Technology and the Guilty Mind: When Do Technology Providers Become Criminal Accomplices?

This is new story art for my article examining when the proprietors of technology with criminal uses aid and abet their users’ crimes. The aim is to help courts, prosecutors, and technologists draw the line between joining a criminal enterprise and merely providing technology with criminal uses. The article explains the legal doctrines underlying this type of liability and provides examples of at-risk technologies, including spam software, file-sharing services, and anonymity networks like Tor.

FBI’s Network Investigative Technique

The term “network investigative technique,” or NIT, has been around for awhile as a catch-all term for the FBI’s digital investigation of non-public information from suspect’s computers.  An FBI affiliate worryingly admitted to Forbes that the government uses a “human wall” to screen collected data to try to protect privacy rights.

This technique is making a big splash recently through “Operation Pacifier.”  Through that operation, the FBI took control of a child porn site operating on Tor and allowed it to run for 13 days. The FBI modified the website’s code so that malware would download to users’ computers and sent their IP addresses, MAC addresses, and active username to the FBI.

A single magistrate judge in Virginia authorized the warrant, yet the operation was global in scope and uncovered approximately 1300 IP addresses. See Joseph Cox, The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers, Motherboard, Jan. 5, 2016.

Most of the warrant has been made public. See United States v. Lorente, No. 15-274, ECF Doc. No. 48-1 (W.D. Wash. Mar. 7, 2016). Defendants have filed motions to dismiss and to suppress, but so far, courts in Wisconsin and Washington have rejected those motions.

Lessig on the charges against Dotcom and Megaupload

kim dotcomThis morning, Kim Dotcom, accused by the Department of Justice of criminal copyright infringement, is in a New Zealand court to see if he will be extradited to the United States.

One of the things in Dotcom’s corner is testimony from Lawrence Lessig, a preeminent U.S. copyright scholar, and current presidential candidate. He argued to the court that the DOJ doesn’t have a legitimate case against Dotcom. Of course Lessig isn’t exactly a neutral party. As he acknowledged to the court, on top of being retained by Dotcom’s defense, he’s also advocated for copyright reform, co-founding Creative Commons.

But how’s his argument stack up? His first argument strikes at the heart of the DOJ’s theory, contending that the DOJ is improperly seeking to import the concept of secondary liability, recognized in MGM Studios Inc. v. Grokster, Ltd., to criminal law. This is “improper,” he contends, “because, in the United States, crimes must be clearly defined by the legislature and prosecutions are confined within express criminal statutes.” There is a fair argument to be made that this importing of principles from civil law violates the rule of lenity.

Lessig then takes aim at one specific allegation against Megaupload: that it failed to comply with DMCA take-down requests. Lessig explains that, if multiple users uploaded the same file, Megaupload would retain only one copy of the file, but would generate multiple URLs for each user who uploaded it. When Megaupload received take-down requests for one URL, Lessig argues, it should not have needed to take down all URLs linked to the same file, and even if it did, it should not face criminal liability for that action.

Lessig also takes on an even more controversial issue: whether U.S. copyright law extends to parties acting in other countries. Megaupload in fact had leased servers in the United States. But Lessig asserts that the Superseding Indictment doesn’t discuss this fact. Nor, he claims, does it allege that a directly infringing act occurred in this country.

Lessig then turns to what I believe is the core of Megaupload’s defense if it ultimately goes to trial in the United States: whether any of the defendants willfully violated copyright law. He notes that the willfulness standard “requires a stronger showing in a criminal copyright claim than in a civil claim.” (That is why claims of compliance with DMCA rules is a red herring in the Megaupload prosecution.) Lessig suggests that U.S. prosecutors are merely “[a]ttacking an ISP for generally bad or negligent policies or alleging how the ISP could be better, faster, or more precise in its takedown or repeat infringer policies is not enough.” And that, he contends, is not proper fodder for a criminal case.

Not all U.S. copyright scholar agree. James Grimmelman has observed that “If proven at trial, there’s easily enough in the indictment to prove criminal copyright infringement many times over.”

In a 2013 article, a co-author and I also suggested that, “if the facts alleged in the indictment are proved, the willfulness requirement will likely be met,” for the following reasons:

According to the indictment, the operators of Megaupload were just as intentional in their copyright infringement as The Pirate Bay, collecting advertising revenues generated by infringing content and exchanging incriminating emails showing that they knew about the infringement on their service. One operator joked to another that they “have a funny business . . . modern days pirates :),” to which his co-conspirator responded, “we’re not pirates, we’re just providing shipping services to pirates :).” Megaupload similarly sold premium access to unlimited streaming of uploaded content and financially rewarded users—even those previously caught uploading infringing material—for uploading popular content and for posting links to that same content on other websites. This practice not only increased traffic but also allowed Megaupload to avoid listing infringing videos directly on the site, concealing the scope of the infringing content on its servers. To rebut claims of infringement, Megaupload had instituted an “Abuse Tool,” allowing copyright holders to report, and purportedly remove, infringing content. But the indictment alleges that the company received millions of requests to remove infringing content and, “at best, only deleted the particular URL of which the copyright holder complained, and purposefully left the actual infringing copy of the copyrighted work on the Mega Conspiracy-controlled server and allowed access to the infringing work to continue.”

Lessig does a good job of showing the other side of these facts. But whether it is enough to defeat extradition is yet to be seen.

Also lurking in the background is the idea floated in the 2013 piece: just because prosecutors can, doesn’t mean they should.

Megaupload has not been convicted, and may never be, yet its business has been shut down, its assets frozen, its customers left unable to retrieve even lawfully stored data. Some of this smacks of the treatment of the King’s Messenger: punishment first, with trial after. … [W]hen the alleged conduct is egregious, and civil lawsuits are ineffective, then a criminal prosecution, with all its attendant hardships for the accused, may be warranted. But [those guidelines] are intended as limitations, not as a call to pursue more prosecutions. Because the powers of federal prosecutors are great, a reluctance to use those powers is a virtue that preserves liberty.

If the case survives today, then the court might consider employing the “substantial unoffending uses” test suggested here for evaluating the secondary criminal liability of providers of technology that has both criminal and non-criminal uses.

DOJ Says: Search Warrants for Cell-Site Simulators

This week, the Department of Justice issued an important “enhanced policy for use of cell-site simulators” (also known as stingrays, triggerfish, or IMSI catchers). The document essentially admits what many have criticized about the devices—that they “force every cell phone in a region to connect to them; so if a government stingray drives past your office, it will collect the signal of your phone as well as the government’s target.” In the DOJ’s words: “When used to locate a known cellular device, a cell-site simulator initially receives the unique identifying number from multiple devices in the vicinity of the simulator. Once the cell-site simulator identifies the specific cellular device for which it is looking, it will obtain the signaling information relating only to that particular phone. When used to identify an unknown device, the cell-site simulator obtains signaling information from non-target devices in the target’s vicinity for the limited purpose of distinguishing the target device” (emphasis added).

Before the new policy, police routinely disguised use of stingrays by using them under the auspices of a “pen register” order. But scholars argue that these devices are capable of much more than pen registers, which are devices that merely record “numbers called from a particular telephone line.

Under the enhanced guidelines, agents are instructed to obtain a search warrant before using a stingray. On top of that, the search-warrant applications are to disclose certain information about the technology. This includes notifying the judge that the devices can sweep up “unique identifiers” from non-targeted phones and disrupt service to those phones.

The policy further instructs that “cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3).”

Time will tell if this enhanced policy will move the needle on the secretive nature of these devices. As EFF notes, “[u]ntil recently, law enforcement’s use of Stingrays has been shrouded in an inexplicable and indefensible level of secrecy.”

Interactive Tool for Criminal Justice Reform: The Prison Population Forecaster

Check out this interesting new feature produced by the Urban Institute to showcase the potential effect of different types of reforms for decreasing mass incarceration. The Urban Institute explains:

The tool currently uses data from 15 states, representing nearly 40 percent of the national prison population, to forecast population trends and project the impact of changes on rates of admission or lengths of stay in prison.

Using the tool, we can see that in some states, limiting prison admissions to only new crimes and diverting parole and probation revocations will substantially reduce the number of people behind bars. Other states can stem prison growth by tackling how they address drug and property offenses. Still others may discover that modest reductions in time served for violent offenses are necessary.

As promoting this feature in the New York Times, “When President Obama, the Koch Brothers, the American Civil Liberties Union and Newt Gingrich all agree on an issue, you know that something important may be happening.”

   EMBED :: VIEW THE FULL FEATURE

 

Excellent Profile of Cook County Jail as Mental Health Facility

There is an excellent article about Cook County Jail in the Atlantic this week entitled “America’s Largest Mental Hospital Is a Jail.” The article hits on some of the same points I made in this post from 2012 on the propriety of incarceration versus electronic monitoring for pretrial detainees, especially when nonviolent.

A few fascinating facts from the article:

  • Cook County Sheriff Tom Dart recently appointed a clinical psychologist as the executive director of the jail.  She “is currently the only mental health professional in charge of a major jail in the United States.”
  • “A study in 1990 found that 1 in 15 prisoners at Cook County Jail had some form of mental illness. Today, a conservative estimate is 1 in 3.”
  • The article calls the jail’s processing system “unusual, and possibly unique”: “After the normal post-bail intake procedure is complete, inmates file through a series of concrete cubicles staffed by a battalion of employees from the Cook County Health and Hospitals System. About 600 of the county hospital system’s 6,000 employees work at Cook County Jail. If the inmate is eligible, county officials can sign up him or her for CountyCare, a health insurance program for low-income Cook County residents created through the Affordable Care Act’s expansion of Medicaid. The assembly-line layout allows the county to process about 200 applications a day. Over 10,000 inmates have signed up so far.”

Rosemond v. United States & technology providers

Yesterday, the Supreme Court issued its decision in Rosemond v. United States, which addresses the culpability of a man who was charged with aiding and abetting another person’s use of a gun in relation to a drug offense.  The court decided that he is liable if he knew ahead of time that one of the people he drove to a drug deal with had brought a gun.

In reaching that result, Justice Kagan, writing for the majority, re-addressed some fundamental principles of aiding and abetting law (Rory Little at SCOTUSblog calls the decision “a primer on aiding and abetting law”). Since I recently co-authored an article on the aiding and abetting liability of technology providers, this decision was of particular interest.

The article addresses the lingering confusion over whether the mens rea for aiding and abetting is “shared purpose” or “knowing assistance.” Justice Kagan serves up a sort of blending of the two ideas, which is common among appellate courts. Justice Alito, in dissent, writes that he wishes the court would have addressed the two differing standards, but instead “refers interchange­ably to both of these tests and thus leaves our case law in the same, somewhat conflicted state that previously existed.”  Justice Alito also says, however, that he thinks the difference between the tests is “slight.”

The point in our article is that this slight distinction can have important implications for technology providers who may be at risk of being considered accomplices of their users’ crimes. Rosemond certainly adds to the conversation about that topic, but doesn’t do much to answer the question. In fact, the Court, in footnote 8, expressly takes no view on “defendants who incidentally facilitate a criminal venture rather than actively participate in it,” as with “the owner of a gun store who sells a firearm to a criminal, knowing but not caring how the gun will be used.” This hypothetical strikes at the heart of the concerns faced by technology providers.

Interestingly, Justice Scalia joined the majority opinion except for footnotes 7 and 8. The Volokh Conspiracy has an interesting discussion about how, and why, that happened, as does DailyKos.)

In other news, our article, and its title, are featured on BookForum’s Omnivore blog today.

New Podcast on Criminal Liability of Tech Companies

There’s a new discussion up at “The Law Review,” a podcast run by legal research company Fastcase, discussing some of the ideas in my recent article, Technology and the Guilty Mind, about the potential criminal liability of technology providers for aiding and abetting their users. The guest for the conversation is Fastcase CEO Ed Walters.

The part that addresses the article starts around the 12-minute mark with a dialogue on Judge Posner’s hypothetical (discussed in the paper) about a dress seller who knows his client is using his dresses in her prostitution business. The  conversation then focuses on how doctrine about knowing assistance of criminals may apply to tech companies in the communications industry (like Fastcase).  Thanks to Fastcase for highlighting the article!

Update on Kim Dotcom Extradition

Kim Dotcom crowdThere’s been two significant developments this week in the ongoing effort to extradite Kim Dotcom (the CEO of the now-defunct Megaupload) from New Zealand to the United States to face criminal charges of copyright infringement. I’ve been following the proceedings since co-authoring Criminal Copyright Enforcement Against Filesharing Services, 15 North Carolina Journal of Law and Technology 101 (2013).

First, there is a development in regard to fallout from the January 2012 raid on Dotcom’s mansion conducted by New Zealand police, at the request of U.S. authorities.  Dotcom audaciously mocked the raid at the launch event for his new service “Mega” in January 2013 by staging “a raid re-enactment complete with helicopters marked ‘FBI,’ and dancing girls clad in military-style dress (but with miniskirts).”

Meanwhile, Dotcom has challenged the search warrant underlying the raid in New Zealand courts. This had some success. First, the Prime Minister apologized to Dotcom for the government spying on him. Then, in November 2013, a New Zealand High Court Judge ruled that the search warrants used in the raid were not proper because they were just “general warrants” and thus “did not adequately describe the offences to which they related.”

This week, however, Dotcom has faced a set back. On February 19, an appellate court issued a decision disagreeing with the High Court Judge’s analysis and concluding that the warrants were valid. You can read the appellate decision here.  Dotcom has vowed on Twitter to appeal to the New Zealand Supreme Court. But as noted by the Independent, “[t]he decision will benefit US prosecutors who say the Megaupload website has cost film studios and record companies more than $500 million (£300 million) and generated more than $175 million in criminal proceeds by letting users store and share copyrighted material, such as movies and TV shows.”

Second, the extradition hearing for Dotcom that was scheduled for April 2014 was delayed on February 25, with a new date yet to be set. It’s already been delayed before. The delay is probably meant to allow time for the proceedings about the search warrant to resolve. But Dotcom, in his standard provocative manner, has”accuse[d] the New Zealand government of interfering in the judicial process, to delay the hearings until after the country’s election, due in either October or November,” according to The Register.

Third, as a bonus, Dotcom gave an interview this week to Complex Tech in which he mouths off about the charges against him. He complains that Google has had many more takedown requests related to pirated links than Megaupload ever had, but yet is still in business. Of course, as my paper explains, Megaupload’s real problem wasn’t the number of takedown requests it received, it’s that prosecutors allege that the company either ignored those requests or helped facilitate the re-posting of pirated material.

Finally, Dotcom also mentions in the interview some sort of tripped-out new file service “called Meganet, which is basically kind of like a fluid ocean of data where whatever glass of water you dump into it you can never extract from it anymore, and you kind of just meet the water in the ocean somewhere.” We’ll see where that goes.