Criminal accomplice liability for “PhaaS” providers?

Wired Magazine‘s “Jargon Watch” this month had an interesting new term, “PhaaS,” defined as follows:

Based on software-as-a-service (SaaS) business models, PhaaS packages, sold on the dark web, provide everything a newbie cyber-criminal needs to run a phishing con, including templates for scams, fake web pages, and access to servers. One even offers tech support and tutorials.

This new “service” dovetails with a category of technology discussed in my 2015 article on accomplice liability for technology providers:  technology designed for illegal use. There, the example was email spam software, but the principle is the same for Phaas providers.

You see, there are varied levels of involvement a software developer may have with a criminal organization. In particular, there are different considerations for the programmer who sells software knowing but not caring that a person will use it to violate the law, versus the programmer who designs software for criminal purposes.

As an example of the latter, consider Jerome O’Hara and George Perez, programmers for Bernie Madoff. I argued that this is the easiest case, because “[d]esigning a tool for use in a particular crime and giving it to a known purveyor of that crime” almost certainly subjects a person to liability as an accomplice. “The act of design for indictable use implies purposive attitude and a desire to aid the crime’s commission, and the provision to the known criminal is an act of association with the venture. It was likely similar reasoning that, in March 2014, led the jury in the case of Madoff’s programmers, who had worked for him for more than a decade, to find them guilty of conspiring to commit securities fraud.”

I suspect most PhaaS providers would fall under this category.

On the other hand, the question of whether the knowing sale of software capable of both legal and illegal use to a criminal is a criminal offense is harder. The Supreme Court, in Rosemond v. United States, expressly left open the question of accomplice liability for “defendants who incidentally facilitate a criminal venture rather than actively participate in it.” The Court added:

A hypothetical case is the owner of a gun store who sells a firearm to a criminal, knowing but not caring how the gun will be used. We express no view about what sort of facts, if any, would suffice to show that such a third party has the intent necessary to be convicted of aiding and abetting.

For such a PhaaS provider, one who knowingly sells to criminals but doesn’t care, to determine guilt, the court or jury would need to examine the range of the software’s legitimate uses and what exactly the provider knew about the purchaser. If the software is broadly sold for legitimate uses–say, sales to companies that test for cyber-security–then even if the PhaaS provider somehow knew a purchaser’s nefarious purpose, the provider might be innocent.

To understand why, consider this hypothetical from Judge Richard Posner:

Suppose you own and operate a store that sells women’s clothing. Every month the same young woman buys a red dress from your store. You happen to know that she’s a prostitute and wears the dress to signal her occupation to prospective customers. By selling her the dress at your normal price you assist her illegal activity, and probably you want the activity to succeed since if it fails she’ll stop buying the dress and your income will be less. But you are not an aider and abettor of prostitution because if you refused to sell to her she would buy her red dress from another clothing store, one whose proprietor and staff didn’t know her profession. So you’re not really helping her or promoting prostitution, as you would be if you recommended customers to her in exchange for a commission.

In the same way, if the PhaaS software had  “substantial unoffending uses,” then the provider shouldn’t be expected to police the use of the software. But if, as I suspect is the case, the software is capable of chiefly one use, and that use is criminal, then the PhaaS provider risks criminal punishment as an accomplice.

911 Calls in Criminal Cases

Image result for 911 call system poster

I’m working on a new piece about 911 calls and their unique place in criminal law.  Interestingly, the first federal appellate decisions mentioning 911 calls in criminal cases occurred in the mid-1980s, and there were only one or two per year. But then from 2012 to 2016, no less than 47 federal criminal appeal decisions per year, on average, involved 911 calls in some form or another. Even critical Supreme Court decisions, like the reasonable suspicion standard for anonymous calls from Navarette v. California, and the Confrontation Clause analysis from Davis v. Washington, hinge on unique perceived aspects of 911 systems.

There are four major areas of law I’ve identified where 911 calls play an out-sized role: (1) reasonable suspicion from anonymous tips, (2) the emergency aid exception to the warrant requirement, (3) the Confrontation Clause, and (4) hearsay.

I’ve also identified at least six problems with courts relying on with 911 technology in its current state: (1) outdated technology reducing location ability, (2) a shocking number of hang ups or pocket dials, (3) spoofing, (4) swatting, (5) inactive phones that can still dial 911, and (6) texting.

These problems, I argue, squarely undermine judicial faith in the reliability of calls placed through the 911 system. Any thoughts are welcome.

Court rules Dotcom extraditable

I’ve been following the Kim Dotcom saga since 2013, when I analyzed the government’s efforts to criminally prosecute filesharing services. There’s been no big news on that front since then. It seems the government is content to focus on extraditing the members of Megaupload.

Well, this week brought a major setback for Kim Dotcom’s efforts to avoid prosecution in the United States, as he lost his appeal challenging his extradition order.  As reported by the BBC:

The High Court agreed with the defence that the accused could not be extradited on the basis of alleged copyright infringement, since “online communication of copyright protected works to the public is not a criminal offence in New Zealand”.

However they can be extradited on the fraud charges, he said, as they are crimes in New Zealand.

The ruling does not determine the defendants’ guilt or innocence, merely that they can be sent to the US for trial.

This is far from the end of the road, as reported on TechCrunch:

Once again, Dotcom plans to appeal the ruling, which could send the case to the Court of Appeal and perhaps even the New Zealand Supreme Court. In an interview with the New Zealand Herald, Dotcom predicted there are still another two years of legal battles ahead.

 

Trump’s judicial criticism is dangerously reckless

Artists-impressions-of-Lady-Justice, (statue on the Old Bailey, London)
This is Donald Trump’s tweet from Saturday, mocking a federal judge who halted his travel ban for refugees:

One of my biggest fears about President Trump was that he would try to undermine the judiciary if it pushed back on his orders. Our federal judges are, across the board, extremely high caliber. To insult this judge, who was appointed by President Bush, as a “so-called judge” is needlessly disrespectful and dangerous. To those who support Trump, please don’t follow him down this misguided path of disparaging our federal judiciary.

To be clear, I often disagree with judges’ decisions. But not with their authority or integrity based solely on a ruling I disagree with. Will Baude pointed this out over at Volokh Conspiracy:

There have been occasions when officials questioned not just the courts’ decisions but also their authority — Attorney General Bates’s discussion of judicial authority during the Civil War may be the most important example — but this is rarer. And while the difference between the two is sometimes fuzzy, and may seem minor, it is deadly serious.

If the court has authority, then the parties are legally required to follow its judgment: even if it is wrong; even if it is very wrong; even if the President does not like it. But if the court does not have authority, then perhaps it can be defied. So the charge of a lack of authority is a much more serious one. It is the possible set-up to a decision to defy the courts — a decision that is unconstitutional if the court does indeed have authority to decide the case.

A friend compared this to President Obama’s 2010 State of the Union, in which he criticized the Citizens United decision in front of Supreme Court Justices in attendance. That is an interesting comparison, and I think it underscores why Trump’s tweet is so reckless.

I looked back at Obama’s remarks. He didn’t attack the legitimacy of the institution (i.e., “so-called” judge). He made a cogent policy argument for why he thought Congress should act in the wake of the Court’s decision. He also was careful to preface his comments with “With all due deference to separation of powers.”

Trump’s remarks are kneejerk and crass, and appear aimed to sow the seeds among his supporters that judges who oppose him are the enemy.

Here’s Obama’s full remarks, for comparison:

With all due deference to separation of powers, last week the Supreme Court reversed a century of law that I believe will open the floodgates for special interests –- including foreign corporations –- to spend without limit in our elections. I don’t think American elections should be bankrolled by America’s most powerful interests, or worse, by foreign entities. They should be decided by the American people. And I’d urge Democrats and Republicans to pass a bill that helps to correct some of these problems.

You won’t get a fight from me on the fact that there are very good arguments to be made that executive authority is run amok. But until now, when challenged in court, the executive has allowed the system to follow its normal course, without ad hominem attacks on the judges involved. I think Democrats would be smart to get Gorsuch to condemn this stuff and stand up for the judicial system during his confirmation hearing. Eric Posner suggested something similar in the New York Times:

[Gorsuch] is the only judge in whom the president has publicly expressed confidence — by nominating him to a judicial position. A rebuke from Judge Gorsuch would be a stinging blow. It would, or at least might, protect the judiciary from further attacks from Mr. Trump for years to come.

Posner pulled out a quote from one of Judge Gorsuch’s opinions, In Re Renewable Energy Development Corp., 792 F. 3d 1274, 1277-78 (10th Cir. 2015) (citations omitted), that is too apt not to share:

[T]he framers lived in an age when judges had to curry favor with the crown in order to secure their tenure and salary and their decisions not infrequently followed their interests. Indeed,  the framers cited this problem as among the leading reasons for their declaration of independence. And later they crafted Article III as the cure for their complaint, promising there that the federal government will never be allowed to take the people’s lives, liberties, or property without a decisionmaker insulated from the pressures other branches may try to bring to bear.  To this day, one of the surest proofs any nation enjoys an independent judiciary must be that the government can and does lose in litigation before its “own” courts like anyone else.

The data doesn’t back up the refugee ban

Leo Gestel Vluchtende Belgen 1914
Lately, I’m a Facebook junkie. I can’t stop reading everyone’s passionate posting, pro and con, about this refugee ban. I think it is worthwhile to share some of the best research on this topic I’ve discovered.

Cato Institute’s Terrorism and Immigration: A Risk Analysis 

First, I explored evidence on the real risk refugees pose. A Cato Institute study found that an American’s chance of being killed by a refugee is  1 in 3.64 billion. That study concludes the following:

Foreign-born terrorism on U.S. soil is a low-probability event that imposes high costs on its victims despite relatively small risks and low costs on Americans as a whole. From 1975 through 2015, the average chance of dying in an attack by a foreign-born terrorist on U.S. soil was 1 in 3,609,709 a year. For 30 of those 41 years, no Americans were killed on U.S. soil in terrorist attacks caused by foreigners or immigrants. Foreign-born terrorism is a hazard to American life, liberty, and private property, but it is manageable given the huge economic benefits of immigration and the small costs of terrorism. The United States government should continue to devote resources to screening immigrants and foreigners for terrorism or other threats, but large policy changes like an immigration or tourist moratorium would impose far greater costs than benefits.

Pew Research Forum Refugee Stats

Pew Research also put out a few useful fact briefings. The number of total refugees from all countries last year was pretty low, capped at 110,000 per year under Obama (and that was the highest number since 1994). And the screening process took 18 to 24 months. Here are Pew’s other points:

1. Historically, the total number of refugees coming to the U.S. has fluctuated along with global events and U.S. priorities.

2. The U.S. admitted 84,995 refugees in the fiscal year ending in September 2016, the most in any year during the Obama administration.

3. In fiscal 2016, the highest number of refugees from any nation came from the Democratic Republic of Congo.

4. Nearly 39,000 Muslim refugees entered the U.S. in fiscal 2016, the highest number on record …

5. California, Texas and New York resettled nearly a quarter of all refugees in fiscal 2016, together taking 20,738 refugees.

6. The U.S. public has seldom approved of accepting large numbers of refugees.

The numbers in the U.S. pale in comparison to the 1.3 million refugees who flooded Europe in 2015 (which Trump supporters are pointing to as a reason for his order). Turkey has more than 2.5 million Syrian refugees. Lebanon has 1 million. In mid-2015, the United States ranked 75th for refugees per 1,000 inhabitants.  Trump has now lowered the number per year to just 50,000 for all refugees (that’s on top of the ban).

Charles Kurzman’s and David Schanzer’s Risk Assessment

Also, there seems to be many more pressing risks of violence in the United States. According to research from Charles Kurzman and David Schanzer, since 9/11, white-supremacists and right-wing extremists actually committed more domestic terrorist acts than radicalized Muslims, though attacks by radical Muslims killed slightly more people. Yet no one is proposing we detain white supremacists to protect the country.  And no attacks have occurred from refugees coming from the countries Trump banned. The San Bernardino shooter was born in Chicago, to Pakistani parents. The Pulse Nightclub shooter was born in New York, to Afghan parentsThe Boston Bomber was born in Chechnya.

The data doesn’t back up this ban.

Trump’s cruel and arbitrary refugee order

20151030 Syrians and Iraq refugees arrive at Skala Sykamias Lesvos Greece 2

​This executive order is heartbreaking.

When I lived in Atlanta about 7 years ago, I mentored two refugee brothers from Iran through the International Rescue Committee. They were members of a persecuted minority. They taught me far more than I taught them. They were so generous, kind, and hardworking. They invited me in their home. Fed me. Shared their lives and culture. The elder brother worked long hours at Target, stacking shelves. He looked out for his younger brother, who was still in high school. Each weekend, he cooked a big batch of a meat and rice dish (mostly rice), and he always offered me some. Their parents hadn’t come with them. But it was worth it for them to escape a society where they faced little future.

This is a cruel and arbitrary decision.

The order has refugees detained at airports, including “an Iranian scientist headed to a lab in Boston, an Iraqi who had worked as an interpreter for the United States Army, and a Syrian refugee family headed to a new life in Ohio.”

Worse yet, there’s no evidence this ban is needed, as reported in Christianity Today:

There is a 1 in 3.64 billion per year chance that you will be killed by a refugee in a given year. If those odds concern you, please do not get in a bathtub, car, or even go outside. And, for contrast, there were 762 tragic murders in Chicago alone last year comparted to 0 people who were killed last year (or ever since the mid-70s) by a refugee-perpetrated terrorist attack.

And it not only hurts these refugees, it sends an awful message:

If America bans refugees, it makes a statement to the world that we don’t want to make. It is the picture of someone who sits, arms crossed and turned away, with a raised eyebrow and a ready attack on the helpless, the homeless, the broken.

I hope immigration advocates find a way for the courts to step in to stop this vile policy.

Technology and the Guilty Mind: When Do Technology Providers Become Criminal Accomplices?

This is new story art for my article examining when the proprietors of technology with criminal uses aid and abet their users’ crimes. The aim is to help courts, prosecutors, and technologists draw the line between joining a criminal enterprise and merely providing technology with criminal uses. The article explains the legal doctrines underlying this type of liability and provides examples of at-risk technologies, including spam software, file-sharing services, and anonymity networks like Tor.