In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by digital privacy

In an obscure case that could have broad implications, a judge in the Eastern District of Virginia sentenced the Danish CEO of two overseas technology companies to time served and a fine of $500,000 for the advertisement and sale of a mobile application capable of surreptitiously monitoring communications and other information on a mobile device. A Department of Justice press release touted the result as “the first-ever criminal conviction concerning the advertisement and sale of a mobile device spyware app.” Nevertheless, the sentence of ten days of time served represents a significant downward departure from the recommended 4-10 month prison term contemplated by the defendant’s plea agreement.

According to a statement of facts filed with the plea agreement, the defendant, Hassam Akbar, advertised and sold “StealthGenie,” a now-defunct mobile app that could be used for real-time monitoring of a mobile device owner’s calls, texts, emails, photographs, calendar appointments, contacts, and other information. The app apparently could also remotely activate the phone’s microphone and record nearby sound. Once installed and activated, the app was undetectable to the average user because it ran in the background whenever the smartphone was powered on, with no indication that the app was running. According to the DOJ, “[a]pps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life – all without the victim’s knowledge”; indeed, according to the DOJ, “StealthGenie ha[d] little use beyond invading a victim’s privacy.” For this reason, as Wired reported, the Akbar indictment was hailed as a step in the right direction by at least one group working to fight domestic violence, which was hopeful the conviction signaled an intent to crack down not only on the users but also on the developers and distributors of tools used to perpetrate domestic violence and stalking.

Recently, Louisa Marion and I analyzed the Supreme Court’s far-reaching decision in Riley v. California, 573 U.S. __ (2014), and its implications going forward. In Riley, Chief Justice Roberts concluded that today’s cell phones (which the Court called “minicomputers”) are fundamentally different than physical containers: their storage capacity is virtually unlimited; they contain a

In an unexpectedly sweeping opinion, a nearly united Supreme Court today recognized the Fourth Amendment’s protection for digital privacy. Chief Justice Roberts’ opinion in Riley v. California is grounded on the Founders’ abhorrence of general warrants and unparticularized intrusions into our private lives. It highlights the pervasiveness of cell-phone (“minicomputer”) use, as well as the

In conjunction with the 2014 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by e-discovery in this context, including

The University of Maryland announced on February 19th that it is the most recent university to fall victim to a data breach. According to the University’s President, UM was the target of a “sophisticated” computer attack that exposed the personally identifiable information (PII) of over 300,000 individuals. Specifically, the hack targeted records that relate to the University’s student identification (ID) system and thus compromised the PII of various students and staff who had been issued a University ID since 1998. The compromised PII includes names, Social Security numbers, dates of birth, and University ID numbers.

The compromised records were maintained by the school’s IT Department and protected by “sophisticated, multi-layered security defenses” that the hackers were nonetheless able to bypass. This reflects the painful reality that data breaches are often a matter of when, not if, especially for universities.

In the Summer issue of the American Bar Association’s Criminal Justice Magazine, I write about the Ninth Circuit’s watershed en banc ruling in United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013), that border agents must have “reasonable suspicion” before conducting forensic searches of laptops at the US border. The decision will

A finding of bad faith is not required for a remedial jury instruction when the government’s negligent destruction of evidence significantly prejudices a defendant, the Ninth Circuit ruled earlier this month in its panel decision in United States v. Sivilla, No. 11-50484 (9th Cir. May 7, 2013) (Noonan, J.). However, bad faith—or a showing that the exculpatory nature of spoliated evidence was apparent to the government—remains necessary for complete dismissal under Arizona v. Youngblood, 488 U.S. 51 (1988).

In June 2010, Victor Hugo Sivilla loaned his Jeep to his sister’s boyfriend for several hours. Two days later, Sivilla was arrested after U.S. border agents found $160,000 worth of cocaine and heroin in his vehicle’s engine manifold. After photographing the Jeep’s engine compartment, the case agent turned the vehicle over to the Department of Homeland Security (DHS) forfeiture section.

The Senate Judiciary Committee yesterday took a significant step forward towards enhancing data privacy. By bipartisan voice vote, the Committee approved Senators Leahy and Lee’s bill (S. 607) to reform the Electronic Communications Protection Act (ECPA) and extend greater privacy protections to content stored in the cloud. As I discussed previously, ECPA, and particularly

On Tuesday, March 19, 2012, the Obama Administration took a significant step toward increasing user privacy when the Department of Justice dropped its long-standing opposition to a warrant requirement before government officials can obtain content stored in the Cloud. Testifying before the U.S. House Judiciary Subcommittee on Crime, Terrorism, Homeland Security, and Investigations, Acting Assistant Attorney General Elana Tyrangiel commented on possible reforms to the Electronic Communications Privacy Act (“ECPA”), and particularly the controversial provisions of the Stored Communications Act (“SCA”) (18 USC 2701 et seq.) which govern when the Government may compel third-party service providers like Google, Microsoft, and Twitter to disclose the contents of stored electronic communications. C-Span’s video coverage of the hearing is available here.