Monday, October 31, 2011

“Access,” “Authorization” and Deleting Files

As I’ve noted, the basic federal computer crime statute – 18 U.S. Code § 1030 – creates a civil cause of action for those who have been “harmed” by conduct that violates the statute’s criminal provisions.

The cause of action arises under § 1030(g), which states, in part, that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”

Section 1030(a) of Title 18 outlines a number of criminal “violations,” any of which can serve as the basis for a civil suit under § 1030(g). To prove the civil case, the plaintiff must prove that the defendant(s) committed the violation(s) alleged in the plaintiff’s complaint.

The § 1030(g) cause of action was the focus of a recent opinion from the U.S. District Court for the District of Kansas: Farmers Bank & Trust, N.A. v. Witthuhn, 2011 WL 4857926 (2011). The Farmers Bank & Trust N.A. [Farmers] filed a complaint in which it asserted “several claims against its former employees, defendants Ray Witthuhn and Tonetta Stieben.” Farmers Bank & Trust v. Witthuhn, supra. In Count III of the complaint, Farmers “allege[d] various violations” of 18 U.S. Code § 1030, which could support the imposition of civil liability pursuant to 18 U.S. Code § 1030(g). Farmers Bank & Trust v. Witthuhn, supra.

The defendants moved for summary judgment as to the § 1030(g) claims, and Farmers argued that summary judgment wasn’t appropriate. Farmers Bank & Trust v. Witthuhn, supra. As Wikipedia notes, summary judgment is a process by which a court can dispose of civil claims without having a trial. As Wikipedia also notes, summary judgment can only be granted if the judge finds there are (i) “no issues of ‘material’ fact requiring a trial for their resolution” and (ii) “in applying the law to the undisputed facts, one party is clearly entitled to judgment”.

The judge began her ruling on the defendants’ motion for summary judgment by explaining that certain facts at issue in the case are “uncontroverted”:

Witthuhn and Stieben were bank officers for Farmers -- Witthuhn was the Vice President and Stieben was Assistant Vice President. They were entrusted with Farmers' confidential information and trade secrets. Farmers' internal computer systems are password protected with restricted access.


Access to Farmers' customers' personal and financial information is limited to those with a business reason for knowing such information. [Witthuhn and Stieben] were not authorized to access this information for non-bank purposes, nor were they permitted to copy or delete this information for competitive purposes.


On December 27, 2010, [Witthuhn and Stieben] announced their intention to resign their employment, but between December 27 and January 3, 2011, they still had passwords and could access Farmers' computer systems. [They] deleted substantial amounts of data from Farmers' computers, including customers' personal and financial information and Farmers' confidential business information.


[Witthuhn and Stieben] were not permitted to delete Farmers' customers' personal and financial information or Farmers' confidential business information without the supervision of Farmers Bank IT personnel. [They] did not have permission to delete any of Farmers' files or emails containing Farmers' customers' personal and financial information or Farmers' business information.


By at least January 4, 2011, Farmers believed [Witthuhn and Stieben] were involved in downloading a substantial amount of material or data from Farmers' computer system. Despite Farmers' belief, it allowed [them] to return to work and continue working on January 5, 6, and 7. Dikeman, Farmers' President, testified that `[w]e had gone into a high-security mode and were watching everything they were doing.’ On January 7, 2011, Farmers' representatives took [their] keys, cut off their access to the computer networks and changed the locks at the branch office.

Farmers Bank & Trust v. Witthuhn, supra.

The court then addressed the defendants’ challenge to Farmers’ claims that arose under 18 U.S. Code §§ 1030(a)(4) (crime to “knowingly and with intent to defraud” access a computer “without authorization” or by exceeding authorized access) and/or 1030(a)(2)(C) (crime to intentionally access a computer without authorization or by exceeding authorized access and thereby obtain information). Farmers argued that Witthuhn and Stieben were liable under either or both subsection(s) “because they either accessed information without authorization, or exceeded their authorized access by deleting information between the time when they announced their resignations and January 7, 2011.” Farmers Bank & Trust v. Witthuhn, supra.

In ruling on this challenge, the judge noted that there is a split of authority among courts

about the meaning of `authorization’ under [§ 1030]. On the one hand, there is a line of cases construing the term to depend on whether the employee violated a duty of loyalty or acted with an interest adverse to the employer – the Citrin cases. On the other hand, several courts determine authorization based on the `employer's decision to allow or terminate an employee's authorization’ – the Brekka cases. . . . This Court is persuaded by the reasoning in Brekka . . . and applies this approach in determining whether there is a genuine issue of material fact that defendants violated [§ 1030] when they accessed and deleted files from Farmers' computer system between the time they announced their resignations and the time their computer access was terminated.

Farmers Bank & Trust v. Witthuhn, supra.

The judge applied this standard to find that the defendants were entitled to summary judgment on the plaintiff’s claim(s) that they accessed the Farmers’ computer system “without authorization:”

The uncontroverted facts establish that defendants were permitted to access Farmers' confidential and proprietary information prior to January 7, 2011. They had passwords to Farmers' computer system and access to restricted information. Plaintiff argues that company policy only allowed [them] to access this information for business reasons, but this argument would require the Court to follow the Citrin line of cases and determine whether defendants were acting in the interest of Farmers -- a standard that this Court has already declined to follow.


Instead, the Court looks to whether Farmers permitted [Witthuhn and Stieben] to access this information. Because it is uncontroverted that [they] were permitted to access the information at issue, no reasonable jury could determine that liability under [§1030] could lie based on [their] unauthorized access to the information in Farmers' computer system.

Farmers Bank & Trust v. Witthuhn, supra.

The judge then addressed Farmers’ claim that Witthuhn and Stieben are liable under § 1030 “because they exceeded their authorized access by deleting information in Farmers’ computer system.” Farmers Bank & Trust v. Witthuhn, supra. Witthuhn and Stieben argued that the uncontroverted facts at issue establish that they accessed

information they were permitted to access in the first place. [Farmers] responds that notwithstanding the initial access, [Witthuhn and Stieben] exceeded their authorization by deleting substantial amounts of data from Farmers' computer system. [They] reply that Farmers allowed employees to delete information in some instances and that the Bank's policy does not require that they obtain prior approval before deleting documents.

Farmers Bank & Trust v. Witthuhn, supra.

The judge noted that 18 U.S. Code § 1030(e)(6) defines “exceeds authorized access” as to “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” She explained that as “this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered . . . someone who has `exceed[ed] authorized access.’” Farmers Bank & Trust v. Witthuhn, supra. Or, as another judge put it, “exceeding authorized access occurs `when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled.’” Farmers Bank & Trust v. Witthuhn, supra (quoting U.S. Bioservices Corp. v. Lugo, 595 F.Supp.2d 1189 (U.S. District Court for the District of Kansas 2009)).

Farmers argued that Witthuhn and Stieben were liable under § 1030(g) “because they exceeded their authorized access by deleting information in Farmers' computer system.” Farmers Bank & Trust v. Witthuhn, supra. Witthuhn and Stieben argued, in response, that “Farmers allowed employees to delete information in some instances and that the Bank's policy does not require that they obtain prior approval before deleting documents.” Farmers Bank & Trust v. Witthuhn, supra. The judge found that there

is no question that [Witthuhn and Stieben] were authorized to access Farmers' confidential and proprietary information in the first place, but the Court finds there is a genuine issue of material fact about whether [they] used their access to `obtain or alter information in the computer’ that they were not `entitled so to obtain or alter.’ It is uncontroverted that [Witthuhn and Stieben] deleted substantial amounts of data from Farmers' computers, including customers' personal and financial information and Farmers' confidential business information.


And regardless of whether Farmers had a policy that required [them] to obtain prior approval to delete that information, it is uncontroverted that [Witthuhn and Stieben] did not have permission to delete any of Farmers' files or emails containing Farmers' customers' personal and financial information or Farmers' business information. Moreover, Farmers had an Information Security and Unauthorized Access Policy that required retention of information for certain purposes and provides that `records shall generally be destroyed, or sterilized, under Bank IT personnel supervision.’


Given all of these facts, a reasonable jury could conclude that [Witthuhn and Stieben] exceeded their authorization by deleting information in Farmers' computer system that they were not authorized to delete.

Farmers Bank & Trust v. Witthuhn, supra.

Finally, the judge addressed the defendants’ challenge to Farmers’ claim under 18 U.S. Code § 1030(a)(5)(A), which makes it a crime to “knowingly” cause “the transmission of a program, information, code, or command” and thereby “intentionally cause[] damage without authorization” to a computer. Farmers Bank & Trust v. Witthuhn, supra. Section 1030(e)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system or information.” She found that “[b]ecause it is uncontroverted that [Witthuhn and Stieben] were not permitted to delete files and emails from Farmers' computer system, a reasonable jury could conclude that they violated this subsection.” Farmers Bank & Trust v. Witthuhn, supra.

The judge therefore held that “[b]ecause three of [Farmers’] four alleged [§1030] violations hinge on whether defendants exceeded their authorized access, or caused damage from the unauthorized deletion of information, these claims must be decided by a jury.” Farmers Bank & Trust v. Witthuhn, supra. In other words, she denied the defendants’ motion for summary judgment on these three claims, but granted them summary judgment on the fourth claim – the one that factually “rest[ed] solely on damage sustained from intentional unauthorized access.” Farmers Bank & Trust v. Witthuhn, supra. Since the judge found, as noted above, that at all relevant times Witthuhn and Stieben were authorized to access the system, she held that this claim was not appropriate for trial. Farmers Bank & Trust v. Witthuhn, supra.

Friday, October 28, 2011

Cyberthreats and the Limits of Bureaucratic Control

This is another fyi-type post (or maybe a self-promotion type post) about a new article of mine.

This one is entitled Cyberthreats and the Limits of Bureaucratic Control and it will be published this spring by the University of Pittsburgh's Journal of Law, Technology & Policy. It's a very long article, the subject-matter of which is described in the abstract I'm inserting below.

If the article sounds interesting, you can access the final draft on SSRN.

This article argues that the approach the United States, like other countries, uses to control threats in real-space is ill-suited for controlling cyberthreats, i.e., cybercrime, cyberterrorism and cyberwar. It explains that because this approach evolved to deal with threat activity in a physical environment, it is predicated on a bureaucratically organized response structure. It explains why this is not an effective way of approaching cyber-threat control and examines the two federal initiatives that are intended to improve U.S. cybersecurity: legislative proposals put forward by four U.S. Senators and by the White House; and the military’s development of six distinct Cyber Commands.

The article explains why each of these efforts is flawed and why U.S. authorities persist in pursuing antiquated strategies that cannot provide an effective cyberthreats defense system. It argues that the continuing reliance on bureaucratically structured response systems is the product of the fallacy of inevitability, i.e., the recursive reliance on established institutional models. And it outlines an alternative approach to the task of protecting the country from cyberthreats, an approach that is predicated on older, more fluid threat control strategies.

4th Amendment Future: Remote Searches and Virtual Force

I've just posted the final draft of a new article of mine on SSRN. . . which might, or might not, be of interest to you. It's a paper I presented last spring at a symposium on "4th Amendment Futures."

I'm posting an abstract of the article below. If the abstract sounds interesting, you can access the full text of the article (which will be published by the University of Mississippi Law Journal later this year) on SSRN.

Here's an abstract of what it covers:
This article examines the 4th Amendment implications of two tactics that may become part of law enforcement’s efforts to investigate and otherwise control criminal activity. The first is the use of certain types of software, most notably Trojan horse programs, to conduct surreptitious, remote searches of computers and computer media. The other tactic is the use of “virtual force,” e.g., using Distributed Denial of Service and other attacks to shut down or otherwise disable websites that host offending content and/or activities.

Alpacas, Surveillance Cameras and Kyllo

As I’ve explained in earlier posts, under the U.S. Supreme Court’s decision in Katz v. U.S., 389 U.S. 347 (1967), a “search” violates a reasonable expectation of privacy in a place or thing. Under Katz, you have a 4th Amendment reasonable expectation of privacy in a place/thing if (i) you subjectively believe it’s private and (ii) society accepts your belief as objectively reasonable.

And as I explained in a post I did several years ago, in Kyllo v. U.S., 533 U.S. 27 (2001), the Supreme Court considered when law enforcement’s use of special technology will, and will not, constitute a “search” under the Katz standard. The Kyllo Court held that it is a 4th Amendment “search” (i) to use technology that is not in general public use (ii) to detect information from inside a home. (If you’re interested in my critique of that holding, you can find it in my earlier post.)

And that brings us to the federal government’s investigation of Karen A. Anderson-Bagshaw for various crimes, including mail fraud and false statements. As an opinion by a federal district court judge notes, the government has charged Anderson-Bagshaw, a

former employee of the U.S. Postal Service, with fraudulently procuring disability benefits. The government bases its charges in part on allegations that [she] worked at several small business ventures, including a physically active role in the operation of an alpaca farm in her backyard, while claiming that debilitating back pain made her unable to work.

U.S. v. Anderson-Bagshaw, 3901880 (U.S. District Court for the Northern District of Ohio 2011) (“U.S. v. Anderson-Bagshaw #1”).

This post isn’t concerned with the charge, but with Anderson-Bagshaw’s effort to suppress certain video recordings. As the opinion cited above explains, in investigating

whether [she] improperly received disability benefits, the U.S. Postal Service Office of Inspector General (`OIG’) sought to observe the rear of [her] property where an alpaca farm is located. An OIG worker's compensation analyst conducted early drive-by observations, but the backyard was obscured from view by [her] house and by dense foliage in the adjacent lot. However, . . . the forested lot next to [her] property was logged and a line of sight opened. . . .


OIG sought and received permission from the Illuminating Company, a local electric services provider, to install a camera on a utility pole outside [Anderson-Bagshaw’s] property but next to [it]. An OIG technical officer furnished the utility company with a box containing a video camera that could not capture audio footage but could pan, rotate, and zoom. On June 16, representatives from the Illuminating Company hung the box on the utility pole approximately 35 feet above the ground. The Government neither sought nor obtained a search warrant before placing the camera.

OIG arranged to stream the video footage through a device installed on June 17, 2009 by employees of WindStream, an internet service provider. With the camera and internet access, the OIG agents could access the camera on a secure server.

Between June 17 and July 10, 2009, the camera recorded footage of the property without interruption. The yard behind [her] house was generally open to be viewed by adjoining property owners and the camera did not view any areas that were not visible from the neighboring lots.


Though the camera enabled OIG agents to view areas behind the house that were not visible from the street, nothing on [her] property obscured the view from neighboring lots. [It] had a wire mesh `pasture fence’ meant to keep the alpacas from straying, but the mesh was functionally transparent and did not obscure the view from ground level. OIG Special Agent Morgano daily checked the video camera feed. She regularly spent three to five hours per day observing the footage and directing the camera's zoom and orientation.

U.S. v. Anderson-Bagshaw #1.

After being charged, Anderson-Bagshaw moved to suppress “video footage recorded by the utility pole camera, claiming the Government's surveillance of her backyard” was an unconstitutional “search” because it was not authorized by a warrant. U.S. v. Anderson-Bagshaw #1. The federal district court judge who has this case rather quickly dismissed Anderson-Bagshaw’s claim that the surveillance violated the 4th Amendment:

[She] did not manifest any subjective expectation of privacy. Where defendants have taken steps to create a private zone within the curtilage of a residence, courts are willing to deem utility-pole surveillance a search within the 4th Amendment. U.S. v. Cuevas-Sanchez, 821 F.2d 248 (5th Circuit 1987) (defendants manifested a subjective expectation of privacy by erecting a ten-foot-high metal fence). Here, however, the backyard of the residence was entirely open to observation from adjacent properties, and the wire-mesh alpaca fence neither hampered these views nor manifested any subjective expectation of privacy.

Moreover, any subjective expectation of privacy [she] may have had in her open backyard would have been unreasonable. The Supreme Court rejected an invitation to create `a rule of constitutional dimensions’ that backyard conduct `will not be observed by a passing aircraft or a power company repair mechanic on a pole overlooking the yard.’ California v. Ciraolo, 476 U.S. 207 (1986). Those are precisely the circumstances presented here, where the view afforded by the . . . surveillance camera is identical to the view available to the power company's employee responsible for installing it.


Furthermore, the contested area of [her] backyard was clearly visible from either adjoining lot. Law enforcement officials `may see what may be seen’ from vantage points where they have a right to be. Florida v. Riley, 488 U.S. 445 (1989). . . . Silent video surveillance captured under these circumstances is inoffensive to surveillees' Fourth Amendment rights. . . .


[T]he 6th Circuit [Court of Appeals] has long said that exposed backyard areas do not give rise to reasonable expectations of privacy that would trigger Fourth Amendment protections. U.S. v. Bratton, 434 F.2d 51 (6th Cir. 1970) (county sheriff did not violate a moonshiner's 4th Amendment rights in observing a distillery apparatus from over a fence).

U.S. v. Anderson-Bagshaw #1.

The judge then addressed the possibility that Kyllo applied here:

Technology . . . has progressed since the moonshiner's conviction in Bratton, and will continue to present challenges to defendants' 4th Amendment rights as law enforcement officials deploy increasingly powerful surveillance technologies.


`[T]echnological enhancement of ordinary perception from a vantage point’ may present 4th Amendment concerns in cases where sense-enhancing technologies not in general use permit observations `that could not otherwise have been obtained without physical intrusion into a constitutionally protected area.’ Kyllo v. U.S., 533 U.S. 27 (2001).


This case, however, which involves a camera placed on a utility company's property by the company's agents and with permission of the utility, affording observations of an open backyard identical to those available to a curious utility worker with a cheap pair of binoculars, or the disinterested glance of neighbors in either adjoining lot, is not one of them.

U.S. v. Anderson-Bagshaw #1.

After receiving the judge’s ruling, Anderson-Bagshaw filed a motion asking the judge to reconsider his order “denying her motion to suppress video surveillance footage.” U.S. v. Anderson-Bagshaw, 2011 WL 4944118 (U.S. District Court for the Northern District of Ohio 2011) (“U.S. v. Anderson-Bagshaw #2”). According to Anderson-Bagshaw, the

footage recorded by the government's pole camera mounted across a neighboring lot must be suppressed because her husband, James Bagshaw, intermittently takes his morning coffee in the nude, and her son was recorded relieving himself near a backyard tree.


She says that this supports her argument she did not `knowingly expose’ herself to the public because the behavior of her cohabitants manifests a subjective expectation of privacy, and that the duration of the video surveillance renders that subjective expectation objectively reasonable.

U.S. v. Anderson-Bagshaw #2.

The judge found that “[b]oth arguments fail.” U.S. v. Anderson-Bagshaw #2. He noted that Anderson-Bagshaw hadn’t established a subjective expectation of privacy because the “backyard was plainly visible from the adjoining lots” and nothing – including the “wire-mesh fence aimed at containing errant alpacas” – had been done to shield it from public view. U.S. v. Anderson-Bagshaw #2. He also pointed out that “nothing new” showed that Anderson-Bagshaw manifested a subjective expectation of privacy:

The episodes may indicate a subjective expectation of privacy on the parts of James Bagshaw and Donald Anderson, or may just as well indicate a blithe indifference to public exposure. But there is no indication [she] shares either sentiment -- though the absence of any similarly revealing conduct on the part of [Anderson-Bagshaw] suggests she may have been more attentive to the unobstructed view available from the adjoining parcels.


Indeed, [her] counsel has represented that [she] observed the installation of the video camera, knew of its existence, and in fact was billed by the third-party internet company that streamed the surveillance data.

U.S. v. Anderson-Bagshaw #2.

The judge also noted that Anderson-Bagshaw’s renewed motion to suppress

still founders on the objectively reasonable prong of the privacy inquiry. Any subjective expectation, whether held by [Anderson-Bagshaw], her husband, son, or the alpacas, does not transform the transparent fences described at the evidentiary hearing into the type of enclosure that gives rise to a reasonable expectation of privacy.

U.S. v. Anderson-Bagshaw #2.

Finally, the judge held that the duration of the surveillance did not transform it into a 4th Amendment search. U.S. v. Anderson-Bagshaw #2. He noted that the Supreme Court has yet to decide whether 24-hour surveillance can constitute a 4th Amendment search, but explained that the camera at issue in this case “hardly creates the type of detailed portrait of a single subject's movements that might establish a privacy-implicating mosaic of information. . . . Nor does the remote offsite installation threaten the type of invasiveness at issue in the context of covertly installed indoor cameras.” U.S. v. Anderson-Bagshaw #2.