LawMeme LawMeme Yale Law School  
LawMeme
Search LawMeme [ Advanced Search ]
 
 
 
 
Life Sentences for Child Porn Busters?
Posted by Steven Wu on Thursday, November 14 @ 14:40:10 EST Computer Crime
I was going to post these stories separately, since for the most part they deal with different issues, but the overlap is interesting enough to post them together.

On News.com, we hear that the House has inserted the Cyber Security Enhancement Act (CSEA) into the Homeland Security bill, which was approved 299-121 yesterday evening. The CSEA is obviously inspired by fears that terrorists will launch cyberattacks on America, disabling our "economy and critical infrastructure." (See an accompanying committee report.) And to enforce its aims, the CSEA imposes up to life sentences for convicted hackers. (Read the News.com article here.)

It's hard to read the CSEA without envisioning evil hackers intent on bringing down the Land of the Free. But it's worthwhile to remember that hackers (even foreign ones) can also do good. Case in point: As reported by Orin Kerr on the Cybercrime listserv, a computer hacker in Istanbul, Turkey, went onto a child porn newsgroup and uploaded a file containing the subseven trojan horse virus. The virus allowed the hacker to search the computers of newsgroup members who downloaded his file. Whenever the hacker found child pornography, he would fire off an email to law enforcement agencies--and, acting on his tips, the police found and arrested several people who were (basically) torturing and raping children, and taking pictures of it.

Unfortunately, a district court in Virginia ruled earlier this month that evidence found as a result of the hacker's tips will be excluded from trial since the hacker was acting as a government agent, and thus his searches violated the Fourth Amendment. Read Orin Kerr's email here for more on this front.

Also, see "Read more..." for my summary of the Virginia case, United States v. Jarrett.

The case about the foreign hacker is UNITED STATES OF AMERICA v. WILLIAM ADDERSON JARRETT, 2002 U.S. Dist. LEXIS 21757, 2002 WL 31496302 (E.D.Va. Nov. 1, 2002). It doesn’t seem to be available on the web yet, so here’s a longish summary, with some brief thoughts at the bottom.

The Facts

The Steiger Case

July 16, 2000: Captain Kevin Murphy of the Montgomery, Alabama, police department received an unsolicited email from "Unknownuser." The email subject was, "This is urgent," and contained the following text, with an accompanying picture:

I found a child molester on the net. I'm not sure if he is abusing his own child or a child he kidnapped. He is from Montgomery, Alabama. As you see he is torturing the kid. She is 5-6 y.o. His face is seen clearly on some of the pictures. I know his name, internet account, home address and I can see when he is online. What should I do? Can I send all the pics and info I have to these emails? Regards P.S. He is a doctor or paramedic.

Shortly thereafter, Murphy contacted the FBI.

July 17: Murphy responded by email, asking Unknownuser to call Murphy at his office. But Unknownuser demurred, saying he was from Istanbul, Turkey, didn't speak good English, and couldn't afford the overseas call. Murphy replied by asking Unknownuser to keep sending as much information as he could.

July 17-20: Unknownuser sent Murphy information about "the suspect's internet account information, the phone numbers used to access the internet, and the suspect's name [Bradley J. Steiger], address, and facsimile number." Upon a request from Murphy, Unknownuser also sent the suspect's IP address. Unknownuser then sent information about Steiger's financial information, including his checking account.

At some point during this time, the FBI informed Murphy that Unknownuser had accessed Steiger's computer by hacking into the computer through the Internet. Murphy knew that hacking was illegal under federal and Alabama law, but he did not inform Unknownuser about this, nor did he ask Unknownuser to stop.

August 7: With the help of Unknownuser's evidence, and law enforcement's own investigations, the FBI obtained a search warrant for Steiger's residence and seized his computer. But the computer was password-encrypted, so, at the request of the FBI, Murphy emailed Unknownuser to see if Unknownuser could help with obtaining the password.

August 9-11: Unknownuser said he was on vacation, but he was willing to tell Murphy whatever Murphy needed as soon as vacation ended. However, Murphy did not respond, and the FBI broke into the computer on their own.

The Interim

August 11, 2000 - December 3, 2001: Murphy did not correspond with Unknownuser again. But Bradley Steiger was convicted in July 2001 on child exploitation and child pornography charges and sentenced to 17.5 years in prison. (See here, search for "Steiger.")

During this time the FBI also tried hard to get into personal contact with Unknownuser. They were finally able to reach him over the phone. Evidence shows that during this series of contacts, the FBI thanked Unknownuser for his help, and encouraged Unknownuser to do more of the same searches to help catch other child pornographers. The FBI assured Unknownuser that he would not be prosecuted--in fact, law enforcement officials were grateful for his help. Unknownuser also revealed a great deal about his methods, including his use of the subseven trojan horse virus. Through it all, however, Unknownuser steadfastly refused to provide his identity, or to meet in person. The FBI responded to this refusal by thanking him again, telling him to check his email periodically in case the FBI sent more requests, asking him to forward any more images from Steiger's computer, and reminding Unknownuser that the FBI would be "available" if Unknownuser wanted to bring "other information" forward.

The Jarrett Case

December 3, 2001: Unknownuser emailed Murphy again, saying he had information on another child molester, William Jarrett (defendant in this case). Unknownuser asked Murphy to contact the FBI, which Murphy did. The same FBI agents from the Steiger then became involved in the Jarrett case. Murphy emailed Unknownuser and asked him to "send whatever information you have regarding this criminal complaint," knowing full well that Unknownuser was probably using the same methods here as he used earlier.

December 4: Unknownuser sent a slew of emails and files to Murphy containing all the evidence he had gathered from Jarrett's computer, along with personal information about Jarrett.

December 13: A criminal complaint and search warrant were filed against Jarrett, citing Unknownuser’s information. A search was conducted, and Jarrett was arrested.

December 19: Several emails between the FBI and Unknownuser closed with an invitation to Unknownuser to contact the FBI with "any additional information about violations of our laws."

The Court’s Conclusions

Despite the length of the facts, the court’s reasoning is relatively brief.

  1. "The Fourth Amendment is directed exclusively at state action and evidence secured by private searches, even if illegal, need not be excluded from a criminal trial." (quoting from United States v. Kinney, 953 F.2d 863, 865 (4th Cir. 1992))
  2. However, if the government is prevented from a certain action, the government cannot use private individuals as "agents" to commit that action. Whether a private individual is an agent under this rule is determined by "the totality of the circumstances." The defendant bears the burden of proving that a private individual is effectively the agent of the government.
  3. The test: "An agency relationship exists where both parties, the private individual and the government, have ‘manifested their consent to that relationship, either expressly or by necessary implication from their conduct.’" Whether consent has been manifested depends upon (a) "whether the government knew of and acquiesced in the intrusive conduct;" (b) "whether the private party's purpose for conducting the search was to assist law enforcement efforts or to further her own ends."
  4. The court concludes from the evidence that the government knew of and acquiesced in Unknownuser’s behavior, and Unknownuser was acting to assist law enforcement efforts, not for his own ends. (This is a heavily factual decision, and the court spends a lot more than just one sentence making this conclusion. The conclusion occurs in this paragraph: "The caselaw holds that many particular factors, such as government knowledge, government presence during a search, and the government's failure to prevent a search, when standing alone, each fail to establish the requisite agency relationship. Here, however, there are many individual factors in combination which, when viewed in their totality, show that both parties, the government and Unknownuser, expressed their consent to an agency relationship.")
  5. The court distinguishes Unknownuser’s searches on Steiger (which were on his own initiative) from his searches on Jarrett (which occurred only after their first exchanges over Steiger).
  6. Therefore, Unknownuser was acting as an agent of the government.
  7. (The court’s unstated premise: Hacking into a person’s computer over the Internet to gather evidence violates the Fourth Amendment.)
  8. Hence, the evidence from Jarrett’s computer by Unknownuser was the result of an illegal search, and hence inadmissible. All this evidence will be suppressed.

Thoughts

These thoughts are sketchy, quickly formed, and not too significant. Hopefully others will contribute better ideas. But here we go:

  1. Although this is never stated explicitly, it’s a clear premise of the court’s argument that your computer cannot be hacked into and searched free of the constraints of the Fourth Amendment. I’m not sure if this has been decided before, but it’s pretty good to hear.
  2. Would this case have turned out differently if the FBI had told Unknownuser the first time to stop hacking, but Unknownuser nevertheless sent out the Jarrett information on his own? It seems like it would: if the FBI didn’t encourage Unknownuser, then Unknownuser wouldn’t be acting as a government agent. But this would seem to lead to dilemmas within law enforcement: How do you (explicitly) tell somebody to stop illegal activities, while (implicitly) encouraging him to continue in order to gather more evidence? (Perhaps the FBI should just have thanked him profusely, then said, at the end of each email, "But please stop hacking.")
  3. Probably because of the nature of the case (child pornographers are not, as a rule, particularly sympathetic), even the most ardent of liberals might feel squeamish about applying the exclusionary rule here, leaving out crucial evidence with the possible consequence that a child pornographer will go free. Those troubled by the exclusionary rule might want to look into the writings of Yale Law professor Akhil Amar, who has extensively criticized the exclusionary rule for leaving out good evidence. (Amar’s column on Findlaw can be found here. More specific articles on the exclusionary rule: an article on the Fourth Amendment entitled, Searching for Guidance, a summary of Amar’s Harvard Law Review article, Fourth Amendment First Principles, and, of course, Amar’s book, The Constitution and Criminal Procedure.)
 
Related Links
· More about Computer Crime
· News by Steven Wu


Most read story about Computer Crime:
Generalized Spam and Blogs

Options

 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend

Threshold
  
The comments are owned by the poster. We aren't responsible for their content.

Considering how easy it is to fake electronic evidence (Score: 1)
by MurphysLaw on Thursday, November 14 @ 16:58:09 EST
(User Info | Send a Message)
Then it's easy to conclude that Law Enforcement officials need to build their own case and not rely on outside agents hacking into computers. I don't imagine that there's anything in this decision which would prevent the FBI from obtaining a search warrant based on information gathered by a third party. From there, the FBI can build their own case.

The decision sounds correct to me.


[ Reply to This ]


Re: Life Sentences for Child Porn Busters? (Score: 0)
by Anonymous on Thursday, November 14 @ 17:32:07 EST
We shouldn't even consider encouraging vigilante cracking. You break into someone's computer, you're committing a crime - even if you do it for the purpose of finding illegal material to turn over to the police. Two wrongs don't make a right.


[ Reply to This ]


Re: Life Sentences for Child Porn Busters? (Score: 1)
by TomWiles on Thursday, November 14 @ 19:53:03 EST
(User Info | Send a Message)
There is another serious consideration here. The SubSeven trojan is similar to VNC, it allows the intruder to remotely manipulate the computer as well as gather information from the computer.

If unknown user used this capability to take over the computer, log onto the internet, and download the pornography, you would have the perfect frame.

Think about it.

The BugBear worm has similar capability and it infected millions of machines in the first seven days.

I am very concerned about allowing information taken from a compromized machine being used as evidence in a courtroom trial.

If fifty people have access to the compromized machine (48 of which you can not even find), how do you prove who did what. What about innocent until proven guilty.


[ Reply to This ]


Re: Life Sentences for Child Porn Busters? (Score: 0)
by Anonymous on Thursday, November 14 @ 20:08:35 EST
I don't see how you can consider violating someone's privacy and security in order to squelch free speech even remotely "good".


[ Reply to This ]


Leges humanae nascuntur, vivunt, moriuntur
Human laws are born, live, and die

Contributors retain copyright interests in all stories, comments and submissions.
Everything else copyright (c) 2002 by the Information Society Project.

This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later.
The latest version is currently available at http://www.opencontent.org/openpub/.

You can syndicate our news with backend.php

Page Generation: 0.258 Seconds