March 19, 2024

Being Acquitted Versus Being Searched (YANAL)

With this post, I’m launching a new, (very) occasional series I’m calling YANAL, for “You Are Not A Lawyer.” In this series, I will try to disabuse computer scientists and other technically minded people of some commonly held misconceptions about the law (and the legal system).

I start with something from criminal law. As you probably already know, in the American criminal law system, as in most others, a jury must find a defendant guilty “beyond a reasonable doubt” to convict. “Beyond a reasonable doubt” is a famously high standard, and many guilty people are free today only because the evidence against them does not meet this standard.

When techies think about criminal law, and in particular crimes committed online, they tend to fixate on this legal standard, dreaming up ways people can use technology to inject doubt into the evidence to avoid being convicted. I can’t count how many conversations I have had with techies about things like the “open wireless access point defense,” the “trojaned computer defense,” the “NAT-ted firewall defense,” and the “dynamic IP address defense.” Many people have talked excitedly to me about tools like TrackMeNot or more exotic methods which promise, at least in part, to inject jail-springing reasonable doubt onto a hard drive or into a network.

People who place stock in these theories and tools are neglecting an important drawback. There are another set of legal standards–the legal standards governing search and seizure–you should worry about long before you ever get to “beyond a reasonable doubt”. Omitting a lot of detail, the police, even without going to a judge first, can obtain your name, address, and credit card number from your ISP if they can show the information is relevant to a criminal investigation. They can obtain transaction logs (think apache or sendmail logs) after convincing a judge the evidence is “relevant and material to an ongoing criminal investigation.” If they have probable cause–another famous, but often misunderstood standard–they can read all of your stored email, rifle through your bedroom dresser drawers, and image your hard drive. If they jump through a few other hoops, they can wiretap your telephone. Some of these standards aren’t easy to meet, but all of them are well below the “beyond a reasonable doubt” standard for guilt.

So by the time you’ve had your Perry Mason moment in front of the jurors, somehow convincing them that the fact that you don’t enable WiFi authentication means your neighbor could’ve sent the death threat, your life will have been turned upside down in many ways: The police will have searched your home and seized all of your computers. They will have examined all of the files on your hard drives and read all of the messages in your inboxes. (And if you have a shred of kiddie porn stored anywhere, the alleged death threat will be the least of your worries. I know, I know, the virus on your computer raises doubt that the kiddie porn is yours!) They will have arrested you and possibly incarcerated you pending trial. Guys with guns will have interviewed you and many of your friends, co-workers, and neighbors.

In addition, you will have been assigned an overworked public defender who has no time for far-fetched technological defenses and prefers you take a plea bargain, or you will have paid thousands of dollars to a private attorney who knows less than the public defender about technology, but who is “excited to learn” on your dime. Maybe, maybe, maybe after all of this, your lawyer convinces the judge or the jury. You’re free! Congratulations?

The police and prosecutors run into many legal standards, many of which are much easier to satisfy than “beyond a reasonable doubt” and most of which are met long before they see an access point or notice a virus infection. By meeting any of these standards, they can seriously disrupt your life, even if they never end up putting you away.

Comments

  1. >I’m launching a new, (very) occasional series I’m calling YANAL, for “You Are Not A Lawyer.”

    Yes, more like this please. Patents and libel seem ripe for YANAL discussion.

  2. Village Idiot says

    Quote: “It’s better to be discrete and private enough to not get caught than it is to trust your freedom to 12 people who were too stupid to get out of jury duty.”

    Jury duty is the last place to defend your (or more accurately someone else’s) rights.

    Finding someone Not Guilty by reason of believing the law to be unjust is perfectly fine no matter what the judge says or evidence presented indicates. If juries were forced to issue certain verdicts in certain situations (or in light of certain evidence) then there would be no point in having juries unless it’s all for show. So although juries are often composed of people who have no clue about the subject that they’re asked to decide a major question about, it can work both ways. Too bad that’s a function of basic education, and oddly enough public schools teach very little law, if any, yet “ignorance of the law is no excuse.”

    I remember reading about the the 4th and 5th Amendments in graduate school (joking); it’d be great if State and Federal lawmakers remembered they exist (not joking).

    Consider these troubling trends:
    Ohio: Law Would Allow Forced Blood Draws by Police: Ohio legislature votes to allow police to make forced, warrantless blood draws from anyone accused of DUI (http://www.thenewspaper.com/news/24/2443.asp)

    New Jersey Court Upholds Extreme Force in DUI Blood Draws:
    New Jersey appellate court upholds the use of extreme force in taking blood samples from motorists accused of DUI. (http://www.thenewspaper.com/news/20/2035.asp)

    It’s going on in Texas as well, but the Minnesota Court of Appeals ruled that police may not, without a warrant, use force to take blood from a motorist suspected of DUI. Ah, but DUI is so evil and horrible and stuff, so it’s ok. Online, it’s kiddie porn that we sacrifice our rights for.

    I saw one simplistic trollish comment stating “if you can’t do the time, don’t do the crime.” That’s equivalent to “privacy is not an issue if you have nothing to hide” (and both statements always makes me think of my friends’ grandparents who showed me their WWII concentration camp tattoos; their “crime,” being Jewish, was rather arbitrarily defined IMO and I bet they didn’t think they had anything to hide until suddenly they did). Anyway, that’s impressive; usually I see several inane comments like that pop up in threads like this from people who don’t want to be bothered to think about the issue. What if you DIDN’T do the crime, but the police want to make absolutely sure of that fact? Your neighbors (and even the media) might be watching as the police carry boxes of your stuff out of your house, your employer will certainly hear about it, your spouse may no longer trust you, etc. You will be instantly convicted in the court of public opinion… Congratulations, your life is now a mess!

    But you’re a Good Citizen and committed no crime so you were exonerated and did no time, therefore you have nothing to complain about. BTW: The police won’t say ‘sorry’ and buy you a new front door (or computer, or hard drive) if they smash the one you have. It could’ve been worse; at least they didn’t think you were selling smokable dried plant matter and enter with a no-knock warrant (which made you think you were getting robbed) and so were shot full of holes when you reached for your lawfully-owned firearm to defend yourself with, or even if you just reached for your pants. “Oops! Wrong house; we wanted the one next door, our bad.” It’s more common than most people think.

  3. Land of the “free”. 🙂

  4. How do all these factors apply to a civil case, ie. RIAA rather than the kiddie porn and death threat scenarios

  5. Fortunately some countries have valid privacy and human rights laws that prevent unwarranted bullying by the so called I.T. forensics. Unfortunately the facts are that if you are stupid enough to allow a so called I.T. Forensics inspection of your data then it no longer matters whether you are guilty or not. I.T. Forensics is not an exact science. For every non trivial forensics argument there exists a valid counter argument of slightly greater complexity. This is a recursive process with increasing complexity as it goes on. The only question is do you have the cash to afford a worthwhile forensics defense. It’s a shame that I.T. forensics is even allowed in court when in fact the so called evidence derived from these procedures is not even close to circumstantial.
    The facts are: using I.T. forensics it is possible to prove any innocent person guilty of a crime they did not commit. That is unless the accused has the cash to afford a forensics defense in which case its a matter of who runs out of money first.
    The most atrocious violations of a persons legal rights are perhaps those committed using the Internet explorer dat files arguments. These files prove absolutely nothing. If you visit a website which opens a popup on its own these files make no distinction as to whether you as a human visited the popup site or not. It is much worse because hundreds of automated applications use Internet Explorer behind the scenes to access sites that the user never even knew existed. If you open an email from a spammer does not mean that you also visited the spammers website. However that is exactly what these dat files will show. These files mean nothing. Yet time and again we see these dat file arguments used in court as hard evidence.
    If the privacy and human rights laws are inadequate then even tools like DBAN will make no difference. The only real defense is to study I.T. forensics yourself such that you are not dependent on having tons of cash to mount a defense.
    Legal cases were never supposed to be determined by who has the deeper pockets. However this is exactly what I.T. forensics does to the legal system.

  6. This is brilliant! Are you taking suggestions for more YANAL posts? I have my own laundry list of things my geek clients try to handle on their own with varying degrees of success, from DMCA to ICANN to licensing to Work-Made-For-Hire. You could probably write a book!

  7. Most of the commentary after the article misses the essential point that the author is *really* trying to make: YOU ARE NOT A LAWYER, quit pretending you know a damn thing about the law.

    One more comment from an internet nerd about what he “recalls” and I’ll jump off a bridge.

  8. the law may be a rigorous exercise in detail but to what point ? do you have something to hide? check your paranoia at the door! the law is a matter of INTENT if you have in the deepest corner of your soul to be dishonest, it then has no place to hide. A judge or a jury can conceivably see through all the crap that’s thrown at you as evidence.

    Hidden fact: ignorance of the law is no excuse, stupidity begets stupidity there isn’t a lawyer in the game that wont cross examine you with ” have you ever told a lie?” if you say yes then your a liar if you say no, i believe its obvious you can bet the cross examination will go deeper until you are broken down to yes or no questions of your moral fabric. a jury will see through the deception as any human can. if that’s their focus.

    there again: if your intent was not deceptive but straightforward it can only be brought to bare based on focus, and the reality is if your will is base on your humbleness with the court the reasonable doubt is brought to bare.

    for the techies the issue is: well what about the evidence? and there again in the freedom to tinker as long as your intent was to learn and not to deceive, defraud, devolve, or destroy and the evidence doesn’t show the sign of intent to do so, it cannot be brought to bear as evidence for or against you, so it has to be in the “act of doing so”. where the research of intent is done by surveillance.

    oh and for the tin hats the NSA has just recently installed snort in many mid fabric environments aka class 1 switching environments although they don’t store forever your information they can pull one strand or many back for weeks in the path down the line..nothing (packetwise) is sacred, just a matter of judicial weight. just my two cents.

    PS Echelon was obsolete the day it was installed

  9. Pray tell, why do the police need access to our credit card number from the ISP? What kind of evidence is this going to furnish them with? Is this simply for “name-to-ID” mapping, or is this some spurious clause weaseled into some idiot law somehow?

  10. It really doesn’ t matter ‘if’ you win in court. Up untill that time, all it takes are jack booted thugs to make your life a living hell.

    Of course, and ounce of prevention is worth a pound of cure, as it’s been said through out history.

    I’m sure it’s not a legal doctrine, but there’s there is always CYA (Cover Your Ass) as something to live by. All the police officers, lawyers, judges, etc… are very well versed in the use of the CYA doctrine. CYA, close that open access point. CYA, make sure your machines are clean of viruses. CYA, if you are working on a machine, and your work reveals kiddy porn, fraud, or other illegal activities (no, don’t go out of your way to find it), stop immediately and report it (if the person is later arrested, they could blame it on you).

    Just because you have done nothing wrong doesn’t mean that any accusing agency will let you go before you are cleared at a trial

  11. I found this post to be pretty uninformative. Its subject is reasonable doubt, but it says nothing about the actual validity of any of the defense ideas mentioned with respect to reasonable doubt. Instead it goes off track and discusses search and seizure…except it doesn’t even say what those legal standards are, so no information is conveyed except “the police have a lot of power which they often use on suspects” which presumably we all know already.

  12. Legislate against “the legal standards governing search and seizure” and get done with it. It’s America. It is easy to do. Just bribe enough already corrupt politicians(you can choose anyone you want. They are all corrupt by definition) and pass the appropriate laws.

  13. The police can fuck your life up whether you’re guilty or not.

  14. I was confused by the article until I realized the author was trying to say “you’re life is already down the craper the moment the police become interested”.

    Yet I think techies are even more aware of this than most people so I still find the purpose of this article confusing?

  15. (from an other jurisdiction, but may be applicable) You can refuse to produce evidence in a civil case that may open you up to criminal sanctions, but – in simple terms – it would mean that on that issue the opposing view would be accepted.

  16. some people have missed this about that – http://www.latimes.com/news/printedition/asection/la-na-supreme-court-police15-2009jan15,0,6755954.story

    “The high court rules in a 5-4 opinion that evidence from an illegal search can be used if an officer makes an innocent mistake.”

    more info – http://www.wtop.com/?nid=343&sid=1573523

    how long before “innocent mistake” is part of the training?

  17. man from mars says

    The reliance on the reasonable doubt standard, although very common among lay people, is misplaced. Two distinct legal trends have substantially weakened any protection to defendants the reasonable doubt standard once provided.

    First, there is no accepted legal definition of “reasonable doubt.” A judge will not instruct the jury that reasonable doubt means “more than 99.9%” or even “more than 99%.” Nor will the judge any longer instruct juries that the reasonable doubt standard means a “moral certainty” of the defendant’s guilt. Juries are given no useful definitions of the term “reasonable doubt” and in consequence juries routinely convict if they think it is “reasonable” or “reasonably likely” that the defendant is guilty.

    Second, juries generally are poorly educated, innumerate, and technologically illiterate. The average juror will have had a seventh grade education, and will be completely unable to understand the merits or lack thereof of any technological argument. Juries, except in very extreme cases, decide cases like a seventh-grader would: on the basis of the likability and looks of the defendant, the victim, the attorneys, and the witnesses. They do not objectively analyze data in the way a scientist might: they decide whom they like, and thus whom they believe.

    It is irrelevant whether evidence has been presented that shows the defendant is guilty beyond a reasonable doubt. It is only relevant whether the jury convicts (judges almost never overrule a jury’s verdict). And the jury will not acquit or convict based on an objective view of the evidence, but based on likability.

  18. Move to Canada

  19. I love this line, “… you will have been assigned an overworked public defender who has no time …” excellent posting

  20. I worked for a web email company. The police frequently showed up at my office looking for details on this account or that account. Child porn investigations I went out of my way to provide them with any and all info they requested. Other stuff, it was pretty much what they asked for. If they presented a warrant, fine I’d package it up nicely so they would give a USB drive and copy whatever they wanted. Our TOS gave that any requests from law enforcement would be honoured.

    Most companies and their employees do not care about joe user’s rights. They want to do what is the “right thing to do”. In our case it was providing the info to the police. In some cases the info we provided was used to arrest and obtain convictions on pedophiles who were abusing children and peddling photos of their acts. I don’t feel sorry for cooperating with the police.

    PS most of the requests came through the american police to the RCMP and from there to me.

  21. Under the War Powers Act, you can be imprisoned, searched, seized and everything else without probable cause and considering that the US has been under the WPA since 1990, all of this is trivial.

    The WPA null-voids the Constitution.

    Protect your rights – buy a firearm.

  22. nice rant dude.

  23. I like the YANAL concept, sort of a virtual splish of cold water for amateur lawyers, who seem to have not much to do in their spare time now that Ron Paul has been kicked to the curb.

  24. I have the answer,

    Don’t do it, if you can’t do the time don’t do the crime.

    • Anonymous says

      After all, every real criminal need a patsy… looks like you’re it.

      Pity you put your computer in for repair at that slightly cheaper repair shop. Pity you didn’t keep your virus and firewall settings up to date. Sorry but they guy accessing your wireless router knew a bit more about WEP than you did.

      etc.

      etc.

      etc.

      But don’t worry, when you tell the cops that you don’t know anything about it, they will have heard that one before 😉

  25. You know that was the whole point of techies even bringing up the topic right? It’s because IPs ARE NOT ALWAYS RELIABLE. SOMEONE’S LIFE COULD BE TURNED UPSIDE DOWN! Tracking IPs is becoming more popular. That means IP spoofing is going to get even more popular. That will make IP numbers even less reliable. So busting in on someone’s house with guns and a warrant based on just an IP is unacceptable. If you got something else then maybe, but if that’s all you got then you don’t have anything. The investigation should be immediately stopped before someone’s life gets ruined. So, your point is basically that since we do it wrong now we should keep doing it wrong? Um…..Right.

    Please, the “techies” if you will have already known this for years. Please try to keep up with us on this. I know we move fast, but come on. You don’t think it can happen? You want to know what this looks like in real life?
    http://www.wired.com/politics/law/news/2008/02/blind_hacker
    That was phones. You think it can’t be done with IPs too?

    • David Nieporent says

      The government does not need to prove its case in order to search your house. A search is part of an investigation. The standard for being allowed to investigate you is not certainty.

  26. I am not a lawyer, but I have a relative who is.
    The most valuable information he gave me was, “Keep your damn mouth shut.”
    Another post-er mentioned cops’ general experience with not-so-clever people being clever. Not many people can keep a lie consistent.
    Close up your APs.
    Close your mouth.

  27. Another technique that hasn’t been mentioned is civil forfeiture proceedings. Most jurisdictions have civil forfeiture proceedings for certain kinds of crimes such as drugs or prostitution. These statutes reach the “instrumentalities” of the crime. If you supposedly committed the crime at home using a home Internet connection, your home and computer can be seized if allowed by statute. As noted, constitutional protections don’t apply in civil court. You also face a much lower “preponderance” standard and you don’t get court-appointed counsel. Furthermore, anything you say in civil court can be used against you in criminal court. Double jeopardy does not attach to civil forfeiture so you can have your house taken away and get put in jail for the same conduct in two different cases.

    Here’s how it works. Say you try to buy drugs on craigslist. The police arrest you can seize your home as an instrumentality of the crime. You have to testify to save your house. Remaining silent doesn’t work because it CAN be held against you in forfeiture proceedings. You can’t rely on reasonable doubt because there is no reasonable doubt. In civil court is is merely more likely than not. Don’t speak at your hearing and you lose your house. If you do testify, you may not lose your house. However, anything you said in forfeiture proceedings could provide probably cause for criminal charges.

    This can also work in areas like copyright infringement that have both civil and criminal penalties. Copyright infringement proceedings often start with civil trial initiated by a record company. However, anything that happens at the civil trial can lead to criminal charges.

  28. Most people who have done something illegal are prone to try to convince the police that they have not done what they are accused of. The only way a person, whether guilty or (especially if) innocent, should deal with the police and prosecutors is to immediately exercise their right to remain silent or exercise their 5th amendment right self incrimination. I am not a lawyer, but I think that most lawyers will give you this advice. Cutting off the justice system off at the knees from the very beginning of contact will be the best defense against any future prosecution.

  29. It’s pretty simple:

    1) Never talk to the police for any reason, even if you are 100% certain you have committed no crimes whatsoever.

    2) Always, and I mean always, hire a criminal defense attorney to speak for you.

    3) Make sure your spouse (if you have one) knows they don’t have to speak to the police about you either, ever; they should say nothing about you, even unrelated information. They cannot take away your children, etc., if your spouse goes to live somewhere else and she has been charged with nothing.

    4) If the police come to your door, exit your domicile and lock it behind you before speaking to them, if you are arrested in most places the police can search anything you have immediate access to for things that could be harmful to them. Police have abused this to search entire homes and evidence is almost always upheld to be admissible, this requires no warrant.

    As to the article author, all the things you describe are significantly less horrible and costly than what your wife can do to you if she has a bad day, and without a shred of evidence. So what if the police steal 10 grand worth of hardware? I’ll buy more, it’ll probably pale in comparison to my legal bills anyway. I won’t have to lie to the police because I won’t be saying jack to them in any case. My drives are all encrypted and I can’t freaking remember the password. I’m so darned stressed I can’t recall anything, in fact. I don’t know if they can steal your money so you can’t pay for an attorney or not, providing they don’t, I’ll certainly be paying for one and requesting everything be sealed if possible. This may very well cost me jobs in the future and that will suck, so you certainly have a point there.

    • I agree with all these points a little differently but #4 is would like to expound on. I don’t allow the police into my house even if I originated the complaint.

  30. I did a couple years in an I.T. management position for the state AG’s office. Got to read all the interesting search and seizure manuals. I know the flaws in all the procedures and got to see some boneheaded seizures.

    That said, open WAP’s – how about secured WAP’s. I do pen-testing on a regular basis and you’d be shocked how easy it is to crack WEP and even WPA.

    And a truecrypted hard drive isn’t vulnerable to encase copying.

  31. Make sure to tag your new posts as YANAL

  32. Well Mr. Department of Justice Guy, you certainly did you best to paint America as a banana republic where justice is only available to the highest paying customer.

    No wonder your prisons are filled to the brim with poor people.

  33. As intelligent specialists, the natural tendency or
    fault or SIN is to pride or arrogancy.
    The LOGIC of the law is as similar to the LOGIC
    of SCIENCE or computer engineering as
    Boolean Logic resembles Fuzzy Logic (multi-value).
    Please start another blog. Where lawyers
    think they know science, programming or even
    engineering. Are expert witneses convincing fakes,
    unconvincing TRUTH TELLERS or something else?
    Thank you for you are a GENIUS.

  34. I have no knowledge of US laws – here in the Netherlands however I have no obligation to divulge my passwords to law enforcements.

    A 40 character strong random password plus a hard drive fully encrypted with TrueCrypt will protect you from any unwanted finds. As I am overly paranoid I also have a package at XeroBank VPN (and no it’s not spam). My traffic goes over VPN beyond the reach of my ISP (or any tap), and same is true for my email.

    Anyways, if you know what you are doing there is no need for a lawyer in the first place. Read this and you’ll be up to speed: Border Proofing your Laptop.

  35. He takes a whole blog entry to basically say, “If the police investigate you, life will suck.” and offers very little substance in the process. I came over from slashdot and was hoping for a legal explanation to why the unsecured router defense wouldn’t work? Or similar theories people float around. I suppose I’d have to pay $500/hr for substance.

    • I came from slashdot as well after seeing all the flaming going on there. You guys have missed the point completely.

    • I guess the long answer is that you do need $500/hr the actual time. Mostly because the information is out there, but it take a while to digest.
      http://en.wikipedia.org/wiki/Probable_cause

      The police only need ‘probable cause’ to get a search warrant.

      Does the unsecured router defense work? Maybe before your conviction where you need beyond a reasonable doubt, but not during the investigation. The police only have to have ‘probable cause’.

      Once they suspect something they have the legal authority to get warrants to your house, your computers, and your ISP. And anything else they believe may be related to whatever came through your unsecured router.

      Can you honestly tell me that there is *nothing* on your computer that might look funny to a cop? More investigation.

      How about your computer at work? Maybe you were a bad person there too? The cops can get a court order to look at that. How does your employer feel knowing that you are being investigated? Suddenly you don’t look like the kind of employee they want.

      There is little limit to what can be done. It costs money and the police know that most of the time this is minor stuff and the prosecuting attorney will offer a plea deal fairly quickly. Do you want to fight this for a year? And maybe lose? Possibly sitting in jail awaiting trial if you can’t afford bail?

      While all this is going on you have no computer, you have to go to a friends house to check e-mail … unless the court orders an injunction prohibiting you for accessing the internet.

      How much information are you looking for?

      The simple answer.
      The police only need probable cause to make you life ‘interesting’.

    • David Nieporent says

      Which is that most people think that having a situation where your “life will suck” is a bad thing. Many people mistakenly believe — as you apparently do — that having a “defense” is sufficient. It isn’t Yes, the “unsecured router defense” MIGHT work — if you can convince a jury that it’s reasonable — but relying on winning at trial is like saying, “It doesn’t matter whether I smoke, because if I get cancer I can just treat it with chemo.” The chemo MIGHT work — but your life will suck in the process. Much better to avoid the cancer in the first place.

  36. I don’t know if they are going to go through all the records or not, they could, and you could still hide from them, encryption is your friend but..

    Best advice?

    Do yourself a favor and DO NOT TALK to police officers! Do not talk about ANY crime you may have ever committed with another sole on planet earth.

  37. More to your point, the likely danger for the vast majority of those who commit the crime you suggest is not criminal liability (and its reasonable doubt standard) at all. State and federal governments generally lack the resources to prosecute these cases absent a tie-in with another priority (e.g., kiddie porn). You “criminals” will far more likely be approached by a private organization with seemingly unlimited resources and a serious financial interest in seeing you pay for your conduct. It begins with a threatening letter, demanding a settlement one can’t afford. Then you’re served notice. Assuming no default judgment against you, no constitutional protections will prevent the hell of civil discovery and e-discovery entering your life in an expensive way. Guess how quickly your fellow defendant ISP will move to be let out of the lawsuit in exchange for sharing everything they have regarding you? (Thought you had a reasonable expectation of privacy on their network, did you? Oh well. Maybe when you’re out of this suit you can sue them and find out.) And at the end, if you lasted through that, they will likely have to meet only the preponderance of the evidence standard.

    Jail may then start to look appealing.

  38. So, you are saying that if RIAA/MPAA tell the police that you hurt them, the police will make your life miserable and destroy you financially even if there are no real evidence against you and you would win in court? Well, that proves beyond any reasonable doubt that USA legal system is not just useless, but actively harmful and any sane person should emigrate.

    So glad that I don’t live in the US.

  39. ProfJonathan says

    I totally applaud the YANAL concept, since while I know that those in technology are probably much more educated about the law than the average person, there are unfortunately any number of myths out there that get otherwise well-meaning folks into trouble.

    If it’s at all of value, I recently did a seminar on copyright law for tech businesspeople and producers, and the podcast is available for free download at:

    http://ourmedia.org/node/480711

    I hope you find it useful. Well done, Paul, and keep up the good work! {ProfJonathan, teaching a course in Cybercrime this semester}

  40. Don’t break laws. Unfortunately that is impossible. Everyone breaks laws constantly, without even knowing it. They could know everything about American law and still get punished. Why pray tell? Several American laws tend to be lazy and state that laws from other countries pertain to the United States. That flower you bought in Paris could get you arrested in the United States because its illegal to import that into India. Now how wonky is that?

  41. It’s all about due process. The merits can be completely avoided in 99.9% of cases. The cops, judges and prosecutors break the law 100x more than you. You just have to hold them accountable for it.

    http://www.ruleoflawradio.com
    Mondays, Thursdays 8 PM – 10 PM CST
    Fridays 8 PM – 12 AM CST

  42. I think what Mr. Ohm is missing is that many techies live their lives and set their relationship to the legal system based on an attitude which is very important to us. There is a particularly high percentage of techies who are libertarian relative to the rest of the population, and one thing that many of us have in common is that we refuse to bow to authority. All of the legal issues Mr. Ohm raises are, to some of us, seen as direct threats from an unjust authority. Therefore, to change our actions or give up our reliance on the precious “reasonable doubt” in favor of ensuring that our lives don’t get turned upside down is the equivalent of giving in to the legal threats. That is something we could never do – that is how we let the unjust authority win. To many of us, it is exactly in forcing the hand of the police state to perform all these searches and actions that we prove the point of our philosophy.

    May reasonable doubt live on, and may also those who have the guts to push their rights to the fullest on as well.

    • Anonymous says

      Any real criminal with half a brain instantly understands that it is easy to make use of the police and the standard police policy of using intimidation as a substitute for real evidence and deduction. Dumb, brutal authoritarianism is the perfect tool for a smart criminal, anyday.

      Simply lay plenty of false trails, and sow plenty of false evidence by deliberately dropping into unprotected access points and committing minor crimes then visiting a few kiddy porn sites and then vanish without a trace. Simple. The cops are so busy acting tough and pushing their search and seizure authority to the limit that they never get around to finding any of the real criminals.

      With botnets already spanning millions of machines and controlled via Romania or Mongolia, and with clusters of bots available for hire on the black market, don’t be surprised to see this is already happening. The innocent people will eventually get out of jail with a criminal record and a grudge for life, and will decide that it is a lot better survival strategy to team up with the criminals than try to work a failed system and before long the criminals ARE the system. That’s the world you are living in right now, so get used to it.

      Libertarians believe in liberty, because when liberty is destroyed everything else also falls over. It’s not some reckless hacker spirit, it’s just common sense.

  43. I’m just guessing but I expect that US laws are silent about what US citizens, including US law enforcement, can do outside of US borders. If so, then only the laws of the other countries are relevant.

    What about rules of evidence for evidence gathered outside US jurisdiction? Could evidence obtained without legal niceties in, say, Afghanistan be used in a US court? That sounds like a good question.

    Similarly, what about the much criticized practice of rendition? Say a US agent picks up a combatant in Afghanistan and then sends him to Syria; never entering US territory. Is that illegal? If so, by what legal theory?

    I expect that cyberspace could give law enforcement a lot of jurisdiction headaches. What about the day when your hard drive with kiddie porn is not physically in your residence? It is in “the cloud” somewhere on the planet, and potentially moved elsewhere on the planet every few minutes. More headaches.

    Nevertheless, Mr Ohm is correct. Tekkies (myself included) love to be clever — more clever than the cops. Not with criminality in mind, but rather in cleverness contests. But in real life they are much less clever than they think they are. We can learn by reading Ohm’s blog. He really ought to name the blog Ohm’s Law.

    • A quick Google search didn’t show me any blogs called “Ohm’s Law”. I like that name! 🙂

      Over the years, I’ve noticed that those who get into cleverness contests are rarely as clever as they think they are! Besides, cops have one thing on their side that potential hoodwinkers never think of: they’ve got lots of experience dealing with people who are trying to hoodwink them.

      Thanks, Mr Ohm!

    • This has been broached but is still unsettled, the likely answer is that a search carried out in accordance with the law of the state that gathered the evidence will be admissible in a US court. If the information is specifically gathered at the request of the Federal Government against a US citizen, then a warrant would be required.

      As far as rendition, I think it important to first point to the difference between “traditional rendition” and “extra-ordinary rendition”. The former is governed by international treaty law, the latter, well the latter is a problem.

      JMS

  44. Paul skirts the issue but doesn’t directly state it in his essay. The problem (IMO) in the US, is that the threat of legal action has become defacto legal action. The costs and disruption to your life.. even before you get to court, for a minor offense would destroy most anyone financially in the middle class.

    Working a lot with forensics most local police rely on interrogation and basic investigation skills more than NCIS, or CSI TV techniques. And at that they only really care about kiddie porn not much else unless compelled to do so by a DA/CA. The FBI is another story.

    All I will say is round robin routing, wep crack, a high gain antenna and a heavily populated college apartment community if you really want to stay anonymous.

  45. With other words the US legal system is broken, and you should better fix it or leave the country. Because what you tell your fellow Americans, Ohm, is: forget rule of law in our system. You gave good reasons for me not to do business in the US.

  46. You should have had XeroBank Internet Privacy

    • this is spam

      • I’ve used their service for a few years now, both VPN and email is very stable and at least allows me to bypass anything my ISP would put in place. Combined with TrueCrypt I feel pretty save (as well as not doing anything to get me into trouble ;).

  47. specifically the affidavit that was given by David Shrimpton for TELUS regarding IP addresses and identity. It was accepted by the court and is now part of case law (One of the reasons Canadians are allowed to download music legally, just not upload it). In that affidavit Mr. Shrimpton detailed how a simple IP address doesn’t identify an individual, only a computer. For any of your advice to apply, the police would have to have specific information that it was you, in particular, at a certain time that was using the computer associated with that IP address. Even then, the IP address can only specify a Internet connection. Should there be more than one PC behind that firewall, there is no way to identify a specific user absent a electronic surveillance warrant (in which you would have to prove exhaustion, which would be unlikely in the case of a single individual). Wire taps are expensive. In addition, any encrypted traffic to any real standard would defeat any surveillance as it would take more time to decrypt the data then the statute of limitations would allow for most charges. To gain a warrant for your email it would have to be proven that you did something criminal with it, or used it to further criminal gains. Again, this would be very hard without having physical evidence (a threatening email or example of criminal intent).

    In the states it might be different.. Thank god I live in a country where we haven’t traded our freedom for a false sense of security.

    P.S.: not a lawyer, just someone who has researched this heavily, also worked with Mr. Shrimpton at TELUS. He is my hero =).

    • If you are referring to BMG et. al v. John Doe et. al Case No. T-292-04, then you are confusing civil lawsuits (that case) with criminal prosecution (Ohm). BMG was about discovery of information in a civil suit – Canadian courts apply a standard similar to U.S. courts. In criminal cases, Canadian courts apply a probable cause standard BASED ON American case law. So Ohm’s comments are completely applicable.

  48. Now explain to your readers the difference between liability and damages. I’ve given up.

    • Liability is the about the consequences flow from your actions. Damages are one of the consequences.

      You may be liable to pay damages if you harm another, and are found to have caused or contributed to the injury or loss that flows from that harm.

  49. I think one of the hardest concepts for us techies to grasp is that judges are people.

    Yes, law is software for people. (Doubly so for contract law.) But judges and juries aren’t CPUs, and the law isn’t interpreted by a context-free parser. You can’t trick them unless you’re a sitcom. “The injunction says I have to pay this guy. But it doesn’t say it has to be in U.S. currency, so I printed my own!” Fail.

    That said, obviously there *are* plenty of legal disputes over “technicalities”, and specific phrases can carry all sorts of legal connotations. It would be interesting to learn at exactly what point terminology and commas become important.

    • “It would be interesting to learn at exactly what point terminology and commas become important.”

      Whenever they’re relevant.

      In short – anything the parties can’t, or won’t, agree upon between themselves gets determined by the court. Agreement is usually better – you have better control over the consequences.

  50. This post paraphrased: Don’t do anything to attract the attention of the police, they have the authority to destroy your life with the tiniest shred of suspicion. Your rights do not apply.

    War is peace
    Freedom is slavery
    Ignorance is strength

    • This is a fair critique, but remember, I’m assuming a crime has actually been committed. The “life ruining” doesn’t really start until the police have followed a few steps that lead to your computer, email account, and home. So, no, the “tiniest shred of suspicion” won’t lead to the parade of horribles I describe, but “probable cause” will.

    • Its not the police that you should really worry about – its the media – they don’t have to get warrants from judges they just print whatever they like.

      Plus – for certain types of “offences” they have their own enforcers – in the form of vigilantes – who will murder you first and ask questions afterwards.

      The police are tame by comparison.

      • Having dealt first hand with an ‘issue’ with both the police and the media I have to say the media treated me far worse than the police. They made up stuff. They trashed my reputation. And then, a year later, when the ‘issue’ hadn’t been completely resolved, a new editor decided to make his mark by browbeating the police into a further investigation, dragging my family’s name through front page headlines all over again. Of course, the police didn’t turn up anything else. The police did their job competently and mostly professionally (Well, the detective assigned to the case had an affair with the police chief and they embargoed my bank accpount illegally–fixed by a call from my lawyer), and when it was obvious what happened, they left me alone. I was never charged with any crime, but you wouldn’t know it by reading the paper.

        • You should investigate whether the newspaper can be sued for libel. Quite a few people have been successful at bring suit against journalists who misrepresented guilt.

          For example, a person is never “arrested for” a crime. Instead, (s)he is “arrested in suspicion of” a crime. The former might be understood to imply guilt.

          I’m not a lawyer, so don’t take this advice literally. But you might want to talk to your lawyer about whether any of the media committed libel in this case.

    • It’s better to be discrete and private enough to not get caught than it is to trust your freedom to 12 people who were too stupid to get out of jury duty.

      Because convincing those 12 stupid people that you’re innocent will probably ruin your life.

      • That’s a moronic statement. I welcome jury duty as a chance to serve and a chance to learn. If you don’t get that, it is you who are the stupid one.

  51. D.S. Dantas says

    This is the legal version of that now famous xkcd cartoon.

    To turn your argument on its side, this is a good reason not to run an open wireless access point. While you may win out in court after your neighbor does something illegal on your connection, in the intervening months and possibly years, the social and monetary costs to you may be quite high. .

    • One of the strongest arguments you can make against torture (at least to those unresponsive to arguments based on basic human decency and morality) is that it produces unreliable evidence. Anyone will say anything to make the torture stop. (Bush probably knew that but he didn’t care; a made-up terrorist plot was as good as a real one when it came to crowing to the public that they’d stopped another one.)

      But what about lead-pipe cryptography? I can tell right away if he gives me the right key, so I just keep beating him until he does. If he dies, then he probably didn’t know it anyway. So what’s wrong with torturing somebody for a crypto key?

  52. Can they even read your emails if, let’s say, your mail server is in another country? They should not be able to…

    • I can think offhand of several ways to get around this problem. Law enforcement officials probably have more.

      1) Law enforcement treaties between the country where you are and the country where your mail is. A warrant in country A may well operate in country B.

      2) If the mail server operator in country B also has a presence in country A, the warrant may be able to force him through his presence in country A to divulge content stored in country B. It may be possible to combine this with #1 in some third country C.

      3) The mail server operator simply cooperates and provides the data.

      4) The court compels you to provide the data. In some cases, the court can have you imprisoned for refusing to comply, or for tampering with the data.

      5) The authorities in country A install snooping hardware on your computer that simply intercepts the data on your computer (post-decryption if you’re encrypting data).

      Again, law enforcement probably has more tricks; these are just from a few minutes thought.

      • 3), 4) and 5) seem outrageous.

        • Frankly, so does 1. I know of no law enforcement treaties which recognize foreign warrants.

          • Well, this is hardly definitive, but this page from the US State Dept’s website says, in reference to Mutual Legal Assistance Treaties the US has with other countries: “The treaties include the power to summon witnesses, to compel the production of documents and other real evidence, to issue search warrants, and to serve process. ” (bold added by me).

          • Do remember that other countries may have much lower standards for search and seizure than the US. There’s no 4th Amendment protection even in Great Britain, which has the most familiar of legal systems for Americans. Police here can seize data and machines of their own motion and supply the information to overseas law enforcement. (If there is a ‘national security’ reason they can even censor or falsify information provided for the purposes of foreign legal proceedings.)

            Stop thinking that a limited set of arbitrary rules that you have digested will protect you in practical circumstances. There’s a cultural problem for geeks that Paul is pointing to here: the law enforcement institutions (even in highly legalistic jurisdictions such as the US states) do not operate like machines. They operate like collections of people. And they move slowly. The rules are often approximately followed and of indeterminate applicability. Experience in their practical use is what counts.

            The facts to which the rules apply are usually in dispute, and no one accepts that because you are smart you have a better view of the facts than they do. Especially if that view is to your advantage, even implying that is likely to be disadvantageous. You are arguing with the football team. They have no respect for your smarts.

          • Indymedia has had this happen twice to them… and in those cases there wasn’t even a question of them having done anything wrong.

        • (4) is unconstitutional. You cannot be compelled to provide, but you cannot tamper with or destroy the evidence either.

          (5) is simply a wire-tap warrant. Probably cause is all they need (which means, according to my High School law class, they have around a 40% statistical chance you may have committed the crime in question). Not that hard to get, and not outrageous at all.

          (3) is why it is very important to understand the legal protections where ever you have off-shore storage. If it is in a country with a lower standard of privacy, this may be perfectly legal. Non citizens in the country in question may have lower protection standards than citizens. And if it is on a offshore rig (e.g. Sealand), the protection you have is simply the whim of the operator.

          • IANAL but I do know of a company that was subpoenaed for emails going back some x number of years in regards to a possible violation of environmental standards. The IT Manager was actually threatened with jail time because the emails desired by the prosecutors were far enough back in time that they had been deleted by the mail management system in place in the company.

          • IANAL, but I think that IT manager had a lot of hot air breathed on him.

            I work for a Big 4 auditing firm where subpoenas for data, especially email, are not all that uncommon. All Auditing, Consulting, etc firms remove their data quickly as part of policy. Usually, everything related to a client is policy to be removed in under a year.

            I imagine the only thing they could try to say is that he intentionally deleted it, which would be a no-no. Having a company-wide policy of data retention, and having the system settings to back it up can protect you in this case.

          • The 5th amendment says you cannot be compelled to testify against yourself. You can still be compelled to turn over any evidence that you possess, such as written records. Handing over a pile of records is not the same thing as testifying. You can also be compelled to testify against another person (just not against yourself), with some very limited exemptions like attorney-client privilege. IANAL but this is how I’ve always heard it.

          • In fact, what’s even more surprising is that you can be compelled to produce a Diary, or Journal.

            This is the first thing you need to realize when YANAL: _ANYTHING YOU WRITE_ can be subpoenaed, which literally means “under penalty” which means, if you don’t produce it, you’re punished.

            Don’t write ANYTHING down that you don’t want to be used against you.

          • In the USA it is unconstitutional to force someone to incriminate themselves.

            Forcing someone to cough up the key to an encrypted hard drive or the location of a journal that proves their guilt does not fly.

            Not yet, anyways.

          • Not only does it not fly, it has actually been upheld by a judge that a person cannot be forced to give up a drive encryption key because doing so would vilate the 5th amendment.

            See http://en.wikipedia.org/wiki/United_States_v._Boucher

          • Maybe it won’t fly, but it does run really fast…

            But the border guard that asks you to provide your password can simply seize the hardware for examination. AFAIK, they have no limit on when they have to return it.

            The appeal in United States v. Boucher was still pending as of October 2008.

          • I know Customs can look through and even seize anything they want for no reason at all. My main protection is the sheer volume of passengers who pass them every day. (That, and the fact that I’m not trying to smuggle anything.) But if they pick me out, I’d just have to stand there while they rummage through my stuff. They might ask me to say something incriminating, but I know enough to keep my mouth shut even if I have nothing to hide.

            Then they discover that my laptop hard drive is encrypted.

            Let’s say that even though I have nothing illegal I’m perfectly willing to make a stand and sacrifice my laptop on principle. The data on it is fully backed up elsewhere and I can easily afford to buy a new one. So I remain completely silent. What would happen?

          • hobbycounsel says

            (I assume you mean the US.)

            That depends completely on the specific situation. Maybe nothing. Maybe they take your laptop and never give it back. Maybe you get it back at some future time. Maybe they feel they have probable cause (for some reason that is both unknown to you and maybe completely wrong) and they will detain you until you produce the decryption key.

            Legal precedent on encryption keys is still up in the air. Cases have gone both ways on whether an encryption key is like a physical lock key (e.g. a piece of metal, which you may be compelled to give up) or like the combination for a lock (which you may not be compelled to give up, so long as it does not exist outside your mind). In one lower-court case where some data was protected by an encryption key and that key was passphrase-protected, the ruling was that the passphrase-protected key must be given up, but the passphrase itself could not be compelled. In any event, it will be a few years before legal precedent on encryption keys settles in the US.

          • I don’t know about (4) in criminal cases but I’m in a civil case right now and we (my enemy and I) have compelled each other (and each other’s associates) to produce all kinds of things.

          • In the UK, for example, you can be forced to reveal a password to an encryption system, or face 2 years imprisonment.

            Even if you’re a US citizen, if you cross a border and the US government has a mutual agreement with that country, the police there can compel you to reveal before they extradite you.

      • Number 4 is unconsitutional in the U.S. unless they are willing to provide immunity to prosecution for you if you invoke the 5th amendment protections against providing evidence against yourself. They could do that in seeking evidence against a third party or in seeking evidence against you from a third party who has access to your information.

        • You cannot be compelled to testify against yourself. You can, in fact, be compelled to give some kinds of evidence. The clearest examples of this are DUI cases where you may be compelled to give blood or urine for alcohol and/or drug testing. The Supreme Court made this distinction long ago.

          • Yes. It is well settled that you can be compelled to grant access to information (like bank account records). To fall under the prohibitions of the 5th Amendment, the Supreme Court has long held that the compelled act must be “testimonial” in nature; and guess what – signing an authorization to release/request information (like bank account records or activity logs) has been held to not be testimonial.

            On a related note, none of the Constitutional protections apply in Civil proceedings. In Civil cases, you routinely use discovery to obtain access to all manner of personal/private information for use in the lawsuit (wider dissemination can, and usually is, prevented through the use of Protective Orders). But, in most cases, Protective Orders do not prevent a party to a civil suit from passing evidence of a crime to law enforcement. Also, if there is no preexisting relationship between the private party and law-enforcement, the government can sometime obtain Party B’s information by requesting it from Party A – and thereby avoid any Constitutional arguments by Party B.

            This thread emphasize the critical role that prosecutorial discretion plays in our society and why, as a result, privacy DOES matter (even to those who never commit crimes).

          • Just a quick FYI… there are some Constitutional protections that apply in Civil proceedings. The biggest one being the 7th amendment, dealing with a right to a jury in a civil proceeding. It’s true the 7th hasn’t been incorporated against the states, and thus you may not have a federally protected right to a jury trial if the proceeding is in a state court, but it’s always protected in federal court. Just remember, under civil rules of procedure you have to explicitly request a jury trial otherwise the judge will serve as the finder of fact.

            The other big constitutional protection that applies in civil cases is the seldom cited 13th amendment, which prohibits involuntary servitude unless convicted of a crime. Which is one of many reasons why it is darn near impossible to get specific performance as a remedy to contract breach.

          • Citation needed. To the best of my knowledge, no you cannot be compelled to give blood or urine for drug/alcohol testing. However, almost every state has laws in place that if you refuse you lose your privilege to drive.

            The case you are referring to, Schmerber v. California, 384 U.S. 757 (1966), does indeed allow the withdrawal of blood or urine, unless you physically resist. Simply saying you refuse doesn’t cut it. Also, this is not about compelling you to give up evidence, such as the location of your diary.

            This is about the right of law enforcement to “take” the evidence by a physical means. The courts cannot force you to “communicate” the location of your diary. Thus while they can “take” any evidence they need, you cannot be forced to divulge that information via “commincxation”. That distinction is clearly made in the above stated SCOTUS ruling. So the SCOTUS said they can take it, not that you can be compelled to give it. It’s a very important distinction.

            There fixed that for you.

        • As has been long established, the judge can hold a person in jail “in contempt of the court” indefinitely, without having to charge the person with any crime, even.

          There was a recent expose of a list of people having been held in jails for months and in excess of a year, because they wouldn’t cooperate with the court.

          • celtic_hackr says

            Yes, a judge can hold you in contempt, but that can be challenged. although, I don’t know what impact there is on a judge who abuses this power. If a judge holds you in contempt for enforcing your constitutional rights, it can (see endnote) be overturned by another court. There is clear SCOTUS precedent that you cannot be forced to give up your personal papers and effects. They can be taken with a warrant, but if you’ve done an excellent job of hiding them and no one can find them you cannot be compelled to divulge them. In other words if you’re successful in hiding the proof of your criminal activities and no other proof can be discovered you get to go free.

            [endnote] I say can, and not will as I am a pessimist when it comes to modern US courts and I have no faith that any court will uphold any Constitutional guarantee of any citizen save: one from a rich and powerful family, fellow judge/lawyer, or politician.

            P.S. to webmaster
            It would be nice to have an option here to post anonymously, while logged in. Not that I’m paranoid about everything I ever say on the internet being hauled into court to be used against me on some trumped up charge. I just prefer my political speech to be anonymous. Yes, I’m an anonymous coward and damn proud of it. Coming from a family with one of the original anonymous cowards, well at least until he signed the Declaration of Independence (which you’ll note they never sent, but preserved and probably kept hidden).

    • Every single bit in this and all of your transmissions is recorded by the NSA and or its international affiliates. Fact. Storage duration is unknowable.

      • What can the NSA do with the information? The second they were to use it for anything overt, their secret would be out. Yeah, you can construct scenarios where it still matters, but they are rather roundabout.

        The primary thing people need to worry about is legal surveillance and legal data gathering, because information that has been gathered legally can be used to mislead a jury, embarrass, intimidate, and blackmail you even if you haven’t done anything wrong.

      • The NSA isn’t allowed to do that, because that would violate the 4th amendment. Fact.

        Nobody else can do it for them because, amazingly enough, it’s not legal to get someone else to do something illegal for you. Fact.

        And, besides, why the hell would NSA _want_ to store every bit of this transmission? There’s nothing at all interesting in it. Nobody gives a fuck about your emails, unless you’re a terrorist or a Russian spy or something, and even in that case they have to get a warrant before they can start targetting a single bit of your transmissions.

        Grow up and lay off the tinfoil. Really, you aren’t that important and nobody is out to get you.

        • So freaking true

        • 1) There are no laws against U.S. intelligence gathering in other countries… in particular electronic signals.

          2) There are already agreements to share intelligence between various countries to by pass individual country restriction to collect internal ‘intelligence’.
          http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN

          3) The technology behind Echelon is highly classified, but, to give a sense of what it is likely capable of, in World War II the U.S. was able to collect nearly all electronic signals sent across the globe. (See the above EU report … pg 59) (See also http://nasaa-home.org/history/his5.htm). These are wireless signals, but any wired system is also vulnerable to interception (see http://www.military.com/Content/MoreContent?ESRC=navy-a.nl&file=FL_sealab_032802 discussing taping of undersea phone lines) (unless we get Quantum communications, but that is beyond the cope of this).

          4) Your point about the NSA not being interested in any of us is very true. That is the only security we have … blend in and be quiet. Why would the U.S. Government spend time and money to pick me up, detain me and question me? At this point I am not worth the energy. And I think that *may* be the same reason that all information isn’t stored either. 99.9999% of it would be noise. If there is a use for it I suspect it is being stored.

          – I don’t know what the balance is between personal liberty/ privacy and the governments need to monitor communications for threats. I do worry, perhaps needlessly, perhaps not, that the basic foundations of the constitution, such at the right against self-incrimination, the right to liberty, and oversight of this intelligence gathering is such that the balance has tipped heavily in favor of the government.
          This may be what is necessary in the modern world, but I am not convinced of that fact.

          • There mere fact the NSA is being mentioned along with the name of their surveillance program probably makes this page and those who post to it, “interesting”, or at least more interesting than half of the pages out there.

            “Just because you’re Paranoid doesn’t mean they’re not out to get you.”

        • Somebody hasn’t been paying attention to the news. The NSA has been violating the 4th Amendment since before 9/11. The latest revelation is that they specifically targeted journalists.

          It’s not a “conspiracy theory” when it’s been reported as fact all over the mainstream media.

          • LunaticSerenade says

            Since when has “mainstream media” been any kind of credible? I thought that was why places like slashdot and cnet existed.

            If Fox News told me the NSA was spying on me and had been my whole life, I would laugh at them. Well, at the TV anyway.

          • “The latest revelation is that they specifically targeted journalists. ”
            and
            “It’s not a “conspiracy theory” when it’s been reported as fact all over the mainstream media.”

            So, in order to enhance their own credibility, why not say that they are the ones being targeted? Seriously…Government agencies have bigger fish to fry that worrying about every little bit of e-mail traffic. There is not as much intervention as the paranoid citizens of this country would like you to think. This whole conversation is going into a legal debate about what is and isn’t a violation of this law or that amendment…what’s the title of the article?

            Please pick up your crayons, STFU, and go sit in the corner. As someone already said…”You are not that important.” Get over yourself.

        • Disclaimer, I work at an ISP.

          No, the NSA does not store every *bit* of data you send. They do store all of your meta-data. Just like we do.
          For example, they will most likely store all of the URL’s you type into a web browser, but not the content of the page itself.
          Much of the data we store for technical reasons, and it would rarely if ever be looked at by a human. In many cases we are required by law to store certain types of data.

          Some types of data that IS stored by your ISP, and I’m certain by the NSA as well:
          – All DNS lookup requests.
          – All IP address records, and associated MAC addresses.
          – All header information on emails. Most of the time the actual body & attachments are only cached on a short term basis.
          – Almost all of your traffic is also logged, for example pretty much all TCP header info.
          – Use of things like Sandvine allow us to do DPI to perform additional logging of extra data when certain conditions are met. (for example, any traffic to/from a known child porn site will be fully logged & flagged).
          – All of the above are also tied to your cable/dsl modem’s MAC & account info.

          The lesson to learn from this is that the tinfoil hat types are really only wrong in that they think we are watching them specifically. We’re not. We don’t really watch anybody directly unless we get law enforcement interest, someone reports abuse, or you’re doing something that’s messing up our traffic/network.
          Those people who are singled out for observation for whatever reason, do indeed have ALL their traffic fully logged.

          As for the legality, as the title of the blog indicates I don’t deal with the legal aspect. But the suits sum it up for us techies as “The simple version is that it’s our network & we can log whatever we want to.”
          As for the NSA, they might not be able to do this within the US itself, but all traffic which leaves or enters the country is fair game for full monitoring 24/7.

          And no, we don’t provide info directly to law enforcement. If they want it, they have to come get it with the proper paperwork. There are some things we will report to them if it gets found during routine troubleshooting or if someone complains & we investigate.

          • You really need to provide more information. Other public news sources suggest otherwise. For instance I can’t find any US law on everybody scale data retention. Data retention is pretty much limited to government requests and they last only 90 days (at least initially/default). It in no way suggests data retention / logging of all users. If this information is logged are you suggesting it is logged indefinitely-or discarded after a short amount of time (days/weeks/a few or several months)?

            On the other hand Europe does have data retention required by law. If ISPs in the US are doing this it really should be made public knowledge. Unlike data retention flaging is even worse than just retaining data for one good reason. It means that monitoring IS occuring. I believe I’ve heard about projects that snoop on user’s surfing in the US to spot child pornography. I believe that was in response to demands by certain people to “think of the children”. It is definitely not law. If it is happening though the public should be informed of it. Even if the monitoring is limited and the masses are not effected by these practices should be stopped. If you can justify it for one group there is no reason you can’t justify and extend it. It’s just like the DNA situation. It started with only the very worst offenders and now many countries are tracking everybody who enters the system. It’s getting worse too though. There are now plans to not only track those who enter the system- but anybody who is arrested- even if they are found NOT GUILTY.

            The people in the US have a constitutional right to make associations. This is freedom of association. The US also has essentially not recognized this right for those who would have a use for exercising such rights. I’m mainly referring to ex-cons. These are the people who would need such protections to get the laws changed. Presumably if you are knowingly and intentionally commiting a crime you probably believe such laws are unconscionable or have little choice in the matter. You need to be able to organize against the laws you consider unjust. Pretty difficult to do if the law doesn’t recognize such rights.

          • Oh this gets into a fun area of the law. And one the courts, and companies holding the data, have studiously avoided.

            Are DNS requests private data? Or are they business records? What is the retention time if the information is not immediately personally identifiable?

            Example. A company HAS to keep records about invoices and what not for the IRS. Credit card numbers, what was bought, etc. That will be held as long as the company wants too. This is personally identifiable and is necessary for tax rules at a minimum.

            Example 2: Credit History information… that is tracked and kept, at a minimum, for 10 years. The information supporting that information is likely also kept for a minimum of 10 years.

            Computer Stuff: A company keeps IP traffic and header and what not, perhaps, for performance improvement and historical trending. I highly doubt a company would be prohibited from collecting this information. That same information, with little effort, could be used to build personally identifiable information.

            There are some limitations on keeping *search* records, and I am too lazy to research all the current law, but you might look at: http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1716

        • Pseudonymous says


          The NSA isn’t allowed to do that, because that would violate the 4th amendment.


          Fact.
          Nobody else can do it for them because, amazingly enough, it’s not legal to get someone else to do something illegal for you.

          Fact. The Office of Legal Council provided legal opinions purporting to legalize torture. The “Principals Meeting” of the National Security Council approved the torture of individual detainees by the CIA. The agency went ahead and tortured. Was it legal? No. Was it done? Hell yes. Will any of the perpetrators face criminal sanctions in this country? Probably not.

          Just because it’s illegal doesn’t mean it’s not being done. It doesn’t even imply it’s rare.

        • Please. Have you been paying attention? Your faith in the government is misplaced. Google “warrantless wiretapping”. Here, I’ll do it for you.

          Result 1:
          http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy

          You lose. We all lose.