Legal Intrigue in the Cybersecurity Arena
Legal rulings in the cybersecurity arena keep getting more interesting. A federal appeals court just recently ruled that electronic searches are excluded from the “plain view doctrine.” This doctrine is based on a legal precedent in which evidence that is in plain view may be seized and used as evidence if a legally permissible search is being conducted. The ruling was in response to a case in which the US government had obtained a court warrant to find records potentially relevant to a drug testing company that is suspected of having provided illegal steroids to professional baseball players. The government investigators scoured through the company’s computers and found evidence related to baseball players other than the ten named in the warrant. Chief Judge Alex Kozinski ruled that the government overlooked constraints specified in the warrant and thus should not be allowed to “benefit from its own wrongdoing.” Additionally, Kozinski stated that the government should not be allowed to access data for which there is no probable cause.
Purely and simply, what happened in this case is that government investigators screwed up, and yet the government in its zeal to crack down on suppliers of illegal steroids to baseball players tried to get away with what the investigators did anyway. At a deeper level of analysis, this ruling realistically reflects the difference between searching for evidence in a computing system versus in the physical world. In a computing system, once someone, a.k.a. an investigator, has root or Administrator privileges on that system, that person can now access virtually every file and directory in that machine. An investigator in the proverbial heat of battle might very well be tempted to “take a shortcut,” so to speak, by accessing files that are not specified in a warrant. I suspect that a fair proportion of investigators feel that because they are in “cyberspace,” they will somehow not get caught.
In contrast, in physical investigations numerous physical barriers, many of which occlude physical objects from view let alone prevent physical access, are almost always present. Suppose, for example, that law enforcement has obtained a search warrant that allows investigators to enter an apartment of a suspected criminal. After entering that apartment, investigators are not likely to see certain things in the apartment—hard-to-find trap doors that lead to vaults or other rooms, ventilation and heating ducts in which contraband or evidence may be hidden, and so on. Furthermore, the search warrant used for access to this apartment will not allow access to the apartment next door after clues about the use of the next-door apartment in a crime are discovered in the first apartment. The negative consequences of law enforcement entering the second apartment without a warrant serve as a strong deterrent to doing so.
Alex Stamos of iSEC Partners Inc. has added even more intrigue to legal issues surrounding electronic searches by arguing that the recent ruling in the case of the drug testing company is not likely to apply to information stored as part of software as a service (SaaS) as opposed to information stored on a company computer because there are fewer legal obstacles to accessing the former. I fail to comprehend Stamos’ reasoning. Just because information owned by a variety of organizations happens to reside on a single computer does not allow someone with a warrant to obtain information belonging to company A to access company B’s information any more than the investigators in the case of the drug testing company’s computer. But who knows—Stamos could possibly turn out to be right. In a country with common law, as in the US, laws are passed, but their meaning is defined by court rulings. So let’s wait for the first ruling concerning a law enforcement search of a SaaS-related database to occur. Whatever the outcome is, rest assured it will again be intriguing.