Worse than that- even if you are adjacent to a crime that took place and not the suspect, they can also invade your privacy - rifle through all of your private data online and so on.
I had a friend who owns a PC repair shop who bought a laptop from another 'friend' that was sold to him illegally. (He did not know it was illegally stolen from the next state over) The state police came in (with FBI in tow) and seized all of his equipment. Every last computer (all of his own, as well as customers that had their pc in for repair) in the shop was checked over.
They held onto his equipment (along with 3 other customers) for 6 months, and he had to make do with a laptop to keep his business running. Fortunately, he had backed up his PC repair software to another location. Or he would have been out of business.
All because the FBI wanted to be thorough. Not because he was on suspicion of a crime.
I wasn't addressing the egregious police-stateness at all, one way or the other (which I suppose is downplaying it, by not addressing it, but that wasn't my intention). I think that there should be incredibly strict bounds on what can be seized without a warrant, and still rather strict bounds on what can be seized with a warrant, but I don't know whether this case overstepped those bounds.
For example, I believe it's illegal to take information which was coincidentally seized along with legitimate evidence subject to a warrant, and use it in an unrelated case. I'm strongly in favor of such laws, to discourage "fishing expeditions", where law enforcement uses a legitimate warrant to seize a bunch of unrelated material that they're interested in using for other purposes.
However, I suspect if you walk into a data center where some malicious customer is doing something illegal, probably that customer has tried to make it harder to connect them to what they're doing.
Also, I don't know about this case, but there are lots of small hosting companies that lease servers from other companies, and the staff at the colo only know the lessor, not the lessee. They wouldn't have any access to the hosting company's customer database which might map customers to servers.
Besides, the FBI has to worry about low-probability cases like, what if one of the employees is a friend of, or paid off by, the bad guys? Or what if the bad guys are somehow monitoring the facility?
The FBI has a legitimate goal of seizing the evidence they need as quickly and with as little notice to the bad guys as legally possible.
Did the FBI act wrongly in this case? I don't know enough to tell.
I've had my house raided, and $10k worth of gear taken by law enforcement, which they kept for 8 months, finding nothing, then I got to go and pick it up.
My perspective is permanently in "what if they come after me" as a result of this.
However, even prior to that incident, I've believed that violating the rights of an innocent party is a worse outcome than not being able to access incriminating data of the guilty.
I don’t usually love parallels from digital to physical worlds, especially with regards to laws, since there is a lot of nuance that gets lost.
But, with that said… If I own a property that I don’t use, and people start making and selling drugs there, without me knowing… to what degree am I liable?
And what do the police/FBI do in that situation?
I would be totally fine with them entering the property, dealing with the specific threat, not looking at more than they need to for that investigation, and letting me know what happened.
It seems like the exact same thing. These people were allowing illegal activity on their property (devices), unknowingly. So the police come in and deal with the threat, only look at what they need for the specific investigation, and let people know afterwards.
That's not a similar example to what's going on here.
Your example would have to include a situation in which the FBI makes copies of the keys to the house, copies of the hard-drives, etc. Then inevitably makes it embarrassingly easy for other parties to get access to those as well, permanently reducing your net security to almost zilch regardless of the outcome of the context and warrant.
And worse, in the process of gaining access to that one house and hard-drive, they simultaneously gain the potential to access millions of homes and hard-drives that have nothing to do with the warrant, and then those millions of houses and hard-drives see their net security reduced to essentially nothing.
I'm trying to think through this from a legal perspective.
If I'm going from store-to-store around town, my understanding is that police are allowed to watch me and even go into the businesses and ask questions or pull security footage without a warrant. The information they gather is circumstantial and probably would not hold up in court, but they can use it as grounds to get a warrant.
Let's imagine a different case. Instead of police having to go in and ask nicely for customer logs and security footage, the owner happens to have meticulous notes that he keeps and sells to randos around town. Creepy... but it's largely the same data that they could have gotten by asking nicely enough anyway.
If there is no law against the proprietor bundling up his customer data and selling it, it doesn't seem like there is a strong legal case against police using it.
Obviously, this is a MUCH bigger problem on the internet than in real life - just in the huge difference in scale in the amount of data and the ability to parse it.
While I'm sure that's the rationale, I wonder if there is a difference. If the FBI seized drugs and then continued to sell them, isn't that against the law? If the FBI seized a computer and used to to distribute child porn wouldn't that also be against the law? I can see not seizing it and allowing the original operators to continue for 2 weeks.
Does the FBI operate under different laws? For example, if I know my neighbour is hosting child porn on their computer and I wait 2 weeks to report them, probably I'm safe. If take his computer and host the files on the same machine for 2 weeks before handing it over to the police, I'm pretty sure I'd be arrested. What law is different for the FBI to be able to do that (if they did)?
So when the feds go in and raid a company and demand hard drives to investigate illegal activity which criminals typically know to hide and try their best to hide, you think that's futile and agencies are better off not relying on this kind of data because criminals are unlikely to make any mistakes in covering their tracks?
So agencies are doing things backwards by relying on this kind of operational data search? They should be doing more stakeouts and rely more on people ratting them out?
Counter argument: I was at a talk given by an FBI agent to a group of system administrators in 2004. The agent urged us to do our own investigating.. audit logs, sniff packets, etc. The reasoning was that our servers and networks were our private property and we could do as we pleased, whereas the FBI is bound by law to seek warrants and be very careful not to violate anyone's rights.
(The bulk of the talk was about computer forensics.)
Can't the investigators get a warrant to spy on the suspect? They then install a bunch of spyware on the machine and in the suspect's home and on the suspect's internet connection.
From a legal perspective, this is a common game of cat and mouse law enforcement regularly uses to circumvent the 4th amendment prohibition on unreasonable search and seizures without a warrant.
In other words if law enforcement illegally obtains evidence, that evidence can be suppressed and all evidence as a result (fruit of the poisonous tree doctrine). But the 4th amendment only applies to the government, so a non government actor can otherwise illegally obtain evidence (break in to your home and steal said evidence and turn it over to law enforcement) and you would not be able to suppress the evidence because the government didn’t violate your 4th amendment rights, another private citizen did.
In this case you get entities arguing geek squad is the government/acting on behalf the government, presumably because they took some small payments, on the other hand you have the governments arguement that geek squad is not acting on behalf of the government and in fact the criminals signed a contract allowing geek squad to search and seize evidence of a crime from the computers.
It’s a well settled area of law, but it’s controversial.
I went to the local electronic crimes branch of law enforcement once, when my Gmail account was broken into.
They basically asked me if I was reporting large-scale financial theft, human traficking or child porn. If it wasn't one of those, they didn't have the manpower or will to pursue it.
I'm trying to think of an analogy which can explain why this might be reasonable from the FBIs perspective.
Suppose you were using a shared storage space (shared servers, or server farm) with several other dudes. One of them is a drug dealer. One day the police/FBI decide to raid the storage space since the drug dealer has been using it to store illegal drugs.
Is it not reasonable to consider this collateral damage (which, granted, is totally unnecessary) during law enforcement operations?
I'm not saying this is OK in any case, but might this not be a reasonable move by the law enforcement agencies?
The mirror image of your argument is just as applicable:
Law enforcement has already been seen to act adversarial to private interests, remotely logging out of computers is utilized to try and limit law enforcement's ability to obtain information beyond the scope of a warrant. There is little doubt that law enforcement would willingly take information beyond the scope of the warrant and later find a way to use it against them.
They can still prosecute anyone they caught by independent means. It's just a matter of having some other way to search their computers, which is just a formality in most prosecutions. It's exceedingly easy to get a warrant against anyone these days; that's why they have parallel construction.
But you've simply pointed out the strength of the analogy. Siezing adjacent blades in a multi-tenant rack is just as nonsensical as siezing adjacent computers in a multi-tenant office.
Physical proximity is simply not a valid justification in either situation.
If the courts and/or the FBI are unable to understand this, the remedy is to get them educated and not to simply accept the consequences of overly-broad warrants or seizures.
States are not really the buyers to be concerned about. In many cases, the state already has tools that give them enhanced access to target data, all the way up to the authority to obtain and execute warrants. The people that are really worrisome are private malicious actors.
The point, which you missed, is that the FBI already can look through your sock drawer with a warrant. And they already can get your private information from a company's server. If you want that not to be the case, it's an entirely different argument.
I had a friend who owns a PC repair shop who bought a laptop from another 'friend' that was sold to him illegally. (He did not know it was illegally stolen from the next state over) The state police came in (with FBI in tow) and seized all of his equipment. Every last computer (all of his own, as well as customers that had their pc in for repair) in the shop was checked over.
They held onto his equipment (along with 3 other customers) for 6 months, and he had to make do with a laptop to keep his business running. Fortunately, he had backed up his PC repair software to another location. Or he would have been out of business.
All because the FBI wanted to be thorough. Not because he was on suspicion of a crime.
reply