Entries Tagged "courts"

Page 18 of 29

Australia Man Receives Reduced Sentence Due to Encryption

From the Courier-Mail:

A man who established a sophisticated network of peepholes and cameras to spy on his flatmates has escaped a jail sentence after police were unable to crack an encryption code on his home computer.

[…]

They found a series of holes drilled in to walls and ceilings throughout the Surfers Paradise apartment with wires leading back to Wyllie’s bedroom.

Police seized his personal computer, but files were encrypted and a video camera was not plugged in.

[…]

In passing sentence, Judge Devereaux took in to account the 33 days Wyllie had spent in custody after being arrested and ordered that two years’ probation was sufficient punishment, given that there was no hard evidence proving he had secretly recorded his flatmates.

Posted on October 21, 2009 at 7:19 AMView Comments

The Problem of Vague Laws

The average American commits three felonies a day: the title of a new book by Harvey Silverglate. More specifically, the problem is the intersection of vague laws and fast-moving technology:

Technology moves so quickly we can barely keep up, and our legal system moves so slowly it can’t keep up with itself. By design, the law is built up over time by court decisions, statutes and regulations. Sometimes even criminal laws are left vague, to be defined case by case. Technology exacerbates the problem of laws so open and vague that they are hard to abide by, to the point that we have all become potential criminals.

Boston civil-liberties lawyer Harvey Silverglate calls his new book “Three Felonies a Day,” referring to the number of crimes he estimates the average American now unwittingly commits because of vague laws. New technology adds its own complexity, making innocent activity potentially criminal.

[…]

In 2001, a man named Bradford Councilman was charged in Massachusetts with violating the wiretap laws. He worked at a company that offered an online book-listing service and also acted as an Internet service provider to book dealers. As an ISP, the company routinely intercepted and copied emails as part of the process of shuttling them through the Web to recipients.

The federal wiretap laws, Mr. Silverglate writes, were “written before the dawn of the Internet, often amended, not always clear, and frequently lagging behind the whipcrack speed of technological change.” Prosecutors chose to interpret the ISP role of momentarily copying messages as they made their way through the system as akin to impermissibly listening in on communications. The case went through several rounds of litigation, with no judge making the obvious point that this is how ISPs operate. After six years, a jury found Mr. Councilman not guilty.

Other misunderstandings of the Web criminalize the exercise of First Amendment rights. A Saudi student in Idaho was charged in 2003 with offering “material support” to terrorists. He had operated Web sites for a Muslim charity that focused on normal religious training, but was prosecuted on the theory that if a user followed enough links off his site, he would find violent, anti-American comments on other sites. The Internet is a series of links, so if there’s liability for anything in an online chain, it would be hard to avoid prosecution.

EDITED TO ADD (10/12): Audio interview with Harvey Silvergate.

Posted on September 29, 2009 at 1:08 PMView Comments

Sears Spies on its Customers

It’s not just hackers who steal financial and medical information:

Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an “online community” for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.

To join the “My SHC Community,” users downloaded software that ended up grabbing some members’ prescription information, emails, bank account data and purchases on other sites.

Reminds me of the 2005 Sony rootkit, which—oddly enough—is in the news again too:

After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.

Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.

The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.

The court ordered the retailer of the CD to pay damages of 1,200 euros.

Posted on September 24, 2009 at 6:37 AMView Comments

NSA Intercepts Used to Convict Liquid Bombers

Three of the UK liquid bombers were convicted Monday. NSA-intercepted e-mail was introduced as evidence in the trial:

The e-mails, several of which have been reprinted by the BBC and other publications, contained coded messages, according to prosecutors. They were intercepted by the NSA in 2006 but were not included in evidence introduced in a first trial against the three last year.

That trial resulted in the men being convicted of conspiracy to commit murder; but a jury was not convinced that they had planned to use soft drink bottles filled with liquid explosives to blow up seven trans-Atlantic planes—the charge for which they were convicted this week in a second trial.

According to Channel 4, the NSA had previously shown the e-mails to their British counterparts, but refused to let prosecutors use the evidence in the first trial, because the agency didn’t want to tip off an alleged accomplice in Pakistan named Rashid Rauf that his e-mail was being monitored. U.S. intelligence agents said Rauf was al Qaeda’s director of European operations at the time and that the bomb plot was being directed by Rauf and others in Pakistan.

The NSA later changed its mind and allowed the evidence to be introduced in the second trial, which was crucial to getting the jury conviction. Channel 4 suggests the NSA’s change of mind occurred after Rauf, a Briton born of Pakistani parents, was reportedly killed last year by a U.S. drone missile that struck a house where he was staying in northern Pakistan.

Although British prosecutors were eager to use the e-mails in their second trial against the three plotters, British courts prohibit the use of evidence obtained through interception. So last January, a U.S. court issued warrants directly to Yahoo to hand over the same correspondence.

It’s unclear if the NSA intercepted the messages as they passed through internet nodes based in the U.S. or intercepted them overseas.

EDITED TO ADD (9/9): Just to be sure, this has nothing to do with any illegal warrantless wiretapping the NSA has done over the years; the wiretap used to intercept these e-mails was obtained with a FISA warrant.

Posted on September 9, 2009 at 10:10 AMView Comments

Subpoenas as a Security Threat

Blog post from Ed Felten:

Usually when the threat model mentions subpoenas, the bigger threats in reality come from malicious intruders or insiders. The biggest risk in storing my documents on CloudCorp’s servers is probably that somebody working at CloudCorp, or a contractor hired by them, will mess up or misbehave.

So why talk about subpoenas rather than intruders or insiders? Perhaps this kind of talk is more diplomatic than the alternative. If I’m talking about the risks of Gmail, I might prefer not to point out that my friends at Google could hire someone who is less than diligent, or less than honest. If I talk about subpoenas as the threat, nobody in the room is offended, and the security measures I recommend might still be useful against intruders and insiders. It’s more polite to talk about data losses that are compelled by a mysterious, powerful Other—in this case an Anonymous Lawyer.

Politeness aside, overemphasizing subpoena threats can be harmful in at least two ways. First, we can easily forget that enforcement of subpoenas is often, though not always, in society’s interest. Our legal system works better when fact-finders have access to a broader range of truthful evidence. That’s why we have subpoenas in the first place. Not all subpoenas are good—and in some places with corrupt or evil legal systems, subpoenas deserve no legitimacy at all—but we mustn’t lose sight of society’s desire to balance the very real cost imposed on the subpoena’s target and affected third parties, against the usefulness of the resulting evidence in administering justice.

The second harm is to security. To the extent that we focus on the subpoena threat, rather than the larger threats of intruders and insiders, we risk finding “solutions” that fail to solve our biggest problems. We might get lucky and end up with a solution that happens to address the bigger threats too. We might even design a solution for the bigger threats, and simply use subpoenas as a rhetorical device in explaining our solution—though it seems risky to mislead our audience about our motivations. If our solution flows from our threat model, as it should, then we need to be very careful to get our threat model right.

Posted on September 4, 2009 at 6:18 AMView Comments

Court Limits on TSA Searches

This is good news:

A federal judge in June threw out seizure of three fake passports from a traveler, saying that TSA screeners violated his Fourth Amendment rights against unreasonable search and seizure. Congress authorizes TSA to search travelers for weapons and explosives; beyond that, the agency is overstepping its bounds, U.S. District Court Judge Algenon L. Marbley said.

“The extent of the search went beyond the permissible purpose of detecting weapons and explosives and was instead motivated by a desire to uncover contraband evidencing ordinary criminal wrongdoing,” Judge Marbley wrote.

In the second case, Steven Bierfeldt, treasurer for the Campaign for Liberty, a political organization launched from Ron Paul’s presidential run, was detained at the St. Louis airport because he was carrying $4,700 in a lock box from the sale of tickets, T-shirts, bumper stickers and campaign paraphernalia. TSA screeners quizzed him about the cash, his employment and the purpose of his trip to St. Louis, then summoned local police and threatened him with arrest because he responded to their questions with a question of his own: What were his rights and could TSA legally require him to answer?

[…]

Mr. Bierfeldt’s suit, filed in U.S. District Court in the District of Columbia, seeks to bar TSA from “conducting suspicion-less pre-flight searches of passengers or their belongings for items other than weapons or explosives.”

I wrote about this a couple of weeks ago:

…Obama should mandate that airport security be solely about terrorism, and not a general-purpose security checkpoint to catch everyone from pot smokers to deadbeat dads.

The Constitution provides us, both Americans and visitors to America, with strong protections against invasive police searches. Two exceptions come into play at airport security checkpoints. The first is “implied consent,” which means that you cannot refuse to be searched; your consent is implied when you purchased your ticket. And the second is “plain view,” which means that if the TSA officer happens to see something unrelated to airport security while screening you, he is allowed to act on that.

Both of these principles are well established and make sense, but it’s their combination that turns airport security checkpoints into police-state-like checkpoints.

The TSA should limit its searches to bombs and weapons and leave general policing to the police—where we know courts and the Constitution still apply.

Posted on July 8, 2009 at 6:42 AMView Comments

Update on Computer Science Student's Computer Seizure

In April, I blogged about the Boston police seizing a student’s computer for, among other things, running Linux. (Anyone who runs Linux instead of Windows is obviously a scary bad hacker.)

Last week, the Massachusetts Supreme Court threw out the search warrant:

Massachusetts Supreme Judicial Court Associate Justice Margot Botsford on Thursday said that Boston College and Massachusetts State Police had insufficient evidence to search the dorm room of BC senior Riccardo Calixte. During the search, police confiscated a variety of electronic devices, including three laptop computers, two iPod music players, and two cellphones.

Police obtained a warrant to search Calixte’s dorm after a roommate accused him of breaking into the school’s computer network to change other students’ grades, and of spreading a rumor via e-mail that the roommate is gay.

Botsford said the search warrant affidavit presented considerable evidence that the e-mail came from Calixte’s laptop computer. But even if it did, she said, spreading such rumors is probably not illegal. Botsford also said that while breaking into BC’s computer network would be criminal activity, the affidavit supporting the warrant presented little evidence that such a break-in had taken place.

Posted on June 2, 2009 at 12:01 PMView Comments

No Warrant Required for GPS Tracking

At least, according to a Wisconsin appeals court ruling:

As the law currently stands, the court said police can mount GPS on cars to track people without violating their constitutional rights—even if the drivers aren’t suspects.

Officers do not need to get warrants beforehand because GPS tracking does not involve a search or a seizure, Judge Paul Lundsten wrote for the unanimous three-judge panel based in Madison.

That means “police are seemingly free to secretly track anyone’s public movements with a GPS device,” he wrote.

The court wants the legislature to fix it:

However, the District 4 Court of Appeals said it was “more than a little troubled” by that conclusion and asked Wisconsin lawmakers to regulate GPS use to protect against abuse by police and private individuals.

I think the odds of that happening are approximately zero.

Posted on May 15, 2009 at 6:30 AMView Comments

Software Problems with a Breath Alcohol Detector

This is an excellent lesson in the security problems inherent in trusting proprietary software:

After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc.

Draeger, the manufacturer maintained that the system was perfect, and that revealing the source code would be damaging to its business. They were right about the second part, of course, because it turned out that the code was terrible.

2. Readings are Not Averaged Correctly: When the software takes a series of readings, it first averages the first two readings. Then, it averages the third reading with the average just computed. Then the fourth reading is averaged with the new average, and so on. There is no comment or note detailing a reason for this calculation, which would cause the first reading to have more weight than successive readings. Nonetheless, the comments say that the values should be averaged, and they are not.

3. Results Limited to Small, Discrete Values: The A/D converters measuring the IR readings and the fuel cell readings can produce values between 0 and 4095. However, the software divides the final average(s) by 256, meaning the final result can only have 16 values to represent the five-volt range (or less), or, represent the range of alcohol readings possible. This is a loss of precision in the data; of a possible twelve bits of information, only four bits are used. Further, because of an attribute in the IR calculations, the result value is further divided in half. This means that only 8 values are possible for the IR detection, and this is compared against the 16 values of the fuel cell.

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

Basically, the system was designed to return some sort of result regardless.

This is important. As we become more and more dependent on software for evidentiary and other legal applications, we need to be able to carefully examine that software for accuracy, reliability, etc. Every government contract for breath alcohol detectors needs to include the requirement for public source code. “You can’t look at our code because we don’t want you to” simply isn’t good enough.

Posted on May 13, 2009 at 2:07 PMView Comments

Googling Justice Scalia

Nice hack:

Last year, when law professor Joel Reidenberg wanted to show his Fordham University class how readily private information is available on the Internet, he assigned a group project. It was collecting personal information from the Web about himself.

This year, after U.S. Supreme Court Justice Antonin Scalia made public comments that seemingly may have questioned the need for more protection of private information, Reidenberg assigned the same project. Except this time Scalia was the subject, the prof explains to the ABA Journal in a telephone interview.

His class turned in a 15-page dossier that included not only Scalia’s home address, home phone number and home value, but his food and movie preferences, his wife’s personal e-mail address and photos of his grandchildren, reports Above the Law.

And, as Scalia himself made clear in a statement to Above the Law, he isn’t happy about the invasion of his privacy:

“Professor Reidenberg’s exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any,” the justice says, among other comments.

Somehow, I don’t think “poor judgment” is going to be much of a defense against those with agendas more malicious than Professor Reidenberg.

Posted on May 1, 2009 at 12:52 PMView Comments

1 16 17 18 19 20 29

Sidebar photo of Bruce Schneier by Joe MacInnis.