Law, Dissonance, and Remote Computer Searches

Publication year: 2012


NORTH CAROLINA JOURNAL OF LAW & TECHNOLOGY VOLUME 14, ISSUE 1: FALL 2012


LAW, DISSONANCE, AND REMOTE COMPUTER SEARCHES


Susan W. Brenner*


This Article examines the conflict—the dissonance—that arises when law enforcement officers from one jurisdiction remotely search a computer that is physically located in another jurisdiction. It reviews the current status of remote computer searches in Europe, noting that such searches are legal under United Kingdom law but are, for most purposes, outlawed by German law. The Article then explains that, because U.S. state supreme courts have used their constitutions to impose search and seizure requirements that exceed those of the Fourth Amendment, similar dissonance has arisen between U.S. states. It uses this domestic dissonance to analyze the issues transnational searches are likely to create and to consider how those issues might be resolved.


  1. INTRODUCTION

    As authorities in Europe, the United States, and elsewhere have recognized for well over a decade,1 cyberspace alters the process of law enforcement’s searching for evidence of criminal activity in a very fundamental way: Crime ceases to be territorial as borders become irrelevant, which is advantageous for law-breakers and disadvantageous for law enforcers.2


    * NCR Distinguished Professor of Law & Technology, University of Dayton School of Law, Dayton, Ohio USA.

    1. See COUNCIL OF EUROPE, EXPLANATORY REPORT TO THE EUROPEAN CONVENTION ON CYBERCRIME (ETS NO. 185) ¶¶ 131–37 (2001), available at http://conventions.coe.int/Treaty/EN/Reports/Html/185.htm; HOLLIS STAMBAUGH ET AL., NAT’L INST. OF JUSTICE, STATE AND LOCAL LAW ENFORCEMENT NEEDS TO COMBAT ELECTRONIC CRIME 3–4 (2000).

    2. See COUNCIL OF EUROPE, supra note 1, at ¶¶ 131–34; see also Susan W. Brenner, Toward a Criminal Law for Cyberspace: Distributed Security, 10 B.U. J. SCI. & TECH. L. 1, 31–65 (2004).




      A case from Kentucky illustrates this. In 2009, cybercriminals operating from outside the United States surreptitiously extracted $415,989 from an account at the First Federal Savings Bank in Shepherdsville, Kentucky.3 The account belonged to Bullitt County and held funds the county used to pay its employees.4

      On June 22, 2009, “someone started making unauthorized wire transfers of $10,000 or less from the county’s payroll to accounts . . . around the country.”5 It was not until June 29 that bank employees “realized something was wrong,” but by that time the money was gone.6 Because no one in Bullitt County had any idea who was responsible for the transfers, county officials contacted the Federal Bureau of Investigation, which began investigating.7
      The investigation showed the transfers originated in Ukraine.8 The criminals used a Trojan Horse program “known as ‘Zeus’ ” to harvest the county’s funds.9 They “somehow” installed the program on the county treasurer’s computer.10 Zeus “creates a direct connection” between the infected computer (the treasurer’s computer) and the system used by the cybercriminals; this let them “log in to the victim’s bank account using the victim’s own [computer and] Internet connection . . . .”11


    3. The account of the crime is taken from the following sources: $415,989 Taken from Bullitt Bank Account, COURIER-JOURNAL, July 1, 2009, available at 2009 WLNR 15630449; Kelly House, $415,989 Taken from Bullitt Bank Account, COURIER-JOURNAL, July 2, 2009, at A1, available at 2009 WLNR 15629810; Brian Krebs, PC Invader Costs Ky. County $415,000, WASH. POST (July 2, 2009), http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html.

    4. See, e.g., Theft Used Stealthy Computer Code, COURIER-JOURNAL, July 27, 2009, available at 2009 WLNR 15691911.

    5. Krebs, supra note 3.

    6. Id.

    7. See, e.g., Hackers Stole $415,000 from Bullitt County Coffers, SPAMFIGHTER (July 21, 2009), http://www.spamfighter.com/News-12758-Hackers-Stole-$415000-from-Bullitt-County-Coffers.htm.

    8. See, e.g., Krebs, supra note 3.

    9. Id.

    10. Id.

    11. Id.


      The cyberthieves then used the Zeus Trojan to acquire the county treasurer’s username and password and link her computer with the one they would use in the thefts.12 Then they “logged into the county’s bank account by tunneling through the treasurer’s Internet connection.”13 Since they were using her Internet connection, the bank’s system did not flag this as a problematic attempt to log into the account.14 The thieves “created several fictitious employees of the county” and initiated “a batch of wire transfers” to them, extracting more than $400,000 from the county’s account.15 The cybercriminals arranged for U.S.-based intermediaries to wire most of the funds to accounts in Ukraine, at which point they disappeared.16 The criminals who created and implemented the theft have not been, and most certainly will not be, apprehended and punished for their crimes.17
      Unlike their traditional counterparts, cybercriminals can almost instantaneously extract funds from a bank in one country and deposit them into accounts in other countries before the bank realizes what has happened.18 This vastly complicates law enforcement’s task of finding the perpetrator and bringing him or her to justice.19 The criminal’s use of cyberspace effectively fractures the crime, which means relevant evidence is located


    12. See id. Kennan Bradley, the County Treasurer, later became one of the plaintiffs in a lawsuit the County filed against the bank. See, e.g., Emily Hagedorn, Bank: Bullitt Could Have Avoided Theft, COURIER-JOURNAL, Aug. 27, 2009, available at 2009 WLNR 16811648; see also Complaint at ¶ 2, Bullitt Cnty. Fiscal Court v. First Fed. Savings Bank of Elizabethtown, Inc. (Aug. 5, 2009), available at http://www.courier-journal.com/blogs/bullitt/ffsbcomplaint.pdf.

    13. Complaint, supra note 12, at ¶ 2.

    14. See id. For more on how a Zeus Trojan Horse attack on a bank account works, see Elinor Mills, Zeus Trojan Steals $1 Million from U.K. Bank Accounts, CNET NEWS (Aug. 20, 2010), http://news.cnet.com/8301-27080_3-20013246-245.html.

    15. See, e.g., Krebs, supra note 3.

    16. See id.

    17. In this and similar scams, U.S. law enforcement usually apprehends some or most of the U.S.-based intermediaries, or mules. See, e.g., Krebs, supra note 3.

    18. For more on this, see Susan W. Brenner, Cybercrime Metrics: Old Wine, New Bottles?, 9 VA. J.L. & TECH 13, 18–19 (2004).

    19. See, e.g., Brenner, supra note 2.


      within various U.S. states or other nation-states.20 Officers from the jurisdiction in which the victim was attacked therefore must conduct an investigation that differs from the parochial investigations with which police historically have dealt.21

      In traditional investigations, officers focus on a physical crime scene because in the real world it is impossible to rob, assault, murder, rape, or otherwise victimize someone without being in physical proximity to them. This means the perpetrator is likely to leave physical evidence at the scene of the crime and to have been observed arriving at or leaving the crime scene.22 Given the need for physical proximity between perpetrator and victim and the constraints involved in fleeing the crime scene and disposing of evidence or the proceeds of the crime, traditional investigations are almost always conducted within a specific jurisdiction, i.e., within a single nation-state or within a constituent state in a federal system.23 That, in turn, means that the investigation will almost certainly be conducted pursuant to the law of a single jurisdiction.24
      As the Bullitt County bank theft illustrates, and as is explained elsewhere, this is not true of cybercrime.25 Physical proximity between perpetrator and victim is not required; the crime scene and the evidence it encompasses can, as in the Bullitt County case, be scattered across two or more nation-states, which means the investigation will implicate the laws and the law enforcement officers of more than one jurisdiction.26
      This creates scenarios with which law enforcement officers are ill-equipped to deal.27 As scholars have explained elsewhere, the methods that law enforcement has traditionally used, on the rare


    20. For more on this, see Susan W. Brenner, “At Light Speed”: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 J. CRIM. L. & CRIMINOLOGY 379, 416–81 (2007).

    21. For more on this, see Brenner, supra note 2.

    22. See id.

    23. See id.

    24. See id.

    25. See id.

    26. See id.

    27. See id.


      occasions when transnational evidence gathering was necessary, are far too complicated and cumbersome to be effective in this context.28 And in some instances, they may simply not be available; one country may not, for example, have a mutual legal assistance treaty with another.29 This leaves the investigating officers with two equally unattractive options: end their investigation or possibly violate foreign law in their efforts to obtain evidence.30

      This is precisely what happened in 1999, when the Federal Bureau of Investigation was investigating a series of intrusions that originated in Russia and targeted “the computer systems of businesses in the United States.”31 The attackers stole financial information from the victims’ computers and tried to extort money by threatening to expose sensitive data to the public or damage the victims’ computers.32
      After one of the attackers identified himself as “Alexey Ivanov” and the FBI confirmed that he was in Russia, the Department of Justice sent a request through diplomatic channels to Russian authorities, asking them to detain Ivanov and question him about the attacks.33 The Russians did not respond to the initial contact or to a repeated request.34 Because the United States does


    28. See, e.g., Susan W. Brenner & Joseph J. Schwerha IV, Transnational Evidence Gathering and Local Prosecution of International Cybercrime, 20 J. MARSHALL J. COMPUTER & INFO. L. 347 (2002).

    29. See id. at 354. A “mutual legal assistance legal treaty,” or MLAT, is a “bilateral intergovernmental agreement that obliges foreign jurisdiction authorities to render assistance” in evidence gathering. Nicholas M. Mclean, Note, Cross-National Patterns in FCPA Enforcement, 121 YALE L.J. 1970, 1987...
