Let’s assume that you have an un-pickable lock on an impenetrable freezer in your basement, and assume further that freezer is full of body parts from your victims (these are assumptions – right?). The Feds think they know what's in there, but they can’t get in unless you unlock it. Can they legally compel you to open it, or can you avoid being so compelled by invoking your 5^th Amendment right to not incriminate yourself?

The equivalent of this scenario is playing out in child pornography cases around the country, where the alleged pornographers have used widely available public encryption products (which are very secure), to lock up the damning content on their computers. Without the magic words (or encryption key), law enforcement will, as a practical matter, never know what is on that drive. Law enforcement argues that where the intent is purely to hide evidence of a crime, there needs to be some way for the courts to allow law enforcement to access the evidence.  They are starting to ask the courts to compel the bad guys to cough up the passwords. 

Interestingly, in the case that is currently getting all of the attention on this, US v. Boucher, federal Magistrate Judge Jerome J. Niedermeier has addressed the “opening of the safe” analogy, concluding that if the safe requires a physical key, a suspect can be compelled to turn it over, but if it is a combination that exists in the persons head, disclosing that is tantamount to a “testimonial act” implicating the 5^th Amendment. Therefore, he ruled that requiring the suspect to enter his password would violate his right against self-incrimination. (So what if the combination is written down – is that writing the equivalent to a physical key? And even if it is the same as a physical key, isn’t the knowledge of the location of the writing in that person's head - the disclosure of which would involve a “testimonial act”, and on and on). The government has appealed, and the case is currently being investigated by a grand jury.

The case is unique to digital information, because the analogy that there is just no other way to get the evidence does not really hold up in the physical world. There is always some way to get into the safe. However, using widely available open source encryption software, such as PGP, it is virtually impossible to unencrypt files without the password. The only thing to do is to use automated guessing software, that systematically and repeatedly guesses at the password - a process that could take many years, even with a lot of computing power. The Feds are scared, because an adverse ruling here could create a safe harbor for information that would be essentially unreachable, potentially benefiting drug dealers, terrorists, and the child pornography industry. Civil Liberty groups such as the EFF say unbreakable encryption “is one of the few ways people can protect what they write, read and watch online,” and support the application of 5^th Amendment rights in cases such as these.  This will be interesting to follow.  It is definitely one where the new technology is creating some interesting challenges for the application of existing laws.

The Washington Post article on this topic is here.

Related New York Times article is here.

Photo complements of Colin Ashe under creative commons

The lists are starting to roll in.  Check out Pogo's Chronicles of Dissent: Top Ten Privacy Breaches of 2007, and Threat Level's look at the year 2007  from a privacy/security perspective.  The Metropolitan Counsel provides us with the Advertising, Marketing And Promotions Law Year In Review,   and the USPTO Announces it's year end results, touting "historic improvement in the quality of patent and trademark reviews and subsequently the quality of issued patents and registered trademarks."  Euclid Managers offers its Predictions for 2008 Security Threats, PatentlyO offers Ten Ways to Spend your Holiday Bonus (I got the Nuvi), the TTAB Blog reports that the Leo Stoller Blog Has Returned, and Chevy Chase reports that Generalissimo Francisco Franco is Still Dead. 

Happy Holidays, and Best Wishes for a prosperous 2008 from the TechKnowledgy Blog!

The Appellate Court of Illinois recently denied a motion to dismiss filed by the online stock photo company Corbis, effectively preserving claims that Corbis violated Jame's Browns right of publicity by offereing to license photos of the the late singer.  The decision is here.  The case is interesting, because presumably there would be some uses of the photos that would not violate Brown's right of publicity, for fair use or first amendment reasons. Corbis would presumably license the photos to anyone who would pay the fee, and note that the photo comes without a publicity release, leaving it up to the licensee to use the photo in a lawful manner.  Nonetheless, the court is willing to entertain the claim that Corbis, by offering to license the photos, is thereby engaging in some commercial activity for which it may need the permission or consent of The Godfather of Soul.  Internet Cases has a good summary of the case.

ChoicePoint - the case that really started it all - announced today that it has settled with 43 states over the 2005 breach of its database that exposed mass quantities of consumer information.  A shock at the time, perhaps, but similar disclosures have become a daily occurrence.  You might recall that the ChoicePoint breach involved thieves posing as small business customers who were able to gain access to ChoicePoint's database, possibly obtaining the personal information of 163,000 people according to the FTC.

In January, ChoicePoint Settled with the FTC for approximately $15 million.  At that time, at least 800 cases of identity theft had reportedly been traced to the breach. 

Amazing as it may seem, the Department of Veteran Affairs has done it again.  This time they are reporting that information on more than half a million people is missing and may have been stolen.  Way down from the 26.5 million records that were at issue back in May of 2006 when the VA reported a lost laptop containing that information.  The Privacy Rights Clearinghouse provides a Chronology of Data Breaches that also shows other reports from the VA, and tallies the total of reported data disclosures by all organizations as exceeding 100,000,000.  Time for us all to check out the do's and don'ts of avoiding identity theft at the FTC's website.

The Superior Court of Arizona in Maricopa County ruled last week that in order to discover the identity of an anonymous online author, a plaintiff must first show that its interest in discovering that identity outweighs the speaker's constitutional right to speak anonymously.   The precise standard used by the court required the plaintiff to " show that its claim would survive a Motion for Summary Judgment before being entitled to discover the identity of an anonymous speaker through any compulsory discovery process."  The case is Paul McMann v. John Doe, and the opinion can be found here.  Evidently, the plaintiff would not commit to continue the case if it was allowed to proceed with the defendant remaining anonymous, and the judge tossed it.

Anonymity a constitutional right?  It's an interesting concept.  Prior to the advent of the Internet, true anonymity had been very hard to establish in connection with widely disseminated published materials.  Now it is the order of the day.  This can be very beneficial in limited circumstances by allowing one to pass helpful information and evade direct retribution, such as with "whistleblowers" or the anonymous reporting of crimes.  However, with true anonymity, extortion and harassment based on false information become commonplace.  Personally, I like the general idea of holding speakers accountable for their words, rather than allowing anonymity as the rule.  If you can't say something nice . . .. 

With as many as 49 bloggers, online editors, and web based reporters behind bars as of the end of 2006, technology companies and human rights groups are collaborating to create an Internet Code of Conduct designed to protect free speech and privacy online.  Participants include Microsoft, Google, Yahoo, Vodafone, Center for  Democracy and Technology, the Electronic Frontier Foundation and the San Francisco based Business for Social Responsibility.  The focus of the code will be to hold companies accountable if they cooperate with governments to suppress free speech or violate human rights.  You may recall Yahoo being in the spotlight for supposedly helping the Chinese government trace Shi Tao's email exchanges.  Shi Tao was subsequently sentenced to 10 years for leaking state secrets.  More detail here. 

The following, in no particular order, are our top ten favorite TechKnowledgy stories of 2006:

1.  Posner Appears Live as Avatar on Second Life.  If the words in that headline are gobbledygook to you, you better get with it!  Second Life is a popular online virtual world where users interact with each other through "avatars", which are basically animated cartoons of themselves.  Judge Richard Posner appeared live on Second Life on December 7th, and was interviewed on a variety of topics for two hours.   The illustrated transcript can be found here.  The idea that one of the most influential legal minds of our time is willing to embrace this emerging technology is just, well, cool. . ..

2.  Supreme Court Alit in Patent Cases.  While the world focused on the drama of the appointment of Justice Alito, IP lawyers had some drama of their own, with a fully loaded patent docket.  Decisions included

Click to read more ...

Brobeck was a huge law firm that popped along with the dot com bubble.  It filed for chapter 7 bankruptcy in 2003.  It's client list read like a Who's Who in the technology, life sciences, medical devices and venture capital industries.  The 900 lawyer firm had offices in in San Francisco, Los Angeles, Palo Alto, San Diego, New York City, Denver, Austin and Washington, D.C.   So, if you are a large company in those industries, chances are, you were a Brobeck client.  PUBLIC SERVICE ANNOUNCEMENT: unless you affirmatively "opt-out", all of your files will be turned over to the Library of Congress.  Read the Notice.  Thought you might like to know.

Click to read more ...

The just concluded 109th Congress largely failed to deliver on technology issues, from data breach notification, patent reform, Net neutrality, H-1B visas,  copyright/digital rights management, and the R&D tax credit.  CNet has a good round-up here.

The Federal District Court in Los Angeles has held that a border search of a defendant's laptop computer violates the Forth Amendment to the U.S. Constitution, because such searches must be supported by reasonable suspicion. The case is U.S. v. Arnold,  No. 2:05-cr-00772 (C.D. Calif.), and it stands in direct contrast to U.S. v Romm, (see our earlier post on that case), wherein the Ninth Circuit reached the opposite conclusion.

Like the Romm case, the Arnold case also involved the discovery of child pornography on the computer's hard drive, leading to an indictment of the defendant. The court noted that although neither a warrant nor probable cause is required for ordinary border searches, cause is required for more intrusive border searches, such as body cavity searches. These "nonroutine" or intrusive searches require a heightened level of suspicion to be reasonable because they implicate the "dignity and privacy interests of the persons being searched."

Click to read more ...

Sabrina Pacifici has updated her Bibliography on Identity Theft.  This resource identifies hundreds of sources of information on the topic, including those available at the federal level, the state level, as well as selected law reviews, journal articles, and news stories.  If you ever have occasion to deal with the topic of identity theft, you will want to save a link to this tremendous resource.  

In a case that raises a myriad of questions for corporate travelers with confidential or other sensitive information, the Ninth Circuit Court of Appeals has held uncatagorically that the contents of laptop computers may be searched at international borders without a search warrant and without any probable cause.  The case is U.S. v. Romm, and the search of the laptop in that case included a review of internet caches, and the forensic recovery of deleted files, all of which led to charges and a conviction unrelated to border or security issues. 

Click to read more ...

The long awaited (or long dreaded) rules implementing the 2005 Junk Fax Prevention Act have gone into effect as of August 1, 2006.  Under the new rules, businesses can continue sending fax advertisements to people with whom they have an established business relationship (EBR), with some limitations, according to the Federal Communications Commission.  The FCC Summary is here.  Basically, the rules provide

Click to read more ...

This is an article from Ingram's, a Kansas City business magazine, treating data disclosure laws.  Excerpt:

On the legal front, if your organization is subject to more than a few of these laws (by virtue of having operations or customers in multiple jurisdictions), the wisest strategy probably would be to develop and implement a uniform policy that meets the requirements of the most stringent of the applicable state laws. Ironically, one of the tradeoffs to consider is just how zealous one wants to be in detecting each and every breach, knowing that there is a disclosure obligation for those detected, even if the likelihood of the data being used maliciously is small.