May 2007

Paul Ohm and I wrote an amicus brief in the 10th Circuit case of US v. Andrus, the opinion I wrote about in last week’s Wired News column. In the case, the defendant’s aged father gave officers permission to search his adult son’s computer without a warrant. The father, however, did not have the authority to consent and the computer was password protected. The officers used EnCase, which is not limited by password protection, and have thus successfully claimed that they had no reason to know that the father was locked out of the machine did not have the authority to allow their search.

If you are interested in the brief, which discusses why the Fourth Amendment requires that digital locks be treated the same as physical locks as well as the hypocrisy of investigators who claim EnCase gave them no clue that the father was locked out of the machine, while routinely using the very same program to identify passwords and permissions for the purpose of proving ownership of contraband files, you can download it. (pdf)

I link to the original decision and my column from this earlier post.

Doe Wins Motion to Unseal, Bodes Well for Preservation of Anonymity | Stanford Center for Internet and Society [beta site]

H.B. Fuller v. Doe is a case my Cyberlaw Clinic students and I have been working on for a year or so. Today we had some good news. The Sixth District Court of Appeal in California has granted our client John Doe’s motion to unseal records. In the trial court, Doe and Fuller stipulated to sealing documents Fuller claimed contained confidential information. On appeal, we moved to unseal the records in the appellate court because they do not contain confidential information. The appellate court agreed in this published opinion.

This conclusion could lead to a great outcome. Allowing companies to bring employee breach of contract claims based on conclusory allegations of confidentiality could really threaten anonymous speech. The case law clearly establishes a right to anonymous speech and a burden on plaintiffs to make some showing of wrongdoing before enforcing subpoenas for identity information, but exactly what that burden of proof is and what evidence is sufficient is still being fleshed out in the courts, including through cases like Fuller v. Doe.

For more about the case, visit the Fuller v. Doe page

space invaders!

Originally uploaded by charoE

I spent the weekend keeping the planet safe from my weapons outpost at the Santa Cruz Boardwalk.

Originally uploaded by charoE

Loki is Yoda.

Michigan man dodges prison in theft of Wi-Fi | Tech news blog – CNET

Arrgh! Why don’t these wi-fi users call me? I’d love to help fight a prosecution like this.  Apparently, Orin Kerr and I agree that there are a lot of solid defenses to this kind of charge.  I’ve even written a motion that is a broader corollary of the due process claim Orin describes.
The brief argues that Anglo-American jurisprudence usually requires that the criminal defendant have a guilty state of mind (mens rea) and that if a statute does not expressly state that the crime is one of strict liability, then courts must read mens rea into the statute.  What this means for users of open wireless access points is that the prosecution should have to prove that they knew their access was prohibited by the owner, and that lack of authorization can not be presumed, especially in the absence of security barriers or warnings.
Now I’m just waiting for an opportunity to use this argument.

Today’s Wired News column is Hack My Son’s Computer, Please, a discussion of the Fourth Amendment opinion in U.S. v. Andrus (pdf), issued in April by the Tenth Circuit Court of Appeals. In the case, a three judge panel of the Court said that police reasonably believed that a 91-year-old father was an authorized user of his adult son’s password-protected computer, in part because the officers did not know the computer was password-protected because they used Encase to scan it. The defendant’s attorney will ask the full Court to rehear the case en banc and my colleague, Professor Paul Ohm at the University of Colorado Law School, and I are working on an amicus brief in support of the proposition that where the only thing authorizing a search of a private computer is the consent of a third party, the officers can not use a tool that is designed to disregard locks that keep that third party out, indicating that the person didn’t have the authority to consent to the search in the first place.  I’m studying EnCase for the brief. Any ideas are welcome.

For more discussion of the Andrus case, visit this threat on The Volokh Conspiracy.

Online Advertising: So Good, Yet So Bad for Us is my latest Wired News column.

The column discusses a debate at this year’s Computers Freedom and Privacy conference between Jeff Chester of the Center for Digital Democracy and Mike Zaneis from the Interactive Advertising Bureau. On one side, Chester argued that online advertising is privacy invasive and should be subject to consumer opt-in.  On the other side, Zaneis argued that advertising makes great content possible, gives people ads that are relevant to them, and doesn’t collect sensitive information.  I find something each man says to disagree with in the column, and don’t necessarily come up with a better answer.  Both Chester and Zaneis wrote me nice emails about the column, which I really appreciate.