Children Deserve Laws That Protect Them From Online Pedophiles, Not Laws, As Written, That Serve to Invite Them In

The Massachusetts Supreme Judicial Court recently reversed four indictments of Matt H. Zubiel for an attempt to disseminate matter harmful to a minor, under M.G.L. c. 272, § 28, and as defined in M.G.L. c. 272, § 31. Each indictment was based on Internet conversations between Zubiel and an undercover police officer on different days.


Deputy Sheriff Melissa Marino, a member of the "high-tech evidence analysis team" in the Plymouth County sheriff's department, conducted undercover investigations of crimes, including child pornography and child enticement. Marino created an undercover screen name, "Melissa QT 1995," and set up a Yahoo profile describing herself as "Meliss Smith" from the South Shore, age thirteen, and in the eighth grade. Her profile invited others to "PM" her (a form of instant messaging) if they wanted to send her a "private message."
 

On February 8, 2006, Zubiel, with a screen name of "Ilikesports04," said, "Hi, how are you?" Marino informed Zubiel she was thirteen years old. He indicated he was age twenty-five. Their first online chat lasted forty-two minutes, with Zubiel asking Marino for a photograph. She emailed him photographs of herself when she was thirteen years old. They discussed where each lived and they gave physical descriptions of themselves. Zubiel asked Marino, "[You] ever fool around with boys?" and other questions regarding what she had done with boys, how old the boys were, and additional details about those events.

A second online conversation occurred on February 13, 2006. Zubiel brought up several intimate topics asking questions about her physical appearance and her sexual experience and requested she send him a nude photograph of herself. Zubiel also asked if she was a police officer, acknowledging that they could get in trouble for what they talked about.
 

The next day, February 14, 2006, Zubiel e-mailed Marino a photograph of himself. Again, they discussed sexual topics online and Marino told Zubiel her mother would be working that weekend and she would be home alone. Zubiel questioned Marino further on her sexual history, telling her he would like to visit and “teach [her] everything."
 

On February 15, 2006, they had an online conversation regarding Zubiel's potential visit. They also spoke on the telephone because Zubiel wanted to make sure Marino was not a police officer. Again they discussed sexual topics, and Zubiel said, "I will show you the right way."
 

The final online conversation occurred two days later on February 17, 2006. Afterwards, Marino telephoned Zubiel (upon his request) and Zubiel said he would visit her the next day. Marino gave him an apartment complex address in Marshfield. The next day, Zubiel telephoned Marino for directions as he was entering Marshfield. Zubiel arrived, began walking toward the apartment building, and was arrested.

Following his arrest, Zubiel reportedly admitted the following: his "screen name" was "Ilikesports04,” he had conducted all of the online conversation with Marino, "it was a possibility that he would have sex with this girl if -- if, indeed, she was a real girl, and that the thought was there for him to have sex with this minor." Zubiel gave the police permission to seize his computer and a forensic examination revealed searches for Marshfield High School, directions to the apartment complex, the profile page of "Melissa QT 1995," the photographs that Marino and Zubiel sent to each other, as well as portions of the online conversations.

So why did the Massachusetts Supreme Judicial Court reverse the indictments? Because online electronically transmitted conversations are not explicitly included under the law’s definitions and the court wasn’t going to update the definitions for the Legislature. Under the law, there are four broad categories of criminally disseminated matter that are covered: 1) any handwritten or printed material; 2) any visual representation; 3) any live performance; and 4) any sound recording. The Court found none of these categories applied in the present case. In sum, this case comes down to a matter of words—words the Legislature should quickly correct.
    
The Court states, “If the Legislature wishes to include instant messaging or other electronically transmitted text in the definition of "[m]atter" […], it is for the Legislature, not the court, to do so.” A footnote indicates the Legislature considered amending the law in 2000 to include computer-generated writing, but it has not acted. The court’s tone here suggests that it’s time for the Legislature to take action. At least, I hope that is the message received.

The Legislature should enact enforceable child privacy protection laws quickly. Updated laws are necessary to combat the growing threats dangerously lurking online. Our advancing Information Age, with its evolving communication mediums, requires modern laws that protect children from online sexual predators. Until then, the existing outdated and technologically silent laws only serve to invite these same predators in, and not guard against them.

See Commonwealth vs. Matt H. Zubiel, Slip Opinion, SJC Docket No.: SJC-10454

Work Emails and Reasonable Expectations of Privacy - Is the Divide Ripening for the Supreme Court

As indicated by my prior posts, You've Got Email, But Is It Private At Work? and Is Einstein Reading Your Email for the Government?, the questions and arguments about privacy and email are heating up.  A recent case in point covered by the ABA Journal in Martha Neal's article, Prosecutor’s E-Mail Sent to His Lawyer on a Work Account is Privileged, Court Says, presents an interesting case. Here Neal reports,

A federal prosecutor's e-mail to his own lawyer is privileged, even though he sent it from work on a government computer, a federal court has ruled.

As pointed out in the article, this is in contrast to similar cases and interpretations. A comparison of this case and the government's arguments reviewed in, Is Einstein Reading Your Email for the Government? shows how the divide in these matters is growing.

Attorney-client privilege is a fiercely guarded area of privacy and this case may present the opportunity for the Supreme Court to reaffirm the attorney-client privilege in the context of email and the information age. Of course, if taken up, how they go about this could have far wider implications for privacy rights and email communications. If heard, would they focus on the rule (reasonable expectation of privacy) or rather focus on the exceptions or privileges? If examined, will they look at the totality of the circumstances and thus leave the law to be advanced case-by-case as the circumstances come before courts, or could they take a more holistic approach that offers guidance in this uncertain arena? Time will tell, but the issue seems to be ripening with each "send" button pressed.

Is Einstein Reading Your Email for the Government?

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. - Justice Louis Brandeis (1928)

A recent ABA Journal article on privacy law (Feds Can Monitor Personal E-Mail Sent Privately to Gov’t Workers, DOJ) began as follows:

You might think that a private-mail sent to another U.S. citizen's personal account isn't subject to government monitoring. But that assumption could be wrong if the recipient is a federal government employee.

Both recipients and senders have no reasonable expectation of privacy if an e-mail is opened by a federal employee logged into a work computer network, according to an Aug. 14 legal opinion from the U.S. Department of Justice that was released Friday.

The Memorandum (PDF file) begins,

Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws.

The Memorandum “briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system.” The arguments presented are basically:

  1. There is no "search" under the 4th Amendment;
  2. If there is a "search", then it is reasonable; and
  3. Federal laws trump any state laws.

The central premise of the Memorandum is this: while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet, the deployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each agency participating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements, or their substantial equivalents.

The government's position (which methinks goes too far) is summarized below.

No Search Under the 4th Amendment

The government argues there is no search for Fourth Amendment purposes because “the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of Government-owned information systems…."

[Further]… individuals in the private sector who communicate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through Government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency.

… By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the Government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a Government-owned information system for any “lawful purpose,” including the purpose of protecting federal computer systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the Government to intercept, monitor, and search any personal use of the employee’s Government-owned information systems has no Fourth Amendment right against the Government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity.

The Memorandum goes on to say this applies even when the email was sent to the employee’s non-governmental or personal account. When the,

sender of an email to an employee’s personal, Web-based email account (such as Gmail or Hotmail) does not know of the recipient’s status as a federal employee or does not anticipate that the employee might read, on a federal Government system, an email sent to a personal email account at work or that the employee has agreed to Government monitoring of his communications on that system. A person communicating with another assumes the risk that the person has agreed to permit the Government to monitor the contents of that communication.

But if it is a "Search," then it's Reasonable anyway

The Memorandum argues, even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, …those operations would be consistent with the Amendment’s “central requirement” that all searches be reasonable [because] the Government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements."

State Privacy Laws vs. The Supremacy Clause

The Memorandum’s final argument is that the EINSTEIN 2.0 program does not run afoul of state wiretapping or communication privacy laws due to the Supremacy Clause.

To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above, they would “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause.

What do you think? Do you buy the argument that if you send an email to a government employee's private gmail or yahoo account, then the government may have the right to read the email?

Preceding the last presidential election, Condoleezza Rice was apologizing to presidential candidates for government intrusions into their private passport records. President Obama, a candidate at the time, called for hearings on the matter. Watergate, Hoover, and McCarthyism should remind us as to what ends government intrusions into personal privacy can have. Deeper historic reflections illuminate this point even more. Benjamin Franklin, offered, "they who would give up an essential liberty for temporary security deserve neither liberty nor security." Of a more local flavor, Boston's Samuel Adams, stated:

Driven from every other corner of the earth, freedom of thought and the right of private judgment in matters of conscience, direct their course to this happy country as their last asylum.

Massachusetts Privacy Law Stalled-Out Again and Weakening

In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).

Well, it appears the legislative change may not be necessary as the latest and ungreatest regulatory scheme changes appear to do the hatchet job for them.  Too bad.  In short, it's not good news for Massachusetts consumers or their privacy rights as privacy rights seem, once again, to be taking a backseat to political influences.

The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:

BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

...

New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data.  The overall approach is more consistent with federal law, she said.

...

The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.

 

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5

Massachusetts Senate Bill No. 173 (PDF file) introduced earlier this year, would amend M.G.L. 93H (Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as their data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights or should the emphasis be on protecting the absolute rights held by individuals instead?

If your identity is stolen because a company you do business with collects your personal identifying information and negligently fails to protect it, do you care what size company they are or do you feel that perhaps the offending company shouldn't be held accountable because of their "unique situation and resources." Peoples' privacy rights shouldn't be protected a little bit--depending on who is violating them--they should be protected, period.

Recall, the first set of regulations have been delayed again and again--now more delays will likely be needed for new regulations to be adopted for small businesses. On November 12, 2008, the Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its standards for how businesses protect and store consumers' personal information. On February 12, 2009, they filed revised ID theft regulations that would take effect, Jan. 1, 2010, stating in their press release,

The regulations will take effect Jan. 1, 2010, and mandate that personal information – a combination of a name along with a Social Security number, bank account number, or credit card number – be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.

“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”

The regulations are a product of the identity theft prevention law signed by Gov. Deval Patrick. In keeping with the administration’s commitment to protecting consumers, Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.

Since November 2007, there have been over 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents.  The regulations are the first of their kind in the country, and had originally been scheduled to take effect on Jan. 1, 2009. A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date.

“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Crane said. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

OCABR's approach has seemed and continues to seem reasonable. This proposed legislative change (requiring new standards for small businesses), by contrast, seems rather odd. My last post discussed a proposed legislative change which would prevent OCABR from even requiring encryption or any other specific methods in its regulations. If the regulators can't require specific methods in their regulations, in what way will the small business standards be any different than the other regulations being watered-down?

Unfortunately, enacting changes that lead to further delay simply ignores the real problem of consumer privacy invasions occurring today and which will continue while the time-consuming task of formulating new regulatory schemes unfolds. Perhaps this change, however, is more about the added timing element and the further delay required to adopt, advertise, and implement new regulations. Otherwise, it's perplexing: why would legislators pass a law in the first place and not even allow the adopted data protection regulations to be implemented before tinkering with the enabling law?

Time, energy, and resources have already been expended to put a consumer data protection law in place.  Why wouldn't the legislature first see how it goes before gutting it? Were the lawmakers unaware of what they were doing when they passed the law in the first place? Or have certain lobbying efforts made the difference in a law that hasn't even gotten out of the starting blocks?

Many legislators had the courage to pass a consumer protection law to help protect people from some of the perils of the information age we find ourselves living in. The law they passed will help to safeguard peoples' personal identities and to bring protective measures into the forefront of the entire business community nationwide. I hope our legislators have the conviction to stick to their guns and to let their efforts lead the way. While no legislation by itself will be a panacea against identity theft or other data protection woes, allowing an enforceable law to proceed as currently written and planned demonstrates political conviction as well as a commitment to Massachusetts consumers.


An Act Ensuring Less Privacy of Massachusetts Resident's Data: Part 3 of 5

Massachusetts Senate Bill No. 173 (PDF file), introduced by Senator Michael W. Morrissey this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post. Today, I'll address a proposed change that involves encryption and specific technologies and adds the following language,

The department [OCABR] shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

To put this proposed change in the proper context, you must know OCABR's current regulations require data be encrypted. Unlike today, this proposed change would ensure OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to do so in regulations). Not only does this weaken the agency helping protect consumers' data, but it takes the bright lines out of the regulations and makes the revised law effectively fuzzy at best. In sum, the change leads to foreseeable ambiguity and real world enforcement problems.

Who does this change really protect?

 

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (MA Data Security Law) and effectively water down the law while reducing the Office of Consumer Affairs and Business Regulation's (OCABR) authority to protect Massachusetts consumers' privacy rights.

These proposed changes to the data protection law are a timely topic as the original MA law was passed following TJX's large-scale data breach. TJX has recently entered into a $9.75 million settlement with 41 states over their data breach. According to the Boston Herald in, TJX to pay states $9.75M in data breach settlement,

The $9.75 million settlement payment includes $2.5 million to establish a data security fund for the states and $1.75 million to cover the states’ investigations into the data breach. Massachusetts will receive more than $950,000 of that money.

The Herald reports that Attorney General Martha Coakley, who was a driving force for all states involved, said in a statement:

Protecting consumers’ personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft.

All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information. This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business.

The Identity Theft Assistance Center (ITAC) blog, in TJX Agrees to Pay $9.75 million to 41 States in Data Breach Case, states:

The company [TJX] also stated in an official news release that it “firmly believes it did not violate any consumer protection or data security laws.” However, California Attorney General Jerry Brown had a different POV [point of view] and cited the company’s 2004 internal audit, which found security vulnerabilities. ... "TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people..."

In the wake of the TJX settlement, under MA Attorney General Coakley's and other attorney generals' realized efforts, it's disappointing to see present attempts to water down the Massachusetts data protection law by state legislators. In coming posts I'll discuss four changes being proposed and how each fails to help consumers or protect individual privacy rights. Thus the title of this series, "An Act Ensuring Less Privacy of Massachusetts Resident's Data" which plays off of the proposed act's title "An Act ensuring the privacy of certain data."

Keylogging for Evidence

In my recent post, Encryption and the Right to Maybe Remain Silent, I discussed the government's efforts to obtain encrypted evidence on a laptop. The issue was whether an individual can be forced to decrypt incriminating information. While this area of law has many new questions, there's always more than one way to skin a cat.

Even in cases where encryption was not ordered, the government may have taken actions to find encryption keys through a keylogger (which records keystrokes) or other devices. Declan McCullagh discussed this in his 2007 CNET post, Feds use keylogger to thwart PGP, Hushmail -

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.