SOURCE Boston 2010 April 23, 2010 R.W. Clark Agenda Top Precedents IP Addresses Not Pii No REP in unsecured wireless network Work Place Monitoring Computer Network Security Legal Parameters (What can I do legally?) Precedents More Cases & Issues Disclaimer aka The fine Print Joint Ethics Regulation Views presented are those of the speaker or author and do not represent the views of the government. Where a disclaimer is required for a speech or other oral presentation, the disclaimer may be given orally provided it is given at the beginning of the oral presentation. All material is unclassified Court Recognizes Your Special Skills United States v. Prochner, 417 F.3d 54 (D. Mass. July 22, 2005) Definition of Special Skills Special skill - a skill not possessed by members of the general public and usually requiring substantial education, training or licensing. Examples - pilots, lawyers, doctors, accountants, chemists, and demolition experts Not necessarily have formal education or training Acquired through experience or self-tutelage Critical question is - whether the skill set elevates to a level of knowledge and proficiency that eclipses that possessed by the general public. IP Addresses and Pii Johnson v. Microsoft Corp., 2009 U.S. Dist. LEXIS 58174 (W.D. Wash. June 23, 2009). IP address a four-part number enables e-mails, pictures, data, to be transmitted via the Internet to a particular computer. United States v. Heckenkamp, 482 F.3d 1142, 1144 n.1 (9th Cir. 2007). When a person uses a computer to access Internet, computer is assigned an IP address by user's Internet service provider. United States v. Steiger, 318 F.3d 1039, 1042 (11th Cir. 2003). IP address does not identify a user's name or mailing address. In re Charter Commc'ns, 393 F.3d 771, 774 (8th Cir. 2005). Static IP addresses remain constant with regard to a particular user, but many assign dynamic IP addresses that change each time the user connects to Internet. Steiger, 318 F.3d at 1042.” In order for “personally identifiable information” to be personally identifiable, it must identify a person. IP address identifies a computer, and can do that only after matching IP address to a list of a particular Internet service provider's subscribers. Thus, because an IP address is not personally identifiable, Microsoft did not breach the EULA when it collected IP addresses.” Secure Your Wireless Router United States v. Ahrndt, 2010 U.S. Dist. LEXIS 7821 (D. Ore January 28, 2010) Unsecured wireless router Neighbor access iTunes “share” library Dad’s Limewire Tunes Secure Your Wireless Router United States v. Ahrndt, 2010 U.S. Dist. LEXIS 7821 (D. Ore January 28, 2010) The extent to which the Fourth Amendment provides protection for the contents of electronic communications in the Internet age is an open question. The recently minted standard of electronic communication via e-mails, text messages, and other means opens a new frontier in Fourth Amendment jurisprudence that has been little explored." Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 904 (9th Cir. 2008). The issue in this case is whether the Fourth Amendment provides a reasonable, subjective expectation of privacy in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network. Government Workplace Monitoring United States v. Etkin, 2008 U.S. Dist. LEXIS 12834, (SDNY Feb. 20, 2008). Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (EDNY Sep 8, 2009). Cf. Quon v. Arch Wireless Operating Co., Inc., 445 F. Supp. 2d 1116; (CD Cal. Aug 15, 2006) Affirmed in part and reversed in part by, Remanded by Quon v. Arch Wireless Operating Co., 529 F.3d 892, (9th Cir. Cal., June 18, 2008) With respect to Fourth Amendment claims, city employees had a reasonable expectation of privacy in the personal text messages sent and received on employer-provided pagers because the employer had instituted an informal policy that no auditing would occur so long as employees reimbursed for any messaging that exceeded the allotted amount. Government Workplace Monitoring Stengart v Loving Care Agency, 2010 N.J. LEXIS 241, (Sp Ct. N.J March 30, 2010) N.J. Supreme Court upholds privacy of personal emails accessed at work . This case presents novel questions about the extent to which an employee can expect privacy and confidentiality in e-mails with her attorney, which she sent and received through her personal, passwordprotected, web-based e-mail account using an employer-issued computer. Computer Network Security & Privacy In the United States there is no omnibus statute or constitutional provision that provides comprehensive legal protection for the privacy of personal information, but rather an assortment of laws regulate information deemed to be of sufficient importance to be afforded some level of protection. The U.S. constitution, federal statutes and regulations, and state law combine to govern the collection, use, and disclosure of information. Congressional Research Service, RL 31730, Privacy: Total Information Awareness Programs and Related Information Access, Collection, and Protection Laws (March 21, 2003) Authority for Computer Network Defense Common Law Principle Property is “the free use, enjoyment, and disposal of all his acquisitions, without any control or diminution, save only by the laws of the land.” George J. Siedel, Real Estate Law 21 (1979), citing, W. Blackstone, Commentaries 138 Property in its nature is an unrestricted and exclusive right. Hence it comprises in itself the right to dispose of the substance of the thing in every legal way, to possess it, to use it, and to exclude every other person from interfering with it. Mackeldey, Roman Law § 265 (1883). Authority for Computer Network Defense Right to exclude people from one’s personal property is not unlimited. Self defense of personal property one must prove that he was in a place he had a right to be, that he acted without fault and that he used reasonable force which he reasonably believed was necessary to immediately prevent or terminate the other person's trespass or interference with property lawfully in his possession Moore v. State, 634 N.E.2d 825 (Ind. App. 1994) and Pointer v. State, 585 N.E. 2d 33, 36 (Ind. App. 1992) Authority for Computer Network Defense Common Law Doctrine-Trespass to Chattel Owner of personal property has a cause of action for trespass and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use One may use reasonable force to protect his possession against even harmless interference The law favors prevention over post-trespass recovery, as it is permissible to use reasonable force to retain possession of a chattel but not to recover it after possession has been lost Intel v. Hamidi, 71 P.3d 296 (Cal. Sp. Ct. June 30, 2003 Computer Network Security Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541 et seq. Computer Fraud and Abuse Act, 18 U.S.C. § 1030 Electronic Communication and Privacy Act, 18 U.S.C. §§ 2510 et seq. protection of the rights or property of the provider clause of 18 U.S.C. § 2511(2)(a)(i) Pen Registers and Trap Devices, 18 U.S.C. §§ 3121 et seq. Stored Communications Act, 18 U.S.C. §§ 2701 et seq. Computer Network Security 18 U.S.C. § 2511(2)(a)(i) Owner of a network “may intercept or disclose communications” on its own machines “in the normal course of employment while engaged in any activity which is a necessary incident to . . . the protection of the rights or property of the provider of that service.” Computer Network Security The Service Provider Exception is a limited exception. Not a criminal investigator’s privilege. 18 U.S.C. § 2511(2)(a)(i) Computer Network Security Broad exception, however, Provider must conduct reasonable, tailored monitoring to protect itself from harm. Doesn’t allow unlimited monitoring Need “substantial nexus” b/w threat and property U.S. v McLaren, 957 F. Supp 215, 219 (M.D. Fla. 1997) System administrators can track hackers within their networks in order to prevent further damage. U.S. v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993) Computer Network Security & Balancing Privacy Consent and Banners User Agreements User Training Web Policies Expectation of Privacy In re: Grand Jury Subpoena to Sebastien Boucher, 2009 U.S. Dist. LEXIS 13006 (DC Ver. Feb. 19, 2009) Gov’t appeal US Magistrate Judge’s Opinion and Order granting Defendant’s motion to quash grand jury subpoena that it violates his Fifth Amendment right. Gov’t doesn’t want password for encrypted HD wants only to have defendant provide an unencrypted version of the HD to grand jury. Court –Boucher must provide an unencrypted version of HD to grand jury. Acts of producing incriminating 2 situations – 1 existence and location unknown to Gov’t; 2 production implicitly authenticates. Gov’t knows incriminating files on encrypted drive Z: and will not use this as “authentication” will link files to Defendant in other way Reasonable Expectation of Privacy and P2P United States v. Borowy, 595 F.3d 1045 (9th Cir. Nev. February 17, 2010) Defendant intended to render the files stored on his own computer private, but his technical savvy failed him. His subjective intention not to share his files did not create an objectively reasonable expectation of privacy in the face of such widespread public access under the Fourth Amendment. United States v Beatty, 2009 U.S. Dist. LEXIS 121473 (W.D. Penn. December 31, 2009) Cyber Warfare & Definitions Sean Condron, Getting It Right: Protecting American Critical Infrastructure in Cyberspace 20 Harv. J. Law & Tec 404 (Spring 2007) Following September 11, 2001, the executive branch made a policy decision to distinguish homeland security from homeland defense. n40 Homeland security has been defined as a "concerted national effort to prevent terrorist attacks within the United States, reduce America's vulnerability to terrorism, and minimize the damage and recover from attacks that do occur." n41 In contrast, "[h]omeland defense is the protection of US sovereignty, territory, domestic population, and critical defense infrastructure against external threats and aggression, or other threats as directed by the President." n42 The Department of Homeland Security is the federal agency in charge of homeland security while the Department of Defense is the lead federal agency for homeland defense. n43 Cyber Warfare & Definitions Multiple agencies using multiple authorities monitor the .gov traffic in order to provide computer network security. The governing authorities are the Homeland Security Act of 2002 (HSA) and the Federal Information Security Management Act of 2002 (FISMA). See e.g. 6 U.S.C. §§ 101 et seq. and 44 U.S.C. §§ 3541 et seq. Individual Federal agencies monitor their networks and traffic that flows to and from those systems under authority from FISMA and the “protection of the rights or property of the provider” clause of 18 U.S.C. § 2511(2)(a)(i) which allows the monitoring of communications placed over federal systems in order to combat fraud and theft of service. The principal authority for the Department to advance cyber security is the HSA. While cybersecurity is not specifically identified under HSA, it treated as an undifferentiated component of the broader critical infrastructure protection mission of the Department. See e.g., 42 U.S.C. § 5195c and 6 U.S.C. § 101(4). Cyber Warfare & Definitions • • Request for Comments: 4949 August 2007 • security event I) An occurrence in a system that is relevant to the security of the system. (See: security incident.) • security incident 1. (I) A security event that involves a security violation. (See: CERT, security event, security intrusion, security violation.) • security intrusion (I) A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system or system resource without having authorization to do so. • Attack 1. (I) An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.)2. (I) A method or technique used in an assault (e.g., masquerade). (See: blind attack, distributed attack.) Cyber Warfare & Definitions http://www.dtic.mil/doctrine/jel/doddict/data/c/01179.html computer network attack -(DOD) Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA. http://www.dtic.mil/doctrine/jel/doddict/data/c/01180.html computer network defense - (DOD) Actions taken through the use of computer networks to protect, monitor, analyze, detect and respond to unauthorized activity within Department of Defense information systems and computer networks. Also called CND. http://www.dtic.mil/doctrine/jel/doddict/data/c/01181.html computer network exploitation - (DOD) Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE. http://www.dtic.mil/doctrine/jel/doddict/data/c/01182.html computer network operations - (DOD) Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations. Also called CNO. Cyber Warfare Paul Ohm, The Myth of the Superuser: Fear, Risk, and Harm Online, 41 U.C. Davis L. Rev. 1327 (April 2008) Fear of the powerful computer user, the "Superuser," dominates debates about online conflict. He is a mythic figure: difficult to find, immune to technological constraints, and aware of legal loopholes. The exaggerated focus on the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely held fear of the Internet. Cyber Warfare Legal Research Sean Condron, Getting It Right: Protecting American Critical Infrastructure in Cyberspace 20 Harv. J. Law & Tec 404 (2007) Alan F. Williams, Prosecuting Website Development Under the Material Support to Terrorism Statutes: Time to Fix What's Broken, 11 N.Y.U. J. Legis. & Pub. Pol'y 365 (2007/2008) Thomas Wingfield, When is a Cyber Attack and “Armed Attack”, Potomac Institute for Policy Studies (February 2006) Todd M. Hinnen, The Cyber-Front in the War on Terrorism: Curbing Terrorist Use of the Internet, 5 Colum. Sci. & Tech. L. Rev. 3 (2003 / 2004) Winston P. Nagan, The New Bush National Security Doctrine and the Rule of Law, 22 Berkeley J. Int’l L. 375 (2004) Eric Jensen, Unexpected Consequences From Knock-On Effects: A Different Standard for Computer Network Operations” 18 Am. U. Int’l Rev. 1145 (2003) Eric Jensen, Computer Attack on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense, 38 Stan. J. Int’l 207 ( 2002) Mary Ellen O’Connell, The Myth of Preemptive Self-Defense, The American Society of International Law: Task Force on Terrorism (August 2002) Cyber Warfare Legal Research LTC Dhillon and LTC Smith, Defensive Information Operations and Domestic Law: Limitations on Government Investigative Techiniques 50 A.F. L. Rev. 135 (2001) William C. Banks, M.E. Bowman, Executive Authority for National Security Surveillance, 50 Am. U.L. Rev. 1 (October 2000) Roger D. Scott, Territorial Intrusive Intelligence Collection and International Law, 46 A.F. L. Rev. 217 (1999) Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat’l L. 885 (1999) Todd A. Morth, Considering Our Position: Viewing Information Warfare as a Use of Force Prohibited by Article 2(4) of the U.N. Charter, 30 Case W. Res. J. Int’l L. 567 (Spring/Summer 1998) Roger Scott “Legal Aspects of information Warfare: Military Disruption of Telecommunications, 45 Naval L. Rev. 57 1998 Lawrence Greenberg, Information Warfare and International Law, National Defense University Press (1997) Independent Newspaper, Inc. v. Brodie, 2009 Md. LEXIS (Ct. of Apps. Md. Feb 27, 2009) When a trial court is confronted with a defamation action in which anonymous speakers or pseudonyms are involved, it should 1 require plaintiff to undertake efforts to notify anonymous posters they are subject of a subpoena or application for an order of disclosure, including posting a message of notification of the identity discovery request on the message board; 2 withhold action to afford the anonymous posters reasonable opportunity to file and serve opposition to the application; 3 require plaintiff to identify and set forth exact statements purportedly made by each anonymous poster, alleged to constitute actionable speech; 4 determine whether complaint has set forth a prima facie defamation per se or per quod action against the anonymous posters; and 5 if all else is satisfied, balance anonymous poster's First Amendment right against strength of the prima facie case of defamation presented by plaintiff and necessity for disclosure of anonymous defendant's identity, prior to ordering disclosure. Contact Information robert.clark3@dhs.gov