With this post, I'm launching a new, (very) occasional series I'm calling YANAL, for "You Are Not A Lawyer." In this series, I will try to disabuse computer scientists and other technically minded people of some commonly held misconceptions about the law (and the legal system).
I start with something from criminal law. As you probably already know, in the American criminal law system, as in most others, a jury must find a defendant guilty "beyond a reasonable doubt" to convict. "Beyond a reasonable doubt" is a famously high standard, and many guilty people are free today only because the evidence against them does not meet this standard.
When techies think about criminal law, and in particular crimes committed online, they tend to fixate on this legal standard, dreaming up ways people can use technology to inject doubt into the evidence to avoid being convicted. I can't count how many conversations I have had with techies about things like the "open wireless access point defense," the "trojaned computer defense," the "NAT-ted firewall defense," and the "dynamic IP address defense." Many people have talked excitedly to me about tools like TrackMeNot or more exotic methods which promise, at least in part, to inject jail-springing reasonable doubt onto a hard drive or into a network.
People who place stock in these theories and tools are neglecting an important drawback. There is another set of legal standards--the legal standards governing search and seizure--you should worry about long before you ever get to "beyond a reasonable doubt". Omitting a lot of detail, the police, even without going to a judge first, can obtain your name, address, and credit card number from your ISP if they can show the information is relevant to a criminal investigation. They can obtain transaction logs (think Apache or sendmail logs) after convincing a judge the evidence is "relevant and material to an ongoing criminal investigation." If they have probable cause--another famous, but often misunderstood standard--they can read all of your stored email, rifle through your bedroom dresser drawers, and image your hard drive. If they jump through a few other hoops, they can wiretap your telephone. Some of these standards aren't easy to meet, but all of them are well below the "beyond a reasonable doubt" standard for guilt.
So by the time you've had your Perry Mason moment in front of the jurors, somehow convincing them that the fact that you don't enable WiFi authentication means your neighbor could've sent the death threat, your life will have been turned upside down in many ways: The police will have searched your home and seized all of your computers. They will have examined all of the files on your hard drives and read all of the messages in your inboxes. (And if you have a shred of kiddie porn stored anywhere, the alleged death threat will be the least of your worries. I know, I know, the virus on your computer raises doubt that the kiddie porn is yours!) They will have arrested you and possibly incarcerated you pending trial. Guys with guns will have interviewed you and many of your friends, co-workers, and neighbors.
In addition, you will have been assigned an overworked public defender who has no time for far-fetched technological defenses and prefers you take a plea bargain, or you will have paid thousands of dollars to a private attorney who knows less than the public defender about technology, but who is "excited to learn" on your dime. Maybe, maybe, maybe after all of this, your lawyer convinces the judge or the jury. You're free! Congratulations?
The police and prosecutors run into many legal standards, many of which are much easier to satisfy than "beyond a reasonable doubt" and most of which are met long before they see an access point or notice a virus infection. By meeting any of these standards, they can seriously disrupt your life, even if they never end up putting you away.

Can they even read your emails if, let's say, your mail server is in another country? They should not be able to...
I can think offhand of several ways to get around this problem. Law enforcement officials probably have more.
1) Law enforcement treaties between the country where you are and the country where your mail is. A warrant in country A may well operate in country B.
2) If the mail server operator in country B also has a presence in country A, the warrant may be able to force him through his presence in country A to divulge content stored in country B. It may be possible to combine this with #1 in some third country C.
3) The mail server operator simply cooperates and provides the data.
4) The court compels you to provide the data. In some cases, the court can have you imprisoned for refusing to comply, or for tampering with the data.
5) The authorities in country A install snooping hardware on your computer that simply intercepts the data on your computer (post-decryption if you're encrypting data).
Again, law enforcement probably has more tricks; these are just from a few minutes' thought.
3), 4) and 5) seem outrageous.
Frankly, so does 1. I know of no law enforcement treaties which recognize foreign warrants.
Well, this is hardly definitive, but this page from the US State Dept's website says, in reference to Mutual Legal Assistance Treaties the US has with other countries: "The treaties include the power to summon witnesses, to compel the production of documents and other real evidence, to issue search warrants, and to serve process." (bold added by me).
Do remember that other countries may have much lower standards for search and seizure than the US. There's no 4th Amendment protection even in Great Britain, which has the most familiar of legal systems for Americans. Police here can seize data and machines of their own motion and supply the information to overseas law enforcement. (If there is a 'national security' reason they can even censor or falsify information provided for the purposes of foreign legal proceedings.)
Stop thinking that a limited set of arbitrary rules that you have digested will protect you in practical circumstances. There's a cultural problem for geeks that Paul is pointing to here: the law enforcement institutions (even in highly legalistic jurisdictions such as the US states) do not operate like machines. They operate like collections of people. And they move slowly. The rules are often approximately followed and of indeterminate applicability. Experience in their practical use is what counts.
The facts to which the rules apply are usually in dispute, and no one accepts that because you are smart you have a better view of the facts than they do. Especially if that view is to your advantage, even implying that is likely to be disadvantageous. You are arguing with the football team. They have no respect for your smarts.
Indymedia has had this happen twice to them... and in those cases there wasn't even a question of them having done anything wrong.
(4) is unconstitutional. You cannot be compelled to provide, but you cannot tamper with or destroy the evidence either.
(5) is simply a wire-tap warrant. Probable cause is all they need (which means, according to my High School law class, they have around a 40% statistical chance you may have committed the crime in question). Not that hard to get, and not outrageous at all.
(3) is why it is very important to understand the legal protections wherever you have off-shore storage. If it is in a country with a lower standard of privacy, this may be perfectly legal. Non-citizens in the country in question may have lower protection standards than citizens. And if it is on an offshore rig (e.g. Sealand), the protection you have is simply the whim of the operator.
IANAL but I do know of a company that was subpoenaed for emails going back some x number of years in regards to a possible violation of environmental standards. The IT Manager was actually threatened with jail time because the emails desired by the prosecutors were far enough back in time that they had been deleted by the mail management system in place in the company.
IANAL, but I think that IT manager had a lot of hot air breathed on him.
I work for a Big 4 auditing firm where subpoenas for data, especially email, are not all that uncommon. All Auditing, Consulting, etc firms remove their data quickly as part of policy. Usually, everything related to a client is policy to be removed in under a year.
I imagine the only thing they could try to say is that he intentionally deleted it, which would be a no-no. Having a company-wide policy of data retention, and having the system settings to back it up can protect you in this case.
The 5th amendment says you cannot be compelled to testify against yourself. You can still be compelled to turn over any evidence that you possess, such as written records. Handing over a pile of records is not the same thing as testifying. You can also be compelled to testify against another person (just not against yourself), with some very limited exemptions like attorney-client privilege. IANAL but this is how I've always heard it.
In fact, what's even more surprising is that you can be compelled to produce a Diary, or Journal.
This is the first thing you need to realize when YANAL: _ANYTHING YOU WRITE_ can be subpoenaed, which literally means "under penalty" which means, if you don't produce it, you're punished.
Don't write ANYTHING down that you don't want to be used against you.
In the USA it is unconstitutional to force someone to incriminate themselves.
Forcing someone to cough up the key to an encrypted hard drive or the location of a journal that proves their guilt does not fly.
Not yet, anyways.
Not only does it not fly, it has actually been upheld by a judge that a person cannot be forced to give up a drive encryption key because doing so would violate the 5th amendment.
See http://en.wikipedia.org/wiki/United_States_v._Boucher
Maybe it won't fly, but it does run really fast...
But the border guard that asks you to provide your password can simply seize the hardware for examination. AFAIK, they have no limit on when they have to return it.
The appeal in United States v. Boucher was still pending as of October 2008.
I know Customs can look through and even seize anything they want for no reason at all. My main protection is the sheer volume of passengers who pass them every day. (That, and the fact that I'm not trying to smuggle anything.) But if they pick me out, I'd just have to stand there while they rummage through my stuff. They might ask me to say something incriminating, but I know enough to keep my mouth shut even if I have nothing to hide.
Then they discover that my laptop hard drive is encrypted.
Let's say that even though I have nothing illegal I'm perfectly willing to make a stand and sacrifice my laptop on principle. The data on it is fully backed up elsewhere and I can easily afford to buy a new one. So I remain completely silent. What would happen?
(I assume you mean the US.)
That depends completely on the specific situation. Maybe nothing. Maybe they take your laptop and never give it back. Maybe you get it back at some future time. Maybe they feel they have probable cause (for some reason that is both unknown to you and maybe completely wrong) and they will detain you until you produce the decryption key.
Legal precedent on encryption keys is still up in the air. Cases have gone both ways on whether an encryption key is like a physical lock key (e.g. a piece of metal, which you may be compelled to give up) or like the combination for a lock (which you may not be compelled to give up, so long as it does not exist outside your mind). In one lower-court case where some data was protected by an encryption key and that key was passphrase-protected, the ruling was that the passphrase-protected key must be given up, but the passphrase itself could not be compelled. In any event, it will be a few years before legal precedent on encryption keys settles in the US.
I don't know about (4) in criminal cases but I'm in a civil case right now and we (my enemy and I) have compelled each other (and each other's associates) to produce all kinds of things.
In the UK, for example, you can be forced to reveal a password to an encryption system, or face 2 years imprisonment.
Even if you're a US citizen, if you cross a border and the US government has a mutual agreement with that country, the police there can compel you to reveal before they extradite you.
Number 4 is unconstitutional in the U.S. unless they are willing to provide immunity to prosecution for you if you invoke the 5th amendment protections against providing evidence against yourself. They could do that in seeking evidence against a third party or in seeking evidence against you from a third party who has access to your information.
You cannot be compelled to testify against yourself. You can, in fact, be compelled to give some kinds of evidence. The clearest examples of this are DUI cases where you may be compelled to give blood or urine for alcohol and/or drug testing. The Supreme Court made this distinction long ago.
Yes. It is well settled that you can be compelled to grant access to information (like bank account records). To fall under the prohibitions of the 5th Amendment, the Supreme Court has long held that the compelled act must be "testimonial" in nature; and guess what - signing an authorization to release/request information (like bank account records or activity logs) has been held to not be testimonial.
On a related note, none of the Constitutional protections apply in Civil proceedings. In Civil cases, you routinely use discovery to obtain access to all manner of personal/private information for use in the lawsuit (wider dissemination can be, and usually is, prevented through the use of Protective Orders). But, in most cases, Protective Orders do not prevent a party to a civil suit from passing evidence of a crime to law enforcement. Also, if there is no preexisting relationship between the private party and law-enforcement, the government can sometimes obtain Party B's information by requesting it from Party A - and thereby avoid any Constitutional arguments by Party B.
This thread emphasizes the critical role that prosecutorial discretion plays in our society and why, as a result, privacy DOES matter (even to those who never commit crimes).
Just a quick FYI... there are some Constitutional protections that apply in Civil proceedings. The biggest one being the 7th amendment, dealing with a right to a jury in a civil proceeding. It's true the 7th hasn't been incorporated against the states, and thus you may not have a federally protected right to a jury trial if the proceeding is in a state court, but it's always protected in federal court. Just remember, under civil rules of procedure you have to explicitly request a jury trial otherwise the judge will serve as the finder of fact.
The other big constitutional protection that applies in civil cases is the seldom cited 13th amendment, which prohibits involuntary servitude unless convicted of a crime. Which is one of many reasons why it is darn near impossible to get specific performance as a remedy to contract breach.
Citation needed. To the best of my knowledge, no you cannot be compelled to give blood or urine for drug/alcohol testing. However, almost every state has laws in place that if you refuse you lose your privilege to drive.
The case you are referring to, Schmerber v. California, 384 U.S. 757 (1966), does indeed allow the withdrawal of blood or urine, unless you physically resist. Simply saying you refuse doesn't cut it. Also, this is not about compelling you to give up evidence, such as the location of your diary.
This is about the right of law enforcement to "take" the evidence by a physical means. The courts cannot force you to "communicate" the location of your diary. Thus while they can "take" any evidence they need, you cannot be forced to divulge that information via "communication". That distinction is clearly made in the above stated SCOTUS ruling. So the SCOTUS said they can take it, not that you can be compelled to give it. It's a very important distinction.
There, fixed that for you.
As has been long established, the judge can hold a person in jail "in contempt of the court" indefinitely, without having to charge the person with any crime, even.
There was a recent expose of a list of people having been held in jails for months and in excess of a year, because they wouldn't cooperate with the court.
Yes, a judge can hold you in contempt, but that can be challenged, although I don't know what impact there is on a judge who abuses this power. If a judge holds you in contempt for enforcing your constitutional rights, it can (see endnote) be overturned by another court. There is clear SCOTUS precedent that you cannot be forced to give up your personal papers and effects. They can be taken with a warrant, but if you've done an excellent job of hiding them and no one can find them you cannot be compelled to divulge them. In other words if you're successful in hiding the proof of your criminal activities and no other proof can be discovered you get to go free.
[endnote] I say can, and not will as I am a pessimist when it comes to modern US courts and I have no faith that any court will uphold any Constitutional guarantee of any citizen save: one from a rich and powerful family, fellow judge/lawyer, or politician.
P.S. to webmaster
It would be nice to have an option here to post anonymously, while logged in. Not that I'm paranoid about everything I ever say on the internet being hauled into court to be used against me on some trumped up charge. I just prefer my political speech to be anonymous. Yes, I'm an anonymous coward and damn proud of it. Coming from a family with one of the original anonymous cowards, well at least until he signed the Declaration of Independence (which you'll note they never sent, but preserved and probably kept hidden).
Every single bit in this and all of your transmissions is recorded by the NSA and or its international affiliates. Fact. Storage duration is unknowable.
What can the NSA do with the information? The second they were to use it for anything overt, their secret would be out. Yeah, you can construct scenarios where it still matters, but they are rather roundabout.
The primary thing people need to worry about is legal surveillance and legal data gathering, because information that has been gathered legally can be used to mislead a jury, embarrass, intimidate, and blackmail you even if you haven't done anything wrong.
The NSA isn't allowed to do that, because that would violate the 4th amendment. Fact.
Nobody else can do it for them because, amazingly enough, it's not legal to get someone else to do something illegal for you. Fact.
And, besides, why the hell would NSA _want_ to store every bit of this transmission? There's nothing at all interesting in it. Nobody gives a fuck about your emails, unless you're a terrorist or a Russian spy or something, and even in that case they have to get a warrant before they can start targeting a single bit of your transmissions.
Grow up and lay off the tinfoil. Really, you aren't that important and nobody is out to get you.
So freaking true
1) There are no laws against U.S. intelligence gathering in other countries... in particular electronic signals.
2) There are already agreements to share intelligence between various countries to bypass individual country restrictions to collect internal 'intelligence'.
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPO...
3) The technology behind Echelon is highly classified, but, to give a sense of what it is likely capable of, in World War II the U.S. was able to collect nearly all electronic signals sent across the globe. (See the above EU report ... pg 59) (See also http://nasaa-home.org/history/his5.htm). These are wireless signals, but any wired system is also vulnerable to interception (see http://www.military.com/Content/MoreContent?ESRC=navy-a.nl&file=FL_seala... discussing tapping of undersea phone lines) (unless we get Quantum communications, but that is beyond the scope of this).
4) Your point about the NSA not being interested in any of us is very true. That is the only security we have ... blend in and be quiet. Why would the U.S. Government spend time and money to pick me up, detain me and question me? At this point I am not worth the energy. And I think that *may* be the same reason that all information isn't stored either. 99.9999% of it would be noise. If there is a use for it I suspect it is being stored.
- I don't know what the balance is between personal liberty/privacy and the government's need to monitor communications for threats. I do worry, perhaps needlessly, perhaps not, that the basic foundations of the constitution, such as the right against self-incrimination, the right to liberty, and oversight of this intelligence gathering is such that the balance has tipped heavily in favor of the government.
This may be what is necessary in the modern world, but I am not convinced of that fact.
The mere fact the NSA is being mentioned along with the name of their surveillance program probably makes this page and those who post to it, "interesting", or at least more interesting than half of the pages out there.
"Just because you're Paranoid doesn't mean they're not out to get you."
Somebody hasn't been paying attention to the news. The NSA has been violating the 4th Amendment since before 9/11. The latest revelation is that they specifically targeted journalists.
It's not a "conspiracy theory" when it's been reported as fact all over the mainstream media.
Since when has "mainstream media" been any kind of credible? I thought that was why places like slashdot and cnet existed.
If Fox News told me the NSA was spying on me and had been my whole life, I would laugh at them. Well, at the TV anyway.
"The latest revelation is that they specifically targeted journalists."
and
"It's not a "conspiracy theory" when it's been reported as fact all over the mainstream media."
So, in order to enhance their own credibility, why not say that they are the ones being targeted? Seriously...Government agencies have bigger fish to fry than worrying about every little bit of e-mail traffic. There is not as much intervention as the paranoid citizens of this country would like you to think. This whole conversation is going into a legal debate about what is and isn't a violation of this law or that amendment...what's the title of the article?
Please pick up your crayons, STFU, and go sit in the corner. As someone already said..."You are not that important." Get over yourself.
Disclaimer, I work at an ISP.
No, the NSA does not store every *bit* of data you send. They do store all of your meta-data. Just like we do.
For example, they will most likely store all of the URL's you type into a web browser, but not the content of the page itself.
Much of the data we store for technical reasons, and it would rarely if ever be looked at by a human. In many cases we are required by law to store certain types of data.
Some types of data that IS stored by your ISP, and I'm certain by the NSA as well:
- All DNS lookup requests.
- All IP address records, and associated MAC addresses.
- All header information on emails. Most of the time the actual body & attachments are only cached on a short term basis.
- Almost all of your traffic is also logged, for example pretty much all TCP header info.
- Use of things like Sandvine allow us to do DPI to perform additional logging of extra data when certain conditions are met. (for example, any traffic to/from a known child porn site will be fully logged & flagged).
- All of the above are also tied to your cable/dsl modem's MAC & account info.
The lesson to learn from this is that the tinfoil hat types are really only wrong in that they think we are watching them specifically. We're not. We don't really watch anybody directly unless we get law enforcement interest, someone reports abuse, or you're doing something that's messing up our traffic/network.
Those people who are singled out for observation for whatever reason, do indeed have ALL their traffic fully logged.
As for the legality, as the title of the blog indicates I don't deal with the legal aspect. But the suits sum it up for us techies as "The simple version is that it's our network & we can log whatever we want to."
As for the NSA, they might not be able to do this within the US itself, but all traffic which leaves or enters the country is fair game for full monitoring 24/7.
And no, we don't provide info directly to law enforcement. If they want it, they have to come get it with the proper paperwork. There are some things we will report to them if it gets found during routine troubleshooting or if someone complains & we investigate.
You really need to provide more information. Other public news sources suggest otherwise. For instance I can't find any US law on everybody scale data retention. Data retention is pretty much limited to government requests and they last only 90 days (at least initially/default). It in no way suggests data retention / logging of all users. If this information is logged are you suggesting it is logged indefinitely-or discarded after a short amount of time (days/weeks/a few or several months)?
On the other hand Europe does have data retention required by law. If ISPs in the US are doing this it really should be made public knowledge. Unlike data retention, flagging is even worse than just retaining data for one good reason. It means that monitoring IS occurring. I believe I've heard about projects that snoop on users' surfing in the US to spot child pornography. I believe that was in response to demands by certain people to "think of the children". It is definitely not law. If it is happening though the public should be informed of it. Even if the monitoring is limited and the masses are not affected, these practices should be stopped. If you can justify it for one group there is no reason you can't justify and extend it. It's just like the DNA situation. It started with only the very worst offenders and now many countries are tracking everybody who enters the system. It's getting worse too though. There are now plans to not only track those who enter the system- but anybody who is arrested- even if they are found NOT GUILTY.
The people in the US have a constitutional right to make associations. This is freedom of association. The US also has essentially not recognized this right for those who would have a use for exercising such rights. I'm mainly referring to ex-cons. These are the people who would need such protections to get the laws changed. Presumably if you are knowingly and intentionally committing a crime you probably believe such laws are unconscionable or have little choice in the matter. You need to be able to organize against the laws you consider unjust. Pretty difficult to do if the law doesn't recognize such rights.
Oh this gets into a fun area of the law. And one the courts, and companies holding the data, have studiously avoided.
Are DNS requests private data? Or are they business records? What is the retention time if the information is not immediately personally identifiable?
Example. A company HAS to keep records about invoices and what not for the IRS. Credit card numbers, what was bought, etc. That will be held as long as the company wants to. This is personally identifiable and is necessary for tax rules at a minimum.
Example 2: Credit History information... that is tracked and kept, at a minimum, for 10 years. The information supporting that information is likely also kept for a minimum of 10 years.
Computer Stuff: A company keeps IP traffic and header and what not, perhaps, for performance improvement and historical trending. I highly doubt a company would be prohibited from collecting this information. That same information, with little effort, could be used to build personally identifiable information.
There are some limitations on keeping *search* records, and I am too lazy to research all the current law, but you might look at: http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1716
The NSA isn't allowed to do that, because that would violate the 4th amendment.
Fact.
Nobody else can do it for them because, amazingly enough, it's not legal to get someone else to do something illegal for you.
Fact.
The Office of Legal Counsel provided legal opinions purporting to legalize torture. The "Principals Meeting" of the National Security Council approved the torture of individual detainees by the CIA. The agency went ahead and tortured. Was it legal? No. Was it done? Hell yes. Will any of the perpetrators face criminal sanctions in this country? Probably not.
Just because it's illegal doesn't mean it's not being done. It doesn't even imply it's rare.
Please. Have you been paying attention? Your faith in the government is misplaced. Google "warrantless wiretapping". Here, I'll do it for you.
Result 1:
http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy
You lose. We all lose.
This is the legal version of that now famous xkcd cartoon.
To turn your argument on its side, this is a good reason not to run an open wireless access point. While you may win out in court after your neighbor does something illegal on your connection, in the intervening months and possibly years, the social and monetary costs to you may be quite high.
One of the strongest arguments you can make against torture (at least to those unresponsive to arguments based on basic human decency and morality) is that it produces unreliable evidence. Anyone will say anything to make the torture stop. (Bush probably knew that but he didn't care; a made-up terrorist plot was as good as a real one when it came to crowing to the public that they'd stopped another one.)
But what about lead-pipe cryptography? I can tell right away if he gives me the right key, so I just keep beating him until he does. If he dies, then he probably didn't know it anyway. So what's wrong with torturing somebody for a crypto key?
oops, I meant "lead pipe CRYPTANALYSIS"...
This post paraphrased: Don't do anything to attract the attention of the police, they have the authority to destroy your life with the tiniest shred of suspicion. Your rights do not apply.
War is peace
Freedom is slavery
Ignorance is strength
This is a fair critique, but remember, I'm assuming a crime has actually been committed. The "life ruining" doesn't really start until the police have followed a few steps that lead to your computer, email account, and home. So, no, the "tiniest shred of suspicion" won't lead to the parade of horribles I describe, but "probable cause" will.
It's not the police that you should really worry about - it's the media - they don't have to get warrants from judges they just print whatever they like.
Plus - for certain types of "offences" they have their own enforcers - in the form of vigilantes - who will murder you first and ask questions afterwards.
The police are tame by comparison.
Having dealt first hand with an 'issue' with both the police and the media I have to say the media treated me far worse than the police. They made up stuff. They trashed my reputation. And then, a year later, when the 'issue' hadn't been completely resolved, a new editor decided to make his mark by browbeating the police into a further investigation, dragging my family's name through front page headlines all over again. Of course, the police didn't turn up anything else. The police did their job competently and mostly professionally (Well, the detective assigned to the case had an affair with the police chief and they embargoed my bank account illegally--fixed by a call from my lawyer), and when it was obvious what happened, they left me alone. I was never charged with any crime, but you wouldn't know it by reading the paper.
You should investigate whether the newspaper can be sued for libel. Quite a few people have been successful at bringing suit against journalists who misrepresented guilt.
For example, a person is never "arrested for" a crime. Instead, (s)he is "arrested in suspicion of" a crime. The former might be understood to imply guilt.
I'm not a lawyer, so don't take this advice literally. But you might want to talk to your lawyer about whether any of the media committed libel in this case.
It's better to be discreet and private enough to not get caught than it is to trust your freedom to 12 people who were too stupid to get out of jury duty.
Because convincing those 12 stupid people that you're innocent will probably ruin your life.
That's a moronic statement. I welcome jury duty as a chance to serve and a chance to learn. If you don't get that, it is you who are the stupid one.