SOURCE Boston 2010 Clark slides
Download
Report
Transcript SOURCE Boston 2010 Clark slides
SOURCE Boston 2010
April 23, 2010
R.W. Clark
Agenda
Top Precedents
IP Addresses Not Pii
No REP in unsecured wireless network
Work Place Monitoring
Computer Network Security
Legal Parameters (What can I do legally?)
Precedents
Google, NSA & Cyber Attacks
More Cases & Issues
Disclaimer
aka The fine Print
Joint Ethics Regulation
Views presented are those of the speaker or author and do
not represent the views of the government.
Where a disclaimer is required for a speech or other oral
presentation, the disclaimer may be given orally provided it is
given at the beginning of the oral presentation.
All material is unclassified
Court Recognizes Your
Special Skills
United States v. Prochner, 417 F.3d 54 (D. Mass.
July 22, 2005)
Definition of Special Skills
Special skill - a skill not possessed by members of the
general public and usually requiring substantial
education, training or licensing.
Examples - pilots, lawyers, doctors, accountants,
chemists, and demolition experts
Not necessarily have formal education or training
Acquired through experience or self-tutelage
Critical question is - whether the skill set elevates to a
level of knowledge and proficiency that eclipses that
possessed by the general public.
IP Addresses and Pii
Johnson v. Microsoft Corp., 2009 U.S. Dist. LEXIS 58174 (W.D. Wash. June
23, 2009).
IP address a four-part number enables e-mails, pictures, data, to be
transmitted via the Internet to a particular computer. United States v.
Heckenkamp, 482 F.3d 1142, 1144 n.1 (9th Cir. 2007).
When a person uses a computer to access Internet, computer is
assigned an IP address by user's Internet service provider. United
States v. Steiger, 318 F.3d 1039, 1042 (11th Cir. 2003).
IP address does not identify a user's name or mailing address. In re
Charter Commc'ns, 393 F.3d 771, 774 (8th Cir. 2005).
Static IP addresses remain constant with regard to a particular user, but
many assign dynamic IP addresses that change each time the user
connects to Internet. Steiger, 318 F.3d at 1042.”
In order for “personally identifiable information” to be personally
identifiable, it must identify a person.
IP address identifies a computer, and can do that only after matching IP
address to a list of a particular Internet service provider's subscribers.
Thus, because an IP address is not personally identifiable, Microsoft did
not breach the EULA when it collected IP addresses.”
Secure Your Wireless Router
United States v. Ahrndt, 2010 U.S. Dist. LEXIS
7821 (D. Ore January 28, 2010)
Unsecured wireless router
Neighbor access
iTunes “share” library
Dad’s Limewire Tunes
Secure Your Wireless Router
United States v. Ahrndt, 2010 U.S. Dist. LEXIS
7821 (D. Ore January 28, 2010)
The extent to which the Fourth Amendment provides
protection for the contents of electronic communications in
the Internet age is an open question. The recently minted
standard of electronic communication via e-mails, text
messages, and other means opens a new frontier in Fourth
Amendment jurisprudence that has been little explored."
Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 904
(9th Cir. 2008).
The issue in this case is whether the Fourth Amendment
provides a reasonable, subjective expectation of privacy in
the contents of a shared iTunes library on a personal
computer connected to an unsecured home wireless
network.
Government Workplace
Monitoring
United States v. Etkin, 2008 U.S. Dist. LEXIS 12834, (SDNY Feb. 20,
2008).
Hines v. Overstock.com, Inc., 2009 U.S. Dist. LEXIS 81204 (EDNY Sep 8,
2009).
Cf. Quon v. Arch Wireless Operating Co., Inc., 445 F. Supp. 2d 1116; (CD
Cal. Aug 15, 2006) Affirmed in part and reversed in part by, Remanded
by Quon v. Arch Wireless Operating Co., 529 F.3d 892, (9th Cir. Cal.,
June 18, 2008)
With respect to Fourth Amendment claims, city employees had a
reasonable expectation of privacy in the personal text messages sent and
received on employer-provided pagers because the employer had
instituted an informal policy that no auditing would occur so long as
employees reimbursed for any messaging that exceeded the allotted
amount.
Government Workplace
Monitoring
Stengart v Loving Care Agency, 2010 N.J. LEXIS
241, (Sp Ct. N.J March 30, 2010)
N.J. Supreme Court upholds privacy of personal emails accessed at work .
This case presents novel questions about the extent to
which an employee can expect privacy and
confidentiality in e-mails with her attorney, which she
sent and received through her personal, passwordprotected, web-based e-mail account using an
employer-issued computer.
Computer Network Security &
Privacy
In the United States there is no omnibus statute or
constitutional provision that provides comprehensive
legal protection for the privacy of personal
information, but rather an assortment of laws regulate
information deemed to be of sufficient importance to
be afforded some level of protection. The U.S.
constitution, federal statutes and regulations, and state
law combine to govern the collection, use, and
disclosure of information.
Congressional Research Service, RL 31730, Privacy: Total
Information Awareness Programs and Related Information
Access, Collection, and Protection Laws (March 21, 2003)
Authority for Computer
Network Defense
Common Law Principle
Property is “the free use, enjoyment, and disposal
of all his acquisitions, without any control or
diminution, save only by the laws of the land.”
George J. Siedel, Real Estate Law 21 (1979), citing,
W. Blackstone, Commentaries 138
Property in its nature is an unrestricted and
exclusive right. Hence it comprises in itself the
right to dispose of the substance of the thing in
every legal way, to possess it, to use it, and to
exclude every other person from interfering with
it.
Mackeldey, Roman Law § 265 (1883).
Authority for Computer
Network Defense
Right to exclude people from one’s personal
property is not unlimited.
Self defense of personal property one must prove
that he was in a place he had a right to be, that he
acted without fault and that he used reasonable
force which he reasonably believed was
necessary to immediately prevent or terminate the
other person's trespass or interference with
property lawfully in his possession
Moore v. State, 634 N.E.2d 825 (Ind. App. 1994) and
Pointer v. State, 585 N.E. 2d 33, 36 (Ind. App. 1992)
Authority for Computer
Network Defense
Common Law Doctrine-Trespass to Chattel
Owner of personal property has a cause of action
for trespass and may recover only the actual
damages suffered by reason of the impairment of
the property or the loss of its use
One may use reasonable force to protect his
possession against even harmless interference
The law favors prevention over post-trespass
recovery, as it is permissible to use reasonable
force to retain possession of a chattel but not to
recover it after possession has been lost
Intel v. Hamidi, 71 P.3d 296 (Cal. Sp. Ct. June 30,
2003
Computer Network Security
Federal Information Security Management Act of
2002, 44 U.S.C. §§ 3541 et seq.
Computer Fraud and Abuse Act, 18 U.S.C. § 1030
Electronic Communication and Privacy Act, 18
U.S.C. §§ 2510 et seq.
protection of the rights or property of
the provider clause of 18 U.S.C. §
2511(2)(a)(i)
Pen Registers and Trap Devices, 18 U.S.C. §§
3121 et seq.
Stored Communications Act, 18 U.S.C. §§ 2701
et seq.
Computer Network Security
18 U.S.C. § 2511(2)(a)(i)
Owner of a network “may intercept or
disclose communications” on its own
machines “in the normal course of
employment while engaged in any activity
which is a necessary incident to . . . the
protection of the rights or property of the
provider of that service.”
Computer Network Security
The Service Provider Exception is a
limited exception. Not a criminal
investigator’s privilege.
18 U.S.C. § 2511(2)(a)(i)
Computer Network Security
Broad exception, however, Provider must conduct
reasonable, tailored monitoring to protect itself from
harm.
Doesn’t allow unlimited monitoring
Need “substantial nexus” b/w threat and
property
U.S. v McLaren, 957 F. Supp 215, 219 (M.D. Fla. 1997)
System administrators can track hackers within
their networks in order to prevent further damage.
U.S. v. Mullins, 992 F.2d 1472, 1478 (9th Cir. 1993)
Computer Network Security &
Balancing Privacy
Consent and Banners
User Agreements
User Training
Web Policies
Expectation of Privacy
Intrusion, Crime Attack??
In re: Grand Jury Subpoena to Sebastien Boucher,
2009 U.S. Dist. LEXIS 13006 (DC Ver. Feb. 19,
2009)
Gov’t appeal US Magistrate Judge’s Opinion and Order
granting Defendant’s motion to quash grand jury
subpoena that it violates his Fifth Amendment right.
Gov’t doesn’t want password for encrypted HD wants only
to have defendant provide an unencrypted version of the
HD to grand jury.
Court –Boucher must provide an unencrypted version of
HD to grand jury.
Acts of producing incriminating 2 situations – 1 existence
and location unknown to Gov’t; 2 production implicitly
authenticates.
Gov’t knows incriminating files on encrypted drive Z: and
will not use this as “authentication” will link files to
Defendant in other way
Reasonable Expectation of Privacy and P2P
United States v. Borowy, 595 F.3d 1045 (9th Cir. Nev.
February 17, 2010)
Defendant intended to render the files stored on his own computer
private, but his technical savvy failed him. His subjective intention not
to share his files did not create an objectively reasonable expectation of
privacy in the face of such widespread public access under the Fourth
Amendment.
United States v Beatty, 2009 U.S. Dist. LEXIS 121473 (W.D.
Penn. December 31, 2009)
Cyber Warfare & Definitions
Sean Condron, Getting It Right: Protecting American
Critical Infrastructure in Cyberspace 20 Harv. J. Law & Tec
404 (Spring 2007)
Following September 11, 2001, the executive branch made a policy
decision to distinguish homeland security from homeland defense. n40
Homeland security has been defined as a "concerted national effort to
prevent terrorist attacks within the United States, reduce America's
vulnerability to terrorism, and minimize the damage and recover from
attacks that do occur." n41 In contrast, "[h]omeland defense is the
protection of US sovereignty, territory, domestic population, and critical
defense infrastructure against external threats and aggression, or other
threats as directed by the President." n42 The Department of Homeland
Security is the federal agency in charge of homeland security while
the Department of Defense is the lead federal agency for homeland
defense. n43
Cyber Warfare & Definitions
Multiple agencies using multiple authorities monitor the .gov traffic in
order to provide computer network security. The governing authorities
are the Homeland Security Act of 2002 (HSA) and the Federal
Information Security Management Act of 2002 (FISMA). See e.g. 6
U.S.C. §§ 101 et seq. and 44 U.S.C. §§ 3541 et seq.
Individual Federal agencies monitor their networks and traffic that
flows to and from those systems under authority from FISMA and the
“protection of the rights or property of the provider” clause of 18 U.S.C.
§ 2511(2)(a)(i) which allows the monitoring of communications placed
over federal systems in order to combat fraud and theft of service.
The principal authority for the Department to advance cyber security is
the HSA. While cybersecurity is not specifically identified under HSA,
it treated as an undifferentiated component of the broader critical
infrastructure protection mission of the Department. See e.g., 42 U.S.C.
§ 5195c and 6 U.S.C. § 101(4).
Cyber Warfare & Definitions
•
•
Request for Comments: 4949
August 2007
•
security event I) An occurrence in a system that is relevant to the
security of the system. (See: security incident.)
•
security incident 1. (I) A security event that involves a security violation.
(See: CERT, security event, security intrusion, security violation.)
•
security intrusion (I) A security event, or a combination of multiple
security events, that constitutes a security incident in which an intruder
gains, or attempts to gain, access to a system or system resource
without having authorization to do so.
•
Attack 1. (I) An intentional act by which an entity attempts to evade
security services and violate the security policy of a system. That is, an
actual assault on system security that derives from an intelligent threat.
(See: penetration, violation, vulnerability.)2. (I) A method or technique
used in an assault (e.g., masquerade). (See: blind attack, distributed
attack.)
Cyber Warfare & Definitions
http://www.dtic.mil/doctrine/jel/doddict/data/c/01179.html
computer network attack -(DOD) Actions taken through the use of
computer networks to disrupt, deny, degrade, or destroy information
resident in computers and computer networks, or the computers and
networks themselves. Also called CNA.
http://www.dtic.mil/doctrine/jel/doddict/data/c/01180.html
computer network defense - (DOD) Actions taken through the use of
computer networks to protect, monitor, analyze, detect and respond to
unauthorized activity within Department of Defense information systems
and computer networks. Also called CND.
http://www.dtic.mil/doctrine/jel/doddict/data/c/01181.html
computer network exploitation - (DOD) Enabling operations and
intelligence collection capabilities conducted through the use of
computer networks to gather data from target or adversary automated
information systems or networks. Also called CNE.
http://www.dtic.mil/doctrine/jel/doddict/data/c/01182.html
computer network operations - (DOD) Comprised of computer network
attack, computer network defense, and related computer network
exploitation enabling operations. Also called CNO.
Cyber Warfare
Paul Ohm, The Myth of the Superuser: Fear, Risk, and Harm
Online, 41 U.C. Davis L. Rev. 1327 (April 2008)
Fear of the powerful computer user, the "Superuser," dominates
debates about online conflict. He is a mythic figure: difficult to find,
immune to technological constraints, and aware of legal loopholes.
The exaggerated focus on the Superuser reveals a pathological
characteristic of the study of power, crime, and security online, which
springs from a widely held fear of the Internet.
Cyber Warfare Legal Research
Sean Condron, Getting It Right: Protecting American Critical Infrastructure
in Cyberspace 20 Harv. J. Law & Tec 404 (2007)
Alan F. Williams, Prosecuting Website Development Under the Material
Support to Terrorism Statutes: Time to Fix What's Broken, 11 N.Y.U. J.
Legis. & Pub. Pol'y 365 (2007/2008)
Thomas Wingfield, When is a Cyber Attack and “Armed Attack”, Potomac
Institute for Policy Studies (February 2006)
Todd M. Hinnen, The Cyber-Front in the War on Terrorism: Curbing Terrorist
Use of the Internet, 5 Colum. Sci. & Tech. L. Rev. 3 (2003 / 2004)
Winston P. Nagan, The New Bush National Security Doctrine and the Rule of
Law, 22 Berkeley J. Int’l L. 375 (2004)
Eric Jensen, Unexpected Consequences From Knock-On Effects: A
Different Standard for Computer Network Operations” 18 Am. U. Int’l
Rev. 1145 (2003)
Eric Jensen, Computer Attack on Critical National Infrastructure: A Use of
Force Invoking the Right of Self-Defense, 38 Stan. J. Int’l 207 ( 2002)
Mary Ellen O’Connell, The Myth of Preemptive Self-Defense, The American
Society of International Law: Task Force on Terrorism (August 2002)
Cyber Warfare Legal Research
LTC Dhillon and LTC Smith, Defensive Information Operations and
Domestic Law: Limitations on Government Investigative Techiniques 50
A.F. L. Rev. 135 (2001)
William C. Banks, M.E. Bowman, Executive Authority for National Security
Surveillance, 50 Am. U.L. Rev. 1 (October 2000)
Roger D. Scott, Territorial Intrusive Intelligence Collection and International
Law, 46 A.F. L. Rev. 217 (1999)
Michael N. Schmitt, Computer Network Attack and the Use of Force in
International Law: Thoughts on a Normative Framework, 37 Colum. J.
Transnat’l L. 885 (1999)
Todd A. Morth, Considering Our Position: Viewing Information Warfare as a
Use of Force Prohibited by Article 2(4) of the U.N. Charter, 30 Case W.
Res. J. Int’l L. 567 (Spring/Summer 1998)
Roger Scott “Legal Aspects of information Warfare: Military Disruption of
Telecommunications, 45 Naval L. Rev. 57 1998
Lawrence Greenberg, Information Warfare and International Law, National
Defense University Press (1997)
Independent Newspaper, Inc. v. Brodie, 2009 Md.
LEXIS (Ct. of Apps. Md. Feb 27, 2009)
When a trial court is confronted with a defamation action in which
anonymous speakers or pseudonyms are involved, it should
1 require plaintiff to undertake efforts to notify anonymous posters they
are subject of a subpoena or application for an order of disclosure,
including posting a message of notification of the identity discovery
request on the message board;
2 withhold action to afford the anonymous posters reasonable
opportunity to file and serve opposition to the application;
3 require plaintiff to identify and set forth exact statements purportedly
made by each anonymous poster, alleged to constitute actionable
speech;
4 determine whether complaint has set forth a prima facie defamation
per se or per quod action against the anonymous posters; and
5 if all else is satisfied, balance anonymous poster's First Amendment
right against strength of the prima facie case of defamation presented by
plaintiff and necessity for disclosure of anonymous defendant's identity,
prior to ordering disclosure.
Contact Information
[email protected]