Case Studies: 1

The Silk Road, pen/trap, and the Fourth Amendment

In February 2015, a jury convicted Ross Ulbricht of drug trafficking (among other crimes) linked with his role in creating and operating the now infamous Silk Road. This was an online marketplace established on Ulbricht’s extreme libertarian ideals where users from around the world could purchase and sell illegal drugs (and other services). Ulbricht was sentenced to serve two full life sentences without the possibility of parole.

One of the ways the government managed to link Ulbricht to his administrative role within the Silk Road operation was through monitoring IP address traffic from his home router. The government sought authorization to do so, not with a warrant, but under the Electronic Communications Privacy Act. They employed what’s known as a ‘pen register’ that recorded Ulbricht’s outgoing data and a ‘trap and trace device’ which collects incoming data (collectively known as a pen/trap).

Ulbricht would go on to argue that these pen/trap orders were in complete violation of his Fourth Amendment rights.

The courts rejected this argument pointing towards the Supreme Court’s 1979 decision in Smith v. Maryland – which resulted in the concept known as the “third party doctrine.” This doctrine was established in the context of telephones: the Supreme Court had held that since Smith was voluntarily sharing information (e.g. by dialing phone numbers) with a third party (the telephone company) that there was no expectation of privacy linked to this data (however, there IS an expectation of privacy in the content of the communications, e.g. Smith’s phone conversations). So, using the “third party doctrine”, the courts rejected Ulbricht’s appeals and maintained that there is indeed no Fourth Amendment protection that applies to IP address information.

Despite the narrow scope of what information the government can glean from a pen/trap technique without a warrant (in this case they limited it to the capturing of IP addresses, TCP connection data, and ‘similar routing information’), perhaps there is difference between the 1979 ruling that led to the “third party doctrine” and today’s technologies revolving around IP address information. A pen register on a landline telephone reveals only a fraction of the information that a pen register on a home router does. Can the two be weighed equally?

While I do not support of Ross Ulbricht or any of his illicit business operations, it is evident that by repeatedly denying Ulbricht’s appeals and petitions, the Supreme Court leaves in place the “third party doctrine” which allows government agencies to potentially circumvent Fourth Amendment rights with the argument that there is “no expectation of privacy” regarding certain routing information given to an ISP.

Ross William Ulbrict, Petitioner v. United States of America

The Morris Worm

The very first instance of the government using the federal anti-hacking statute known as the Computer Fraud and Abuse Act (CFAA) that resulted in a conviction was in the 1989 case of the US v. Morris.

Robert Tappan Morris was a young Cornell student who in 1988 created one of the very first Internet worms. This worm (now infamously known as the “Morris Worm”) was released on the MIT networks and spread rapidly. While there probably wasn’t any negative intent with this worm by design (for example, it wasn’t deleting files) it did cause quite a commotion – after all, this was the very early days of the Internet (long before it matured into anything as it is today). These things were almost completely unheard of.

At the time, the Internet was a much smaller community largely comprised of mailing lists or researchers exchanging code. Morris seemed to have made this worm simply to test it’s capabilities. It was designed to keep itself relatively concealed and would even attempt to delete itself on a system if it had already infected it. However, this encoded safeguard often failed which resulted in causing repeated reinfections – a computer’s load would sky rocket. This caused many systems to crash.

Morris was found guilty of violating the CFAA, 18 U.S.C. § 1030(a)(5)(A). On the day of his conviction, Morris was facing a harsh possible sentencing of five years in prison and a fine up to $250,000. However, after appeals he was eventually sentenced to three years of probation, 400 hours of community service, and a $10,000 fine. Nowadays, Robert Tappan Morris teaches Computer Science at MIT.

The Morris worm may have started as a college student’s pet project, but think of the wake it has left! I have heard in an interview (see the Malicious Life podcast) that there were some people who were even concerned as to whether the Morris computer worm would become a biological threat, as if it’ll jump across the digital boundary into the real world and begin making people sick. Hilarious.

A Spy Tool for a Creepy High School

This is about a class action lawsuit (Robbins v. Lower Merion School District) against the Lower Merion School District in Pennsylvania, filed by Blake Robbins and other high school students from the district. It was alleged that the MacBook laptops that were issued to high school students had built in webcams/spyware that enabled the school staff to remotely access them to monitor the students even when they were at home.

Because the students did not consent to the spying, and the spying took place off of school property, this is clearly a direct violation of the student’s privacy.

The lawsuit was filed after sophomore Blake Robbins was disciplined at school for what he had done at home. The decision to discipline him was based on a picture secretly taken of him in his bedroom. The lawsuit against the high school sought to recover damages based on the school’s actions which were in violation of the Electronic Communications Privacy Act (§ 2511 and 2520 of the ECPA), The Computer Fraud Abuse Act (§ 1030), as well as the Fourth Amendment of the US. The school eventually settled the case for $610,000

This is a very interesting topic which I think will gain more and more momentum in the near future. If I remember correctly, I believe there have been several instances where kids are being disciplined by their school for things they’re posting on social media (e.g. for something like posting photos of underage drinking or perhaps for posting controversial public opinions remains).

I honestly don’t have an answer as to where one ought to draw the line – when I was in high school we didn’t have things like social media or YouTube. That being said, I tend to think that once a student leaves campus, what they say or do is of no business to their high school but instead their parent’s responsibility.