S. G. R. MacMillan: For the defence of serious criminal cases

	Front Page
	The Firm's History
	Practice Areas
	Philosophy
	Resources
	email

	PGP Public Key

Vancouver Toronto

120 Adelaide Street West, Suite 2110, Toronto, Ontario M5H 1T1
(416) 363-0100

355 Burrard Street, Suite 1300, Vancouver, British Columbia V6C 2G8
Toll Free in North America: 1-877-363-0100

The Feds and the Net: Closing the Culture Gap

By Mike Godwin

Column for Internet World

May 1994 issue

It was about halfway through my lecture at the FBI Academy at Quantico

last fall that I began to sense in my audience a rising hostility.

And, let me tell you, I take it very seriously when I'm feeling hostility

from people who are licensed to carry weapons.

But in spite of my nervousness, which I tried to hide from the FBI agents

and federal prosecutors in my audience, I pressed on with my criticisms of

federal law enforcement's investigations and prosecutions of

computer-crime cases. In my experience, I told them, these law-enforcement

efforts have all too often infringed on the rights of presumptively

innocent citizens. And the infringements have occurred in ways that can't

easily be remedied by the traditional legal system.

But the hostility and resistance I met with at Quantico from some (but by

no means all) of my audience showed me that the road to a solution is

going to be a tough one.

So, you may wonder, just what does Godwin think *is* the solution? Well, I

don't have all the answers, but I do know this: in the long term, both the

legal system and the law-enforcement establishment will have to learn to

protect these rights rather violate them.

The problem, of course, is that both of these institutions are notorious

slow in adapting to technological and social change. How, then, can we

make the criminal-justice system responsive in the short term to the

rights of individuals, not all of whom are suspects or targets of criminal

investigations? And that's why I was at Quantico that day--I was hoping to

engage in a dialog designed to help answer that question.

I had been invited by Hal Hendershot of the FBI's Computer Fraud Program,

along with Scott Charney of the Justice Department's Computer Crimes

Unit. The five-day computer-fraud seminar was designed to give selected

FBI agents and assistant U.S. attorneys the background and expertise

required for investigating and prosecuting computer crime and toll fraud.

They heard details of past and present federal computer-crime

prosecutions, and learned the relevant federal law in the area. They also

learned about the Steve Jackson Games case, in which Secret Service agents

were successfully sued by the games publisher and several other plaintiffs

for having violated their statutory e-mail privacy and publisher's rights.

They also learned technical details about computers, computer networks,

and the phone network, and Ilene Rosenthal of the Software Publishers

Association came in to inform them about the legal issues raised by

software copyright infringement.

At the end of that five-day period, I was given an hour to talk to the

attendees about my organization, the Electronic Frontier Foundation, and

about the civil-liberties issues raised by computer-crime investigations.

I introduced myself, told them about my background in computers,

journalism, and law, and I talked a bit about EFF's current work, which

includes helping to develop national policy on issues like encryption

technology and growth of the National Information Infrastructure.

Then I got to the heart of the matter. I told them about about EFF's

origins in what its founders, Mitch Kapor and John Perry Barlow, saw as

the mishandling of computer-crime cases. Although we do other kinds of

work as well nowadays, at the start EFF was concerned about whether

computer-crime cases were being handled in ways that promoted justice. To

underscore the point, I talked about three cases I'd worked on:

_The Steve Jackson Games case._ As I noted above, the agents and

prosecutors had already heard something about Steve Jackson Games, which

was not a criminal case but a civil case arising from a mishandled and

overreaching search and seizure of a publisher of role-playing games. What

my audience had already heard was how the search warrant had been badly

written, and how the Secret Service field agents had done too little

investigation into the business they were searching. (For example, they

apparently thought that the SJG game book called GURPS CYBERPUNK was "a

manual for computer crime." In fact, it was the rulebook for a

science-fiction roleplaying game.)

I tackled the case from a different angle. I pointed out that Steve

Jackson Games was not the target of the investigation, so there was no

reason not to presume that the company, which had a fairly large staff of

writers and editors, was not perfectly legitimate. Although the Secret

Service apparently believed that one SJG employee might possess some

evidence about a computer crime, there was no reason to disrupt this

business in order to seize that evidence--the company's founder and

president, Steve Jackson, would have happily complied with a subpoena.

But the Secret Service operated on the assumption that anyone running a

bulletin-board system (BBS) and publishing books like GURPS CYBERPUNK

couldn't be trusted to comply with a court order to turn over evidence--so

they conducted a search and seizure instead, and in doing so pushed the

company to the brink of bankruptcy. Had EFF not stepped in and paid for

the company's lawsuit against the Secret Service, it's possible that the

damage would never have been remedied at all.

I pointed out that the Secret Service had also proceeded in either

ignorance or defiance of the First Amendment's protections for freedom of

speech and freedom of the press. A BBS, like an Internet node or a Usenet

site, is a medium for conversation, debate, discussion--as such, it

clearly raises a basic set of interests that have long been understood to

be protected by the First Amendment. What's more, Steve Jackson was a

traditional publisher as well--even if he *had* been publishing a "manual

for computer crime," such publications are understood to be protected by

the First Amendment.

Ultimately, Steve Jackson won his case. But, as you can imagine, neither

the lawyers nor the policemen in the room enjoyed hearing about how law

enforcement had shown a basic failure to grasp the meaning of the

Constitution.

_The Craig Neidorf case_. INTERNET WORLD readers will recall that I

recently published an article in these pages concerning the prosecution of

a young man named Craig Neidorf, who allegedly had engaged in interstate

transportation of stolen property when he copied a BellSouth E911

memorandum and published it in his online newsletter, PHRACK. What I

didn't tell you in that article, though, is that for a long time prior to

the Neidorf trial in July of 1990, the government's lead prosecutors had

been telling both the press and the judge that Neidorf had "stolen" not a

memorandum but the *actual source code* for the Emergency 911 system. They

did so even though it was apparent to non-programmers that the document

was written in English, not a programming language. They also claimed

that, with this document in hand, a would-be hacker could threaten the

functioning of the entire Emergency 911 system.

One might be charitable and suppose that a government lawyer couldn't be

expected to know that BellSouth "system practice" document was not a

program, not "source code." But this particular prosecutor had already

built a reputation for handling high-tech and computer-related crimes.

He'd gotten the first conviction under the federal Computer Fraud and

Abuse Act in a case involving Unix source code, so he'd seen source code

before.

Moreover, the government claimed at one point that the BellSouth document

was worth nearly $80,000. They had gotten this figure from a BellSouth

employee who, in calculating the cost of the document, threw in such

elements as the cost of the VAX workstation on which it was produced. (One

wonders if BellSouth makes a practice of firing up a VAX, wordprocessing a

single document, and throwing the machine away.)

When I pointed this out to my audience at Quantico, there was a distinct

rustling in the room, and the atmosphere grew a bit hotter--what was I

implying about the prosecutor?

_The Legion of Doom case_. In another case, related to the Neidorf case, a

team of prosecutors had negotiated plea agreements for the three young

"hacker" defendants, based in part on their having "stolen" a copy of the

same E911 document. The government used the same figures for valuation of

the document that it had used in the Neidorf case, and, indeed, the lead

prosecutor of the Neidorf case was involved in both the plea agreements

and the sentencing proceedings for these three defendants.

What's notable about this case, I told my audience, is that the government

told the judge that these defendants had possessed the E911 source code,

just as they'd said Craig Neidorf had possessed. The only difference was

that they did so in late fall of 1990--*months after it had been

established that the document wasn't source code at all.*

"It's very hard to explain how the government could make this kind of

claim so many months after the Neidorf case," I said.

At this point, one woman, an FBI agent, stood up and questioned me

pointedly: "Are you saying you think the prosecutors lied to the judge?"

I had to pause for a moment. "Well," I said, "yes, I do think so. But even

if you don't agree with me, I think you have to agree that, at the very

least, the government was *reckless* in what it told the court--almost

criminally reckless."

"But look," another FBI agent said heatedly, "wasn't it the obligation of

*their lawyers* to raise all these issues if the cases were so flawed?"

"Yes," I agreed. "But this is a new area of the criminal law, and

sometimes even the best criminal lawyers don't know enough to judge

whether the government's evidence is what they say it is. And in many of

these cases, defendants don't have access to the best lawyers--they have

to accept court-appointed counsel or overworked public defenders. So it's

not terribly likely that they'll spot all the relevant evidentiary issues

or understand the technology well enough to challenge the government's

claims."

"Well, what do you want us to do about that?"

"I think you each have an obligation," I said, "to use the knowledge you

acquire in this workshop to protect defendants' rights as well as try to

make your case. Both law-enforcement officers and prosecutors have sworn

to uphold the Constitution--part of this oath surely means stepping in to

protect a defendant's rights when you can't rely on the legal system or

his lawyer to do so."

This argument met a lot of resistance. "It isn't our job to protect the

defendant!" "What about protecting the general public's rights?" And so

on. So, to put a civil summary on what was a fairly tense exchange, I'd

have to say that we agreed to disagree.

I was gratified, however, after the lecture, when one prosecutor came up

to talk to me afterwards. "I just want you to know," she said, " that I

understood what you were saying, and I agree. I know you weren't attacking

us."

And it's true; I wasn't attacking anyone. What I was trying to do was

raise some consciousness. You see, as the the Net becomes more and more a

part of public life for everyone, increasingly there will be efforts by

the government to police this new arena of human interaction. Such efforts

will require not only new technical and legal expertise on the part of law

enforcement, but also an understanding of the nature and needs of the new

kinds of communities they'll be policing.

But, just as important, they'll also require that law enforcement agents

and prosecutors restrain their natural tendency to go for the throat and

rely on the adversarial process of the courtroom to hash things out.

Individual rights are too important to be sacrificed while we're waiting

for defense lawyers and judges to learn what source code is, or to know

when a cost estimate on a wordprocessing document is vastly overinflated,

or to know that Usenet is a haven for First Amendment-protected

expression.

The first line of defense against the infringement of our rights is an

informed law-enforcement team. But the road to making that line of defense

effective in computer-crime cases is going to be a hard one.

----

Mike Godwin (mnemonic@eff.org) is online counsel for the Electronic

Frontier Foundation, where he advises users of electronic networks about

their legal rights and responsibilities, and instructs criminal lawyers,

law-enforcement personnel, and others about computer civil-liberties

issues.

For info on EFF mailing lists, newsgroups & archives, mail eff@eff.org. To

browse EFF's archives, use FTP, gopher, or WAIS to connect to ftp.eff.org,

gopher.eff.org, or wais.eff.org respectively. Look in /pub/Eff. To get

basic EFF info send a message to info@eff.org. Send detailed queries to

ask@eff.org. For membership information, mail membership@eff.org.