10/09/12 | 06:00

Cyberattack Case Could Test Limits on Electronic Searches

The Recorder, Vanessa Blum
October 9, 2012

More than a year after federal agents arrested 14 people accused in a cyberattack on PayPal, the high-profile prosecution has ground to a standstill over the handling of computers seized in the investigation.

Searches carried out in a dozen states targeted computers, hard drives, and other digital devices, resulting in an avalanche of electronic material for investigators to sift through.

But intermingled with potential evidence of a crime were millions of irrelevant files, like emails, photographs, medical records, downloaded articles, Internet search histories, and old tax returns.

Just how far prosecutors must go to segregate and purge such extraneous material is a question that could derail the federal hacking case and test the limits judges place on electronic searches.

The defendants are each charged with conspiring to launch a cyberattack on PayPal's servers to protest a decision by the San Jose-based money transfer company to cut ties with online publisher WikiLeaks.

A team of defense lawyers, including some with their own radical stripes, have taken issue with prosecutors keeping full copies of their clients' computers and hard drives, saying the devices contain personal information the government has no right to hold under the Fourth Amendment's limits on searches and seizures.

The conflict has been raging since February with two orders from U.S. Magistrate Judge Paul Grewal siding with the defense that the irrelevant information should be purged. An appeal to U.S. District Senior Judge D. Lowell Jensen is set for hearing Thursday.

"They're not entitled to keep that information — period," said Thomas Nolan Jr. of Nolan, Armstrong & Barton in Palo Alto, who represents an Ohio man charged in the case. "That's what this battle is about." Prosecutors and the FBI are "trying to justify keeping everything they take and we're trying to say no."

The Anonymous case, U.S. v. Collins, 11-471, is being handled by federal prosecutors Matthew Parella and Hanley Chew in the U.S. attorney's San Jose office. Parella, a star prosecutor of the Barry Bonds trial, heads the region's CHIP — Computer Hacking and Intellectual Property — unit.

In a sign of how seriously the government is taking its appeal to Jensen, Justice Department appellate lawyer Jenny Ellickson entered her appearance in August.

Since nearly every criminal case from child pornography to tax evasion involves the seizure of computers or other digital materials, the issue has implications far beyond cybercrime cases, lawyers said.

"It's permeating criminal investigations," said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation. "What the government is arguing is that people increasingly use computers to further their crime and we have to search through everything, because criminals don't label their contraband."

Technology should allow government to more narrowly target searches of electronic data, said Fakhoury, a former federal public defender in Southern California.

"What the government is saying is the exact opposite, that the technology is so complicated, it's impossible to ferret out what is relevant or irrelevant," he said.

In the background of the debate is a 2010 en banc decision from the U.S. Court of Appeals for the Ninth Circuit that rebuked prosecutors and agents for a sweeping electronic search in their investigation of suspected steroid use by Major League Baseball players. The decision in U.S. v. Comprehensive Drug Testing, 621 F.3d 1162, rankled prosecutors, and many in law enforcement would like to see it diminished. Parella was one of the prosecutors involved in defending the steroid investigation.

That was on Nolan's mind when he told Grewal at a July hearing that prosecutors were exaggerating obstacles they would face in deleting the extraneous files.

"They don't like the law and they're trying not to follow it," he said.

Prosecutors accuse the defendants of taking part in a distributed denial of service, or DDoS, attack on PayPal's computer servers, a crude form of hacking which bombards a computer network with outside communications until it can no longer function.

According to prosecutors, the online collectivist group Anonymous coordinated the attack in December 2010 after PayPal suspended accounts used by WikiLeaks to receive online donations from supporters. Anonymous dubbed the attack "Operation Avenge Assange", referring to WikiLeaks founder and editor Julian Assange, prosecutors allege.

Defense lawyers say their clients don't belong to an organized political movement or even know one another.

Some attorneys for the 14 defendants reflect a similar renegade spirit.

Among them are Stanley Cohen, the New York lawyer known for representing accused terrorists; and Sebastopol-based solo Omar Figueroa, whose website features the image of a distinctly bohemian Lady Justice traipsing through hemp with the words "Cannabis Justice." Then there's Nolan, a free speech advocate and a veteran of cybercrime defense.

Several lawyers said they got involved in the case because they felt the government charges were inappropriate and targeted political activism.

Los Gatos solo James McNair Thompson likened the DDoS attack to a virtual sit-in on PayPal. A real world sit-in might result in misdemeanor charges, but here the defendants face potential 10-year prison terms.

Nolan and Thompson are leading the protest over the government's handling of evidence.

In seeking a warrant to search the Napa home of Thompson's client, Tracy Ann Valenzuela, government lawyers made the standard promise demanded in such cases. If they seized computers or other digital devices to review off-site, government agents would within 60 days of a forensic review "use reasonable efforts to return, delete or destroy any data outside the scope of the warrant unless the government is otherwise permitted by law to retain such data."

Such language, referred to as a protocol, is a typical feature of modern search warrants. Though not all the warrants issued in the case contained the same wording, the principle is the same, Thompson said. The government "has no business" under the Fourth Amendment maintaining copies of irrelevant personal files such as letters and photos, he said.

"There's no way they can argue they need photographs of someone's girlfriend or family to prove their case," Thompson said.

Thompson first raised the issue in January as part of a routine discovery motion. At that time, prosecutors had provided the defense with a complete copy of all the data extracted in the case, including personal files. Thompson argued the government had to segregate the relevant information.

In March, Grewal gave the government 30 days to return to defendants the material that did not fall under the scope of the search warrant.

Subsequently, the government returned devices to their owners and provided a copy of relevant files to the defense team. However, Parella and Chew balked at a mandate to destroy or delete other files from the government copies.

At a hearing in July, the prosecutors said the government had fully complied with the "reasonable efforts" protocol in the search warrant by returning computers and other devices with their full contents to each defendant. Meeting defense demands to also purge the extraneous files from the government's copies would be unduly burdensome and could compromise evidence.

Chew told Grewal the task could take "literally thousands" of government employee hours and might harm the government's case. For instance, a defendant might claim at trial that an incriminating software program found on his computer was inoperable, Parella said. "If we had the complete forensic image, we could put it in front of the jury and say, 'Look it does run,'" Parella said.

Thompson called that government argument "ludicrous." "Surely the government has a great deal of experience trying cases in which firearms are unloaded and secured with a trigger lock, without having jurors reject the evidence because nobody fired the weapon in the courtroom," he wrote in a brief.

Grewal, who is known as one of the district's most tech-savvy magistrates, sided with defense lawyers.

"I thought the warrant requirement was pretty clear that you have to take what you're entitled to and give the other stuff back," he said.

The question, which will now be reviewed by Jensen, may turn on two Ninth Circuit cases from the pre-digital era and whether a computer hard drive is more like an individual file or a file cabinet.

Ruling in U.S. v. Beusch, 596 F.2d 871, in 1979, the Ninth Circuit held that investigators had no obligation to separate out pages from a single volume or file, such as a ledger. Three years later in U.S. v. Tamura, 694 F.2d 591, the appeals court set out procedures for searches involving relevant and irrelevant documents so intermingled that agents needed to take them off-site for review. In 2010, the Ninth Circuit en banc opinion in Comprehensive Drug Testing updated Tamura for what the appeals court called "the daunting realities of electronic searches."

An earlier en banc opinion authored by Ninth Circuit Chief Judge Alex Kozinski went further, laying out specific procedures to be followed in electronic searches. The ruling was so despised by prosecutors that every U.S. attorney in the circuit signed a brief seeking an unprecedented super en banc hearing. Instead, the panel issued a revised opinion that more narrowly decided the case.

The Anonymous prosecutors argue that each computer seized in the case is the equivalent of a single volume in Beusch. Therefore any computer containing evidentiary material can be kept in its entirety.

Defense lawyers say the holdings of Tamura and Comprehensive Drug Testing reign. The intermingled computer files may be taken off-site, but they must be carefully sorted and irrelevant materials must be deleted, destroyed or returned.

Fakhoury of the Electronic Frontier Foundation said there is no national standard for protocols in electronic searches. Prosecutors should be wary of pushing the limits, he said.

"The law doesn't give prosecutors leeway to take whatever they want and keep it as long as they want," he said. "The government is trying to expand its search and seizure powers, and I hope that judges are going to be resistant."