Cyb3r Crim3

July 2006 - Posts
Jul 31

Cartapping

Almost forty years ago, in Katz v. United States, the U.S. Supreme Court held that it was a violation of the Fourth Amendment's ban on "unreasonable" searches and seizures for law enforcement officers to wiretap a telephone call.

In Katz, the FBI put a wiretap device on the outside of a phone booth, knowing Charles Katz, a suspected bookie, would use the booth to make calls concerning illegal bets. Until 1967, it was not considered a "search" for officers to do this; the U.S. Supreme Court had held in 1928 that the FBI did not violate the Fourth Amendment by using a wiretap on phone lines outside a home to eavesdrop on a telephone call being made from inside the home. The result of the Court's 1928 decision was that officers did not need a warrant to wiretap telephone conversations.

The Katz Court rejected this notion, holding that it is a search to wiretap a telephone call when the callers have taken steps to ensure their conversation is "private." The Court found that Katz had done this when he entered the phone booth and closed the door behind him. So, the rule that comes from the Katz case is that it is a "search" for law enforcement officers to violate a "reasonable expectation of privacy" by using technology or by more traditional means, such as kicking down the door to someone's apartment and entering to "look around." A "reasonable expectation of privacy" exists when (i) I think something (a place, an activity) is private and (ii) society agrees that it is, in fact, private. The Katz Court noted, however, that whatever one "knowingly" exposes to public view, "even in his own home or office," is "not a subject of Fourth Amendment protection.

This brings us to something new: cartapping.

In 2003, the U.S. Court of Appeals for the Ninth Circuit issued a decision, In the Matter of the Application of the United States for an Order Authorizing the Roving Interception of Oral Communications, which was an appeal from the U.S. District Court for the District of Nevada. The issue in the case was whether the FBI (again) could obtain a court order compelling a car manufacturer to use technology installed in one of its automobiles to let FBI agents eavesdrop on conversations in the car.

The opinion carefully does not identify the car manufacturer, though it cites BMW and Cadillac as cars that have such technology installed in them.  A couple of months ago, I spoke with a federal prosecutor who was involved in the case, and learned the car was a Mercedes.  

The technology -- which the opinion calls "the System" -- is becoming increasingly common: on-board telecommunications systems that "assist drivers in activities from the mundane -- such as navigating an unfamiliar neighborhood or finding a nearby Chinese restaurant -- to the more vital -- such as responding to emergencies or obtaining roadside assistance." In the Matter of the Application, supra. As the opinion notes, these systems rely on a combination of Global Positioning System technology and cellular phone connections.

The System installed in the vehicle at issue in this case allowed the manufacturer to open a cellular connection and listen in on conversations held in the car. (According to the opinion, the purpose of this feature of the System was to let the manufacturer assist police in locating stolen vehicles; the rather peculiar assumption seems to have been that vehicles would be stolen by two or more thieves, who would discuss the theft and/or their whereabouts as they fled the scene of their crime.)

Anyway, the FBI figured out that the System could be used to eavesdrop on conversations being held in a vehicle owned by what we might call "a person of interest." FBI agents got the local federal district court to order the manufacturer to cooperate by opening the cellular connection and letting FBI agents use it to overhear what was said in the vehicle. The manufacturer complied with the first order, challenged subsequent orders unsuccessfully in the district court and therefore complied with them, as well.

Obviously, the manufacturer has a great incentive not to cooperate with the FBI.  I cannot imagine that this particular use of the System would be a great marketing point.  (“Buy our car and the FBI rides with you.”  No thanks.)  So one interesting point about the case is that the battle is between the car manufacturer and the FBI, not between the person who owns the car (and whose privacy is being, I submit, violated).  As far as I know, he never suspected what was going on.

The manufacturer appealed the district court's rulings, and the Ninth Circuit sided with the company.

The Ninth Circuit based its holding on a technical issue that arises under the federal statutory scheme that implements the Katz decision. Known as Title III, this statutory scheme requires law enforcement officers to obtain a Title III warrant before they intercept telephone or other communications. The statutory scheme establishes a Fourth Amendment-plus standard for obtaining such orders. This statutory scheme allows courts to order private parties -- such as a telephone company -- to assist law enforcement in intercepting calls and other communications, but it specifically provides that such assistance cannot be required when it would substantially interfere with the private entity's ability to provide the services it has contracted for. The Ninth Circuit found that was true here; when the cellular connection was open, it essentially shut down the System's other functions.

That is not what I find interesting about the case. What I find interesting is whether, given the increasing proliferation of systems like this, we still have a reasonable expectation of privacy in our cars.

For many decades, in real-life and in movies, the car was the place people went to when they wanted to talk without fear of being overheard. And until recently, anyway, people would have had a reasonable expectation of privacy, under Katz, in what they said in their cars. People believed the interior of their car was, like a telephone booth, a private place for conversations; others could see inside, but they could not hear what was said inside, at least not if the windows were closed and the people inside spoke softly. And since everyone believed this, it was an expectation society regarded as reasonable.

But what about now? Remember, the Katz Court said the Fourth Amendment does not protect what we "knowingly" expose to public view or public hearing. This is known as the assumption of risk principle: If I do not take steps to prevent my conversations from being overheard, then I have assumed the risk they will be overheard and I have no Fourth Amendment expectation of privacy in them.

If I buy a car, knowing it has a version of the System installed in it, and knowing that the System can be used to listen in on what is said in the car, haven't I assumed the risk that someone will listen in? If so, I have lost any expectation of privacy in the car under Katz.

I threw this issue out in my cybercrimes seminar last term. One student's husband has the System in his car; she said that the operators often open up a connection essentially to "check in" with the occupants, asking them if they are "all right," for example. Based on this, she says she thinks the car is "about as private as a park bench."

Another student, whose car also has a version of the System but who does not have operators checking in to see how she is doing, says she believes the presence of the System does not alter our Fourth Amendment expectation of privacy in vehicles at all. She bases her view on the premise that she has to initiate contact with the operators of the System in her vehicle (and is charged every time she does so). She therefore concludes that it would be an illegitimate use of the System for those who monitor the technology in her vehicle to listen in on conversations held in the car.







Jul 30

Using Cell Phones to Track People

As you probably know, your cell phone can be used to track your movements.  There are two ways to do this:  One is triangulating signals from cell phone towers; the other is using GPS technology in the cell phone itself. 

A federal law required that all cell phones sold after, I think December 2004, have GPS technology installed, as a safety measure.  The law grew out of a sad case in Florida, in which a woman was driving through swampy terrain, had a wreck, went off the road, was severely injured and called 911 for help.  The problem was that she did not know where she was, so she could not guide rescuers who were trying to find her.  She died.  The law is intended to prevent this, and I think that is a good idea.

Some time ago, law enforcement officers figured out that our cell phones can be used to track our movements, using either method, and started going to cell phone companies to get them to do this.  As I understand it, the systems used by the companies pretty much do this anyway, as a part of providing service.  So what law enforcement really wanted was for the companies to turn over that information to law enforcement (and maybe focus or enhancing the tracking a bit, as necessary.

This is now increasingly common, and it has already produced a number of decisions by federal district courts (and other courts).  The issue is whether using someone's cell phone to track them is a "search" under the Fourth Amendment. 

As I explain in my "Notes on the Fourth Amendment" post, if it's not a search, law enforcement can do this without a warrant . . . just as in 1979 they got a phone company to put a pen register on Michael Smith's home telephone.  The pen register tracked the numbers he dialed, and that information was used to get a search warrant for his home.  He moved to suppress the evidence seized from his home, claiming that the use of hte pen register was a search, was conducted without a warrant (or an exception to the warrant requirement) and was therefore "unreasonable" and violative of the Fourth Amendment. In Smith v. Maryland, the Supreme Court (in a decision I think is wrong, wrong, wrong) held that it was not a search, because he "voluntarily" gave this information to the phone company.  The Court then applied the standard they have always used for snitches, which is that if I tell you of my plans to rob the local bank, I can't complain when you tell law enforcement what I said.  I have no reasonable expectation of privacy here because I've assumed the risk you will rat me out.

The problem, as I see it, with the Supreme Court's position on all this is that it involves a false choice, that is, a choice that really is no choice:  To the extent I use technology, I assume the risk that the providers of that technology will share information with the government about my activities, what I assume are "private" activities.  The only way I can avoid assuming that risk is not to use technology, which I don't think was a viable option in 1979 when Smith was decided, and certainly is not a viable option now.  If you go with the Supreme Court's view, about the only way you can have privacy in a world of pervasive technology is to go live in a cabin off in the words, like the Unabomber.

Okay, back to cell phones.  The government, basically, argues that using your cell phone to track your movements (which can be done with remarkable precision) is not a search for the same reason it was not a search to install a pen register on Smith's phone.  You voluntarily "give" this information to your cell phone provider and cannot, therefore, claim it is "private."  Some federal courts seem to buy this argument, but others are not. 

The analysis is further complicated by the fact that there is a statute that governs the installation of pen registers; the government also argues that the pen register statute, which merely require an officer to say that he thinks getting the desired information will help an investigation, authorizes using cell phones to track your movements. Some courts are buying this argument, some are not.

I happen to think this is a very important issue, because it goes to a topic I will be writing more on:  The government's exploiting our personal technology -- technology we have chosen to use because it makes our lives easier, safer, better, etc. -- to monitor our movements and other activities.  The principle the government relies on -- which comes from the Smith case and from the Katz case I mentioned in my Notes on the Fourth Amendment post -- is that by giving certain information to a third-party I assume the risk they will give it to the government.

Now, I have no problems with that principle when it comes to conversations between criminals and would-be criminals.  We all know we assume the risk that someone will betray us when we share information with them; and criminals know, or should know, that this risk is heightened when you are dealing with people who do not have a particular good track record for integrity.

I don't, however, think this applies to information I share, pursuant to a contract, with a legitimate service provider, like a cell phone company.  You may recall the standard I mentioned earlier, the one the Supreme Court uses to decide if we have a reasonable expectation of privacy in an area or activity.  Under that standard, I have a Fourth Amendment expectation of privacy in something if (i) I think it's private and (ii) society agrees.

I haven't conducted a formal poll, but my sense is that most people believe that the information they share with their cell phone company (calling records, location data) is private.  I know I think it should be private, though I am aware there is an argument to the contrary, given the position the Supreme Court took in the Smith case.

This may seem a trivial point, but think of the implications:  This assumption of the risk of sharing information rule applies not only to cell phone companies, but to any company.  As personal technology becomes an ever-more pervasive feature of our lives, that means the government can use these third-party entities to "harvest" a great deal of information about us . . . unless and until we persuade the Supreme Court to revisit Smith.


Jul 30

Notes on the Fourth Amendment

I'm going to do several posts that deal with Fourth Amendment issues (and will no doubt do many more as we go along), so I thought I'd do a post that outlines basic Fourth Amendment principles.  That way, I can refer back to it instead of repeating all that in every Fourth Amendment-related posts.

Okay, the Fourth Amendment creates a right to be free from "unreasonable" searches and seizures.  When you parse that principle out, you get these sub-principles:
  • The Fourth Amendment only comes into play when there has been what I call a Fourth Amendment event:  a search or a seizure.  Searches violate a reasonable expectation of privacy.  In Katz v. United States, decided in 1967, the Supreme Court held that one has a reasonable expectation of privacy if (i) they think something (like my house or my desk) is private and (ii) society agrees that it is.  (i) is a subjective standard, while (ii) is an objective standard.  Seizures of property interfere with the owner's possession and use of that property.  My favorite seizure case is Soldal v. Cook County, which involved the Cook County police's towing Soldal's mobile home. Soldal esssentially argued, all the way to the Supreme Court, that towing his mobile home.  The Supreme Court, of course, agreed:  If you take away someone's property, you have clearly interfered with their possession and use of that property.
  • If you don't have a search or a seizure, the Fourth Amendment doesn't come into play.
  • Only "unreasonable" searches and seizures violate the Fourth Amendment.  If the search and/or seizure is "reasonable," there is no constitutional violation.
  • There are two ways a search or seizure can be reasonable:  The first, default standard is using a search warrant (which should be called a search and seizure warrant, since it lets police search for evidence and then seize it when they find it).  To get a warrant, police must go to a magistrate, present the magistrate with facts they say establish probable cause to believe evidence of a crime is in a particular place, and ask the warrant to issue a warrant authorizing them to go get the evidence.  If the magistrate agrees (and they almost always do) that the evidence establishes probable cause, he/she will issue the warrant.  The search for the evidence and its seizure will be "reasonable" if the officers stay within the scope of the warrant.  They cannot, for example, go to a home to search for a stolen big-screen TV and open dresser drawers; since the TV could not be in dresser drawers, it is "unreasonable" for them to do this.
  • The other way a search or seizure can be reasonable is when an exception to the warrant requirement applies.  One exception is exigent circumstances; so if police have probable cause to believe evidence in a particular place and that the evidence will be destroyed if they take the time to get the warrant, they can go in without a warrant and get it.  Another is consent:  If an officer says to you, "Can I search your car?" and you agree, you have consented, which means you have given up any Fourth Amendment expectation of privacy you have in your car.  There are a number of other exceptions, but you get the idea.
Jul 29

"Access"


“Hacking” is probably the best-known type of cybercrime, so I want to write a bit about it, from two perspectives:  terminology and law.

Terminology is important because we really do not have settled terms in this area.  As I suspect most people know, hacking is an ambivalent term:  Historically – twenty, thirty, even forty years ago – the term “hacker” denoted someone who was intelligent, creative and resourceful and who “hacked,” i.e., explored computers and computer systems to see how they worked and how one could “access” (more on that in a minute”) a closed system.  Hacking was an intellectual exercise, a constructive exercise because what someone learned by hacking often helped improve how computer systems functioned.

The terms “hacker” and “hacking” then went through an intermediate stage, one in which they began to take on negative connotations.  “Hacker” began to become synonymous with “intruder,” or “burglar” (since burglars “break in” to places where they are not supposed to be).  During this period, distinctions arose between “white hat hackers” (who engaged in hacking as a constructive exercise) and “black hat hackers” (who hacked for illegitimate reasons).  There was also (still is, I guess?) the notion of the “grey hat hacker” whose activities fell in between, were a mix of constructive and illegitimate.

When I speak on cybercrimes, I sometimes use the term “hacker” and sometimes get grief for doing so because the term necessarily encompasses all three categories.  I get grief (when I do) from people who point out that hacking is not always a “bad” thing and, historically, began as a “good” thing.  I do not disagree.  I simply explain that I need a term to use to refer to people who break into systems, and hacker is all I have.  

And I think the notion of white hat hacker may be declining, at least in the popular consciousness.  I think that, for many people, “hacker” has become synonymous with “criminal.”

Why is that?  I think it’s due to an interaction between law and how computer technology evolved over the last two decades or so.  As far as I can tell, the concept of hacking as constructive intellectual exercise prevailed pretty much unchallenged when computers were mainframes and even after they began to evolve into smaller versions, precursors of the desktop PC.  The concept of “black hat hacker” emerged and began to dominate with the proliferation of desktop PC’s for at least a couple of reasons.  One was that the attendant development of the Internet made it possible for a lot more people to be able to explore computer systems; and many of them were not motivated by the intellectual curiosity that prompted the original hackers to explore computer systems.  The other reason is that as desktop PC’s (and analogues) proliferated, businesses and other likely targets of financial crimes came to rely upon them; this, of course, created an incentive for people to “hack” for purely criminal purposes.

Okay, that’s a brief history (hopefully fairly accurate) of hacking as terminology.  Now I want to talk about law and hacking.

The U.S. federal government, every U.S. state and many other countries have laws that make “hacking” illegal.  How do they do this?  They do it by making it a crime to “access” a computer or computer system without being “authorized” to do so.  These statues will provide that it is a crime (of varying levels) intentionally (or knowingly) to “access” a computer, computer network or computer system (they do tend to use all three) without being “authorized” to do so.  In the world of the law, this means that it must either be your goal (your intent) to gain access to a system without being authorized to do so, or you must do this knowing that you are not authorized to do so.  (Acting intentionally is usually seen as more “wrong” than merely acting knowingly, but that is not always true – it depends on the jurisdiction.)

Okay, the crime popularly known as “hacking” consists of “accessing” a system without authorization.  The “without authorization” part is pretty easy, conceptually, because it’s analogous to burglary (entering someone else’s property without their consent).  Police find me in a house that does not belong to me; I broke a window to get inside and I have a pillowcase filled with stuff from the house.  My entry is “without authorization” because (i) the owner of the house didn’t give me permission to enter and (ii) I clearly know that.

The problem is “access.”  What does it mean to “access” a computer system?  Hacking is analogous to burglary in that you do something you’re not supposed to do, but you do not physically enter a computer system.  You do . . . something else.

The federal hacking statute (18 U.S. Code § 1030) does not define “access.”  Many state statutes do, and they usually say something like this:  “`Access’ means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network.”  (Florida Statutes § 815.03).

There are very few cases that deal with what “access” is, in practice.  The one that is most often cited is from Kansas:  State v. Allen, 917 P.2d 848 (Kan. Sup. Ct. 1996).  In the Allen case, the defendant was war-dialing – using a dial-up modem to repeatedly contact the computer system at the Southwestern Bell Company.  If a dial-in connected with the Southwestern Bell system, he hung up.  He was apparently exploring the possibility of connecting to the system and interacting with it, but never got that far.  The Kansas Supreme Court threw out the hacking (unauthorized access) charge against him because it said he had not “accessed” the system:  “Until Allen . . . entered appropriate passwords, he could not be said to have had the ability to make use of Southwestern Bell's computers or obtain anything. Therefore, he cannot be said to have gained access to Southwestern Bell's computer systems”.

Most of the time, “access” is not a real problem because the perpetrator (the “hacker”) does communicate with the system and usually goes further by copying or deleting data, say.  Access becomes problematic when, for example, someone is port scanning a system.  There is only one federal case on port scanning and that court, like the Allen court, said that it was not access . . . which means it may not be a crime.  (It is also a crime to attempt to gain access, but I have not seen any prosecutions for that.)

“Access” is particularly problematic when it comes to wireless systems:  If I am in public, find an unsecured wireless network and use it (free-ride on it), have I illegally “accessed” that system?  I don’t think so, based on the cases I note above and on common sense.  Many people agree, but some disagree.  Indeed, this post was prompted by an email I got today from a friend in Europe, where they are debating this.

I think the free-riding on a wireless system might well be prosecutable as theft of services (like stealing electricity) because you know you are getting something you paid for.  On the other hand, though, there are intentionally free wireless systems out there, so you may not actually know that.

You would think law would have figured all this out by now, wouldn’t you?


Jul 29

Statute Allowing Law Enforcement to Obtain Emails Is Unconstitutional

On July 21, an Ohio federal district court issued a decision that could have major repercussions for law enforcement's ability to investigate cybercrme cases.

The case is Steven Warshak v. United States (Southern District of Ohio Case No. 1:06-cv-357). The opinion was issued on July 21 by Judge Susan Dlott, who sits in Cincinnati.

The case is a civil suit:  Warshak sued the U.S. government, claiming that it violated "the Fourth Amendment to the United States Constitution by directing" Internet Service Providers "to produce . . . electronic mail . . . of Warshak's from their servers pursuant to warrantless search orders issued under" 18 U.S. Code § 2703(d). He then filed a motion asking the court "to prospectively enjoin the United States from obtaining and enforcing any future § 2703(d) orders."

According to the opinion, last year federal agents were investigating "allegations of mail and wire fraud, money laundering, and other federal offenses in connection with the operations of Berkeley Premium Nutraceuticals, Inc. . . . a company owned by Warshak." As part of that investigation, the agents obtained § 2703(d) orders from a federal magistrate; the orders directed two Internet Service Providers (NuVox Communications and Yahoo) to turn over information about Warshak's emails and email account. The ISP's complied, and provided the information last year. Warshak was informed of all this on May 31, 2006, after the federal unsealed the orders to the ISP's. This prompted his lawsuit, which had two claims; we will only focus on one, the Fourth Amendment issue, because this is the issue on which he prevailed. (Since he won on the first issue the court did not address the second.)

Section 2703(d) lets a court issue an order -- like the ones above -- that requires an ISP to produce emails if officers offer "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication. . . are relevant and material to an ongoing criminal investigation." According to the opinion, the agents met this requirement, and so obtained the orders seeking Warshak's emails.

Now, as the opinion correctly notes, this "reasonable grounds to believe that the contents" of email "are relevant and material to an ongoing criminal investigation" standard is a lower standard than the probable cause standard included in the Fourth Amendment. The Fourth Amendment states that "no warrants shall issue but upon probable cause", which means that the government must (a) show probable cause to believe that a crime has been committed and evidence of the crime will be found in the place to be searched and (b) obtain a search warrant to go get that evidence.  While probable cause has not been quantified, it is clear that "reasonable grounds" is a less demanding requirement than "probable cause."  The government conceded that in this case.  (And, of course, the government did not get a search warrant, which is important because warrants constrain the scope of evidence-gathering in ways that a § 2703(d) order arguably, at least, does not.)

This, then, is the issue: The statute lets the government use a sub-Fourth Amendment standard to obtain email. This procedure will be constitutionally permissible if the Fourth Amendment does not encompass email stored on an ISP; it will not be constitutionally permissible if the Fourth Amendment does encompass email stored on an ISP.

The Supreme Court held about 150 years ago that we have a Fourth Amendment expectation of privacy in sealed letters and packages sent via snail mail. The Supreme Court held about 30 years ago that we do not have a Fourth Amendment expectation of privacy in the numbers we dial from a telephone, even a telephone in our own home, because we have "voluntarily shared" that information with the phone company; since, according to this logic, we voluntarily shared the information with the phone company, they can give it to the government, without a warrant, if they like.

This latter holding is the basis of § 2703(d):  Congress assumed it applies to emails and other information shared with an ISP, which means the government does not need probable cause or a warrant to obtain that type of information.  Congress created the § 2703(d) procedure as essentially a middle ground (a sop to privacy advocates, some would say).  It means law enforcement has to do something to obtain this information, but not as much as they have to do when the Fourth Amendment is involved.

(We will assume here that the Supreme Court was correct when it held that we have no Fourth Amendment expectation of privacy in dialed phone numbers; I do not think the Court was correct, but we will not go into that now.)

Warshak argued that "emails stored on the servers of commercial ISPs" are more analogous to sealed letters sent via snail mail than they are to the phone numbers we dial. This is his theory:

"[I]n the case of email, the subscriber perhaps maintains more control over the email lettter than in any other traditional third party carrier context. . . . [T]he sender or receiver of a closed letter or package actually relinquishes control of the container and cannot immediately repossess the letter or package -- it is in the physical possession of the postal carrier and/or common carrier outside the dominion and control of the sender or recipient. In the email context, the owner of the email can repossess a read-and-then-closed email at any moment, without any notice or permission from the ISP, can retake the email, delete the email from his mailbox, or do what she wants to do with the email. . . ."

Steven Warshak v. United States.

Judge Dlott agreed, at least conditionally: "While the Court is prepared to reconsider its views upon the presentation of further evidence . . . it is not persuaded . . . that an individual surrenders his reasonable expectation of privacy in his personal emails once he allows those emails . . . to be stored on a subscriber account maintained on the server of a commercial ISP." The judge therefore issued a preliminary injunction barring the United States government from using a § 2703(d) order to obtain "the contents of any personal email account maintained by" an ISP "in the name of any resident of the Southern District of Ohio, including but not limited to Steve Warshak."

The injunction is limited to the Southern District of Ohio (which encompasses the southern half of the state, including Columbus, Cincinnati and Dayton) because this is the scope of this federal court's jurisdiction.  If, however, Judge Dlott stands by her decision (the Department of Justice will certainly ask her to reconsider), then this opinion would become a firmly-established precedent. (Right now, it is a precedent, but unless and until she rejects a motion to reconsider it at least has the potential to become an altered, or even an erased, precedent.)

If she were to do that, I am sure the Department of Justice would appeal her decision to the Sixth Circuit Court of Appeals (the federal court of appeals that hears cases from Ohio), because it effectively nullifies the government's ability to use § 2703(d) to obtain emails and email information from ISPs. The even greater concern for the Department of Justice, though, is that this decision will establish the general principle of § 2703(d) is unconstitutional because it violates the Fourth Amendment. If that principle stands, the statute will be unenforceable in any state in the United States. The Fourth Amendment, after all, applies everywhere, not just in the Southern District of Ohio.


Jul 28

Introduction

My name is Susan Brenner, and I am a law professor.

I specialize in the legal and policy issues generated by cybercrime, cyberterrorism and (to a lesser extent) cyberwarfare (a/k/a information warfare).

I have published many law review and other articles on these issues, and have contributed chapters to several books that deal with cybercrime and related topics.  Last year, edited a book on jurisdiction in cybercrime cases with a professor from the Hague; it is being published this year by Asser Press.

Jurisdiction is an important issue in cybercrime cases for several reasons, the most basic of which is that a court cannot entertain and adjudicate a criminal case against an accused cybercriminal unless it has jurisdiction over that case.  To have jurisdiction over the case, the applicable law (statutes, usually) must give the court the power to hear that case.

Jurisdiction can become problematic in cybercrime cases because cybercrime cases tend to be transborder, i.e., tend to involve a perpetrator (or two or more) located in one jurisdiction and a victim (or two or a thousand) located in another jurisdiction.  This can be problematic because criminal jurisdiction – a court’s power to entertain and adjudicate a criminal case – has usually assumed that a “crime” will be committed in one and only one jurisdiction.  That has been a reasonable assumption because most crimes require that the perpetrator and victim be in physical proximity to each other; it is, for example, not physically possible to murder someone by stabbing or shooting them unless both the killer and killed are in the same place.

Cybercrime does not conform to this model, which is why jurisdiction becomes problematic.  With cyberspace, a perpetrator (or several) in one country can commit a crime against a victim (or two or a thousand) in another country (or several other countries).  The law then has to figure out how to decide if and when it has jurisdiction over the perpetrator for what he (they) did.

This example illustrates the kinds of things I will be posting about.  I will be writing about both procedural issues like this and issues involving substantive law (the law that defines crimes, like fraud and theft and homicide and hacking).

I hope you find the posts interesting.

I will be very interested in any comments you may have.  And I am also interested in hearing any suggestions you have for post topics.

This Blog

Syndication

Recent Posts

Sponsors

Tags

No tags have been created or used yet.

Archives