pageok
pageok
pageok
Can the FBI Install Spyware on Your Computer Without A Warrant?:
Kevin Poulsen has an interesting piece at Wired.com on a recent criminal case in which the government obtained a search warrant and remotely installed spyware on a target's computer. The program reported back a wealth of information on how the computer was being used, including IP addresses, the MAC address, etc.. No contents of communications were obtained; this would have required a Title III order rather than a traditional search warrant. The warrant affidavit is here.

  Given that the government obtained a probable cause warrant and didn't collect the contents of any communications, it's hard to find a legal problem with what the government did. At the same time, the story does make me wonder if something like this was used in the United States v. Forrester case I blogged about earlier. I never did find out if the Forrester case involved monitoring at the ISP or involved spyware installed on the suspect's personal machine. But if it was the latter, I tend to think a warrant probably was necessary and the court's decision probably was wrong.

  Why might it matter whether the government installed the device at the ISP or on the suspect's machine? It's true that the government ends up with the same information either way. But the Fourth Amendment usually focuses on how information is collected rather than what information is collected. The fact that the government can buy the morning newspaper at a corner store without a warrant doesn't mean that they can break into your home and read your copy without obtaining a warrant first.

  More broadly, I tend to think that the most persuasive rationale for the third-party doctrine underpinning Smith v. Maryland (and thus Forrester) is that the recipient of a communication is a party to the communication that can consent to monitoring. When a communication is received by its intended recipient, that recipient has control over what to do with the information received much like the recipient of a traditional letter. Thus in Smith v. Maryland, the phone company could record Smith's telephone numbers because it was the end recipient of the communication -- the communication about the numbers to be dialed -- from Smith to the phone company.

  Spyware is different. If the government places spyware on a private machine, it is not working with a party to the communication. Rather, it is intercepting the contents of communications between the parties, the user and the ISP. I think it's much harder to apply the third-party doctrine in that setting. You end up having to say that the possibility the government could get the ISP to conduct the monitoring means that the government doesn't have to try. But consent is consent in fact, not a likelihood of consent if the government had tried to obtain it. Given that, I'm dubious that spyware is covered under the rationale of Smith v. Maryland. As a result, I tend to think a warrant is probably needed to install spyware without the ISP's involvement even if non-content information was disclosed (note that a warrant was obtained in the case covered by Wired). It's not an open and shut case, but I think a warrant is probably needed.

  Anyway, sorry if these ideas are hard to follow; I'm working on an article about the third party doctrine and my views are still forming, so some of my comments may seem disjointed. Finally, thanks to Dan Solove for the link.
Oren (mail):
(1) It's not a "device", it's software. Maybe that's pedantic but there are specific physical devices called keyloggers that literally sit between the keyboard and computer and record all the keys pressed. This could be compared to installing a tape recorder in someone's office.

OTOH, there is software that performs the same task (and is also called a keylogger) but does so on a virtual level.

Sorry to be pedantic but this distinction seems critical to me because the method of delivery in the former case is strictly break-and-enter while, in the latter case, the delivery method can vary enormously.

For instance, in the virtual case, the gov't could install it via a security vulnerability (i.e. hack in to the machine and install it - most analogous to the physical case). Alternatively, they could con the suspect into installing it himself by various means which would be least analogous to the physical case - more like having an FBI agent pose as a criminal and accompany the suspect home while wearing a wire.

(2) The device used in the Forrester case was unambiguously a software-based device. I conclude this because the opinion made reference to "imaging monitoring"* which can only be obtained via software.

(3) I'm curious as to the standard of review here with respect to such monitoring done by the ISP. In one sense, there is no REP in data that one sends to one's ISP (and on to various computers around the world) because they can read it at will. In another sense, it is like a bank deposit vault in that it is a reasonable assumption that it is NOT being read because, in fact, internet communications are never read (and the contents of bank deposit vaults are not inspected by bank employees). Attempting to quantify the word "reasonable" here seems nigh impossible.
7.20.2007 9:58am
Oren (mail):

More broadly, I tend to think that the most persuasive rationale for the third-party doctrine underpinning Smith v. Maryland (and thus Forrester) is that the recipient of a communication is a party to the communication that can consent to monitoring. When a communication is received by its intended recipient, that recipient has control over what to do with the information received much like the recipient of a traditional letter.


An ISP is not analogous to the recipient of a letter but rather the courier. They are certainly not the intended recipient of the information in the "letter" (packet) but rather an intermediary.
7.20.2007 10:03am
Michael Hussey:
Another follow-on question is whether spyware detection software running on a suspect's computer will notify the suspect of spyware installed under the authorization of a proper warrant. See, Security Firms Comment on Police Spyware This is both a technical and legal question. If the spyware detection software is technically capable of detecting that spyware, should the government be able to force the spyware detection software author to suppress any detection of spyware installed under an authorized warrant? This latter question seems more like a First Amendment or Due Process takings question than a Fourth Amendment search and seizure issue.
7.20.2007 10:14am
OrinKerr:
Oren,

1) An ISPs role is context-dependent, just like a telephone company's. They are the recipient of some nformation and a courier for other information.

2) I understand that you feel that the word "device" should be limited to mean a physical device. I disagree; I think "device" is a more general term for a tool, which can mean a physical device containing software or just software.

3) It's a mistake to think that the phrase "reasonable expectation of privacy" refers to reasonable assumptions about when someone will be able to maintain privacy. See my Four Models paper for more.
7.20.2007 10:17am
cirby (mail):
Seems like the simple way to resolve these questions is to flip them.

How would a government agency react if a citizen used the same techniques on a government-owned computer?

If there would be no reaction, then no harm, no foul.

But if the actual government response is a felony charge for hacking, then I'd have to come down against the tactic - and you know that the things described above would send most FBI agents into a fit...
7.20.2007 10:22am
RainerK:
I realise that the cases mentioned regard electronic communication. I wonder if person-to-person communication is treated the same? There was recently a development in my state (WV) where legislators practically fell over themselves to ensure that one party consent suffices to admit result of monitoring (e.g. wiring an informant and sending him into a home) as evidence.
The rationale was the usual "conterband does not enjoy privacy protection." Concerns were dealt with by the usual "if you do no wrong, you have nothing to fear."
However, do we all know at all times what actually IS wrong? Do the magistrates always use due diligence when asked ti sign a search warrant?
7.20.2007 10:34am
Justin (mail):
Cirby,

for a variety of reason, such a test goes even too far for me. There are legitimate information that one can glean off of a private citizen that has no realistic chance of hurting his privacy rights -i.e., those cases where a (more or less) innocent person TRULY has nothing to fear.*

The better test is whether the information has the potential to divulge anything that one would normally expect to remain private. Surely "what websites one goes to" fits under this category, and thus the Fourth Amendment should apply in the first instance, absent any of the typical exceptions.

*Note: I am against the "general guilt" concept of the fourth amendment. In my view, the fourth amendment is an important protection against the federal government targeting disfavored individuals for prosecution. In a day and age where we expect even our elected officials' ability to abide the law to be less than perfect, we must give some protection to the (majority/entirety) of the people who are not "truly" innocent - expecting probable cause for a particular crime is one way such protection occurs, even if it can be random in its application.
7.20.2007 11:15am
Jim at FSU (mail):
I have to admit I don't like the idea of the government, with its trillions of dollars worth of resources, investing in research to develop and exploit computer vulnerabilities.

Once they have the ability to execute arbitrary code on your computer without your knowledge or consent, the extent of their data gathering is really only limited by their goodwill. I also worry that this software, like anything else valuable, will inevitably get turned over to criminal parties.

I was under the impression that such intrusions were a crime regardless of who did them. At the very least such activity should require a warrant.
7.20.2007 11:24am
Jim at FSU (mail):
Ok, I spoke too soon. I looked at the affidavit and I think they may have been using a very primitive mechanism to harvest the IP address and info from the computer. If I am correct, what they did is far less than an intrusion and their request for an ordinary warrant was entirely sufficient, even for a civil libertarian such as myself.

It is possible they may have just used what is called a "web bug"- a tiny transparent image stored on an FBI computer and then used http handshaking info to gather as much information about his computer/browser/OS as it could. This is actually a decently large amount of information and certainly enough to find where the connecting user is located. Rather than "collecting the IP addresses of every computer HE connects to" it appears to collect the IP addresses of every computer that connects to the FBI server.

And obviously, this would not be an intrusion of any sort. Web-based advertising and email spamming companies have been doing similar things for years now.
7.20.2007 11:38am
Michael Edward McNeil (mail) (www):
According to this article in Wired : “In a case decided earlier this month by the 9th U.S. Circuit Court of Appeals, federal agents used spyware with a keystroke logger to record the typing of a suspect who used encryption to scramble his communications.”

I’m not sure exactly which case they’re referring to, but as a consequence of the foregoing it would not be possible (assuming good encryption was being employed) for the government to “get the ISP to do the monitoring” — as all the ISP would see is encrypted data too.
7.20.2007 11:53am
Oren (mail):

Oren,

1) An ISPs role is context-dependent, just like a telephone company's. They are the recipient of some nformation and a courier for other information.

2) I understand that you feel that the word "device" should be limited to mean a physical device. I disagree; I think "device" is a more general term for a tool, which can mean a physical device containing software or just software.

3) It's a mistake to think that the phrase "reasonable expectation of privacy" refers to reasonable assumptions about when someone will be able to maintain privacy. See my Four Models paper for more.


(1) Let me rephrase more precisely. The data being sent can be cleanly divided into two categories: substance and routing information. The former is only intended for the recipient (the computer to whom the packet is addressed) whereas the latter is intended for everyone to inspect and act appropriately. A postcard would be a good analogy - there is a message and an address.

Email is a lot trickier and could be compared to a bank vault - the bank has unlimited access to all the boxes in the vault but, in practice, does not actually inspect their contents. See (3) for my thoughts on that:

(2) If you want to adopt that language, when you first introduce a device, you must specify whether it is physical or virtual. The distinction is important because the former involves a government agent breaking into a suspect's house - an act with I thought brings about additional constitutional scrutiny.

(3) I read your paper and, to be honest, it decreased my respect for constitutional law considerably. It seems that there is no way for a layperson (hell, even a lawyer) to look at a new technology and determine what is and is not protected. I (think I) understand the theoretical reasons for the bifurcated (quadfurcated?) approach but there is a high cost to be paid in societal uncertainty - a cost that increases as the pace of technological evolution increases.

That said, the contents of emails (and the content of safe deposit boxes) pass two of the four tests with certainty: probabilistic and private-facts. The headers of emails, OTOH, can be said to meet both, either or none, depending on whether you parse a computer's actions literally or abstractly.
7.20.2007 12:02pm
John Armstrong (mail) (www):
sorry if these ideas are hard to follow


No, no! They're very clear, at least to me.

What makes these sorts of arguments difficult is all the people trying to set law and policy with no idea of how computers and the internet work (vis. Ted Stevens). For someone who knows what's going on under the hood, your ideas always sound like you have at least some inkling yourself, and they make perfect sense. I might not be an expert on the law, but you get your analogies right.
7.20.2007 12:29pm
Grant Gould (mail):
This does raise the fascinating question of whether, if you clean such spyware off of your computer, you have committed some sort of crime (obstruction of justice, perhaps?). Presumably it is illegal to remove a government wiretap from your phone; is it similarly illegal to remove government spyware from your PC? If so, is it illegal to run a spyware-removal program that doesn't exempt government spyware? Is it illegal to write, distribute, sell, or import such a program?

This just seems to raise question after question...
7.20.2007 12:37pm
Anderson (mail) (www):
Presumably it is illegal to remove a government wiretap from your phone

Why? If I find a tap on my phone, how do I know it's from the government, and not from my jealous girlfriend or whatever?
7.20.2007 1:03pm
Oren (mail):

Presumably it is illegal to remove a government wiretap from your phone


I certainly hope this isn't the case.
7.20.2007 1:17pm
Tony Tutins (mail):
I forget my crim pro, but this sounds like the pen register exception (no reasonable expectation of privacy in the numbers you call, because the bank uses those numbers for billing purposes) and the bank account exception (the bank processes your checks, thus knows how much and to whom you pay money). Do we have a reasonable expectation of privacy in the websites we access? Wikipedia knows my IP address, as does volokh.com, I believe. Presumably I'm blasting my network card's MAC address all over the internet as well.
7.20.2007 1:57pm
fffff:
Anyway, sorry if these ideas are hard to follow; I'm working on an article about the third party doctrine and my views are still forming, so some of my comments may seem disjointed.

Oren, this is the Internet: there's no room for anything but your sharpest, best, clearest, most concise writing - especially given the prices we pay to get this blog. Next time, bring your A game.
7.20.2007 2:02pm
Birdman2 (mail):

Could anyone out there answer a couple of basic questions from someone who is a non-expert (as you'll see) in these areas but who has a basic or at least rudimentary understanding of Fourth Amendment law generally? These questions probably are best viewed not as part of, but as forming the underpinning of, the evidently complex issues the post addresses. The questions are not intended to be argumentative (though they may appear to be so). They are genuine questions.

1. Why would a "Title III order," rather than a "traditional search warrant," be necessary to obtain the contents of (for example) e-mails rather than merely the addresses of the e-addreses or sites visited by the target of the investigation?

2. What is a Title III order"?

3. How does such an order differ from a traditioonal search warrant?

4. Why does the law with respect to these issues apparently differ from the law governing telephone wiretaps? I would have thought that a traditional search warrant was all that's necessary to intercept and obtain not only the numbers a targeted individual phones, but also the content of the phone conversations he or she has. Is this wrong?

Any help on these issues would be appreciated.
7.20.2007 2:05pm
Ned Ulbricht (mail):
In the Forrester and Alba case, according to Declan McCullagh, the government filed a November 26, 2002 memorandum.

On pp.10-11 of that memorandum (pp.11-12 in PDF), the government describes its version of the procedures employed under the authority of the pen register trap/trace order for defendant “Alba's Internet Protocol ‘IP’ address (designated in the wiretap pleadings as the ‘Target Acount’).” Specifically, on p.11 (p.12 in PDF), the government relates:
The pen register trap/trace intercept was accomplished through the use of a “mirror port.”


According to Professor Kerr's earlier post, he believes that the Ninth Circuit's opinion in Forrester is reasonably susceptible to two different interpretations:

The first possibility is that the government served the order on the ISP, and that the information was collected at the ISP. [...] The second possibility is that the Court meant what it said literally: the government installed a pen register analogue "on [the defendant's] computer," which seems to suggest some kind of surveillance device actually inside the person's machine.


With all respect to Professor Kerr, I do not believe that the Ninth Circuit's opinion is ambiguous.

It may be that I have a cogitive bias due to my awareness of 18 U.S.C. § 1030. That's possible. But discounting for that potential cognitive bias, when you have to argue that the appellate panel misstated the facts here, there's something wrong with your argument.

Just looking at the memorandum, the government argued one point, apparently in opposition to an argument by the defendant. And here we have the Ninth Circuit finding a set of facts closer to the defendant's position.

Further, the particular techniques used in the pen register trap/trace intercept were essential to the Ninth Circuit's opinion. These were not immaterial facts.
7.20.2007 2:38pm
Sigivald (mail):
I don't think it's illegal for you to remove a government tap from your phone - it's just impossible, since it's not a physical tap on your phone.

Wiretaps aren't bugs, and they're not even going to be on the wiring in your house - if they're physical at all, they'll be in the local Central Office.

(And likely, these days, they'll just be software, set to record the already-digitally-encoded data making up your call (64kbit PCM audio) once it reaches the local office, or copy it to another line with a recording device on it.

Any CO using digital switches will work that way.)

Tony: IP address, probably no expectation of privacy, is my guess.

MAC, doesn't matter, since the MAC address on any packet is that of the device that sent it on that network hop, so your machine's MAC lasts only as far as the first router, such as to your DSL/Cable adapter (unless it's a bridge, in which case it lasts to the first router on the ISP's side).
7.20.2007 3:23pm
Anderson (mail) (www):
it's just impossible, since it's not a physical tap on your phone.

So what did James Bond take out of the handset in the movies? Answer me THAT, smart guy!!!
7.20.2007 3:41pm
Ned Ulbricht (mail):
So what did James Bond take out of the handset in the movies? Answer me THAT, smart guy!!


Smoke.
7.20.2007 4:31pm
Insignificant Dallasite:

(2) If you want to adopt that language, when you first introduce a device, you must specify whether it is physical or virtual. The distinction is important because the former involves a government agent breaking into a suspect's house - an act with I thought brings about additional constitutional scrutiny.


There's no such thing as a virtual computer program. Spyware is as real as anything else, since it exists in the real world, apart from anyone's belief or agreement. It may not be a physical device, but it certainly isn't a virtual one.

And there are both physically intrusive and non-intrusive methods of capturing screen images without using any form of spyware.
7.20.2007 5:32pm
whit:
i think that regardless of all the other legal niceties...

a program (like spyware - govt. or otherwise) that is installed within your computer - iow, it runs within the ram chips on your computer - is a privacy issue of a different sort than a program that monitors whatever packets of information that are streaming from your house out into "the internets".
7.20.2007 6:48pm
Jay Myers:

As a result, I tend to think a warrant is probably needed to install spyware without the ISP's involvement even if non-content information was disclosed (note that a warrant was obtained in the case covered by Wired).

Unless the government tricks someone with legitimate access into installing the spyware directly onto a target's computer then I would think that a warrant is definitely required. The question is when do people give up an expectation to privacy in the internal workings of their computer. Unless they allow free remote access to their system then it seems clear to me that they are not intending to surrender their privacy.

An open window is not the invitation an open door is and coming in via a communication line and installing a monitoring program should be considered no different than reaching through an open apartment* window to operate the computer or install a listening device. By installing your program on the computer's hard drive you are penetrating a physical space that someone legitimately expects to be private. That is the crux of the difference between monitoring the target's information as it is being used by the ISP's computers and compromising the target's computer.

* I specified an apartment window to forestall arguments that the analogy was inapt because officer was already in violation due to being on the target's private property.
7.21.2007 4:48am
OrinKerr:
Ned Ulbricht,

I'm also aware of 18 U.S.C. 1030, but I don't think I follow your argument.
7.21.2007 5:52am
Ned Ulbricht (mail):
Orin,

People who focus their attention on computer law tend to be aware that the Electronic Communications Privacy Act (ECPA) is not the sole source of law concerning computer intrusions. I'd expect that you're also generally aware that California, like most other states, has a public policy regarding unauthorized access to computer systems (Penal Code, Section 502). But, someone who doesn't specialize in computer law, like a Ninth Circuit appellate judge, might be forgiven if it totally slipped their mind that there's been some legislative line-drawing about tampering with other people's computer systems. Three Ninth Circuit judges working together might assume that the ECPA is the only law there is regarding computer intrusions—especially if the ECPA is the only law they were briefed on.

We still have an argument in the court below about what techniques the government agents employed in carrying out the pen register trap/trace order. I don't know exactly how that argument was resolved in the district court. But, the Ninth Circuit summed up the final outcome as an installation "on Alba’s computer." (p.8075)

Then, the opinion disposed of one of the issues raised by defendant Alba on appeal by stating, on p.8086:
We therefore hold that the computer surveillance techniques that Alba challenges are not Fourth Amendment
searches. However, our holding extends only to these particu
lar techniques and does not imply that more intrusive techniques or techniques that reveal more content information are also constitutionally identical to the use of a pen register.


You complained, in your earlier blog posting, that "the opinion does not actually say how the surveillance occurred." I'd agree that the decision does not provide a detailed description of the techniques. But, it does contain a very clear statement of the Ninth Circuit's overall understanding of those techniques. In the Ninth Circuit's understanding, the techniques amounted to installing the "pen register analogue on Alba’s computer."
The Ninth Circuit looked at these techniques carefully, and decided that installing a device on the defendant's computer pursuant to a pen register trap/trace order was A-OK.

The appellate panel had to to look closesly at the techniques in order to pass on their appropriateness under Fourth amendment standards. Now perhaps Judge Fisher, in writing the opinion, made a careless error in summing up the techniques at issue. But two other appellate judges also looked at the techniques closely, decided the case, and presumably read the opinion carefully. All three judges agreed that the government installed the device "on Alba’s computer." That was their unanimous understanding.
7.21.2007 2:54pm
MAJ Arkay:

1. Why would a "Title III order," rather than a "traditional search warrant," be necessary to obtain the contents of (for example) e-mails rather than merely the addresses of the e-addreses or sites visited by the target of the investigation?

2. What is a Title III order"?

3. How does such an order differ from a traditional search warrant?

4. Why does the law with respect to these issues apparently differ from the law governing telephone wiretaps? I would have thought that a traditional search warrant was all that's necessary to intercept and obtain not only the numbers a targeted individual phones, but also the content of the phone conversations he or she has. Is this wrong?



Title III governs law enforcement interception of and access to "wire and oral" (and now electronic) communications in ordinary criminal investigations. The phrase "Title III" is because this section was called that in the 1970-something Public Law on wire and oral communications.

The blog's assertion is incorrect; the warrant affidavit in this case is a Title III request, a "traditional" search warrant request.

The other kind is a Foreign Intelligence Surveillance Act (FISA) warrant, which can only be submitted to the Foreign Intelligence Surveillance Court, not to the court to which this affidavit was submitted.

The Foreign Intelligence Surveillance Act (FISA) (in Title 50, US Code) regulates the U.S. Intelligence Community's collection of "foreign intelligence" and "counterintelligence" information. The FBI is one of the sixteen IC members.

Under the Fourth Amendment, a Title III warrant to intercept a communication must be based on probable cause to believe that a crime has been or is being committed. Surveillance under FISA is permitted based on a reasonable belief that the surveillance target is a foreign power or an agent of a foreign power, irrespective of whether the target is suspected of engaging in criminal activity.

Whether Title III or FISA, the techniques are the same. The purposes are not; therefore, the courts are not.

Hope this clears it up a bit.
7.22.2007 2:46pm
Mary Katherine Day-Petrano (mail):
Oren, -- "Maybe that's pedantic but there are specific physical devices called keyloggers that literally sit between the keyboard and computer and record all the keys pressed."

Just curious. How do keyloggers work when people don't keyboard, but instead use voice recognition?

Another question about the spyware issue. What if spyware that is installed (with/without warrant) overwrites and crashes a disability software, such as Dragon NaturallySpeaking, and the affected person removes the spyware to stop the interference with the auxiliary aids and services to ensure effective communication.

It seems to me, if the surveillance laws came up against Sec. 508 of the Rehabilitiation Act, 1998 amends. or Title II of retaliation provision of the Americans With Disabilities Act, the disability statutes would work either an express repeal or implied repeal on the laws authorizing things like spyware interfering with voice recognition software. There is no "law enforcement" exception written into the ADA or Rehab Act.

When my voice recognition software is interfered with by installation of some other program such as spyware, the next initial startup of the voice recognition fails -- pretty obvious.
7.25.2007 6:46pm