FBI’s Network Investigative Technique

The term “network investigative technique,” or NIT, has been around for awhile as a catch-all term for the FBI’s digital investigation of non-public information from suspect’s computers.  An FBI affiliate worryingly admitted to Forbes that the government uses a “human wall” to screen collected data to try to protect privacy rights.

This technique is making a big splash recently through “Operation Pacifier.”  Through that operation, the FBI took control of a child porn site operating on Tor and allowed it to run for 13 days. The FBI modified the website’s code so that malware would download to users’ computers and sent their IP addresses, MAC addresses, and active username to the FBI.

A single magistrate judge in Virginia authorized the warrant, yet the operation was global in scope and uncovered approximately 1300 IP addresses. See Joseph Cox, The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers, Motherboard, Jan. 5, 2016.

Most of the warrant has been made public. See United States v. Lorente, No. 15-274, ECF Doc. No. 48-1 (W.D. Wash. Mar. 7, 2016). Defendants have filed motions to dismiss and to suppress, but so far, courts in Wisconsin and Washington have rejected those motions.

Lessig on the charges against Dotcom and Megaupload

kim dotcomThis morning, Kim Dotcom, accused by the Department of Justice of criminal copyright infringement, is in a New Zealand court to see if he will be extradited to the United States.

One of the things in Dotcom’s corner is testimony from Lawrence Lessig, a preeminent U.S. copyright scholar, and current presidential candidate. He argued to the court that the DOJ doesn’t have a legitimate case against Dotcom. Of course Lessig isn’t exactly a neutral party. As he acknowledged to the court, on top of being retained by Dotcom’s defense, he’s also advocated for copyright reform, co-founding Creative Commons.

But how’s his argument stack up? His first argument strikes at the heart of the DOJ’s theory, contending that the DOJ is improperly seeking to import the concept of secondary liability, recognized in MGM Studios Inc. v. Grokster, Ltd., to criminal law. This is “improper,” he contends, “because, in the United States, crimes must be clearly defined by the legislature and prosecutions are confined within express criminal statutes.” There is a fair argument to be made that this importing of principles from civil law violates the rule of lenity.

Lessig then takes aim at one specific allegation against Megaupload: that it failed to comply with DMCA take-down requests. Lessig explains that, if multiple users uploaded the same file, Megaupload would retain only one copy of the file, but would generate multiple URLs for each user who uploaded it. When Megaupload received take-down requests for one URL, Lessig argues, it should not have needed to take down all URLs linked to the same file, and even if it did, it should not face criminal liability for that action.

Lessig also takes on an even more controversial issue: whether U.S. copyright law extends to parties acting in other countries. Megaupload in fact had leased servers in the United States. But Lessig asserts that the Superseding Indictment doesn’t discuss this fact. Nor, he claims, does it allege that a directly infringing act occurred in this country.

Lessig then turns to what I believe is the core of Megaupload’s defense if it ultimately goes to trial in the United States: whether any of the defendants willfully violated copyright law. He notes that the willfulness standard “requires a stronger showing in a criminal copyright claim than in a civil claim.” (That is why claims of compliance with DMCA rules is a red herring in the Megaupload prosecution.) Lessig suggests that U.S. prosecutors are merely “[a]ttacking an ISP for generally bad or negligent policies or alleging how the ISP could be better, faster, or more precise in its takedown or repeat infringer policies is not enough.” And that, he contends, is not proper fodder for a criminal case.

Not all U.S. copyright scholar agree. James Grimmelman has observed that “If proven at trial, there’s easily enough in the indictment to prove criminal copyright infringement many times over.”

In a 2013 article, a co-author and I also suggested that, “if the facts alleged in the indictment are proved, the willfulness requirement will likely be met,” for the following reasons:

According to the indictment, the operators of Megaupload were just as intentional in their copyright infringement as The Pirate Bay, collecting advertising revenues generated by infringing content and exchanging incriminating emails showing that they knew about the infringement on their service. One operator joked to another that they “have a funny business . . . modern days pirates :),” to which his co-conspirator responded, “we’re not pirates, we’re just providing shipping services to pirates :).” Megaupload similarly sold premium access to unlimited streaming of uploaded content and financially rewarded users—even those previously caught uploading infringing material—for uploading popular content and for posting links to that same content on other websites. This practice not only increased traffic but also allowed Megaupload to avoid listing infringing videos directly on the site, concealing the scope of the infringing content on its servers. To rebut claims of infringement, Megaupload had instituted an “Abuse Tool,” allowing copyright holders to report, and purportedly remove, infringing content. But the indictment alleges that the company received millions of requests to remove infringing content and, “at best, only deleted the particular URL of which the copyright holder complained, and purposefully left the actual infringing copy of the copyrighted work on the Mega Conspiracy-controlled server and allowed access to the infringing work to continue.”

Lessig does a good job of showing the other side of these facts. But whether it is enough to defeat extradition is yet to be seen.

Also lurking in the background is the idea floated in the 2013 piece: just because prosecutors can, doesn’t mean they should.

Megaupload has not been convicted, and may never be, yet its business has been shut down, its assets frozen, its customers left unable to retrieve even lawfully stored data. Some of this smacks of the treatment of the King’s Messenger: punishment first, with trial after. … [W]hen the alleged conduct is egregious, and civil lawsuits are ineffective, then a criminal prosecution, with all its attendant hardships for the accused, may be warranted. But [those guidelines] are intended as limitations, not as a call to pursue more prosecutions. Because the powers of federal prosecutors are great, a reluctance to use those powers is a virtue that preserves liberty.

If the case survives today, then the court might consider employing the “substantial unoffending uses” test suggested here for evaluating the secondary criminal liability of providers of technology that has both criminal and non-criminal uses.

New Analysis of Big-City Crime Statistics

Scare Headlines Exaggerated The U.S. Crime Wave.” Or so argues an article published Friday at FiveThirtyEight—the data-heavy news outlet founded by political-prediction wunderkind Nate Silver.

In the article, Carl Bialik describes the results of examining the 2015 homicide data for 59 of the 60 biggest cities. He observes that, although there has been an overall increase of 16% in big-city homicides this year, “the picture varies a lot by city: Homicides are up 76 percent in Milwaukee, but down 43 percent in Boston. They’re also down in 19 other cities.” Moreover, the increase “doesn’t come close to reversing the long-term decline in homicides.”

Bialik goes on to explain that homicide rates regularly fluctuate, so we shouldn’t assume—as many media outlets have suggested—that a one-year murder spike in some big cities means a crime wave is afoot.

It was interesting to see the way this affects on-the-ground police work:

[Milwaukee police Chief Edward] Flynn is frustrated with the data disconnect faced by big-city police departments. Many of them employ data analysts and track their stats in real time — Flynn has 16 analysts, up from zero when he took over the department in 2008, and he rattled off his city’s crime stats from memory. Yet he and his peers must rely on informal exchanges and potentially skewed media reports to find out what crime trends those in other big departments are seeing.

Darrel Stephens, executive director of the Major Cities Chiefs Association, added the following:

You look at economic data, at labor data, at all kinds of data the government collects that is immediately available. …. We don’t have anything like that in policing.

The article thus ends with a call for local governments to share more crime data with each other, but also an acknowledgement of the difficulties of doing so. Seems like a worthy objective.

In the meantime, the words of the Avett Brothers:

If I get murdered in the city
Don’t go revenging in my name
One person dead from such is plenty
No need to go get locked away

Which states have the most federal immigration crimes per unauthorized immigrant?

The following map shows an estimated percentage of federal immigration cases per unauthorized immigrant for each state. It uses research from the Pew Research Center on estimated state unauthorized immigrant populations in 2012, and data from the U.S. Sentencing Commission for federal immigration offenses that same year. Untitled

I excluded five states—Maine, the Dakotas, Vermont, and Montana—because Pew could only determine that the unauthorized immigrant population in those states was less than 5,000, and the imprecision at those low value threw off the calculations.

Some interesting things to note: New Mexico had the highest level of federal prosecutions per unauthorized immigrant. The state’s 2012 unauthorized immigrant population was estimated at 70,000, and there were 2,097 federal immigration cases, for a rough estimate of nearly 3% of the unauthorized immigrants being prosecuted. In contrast, federal officials in New Jersey, which had a 2012 authorized immigrant population of around 525,000, prosecuted only 45 immigration cases that year (not even .01%). The average percentage was .24.

The “why” for these statistics is not cut and dry. It could be that immigration officials conduct more aggressive enforcement in some states. Or that federal prosecutors prosecute more of the offense brought to them. Or that there is some reason unauthorized immigrants are staying under the radar in certain places.

Here is a link to download an excel file with the statistics.

Excellent Profile of Cook County Jail as Mental Health Facility

There is an excellent article about Cook County Jail in the Atlantic this week entitled “America’s Largest Mental Hospital Is a Jail.” The article hits on some of the same points I made in this post from 2012 on the propriety of incarceration versus electronic monitoring for pretrial detainees, especially when nonviolent.

A few fascinating facts from the article:

  • Cook County Sheriff Tom Dart recently appointed a clinical psychologist as the executive director of the jail.  She “is currently the only mental health professional in charge of a major jail in the United States.”
  • “A study in 1990 found that 1 in 15 prisoners at Cook County Jail had some form of mental illness. Today, a conservative estimate is 1 in 3.”
  • The article calls the jail’s processing system “unusual, and possibly unique”: “After the normal post-bail intake procedure is complete, inmates file through a series of concrete cubicles staffed by a battalion of employees from the Cook County Health and Hospitals System. About 600 of the county hospital system’s 6,000 employees work at Cook County Jail. If the inmate is eligible, county officials can sign up him or her for CountyCare, a health insurance program for low-income Cook County residents created through the Affordable Care Act’s expansion of Medicaid. The assembly-line layout allows the county to process about 200 applications a day. Over 10,000 inmates have signed up so far.”

Review: The Internet Police

Internet Police by Nate AndersonI recently finished “The Internet Police: How Crime Went Online, and the Cops Followed” by Nate Anderson, who writes for Ars Technica, and I loved it. I found his writing compelling and the stories fascinating. I’m sure that my being a lawyer influenced the book’s appeal for me, as Anderson has a particular focus on legal proceedings. In chapter 8, for example, he discusses being the only reporter to sit through the entire retrial of a lady sued for copyright infringement. Anderson’s familiarity with the law shows throughout the book. He was generally spot on in his discussion of legal topics, and I especially appreciated how he highlighted the important role for federal judges in shaping society’s approach to technology. In fact, federal legal proceedings or decisions take center stage in roughly half of the book’s chapters.

The chapters are helpfully broken down based on topics, and each one tracks a major story throughout the whole chapter.  I particularly enjoyed the discussion of the federal takedown of the child-pornography website “The Cache” (chapter 2), and the efforts to take out Sanford “Spamford” Wallace (chapter 7). Further, the story of “Sealand” and HavenCo, which I had not been familiar with, was very entertaining (chapter 1). The section on copyright infringement also interested me because it touched on many of the same issues discussed in my upcoming article about Megaupload.

As for general themes in the book, one consistent emphasis is how private parties often lobby the federal government to take over efforts to police online activity because of the government’s perceived greater resources. Another is how the tools developed by online criminals are the same tools (with the same threat to privacy) law enforcement uses to track criminals down.

Finally, I liked Anderson’s discussion of the balance of chaos versus regulation on the Internet, and the pros and cons of swinging too far in either direction (too much chaos=child porn, credit-card fraud; too much regulation=no innovation, no privacy). His summary of this balance near the end of the book nicely showcases what could be called the book’s thesis: “Life is messy business on the Internet as it is everywhere else, and we’re never going to engineer the mess out of it. That doesn’t mean we ever accept crime, piracy, or boorish behavior, but we tolerate them online just as we tolerate a certain amount of drunk driving, tax fraud, or jaywalking. Many such problems could be nearly eliminated if we just tried hard enough—required breath tests before every car start, conducted audits on every tax return, posted cops at every corner. But the cost of total order is totalitarianism; the real challenge is making prudential judgments about how we weigh risks and rewards, costs and benefits, order and chaos.”

Social media and Chicago gangs

Kids off the Block Stone Markers with names IMG 4815
Bricks with names of young victims
I want to draw attention to an excellent article in the October issue of Wired Magazine about how social media is amping up the gang wars in Chicago.  The article starts by discussing Chief Keef and Lil JoJo, two rival rappers who taunted each other through YouTube and Twitter. Keef got a million-dollar record deal; JoJo was shot and killed.

Ben Austen, who wrote the article, interviewed people on the ground in Chicago: community leaders, local rappers and gang members, and cops.  I’ll just flag a few tidbits I found interesting; I encourage you to check out the whole article.

First, Austen starkly describes the difficulties facing Chicago law enforcement:

Last year more than 500 people were murdered in Chicago, a greater number than in far more populous cities such as New York and Los Angeles. The prevalence of gun crimes in Chicago is due in large part to a fragmentation of the gangs on its streets: There are now an estimated 70,000 members in the city, spread out among a mind-boggling 850 cliques, with many of these groupings formed around a couple of street corners or a specific school or park.

Second, for fans of The Wire, the HBO crime drama that ran from 2002 to 2008, Austen explains how the show’s depiction of gang-life, praised at the time for its “realistic portrayal of urban life,” is already outdated:

Harold Pollack, codirector of the University of Chicago Crime Lab, says that in every talk he gives about gangs, someone inevitably asks him about The Wire—wanting to know who is, say, the Stringer Bell of Chicago. But The Wire, based in part on David Simon’s Baltimore crime reporting in the 1980s and ’90s, is now very dated in its depiction of gangs as organized crime syndicates. For one thing, Stringer Bell would never let his underlings advertise their criminal activities, as a Central Florida crew did this spring when it posted on its public Facebook page that two of its members had violated their parole and been arrested for posing with guns on their personal Facebook pages. Even a few years ago, a member of, say, the Disciples would have been “violated”—physically punished—for talking about killings or publicly outing a fellow member. But today most “gangs” are without much hierarchical structure, and many of the cliques are only nominally tied to larger organizations.

Third, in telling a story about how police warned the family of a 12-year-old that Keef’s crew was posting threatening comments on a video the boy had posted insulting Keef, Austen touches on how “predictive policing” is far less exotic than critics often allege:

For a long time, criminal-justice experts have talked about predictive policing—the idea that you can use big data to sniff out crimes before they happen, conjuring up an ethically troublesome future like the one depicted in Steven Spielberg’s Minority Report. But in Chicago and other big cities, police are finding it’s much easier than that. Give people social media and they’ll tell you what they’re about to do.

Finally, Austen observes that insulting a rival crew is “so much easier to do online than face-to-face.” This comment, interestly, echoes the heartbreaking-but-hilarious interview Louis C.K. did this week with Conan O’Brien about why he won’t let his kids have smart phones: “They look at a kid and they go, ‘you’re fat,’ and then they see the kid’s face scrunch up and they go, ‘oh, that doesn’t feel good to make a person do that.’ But they got to start with doing the mean thing. But when they write ‘you’re fat,’ then they just go, ‘mmm, that was fun, I like that.'”

Quote: Nate Anderson on “Internet Police”

Internet Police by Nate Anderson[Y]ou really can’t differentiate between good and bad techniques on the Internet. What you get are techniques, and they can be used by anyone, for any purpose.

Nate Anderson, deputy editor for Ars Technica, in an interview yesterday with NPR’s Fresh Air promoting his new book “Internet Police: How Crime Went Online, and the Cops Followed.” Anderson went on to discuss how police are using tools developed by hackers to catch criminals.

The Hacker Ethic and Crime

CCCamp 2007 20
I’m working on a new piece about how criminal law deals with technology creators, especially when innovation leads to a certain lawlessness, as has occurred with the so-called Hacker Ethic. I’m posting some thoughts derived from Steven Levy’s book Hackers, to solicit any feedback the Internet might have to offer.

To understand the modern opposition to technologists as criminals, we must return to the dawn of the computer age, when a distinctly anti-authoritarianism view of technology emerged: the hacker ethic. In the early 60s, student programming hobbyists (later called “hackers”) at Massachusetts Institute of Technology developed a unique culture hailing the virtues of access to computer technology and freedom of information. These early hackers believed deeply in the ability to improve life through technology and resented barriers and bureaucracies that hindered their hands-on exploration and betterment of the world around them. This resentment came, in no small part, from contempt for the haughty guardians of MIT’s million-dollar mainframe IBM computers, the so-called “Hulking Giants,” from which they were prohibited with tinkering. Even computing time on less-valuable machines was precious, and the hackers were, in the early days, forced to scavenge time from “Officially Sanctioned Users.”

This mentality led to a veneration of decentralized experimentation, and a certain “willful blindness” to what hackers saw as inefficient restrictions.  In mischievous pursuit of exploration—though not malice—they probed flaws in MIT’s phone system, intentionally crashed the “Hulking Giants,” and ignored prohibitions on tampering with computer hardware. Having no concept of property rights, they often broke into university labs at night to sneak components, without ever considering it stealing. But in the same spirit, they shared their software creations without thought to passwords, royalties, or licenses, repeating their mantra that “information should be free.”

As the computer revolution spread, so did the hacker ethic. It first jumped coasts, where Californian “homebrew” computer enthusiasts, with an undercurrent of post-hippie activism, collaborated to bring computers to the people by hacking hardware and sharing software, even proprietary applications like Atari’s Pong. As the market for personal computers grew, some software creators began to complain; a young Bill Gates, in a widely circulated open letter to homebrew hackers, accused them of stealing. Although the hackers initially condemned Gates’s letter, many realized over time that selling computers and software could be immensely profitable, and a few, like Steve Wozniak with Apple Computer Company, used their hacker skills to become multi-millionaires. Eventually, the hacker ethic would be credited as inspiring the minds behind tech giants like Microsoft, Google, and Facebook.

Yet even as some hackers were becoming successful entrepreneurs, others entrenched themselves in the movement’s anticommercialism and disregard for property rights. This mentality was often expressed in noble (and perfectly legal) pursuits like Richard Stallman’s fervent evangelism about open-source software. But it also gave birth to a certain lawlessness that would land next-generation hackers in court and mar the term “hacker” with the connotation of “digital trespasser.”

Many times, this lawlessness took the form of antipathy toward copyright restrictions. A strong coalition of media companies and lawmakers, have pushed back on online filesharing, which they view as a significant threat to business. After a failed, high-profile attempt to criminally punish MIT student David LaMacchia for maintaining an online bulletin board with copyrighted software files, these forces successfully implemented strong prescriptions, embodied in the Digital Millennium Copyright Act, against the distribution of technology designed to circumvent Digital Rights Management technology. But peer-to-peer filesharing grew despite these efforts, propelled by hacker-led services, like Napster, many of which were eventually crushed by civil infringement lawsuits. These services typically tried to defend themselves on the grounds that they could not be liable for the infringing acts of their users merely by providing technology. But in Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., the Supreme Court rejected this argument concluding that “secondary” copyright infringers can be liable as long as they intended to promote infringement. This decision paved the way for criminal copyright actions against services like link-listing website NinjaVideo and cyberlocker Megaupload, both of which prosecutors alleged aided and abetted copyright infringement (see my forthcoming article on this topic).

Filesharing companies aren’t the only type of computer technology company to face criminal scrutiny. Programmer Robert Stuart was indicted in New York for violating a state law against gambling promotion by selling online-sportsbook software, even though his software is legal in other jurisdictions and he never accepted an illegal bet; his crime, if anything, is willful blindness to his customers’ activities. Other software providers have faced charges of aiding and abetting criminal activity by enabling users to generate spam emails in violation of the CAN-SPAM Act, facilitating child pornography and terrorism through distribution of digital currency, and allowing circumvention of copyright protections and paywalls for Internet service.

Hacker progenies also have pushed to its limit the notion that information should be free. In on ongoing, high-profile case, army intelligence analyst Bradley Manning was found guilty of severe criminal charges—and was charged (though found not guilty) of the capital charge of “aiding the enemy”—for leaking classified documents to the website WikiLeaks, which published them online. Another prominent, and controversial, example is hacker Aaron Schwartz, who committed suicide after his arrest and prosecution under the Computer Fraud and Abuse Act for using a computer program to download academic articles, which prosecutors alleged he intended to distribute, from the online repository JSTOR. The controversy surrounding both of these situations underscores the often fine line between hackerism and crime.

The Computer Fraud and Abuse Act, widely criticized as outdated, has caused particular trouble for hackers. Along with Aaron Schwartz was Andrew “weev” Auernheimer, found guilty under the Act for his role in discovering and informing the media about a flaw in AT&T’s security system. An appeal is ongoing, and many legal scholars believe he has a good chance of overturning his conviction.

I will continue to blog about this issue as I continue to research it. My goal, along with my coauthor, is to draw broad guidelines for courts to apply when addressing conspiracy and aiding and abetting charges brought against technology creators. Any thoughts?