Here’s the rub: the Chinese government limits its citizens’ ability to invest outside of the country because it wishes to provide a large pool of capital available to Chinese industries. Since Chinese investors have limited choice, Chinese banks can offer them paltry rates of return that guarantee that the value of their investments will fail to keep up with inflation. Naturally, Chinese investors wanted a way out, and many of them turned to Bitcoin.
Chinese investors would buy Bitcoin using the local currency, the Yuan. They would then transfer the Bitcoin to a bank or other financial institution outside of China and have that institution sell the Bitcoin and invest the proceeds outside of China. When the investor was ready to cash in, she would simply instruct the financial institution to sell the foreign investments, use the proceeds to buy Bitcoin, and then transfer the Bitcoin back to her.
This loophole allowed Chinese investors to earn higher rates of return without being caught by the authorities. For a time, the Chinese government allowed the loophole to remain open. On Wednesday, however, the Chinese government banned financial institutions and, importantly, online platforms like Baidu.com, from doing any business in Bitcoin. Baidu is a Chinese search engine that, like Google, forms the backbone of how users connect online. Without Baidu’s help, finding someone to buy or sell Bitcoin in the first place becomes exponentially more difficult.
Fear that the Chinese market for Bitcoin would dry up seemed to lead speculators to dump the currency following the announcement. It also exposes the fundamental weakness of Bitcoin: while they allow enormous anonymity for users, connecting with a broad base of other users requires using a platform which almost necessarily does not seek anonymity. If it did, potential users would not know of their existence.
Regulators don’t have to crack down on users themselves but simply on the websites and platforms that connect them.
There is no readily apparent US or European analogue to the Chinese monetary policy that motivated the country’s crackdown. Hence, China’s stance does not necessarily indicate that an international sea change is afoot with respect to the legal nature of Bitcoin and other emerging virtual currencies. Nonetheless, to the extent that Bitcoin’s surge in value was precipitated by Chinese investors’ thirst for international investment capabilities, the recent crash highlights the currency’s deep vulnerability to changes in financial regulation around the world.
Karl Smith is the Creator and Chief Curator of Modeled Behavior, a leading international finance and economics blog currently hosted on Forbes. He blogs mostly on macroeconomics, rationality, philosophy, and futurism.
Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.
The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent an extremely significant amount of time playing video poker, discovered a bug in the software of the video poker machine that allowed for him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves where he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.
The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service.
In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding court one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”
Although the charges were ultimately dismissed, the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government only use them for their intended purposes. Prosecutions taking broad and unjustified interpretations of these statutes are not justified.
Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.
In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database, that he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, who published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change their security protocols.
Last November, Auernheimer was found guilty by a jury after a five day trial of violating the Computer Fraud and Abuse Act (CFAA) and conspiracy to gain unauthorized access to a computer without authorization. He was sentenced in March to 41 months imprisonment to be followed by three years of supervised release.
The CFAA prohibits accessing a computer without proper authorization, which is the same statute that Internet activist Aaron Swartz was convicted of violating. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violating a company’s terms of service and from bringing multiple charges against an individual for the same act.
The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.
We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?
President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.
This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.
Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.
One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy. Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”
If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.
In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.
The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.
Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”
The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.
Internet freedom has been a hotly debated issue on Capitol Hill in recent months with the Senate’s Protection of Intellectual Property Act (PIPA) and the House’s Stop Online Piracy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.
The issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.
The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.
Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.
One of the features of crimes committed over the Internet is that they may be committed from anywhere in the world where a defendant has access to a computer. A current case in New York shows that extradition likewise can reach around the globe.
On April 19, 2012, Anton Ivanov was extradited from Estonia to face charges of conspiracy to commit wire fraud and computer intrusion, among other offenses, in the U.S. District Court for the Southern District of New York. Ivanov is one of a number of defendants accused of a technologically sophisticated scheme that used malware and other techniques to reroute Internet traffic to websites chosen by the defendants because they were paid for driving traffic to those websites. According to the government, more than four million computers located in over 100 countries were infected with the malware as part of the scheme, which allegedly netted millions of dollars for the defendants.
Victims’ computers allegedly became infected with the malware when they visited certain websites or downloaded certain software to view videos online. The malware enabled the defendants to digitally hijack internet searches by changing the DNS server settings on victims’ computers to reroute their searches to “rogue DNS servers” controlled and operated by the defendants. Victims were re-directed to unwanted websites either when they clicked on internet search links that they thought would take them to other websites (what the government refers to as “click hijacking”) or through advertisements that Ivanov and others allegedly substituted for advertisements that were supposed to appear on particular web pages (what the government calls “advertising replacement fraud”). Arrangements have been made to substitute legitimate servers for the rogue servers as a temporary remediation measure so that victims’ computers will not lose their ability to access websites.
Ivanov has not yet indicated what his defense will be to the charges. He faces a maximum sentence of 85 years in prison in the case, which is pending before U.S. District Judge Lewis A. Kaplan. His next court appearance is set for April 23, 2012. Ivanov’s co-defendants in the case include five other Estonian nationals also arrested in November 2011 who are in custody in Estonia, and one Russian national, who remains at large.
As the Internet continues to expand to include a greater portion of the global economy, the ability to reach enormous numbers of computers will create incentives for technologically savvy wrongdoers to manipulate Internet users for illegal purposes. This case shows that the scale on which Internet conduct operates will mean that affiliate marketers and others who direct traffic on the Internet will be the subject of scrutiny by federal authorities. Even companies that are engaged in legitimate Web-based businesses need to be aware of this possible scrutiny.