Just because a home computer might be hacked does not mean that an average user doesn't expect his experience on that computer to be private. Every area of life might be breached by determined intruders and, if that were the test of having a expectation of privacy, then every area of life would flunk it. Your home, your car, your bathroom, your bedroom, you name it. In reality, of course, break-ins, hacks, and other intrusions are the exception and not the rule in the areas we commonly regard as private. If the legal test on protecting privacy were to turn on whether break-ins or hacks were a regular element of the environment (however infrequent), then the exception swallows the rule and privacy is no more. This judge's ruling essentially embraces such logic and is thus wildly out of line with existing law regarding protection against unreasonable searches and seizures.
Also bad judging in reaching the issue gratuitously: the main issue here was whether a particular warrant was misused; it was unnecessary to decide what would have happened without a warrant of any kind. Yet the judge reached to inject his obiter dictum into the analysis as a sort of by-the-by, "here is what I would rule if other issues were before me."
Why such an outcome? As the lawyers say, "hard facts make for bad law." You have a despicable perp doing vile things and the natural instinct is to want to nail him. Just as, conversely, when you have a sympathetic person who has being seriously wronged, the natural instinct is to do what you can to help him get justice. In either case, judges and juries will be more prone than otherwise to engage in results-oriented jurisprudence and will thus try to bend and shape the law to that purpose even if the law objectively says otherwise. This factor may help explain why the judge did what he did. It does not make it right.
Finally, bad judging means, in this case, bad precedent and this decision will surely have pernicious effects until the day comes when its run is ended by a higher court. For this case, that day will surely come. It is a bad decision all around.
The absurdity of this is everyone - and I mean everyone, judging by private browsing habits - has an "expectation of privacy" when it comes to their home computer. So the judgement here is absurd on its face. This isn't standing naked in front of a bay window, there's no real room for interpretation.
So when a judge says there isn't a reasonable expectation of privacy, he/she isn't even being honest with themselves, let alone the entirety of the computer-owning public. This is a bald-faced hand-out to law "enforcement" and has no bearing in reality.
He may not be a member of the computer-owning public. The article refers to him as "Senior U.S. District Judge Henry Coke Morgan Jr.". Senior status is not a title like Senior Engineer[1]. Rather, it means that he is actually semi-retired: He is paid his pension and travel expenses and has discretion over which cases to take. For example, there is one judge that is basically retired and lives on Cape Cod. However, he occasionally holds court down there in order to handle traffic cases for those caught speeding on federal land so that they don't have to go up to Boston. Judges on Senior status often decide to not do sentencing and they pretty much universally decline to hear Child Porn cases.
There is some fraction of Senior Status judges who don't use Outlook or Gmail but rather have their secretaries print their emails, they handwrite the responses, and their secretaries type up their emails and send them.
Considering all of this and the fact that he was born in 1935[2], he may genuinely believe that if he has a home computer that infection with viruses and weird pop-ups is inevitable.
Sources:
[1] a talk given at the Haystack Observatory by the Clerk of Court for the District of Massachusetts
Edit:
Of course, this isn't the majority of judges by any means. Many of them are comfortable writing opinions from their iPad while at an airport. Also, consider Scalia's opinion in Riley v. California, which this opinion would seem to directly contradict (once I can actually find the pdf...)
I was involved in a drawn out litigation over discovery once as a technical SME. Our attorney and the rest of us were very nearly held in contempt for not producing material.
Turns out the judge, in whose chambers there was a picture of him on an all-American football team in the 1960s, was dumbfounded that a DVD could contain 80,000 emails and about 30,000 other documents. The opposing counsel, equally aged, agreed.
We were literally saved by lunch -- we were able to track down the judges clerk and get her to translate.
Hi, I found your comment by ctrl+f for 1935 (and 80, 81: his current age).
Yep, I agree. While I hesitate to participate in age-based discrimination, my gut feeling on this is that he simply isn't qualified to make a ruling about the nature of digital privacy.
>Edit: Of course, this isn't the majority of judges by any means. Many of them are comfortable writing opinions from their iPad while at an airport. Also, consider Scalia's opinion in Riley v. California, which this opinion would seem to directly contradict (once I can actually find the pdf...)
That's actually true though. Not burglars exactly, but the police absolutely can peer through gaps that you accidentally leave in your windows, even if you expect to be private inside. The court ruling even refers to this example.
Sometimes people on HN complain when security researchers are threatened with prosecution under the CFAA. Well, which is it - is exploiting vulnerabilities more akin to peering through someone's window blinds with unintended gaps, or burglary?
People have been found guilty of changing a URL by incrementing the client number. Then when the police infects a computer with a targetted worm, we're told it's "peering through open windows"...
Seriously? I have taught people to do that. Not to access information they aren't authorized to have, simply because it's faster than filling out the web form...
This depends highly on context. The Jones intrusion/trespassing test and the Katz reasonable expectation of privacy test are generally used to determine whether police observations from the curtilage (the area surrounding the house) constitute a search.
For example, a Florida appeals court recently ruled that peaking through "a gap accidentally left in a window" was violative of the Fourth Amendment.
There's a whole series of window peaking, gate crossing, fielding entering, etc. cases. They tend to turn on the very specific facts of the case, such as whether the police intruded on a private space to look through the window, or whether the occupant sufficiently indicated that the space was private.
In this case, they installed malware which is akin to breaking in.
It isn't simply like the Silk Road case where a misconfigured server leaked an ip. Which is akin to peering in through the cracks.
It is also very easy to make hypocrites of people in cases like this. Break into the home computes of the people who brought this forward and see if they stand behind their argument.
Curious whether this precedent could be used to argue that Snowden acted legally. After all, leaks happen routinely, and the technical difficulty of copying documents onto a thumb drive is minimal. Clearly, then, the NSA has no reasonable expectation of privacy for any document that it keeps in electronic form.
You could argue that, but you wouldn't win, despite that being a logical next step to this ruling. Judges and legislators today seem to arrive at their preferred judgment first, then work backwards to see what kinds of precedents or reasoning they could massage to justify their rulings. If you're looking for consistency and logic in the US justice system you're going to be disappointed.
Most regular people are idiots and have little grasp of formal logic.
Judges are supposed to be experts at the law and better at this stuff than "regular normal people". That's why they spend years in law school, and why judges aren't just randomly selected from the general population.
People have an OK grasp of formal logic, that is the formalism. It's learned at an early age, it's prerequisite for deductive (or inductive?) learning actually. Most might lack the cognitive ability to exercise those formalism in an abstract synthesis into long formulas.
No, people suck at it - just look at your first sentence. There are a lot of likely reasons, my favorite being evolutionary pressure: 10,000 years ago two men see the tall grass twitch, while one scrambles up a nearby tree the other considers the cost in energy expenditure to flee vs the likelihood of a tiger attAAARGH. We can't trust brains to the point where we have to invent highly structured methods: https://en.wikipedia.org/wiki/Analysis_of_competing_hypothes...
What's got energy expenditure to do with logic? Isn't what you talk about Bayesian Inference?
> while one scrambles up a nearby tree
I'm not sure that is just a nervous reflex or the result of the logic implication "If that's a Tiger and I stay then I will die". Even if the thought becomes hardwired, it would have to have been logically evaluated before it became subconscious. To react and be afraid, the danger must be recognized and categorized, "If the grass twitches then something moved it", etc. etc. Going down that argument, small life forms would be able of some small amount of logic reasoning, too. As long as those grow bulks of neurons, I don't see why that should be wrong.
Nothing, but it has everything to do with the point immediately proceeding - evolutionary pressure.
> ...it would have to have been logically evaluated before it became subconscious.
Yes, and at that point it would no longer be logic based - it would be pattern matching. The human brain is a pattern matching machine, because historically that has offered a major advantage. For your position to be true, that such a flight mechanism is logic based, then you would have to believe that the behavior would immediately change in the event of conflicting information being presented. That doesn't happen, see confirmation bias (or any other kind of bias).
> What are you trying to say?
Exactly what I did. Your statement was illogical, but I'm starting to suspect that we might not be conversing in your native language - which would also explain it.
Considering that in many places judges are elected, I'd consider that fairly close to randomly selected. Nobody is being particularly ardent in their vote for judges, and as a result basically anyone who runs for the position with the largest advertising budget can win.
Elected judges made sense back in the frontier days, just like elected county clerks.
These days, they simply don't. They need to eliminate that entirely. These positions should be appointed by elected state legislatures or elected county governance boards (actually, the clerk position should simply be a salaried employee position).
Well, unless justification and judgment aren't pretty much synonym, that's a contradiction? The subconscious decision met by such a judge should be guided by an organic sound understanding of justice. The verbalization of this kind of emotion should only bring up the true reasons of thought, maybe polished and cut short. At least, that would be my lame excuse.
Doubtful. Expectations of privacy and their bearings on 4th amendment search reasonableness don't have much to do with Snowden's case. The NSA isn't arguing that a government search was unreasonable, nor are their expectations germane; what Snowden took wasn't "private" in a 4th amendment sense, it was classified, and he'd be prosecuted under the Espionage Act.
He signed a bunch of documents where he promised to not disclose anything. He was perfectly aware that he was violating those agreements as well as probably both civil and military law.
Regardless of how important an impact the release had he's still a traitor to the US. No number of "privacy is an illusion" rulings will change that.
I presume that capital punishment is an option for traitors which makes getting of the hacking charge a minor thing anyways.
Not everything disclosed in the Pentagon Papers was illegal either. If the requirement is that everything in the disclosure needs to be illegal, then whistleblowing is de facto illegal.
Releasing the Pentagon papers was illegal, but Ellsberg's prosecutors messed up, violated the law in a number of ways themselves, so he got off.
The way to whistleblow legally is either to carefully go over the material and only release parts that are illegal, or report it to the higher authorities instead of the public.
The TFA case concerns 4th amendment rights against self-incrimination. Snowden's case isn't a 4th amendment case. Therefor, precedent, if any (and Reilly seems to specifically trump the judge's decision) wouldn't apply.
Snowden's various NSA oaths are supersceded by his oath to uphold and defend the Constitution of the United States. Which he did.
Snowden wasn't acting as a law enforcement officer performing a search of personal information subject to the 4th Amendement, but as a citizen and US Government employee or contractor, having sworn an oath to defend and protect the Constitution, to do so through exercise of his own 1st Amendment free speech rights.
It's also worth pointing out (because the article makes a hash of things), that the case involved two different issues: expectation of privacy in the IP address, and expectation of privacy in the contents of the computer.
The first decision is reasonable: no matter how you try to obscure things, an IP address is public information. Some third-party must have your IP address in order for you to receive packets.
The second decision is, of course, unreasonable. Saying you have no expectation of privacy in the contents of your computer because it can get hacked is like saying you have no expectation of privacy in your house because it can get broken into.
I suspect that on appeal, the former decision will stand and the latter will not.
> However, the Court FINDS that any such subjective expectation of privacy - if one even existed in this case - is not objectively reasonable. SA Alfin testified that when a user connects to the Tor network, he or she must disclose his or her real IP address to the first Tor node with which he or she connects. This fact, coupled with the Tor Project's own warning that the first server can see "[t]his IP address is using Tor," destroys any expectation of privacy in a Tor user's IP address.
I strongly disagree with this conclusion: the only logical conclusion one can make is that the defendant didn't have a reasonable expectation of privacy of he or she participating in the Tor network. But Tor doesn't anonymize users by magically hiding IP addresses but by making the actual origin of a request unknowable. Tor users do have a reasonable expectation of privacy of their IP addresses not being disclosed as the actual origin of some communication.
So no, in my opinion the court decision is not reasonable at all. And by the way, I find the analogy of Tor anonymizing users by "masking" IP addresses, problematic, at least.
Tor doesn't make your IP address unknowable. There is still a node out there that knows your public IP address and can send packets to you. That's what removes the 4th amendment protection.
Which is plain ridiculous. If I were to move away from everyone and let only one person know my new address so they could forward my mail, I'd have no expectation of privacy because /someone/ knows my real address? If we were to extend it so I changed my name and had a network of people forward my mail to someone else with a different name, then that last person still knows my address and real name. That's exactly what Tor does. It's explicit purpose is for privacy!
It wouldn't count unless maybe that person were your spouse or attorney. Your legal protections sometimes extend to those(though I don't know know this to be true in this example).
At least in Oregon, you're required to have your current address on your state id card or driver's license. You need those to get a bank account or for many other services. You also need it to be updated for voter registration. And if you own a business, often your address will be on the record. So your current address would likely not be protected even if you took all those steps.
I think you misunderstood what I wrote ("making the actual origin of a request unknowable"): of course there is a node that knows your IP address, but no node knows both the actual origin and destination (not even the user who generated the request in the case of hidden services) in any communication inside the network. The objectively reasonable expectation of privacy is in who, from all the IP addresses that are part of the network, is initiating a communication.
Who is entering into a polling place is also "public", yet nobody knows who made certain vote.
Such a node exists, that's true, but this is what the mathematicians would call a non-constructive existence proof: you know it exists but you have no idea how to find it.
But they argued that the IP address is freely given, so they didn't need a warrant for this. However, the IP address was freely given to the FBI when it transmitted the other information as what was to be collected by the warrant from the NIT. So the argument that the IP address was freely given was a consequence of their software running on the person's computer. They pointed out that the warrant was legal and specific, and given in the jurisdiction of the issuing magistrate because it was a "tracking" device and the computer made a digital journey to Virginia and the tracking device went back home with them. But then they go on to say that a warrant was not necessary at all because you have no reasonable expectation of privacy when you're on the internet because a bunch of assholes will hack you anyways, and therefore this is equivalent of a police organization peering into your house through slits in your blinds. Since no expectation of privacy, there can be no 4th amendment violation.
It's like saying that if a house is connected to the road that house shouldn't expect to have privacy. Just because there's easy access to the house does not mean that the house can be accessed by anyone on the road.
This is not just bad judging this is bordering onto absurdity.
I'm not sure I completely agree. If my house is on a busy public road, I have no expectation that people won't see it, see who's coming and going, possibly even see things through open windows, etc. I probably would not walk around naked in front of the windows or outside, etc. I'd probably be more concerned about keeping doors and windows locked, or I might install a security system, because I know there's a higher risk of someone breaking in.
If my house is a mile off any public road on a private drive, surrounded by trees, I have a different expectation. I might be more comfortable sunbathing nude, etc. being fairly sure that I'm in a private setting.
If I have a computer and it's not on any network, or only on a private network that I fully own, I expect it is private. At least as private as any papers I have in my desk.
If I use that computer to connect to a public network and access public resources, I have less expectation. I know that at minimum, the resources I access will know that I have done so. I know that it's possible for others on the network to see my traffic. I have exposed my computer to the outside world, and with that comes foreseeable risk, just as I take on foreseeable risks when I do anything else in the outside world.
So I think I agree that by using the internet, I have some reduced expectation of privacy. I think I agree that warrantless monitoring of my activities on the network, e.g. tracking IP addresses and what sites I connect to, etc. is probably OK, just as anyone can follow me around in public and see what places I visit without needing a warrant.
I don't think I agree that this extends into actually invading and searching my computer from the network, even though it may be possible to do that. I think this is like arguing that a warrant is not needed to enter my home and read my mail, on the basis that the correspondence was transported over a public network (the postal service). Or to listen to my phone calls because I'm using the public telephone network. So on that point the judge did go too far and I'd expect that to be overturned on appeal.
So I think there is some rational argument here, but that it went too far in its conclusions.
The term "bad judgment" implies a mistake and some good faith, something a diplomatic lawyer like Grellas would likely do by impulse. Not being a lawyer or obligated to diplomacy here, I'd call it a despicable, bad faith maneuver.
Also, didn't the Supreme Court rule that cell phones, which are connected to the internet, require a warrant, which indicates that there is a certain expectation of privacy? Of course, there's no real difference between a smart phone and a computer.
Smart phones are locked down, harder to hack, and as such might have a greater expectation.
Note that the judge cited the Apple-FBI story:
>Tor users likewise cannot reasonably expect to be safe from hackers. Even if Tor users hope that the Tor network will keep certain information private -just as terrorists seem to expect Apple to keep their data private - it is unreasonable not to expect that someone will be able to gain access
How are smart phones harder to hack? they've been information goldmines for years. java vulnerabilities, bluetooth vulnerabilities, even vulnerabilities from the charging cable.
Regarding android, the latest Qualcomm debacle (FDE is broken) shows that it's not a very safe platform. Add in the google services that store information unencrypted (which nerfs Signal and other "safe" apps), and you have a owned phone.
iPhone's walled garden is, as John Oliver stated, akin to "dancing on the edge of a volcano"; only safe until the next vulnerability arrives. Don't forget that every iOS other than current has been jailbroken/rooted.
Thankfully, Windows Phone is a joke that is being phased out, so we don't have to laugh uncomfortably at it anymore.
This article left out a lot of details, but to me it sounds like what happened is that the FBI infiltrated PlayPen under a warrant granting them access to do so. They then used PlayPen's tor node to trace inbound traffic across the tor network and identify the IP addresses of visitors.
I could be wrong, but if that's the case, it sounds to me like the defendant didn't have a reasonable expectation of privacy. I think of it as sending a letter with no return address. If the letter is addressed to a criminal enterprise, and there is a reasonable expectation that the sender is engaged with said criminal enterprise, to the extent that the FBI can trace that letter back to the sender seems that it would be legal, in my opinion.
However, the TL;DR of this article seems to be that nobody's computer can be expected to be private because everyone's computer can be hacked. I don't think that's what the judge intended with this decision.
Yes, the Judge could have ruled defendant's have a reasonable expectation of privacy for devices connected to the internet. And while it may even be true subjectively, I think the Judge did get it right objectively.
A lot of people in this thread, and you to some extent, suggest that this judge's ruling is the non-digital equivalent of saying a person does not have a reasonable expectation on their home because those too can be broken into the same as an internet connected device. Even in your examples you list "your home" and "your car", but as you know, legally, a home and car don't carry the same expectation of privacy from a 4th amendment analysis. Further, just because a internet connected device and home can be broken into that does not make it a good or fair analogy. Internet connected devices can be broken into by anyone, anywhere in the world so long as they have an internet connection, that is not the case with a home. Nor can people protect their digital data with lethal force the same way one might protect their home. The threats to privacy and the privacy protections for an internet device and a physical home are simply not the same.
Perhaps a better way to distinguish a home and internet connect device is to use other precedent as an analogy. A public phone booth (reasonable expectation of privacy) vs speaking on your private cell phone in public (no reasonable expectation of privacy). Trash in your house (reasonable expectation of privacy) and when you put in on the curb for pick up (no expectation of privacy), might be good for saying non-internet connect device (privacy) and internet connected device (no privacy).
So why don't I think it bad decision?
Lets just say if the Judge did rule there is a reasonable expectation on internet connected devices, it wouldn't stop the Gov. They could always hide behind the non-Gov search/seizure argument in future cases. In other words, the Gov could always say they didn't hack a defendant's internet connected device, that a non-Gov actor searched/seized the data and anonymously provided the evidence to the Gov; therefore, the evidence is not subject to 4th amendment protections. Again not something likely to happen in any of these non-digital analogies (i.e. police are not going to claim the person who broke into your home, while breaking into your home seized evidence of your crimes and gave it to the police anonymously).
As much as we would all like to have a reasonable expectation of privacy on our internet connected devices, we don't objectively; therefore, I think the court reached the right decision. Definitely if the security of the devices improves to keep out Gov and non-Gov actors alike (objective expectations), then our reasonable expectations (subjective) and the law can change with it.
I upvoted you because I believe you made a cogent argument, but I respectfully disagree.
I would argue that it's only relatively recently that people have started to associate an internet connected machine with the potential for a lack of privacy.
People have begun to realize that making a secure device is difficult, but that doesn't mean they don't expect some degree of privacy.
Most certainly don't expect that connecting their laptop to Wifi that they control and pay for automatically reduces the privacy of things contained on their laptop, and only on their laptop to zero.
Further, the expectation is that security and privacy is a feature that all (well, most) companies are actively working to improve, and therefore a fluid definition of an expectation of privacy is dangerous, I think.
Well with or without the upvote, thanks for the reply. I am a lawyer and OP is a lawyer, and ultimately whether anyone disagrees with the judges ruling, I shouldn't be downvoted because I played devils advocate with OP and legally I agree with the ruling. It is law, as OP hints I acknowledge this Judge may very well be overturned at some point, and I even gave an example where I would agree with him being overturned, so the downvotes without replies are bizarre.
>People have begun to realize that making a secure device is difficult, but that doesn't mean they don't expect some degree of privacy.
I totally agree and just think a lot of people in the thread don't understand 4th Amendment law and are conflating 4th amendment analysis of reasonable expectation of privacy with the separate right to privacy.
The Judge's ruling is very limited: In a criminal case the Gov can introduce evidence of a crime they collected from a device connected to the internet they obtained without a warrant.
My point is, even if the Judge said the introduction of said evidence violates the 4th Amendment and should be suppressed...legally such a ruling would still be limited and have no effect of the Gov's actual efforts to collect all that data without a warrant. The only practical effect such a ruling would have is that once the Gov has evidence of a crime then they will obtain a narrow search warrant or alternatively (as I mention above) introduce the evidence as collected by a non-Gov 3rd party (not subject to 4th Amendment protections).
>Further, the expectation is that security and privacy is a feature that all (well, most) companies are actively working to improve, and therefore a fluid definition of an expectation of privacy is dangerous, I think.
Yes, fluid definitions can be dangerous, but it can also be the most beautiful and powerful thing about the law. One such example separate but equal being defined constitutional in Plessy v Ferguson, then being redefined as unconstitutional in Brown v Board.
> Yes, fluid definitions can be dangerous, but it can also be the most beautiful and powerful thing about the law. One such example separate but equal being defined constitutional in Plessy v Ferguson, then being redefined as unconstitutional in Brown v Board.
That is certainly a good point, however I guess I'm projecting my bias by presuming that this particular ruling should have skipped over the Plessy v Ferguson equivalent and landed immediately on Brown v Board.
I think a reasonable expectation of privacy should be the goal for everyone manufacturing hardware and developing software, especially as the world gets more and more connected.
The fact that it's not a reasonable expectation for a layman is a black mark on our industry (software and hardware), and is something we should work to change (by actually making secure software).
[Edit:] furthermore the fact that DoJ etc are sitting on zero-days, thus decreasing (by not increasing) the security of our systems is most definitely a negative contribution to this fight.
> Internet connected devices can be broken into by anyone, anywhere in the world so long as they have an internet connection, that is not the case with a home
A home can be broken into by anyone, anywhere in the world so long they communicate that wish to someone who is near and willing to break into peoples home for money.
> Nor can people protect their digital data with lethal force
That's what the legal system is for. They will apply force, lethal in some cases, if a criminal break the law. People no longer need to hire a private army to protect their home.
> the Gov could always say they didn't hack a defendant's internet connected device, that a non-Gov actor searched/seized the data and anonymously provided the evidence
Its a common TV troop in crime shows where the police will break into someones home, and just before doing it, they say into the camera: "when we got here, the door was already open". While its true that the actually police could do this, it is very much illegal, and equally illegal would it be for the police to claim that a non-Gov actor did the break in and provided the evidence anonymously.
> Perhaps a better way to distinguish a home and internet connect device is to use other precedent as an analogy. A public phone booth (reasonable expectation of privacy) vs speaking on your private cell phone in public (no reasonable expectation of privacy). Trash in your house (reasonable expectation of privacy) and when you put in on the curb for pick up (no expectation of privacy), might be good for saying non-internet connect device (privacy) and internet connected device (no privacy).
This seems like an argument for someone looking over your shoulder when using a mobile device, or a laptop, in a public place.
How do any of those examples have any bearing on someone actually hacking the device? Most devices have policy and counter-measures built-in to specifically prevent any kind of unauthorized access.
For example, every device running the popular operating system Windows has a firewall built-in and activated by default.
>How do any of those examples have any bearing on someone actually hacking the device? Most devices have policy and counter-measures built-in to specifically prevent any kind of unauthorized access.
It is not apples to apples, but take the trash example.
Case law holds that you have reasonable expectation of privacy in the trash inside your home (i.e. the Gov can not introduce evidence collected from the trash inside your house without obtaining a warrant). Lets call that the non-internet connected device, which AFAIK would still have 4th Amendment protections.
Now lets say you take that trash to the crub, all the sudden case law says you no longer have reasonable expectation of privacy of said trash (i.e. the Gov can collect the trash without a warrant and introduce any evidence of your crime they collect from said trash). This in my analogy would be the internet connected device, this court says no longer has 4th Amendment protections.
You could put a lock on your trash can that you remotely unlock only when the trash man gets there, but the case law says you lost expectation of privacy when the trash hit your curb (i.e. the internet connection) its not a matter of the ongoing defensive measures you took to maintain privacy. Moreover, if I shredded documents evidencing my crime that I then put on the curb, I do not regain my expectation of privacy (4th Amendment protections) because I took defensive measures to avoid anyone being able to read the documents.
A better analogy to taking the trash to the curb, in this example, would be disposing of your device or hard drive. So if your hard drive is not encrypted and you throw it away without securely erasing the data or adequately physically destroying it (the equivalent of shredding paper documents), then you have no reasonable expectation of privacy.
By taking the trash to the curb, or throwing away your hard drive, you signal that you no longer care about said trash/data. You probably still care about the data on the device that you haven’t yet decided to throw away. The point is you can review how much of the data, if any, that you’re throwing away, you don’t care about. Someone hacking your device doesn’t give you the opportunity to make this consideration.
To continue with your analogy, hacking a device that someone still owns is exactly like breaking into someone’s house to go through their trash. The internet connection is just a medium by which the break-in occurs.
>The point is you can review how much of the data, if any, that you’re throwing away, you don’t care about. Someone hacking your device doesn’t give you the opportunity to make this consideration.
I see your point, but playing devil's advocate why is the opportunity to consider what data you put on the curb or that is on a device you connect to the internet any different? Surely you can elect to drill a hole in your hard drive before putting it on the curb and you can remove any and all data (including evidence of a crime) from your device before you connect it to the internet.
I do understand the argument you’re making here, but I’m not convinced. Let’s consider a few similar examples with mediums other than internet:
1) Should the government require warrant to monitor the way you use electricity to see what’s on your screen, or to steal your encryption keys?[1][2]
2) Should the government require warrant to listen to the vibrations your water pipes carry and eavesdrop on the conversations inside? (hypothetical afaik)
Maybe the difference here is that Internet is not, by law, considered an utility in the U.S. Should that make a difference? I think, logically, no. If the government cannot, without a warrant, implement side-channel attacks like the one listed above, then it definitely shouldn’t be allowed to actually actively exploit a device that’s simply making use of some utility, even a digital one.
More to the point, no one intends to make their data public, any of it, simply by connecting to the internet. That’s the determination you make when you actually copy that data anywhere, or when you use any web service, including this site. So no, there is no opportunity to review what you want to reveal, because there is no intent to do so in the first place.
Funny you mention water pipes: they are an attack vector that's considered in TEMPEST shielding to block emanation attacks per what a professional told me. It's one of reasons you won't see bathrooms in many TEMPEST computer rooms that are otherwise self-contained. Anything that conducts plus power lines.
Danger of your argument is that the majority of users expect privacy and that their systems are secure.
My experience is that the average person today assumes their devices are not secure and any information they have is accessible to the government without warrants.
Same argument could be made about my house or my mail. I can only really expect privacy in both cases from the good actors in society, the people that respect a locked door, closed blinds, or the federal laws against opening my mail.
I guess I expect my privacy/security in most cases, but I'm aware of the realities and try to prepare for that privacy/security to be violated.
What matters for purposes of 4th amendment jurisprudence is whether or not someone's expectation of privacy is reasonable, not whether or not their expectation is fulfilled.
What constitutes probable cause for a search is relevant. The judge is arguing that all devices connected to the Internet are probably hacked and that as a result of the devices already being hacked, there is no reasonable expectation of privacy.
Despite how many computers are hacked, I posit it's mathematically (factually) incorrect by a wide margin that the majority of Internet-connected devices are hacked.
That alone, if it is the force behind the judge's opinion/ruling, makes it invalid, right? Facts? Or do they have no place in a modern US courtroom?
If it's "safe to say", then there should be some statistical evidence backing this up, no?
At least in terms of viruses (the most common means of infiltrating a home computer), the percentage of households affected by any kind of computer virus is 40% according to http://www.statisticbrain.com/computer-virus-statistics/ (which in turn comes from data from Microsoft and Panda Security, among other places). This doesn't seem to define what "affected" means, however; it could mean that at least one computer was infected, or it could mean that they received a bit of spam from a non-household family member or friend whose computer was compromised.
The 4th amendment and surrounding case law deals with two distinct issues (actually, more than two, but two relevant here): that some searches require warrants and some do not, and that for those that do require warrants, probably cause must be shown in order for said warrants to be obtained. "Reasonable expectation of privacy" is the standard for deciding what is or is not a warrant-requiring search under the 4th amendment (see, e.g., Katz v. US). "Probable cause" is, given that something is a warrant-requiring search, the standard that needs to be met in order to get the warrant. The former is the one relevant to this discussion, not the latter.
I'm much less skeptical than the median HN poster about government's use of new technology in its traditional roles of criminal justice and national security, but if this article is a fair summary of the case, I can't see how the ruling makes any Constitutional sense.
Because burglars regularly break into people's homes or cars doesn't make them subject to warrant-free search. If the FBI wants to run code on my CPU in my private home without my permission, they should have a warrant, just as they'd need one to manipulate other objects in my home without my consent.
Even as a programmer I would much rather have to get through "… houses with WALLS …" than through reasonably strong encryption, the task might require strength, but is quite straightforward.
In California, police can peer into car windows without a warrant. That's one reason police always seem to be carrying a mag-light when they pull someone over. (The other being that mag-lights are heavy and useful as clubs.)
Oh yeah. Another piece of advice I've often heard is that, if police come to your door asking questions, it's prudent to step outside to speak with them, rather than speaking with them through an open door. If they see something suspicious through your opened door, they can reasonably claim probable cause and force entry.
This may be all BS. But it's advice I've heard more than once.
If police are doing a "knock and talk", they don't have a warrant. Barry Cooper had the best script for that:
If police are knocking, lock your door and say through a window: "I don't talk to police; have your dispatcher call me. If you have a warrant, here are my hands, go ahead and kick the door down". Then cover your ears, close your eyes, and wait.
The problem with those kind of scripts is that while they correctly account for not accidentally exposing yourself to the Police (without a lawyer present etc), they fail to account for the consequences of getting in the police's nerves and looking like a suspect in their eyes (which can get down to them downright making stuff up or planting stuff on you).
if police are targeting you, they're likely to make stuff up or plant evidence anyway.
If you feel you can't handle your affairs, make sure to lawyer up as soon as the police leave your house. You'll need to. let the lawyer know what you did, so he can take appropriate action.
Just remember that a lawyer, should (s)he put your needs above the needs of The People or The Court, (s)he would be disbarred. So don't expect magic to happen.
> Genuinely curious, do you need a warrant to look through a window.
Home windows? If it is visible from a place where a normal person going about their normal activities can see, then no warrant.
For example, if someone walks up your walk to your stoop and there are windows that can been seen through from there, then no warrant. If they have to step off your walkway, walk around the side of your house, scramble through your bushes and pull themselves up to peer through, then a warrant would be required.
I think you can be charged with public indecency if you stand in front of your window naked. So there is some sort of gray area when talking about the privacy of your home.
Hmm. I don't agree with the ruling either. But I don't think this analogy does the original argument justice.
The point of mentioning "accessing the internet" is it's a lot easier for the hacker to scale up their wrongdoing with ease. It's much simpler to put a virus of some sort (say, a fake download button on a media sharing site) and reach a large audience, than it is to break into the homes of a similarly large group of people.
Where I primarily disagree with the judgment is that this notion makes it a "virtual certainty" that hacking occurs for any given person. Smart browsing habits, and general computer literacy, can make the odds decrease to near zero.
Not only that, most places(?) have fire codes that mandates that all houses are easy(ish) to break-in to. Maybe not easy to sneak into, but certainly easy to break-in to. Because the fire department and emergency services need a way in.
I suppose the analogy would be that just because Microsoft has the power to remotely upgrade your windows 10 install (and potentially install any back-door), that should not violate your expectation of privacy.
I feel bad for the judge. He's bending over backward to rationalize the end justifying the means... and he's dead wrong.
His argument is essentially that if your house is connected to a road, then there is no expectation of privacy.
I expect the ruling, or at least that absurd part of it, will be overturned or superseded. But the counter argument (for future cases) would be that running through a physical firewall is not a direct connection to the internet (silly as it is to make the argument).
Did you read the ruling? Do you have any specific critiques, and do you think the multiple precedents cited are applied incorrectly?
Edit: I've gone through most of the relevant sections. Most of the ruling is reasonable, the section this article and the EFF are complaining about is less supported by precedent.
The actual legal argument says that hacking is common enough that people don't have a reasonable expectation of privacy, then there's this paragraph:
>Although this Court recently noted in dicta that the possibility of hacking "is not enough to defeat an individual's reasonable expectation of privacy" because it is illegal, see United States v. Darby, No. 2:16-cr-36, ECF No. 31 at 10-11 (E.D. Va. June 3, 2016), this Court stresses that child pornography often resembles an international crime. Similarly, much hacking occurs by foreign nations where the governments condone or participate in hacking. Child pornography is not just a national issue; it is an international issue, and at least a portion of the pornography in this case arrived from foreign sources through the World Wide Web
This seems to be the weakest part. It's saying that hacking can't be the basis for a lack of expectation of privacy, but that since some countries allow hacking, it's legal there, and if you're accessing stuff from other countries you no longer have the expectation of privacy.
The heinousness of the crime does not justify giving up or overriding Constitutional freedoms. Never. Not ever.
And if anyone is in place to protect us from that level of overreach, it's a judge. I cannot believe he's pulling a "won't someone think of the children!" in justifying (and creating some janky circular logic) this ruling.
The scariest precedent here is the level of crime dictating the flexibility of constitutionality.
I think you're misreading it. He's not saying that the heinousness of the crime justifies it, he's saying that by accessing child porn from another country, the defendant opened himself to hacking risk and as such has no reasonable expectation of privacy.
An unlocked car (which is the closest legal analogy, I think) is a bad fit here. If we're really going to search for analogues let's pick one that really matches what's going on in digital communication: physical communication.
Whoever, without authority, opens, or destroys any mail
or package of newspapers not directed to him, shall be
fined under this title or imprisoned not more than one
year, or both. -- Title 18 § 1703(b)
What if the "computer" on the internet is my pacemaker, and it uploads a data stream to servers in, say, Dublin. Does that mean I should not have a reasonable expectation in the U.S. for privacy of that data? That kind of rationale is bad in principle and bad law.
If you're uploading information to a third party, you no longer have privacy rights under the third party doctrine. That's very well established precedent.
As I said in another comment here, the issue is when it goes beyond such information like IP addresses and goes to actually hacking, which involves running code on the victim's computer.
Any web page can include content from any country. Country TLDs don’t correspond in any way to where the content is hosted, and for most people even using DNS-resolved URLs is advanced. However, mostly thanks to IPv4 exhaustion, not even IP blocks correspond to geographical location anymore[1].
And all of this doesn’t matter anyway, because of how packet routing works. No one accessing the Internet can be reasonably expected to have any control over how their packets are routed on the network. You only control the next hop[2].
So I would agree to the extent that there can be no expectation of privacy for any unencrypted traffic. However, that’s just one type of hacking – snooping.
As for actual hacking – that is someone breaking into your system – this system has to be running on something, some sort of device. This device has to be physically located somewhere.
If an Elbonian comes to US and breaks into your house is it okay because in their country there are no lock on the doors, just a lot of mud, so breaking is not a crime? This is the logic here, as I see it.
What it ultimately comes down to is the US government wants to have it both ways. They want to be able to extradite people that hack into devices located in the US, but they want you to have no expectation of privacy when they are the ones doing the hacking.
>If an Elbonian comes to US and breaks to your house is it okay because in their country there are no lock on the doors, just a lot of mud, so breaking is not a crime? This is the logic here, as I see it.
If they came to the US they would be subject to US jurisdiction. Hackers from other countries aren't, at least not always.
Edit: I mean prosecution. Jurisdiction applies whenever there are effects in the US, see link below.
This is my point though. The US government claims they have jurisdiction when it suits them. Guccifer is still in the news and fresh on everyone’s mind.
Personally it never made sense to me how one can be subject to some random foreign country’s law by just using the Internet. But if that’s the doctrine it should at least be applied consistently.
I spoke incorrectly above. They always have jurisdiction if there was damage in the US. The point is that they can't get access to the person if they don't have an extradition treaty with the country they're in, but that's not jurisdiction, my mistake.
("No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.")
Not comedy. One reason for "quartering soldiers" was to obtain evidence and to intimidate within a private space. I've long held any form of broadly imposed in-privacy monitoring (including compulsory back door keys) is a 3rd Amendment violation, especially if the individual is practically paying for it.
Wikipedia and news articles should give you the details.
I'd say lack of access to law (as well as its unbearable complexity) is an issue of due process and the fundamental rule of law.
But you can't look to the Constitution to dictate everything - its drafters could not anticipate all future developments, and if the government is that citizen-hostile a piece of paper won't stop it. That which the Constitution does specify should be considered more as "behavioral tests", and currently the majority of our test report is failure.
The counter-point presumably being that law enforcement are not soldiers? Maybe the 3rd amendment has been interpreted as applicable to all government agents.
>> ...but if this article is a fair summary of the case...
Thanks for that. A good reminder that we need to think that every time we read anything like this. Just asking a simple question, "Did they get this right?" and even taking a minute to read through to the actual primary source.
"For example, hacking is much more prevalent now than it was even nine years ago, and
the rise of computer hacking viathe Internet has changed the public's reasonable expectations of
privacy. Cf Lee Raine, How Americans balance privacy concerns with sharing personal
information: 5 key findings, PewResearchCenter (January 14, 2016),
http://www.pewresearch.org/fact-tank/2016/01/14/key-findings...
(reporting that members of a focus group "worried about hackers," though "some accept that
[privacy tradeoffs are] a part of modern life"). Now, it seems unreasonable to think that a
computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in
today's digital world, it appears to be a virtual certainty that computers accessing the Internet can
- and eventually will - be hacked."
"Thus, hacking resembles the broken blinds in Carter. 525 U.S. at 85. Just as Justice
Breyer wrote in concurrence that a police officer who peers through broken blinds does not
violate anyone's Fourth Amendment rights, jd. at 103 (Breyer, J., concurring), FBI agents who
exploit a vulnerability in an online network do not violate the Fourth Amendment. Just as the
area into which the officer in Carter peered - an apartment - usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other
circumstances is not protected from Government actors who take advantage of an easily broken
system to peer into a user's computer. People who traverse the Internet ordinarily understand the
risk associated with doing so. Thus, the deployment of the NIT to capture identifying
information found on Defendant's computer does not represent a search under the Fourth
Amendment, and no warrant was needed."
The judge conveniently disregards the difference between passive observation and active intrusion. Breaking into someone's computer is no different than if the officer had broken the blinds themself, which clearly would not meet the test described by Justice Breyer.
"But whether the Constitution really be one thing, or another, this much
is certain - that it has either authorized such a government as we have
had, or has been powerless to prevent it. In either case it is unfit to exist.”
-- Lysander Spooner, No Treason
That's an unanswerable question, since we cannot compare a control Earth where the U.S. Constitution was adopted in 1783 and an experimental Earth where it was never ratified.
It is axiomatic that the present we now know inevitably followed from the history that preceded it. When you look at the U.S. federal government that now exists, it must have assumed its current form either by design of the Constitution, or contrary to that design. In case of the latter, the Constitution was entirely unable to prevent the government that it established from evolving into a form contrary to its design. Maybe the process was slowed somewhat. We cannot know for certain.
Therefore, if you dislike the current form of US federal government, it is nonsensical to idolize the Constitution, or any other causally-related fact of history. History gave us the present. If you do not like the present, and wish the future to be different, do not repeat the mistakes of the past. Whether history could have given us another present is irrelevant, because it did not.
In the end, whenever a living human fights with a document, the human will emerge victorious, and the document will become confetti. The Constitution is nothing without a living human to be its champion.
Also flawed logic. Our options are not simply Constitution or No Constitution. There are a near-infinite number of unique constitutions we could have adopted, rather than the one we've got.
Spooner was criticizing the actual form of our current Constitution. GP was making an appeal to the Constitution and the judicial system's ignoring of it. I agree with Spooner that a Constitution such as ours is completely powerless to prevent individual judges from rewriting every time it fits their fancy.
We've basically had an ongoing Constitutional Convention in the federal courts since the founding -- without the consent of the people.
It is very concerning indeed, but will hopefully not be a precedent. At least if common sense and a basic level of constitutional competence prevails.
Rule 41 is a huge concern---as mentioned in the EFF posts---and risks decisions like this becoming commonplace. As the EFF mentions, it also encourages forum shopping: finding a court lax on fourth amendment issues, in this case.
As far as I remember the CCC wrote an expertise in the ruling and mentioned computerized implants. That was the point were the judges understood that there should be an expectation of privacy on home computers.
Non-American here: glad to hear they can. Will they, in cases like this, do that by themselves? Or should someone (EFF) appeal this ruling? Or can only the suspect/criminal in this specific case appeal?
The defendant must appeal, but someone (the EFF) often supports the defendant through either friend-of-the-court briefs [1] or directly supplying free legal services.
I remember a case where police placed or retrieved something from a car in the driveway without a warrant. The reasoning was that your driveway is not private property.
It might work since one has no expectation of privacy in public and taking picture of him is perfectly legal, making a copy of the document (taking picture) on the machine with no expectation of privacy would be perfectly legally too.
Probably not though. The CFAA still says it's illegal to do anything on a computer that you're not authorized to use. It has nothing to do with expectation of privacy.
That makes no sense. Why aren't the FBI in violation of CFAA, then?
Expectation of privacy defines the bounds of a search. Police searches are not permitted to conduct otherwise illegal activity Just because they are searching.
>(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
So something can't be illegal for the police to do for the sole reason that it violates the CFAA. If it violates something else, I suppose CFAA charges can be added on, though.
This was a federal district judge, who under the U.S. Constitution (Article III) has life tenure and can't be fired; he can be removed from office only if impeached by the House of Representatives and convicted by the Senate after a trial.
The chief judge of the district could cut this judge's case load to zero [0]. In this case, though, (A) that's very unlikely to happen, and (B) the judge would still stay on full salary.
[0] EDIT: This sort of happened, for example, to (now-former) federal district judge Sam Kent in Galveston after he was accused of "inappropriate touching" of female court employees. See http://www.chron.com/news/houston-texas/article/Criminal-cas... Kent later pled guilty to a felony charge of making false statements to investigators; he tried to retire from the bench so as to keep his pension, but that pissed off the House judiciary committee, which pushed through articles of impeachment, which caused Kent to resign. He served not quite three years in prison. See http://bigbendnow.com/2011/08/disgraced-former-judge-complet... and https://en.wikipedia.org/wiki/Samuel_B._Kent
>This was a federal district judge, who under the U.S. Constitution (Article III) has life tenure and can't be fired; he can be removed from office only if impeached by the House of Representatives and convicted by the Senate after a trial.
Ben Franklin had some thoughts on this as documented here:
Judicial elections are ... tricky, but reasonably common. Without public financing for the elections and stronger campaign finance laws, it's really hard to avoid the problem of buying the courts.
> Judicial elections are ... tricky, but reasonably common.
It's state judges (in some states) who are elected. This was a federal district judge; they're appointed for life by the president with the advice and consent of the Senate.
So I can take photos in public because there's no expectation of privacy. Does this mean I can hack into whatever computer I want now for the same reason? Or does a lack of privacy not necessarily mean it's legal to do such things?
The ruling is about whether one has a 4th amendment right to privacy with regard to criminal investigations. You'd still be violating, at a minimum, the CFAA if you broke into someone else's private computer. There are exemptions in the CFAA for exactly this kind of investigatory activity.
But the ruling won't hold, because it is dumb and bad.
Also, does this not mean that cases like Andrew Auernheimer, where he simply used an API to access data that was not protected at all will be found not guilty in the future?
These Playpen cases are all deriving their 4th Amendment bypass based on the IP Address = Phone Number analogy[0].
The judge in this case at least seems to understand where the others did not that the IP Address had to be obtained by questionable means.
But decision reads: "The Court notes, however, that perhaps malware is a better description for the program through which the provider of the pornography attempted to conceal its distribution of contraband over the Internet than for the efforts of the Government to uncover the pornography."
The conclusion is that Tor is more malware than the FBI spyware.
I am not entirely dissuaded by govt's logic re expectation of privacy. Most porn/torrent sites do attempt to install spyware/malware. Everyone knows this. Whether the govt should be doing this is another matter entirely.
I am more distressed by the fact that this judge is allowing the FBI to use this tool and not allowing defendant access to its source code in discovery. This is unacceptable.
I am more distressed by the fact that this judge is allowing the FBI to use this tool and not allowing defendant access to its source code in discovery. This is unacceptable.
So when the government keeps zero-days to itself with plans to exploit them, instead of helping to strengthen security as they should, after this ruling they now have an additional conflict of interest: they have an incentive to keep this line of judicial interpretation viable by keeping security weak.
What about businesses? Should they expect all their computers to be public and if so, doesn't that have serious ramifications for data protection and the prosecution of hackers?
I was thinking the same thing. Also, using this ruling to target business documents would likely be the fastest way to get it overturned. Even if they somehow rule that businesses are different than homes, most executives take all their documents home regularly.
Also Federal courts have computer systems which means all legal documents are now available for access. Unless this Judge thinks it only applies to defendants.
Based on this ruling, why wouldn't the suspect's defense now be "well, my computer must have been hacked, it wasn't me downloading the questionable content. See, look, even the courts have ruled that my computer, for all intents and purposes, is publicly available for all kinds of hackers to utilize for nefarious purposes."
They tried that, and it was rejected in the same ruling. More specifically, they claimed that someone might have MITM'ed the FBI's program to send different information since it didn't use encryption, and that the program may have weakened security settings allowing someone else to plant child porn on their computer. The first was rejected as implausible, as the program sent all its information back quickly (less than a second) and any attacker would need deep knowledge of the program to know what to send. The second was rejected as not supported by evidence (no evidence that the FBI's program changed security settings and a declaration by an agent that it didn't, and also the charges weren't based on the files found on the computer).
And the NIT program didn't give them anything about the person except for some identifying info. They went to the ISP located in florida to find out information on this and then got a traditional warrant to search the house which resulted in them finding the material. They waiting to install the NIT until the person went into a forum and tried to access the pornography. Everything about this to me makes sense with one exception. The judge handled that the warrant was topical and specific, which I agree, and argued that the issuing magistrate could issue it seems like a reasonable interpretation of the rules but I wish they would update those instead of let precedent twist the words a little. But I disagree with the finding that despite all of these hoops the judge finds that a warrant wasn't necessary in the first place. That to me is a stretch. Seems like a better thing was that the system worked. There was suspicion, description of what information to seize, and a triggering event. These were all met and a judge had allowed the deploying of the NIT in these circumstances. Why say that despite all of the checks being satisfied they weren't necessary in the first place, especially with the argument that there can be no expectation of privacy simply by being on the internet.
I'm inclined to agree that there's no expectation of having your IP be secret even when using Tor, but there's an expectation of not having other people run code on your computer. The judge considered this distinction and rejected it.
The IP not being secret is supported by precedent from other cases, it seems reasonable that if the government can trace it back without hacking the computer it should be fine.
From the judge's ruling:
"Just as Justice Breyer wrote in concurrence that a police officer who peers through broken blinds does not violate anyone's Fourth Amendment rights, jd. at 103 (Breyer, J., concurring), FBI agents who exploit a vulnerability in an online network do not violate the Fourth Amendment. Just as the area into which the officer in Carter peered - an apartment - usually is afforded Fourth Amendment protection, a computer afforded Fourth Amendment protection in other circumstances is not protected from Government actors who take advantage of an easily broken system to peer into a user's computer"
The keywords are "exploit a vulnerability". In that sense, I'm inclined to agree with the judge.
Put another way, are broken blinds all that different from an unsecured (though attempting to be secured) network?
The counter might be: using an exploit of any kind is akin to first breaking the blinds yourself.
My counter would be that broken blinds are self-evidently broken, and the owner knows that they don't serve their intended purpose.
The same is not true of broken computer security, where usually the owner believes that the security feature does its job.
I'd say a better analogy would be a lock. The owner believes that the lock works and will keep people out. The fact that the lock can be picked doesn't mean everyone should expect their locks to be useless, nor does it allow the police to pick a lock to get into someone's house without a warrant.
I think this is akin to saying that windows and doors are vulnerable to rocks and bump keys/battering rams, respectively. In the case that police take advantage of the real world counterparts, they're expected to have warrants despite the "vulnerability" because the owner has the expectation that most decent people (the general public) won't exploit it. The standard is whether a member of the public could happen to see inside, not whether it's feasible for them to if they really wanted to.
A broken blind is more comparable to a server (http, ftp ...) with no authentication/password, maybe just for some directories that should have been protected. Also, wifi with no password.
Exploiting a vulnerability is more like using a bump key or picking the lock on the door. Would it be weird if the cops could pick the locks on your door without a warrant (you know they're all crap locks because hardly anyone knows the difference).
The analogy seems to break down a bit. Given that peering through broken blinds likely doesn't violate any laws but exploiting vulnerabilities does run afoul of CFAA (see 18 USC § 1030, a.2.C), merely "peering through the blinds" seems like bad faith.
The CFAA exempts law enforcement agencies so I don't think you are correct.
>This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States
Yes, and even if it didn't specifically exempt them it wouldn't necessarily affect the rules of evidence/fourth amendment stuff. My point was that "if a regular guy did this it would be a crime so maybe it's not quite the same as looking through the blinds."
The difference is the action, right? Suppose there were drapes on the outside, operable from the outside -- could the police operate them to make the window viewable?
If you mean a pane of glass, you are correct. From the street, someone can look through your window. I don't feel this ruling is akin to looking through a window however. It is like walking though an unlocked door (or possibly wide open door). Any sane person would call that trespassing.
>A judge in Virginia rules that people should have no expectation of privacy on their home PCs because no connected computer "is immune from invasion."
Brilliant. Finally we can do away with all the stupid laws we have. Private residences are also not immune from invasion. In fact, even a 9-year old child could easily throw a rock through a window, reach in and unlock it, open it up and do whatever they please. The fridge is not locked with a secure method so they can have whatever they want from there--there's no reasonable expecation of it being immune from invasion and theft, so why should it be illegal? This judge is a genius. In fact, this judge is showing us how important it is to do away with silly laws. No one is immune to being punched, kicked, stabbed or shot, and in fact it is quite easy for someone to do that as a matter of fact, if they certainly decide to do so, so we can finally do away with all those ridiculous laws pertaining to assault, rape and murder as well. Another great day for us. We're making progress in America!
In other news, hacking in East Virginia is now legal.
While the judge's statement and ruling seem to defy both logic and precedent, this didn't start here, and it doesn't stop here. The government and FBI in particular have long been trying to approach and establish the notion that it's okay for the "good guys" to hack, and not okay for the "bad guys" to hack. This ruling doesn't establish that, but will people in favor of this ruling draw the logical conclusion and say what used to be criminal hacking is no longer a crime, that an online bank has no expectation of privacy and it's being hacked and the money stolen is inevitabile? Would this same judge throw out a case of criminal hacking? I doubt it.
Things like this seem to pop up every other week now. It feels like companies and governments alike keep trying to fuck up the Internet, or even the very idea of personal computing. Does any other industry face such ridiculousness on a constant basis?
This ruling makes no sense. My mind makes the invalid phone number noise, "do-do-dooooooo", when I read it.
When I read about decisions like this, I often wonder if judges are purposefully making these nonsensical rulings so that the higher courts are forced to take the cases and make valid decisions. Though, I'm still undecided as to why this might be; perhaps the judge isn't up to the task of making a complicated ruling, some personal bias that favors one side of the law, or wishing to look good in front of the Feds in hopes that he or she can move up in the court system.
The part of the ruling this article is discussing isn't binding precedent, and doesn't affect the case. Even if it were overturned the court would still have found for the government.
If this holds, it would be an excellent defense for any hacker that infiltrates any connected system in the US.
So... hack the government freely now? "You were the idiots that connected the system to the web... you should have no expectation of privacy."
Put a more insane way: "Your doors were unlocked therefore invading your home was not a crime."
This will have to be struck down to preserve our democracy I would think. Insanity.
Total aside: DoJ is really dropping the ball and will have to decide whether they want to prosecute hackers or enable their own hacking. Can't really support both.
So, I'm assuming as long as I'm only spying on his computer or his accountants or his attorneys and not editing his security settings that it's not illegal because it public information.
A much better real-world analogy that would fit this case, that the judge should have used, is: Let's say the FBI intercepts a shipment of illegal goods (either counterfeit merchandise, drugs, whatever). They intercept the shipment before it gets to a distributer, and they want to find out who the end customers are. Would they be allowed to put a gps tracker in the individual packages so that it reports their final location once they reach the end customers?
Having read through the opinion the one thing that strikes me is how completely unnecessary deciding that people with computers connected to the internet, because of the existence of hackers, have no expectation of privacy.
The judge had found, by tighter reasoning, that law enforcement didn't violate the Fourth Amendment in using their tools to find the defendants IP. Then, having gone through that, for no obvious reason, goes on to decide that no one has an expectation of privacy on their personal computers because computers are so full of security holes and hackers are so sophisticated these days that, essentially everyone has 'broken blinds' that anyone else in the world can see through on what would ordinarily be considered a private space.
It boggles the mind.
Up to that point the judge basically says "The defendant decided to go somewhere questionable and do something illegal -- since the FBI was watching, controlling, in fact that questionable place that was more or less public but dedicated to illegal activity, they had every reason to collect information because of probable cause".
Great! Perfect! There is a lot of precedent. I'm reminded of when the FBI took over a biker bar that was known to be a nexus of drug trade and bugged the place and wired it for surveillance and put people who went there and were seen doing illegal things under surveillance themselves. From what I understand, it was a fruitful endeavor. But this is like they did that then decided since the road that connects to that bar also connected to houses that could be seen from the street, any of those houses can be searched. It's insane.
The division between state-sanctioned invasion of individual privacy (in this case) and draconian sanctions on trivial "penetration" actions (like changing the UUID in a URL) for corporate entities using the CFAA is really contradictory.
We need to turn it around: draconian punishments for "law enforcement" members who violate the constitution, and protections for individuals who tinker, probe, or explore without malicious actions/intent.
Well it can't go both ways, either it is or it isn't. So I say hack every computer in Virginia Law Enforcement - because they're connected to the Internet and thus have no expectation of privacy, thus this supersedes precedence for wire fraud charges for just checking stuff out on computers that aren't after all private... you can't have it both ways. The law applies to everyone or no one.
Instead of hacking think of it from the other side: If no computer connected to the Internet has a reasonable expectation of privacy then law enforcement must develop a system to manage all of their data and IT needs that is not connected to the Internet.
Good luck getting that budget passed.
While the the slippery slope is not a valid argument it is always interesting to think about how precedent like this could spiral out of control.
The root of the problem is this BS "reasonable expectation of privacy" criterion.
The criterion should be open and clear: "Does the government need to get on your internet connected PC (or mail, or whatever else)? Is that beneficial to society?".
Whether you expect your mail or PC or whatever to be private or read by others is beyond the point.
Even whether it's publicly visible should be beside the point (the same way that whether you have your door open or not, nobody has the right to just get into your house without your consent).
E.g. one's public moves (location in time) is public knowledge too, but a society should be able to decide that it's illegal for the government (or even companies and individuals) to aggregate that information about a person, or even more so all citizens.
Even if some third parties still have it, your location data on your telco's servers (period) is something very different than your location data on an advertiser's servers or your location data on some government agency servers.
Why do "expectations" of privacy figure so prominently in this? Is it not about rights? Like as in Bill of?
If I walk down a street in a bad neighborhood, I may or may not "expect" to be mugged, but regardless of what I expect, or what anyone placing bets on me expects, I have the RIGHT not to be mugged.
Edit: In other words, mugging is a crime and unreasonable searches & seizures are crimes.
Know what else gets me about this "expectations" bit - it's ass-backwards. Like "hacking happens a lot, therefore hacking is okay." Well, armed robbery happens a lot, therefore that judge has no reasonable expectation of not being robbed at gunpoint - it's totally fine everybody!
For that matter, the child porn they're trying to stop happens a lot. If you're going to be consistent you now have to say no child has a reasonable expectation of not being exploited.
The law is not a weather vane that swings depending on whichever way people want to break it!
- Celebrities have no expectation of privacy on their cell phones (including photos)?
- Home security systems offer no expectation of privacy (they are remotely connected)?
- There is no expectation of security with the IoT?
Computers connected to the Internet are all part of these things.
How about someone in the FBI, CIA, NSA, etc, discussing or storing something top secret on a computer connected to the internet. This is pretty much the same thing as just leaving the document out in public, right? </sarcasm>
I think you would be giving the Court too much credit for putting that much thought into their decision. And I think even more important we know how good the FBI is at "cyber" that there would be no issues in attribution of traffic to an IP address. So this is really blanket permission for the FBI or any .gov to hack anything internet attached.
Oh, I don't think it's too much credit to consider the court thinking about those things. They might do it by analogy and get it all dreadfully wrong, but they often get down to the nitty gritty implementation details.
If Tor is to succeed, the child pornographer must also be protected. Yes, I know this is abhorrent, but you cannot have a service that purports to protect you from the prying eyes of your government (or anyone else) while also being vulnerable to exploits like this one. You may be okay with the government collecting a series of such exploits and deploying them on child porn sites in similar fashion (many people are), but then there's nothing stopping them from using the same techniques to go after people buying drugs, expressing dissent, or simply holding political or social opinions that the government wishes to squash for whatever current reason. At that point, Tor is as good as dead.
Yes, sadly in a sense the judge is correct -- connecting to the Internet can result in virus infections. About two weeks ago, I detected that my computer had gotten a bad virus. Maybe I got rid of it. But last night my computer ran for 9:23 minutes checking for more virus infections -- none were found.
To me, a first criterion of computer security of an operating system is that it be able to run any software at all, including software that tries to be malicious, and connect to any communications at all, all quite safely.
Does meeting this criterion really have to be too difficult?
With this criterion met, the judge will be wrong.
While I have no sympathy for the defendants in this case, computing is important and so is secure computing.
While i dont agree with the Judge, i also detest the criminals they were trying to arrest.
What people should always remember is that statute or no statute, expectation of privacy or not, precedent or no precedent...
The jury system needs to be thoroughly re-educated in their rights to nullification. If we use these precedents to arrest child abuse criminals today and ten years from now it becomes used to quell dissent the jury's who sit for these trials MUST know their power to nullify the trial/law being charged...
From wiki..."The jury in effect nullifies a law that it believes is either immoral or wrongly applied to the defendant whose fate they are charged with deciding."
“The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.”
I am not familiar with this case and was wondering what the FBI did to discover visitor IPs. My first thought was that it was done using javascript and they just nabbed anyone who didn't disable JS. But the article says "visited PlayPen and downloaded images from the site." This quote was used in describing how unlikeable the accused will be to the public and may not have been meant to be taken literally. So, I'm still assuming that it was javascript and not some weird thing attached to an image file.
--separate thought--
I actually haven't thought much about the legality of the Feds running JS on a visitor's computer. I never had any issues with it, even being a complete psycho-libertarian in the extreme. I understand the wording of this particular ruling is distasteful but ignoring that does running JS on a visitor's computer need a warrant?
I'm still pondering it but it seems similar to the Feds busting a store that was a front for selling drugs and then tracking everyone that went in that store.*
The analogy isn't perfect because in the computer case they are actually planting a "bug" in private property (assuming our personal computers are still considered private). Whereas in the drug case the Feds could simply follow these people to their homes and then they know their address.
The analogy can be made better if the Feds put a tracking device inside the drugs that the visitors to the "drug store" purchased. These people then are carrying the tracker into their own home, unbeknownst to them. Similarly the web surfers accessing the compromised site are downloading a tracking script onto their computer without realizing.
My intuition tells me that we want the Feds to need to get a warrant to deliver JS to visitors of a child porn site but not to get a warrant for each individual visitor.
I would be quite interested to hear people's thoughts.
* The use of this fictional scenario does in no way imply my support of the U.S. government's policies on the legality of drugs nor imply recognition of said government's ability to determine this for individuals. :-p
You agree with the judge in all aspects save the not requiring a warrant in the first place-- which i think is the only strange there here at all. The judge ruled exactly as you think. The defendant argued that the warrant lacked jurisdiction, being based in VA and he lived in FL. The rules of warrants allow for implanting of tracking devices in the jurisdiction and its ok if they are then taken out of the jurisdiction. the judge argued that you take a digital trip to Virginia's servers, download the porn, and then head back to florida with the contraband. This met the interpretation of the warrant issuing guidelines so it was a valid warrant under the rules. Further, the warrant specified who and what was to be collected: IP address, mac address and a few others. The IP address was actually provided by the client "voluntarily" when the rest of the payload came back. But the stretch--and just incorrect part, to me, at least-- is that the judge opines that a warrant was not necessary in the first part because the internet is known to be treacherous so everyone knows you can be hacked. He gives a big list of hacks, half of which were government actions, and then points out you can't have a reasonable expectation of privacy, and therefore its not an unreasonable search and seizure.
Indeed, I am in total opposition to the overarching spirit of the article where my personal computer is not my private property because I connect it to the internet.
It is funny to me to have to think about the physical location of a server that I am accessing being important. Like my fate depending on whether I was routed to a server in Georgia vs. Kentucky, something I absolutely do not think about whilst navigating the internet.
IIRC, in this case the FBI served up a "diagnostic" executable to users. Since they're using Tor browser, in general, simply enabling Javascript won't do anything to de-anonymize the user (unless the Feds had a TBB 0-day or something of the like). This executable obviously called out to FBI-controlled servers and provided a real IP.
Basically, the only people they ended up busting were people who for some reason decided it was a good idea to download and run an executable being served by their favorite CP site on the "darknet".
There is kind of a reasonable expectation for sites to run JS on your computer, if you don't use NoScript. I'm more inclined to believe they installed an actual rootkit, though. There are vulnerabilities in image libraries all the time, and people who are just technically proficient enough to download the Tor Browser can be tricked into downloading .exe files.
Without TOR(even with TOR you're still not 100% private, though 99% better than the alternative), your PC/home-router/VPS are 100% public actually, whatever you do can be traced back to you, even the VPS vendor such as DigitalOcean/Linode/etc can connect your IP with you quickly, of course.
VPN can secure the tunnel, still you can be tracked to IP/MAC quickly. Same to P2P network such as torrent etc.
My take is that when you go surfing, considering the device you used for surfing just like your home mailbox, home address, phone number etc, those are pretty much public info that anyone can find out who you are if they are interested in you.
In my reading of this, it appears to apply (in this case) only to obtaining the IP address of the computer, as that is the information in question. To wit, the user was trying to hide his IP address using TOR, and the FBI discovered his IP address with a hack they call a "network investigative technique" or NIT.
Nothing I see talks about the contents of the computer, so in the real world this would be the equivalent of the police tailing you after a crime to find out your home address so they can subsequently get a warrant to search said property.
If it's truly this limited, than I don't have a problem with it.
Funny that they specifically mention 'Home' computers. Wouldn't want the public snooping around on data inside court and government computers now would we... Incompetent double-speaking idiots the lot of them.
Historically, hacking was effectively an active intrusion into a computer system. Similar to breaking into a home. By this judge's logic, that is not the case.
Most "hacking" today is actually downloading some malicious code, which then takes over the computer system. It's like saying, "Hey, come into my house and go through my stuff. But, only take what you want after you've looked through it."
That'll be the next argument made by the government for a ruling. IANAL, but as scary [and wrong!] as it is, it seems logical.
"A judge in Virginia rules that people should have no expectation of privacy in their homes because no house 'is immune from invasion.'"
That's basically the impression I'm getting here. If we're going to base expectation of privacy on whether or not it's possible to break into something, then it's reasonable to assume that this applies to one's own home and that the Fourth Amendment is officially dead in the eyes of this judge.
I would expect that this ruling does not exclusively apply to the FBI. Would this mean that hackers can legally hack any computer connected to the internet?
How is this ruling possibly justified? By that same logic, breaking into someone's house is also legal because no security system is burglar proof. Also what I still don't understand is that the presence of any counter hacking measures (AV, proxy, VPN services) implies someone creating measures to protect their privacy. None of this makes sense,
The only way that makes any sense is if there is a double standard where law enforcement doesn't have to follow the law (4th amendment) but the citizens do (CFAA).
Rejecting the Rule Of Law is dangerous. If the government doesn't respect the laws - including their spirit - then why should the people? You might have notice the recent rise populism. Many people are tired of an oligarchy that only vaguely follows the law that is supposed to be "of the people, for the people and by the people". Rulings like this and other events that don't even pretend to respect the Constitution are interpreted as proof that democracy has already failed.
Brexit, the drama in the recent primaries, and other forms of "trumpism"[1] are examples of the growing blowback. Do you really want to support the path towards more civil unrest and other types of instability?
You're making my point for me. The law is blatantly ignoring the plain reading of the highest law of the land, which creates the double standard.
I'm not talking about a technical reading of the law that takes into account modern legal theories and precedent. This is about the perception that a lot of people have that the social contract has failed. As Blyth said (see my previous [1]), "The Hamptons is not a defensible position".
I never claimed it didn't. Re-read my original post, and maybe watch that 4m video?
I only referenced the CFAA as a law that applies to the citizens. The double standard is that the citizens are supposed to respect the law while law enforcement and this judge are blatantly ignoring their half of the social contract when they skip the warrant requirement.
This isn't really that complicated. Again, legal theory doesn't matter to people that are angry and lashing out at anything they see as "establishment".
edit:
> They had a warrant.
From the article:
The judge argued that the FBI did not even need the original warrant
to use the NIT against visitors to PlayPen.
Of course. That would be relevant if I was talking about the legal theory of the case itself. If you had read my previous comment, you should have noticed that I'm talking about the popular perception.
I'm trying to give you a warning that we've struck an iceberg and the ship of state is taking on water. You're responding with technicalities about an unsinkable double hull. If you're not going to listen to the warning, that's your business.
I view this detail that you're harping on as just such a technicality.
If you want to make a point about the media exaggerating such technicalities to warp public perception, I may well agree.
But you're trying to show that there's a perception that "law enforcement and this judge are blatantly ignoring their half of the social contract when they skip the warrant requirement." This is not a very good example to show that. It may be misinterpreted by people who already want to find evidence of double standards, but it can't be the source of such a perception in the first place. You can't use it as an example of such.
The judgement specifically mentions "home" computers, Does this mean "business" computers do expect privacy? If so what is magical about a "business" computer?
If the judgement applies to all computers connected to the internet that means one can hack into any system legally because the target has no privacy expectations.
There is nothing private about how 90% of internet companies make their money. Expecting otherwise in an industry that isn't geared towards privacy is naive. I wish the court would see it in a different light. But if you want to send a private note, encrypt a letter offline using PGP, print it, and send via US Mail.
One wonders if the wordingnof thenruling also implies that business and government computers - and hence their email - also have no e pe tation f provacy f cnnected to the internet? And I would note that they hacked a Tor node, one which couldat a stretch be called a business rsther than a home computer.
"Belongings of people who are leaving their apartments are not private, Court Rules.
A judge in Rhode Island rules that people should have no expectation of owning their belongings while they are outside of apartments, because no person on the street 'is immune from robbery'."
So, was the FBI break in on the client computer or the server computer? If the FBI broke into the server and also traced the TOR network, then all they got from the client computer was its IP address, which was enough to identify the criminal?
This is why I stopped giving a shit what the courts rule when their ruling obviously disagrees with the spirit of the constitution, or bill of rights. I don't stop having rights because some corrupt former lawyer says so.
Another case of how bad defendants make terrible caselaw. The court doesn't want to let the bad guy get away on a technicality and thus rulings like this happen.
Sure, this is more and more the case families have one desktop PC to do important stuff, like bank transfers and backups on family photos and videos. Then we have personal computers: smartphones and tablets and some laptops.
If you can not expect privacy on your Home Computer, you can not expect privacy in your home. End of story.
That distinction has been around since the 8-bit era in the '70s and '80s.
A "Home Computer" was a computer intended for use in the home, while a "Personal Computer" was a computer intended for use by a single person.
Home Computers were also Personal Computers, but the reverse wasn't true: many Personal Computers were intended for business use. If everyone at a company had a computer in their cubicle, those computers were Personal Computers, but not Home Computers.
This distinction used to be important because Home Computers and business PCs were separate markets, and the machines were as different as you could imagine. They were made by different companies, used different CPU and bus architectures, and ran different operating systems. For example, in the 8-bit era, business PCs all used Zilog Z80 CPUs on the S-100 bus, were made by a legion of white-box manufacturers, and all ran the CP/M operating system, while Home Computers were made by names such as Commodore, Atari, Tandy, and Apple, typically had MOS 6502 processors (except Tandy, who used the Z80 but not on the S-100 bus), and ran barebones operating systems developed in house, which were little more than BASIC REPLs with some disk I/O features added.
Nowadays almost nobody bothers making the distinction. Yeah, sure, the big companies have separate "home" and "business" product lines, but they're all going to be x86 machines running Windows, and you can get both from the same company (see: Dell's Inspiron and OptiPlex lines), so people don't really make a distinction anymore, and seeing someone use a phrase like "Home Computer" in the 21st century feels like an anachronism.
Not too late into the 80's "PC" seemed to be bound to DOS/Windows and not just any personal computer. Apple seemed to embrace this by referring to competitors as "PCs".
Well, what I forgot to mention (but kinda hinted at) was that "Personal Computer" quickly became used to just mean business PCs and not Home Computers (even though it technically applies to both).
When the IBM PC came out, it and the legion of clones took over the business PC market and replaced the S-100 CP/M market almost overnight. So when "PC" is just used to refer to business PCs and the IBM-compatible DOS/x86 platform completely and thoroughly dominates the business PC market... than naturally the term "PC" will come to be synonymous with that platform.
WTF? ok from the title of the article it looks to me that now i'm legitimate to spy/access other people's computers.... but reading the body of the article maybe the gudge only said that you cannot expect that your _location_ is keep secret.... which one is correct? what he actually ruled?
And I thought I am cynical enough to no longer be surprised by GOV's process to circumvent the Constitution and make nineteen eighty-four the reality. I was wrong.
As a long-time IT Guy who has grown tired and disgusted with GOV's fascist, class-war behavior, with this court decision I say to them:
Bring. It. The. FSCK. On.
While maintaining an air-gapped rig is a PITA, I can do that.
While conducting my Connected Life via a live image, removable-media-based system is a PITA, I can do that as well.
While good encryption slathered on everything is annoying, it is doable.
BTW, GOV... As long as you are connected to a network, you have no reasonable expectation of privacy;
Expect your thoughts and beliefs laid bare; your plans to be known by others sooner, rather than later; your secrets to be learned by all;
You want to see what Cyber Warfare _truly_ looks like?
Unless you're willing to take your computer with you everywhere, it's still easily compromised with hardware modifications when you're out of the home. Your router's firmware probably has multiple 0 days the NSA/FBI could exploit. Intel's Management Engine is an effortless backdoor into every laptop and desktop you have. Securing your smart phone against privacy issues is a lost cause.
The only real option you have left is using a typewriter with a one-time pad in a sound isolated room with a sheet over your head. And even then what you type isn't anonymous, it's just encrypted to withstand everything up to, but not including, some government agent holding a wrench (insert xkcd comic here)
At a superficial level, I think I would notice extra chips/wiring/HD showing up on a naked Mo-board.
Going further, as you wish to approach this in pseudo-apsolutist terms, GOV would simply choke on any effort to go _that_ far. Be it the Hardware Effort or the Software/Data Collection and Processing Effort (times many many millions), they would gag on The Spew. Yes, no encryption protects data for ever, blah blah. Good Encryption and other impediments just makes persuit/enforcement not worth the effort [insert THX-1138 reference and every real-world example of governments failing to absolutely control their populace here].
And since I am willing to talk in Absolute Terms, GOV is lousy at math. They may know something about Social Psychology, Propaganda, et al, but the Citizenry has both the guns and the numbers.
Just because a home computer might be hacked does not mean that an average user doesn't expect his experience on that computer to be private. Every area of life might be breached by determined intruders and, if that were the test of having a expectation of privacy, then every area of life would flunk it. Your home, your car, your bathroom, your bedroom, you name it. In reality, of course, break-ins, hacks, and other intrusions are the exception and not the rule in the areas we commonly regard as private. If the legal test on protecting privacy were to turn on whether break-ins or hacks were a regular element of the environment (however infrequent), then the exception swallows the rule and privacy is no more. This judge's ruling essentially embraces such logic and is thus wildly out of line with existing law regarding protection against unreasonable searches and seizures.
Also bad judging in reaching the issue gratuitously: the main issue here was whether a particular warrant was misused; it was unnecessary to decide what would have happened without a warrant of any kind. Yet the judge reached to inject his obiter dictum into the analysis as a sort of by-the-by, "here is what I would rule if other issues were before me."
Why such an outcome? As the lawyers say, "hard facts make for bad law." You have a despicable perp doing vile things and the natural instinct is to want to nail him. Just as, conversely, when you have a sympathetic person who has being seriously wronged, the natural instinct is to do what you can to help him get justice. In either case, judges and juries will be more prone than otherwise to engage in results-oriented jurisprudence and will thus try to bend and shape the law to that purpose even if the law objectively says otherwise. This factor may help explain why the judge did what he did. It does not make it right.
Finally, bad judging means, in this case, bad precedent and this decision will surely have pernicious effects until the day comes when its run is ended by a higher court. For this case, that day will surely come. It is a bad decision all around.