Court Says Deleting Browser History To 'Avoid Embarrassment' Isn't Destruction Of Evidence

from the those-that-delete-the-past-are-doomed-to-repeat-it dept

A court order demanding the retention of digital evidence morphed into the worst-case scenario for a defendant in a Canadian "breach of confidence" lawsuit. Even though the defendant's actions were ultimately deemed lawful, the intended effect of the questioned action was undone by the judicial discussion of them.

Melissa Caldwell of CyberLex has more details on the events leading up to this unfortunate conclusion:

The underlying action arose after Moyse, who had been employed by Catalyst, left the company to take a position with a competing investment management firm. Catalyst brought an action for breach of confidence for the alleged misuse of confidential information regarding a target company in which Catalyst had unsuccessfully attempted to acquire an interest. Subsequently, the target company was successfully acquire by Catalyst’s competitor, and Catalyst claimed Moyse had delivered Catalyst’s confidential information to its competitor and its competitor had used it in the successful acquisition.

After Moyse had joined the competitor company and before this action was commenced, Catalyst obtained a consent order requiring Moyse and the competitor company to preserve and maintain all records in their possession, power or control “relating to Catalyst and/or related to their activities since March 27, 2014 and/or related to or was relevant to any of the matters raised in the Catalyst action.” The order required specifically that Moyse turn over his computer to counsel for forensic imaging of the data stored on it.

However, before turning his personal computer over to his lawyer, Moyse deleted his personal browsing history and purchased software entitled “RegCleanPro” to further delete registry information.

Catalyst claimed Moyse had destroyed evidence by deleting his browser history. Moyse countered that the preservation order did not specify his computer needed to be kept in "as is" condition -- free from any alterations until it could be imaged. He also pointed out that Catalyst was interested in company documents, rather than his personal internet use. And he had a very good reason for deleting his browser history, seeing as the contents of his computer were about to be made public -- a reason the court sympathized with [PDF] when considering the implications of the preservation order.

I accept Mr. Moyse's evidence as to why he deleted his internet browsing history. There is no evidence to contradict his statements as to why he deleted his internet browsing history. He was a young man at the time who had a very close relationship with his girlfriend who is now his fiancée. He did not want his internet searching to become part of the public record.

The court found that the documents central to the lawsuit were not affected by Moyse's actions. They were available through Dropbox accounts and forensic examiners found no evidence Moyse had ever transferred the documents to his personal Dropbox account. In addition, they found the last time he accessed his account predated his work on the disputed documents.

As for Moyse, his attempt to keep his access of porn sites under wraps backfired. He may have been cleared of evidence spoliation accusations, but his personal web browsing habits still made it into the public record -- albeit without the excruciating level of detail that would have been present if he hadn't thought to scrub his browsing history before turning over the computer.

Filed Under: browser history, evidence, evidence destruction

Oracle's 'Gamechanger' Evidence Really Just Evidence Of Oracle Lawyers Failing To Read

from the are-we-done-yet? dept

It's the case that will never die. As you may recall, over the summer, Oracle asked Judge William Alsup for yet another trial over Google's copying of some Java APIs in Android, claiming that Google had failed to disclose that Android apps would work on Chromebooks. At a hearing last month it seemed very possible that Alsup would order another trial, but (thankfully!) he has now denied Oracle's request for the same exact reason he denied their first request for another trial at the beginning of the summer. He literally says:

Oracle’s new Rule 50 motion is denied for the same reasons as its old one.

First, Alsup defends his earlier decision to limit the trial to Android's use in smartphones and tablets. It's a long explanation, but a sensible one. In short, because of the (ridiculous) Federal Circuit ruling rejecting Alsup's (much earlier) determination that APIs were not subject to copyright (which was the correct ruling, but was overturned because the Federal Circuit is clueless), the case was sent back to the lower court, years after the original verdict that said Google's use was infringing. This trial was over just the fair use question, but was built off of that earlier verdict. Google argued that adding in a bunch of new devices that used Android (as Oracle wanted) that didn't exist when the first trial happened wouldn't make sense, as they introduced new questions and issues that weren't raised in the first trial -- and Alsup agreed. Alsup also notes that Oracle is "free to pursue its claims for infringement arising from Google’s implementations of Android in devices other than smartphones and tablets in a separate proceeding and trial." In other words, no matter the outcome of this case, Oracle may still file another lawsuit over Android in the future. So, in the end, Alsup notes that Oracle wanted to have the court accept the first jury verdict, but then expand it way beyond its scope:

In its new trial motion, Oracle now argues that it was error to limit the device uses in play to smartphones and tablets. We should have had one mega-trial on all uses, it urges. This, however, ignores the fact that Oracle’s earlier win on infringement in 2010 — the same win it wished to take as a given without relitigation — concerned only smartphones and tablets. And, it ignores the obvious — one use might be a fair use but another use might not, and the four statutory factors are to be applied on a use-by-use basis. Significantly, the language of Section 107(4) of Title 17 of the United States Code directs us to consider “the effect of the use upon the potential market for or value of the copyrighted work.” Oracle cites no authority whatsoever for the proposition that all uses must stand or fall together under the fair use test of Section 107.

Alsup also scolds Oracle, in noting that while it wanted to lump in all sorts of post-2010 actions by Google, it successfully blocked the introduction of post-2010 evidence that would have helped Google:

Oracle itself, it must be said, successfully excluded at least one post-2010 development that would have helped Google. Specifically, a pretrial ruling obtained by Oracle excluded evidence tendered by Google with respect to Android Nougat. Significantly, this evidence would have shown that (back in 2008) all of the accused APIs could simply have been taken from OpenJDK, Sun’s own open-source version of Java, apparently in full compliance with the open-source license. Put differently, Sun itself had given away Java (including all of the lines of code in suit) in 2008 via its open-source OpenJDK. In 2015, Google used OpenJDK to reimplement the Java APIs for the latest release of Android, which it called Nougat. Google wished to use this evidence under the fourth fair use factor to show that its infringement did no more market harm than Sun itself had already invited via its own OpenJDK release. Despite its importance, the Court excluded this development because it had not been presented by Google in time for effective rebuttal by Oracle. This exclusion was a major win for Oracle in the weeks leading up to trial.

Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++ and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.

Throughout the briefing and argument on this motion, Oracle left the distinct impression — more accurately distinct misimpression — that Google had stonewalled and had completely concealed the ARC++ project. This was an unfair argument.

In fact, Google timely produced at least nine documents discussing the goals and technical details of ARC++ and did so back in 2015, at least five months before trial. Counsel for Oracle now acknowledges their legal team never reviewed those documents until the supplemental briefing on this motion. The Court is disappointed that Oracle fostered this impression that no discovery had been timely provided on the ARC++ project eventually announced on May 19.

Rule 26(e) requires a party to supplement discovery responses in a timely manner only “if the additional or corrective information has not otherwise been made known to the other parties during the discovery process or in writing” (or if otherwise ordered by the Court). This creates a “‘duty to supplement,’ not a right.” Luke v. Fam. Care and Urgent Med. Clinics, 323 Fed. Appx. 496, 500 (9th Cir. 2009). Nevertheless, Google had no duty to supplement responses with new information that had already been disclosed in the ARC++ documents already produced.

Oracle should have known that items produced in response to its own document requests potentially contained information that supplemented Google’s earlier written discovery responses. Oracle’s failure to review the ARC++ documents is its own fault.

That's a pretty big error on the part of Oracle's lawyers. For all the bombast that they went after Google with in court last month, to then have to admit that they were the ones who had failed to actually read the material that Google supplied them is... really, really bad. If I'm Oracle, I'm really pissed off, because these lawyers from Orrick are not cheap and they just wasted a ton of Oracle money because of their own mistakes.

Judge Alsup also notes that none of this really matters anyway because (once again) this trial was limited to the situation back in 2010, when Android was just in use on phones and tablets, and the desktop/laptop issue was left out of the case (in part because of Oracle's own desire not to relitigate the first part of the trial).

Oracle’s purported “game changer” would not have changed anything at all, because the scope of the “game” was smartphones and tablets, postponing new and later uses to a later contest. ARC++ was not yet on trial. Thus, any failure to produce such evidence could not have substantially interfered with Oracle’s preparation for our trial. On the contrary, it clearly and convincingly would have been inconsequential.

There are a few other attempts from Oracle that Alsup rejects as well -- including some stuff about one particular witness having a single line of an email redacted. There was also an attempt to present some evidence suggesting that Sun wasn't as happy about Google's actions as Google had implied during its testimony, but it involved (yet again) some bizarre behavior by Oracle's lawyers, withholding documents from Google until the very last minute. And, again, Judge Alsup notes that the documents don't really support Oracle's contention anyway. There were a few more arguments in there as well, which aren't as important, but you can read them all in the full ruling from Alsup if you are a glutton for such punishment.

Either way, it's almost certain that Oracle will appeal certain aspects of all of this, and in some sense, this is all just procedural posturing anyway. And, on top of that, Oracle may file a new case against Google for non-tablet/phone uses anyway. In short: this case is nowhere near over, but if you get anything out of these documents, it's that Oracle, the company, should be pretty upset at the lawyers it hired for making a big deal out of something that only served to show that they didn't do their job.

Filed Under: android, apis, copyright, evidence, java
Companies: google, oracle, orrick

DOJ Tells Forensic Experts To Stop Overstating The 'Scientific Certainty' Of Presented Evidence

from the directed-to-use-air-quotes-when-saying-'science'-or-'certainty' dept

The DOJ is finally addressing some long-ignored problems with the forensic evidence its prosecutors rely on. For two decades, FBI forensics experts handed out flawed testimony in hundreds of criminal cases, routinely overstating the certainty of conclusions reached by forensic examination. Of those cases, 28 ended in death penalty verdicts.

An earlier attempt to address issues with flawed science and flawed testimony swiftly ran aground. Federal judge Jed S. Rakoff very publicly resigned from a committee formed to examine these issues after he was informed by the attorney general's office that he wasn't actually supposed to be examining these issues.

Last evening, January 27, 2015, I was telephonically informed that the Deputy Attorney General of the U.S. Department of Justice has decided that the subject of pre-trial forensic discovery -- i.e., the extent to which information regarding forensic science experts and their data, opinions, methodologies, etc., should be disclosed before they testify in court -- is beyond the “scope” of the Commission’s business and therefore cannot properly be the subject of Commission reports or discussions in any respect.

[...]

Because I believe that this unilateral decision is a major mistake that is likely to significantly erode the effectiveness of the Commission -- and because I believe it reflects a determination by the Department of Justice to place strategic advantage over a search for the truth -- I have decided to resign from the Commission, effective immediately. I have never before felt the need to resign from any of the many committees on which I have served over the years; but given what I believe is the unsupportable position now taken by the Department of Justice, I feel I have no choice.

Caleb Mason of Brown, White & Osborn (the "White" is Popehat's Ken White) reports that the DOJ appears to be taking these problems more seriously. It has issued a directive [PDF] forbidding forensic experts from making claims about "scientific certainty" when presenting evidence.

Directive Number 1 provides that agencies must now “ensure that forensic examiners are not using the expressions ‘reasonable scientific certainty’ in their reports or testimony.” Yes, you read that right. The Department of Justice is telling its forensic expert witnesses to stop claiming “scientific certainty.” Why? Because for most forensic disciplines, there never was any, and DOJ is—after decades of resistance—admitting it.

One of the forms of evidence is fingerprints, the thing every law enforcement agency makes sure to obtain when booking suspects because it's supposedly so infallible. But like almost everything else law enforcement forensic experts claim are reasonably certain, scientifically-speaking, examination of prints no more guarantees a match than examining bite marks.

Fingerprint examiners look for “matching points” in prints, but believe it or not, there are no general standards for which points to look at, how many points to look at, or even what counts as a “point.” Not only are there no established standards, there isn’t even general agreement within the forensic analysis community. Some people like eight points, others ten, others twelve. Many examiners insist they can make an identification with just a single point.

Even more amazingly, in stark contrast to DNA matching, no one knows what the statistical likelihood is of two fingerprints sharing particular points, or whether that likelihood is different for different regions or features of the print. This is the crucial question for any identification methodology, because while each person’s fingerprints may be unique, the examiner doesn’t look at every molecule—the examiner looks at whatever five (or eight, or ten) “points” he or she chooses to look at.

Why is this process still so vague even after decades of reliance on it for identifying suspects? Well, it's because the DOJ won't allow anyone other than the government to take a look at the collected records. Researchers who may have been able to make better determinations on how many points are needed for more definitive matches (or how often false positives are returned by the database) have been locked out by the DOJ.

But the big fingerprint databases are controlled by DOJ, and DOJ has steadfastly refused to let researchers use them for the types of analyses geneticists do with DNA. That’s what makes print analysis so frustrating: the data exists, so fingerprint analysis could be a genuine scientific discipline, with publicly-available databases, peer-reviewed research, known error rates, and accepted methodologies. It could be a real body of knowledge about the differential rates of occurrence among populations of particular physical features of our fingerprints. Hopefully one day it will be. But it’s not now, as the DOJ directives finally acknowledge.

The DOJ's not offering to open up its fingerprint database for outside examination. But at least it's admitting it hasn't let anyone without a vested interest in successful prosecutions take a good look at the methods used by its forensic examiners or the collected evidence they're working with.

[As a bonus, here's another fantastic read by Caleb Mason: a Constitutional examination of Jay-Z's hit track, entitled "JAY-Z’S 99 PROBLEMS, VERSE 2: A CLOSE READING WITH FOURTH AMENDMENT GUIDANCE FOR COPS AND PERPS."]

Filed Under: doj, evidence, forensics, prosecutors, science

Another Judge Declares FBI's Playpen Warrant Invalid, Suppresses All Evidence

from the playing-fast-and-loose-with-the-Fourth-Amendment dept

Cyrus Farivar of Ars Technica reports that another federal judge has found the warrant used by the FBI to deploy its Tor-busting malware is invalid. This finding isn't unique. Multiple judges in various jurisdictions have found the warrant invalid due to Rule 41, which limits execution of warrants to the jurisdiction where they were issued. But only in a few of the dozens of cases stemming from the FBI's child porn investigation has a judge ruled to suppress the evidence obtained by the FBI's NIT.

A federal judge in Iowa has ordered the suppression of child pornography evidence derived from an invalid warrant. The warrant was issued as part of a controversial government-sanctioned operation to hack Tor users. Out of nearly 200 such cases nationwide that involve the Tor-hidden child porn site known as "Playpen," US District Judge Robert Pratt is just the third to make such a ruling.

In other cases, judges have found the warrant invalid, but have granted the FBI the "good faith" exception or found that the information harvested by the agency's hacking tool isn't protected under the Fourth Amendment. In one particularly memorable case, the presiding judge wandered off script and conflated security and privacy, suggesting that because computer hacking is so commonplace, the FBI should be allowed to peek into compromised computers (and compromise them!) and extract whatever it can without worrying about tripping all over the Fourth Amendment.

With hundreds of cases all over the nation (and many more handed off to foreign law enforcement agencies) stemming from a single warrant, this collection of rulings is far from coherent. But, more often than not, judges have found that the reach of the FBI's NIT deployment far exceeded its Rule 41 grasp. That all could change by the end of the year, making future investigations handled in this manner (running seized websites to deploy hacking tools) much less likely to be successfully challenged in court.

Judge Pratt's ruling [PDF], however, did at least shut down the government's Third Party Doctrine arguments.

There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer.

[...]

If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself. Here, Defendants' IP addresses were stored on their computers in their homes rather than in a drawer.

Analogies to physical objects are seldom perfect, but Pratt's does better than most.

"Judge Pratt correctly interpreted the NIT's function and picked the correct analogy," Fred Jennings, a New York-based lawyer who has worked on numerous computer crime cases, told Ars. Jennings continues:

[Pratt] correctly points out that the usual analogies, to tracking devices or IP information turned over by a third-party service provider, are inapplicable to this type of government hacking. A common theme in digital privacy, with Fourth Amendment issues especially, is the difficulty of analogizing to apt precedent—there are nuances to digital communication that simply don't trace back well to 20th-century precedent about physical intrusion or literal wiretapping.

The evidence suppression will likely result in charges being dropped, as anything located on the defendant's devices would have stemmed from the invalid NIT warrant. Outcomes like these don't do much to appease the general public, as the actions alleged are often viewed as indefensible. But the ugliness of the crime has no bearing on the Constitution and the rules governing search warrants.

The FBI can't play by different rules just because the targets are less sympathetic. That's why the push back against the proposed Rule 41 changes is important, because alterations to jurisdictional limits won't solely be used to chase down the worst of the worst. It will greatly expand the reach of questionable search warrants and investigative tools and encourage magistrate shopping by law enforcement to lower the level of scrutiny their deficient affidavits might otherwise receive.

Filed Under: doj, evidence, fbi, nit, playpen, warrant

The NYPD's Third 'Forfeiture' Option: Call Seized Items 'Evidence;' Never Give Them Back

from the the-system-works dept

It's not just asset forfeiture being used by law enforcement to take property away from people. With civil asset forfeiture (as opposed to criminal asset forfeiture), property is deemed "guilty," even if its former possessors are not. Kaveh Waddell of The Atlantic is highlighting another way law enforcement agencies are taking possession of property: by calling it "evidence" and playing keep away with former defendants who've had their cases dismissed or have been acquitted.

Last summer, Kenneth Clavasquin was arrested in front of the Bronx apartment he shared with his mother. While the 23-year-old was being processed, the New York Police Department took his possessions, including his iPhone, and gave him a receipt detailing the items in police custody. That receipt would be his ticket to getting back his stuff after his case ended.

But the ticket is worthless. His case was dismissed but no one involved in the seizure of his items showed any interest in returning them. He brought the court's dismissal to the NYPD to retrieve his iPhone but the property desk claimed it was being held as "arrest evidence" -- even though there were no more criminal charges forthcoming. He was sent to the District Attorney's office to ask for permission to obtain the no longer needed "evidence," but the office was less than interested in helping him reclaim his belongings.

Clavasquin needed to get a release from the district attorney’s office stating that his property would no longer be needed for evidence. Over the following three months, he repeatedly called the assistant district attorney assigned to his case, but he neither got a release nor a written explanation of why he was being denied one.

Then, with the help of an attorney at the Bronx Defenders, a public-defender office that had been representing him since the day after his arrest, Clavasquin sent a formal written request for the district attorney’s release. He got no response.

Clavasquin's iPhone was seized in the summer of 2015. His case was dismissed in December. The phone is still in the possession of the NYPD while Clavasquin has continued making monthly service contract payments for a phone he can't use.

The article points out that this noxious blend of asset seizure and bureaucratic malaise affects "hundreds, if not thousands" of New York City arrestees. The city is now facing a class-action lawsuit over this process, filed by Clavasquin and two others with the help of Brooklyn Defenders. In these cases, neither form of asset forfeiture -- civil or criminal -- is being used. Instead, the NYPD is tying up possessions seized during arrests in miles of red tape, subverting what would appear from the outside to be a straightforward, two-step process: case dismissed, items returned.

Even if someone is able to move heaven, earth, and the District Attorney's office, that's not the end of the frustration. One thing most arrestees carry often disappears into the evidence locker as well, greatly increasing the difficulty of retrieving possessions.

The NYPD property clerk, which actually holds on to the items, requires two forms of ID before releasing any property. Drumming up two forms of ID can be difficult on its own, but it’s made harder still if the person’s wallet, which may contain a driver’s license, is in police custody. (The property clerk won’t count a seized license as a valid form of ID.)

Not only is the process labyrinthine, frustrating, and nonsensical, but there's a clock ticking the whole time. A person has 120 days from the point the criminal case has ended to demand return of their items from the NYPD. If their case has been dismissed, they have 270 days to secure the elusive release form from the DA's office -- something that explains the office's disinterest in answering phone calls, emails or letters asking for this piece of paper. Once the clock runs out, the city is free to auction off the seized property.

If the DA's office wants to put seized items into indefinite limbo, all it has to do is classify them as "investigatory evidence," which means they might be used at some point in future to further a criminal investigation. The DA's office has every reason to put seized items out of reach of their owners and very little compelling it to relinquish control of property that can eventually be used to (indirectly) fund its office. In practical terms, being arrested by the NYPD means losing whatever you had on you permanently -- unless you have the funds to pay an aggressive lawyer to navigate the deliberately daunting retrieval process.

Also of note is the fact that the most common item in NYPD evidence lockers are cellphones. Considering how many of these were seized during run-of-the-mill arrests, one has to question assertions made by district attorneys like Cyrus Vance, who claim there are hundreds of phones prosecutors and investigators can't access because of encryption. Sure, the numbers may be correct (Vance claimed his office was dealing with 175 uncrackable phones), but one has to ask how many of these actually may hold evidentiary value, and how many are simply sitting around waiting for the clock to run out so they can be auctioned.

It's just another form of legal robbery, once you strip away the bureaucratic lingo and law enforcement statements that try to give this a veneer of respectability. When criminal cases are dismissed, seized belonging are "evidence" of nothing and should be released to their owners. Instead, law enforcement agencies and district attorneys offices are working together to keep non-criminals from their rightful belongings.

Filed Under: asset forfeiture, evidence, nypd

Drug Dealer's Lawyers Want To Know How Yahoo Is Recovering Communications It Previously Said Were Unrecoverable

from the either-don't-understand-the-system-or-it-doesn't-work-the-way-Yahoo-clai dept

Yahoo's in the middle of another national security-related courtroom battle, albeit somewhat inadvertently. Its response to a discovery order in a drug dealer's trial has left the defense wondering exactly how the hell it complied with it. Joseph Cox of Motherboard has more details.

Defense lawyers in the case claim that six months of deleted emails were recovered—something which Yahoo's policies state is not possible. The defense therefore speculates that the emails may have instead been collected by real-time interception or an NSA surveillance program.

United States Magistrate Judge Maria-Elena James, from a San Francisco court, granted the defense's motion for discovery in an order filed on Wednesday.

Russell Knaggs, the accused drug dealer, apparently utilized a Yahoo email account to hook up suppliers in Colombia with buyers in Europe. To add to the difficulty level, Knaggs did this while serving time for another drug bust. The method used was not all that uncommon. Everyone shared a single email account and composed draft messages. Each party would log into the account, read the draft message left for them, and compose a draft of their own in response. No emails were sent. All drafts were then deleted from both the "Draft" folder and the "Trash."

According to Yahoo, there was no way for Yahoo to retain these messages. Except that it did and turned them over to law enforcement, suggesting ongoing surveillance, rather than the recovery of communications from the account.

After receiving requests from UK police and the FBI in September 2009 and April 2010, Yahoo created several “snapshots” of the email account, preserving its contents at the time—and revealing the messages. But the defense alleges there should have been nothing for law enforcement to find.

Yahoo's explanation is that the recovered emails were copies created by the email service's “auto-save” feature, which saves data in case of a loss of connectivity, for example. The company has filed several declarations from a number of its staff, but the defense said some of those contradicted each other, and it wants more information.

Here's what the defendant's tech expert had to say in his testimony [PDF].

With regard to Yahoo‟s “snapshot” and its process of “retriev[ing emails] from the servers because their auto-save function systematically preserved edits made over time,” Abramson says the descriptions Yahoo gives of its auto-save feature are inconsistent, contradictory, and furthermore “do[] not align with [Abramson‟s] understanding of such programs.” Abramson contends Yahoo‟s statements “do not in fact agree with common technical principles. The timing of e-mail data saved between 2 minutes and several seconds is not consistent.” Abramson Rpt. at 8. He asserts that “[a] more plausible explanation for the e-mail information provided to law enforcement is that the e-mail account of Mr. Knagg‟s [sic] was under surveillance and through the immediate efforts of surveillance, Yahoo was able to capture the email information and provide it to law enforcement.”

The defense wants several things from Yahoo, including source code, in hopes of sussing out the methods used to capture and preserve these draft messages. Yahoo would rather not give this information up. The judge, while somewhat sympathetic to Yahoo's arguments, also notes it's the company's own inconsistent explanations that have led to this situation.

The Court agrees with Yahoo that Petitioner's requests are somewhat broad; however, the Court also agrees that Yahoo‟s seemingly conflicting responses up to this point create a situation where Petitioner cannot be certain he understands the process of information gathering he seeks to challenge. While Yahoo believes that Petitioner seeks information that is cumulative given its interrogatory responses, it would appear that the requested discovery would not necessarily be cumulative, but might instead provide clarity to Petitioner regarding Yahoo‟s data-gathering methods. Additionally, since the documents Petitioner requests are potentially the same ones that helped Chan “clarify” her previous statement and better understand the data-gathering process, it would appear that these documents could help Petitioner gain a better understanding of the system as well, and could help to prove or disprove one of the grounds of his appeal, as is the purpose of his discovery request. The Court also notes that Chan‟s responses up to this point do not provide the sort of personal knowledge or foundational information for the Court or Petitioner to be able to adequately assess her responses. Consequently, Petitioner's request for documents and a 30(b)(6) deposition is appropriate rather than ordering further interrogatory responses.

The list of items the defense wants has been scaled back by the judge, but what remains will still provide a glimpse into Yahoo email's inner workings, including any evidence of targeted or bulk surveillance methods put into place by the company. Whether or not we'll get to see it is another matter, as the judge will consider instituting a protective order if the information produced is deemed too sensitive.

What it sort of looks like is possibly illegal surveillance being covered up with parallel construction. The problem with this theory is that Yahoo has been more than a little resistant to broad surveillance requests. That doesn't completely rule out complicity, but it would definitely be a risky move for a private company to cover for government wrongdoing. When (and if) more details are provided, we'll know more. If nothing else, it may indicate draft messages are indiscernible from sent messages, at least when it comes to Yahoo's servers.

Filed Under: communications, deleted, drug dealer, emails, evidence, russell knaggs
Companies: yahoo

Appeals Court Says DOJ Can Keep Its Evidence-Production Guidelines To Itself

from the an-open-court-with-secret-rules dept

Judge Alex Kozinski pointed out the obvious in a Ninth Circuit Appeals Court decision:

There is an epidemic of Brady violations abroad in the land. Only judges can put a stop to it.

Brady evidence -- possibly exonerating evidence that prosecutors are required to turn over to the defense -- is far too frequently withheld and/or buried. The punishments for violating this requirement are almost nonexistent. The prosecution hates to see wins become losses. And the government in general -- despite declaring fair trials to be the right of its citizens -- hates to play on a level field.

A federal judge withdrew from a forensic evidence committee because the government told him it wasn't his job to point out the severely-flawed pre-trial forensic evidence discovery procedures deployed by prosecutors. Judge Rakoff called the government out in his resignation letter.

The notion that pre-trial discovery of information pertaining to forensic expert witnesses is beyond the scope of the Commission seems to me clearly contrary to both the letter and the spirit of the Commission’s Charter… A primary way in which forensic science interacts with the courtroom is through discovery, for if an adversary does not know in advance sufficient information about the forensic expert and the methodological and evidentiary bases for that expert’s opinions, the testimony of the expert is nothing more than trial by ambush.

"Trial by ambush" will continue unabated. Prosecutors will shrug off the minimal punishments for withholding evidence. The DOJ will continue to argue that it's allowed to erect as many roadblocks as it wishes in front of defendants.

The DC Appeals Court has allowed the DOJ to retain another aspect of its "trial by ambush" strategy, as reported by Mario Machado of Fault Lines.

The D.C. Court of Appeals declared that the federal government will not have to disclose the contents of a guide that determines when its prosecutors should disclose evidence to the accused. The Department of Justice’s “Blue Book” stays in-house, at least for the time being.

The "Federal Criminal Discovery Blue Book" was crafted after DOJ prosecutors were blasted by a judge for their actions in the prosecution of Senator Ted Stevens.

In nearly 25 years on the bench, I have never seen anything approaching the mishandling and misconduct I have seen in this case.

Brady material was withheld from the defense, something that would have never been discovered without an FBI whistleblower stepping forward. The new guidelines were supposed to make things better. Very little seems to have changed since its introduction. And no one on the defense side of the fight has any idea what prosecutors are required to do under these guidelines.

The National Association of Criminal Defense Lawyers (NACDL) tried asking the government for a copy. This was denied. So, it filed a FOIA request for the "blue book." This, too, was denied, with the government claiming its internal guidelines for ensuring a fair fight were not subject to FOIA requests. From the DC Appeals Court decision [PDF].

The Department refused to disclose the Blue Book, invoking the Freedom of Information Act’s Exemption 5, which exempts from disclosure certain agency records that would be privileged from discovery in a lawsuit with the agency. The Department maintained that the Blue Book fell within the attorney work-product privilege, and therefore Exemption 5, because it was prepared by (and for) attorneys in anticipation of litigation.

This claim is laughable. Of course it's for litigation. But it's not for any specific litigation. It's for use in all DOJ prosecutions, which makes it more aligned with general information, rather than a narrow slice of "attorney work-product." The NACDL pointed this out.

The NACDL argued that the Blue Book fell outside the work-product privilege because it had a non-adversarial function, to wit: the training and education of the DOJ’s vaunted prosecutors. It also argued that its disclosure was fair game because it was not drafted with a specific litigation in mind, but ultimately the Court sided with the federales, who fought tooth and nail to keep the book under wraps.

One part of the judicial system has seen the contents of the "blue book" (other than DOJ prosecutors): the district court. An in camera presentation to both the lower court and the appeals court has allowed both to reach the decision they have. But will it result in the courts holding the DOJ to their own super-secret standards? Of course not.

Judges are presented with evidence obtained through discovery. They have no idea whether all of it is present or if the DOJ followed its own instructions for handing over Brady material to the defense. The judges' viewing of this internal document will not result in greater accountability.

Handing these guidelines over to defense lawyers, however, would give them more avenues to challenge withheld evidence and other perceived violations in disclosure. The government doesn't like this idea and claims that a more level playing field would severely hamper its prosecutions. One is inclined to agree with the DOJ's claim about hampered prosecutions, although not for the reasons it states.

DOJ thus argues that disclosing the Blue Book would “essentially provide a road map to the strategies federal prosecutors employ in criminal cases.” Id. It contends that disclosure would afford anyone who wanted to read the Blue Book (including opposing counsel) “unprecedented insight into the thought processes of federal prosecutors.” Disclosure thus would “undermine the criminal trial process by revealing the internal legal decision-making, strategies, procedures, and opinions critical to the Department’s handling of federal prosecutions.” In addition, it would “severely hamper the adversarial process[,] as DOJ attorneys would no longer feel free to memorialize critical thoughts on litigation strategies for fear that the information might be disclosed to their adversaries to the detriment [of] the government’s current and future litigating positions.”

In other words, the fight might be slightly fairer, and the government won't be having any of that. The DC Circuit is now completely complicit in the government's "trial by ambush" plans.

Filed Under: brady evidence, brady violations, doj, evidence, hiding evidence, production

For The First Time, A Federal Judge Has Suppressed Evidence Obtained With A Stingray Device

from the get-a-warrant,-g-men dept

Evidence acquired using Stingray devices has rarely been suppressed. This is due to the fact that it's almost impossible to challenge. The reason it's almost impossible to challenge is because the FBI -- and the law enforcement agencies it "partners" with (via severely restrictive nondisclosure agreements) -- will throw out evidence and let suspects walk rather than expose the use of IMSI catchers.

Earlier this year, a Baltimore city circuit judge threw out evidence obtained with the Baltimore PD's cell tower spoofing equipment. And this was no run-of-the-mill drug bust. An actual murder suspect had evidence suppressed because of the BPD's warrantless deployment of a Stingray device. Without the use of the Stingray, the BPD would not have been able to locate the suspect's phone. And without this location, there would have been no probable cause to search the apartment he was in. You can't build a search warrant on illegally-obtained probable cause, reasoned the judge. Goodbye evidence.

"I can't play the 'what if' game with the Constitution," [the judge] said, lamenting that it protects people from illegal searches even when the defendant is "likely guilty."

Now, it's finally happened at a higher level. For the first time ever, a federal judge has suppressed evidence obtained by the warrantless use of a Stingray device.

U.S. District Judge William Pauley in Manhattan on Tuesday ruled that defendant Raymond Lambis' rights were violated when the U.S. Drug Enforcement Administration used such a device without a warrant to find his Washington Heights apartment.

The DEA had used a stingray to identify Lambis' apartment as the most likely location of a cell phone identified during a drug-trafficking probe. Pauley said doing so constituted an unreasonable search.

"Absent a search warrant, the government may not turn a citizen's cell phone into a tracking device," Pauley wrote.

The opinion [PDF] notes the DEA first tried to locate Lambis using cell site location info but found it wasn't precise enough. So, it deployed a Stingray to track him down, ultimately ending with a DEA tech roaming an apartment's hallways with a cell site simulator until Lambis was located.

A few hours later, DEA agents showed up at the apartment, where Lambis' father allowed them to enter and Lambis himself consented to a search of his room and belongings.

It's pretty tough to work your way backwards from a consensual search to a suppression order, but Lambis' lawyer was apparently up to the challenge. But -- as in the Baltimore PD case -- the DEA would never have known which apartment Lambis was located in without the use of a cell site simulator, and that's where it all falls apart for the DEA.

The government tried to argue that two fairly recent cases involving thermal imaging (Kyllo) and drug dogs (Thomas) weren't applicable, as its "limited search" only disclosed information it could obtain without a warrant: cell site location. This is at odds with its reasons for deploying the cell site simulator -- which was that the CSLI it obtained wasn't precise enough to locate the suspect.

The court finds the government's attempt to route around these two precedential decisions unavailing, noting that the use of a cell site simulator is actually more intrusive than the search methods used in the cases the DEA's lawyers wanted to have ignored.

The Government attempts to diminish the power of Second Circuit precedent by noting that Thomas represents a minority position among circuit courts. But this Court need not be mired in the Serbonian Bog of circuit splits. An electronic search for a cell phone inside an apartment is far more intrusive than a canine sniff because, unlike narcotics, cell phones are neither contraband nor illegal. In fact, they are ubiquitous. Because the vast majority of the population uses cell phones lawfully on a daily basis, “one cannot say (and the police cannot be assured) that use of the relatively crude equipment at issue here will always be lawful.”

The court also points out that the DEA -- for whatever reason -- obtained a warrant for the cell site location info. It wonders why it didn't bother to obtain a warrant for the cell site simulator deployment, seeing as it obtained a warrant for information it could have obtained without one. It also notes that a warrant for CSLI is not the same as a warrant for obtaining precise location info via the use of sophisticated electronic equipment.

The fact that the DEA had obtained a warrant for CSLI from the target cell phone does not change the equation. “If the scope of the search exceeds that permitted by the terms of a validly issued warrant . . . , the subsequent seizure is unconstitutional without more.” Horton v. California, 496 U.S. 128, 140 (1990)... Here, the use of the cell-site simulator to obtain more precise information about the target phone’s location was not contemplated by the original warrant application. If the Government had wished to use a cell-site simulator, it could have obtained a warrant. And the fact that the Government previously demonstrated probable cause and obtained a warrant for CSLI from Lambis’s cell phone suggests strongly that the Government could have obtained a warrant to use a cell-site simulator, if it had wished to do so.

The government also tried to use the Supreme Court's horrendous Strieff decision to save the evidence, but the court notes that the "temporal proximity" between the illegal Stingray search and the consensual search of the apartment was too close to allow the illegality of the original search to dissipate.

The government also tried to use the Third Party Doctrine to salvage its warrantless search, but the court refuses to be sold on this bad idea.

This Court need not address whether the third party doctrine is “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” United States v. Jones, 132 S. Ct. 945, 957 (2012) (Sotomayer, J., concurring), because even under the historic framework of the doctrine, it is not available to the Government here. The doctrine applies when a party “voluntarily turns over [information] to third parties.” Smith v. Maryland, 442 U.S. 735, 744 (1979) [...] However, the location information detected by a cell-site simulator is different in kind from pen register information: it is neither initiated by the user nor sent to a third party.

[...]

Unlike CSLI, the “pings” picked up by the cell-site simulator are not transmitted in the normal course of the phone’s operation. Rather, “cell site simulators actively locate phones by forcing them to repeatedly transmit their unique identifying electronic serial numbers, and then calculating the signal strength until the target phone is pinpointed.”

These points are good. The following, though, is even better. The court finds the government can't attempt to use the Third Party Doctrine when it has chosen to act as the "third party" in this equation.

For both the pen register and CSLI, the Government ultimately obtains the information from the service provider who is keeping a record of the information. With the cell-site simulator, the Government cuts out the middleman and obtains the information directly. Without a third party, the third party doctrine is inapplicable.

The Second Circuit has yet to make a decision on the reasonable expectation of privacy in CSLI. If this is appealed, it may finally have to handle that question. Then again, CSLI is only partially implicated here and it may be able to let the Fourth Amendment's reach be determined on a case-by-case basis until something more directly addressing the issue comes along. If nothing else, the ruling here should encourage more federal agencies operating in this district to get a warrant "just in case." Then again, the secrecy surrounding Stingray devices discourages the creation of paper trails, so it may be that the government will continue to roll the Fourth Amendment dice until a higher court tells them otherwise.

Filed Under: dea, evidence, raymond lambis, stingray, suppression, surveillance, warrant

Agent's Testimony Shows FBI Not All That Interested In Ensuring The Integrity Of Its Forensic Evidence

from the bad-things-are-good-if-done-for-the-'right'-reasons dept

Security researcher Jonathan Zdziarski has been picking apart the FBI's oral testimony on the NIT it deployed in the Matish/Playpen case. The judge presiding over that case denied Matish's suppression request for a number of reasons -- including the fact that Matish's residence in Virginia meant that Rule 41 jurisdiction rules weren't violated by the FBI's NIT warrant. Judge Morgan Jr. then went off script and suggested the FBI didn't even need to obtain a warrant to deploy a hacking tool that exposed end user computer info because computers get hacked all the time.

He equated this to police peering through broken blinds and seeing something illegal inside a house, while failing to recognize that his analogy meant the FBI could let themselves inside the house first to break the blinds, then peer in from the outside and claim "plain sight."

The oral arguments [PDF] -- using FBI Special Agent Daniel Alfin's testimony -- were submitted in yet another case tied to the seizure of a child porn website, this one also taking place in Virginia and where the presiding judge has similarly denied the defendant's motion to suppress. The DOJ has added the transcript of the agent's oral testimony in the Matish prosecution as an exhibit to this case, presumably to help thwart the defendant's motion to compel the FBI to turn over the NIT's source code.

Many assertions are made by Agent Alfin in support of the FBI's claim that its hacking tool -- which strips away any anonymity-protecting efforts put into place by the end user and sends this information to a remote computer -- is not malware. And many of them verge on laughable. Or would be laughable, if Alfin wasn't in the position of collecting and submitting forensic evidence.

There's so much wrong in here, it's probably best to just start at the top.

1. A MAC address is a unique identifier that can never be altered.

THE WITNESS: Yes, Your Honor. MAC is an acronym that stands for media address control.

THE COURT: Is that different than IP address?

THE WITNESS: Yes, Your Honor. A MAC address is unique and does not change. So you can look at the MAC address in the matter at hand from Mr. Matish's computer, and that MAC address is always the same. It is the one that was identified by the government. It was also the one that was seized by the government. A MAC address is hard-wired or burned into the card.

[Compared with this, from the same agent, roughly 30 pages later…]

Q. Are any of those items -- I believe you testified to the MAC address. Can that be changed?

A. It can be --

2. The FBI didn't need to encrypt the data collected by the NIT because, hey, Tor is secure and can't be compromised.

Q: In one of the declarations that was submitted on behalf of Mr. Matish by Dr. Soghoian, it is alleged that because the NIT sent data over the regular Internet and not encrypted that the authenticity of the data could not be verified.

A: This is incorrect. It also fails to acknowledge that the NIT was, in fact, sent to Mr. Matish's computer over the Tor network, which is encrypted.

3. Encryption would ruin the integrity of the collected evidence.

Q. Would encryption of the data as it was transmitted from the computer to the government -- what effect, if any, would that have had on the utility of the data going forward?

A. It would have not completely made the network data useless, but it would have hurt it from an evidentiary standpoint. Because the FBI collected the data in a clear text, unencrypted format, it shows the communication directly from Mr. Matish's computer to the government. It can be read; it can be analyzed. It was collected and provided to defense today, and they can review exactly what the FBI collected.

Had it been encrypted, it would not have been of the same value, because the encrypted data stream itself could not be read. In order to read that encrypted data stream, it would have to first be decrypted by the government, which would fundamentally alter the data. It would still be valid, it still would have been accurate data; however, it would not have been as forensically sound as being able to turn over exactly what the government collected.

4. The FBI's malware is not malware because "mal" means "bad" and "FBI" means "good."

Q. And, finally, would you describe the NIT as malware?

A. No. The declaration of Dr. Soghoian disputes my point from my declaration that I do not believe the NIT should be considered malware, but he fails to address the important word that makes up malware, which is "malicious."

"Malicious" in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious. And for that reason I do not believe that the NIT utilized in this case pursuant to a court order should be considered to be malware.

5. The defense has all the data it needs to examine the FBI's NIT.

Q. Okay. And you're aware that the first time that the government agreed to produce that particular data was in its response to this motion to compel?

A. I assume that's the case. I don't know exactly what date it was provided on, but I know it was turned over.

Q. And then you talked about a data stream being made available, right?

A. Yes.

Q: And you're aware that the first time that the government agreed to produce that data was in its surreply to the motion to compel.

A. I don't recall the first time that that data was made available, but I know it has been made available and has been turned over.

Q. As of --

A. As of today.

Q. -- 20 minutes ago, correct?

A. Yes. To the best of my knowledge, it was not turned over prior to that.

7. The NIT is like a set of burglar's tools...

Q. You say the exploit would shed no light on what the government did. The government deployed this exploit, correct?

A. The government used the exploit to deploy the NIT.

Q. And I believe you used the analogy that this exploit is like a way of picking a lock, right?

8. … except that sounds really bad and not something the "good" FBI should be doing. So, now it's an open window.

A. Yes. A more accurate analogy may be going in through an open window. As I've stated in my declaration, there was a vulnerability on Mr. Matish's computer. The FBI did not create that vulnerability. That vulnerability can be thought of as an open window. So we went in through that open window, the NIT collected evidence, and then left. We made no change to the window.

There's plenty more to read through and Zdziarski's Twitter stream contains several highlights and some incisive analysis. Matish's lawyer also makes a very good point about the problems with using insecure data -- transmitted in unencrypted form -- as forensic evidence.

To prevent tampering with the evidence. I mean, this is analogous to -- I mean, there's a crime scene. Certain evidence is collected, and rather than bagging and labeling it and following established techniques for how evidence is to be collected and transferred back to, you know, the server, which is like an evidence locker, they just threw everything in the back seat of the cruiser and drove back. Oh, and, by the way, they won't tell us whether on the way back they also picked up someone else who rode in the back of the cruiser.

Or as Zdziarski puts it:

He also points out that the FBI's refusal to allow Matish to examine the NIT is not at all aligned with normal evidentiary practices.

We've set out through our expert declarations exactly why this information is critical, and the government is saying, no, we've looked at it, we've analyzed it; our experts say you wouldn't be able to make a meaningful trial defense based on this information. But in some ways, Your Honor, that's the same as saying, we're not telling you who our confidential informant is. You don't need to talk to him, because we're telling you he's believable and everything he's saying is true. You don't need to look at the DNA tests from the lab, because we're telling you it's a match, and we're telling you the tests were fine.

Despite this, the court decided to deny the motion to suppress and Matish will be dealing with the evidence collected against him. According to this testimony, it isn't much -- some images found in unallocated space, suggesting they had been deleted. That's not much but it may be enough to secure a conviction.

But the testimony gives us greater insight into the FBI's handling of forensic evidence and its perception of the exploits at its disposal. And what's on display here is far from encouraging.

Filed Under: evidence, fbi, malware, nit

Store Owner Sues Baton Rouge Police For Seizing His CCTV Recording Of Alton Sterling Shooting

from the store-entirely-self-service-apparently dept

I don't get to use the phrase "with alacrity" that often, but Baton Rouge store owner Abdullah Muflahi's filing of a lawsuit against the Baton Rouge police can only be described as that.

Following the shooting of Alton Sterling by Baton Rouge police officers, Muflahi's store was raided by law enforcement officers who took the hard drive containing the store's surveillance camera footage of the altercation. So far, everyone involved has refused to discuss the illegal seizure of Muflahi's recording equipment, deferring to the FBI and its investigation of the shooting -- which would be something if the FBI would answer questions about the seizure and current location of the hard drive.. but it won't talk about it either.

Hence the speedily-filed lawsuit by Muflahi, as reported by Mike Hayes of Buzzfeed:

The owner of the Triple S Food Mart in Baton Rouge where Alton Sterling was fatally shot on July 5 says police detained him for hours while seizing his security footage of the incident without a warrant, according to a lawsuit [PDF] filed Monday.

28-year-old Abdullah Muflahi says that police at the scene placed him in a locked police car for four hours and denied him access to his cell phone, preventing him from contacting his family or an attorney.

According to the lawsuit, police wouldn't even allow Muflahi to go back into his store to use the restroom during his detention, forcing him to urinate outside of his store in full view of the public. And his detention didn't end there. Muflahi was taken back to the Louisiana State Police headquarters and held for another two hours while officers questioned him.

This all sounds very suspicious, illegal, and retaliatory. Muflahi not only had CCTV footage of the shooting, but also filmed it with his own cell phone, providing one of the two "unofficial" accounts of the arrest. While it's fantastic that a recent Supreme Court decision may have resulted in officers' reluctance to seize/search Muflahi's cell phone, the Fourth Amendment itself seemed to have little effect on their decision to enter his store and seize his recording equipment without a warrant. While the recording could correctly be described as "evidence," that doesn't excuse a warrantless entry or seizure.

The lawsuit, unfortunately, is a little thin when it comes to establishing anything that might overcome the immunity that shields individual officers from the consequences of their actions. While it does suggest the Baton Rouge Police Department's training is inadequate, it really doesn't go into detail as to why the court should be expected to believe this assertion. However, it does make an allegation that could be interesting if the court decides to explore it.

[Baton Rouge Police Chief Carl Dabadie] has negotiated a contract with a union representing police officers that provides a blanket indemnification for police officers who are sued by the public from all claims no matter what the circumstances under which the claim arise and further provides that meritorious complaints about police officers are purged from employment files after only 18 months. Both contract provisions encourage aggressive conduct by police officers by minimizing consequences.

It's common knowledge that police union contracts are generally constructed to shield officers from not only public scrutiny, but internal misconduct investigations as well. Most of these are complemented by a "Law Enforcement Bill of Rights" that gives officers up to three days to ignore questions about alleged misconduct or excessive force. These "extra rights" are often granted in the face of police union pressure, and the unions themselves are heavily-involved in the drafting of department discipline policies. Unions also help fired officers regain their positions, making it even harder for law enforcement agencies to rid themselves of the "bad apples" continually spoiling the rest of the "bunch."

While there's zero chance any decision would result in an alteration of the union's relationship with the Baton Rouge police department or the policies it helped draft, any discussion would at least shine a little more light on how these unions tend to make bad policing/policies even worse.

Filed Under: 4th amendment, abdullah muflahi, alton sterling, baton rouge, evidence, video