Podcast Discussing Data Privacy and Information Security Implications of United States v. Cotterman – Now Available!

You can now listen to the podcast for Courts Showing Greater Respect for Data Privacy – United States v. Cotterman. Click HERE!

For a recap, here is my discussion of this podcast and who participated:

I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. Much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Courts Showing Greater Respect for Data Privacy – United States v. Cotterman

TAKEAWAY: Data privacy is gaining respect within the judiciary, as it should because in many ways, data is the new currency and is worthy of protection.

On March 8, 2013 the Ninth Circuit Court of Appeals (en banc) handed down a watershed case with significant privacy implications: United States v. Cotterman, No. 09-10139 (9th Cir. Mar. 8, 2013). This case (including the majority, concurring and dissenting opinions) is 82 pages so plan your time accordingly. It is worth reading because it represents a tug-of-war between competing interests of border security and data privacy. Data privacy may not have scored a knockout but it certainly gained some very important ground.

While analyzing the Cotterman case I made some notes on my whiteboard. Instead of sharing the customary random psychedelic photo with you, I decided to just share an image of the whiteboard so you can see what I thought was really important which I will briefly discuss below.

Note – it is 12:30 on Saturday night and a few hours ago I finished a fantastic Skype discussion of the Cotterman opinion with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman. You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. Much of what I would write in the blog is in the podcast, so I will keep this post as short as possible.

Facts

Cotterman was a sleazebag child molester who had been convicted for molesting a child and apparently traveled out of the country quite frequently. Cotterman was returning from Mexico with his wife, had been visiting a country known for “sex tourism,” and had what was considered to be a significant amount of electronic equipment with him (a laptop and several cameras).

Cotterman was profiled at customs while coming back into America because of the totality of all of these factors which indicated he fit within the parameters of the Operation Angel Watch program aimed at combating child sex tourism. This led to Cotterman and his wife being taken for a heightened inspection. Cotterman’s laptop and cameras were inspected, nothing inappropriate was found during the cursory inspection and he and his wife were allowed to go. Because there were files that were password protected, however, this raised another red flag and the laptop and a camera were held for forensic examination.

The forensic examiner later contacted Cotterman and asked him to provide his password. Cotterman, sensing the inevitable at this point, hopped a plane to Mexico and then on to Sydney, Australia. Meanwhile, the forensic examiner was able to crack the password and discovered 378 child porn pictures and videos, some of which showed Cotterman sexually molesting a young girl between the ages of 7 and 10.

Procedural Posture

The district court determined that the forensic examination of the laptop and camera was improper and excluded the evidence under the exclusionary rule. The prosecutors appealed, arguing that the law was clear that customs had the authority to do a routine border search without the need for any suspicion whatsoever, including the forensic examination.

The key issue in this case was whether it was reasonable to conduct a forensic examination of the computer and camera.

The Ninth Circuit’s Analysis and Ruling

The Ninth Circuit disagreed with the prosecutors’ argument but ultimately gave them a favorable ruling in the case that enabled the evidence to be used against Cotterman. The court found that, in order to conduct a forensic exam of data on electronic devices, there must be a “reasonable suspicion,” which is a heightened standard over what is typically required for a routine border search. The reason for requiring reasonable suspicion for a forensic exam is the “comprehensive and intrusive nature of forensic examination.” The court also found, however, that the facts of this case satisfied the reasonable suspicion standard and the evidence should not have been excluded.

The court emphasizes protection of data privacy

The court also emphasized that Fourth Amendment protection of “personal papers” directly encompasses data on electronic devices because such data goes to the heart of the notions of freedom of conscience, thoughts, and ideas. Therefore, data on electronic devices is afforded a higher standard of protection than other forms of property. The court expressly stated that “data on electronic devices carries with it a significant expectation of privacy.”

The court acknowledged that this case directly implicates substantial personal privacy interests and found that inspecting information individuals store on digital devices is much less like inspecting an impersonal gas tank and much closer to an inspection of the people themselves, therefore requiring a higher standard. In the court’s words: “It was essentially a computer strip search.”

I believe this represents a higher level of respect for the value and importance of data than we have seen out of many courts (especially if you consider that most data breach lawsuits have been tossed because the courts find there is no value in the compromised data). For me, this was the true value in this case — let’s see if other courts will follow.


Ninth Circuit Upholds $9.5 Million Facebook Privacy Settlement


The United States Court of Appeals for the Ninth Circuit upheld the $9.5 million settlement of a class action lawsuit. The lawsuit, which included, among other things, claims for violating the Computer Fraud and Abuse Act, was based on assertions by Facebook users that, through its Beacon Program, Facebook violated their privacy by sharing on their profiles information reflecting other activities they had taken on the Internet. One example: if a user had rented a movie through Blockbuster.com, that information would be transmitted to Facebook and broadcast on the person’s Facebook page.

Once users began complaining to Facebook, it released a privacy control that permitted users to opt out of the Beacon Program and, eventually, discontinued the Beacon Program altogether. Nineteen plaintiffs sued Facebook in a class action lawsuit styled Lane v. Facebook, Inc., Blockbuster, Inc., et al., No. 10-16380, 2012 WL 4125857 (9th Cir. Sept. 20, 2012).

The basis for their claims was “the general allegation that Beacon participants had violated Facebook members’ privacy rights by gathering and publicly disseminating information about their online activities without their permission.” There were several specific causes of action, alleging violations of:

  • the Electronic Communications Privacy Act, 18 U.S.C. § 2510 (1986);
  • the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (1986);
  • the Video Privacy Protection Act, 18 U.S.C. § 2710 (1988);
  • California’s Consumer Legal Remedies Act, Cal. Civ.Code § 1750; and
  • California’s Computer Crime Law, Cal. Pen.Code § 502

Ultimately, Facebook and several of the plaintiffs reached a settlement for $9.5 million, among other things, but some members of the class opted out of the settlement and some objected. The district court approved the settlement and, in this opinion, the Ninth Circuit affirmed, finding the settlement agreement was “fair, reasonable, and adequate.”

Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

This past Monday I blogged about what I called the “Trilogy of Access Theories” to refer to the three lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).

That was a FAIL!

United States v. Nosal

As of today the trilogy has become a duo with the Ninth Circuit’s opinion in United States v. Nosal. Honestly, however, I can’t say that it is much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka, in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin–the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion, though I am saving those for a different day … but here’s a hint: study those Bluebook signals!

Case Background
