Break the Scarfo Silence


By Mark Rasch

In January 1999, agents of the FBI raided the offices of Nicodemo S. Scarfo, a reputed Philadelphia underworld figure, searching for evidence of illegal gambling operations. Armed with a search warrant, the agents searched for and seized files contained on his computer, including a single file that was encrypted using the commercial software PGP. According to documents later filed with the court, the government believed that the encrypted file was relevant to the gambling investigation and that it was covered by the court order. Unfortunately, as the government told the court, its "normal investigative procedures to decrypt the codes" were unsuccessful. The government was then in a quandary.

In an effort to decipher the contents of the previously seized encrypted file, the government on May 8, 1999 applied to United States Magistrate Judge G. Donald Haneke for a court order permitting it to install what it described as a "keystroke logger" on Scarfo's computer. Invoking the laws that permit search and seizure, and the court's inherent authority to issue orders to effectuate its own powers, the government requested authority from the court to install "software, firmware and/or hardware" to "monitor the inputted data on Nicodemo S. Scarfo's computer" in an attempt to capture the PGP pass phrase.

The government went further, asking the court to excuse it from the normal requirement that it leave a copy of the search warrant after conducting the search, and to permit what is sometimes called a "no-knock" warrant. Based upon the government's affidavits and submissions, the magistrate signed an order, based on a finding of probable cause to believe there was evidence of a crime in the encrypted file, permitting the government to enter Scarfo's office, install the key logger and capture keystrokes.

The court described the program as a "specialized computer program to search for and seize computer passwords and keys." The key logger was in place for two months, after which the court permitted the government to retrieve the output. The output file contained only 45 pages of keystrokes, including literally hundreds of "nonsense" characters.

The last entry on the last page of the key log file included Scarfo's PGP pass phrase, which, as it happened, was his father's federal Bureau of Prisons ID number. The government then used this information to decrypt the encrypted file.

Earlier this year, in a courthouse in Newark, New Jersey, Scarfo's lawyers moved to suppress the results of the search made by the key logger as both an unreasonable search and seizure and an illegal wiretap. They also requested that the government reveal precisely what the key logger was, how it worked, what it searched for, and how it seized evidence --- matters never disclosed to the magistrate who issued the order that it be installed.

Because the federal rules governing criminal discovery impose only limited disclosure requirements, the government refused to disclose any details about the key logger. The government also stated that "the FBI's key logger system is a highly sensitive law enforcement search and seizure technique" and that disclosure of the technique would compromise both law enforcement investigations and national security.

This was accompanied by a lengthy affidavit from the head of the FBI laboratory, indicating that only 30 people in the world were privy to the inner workings of the key logger system, and that disclosure would invariably injure ongoing investigations. Moreover, the government contended in a pleading filed with the New Jersey judge, the laws regarding electronic wiretaps were not implicated in this case because the key logger was configured not to capture communications emanating from Scarfo's computer via modem to the outside world.

The federal district judge disagreed, and ordered the government to demonstrate precisely how national security would be implicated if the materials were disclosed. The government responded by asserting that the key logger system itself was "classified" and therefore invoked provisions of federal law that limit or preclude the disclosure of classified information. At present, no disclosure has been made to the defense or to the court about how the key logger worked.

LEGAL REGIME.

Did the government overreach in this case? Was the installation and monitoring of the key logger program a violation of the federal wiretap law?

Clearly the government had a legitimate interest in conducting a criminal investigation of Nicky Scarfo. The magistrate found probable cause to search the computer and to seize the pass phrase. Courts routinely permit the installation of hidden video cameras or other surveillance. Indeed, only days after the government filed its classified motion, it revealed in another case that it had installed a hidden camera at TRW's offices to monitor Brian P. Regan, suspected of spying for Libya, and to watch him sending emails containing classified information.

But there are limits to government surveillance. There are essentially three limitations on the scope of government searches and seizures: the Fourth Amendment itself, the federal rules on the issuance of search warrants, and the federal laws regarding "electronic surveillance."

The Fourth Amendment by its terms provides that: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Thus, the Constitution applies only where the conduct at issue amounts to a "search" or seizure; it requires that the search be reasonable, and that, if it is conducted pursuant to a warrant, there be a finding by a neutral and detached magistrate that there is probable cause.

Finally, the Constitution mandates that there be specificity --- that the warrant provide sufficient detail about what is to be searched for and seized --- and not merely act as a "general warrant."

Complaints that the government violated Scarfo's privacy by installing the key logger are likely to be unavailing. All search warrants violate privacy --- that is the essential nature of a court ordered search. The court made a finding, which the government agents are generally entitled to rely upon unless secured in bad faith, that the PGP file was likely evidence of a crime and therefore could be seized.

The magistrate further found that the key logger was a reasonable method for obtaining the pass phrase, and that a covert "search" for the pass phrase was appropriate. The government therefore contends that, under the Fourth Amendment itself, the "search" was reasonable, supported by a warrant and affidavits, and based upon probable cause.

What distinguishes this case from most Fourth Amendment cases is the fact that the items to be searched for and seized did not yet exist at the time the court order was issued; the keystrokes came into being only while the order was in effect. The government did not describe to the magistrate how the key logger would accomplish the minimization requirements inherent in the Fourth Amendment.

How, for example, could the key logger distinguish between a PGP pass phrase (covered by the seizure order) and a letter to Scarfo's attorney (protected by attorney-client privilege)? Was the "minimization" to be accomplished after the fact --- that is, all keystrokes were to be captured, but government agents would only read the ones that were relevant to the court order? Indeed, the government's affidavit in support of the key logger order is remarkable in its lack of detail about what is presumably a new and legally untested technology.

In a recent case involving the government's use of infrared monitors to peer virtually inside a home without a warrant to determine whether a suspect was using heat lamps to grow marijuana, the United States Supreme Court ruled that the invasive use of new technology violated the Fourth Amendment. In doing so, the Court relied heavily on specific findings about the nature of the infrared device, precisely what it did, how it worked, and what it was able to capture, in determining the extent to which it invaded privacy.

No such information was provided by the government, either to the magistrate or to the district court, that would allow either to effectively evaluate the use of this new keystroke logging technology. Indeed, the magistrate was never told that the technology he was authorizing was classified for national security purposes, and that its disclosure would result in irreparable harm to national security. It was effectively described as a run of the mill search warrant.

SEARCH WARRANTS AND WIRETAP.

The Federal Rules of Criminal Procedure generally require that, at the time of a search, the person searched be provided with a copy of the warrant and an inventory of what was seized. In the Scarfo case, it is unclear when the search and seizure occurred. Was it when the key logger was installed? Did each logged keystroke constitute a separate search? Was the search accomplished when the government retrieved the log files, or only when government agents examined the contents of the logs?

In the Scarfo case, the government specifically requested that the magistrate excuse the requirements of notice and disclosure, and the court did so. Thus, the failure to leave an inventory or provide notice was lawfully excused, but the metaphysical question of when the search occurred, or whether it was "reasonable," remains unanswered.

The most difficult aspect of the case is the application of the federal wiretap law and the Electronic Communications Privacy Act to the government's actions. Federal law distinguishes between a "search" for evidence of a crime and an "interception" of either aural or electronic communications.

For example, if the government has probable cause to believe that there is evidence of a crime contained on your computer, it may obtain a simple search warrant for that computer, with no need for a wiretap order, even if there are emails or other "communications" contained on the hard drive.

If, on the other hand, the government wants to read your emails in transmission (or listen to your telephone calls, or install an audio "bug" in your house), it must obtain a special order, called a Title III order, which severely limits what the government can do. The order must be approved by high-level Justice Department officials, can only be effective for 30 days at a time, and significant efforts must be made to ensure that only matters covered by the court order are examined.

Further complicating the issue is the fact that the law may distinguish between the interception of email "in transmission" and email that is stored -- even temporarily. As a general rule, for the government to obtain communications "in transmission" requires a Title III wiretap order, to obtain them in "temporary storage" requires a search warrant, and to obtain them in "permanent storage" requires a mere subpoena.

While the Ninth Circuit federal court of appeals in California ruled that acquisition of temporarily stored email requires a Title III wiretap order (although the decision was "withdrawn" last week and no new opinion has yet issued), federal appellate courts in Texas and district courts in Massachusetts and elsewhere have ruled that the interception must occur while the email is "in transmission" to trigger the more stringent Title III requirements.

The law makes no provision, however, for the interception of communications "for transmission" but not yet "in transmission." Thus, as you type an email on the screen but have not yet pressed the "send" button, or as you type an Instant Message on the computer but have not yet "transmitted" it, is capture of these communications an "interception in transmission"? Is the government "intercepting" Brian Regan's email when it virtually "shoulder surfs" his computer with a camera under the authority only of a search warrant and not a Title III order?

What distinguishes the Scarfo case is the fact that the key logger, while intended to capture only a typed PGP pass phrase (whether or not the modem was engaged), may also have captured keystrokes that represented communications in transmission. The government's position on the legality of this monitoring is unclear. The government may be contending that the interception of emails, web traffic or other electronic communications is permissible under the lower search warrant standard using the key logger, so long as the key logger captures the communications before they leave the computer en route to the Internet.

Alternatively, the government may be arguing that the specific item at issue in this case, the PGP pass phrase, was not in transmission, and therefore could be lawfully seized even if other matters were captured "for transmission."

The United States Supreme Court addressed a similar issue in 1942 when it ruled that the installation of an audio "bug" adjacent to a lawyer's office that would pick up the attorney's end of his conversations on the telephone did not come within the ambit of the federal interception law. The Supreme Court noted that "What is protected is the message itself throughout the course of its transmission by the instrumentality or agency of transmission." The court concluded that listening in the next room to the words of the target as he talked into the telephone receiver was not an interception of a wire communication any more "than would have been the overhearing of the conversation by one sitting in the same room."

In that case, the court tied the target's expectation of privacy to the physical trespass necessary to invade such privacy. Because no physical trespass was required, the majority of the court in 1942 concluded, no invasion of privacy occurred. This literalistic approach was, however, rejected by the court in an electronic surveillance case in 1967 involving a tap placed on the outside of a telephone booth, and by the current Supreme Court in considering the use of the infrared monitors, which required no physical trespass.

UNLEASHING THE TROJANS.

If the government seriously takes the position that the "interception" that triggers the wiretap law and ECPA occurs only at the modem or other network device, and not between the keyboard and the CPU, this represents a dangerous expansion of the law that could vitiate the need for the government ever to obtain a Title III order.

Programs such as the BO2k and Sub7 Trojans, or WinWhatWhere, or Monitorer, can be surreptitiously installed on a target computer and ordered to capture keystrokes, in real time, before they are transmitted to the network. They can further be used to transmit the results of these "searches" to law enforcement or intelligence agents in real time over the Internet or by direct dial-back.

If the government seriously takes the position that Title III is implicated only past the network interface, then privacy rights are effectively nullified.

For now, the government is resisting disclosure of the mechanism by which the key logger captures information as both irrelevant and protected for national security purposes. However, knowing at a minimum what the logger captures, how it captures it, when it captures it, and how it restricts what it captures, is essential for the court, the defense, and society generally to evaluate what privacy regime applies to the new technology.

As the Supreme Court noted in the infrared search case in June of this year, "It would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology."

Knowing what the technology is and how it works is the first step to evaluating its effect on privacy. While the government should be permitted to use legitimate surveillance techniques, their use and growth must be effectively scrutinized by the courts, the press, and the public at large, with as full disclosure as possible.

Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive Systems Inc. in Reston, Virginia, a computer security and network design consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head of the U.S. Department of Justice Computer Crime Unit and prosecuted a series of high profile computer crime cases from 1984 to 1991.
