The Feds and the Net: Closing the Culture Gap By Mike Godwin Column for Internet World May 1994 issue It was about halfway through my lecture at the FBI Academy at Quantico last fall that I began to sense in my audience a rising hostility. And, let me tell you, I take it very seriously when I'm feeling hostility from people who are licensed to carry weapons. But in spite of my nervousness, which I tried to hide from the FBI agents and federal prosecutors in my audience, I pressed on with my criticisms of federal law enforcement's investigations and prosecutions of computer-crime cases. In my experience, I told them, these law-enforcement efforts have all too often infringed on the rights of presumptively innocent citizens. And the infringements have occurred in ways that can't easily be remedied by the traditional legal system. But the hostility and resistance I met with at Quantico from some (but by no means all) of my audience showed me that the road to a solution is going to be a tough one. So, you may wonder, just what does Godwin think *is* the solution? Well, I don't have all the answers, but I do know this: in the long term, both the legal system and the law-enforcement establishment will have to learn to protect these rights rather violate them. The problem, of course, is that both of these institutions are notorious slow in adapting to technological and social change. How, then, can we make the criminal-justice system responsive in the short term to the rights of individuals, not all of whom are suspects or targets of criminal investigations? And that's why I was at Quantico that day--I was hoping to engage in a dialog designed to help answer that question. I had been invited by Hal Hendershot of the FBI's Computer Fraud Program, along with Scott Charney of the Justice Department's Computer Crimes Unit. The five-day computer-fraud seminar was designed to give selected FBI agents and assistant U.S. attorneys the background and expertise required for investigating and prosecuting computer crime and toll fraud. They heard details of past and present federal computer-crime prosecutions, and learned the relevant federal law in the area. They also learned about the Steve Jackson Games case, in which Secret Service agents were successfully sued by the games publisher and several other plaintiffs for having violated their statutory e-mail privacy and publisher's rights. They also learned technical details about computers, computer networks, and the phone network, and Ilene Rosenthal of the Software Publishers Association came in to inform them about the legal issues raised by software copyright infringement. At the end of that five-day period, I was given an hour to talk to the attendees about my organization, the Electronic Frontier Foundation, and about the civil-liberties issues raised by computer-crime investigations. I introduced myself, told them about my background in computers, journalism, and law, and I talked a bit about EFF's current work, which includes helping to develop national policy on issues like encryption technology and growth of the National Information Infrastructure. Then I got to the heart of the matter. I told them about about EFF's origins in what its founders, Mitch Kapor and John Perry Barlow, saw as the mishandling of computer-crime cases. Although we do other kinds of work as well nowadays, at the start EFF was concerned about whether computer-crime cases were being handled in ways that promoted justice. To underscore the point, I talked about three cases I'd worked on: _The Steve Jackson Games case._ As I noted above, the agents and prosecutors had already heard something about Steve Jackson Games, which was not a criminal case but a civil case arising from a mishandled and overreaching search and seizure of a publisher of role-playing games. What my audience had already heard was how the search warrant had been badly written, and how the Secret Service field agents had done too little investigation into the business they were searching. (For example, they apparently thought that the SJG game book called GURPS CYBERPUNK was "a manual for computer crime." In fact, it was the rulebook for a science-fiction roleplaying game.) I tackled the case from a different angle. I pointed out that Steve Jackson Games was not the target of the investigation, so there was no reason not to presume that the company, which had a fairly large staff of writers and editors, was not perfectly legitimate. Although the Secret Service apparently believed that one SJG employee might possess some evidence about a computer crime, there was no reason to disrupt this business in order to seize that evidence--the company's founder and president, Steve Jackson, would have happily complied with a subpoena. But the Secret Service operated on the assumption that anyone running a bulletin-board system (BBS) and publishing books like GURPS CYBERPUNK couldn't be trusted to comply with a court order to turn over evidence--so they conducted a search and seizure instead, and in doing so pushed the company to the brink of bankruptcy. Had EFF not stepped in and paid for the company's lawsuit against the Secret Service, it's possible that the damage would never have been remedied at all. I pointed out that the Secret Service had also proceeded in either ignorance or defiance of the First Amendment's protections for freedom of speech and freedom of the press. A BBS, like an Internet node or a Usenet site, is a medium for conversation, debate, discussion--as such, it clearly raises a basic set of interests that have long been understood to be protected by the First Amendment. What's more, Steve Jackson was a traditional publisher as well--even if he *had* been publishing a "manual for computer crime," such publications are understood to be protected by the First Amendment. Ultimately, Steve Jackson won his case. But, as you can imagine, neither the lawyers nor the policemen in the room enjoyed hearing about how law enforcement had shown a basic failure to grasp the meaning of the Constitution. _The Craig Neidorf case_. INTERNET WORLD readers will recall that I recently published an article in these pages concerning the prosecution of a young man named Craig Neidorf, who allegedly had engaged in interstate transportation of stolen property when he copied a BellSouth E911 memorandum and published it in his online newsletter, PHRACK. What I didn't tell you in that article, though, is that for a long time prior to the Neidorf trial in July of 1990, the government's lead prosecutors had been telling both the press and the judge that Neidorf had "stolen" not a memorandum but the *actual source code* for the Emergency 911 system. They did so even though it was apparent to non-programmers that the document was written in English, not a programming language. They also claimed that, with this document in hand, a would-be hacker could threaten the functioning of the entire Emergency 911 system. One might be charitable and suppose that a government lawyer couldn't be expected to know that BellSouth "system practice" document was not a program, not "source code." But this particular prosecutor had already built a reputation for handling high-tech and computer-related crimes. He'd gotten the first conviction under the federal Computer Fraud and Abuse Act in a case involving Unix source code, so he'd seen source code before. Moreover, the government claimed at one point that the BellSouth document was worth nearly $80,000. They had gotten this figure from a BellSouth employee who, in calculating the cost of the document, threw in such elements as the cost of the VAX workstation on which it was produced. (One wonders if BellSouth makes a practice of firing up a VAX, wordprocessing a single document, and throwing the machine away.) When I pointed this out to my audience at Quantico, there was a distinct rustling in the room, and the atmosphere grew a bit hotter--what was I implying about the prosecutor? _The Legion of Doom case_. In another case, related to the Neidorf case, a team of prosecutors had negotiated plea agreements for the three young "hacker" defendants, based in part on their having "stolen" a copy of the same E911 document. The government used the same figures for valuation of the document that it had used in the Neidorf case, and, indeed, the lead prosecutor of the Neidorf case was involved in both the plea agreements and the sentencing proceedings for these three defendants. What's notable about this case, I told my audience, is that the government told the judge that these defendants had possessed the E911 source code, just as they'd said Craig Neidorf had possessed. The only difference was that they did so in late fall of 1990--*months after it had been established that the document wasn't source code at all.* "It's very hard to explain how the government could make this kind of claim so many months after the Neidorf case," I said. At this point, one woman, an FBI agent, stood up and questioned me pointedly: "Are you saying you think the prosecutors lied to the judge?" I had to pause for a moment. "Well," I said, "yes, I do think so. But even if you don't agree with me, I think you have to agree that, at the very least, the government was *reckless* in what it told the court--almost criminally reckless." "But look," another FBI agent said heatedly, "wasn't it the obligation of *their lawyers* to raise all these issues if the cases were so flawed?" "Yes," I agreed. "But this is a new area of the criminal law, and sometimes even the best criminal lawyers don't know enough to judge whether the government's evidence is what they say it is. And in many of these cases, defendants don't have access to the best lawyers--they have to accept court-appointed counsel or overworked public defenders. So it's not terribly likely that they'll spot all the relevant evidentiary issues or understand the technology well enough to challenge the government's claims." "Well, what do you want us to do about that?" "I think you each have an obligation," I said, "to use the knowledge you acquire in this workshop to protect defendants' rights as well as try to make your case. Both law-enforcement officers and prosecutors have sworn to uphold the Constitution--part of this oath surely means stepping in to protect a defendant's rights when you can't rely on the legal system or his lawyer to do so." This argument met a lot of resistance. "It isn't our job to protect the defendant!" "What about protecting the general public's rights?" And so on. So, to put a civil summary on what was a fairly tense exchange, I'd have to say that we agreed to disagree. I was gratified, however, after the lecture, when one prosecutor came up to talk to me afterwards. "I just want you to know," she said, " that I understood what you were saying, and I agree. I know you weren't attacking us." And it's true; I wasn't attacking anyone. What I was trying to do was raise some consciousness. You see, as the the Net becomes more and more a part of public life for everyone, increasingly there will be efforts by the government to police this new arena of human interaction. Such efforts will require not only new technical and legal expertise on the part of law enforcement, but also an understanding of the nature and needs of the new kinds of communities they'll be policing. But, just as important, they'll also require that law enforcement agents and prosecutors restrain their natural tendency to go for the throat and rely on the adversarial process of the courtroom to hash things out. Individual rights are too important to be sacrificed while we're waiting for defense lawyers and judges to learn what source code is, or to know when a cost estimate on a wordprocessing document is vastly overinflated, or to know that Usenet is a haven for First Amendment-protected expression. The first line of defense against the infringement of our rights is an informed law-enforcement team. But the road to making that line of defense effective in computer-crime cases is going to be a hard one. ---- Mike Godwin (mnemonic@eff.org) is online counsel for the Electronic Frontier Foundation, where he advises users of electronic networks about their legal rights and responsibilities, and instructs criminal lawyers, law-enforcement personnel, and others about computer civil-liberties issues. For info on EFF mailing lists, newsgroups & archives, mail eff@eff.org. To browse EFF's archives, use FTP, gopher, or WAIS to connect to ftp.eff.org, gopher.eff.org, or wais.eff.org respectively. Look in /pub/Eff. To get basic EFF info send a message to info@eff.org. Send detailed queries to ask@eff.org. For membership information, mail membership@eff.org.