Justice Department Archives

Supreme Court Defers to Congress on Smartphone Tracking

 

In a potential quandary for Congress, the Supreme Court ruled that government authorities must obtain a warrant before attaching GPS devices, like car-mounted electronics, to track suspects. But they didn't rule on tracing the location of mobile devices, like smartphones, that officers have never touched.

In United States v. Jones, the justices determined that the U.S. government violates constitutional protections against unreasonable searches when it "physically invades" personal property -- in this case an alleged cocaine dealer's Jeep -- to insert a location-detection tool. The device transmitted signals pinpointing the vehicle's location within one hundred feet to a government computer, according to the court's opinion.

But Monday's ruling does not address the legality of tracking mobile devices without handling them -- a debate that is sure to intensify as location-identification services become ubiquitous in society. The justices underscored that unresolved privacy issues remain:

"If longterm monitoring can be accomplished without committing a technical trespass -- suppose, for example, that the federal government required or persuaded auto manufacturers to include a GPS tracking device in every car -- the court's theory would provide no protection," Justice Samuel Alito wrote. "For example, suppose that the officers in the present case had followed [the] respondent by surreptitiously activating a stolen vehicle detection system that came with the car when it was purchased."

Justice Sonia Sotomayor agreed with Alito:

"With increasing regularity, the government will be capable of duplicating the monitoring undertaken in this case by enlisting factory- or owner-installed vehicle tracking devices or GPS-enabled smartphones," she stated. "GPS monitoring generates a precise, comprehensive record of a person's public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations . . . The government can store such records and efficiently mine them for information years into the future."

In a way, the judicial branch passed the baton to the legislative branch for closure on the executive branch's case. The Justice Department had argued authorities don't need a warrant to track a person's movements on public streets.

"Concern about new intrusions on privacy may spur the enactment of legislation to protect against these intrusions," Alito acknowledged. "This is what ultimately happened with respect to wiretapping . . . In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative."

Lawmakers who have supported bills banning cellphone-tracking took advantage of the ruling to press for permanent protections.

Sen. Ron Wyden, D-Ore., said in a statement, "It seems that a majority of the Supreme Court would agree that secretly turning someone's cell phone into a tracking device without their knowledge is unconstitutional. However, U.S. law is woefully outdated when it comes to all kinds of location tracking technology. Congress has a responsibility to step in and provide clear rules and boundaries for the use of these technologies, so that law enforcement doesn't have to go all the way to the Supreme Court every time it needs direction."

Last Congress, Wyden introduced the Geolocation Privacy and Surveillance Act, or GPS Act, with Illinois Republican Sen. Mark Kirk and Reps. Bob Goodlatte, R-Va., Jason Chaffetz, R-Utah, and Peter Welch, D-Vt.

Goodlatte said in a statement that the high court's decision "confirms the fact that a warrant is necessary for tracking an individual's movements with a GPS device . . . However, the court stopped short of requiring a warrant for all geolocation information including that obtained from mobile telephones."

Cybercrime Watch: Fabricated Dating Profiles

 

House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook.

At issue is the government's power to convict people who have broken website terms of service agreements. In written testimony released on Monday, Orin S. Kerr, a George Washington University Law School professor, argues that the current law threatens the civil liberties of millions of Americans, like those who fudge information on Facebook and online dating services.

"If a user writes in his profile that he goes to the gym every day -- but in truth he goes only once a month -- he has violated Match.com's Terms of Use," Kerr's testimony states. "Similarly, a man who claims to be 5 foot 10 inches tall, but is only 5 foot 9 inches tall, has violated the Terms . . . One study has suggested that about 80 percent of Internet dating profiles contain false or misleading information about height, weight and age alone. If that estimate is correct, most Americans who have an Internet dating profile are criminals under the Justice Department's interpretation of the [act]."

Critics like Kerr want lawmakers to spell out what the law means by "exceeds authorized access" so that employers do not have wiggle room to punish personnel who accidentally breach terms of service agreements. Congress is expected to insert revisions to the law in broader cybersecurity legislation.

But Justice officials have said limiting the law could derail cyberspy trials. At the Senate hearing, James A. Baker, associate deputy attorney general, noted, for example, that the government was able to prosecute State Department staff for improperly accessing passport records of then Sen. Barack Obama, D-Ill., and Sen. John McCain, R-Ariz., during the 2008 presidential campaign, by breaking the agency's computer access rules.

Kerr recommends that Congress rewrite the section of the law in question to exclude Terms of Service violations except in the case of federal employees who handle confidential information.

The Senate Judiciary Committee already has passed an amendment that narrows the law in this way. Kerr's testimony states, "Notably, the language carves out one significant exception. The government can pursue prosecutions for violations of computer use policies used by government employees. This will enable prosecutions when government officials misuse sensitive government databases."

Or, Kerr suggests, lawmakers could limit the law to specific types of information that, if misused, could cause harm. The mandate would only cover, perhaps, data worth more than $5,000, as well as sensitive or private information about a person, such as medical records, diaries and financial records.

Kerr, along with Richard Downing, deputy chief of Justice's computer crime unit, former Homeland Security Secretary Michael Chertoff, and Harvard Law School lecturer James Barker, is scheduled to testify on Tuesday before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.

Strange bedfellows, like the American Civil Liberties Union, Americans for Tax Reform, the Competitive Enterprise Institute, the Electronic Frontier Foundation and the FreedomWorks Foundation, have co-signed a letter seeking to protect people who accidentally run afoul of site service contracts.

The subject came into focus during the 2008 "MySpace Suicide" case. In that incident, a federal attorney brought criminal charges against a MySpace user who registered under an alias, a breach of the website's terms of service. A mother whose daughter had a falling out with a 13-year-old girl had been impersonating a teenage boy on MySpace to befriend and then reject the teen.

The young girl later killed herself and the mother was charged with, among other things, violating the computer fraud law. Kerr briefed and argued a successful motion to dismiss the case in 2009.

FBI Knocks Out Mammoth Estonian Cyber Ring

 

In one of the biggest cyber crackdowns in history, the FBI and international partners have arrested six Estonian nationals for hijacking computers worldwide to bilk the multi-billion dollar Internet advertising market, bureau officials announced on Wednesday.

About 4 million computers belonging to consumers, businesses and government agencies, including NASA, were infected by this "man-in-the-middle" attack that targeted the Domain Name System, or DNS, a service similar to a phone directory for the Internet. DNS translates alphabetical website names entered by users, like Apple.com, into numerical Internet Protocol (IP) addresses that computers can understand and connect to.

In unsealing an indictment in New York on Tuesday, federal officials detailed a two-year FBI investigation dubbed Operation Ghost Click that pursued hackers operating mainly out of Estonia and Russia.

The indictment "describes an intricate international conspiracy conceived and carried out by sophisticated criminals," Janice Fedarcyk, assistant director in charge of the FBI New York office, said in a statement. "The harm inflicted by the defendants was not merely a matter of reaping illegitimate income."

Using malicious software called DNSChanger, the "Rove" criminal organization manipulated online ads to pocket at least $14 million, according to FBI officials. Sometimes, the gimmick opened up victims' computers to further corruption by preventing anti-virus software from updating.

DNSChanger can send visitors surfing on legitimate commercial websites, like iTunes, to bogus sites that purport to sell the company's goods. The ring would change the DNS settings on compromised computers to point to the wrong IP addresses. "They victimized legitimate website operators and advertisers who missed out on income through click hijacking and ad replacement fraud," Fedarcyk said.

The United States is trying to extradite the criminals, who were apprehended in Estonia on Tuesday. Internet users should be aware that DNSChanger may still be on their computers, bureau officials said, adding that people who believe their systems are infected should contact a computer professional.

Various private sector and international organizations assisted the FBI during the takedown, including the Estonia Police and Border Guard, Dutch National Police Agency, Georgia Tech University, Internet Systems Consortium, Team Cymru, Trend Micro and University of Alabama at Birmingham.

OnStar, Supreme Court Weigh Practicality of GPS Spying

 

Navigation service OnStar has scrubbed a planned policy that would have kept tabs on drivers after they canceled their subscriptions, amid a backlash from customers and privacy activists.

A recently proposed change to the General Motors subsidiary's terms and conditions stated that starting in December it would continue to collect data from vehicles whose owners dropped the service, unless those individuals opt out. On Tuesday, OnStar officials scratched the plan and said any future offers to preserve two-way communications will require that customers opt in with preferences on how their data is to be used.

"We realize that our proposed amendments did not satisfy our subscribers," OnStar President Linda Marshall said in a statement. "This is why we are leaving the decision in our customers' hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers."

Civil liberties advocates are pressing for stronger limits on the use of GPS-location information in the public and private sectors. This coming Supreme Court term, justices will take up a controversial case filed by the Obama administration that will decide whether government authorities violated a suspect's 4th Amendment rights by slipping a mobile-tracking device onto his Jeep without a warrant.

On Wednesday, the American Civil Liberties Union and the conservative Heritage Foundation will host separate events previewing the high court's next session, including the GPS surveillance case.

OnStar's now-scrapped plan to track ex-customers would have allowed the firm to provide them with emergency information about natural disasters and vehicle recalls, OnStar officials said. The data also would have helped the company plan future offerings, they said.

Covert Payment Biz Captures Online Gambling Sites

 

Immigration and Customs Enforcement agents seized 10 online gambling websites, after gaming companies allegedly processed illegal payments through an undercover U.S.-based Internet business the feds propped up to ensnare the culprits.

Here's how the operation went down, federal officials announced Monday night:
In the fall of 2009, a cooperating online player who lived in Maryland created an account on the gambling site, betED.com. Federal investigators provided the individual with $500 to place bets on the gaming site. In March 2010, betED paid out the informant's winnings by wiring $100 through the underground processor, called Linwood Payment Solutions.

Allegedly, Linwood has processed gambling transactions since 2009 for betED and other gambling organizations using banks located in Guam and Charlotte, N.C., according to an affidavit unsealed on Monday. It is illegal for Internet gambling ventures to conduct business in Maryland, regardless of whether the operator is based outside the United States, said U.S. Attorney Rod J. Rosenstein.

Officials said between December 2009 and January 2011, Linwood processed payments worth more than $33 million, including those exchanged in Maryland.

The shakedown comes on the heels of federal charges against major online poker firms for allegedly duping U.S. banks into processing $3 billion worth of illicit proceeds. In that case, Justice officials ultimately halted the domestic operations of the three largest poker websites doing business stateside -- PokerStars, Full Tilt Poker and Absolute Poker.

This time, it seems the gambling operators were duped. "Linwood allowed undercover agents to gain person-to-person contact with top managers of gambling organizations to discuss the Internet gambling business, to negotiate contracts and terms of the processing and to handle the intricate movement and processing of collection and payment data from the gambling organizations to the banks," federal officials said in a statement on Monday.

As part of the investigation, the U.S. government also seized 11 bank accounts based in Charlotte, N.C.; Guam; Panama; Malta; Portugal; and the Netherlands.

Defendants in the case face a maximum of five years in prison on charges of operating an illegal gambling business and up to 20 years in prison for money laundering.

William Winter, special agent in charge of ICE Homeland Security Investigations in Baltimore, noted, "The proceeds from illegal Internet gambling are often used to fuel organized crime and support criminal activity."

Added IRS Special Agent in Charge Rebecca A. Sparkman, "Regardless of how the money changes hands - via cash, check, wire transfers or credit cards - and regardless of where the money is stored - in a United States financial institution or an offshore bank - we will trace the funds."

The implicated sites include the following:
• Bookmaker.com
• 2Betsdi.com
• Funtimebingo.com
• Goldenarchcasino.com
• Truepoker.com
• Betmaker.com
• Betgrandesports.com
• Doylesroom.com
• Betehorse.com
• BetED.com

The FBI Fights Malware with More Lethal Malware

 

The U.S. government just went on the cyber-offensive in shooting down a network of malware-spewing servers. For the first time, the FBI has destroyed a botnet -- an organization that hijacks users' computers via remote servers to unfurl malicious software -- by hijacking the culpable servers to send stop commands.

This was no ordinary spam-spreading botnet. The potent Coreflood, which infects only Microsoft Windows-based computers, monitors its victims' keystrokes as they type to steal the users' personal information such as bank account PIN codes, FBI officials said.

This week, law enforcement officials put the kibosh on the operation by seizing the five servers that were manipulating innocent victims' computers. Now, even if computer users are still infected with the worm, any data their machines attempt to send to the servers will trigger a kill command and inform the users' Internet service providers.

The Coreflood perpetrators infiltrated as many as two million computers and made off with hundreds of thousands of dollars through fraudulent wire transfers before the FBI moved in. The Justice Department obtained the servers -- located in Arizona, Georgia, Texas, Ohio and California -- through search warrants, and filed a civil complaint against 13 unnamed alleged thieves.

The cyber intelligentsia seems impressed --

Wired.com writer Kim Zetter reports, "In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprising millions of private computers, and deliver a command to those computers to disable the malicious software."

But she notes that some privacy proponents are wary of the FBI's actions:
"Not everyone, however, is convinced the government's proactive move is positive and without risk.

"'Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood,' said Chris Palmer, technology director for the Electronic Frontier Foundation, 'this would still be an extremely sketchy action to take. It's other people's computers and you don't know what's going to happen for sure. You might blow up some important machine.'"

Shutdown Would Delay Obama Cyber Reforms

 

Work on a White House legislative proposal for cybersecurity reform would be delayed by a government shutdown, Obama administration officials told senators.

Judiciary Crime and Terrorism Subcommittee Chairman Sheldon Whitehouse, D-R.I., who recently lambasted the administration for stalling passage by withholding judgment on the issue, pressed officials this week to provide timing for when they expect to deliver an offer.

"I don't want to put a date on it particularly with the prospect of a government shutdown looming, but I think we're very close, in a matter of some weeks away, from being able to share proposals with Congress," Cameron F. Kerry, the Commerce Department's general counsel, said during a full committee hearing that focused on separate Internet privacy legislation.

Unless Democrats and Republicans can negotiate agency funding levels by Friday, all non-essential government activities will stop when a temporary spending measure expires at the end of the day.

Whitehouse took a long pause after Kerry's answer, before replying, "I hadn't thought of it in the context of the government shutdown -- pretty significant national security cost to precipitate with a government shutdown." Kerry said he agreed.

Talks between lawmakers and the administration on enacting network defense legislation ground to a halt about a year ago, after the White House retreated to study the subject privately through an interagency review.

During that time, committees and individual members in the House and Senate introduced a slew of conflicting measures -- some would empower the Homeland Security Department to oversee civilian networks while others would centralize cyberspace operations at the Pentagon.

"It's very hard with the discrepancies between where one committee or another wants to go to resolve those discrepancies without a position being taken by the administration," Whitehouse said. During the past year, "discussions back and forth between the executive and legislative branch have been reduced to, as best I can tell, zero."

Kerry said officials largely have resolved the basic issues and the more detailed proposals are in the final phase of circulating through agencies.

Twitter Information Fair Game in WikiLeaks Probe

 

Prosecutors can demand information about users from Twitter to advance ongoing investigations into WikiLeaks, a federal magistrate ruled March 11, the Associated Press reports.

The decision removes hurdles for the Justice Department, currently in the midst of a grand jury probe into the leak of hundreds of thousands of classified documents published by the whistleblower website over the past year.

The Justice Department demanded that Twitter hand over account details of WikiLeaks' supporters last December, prompting a backlash on the Internet.

"The disclosures sought are 'relevant and material' to a legitimate law enforcement inquiry," the court ruled. The 1986 Electronic Communications Privacy Act allows prosecutors to obtain data through a court order if they can demonstrate that they are gathering this information as part of an ongoing criminal investigation.

The court said that it had found no violation of the First Amendment in ordering Twitter to produce its users' information. "Petitioners, who have already made their Twitter posts and associations publicly available, fail to explain how the Twitter Order has a chilling effect," the decision stated.

The three who petitioned to reverse the court order against them -- technologist Rop Gonggrijp, encryption developer Jacob Appelbaum, and former WikiLeaks developer and Icelandic Member-of-Parliament, Birgitta Jonsdottir -- will be appealing the case.

Since petitioners "voluntarily conveyed" private information -- such as their IP addresses -- to Twitter, they didn't have a right to be protected from searches of what they had disclosed, the court argued.

With Clock Ticking, Senators Fight Over PATRIOT Act Renewal

 

The top Republican on the Senate Judiciary Committee postponed a vote on extending contentious surveillance provisions in a national security law -- set to expire in three weeks -- so that he could unveil a bill that would make the sections permanent.

On Thursday, the panel planned to vote on the bipartisan 2011 USA PATRIOT Act Sunset Extension Act, which, through 2013, would continue to allow roving wiretaps of suspects who switch computers or phone numbers to avoid monitoring; tracking of "lone wolves" -- persons of interest with no known links to terrorist organizations; and retrieval of records and other tangible evidence from organizations with a court order. The renewal, which was introduced Jan. 26 by Chairman Patrick Leahy, D-Vt., also would heighten judicial scrutiny of such actions. Some lawmakers have objected to making major changes to the legislation in a rush.

Ranking member Chuck Grassley, R-Iowa, delayed the vote during the committee's meeting. "Having this debate year after year offers little certainty to agents utilizing these provisions to keep the nation safe," he said. "Short-term reauthorizations lead to operational uncertainty and compliance and reporting problems if the reauthorization occurs too close to expiration. If these provisions are necessary, we should provide more certainty rather than simply revisiting the law year after year given the indefinite threat we face from acts of terrorism, and that looks like decades ahead. We should permanently reauthorize the three expiring provisions."
Grassley said he, along with Senate Minority Leader Mitch McConnell, R-Ky., and Intelligence Committee Ranking Republican Saxby Chambliss, R-Ga., would introduce legislation Thursday afternoon to cement the measures.

Later in the day, Leahy said that he and Senate leadership have begun procedures to allow his legislation to go directly to the Senate floor for a full vote.

During the committee's meeting, member Dianne Feinstein, D-Calif., who also is chairman of the Intelligence panel, said she would offer a third bill to authorize a straight renewal for three years, without Leahy's reforms. Feinstein, who earlier had supported Leahy's proposal, said, "I think there is not time really to go through a major change in those." A three-year extension would allow the sections to be debated again at the same time the entire law comes up for review, she noted. Feinstein submitted letters of support for her measure from the attorney general and the director of national intelligence.

Leahy said at the meeting, "These are going to expire in a couple weeks so I would hope that all senators in both parties who have interest in that will meet with me and Sen. Grassley. None of us want to play politics on national security and we should get moving on this."

The Legal Maneuverings of Leakers and Governments

 

WikiLeaks is ushering in an era of "globalization of citizen oversight" in which whistleblowers, leakers and publishers are so scattered across the globe that governments are in a conundrum finding the right legal tools to address these leaks, said new media expert Clay Shirky, at a panel on WikiLeaks organized by the advocacy group Personal Democracy Forum on Jan. 25 at New York University.

Leakers can sidestep legal processes in their home countries by wading into murky legal waters of leaking to international organizations. "If you want to leak, do not do it to a member of press that is same nationality as you," said Shirky.

The so-called "Palestine Papers," leaked documents revealing the role of British intelligence in a crackdown of the Islamist movement Hamas, shared between Qatar-based al-Jazeera TV and the UK-based Guardian on Jan. 25, illustrate a shifting landscape in which partnerships between whistleblowers and international journalism outlets will make it more difficult for governments to clamp down on leakers without causing a diplomatic backlash.

As governments struggle to find laws to prevent sensitive data from being transmitted, one way federal agencies have tried to circumvent legal processes has been by putting pressure on corporations supporting WikiLeaks.

When Amazon knocked WikiLeaks off its hosting services in December, it tried to deflect speculation that it had been pushed into doing so. We're not reacting to a government inquiry, Amazon claimed; we're just ejecting a party that violated our terms of service by publishing injurious material not theirs to publish.

"Disingenuous," said PayPal founder Peter Thiel, at a panel entitled "WikiLeaks: Why It Matters. Why It Doesn't." that was organized by the Silicon Valley forum, the Churchill Club, on Jan. 20 in Santa Clara, Calif. Wasn't the real reason why Amazon ejected WikiLeaks "the power of the state in the background?" Thiel pressed. PayPal confessed that it pulled the plug on supporting WikiLeaks after the State Department officially informed it that WikiLeaks was illegal.

Senator Joseph Lieberman, who publicly praised Amazon for dropping WikiLeaks, was "one of the few intellectually honest actors" in this game, Shirky said at the Churchill Club panel.

Twitter will be taking action in "the next couple of days" after the Department of Justice issued an order for information from WikiLeaks supporters, Birgitta Jonsdottir, an Icelandic Member of Parliament who was formerly involved in WikiLeaks and was named in the subpoena, said over Skype yesterday to the NYU panel. She did not attend the event in person because she had been advised not to travel into the U.S.