January 2007


This week’s Circuit Court column is Sowing the Seeds of Surveillance.

Today, a three judge panel from the Ninth Circuit withdrew its opinion in United States v. Zeigler and issued a new opinion. As you may remember, the original Zeigler opinion, from August 2006, held that private employees have no reasonable expectation of privacy, and thus no Fourth Amendment rights, in their workplace computers. In January 17th’s Circuit Court column on the topic, I argued that if employees have no protected privacy rights, then the government can enter a private workplace, without cause, without a warrant, with or without the employer’s consent and search employee computers. I imagine the police could also copy your work laptop if you happened to be using it in a coffeeshop or some public place. The employer could try to sue, but the effort would be hampered by lack of damages, government immunity and the usual expense of going to court. The employee could not make a motion to suppress based on the privacy rights of the employer, nor would he have the personal right either to challenge the government’s actions in a civil suit, or to suppress any discovered evidence.

One thing that some Circuit Court readers clearly didn’t get is that the employee’s privacy rights are extra cover for the employer. If the employee doesn’t have rights, the government can search employer-owned computers and use whatever they find there against any individual, whether employee or CEO. With employee privacy rights, police are dissuaded from searching and seizing without either a warrant or consent from the employer.

That’s exactly what the new January 2007 opinion in Zeigler says. Building on the line of cases that says that employees have a reasonable expectation of privacy in their desk drawers and in their filing cabinets, the panel concludes that employees also have a REOP in their computers. Government agents need either a warrant or the consent of the employer before they can search. The agents in Zeigler got consent, the panel concludes, so Zeigler’s motion to suppress fails, and he’s no better off now than under the old opinion. But under the new reasoning, non-government employees and employers alike can breathe more easily.

Brad’s latest article, A Lively Market, Legal and Not, for Software Bugs, is on the front page of the New York Times this morning. It’s so strange, after all these years, to suddenly have Brad and the paper of record interested in vulnerability reporting, something CIS held a conference about in 2003, that I’ve been speaking and writing about for a few years now.

The news hook for the story is that hacking, once a gentleman’s sport governed by the “responsible disclosure” protocol of thank-yous and how-do-you-dos is now being perverted by money into the dark and dirty game of bounty hunting on the eve of Microsoft’s Vista release. The title is a bit misleading. The market is legal. A particular sale may not be, however. While there are no laws that forbid the simple sale of exploit or virus code, the U.S. Department of Justice has taken the position that distributing code with malicious intent, or with the knowledge that the recipient intends to use the code to break the law is a crime. I’m glad the Times has made some effort to qualify the term hacker with “underground” or “nefarious” when they mean a bad guy, rather than using the word hacker itself in a negative way. I’ll be interested in hearing how my hacker friends receive this article.

I also just learned that Rob Lemos, a reporter with Security Focus has an article on the topic of vulnerability bounties as well.


The Chilling Effect, an article in the recent edition of CSO Magazine, talks about vulnerability reporting and computer security. Written by Scott Berinato, the article claims to cover “how the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.” It’s well worth reading for an overview of where we currently stand with the practice known as “responsible disclosure”. I’m quoted in the article, and there’s a nice picture of me, but not in the online version. Can you guess where the photo was taken?

Court finds NJ users can expect privacy from Internet providers – Newsday.com

I’m quoted in this article about State v. Reid (.pdf), a new court ruling out of New Jersey that suppresses evidence improperly subpoenaed from an ISP in a criminal investigation. The ruling is important in that it recognizes a constitutional right to privacy in personal information held by third parties, though not under the federal Fourth Amendment. I think the opinion overstates quite a bit how much consensus federal courts have reached that information, including communications, held by third parties is no longer private. Rather than distinguish federal law, however, the case depends on the New Jersey constitution, which the court says protects a right to privacy that includes controlling the dissemination of information about oneself. The ruling doesn’t say that law enforcement can never access this information, but only that they must do so with appropriate legal process, to ensure that police need for access is appropriately balanced with individual rights. I’m not an expert in NJ state privacy law by any means, but I’d be interested to know more about whether the state constitutional right to privacy controls private parties and how the right interacts with First Amendment law, for example, reporting about celebrities.

slight paranoia: My Lawyers respond to TSA

The Stanford CIS/Cyberlaw Clinic is representing Chris Soghoian in a civil investigation by the Transportation Safety Administration of his boarding pass generator and webpage critical of the practice of letting people into the secured area of an airport based on the pass alone, without identification. TSA has threatened him with a civil action, and this is our response.





Pork and Shrimp Wonton Project

Originally uploaded by Ms. President.

Last weekend I made gyoza and pork wontons. See the magic happen before your very eyes here on flickr

I agreed to be on taugshow, an alt.TV show by the good folks at monochrom. The show appears to be well described by the adjective “zany”, and is going to be filmed on February 11 at 8PM at the Exploratorium. You can come and see the filming. In fact, you should come and see the filming. It will be in English. My co-star is J.D. Lenzen — by day an environmental chemist, by night a rope bondage instructor. And I will strive to make the law seem comparably interesting. I’ll be talking about hacking.

Our client Kevin Poulsen reports on his recent award of attorney’s fees following his successful Freedom of Information Act case against the government.


This symposium is free, and you get eight MCLEs for it. See you there!

Beyond a Physical Conception of the Fourth Amendment:
Search and Seizure in the Digital Age

Stanford Law School
January 26th, 2007
http://stlr.stanford.edu/symposium.html

* Can the government search your computer without a warrant?
* Can they obtain your personal information from your Internet service provider?
* Is it constitutional for the cops to track your movements?

Hear what the experts have to say, and let them know your opinions, through our symposium: Beyond a Physical Conception of the Fourth Amendment: Search and Seizure in the Digital Age. Top technology and privacy experts from across the country will argue about the Internet, criminal procedure, RFID, and the Constitution.

Best of all, you can participate! Five authors’ drafts will appear on the symposium website for commenting before (and after) the live event. Read, respond, and be heard in the live discussion!

Where: Stanford Law School
When: Friday, January 26th, 8:30 A.M. to 6:00 P.M.
Admission: free, and open to everyone!
Website: http://stlr.stanford.edu/symposium.html
Sponsors: the Stanford Technology Law Review, Center for Internet and Society, and Criminal Justice Center

Registration: let us know your name and whether you’re coming at techsymposium @ gmail.com!

We are hiring new fellows and a new Associate Director for the Fair Use Project. If you or someone you know would be good for the job, please apply/spread the word.
