Mar 31 2012

After Car-Tracking Smackdown, Feds Turn to Warrantless Phone Tracking

Photo: @jbtaylor/Flickr

Prosectors are shifting their focus to warrantless cell-tower locational tracking of suspects in the wake of a Supreme Court ruling that law enforcement should acquire probable-cause warrants from judges to affix GPS devices to vehicles and monitor their every move, according to court records.

The change of strategy comes in the case the justices decided in January, when it reversed the life sentence of a District of Columbia area drug dealer, Antoine Jones, who was the subject of 28 days of warrantless GPS surveillance via a device the FBI secretly attached to his vehicle. In the wake of Jones’ decision, the FBI has pulled the plug on 3,000 GPS-tracking devices.

In a Friday filing in pre-trial proceedings of Jones retrial, Jones attorney’ said the government has five months’ worth of a different kind of locational tracking information on his client: So-called cell-site information, obtained without a warrant, chronicling where Jones was when he made and received mobile phone calls in 2005.

“In this case, the government seeks to do with cell site data what it cannot do with the suppressed GPS data,” attorney Eduardo Balarezo wrote (.pdf) U.S. District Judge Ellen Huvelle.

Balarezo added:

The government has produced material obtained through court orders for the relevant cellular telephone numbers. Upon information and belief, now that the illegally obtained GPS data cannot be used as evidence in this case, the government will seek to introduce cell site data in its place in an attempt to demonstrate Mr. Jones’ movements and whereabouts during relevant times. Mr. Jones submits that the government obtained the cell site data in violation of the Fourth Amendment to the United States Constitution and therefore it must be suppressed.

Just as the lower courts were mixed on whether the police could secretly affix a GPS device on a suspect’s car without a warrant, the same is now true about whether a probable-cause warrant is required to obtain so-called cell-site data.

A lower court judge in the Jones case had authorized the five months of the cell-site data without probable cause, based on government assertions that the data was “relevant and material” to an investigation.

“Knowing the location of the trafficker when such telephone calls are made will assist law enforcement in discovering the location of the premises in which the trafficker maintains his supply narcotics, paraphernalia used in narcotics trafficking such as cutting and packaging materials, and other evident of illegal narcotics trafficking, including records and financial information,” the government wrote in 2005, when requesting Jones’ cell-site data.

That cell-site information was not introduced at trial, as the authorities used the GPS data for the same function.

The Supreme Court tossed that GPS data, along with Jones’ conviction, on Jan. 23.

The justices agreed to decide Jones’ case in a bid to settle conflicting lower-court decisions — some of which ruled a warrant was necessary, while others found the government had unchecked GPS surveillance powers.

“We hold that the government’s installation of a GPS device on a target’s vehicle, and its use of that device to monitor the vehicle’s movements, constitutes a ‘search,’” Justice Antonin Scalia wrote for the five-justice majority.

The government has maintained in a different case on appeal that cell-site data is distinguishable from GPS-derived data. District of Columbia prosecutors are expected to lodge their papers on the issue by Apr. 6 in the Jones case.

Among other things, the government maintains Americans have no expectation of privacy of such cell-site records because they are “in the possession of a third party” (.pdf) — the mobile phone companies. What’s more, the authorities maintain that the cell site data is not as precise as GPS tracking and, “there is no trespass or physical intrusion on a customer’s cellphone when the government obtains historical cell-site records from a provider.”

In the Jones case, the Supreme Court agreed with an appeals court that Jones’ rights had been violated by the month-long warrantless attachment of a GPS device underneath his car. Scalia’s majority opinion, which was joined by Chief Justice John Roberts, and Justices Anthony Kennedy, Clarence Thomas and Sonia Sotomayor, said placing the device on the suspect’s car amounted to a search. (.pdf)

Mar 30 2012

Megaupload User Demands Return of Seized Content

An Ohio man is asking a federal judge to preserve data of the 66.6 million users of Megaupload, the file-sharing service that was shuttered in January following federal criminal copyright-infringement indictments that targeted its operators.

Represented by civil rights group Electronic Frontier Foundation, Kyle Goodwin wants U.S. District Judge Liam O’Grady, the judge overseeing the Megaupload prosecution, to order the preservation of the 25 petabytes of data the authorities seized in January. Goodwin, the operator of OhioSportsNet, which films and streams high school sports, wants to access his copyrighted footage that he stored on the file-sharing network. His hard drive crashed days before the government shuttered the site Jan. 19.

“What is clear is that Mr. Goodwin, the rightful owner of the data he stored on Megaupload, has been denied access to his property. It is also clear that this court has equitable power to fashion a remedy to make Mr. Goodwin — an innocent third party — whole again,” the group wrote the judge in a Friday legal filing.

The legal filing, the first representing a Megaupload customer, follows a similar move by the Motion Picture Association of America, whose desire to save the data is very different from Goodwin’s. Last week, it asked Carpathia, Megaupload’s Virginia-based server host, to retain the Megaupload data, which includes account information for Megaupload’s millions of users. The MPAA said it wants that data preserved because it might sue Megaupload and other companies for allegedly contributing to copyright infringement.

Megaupload allowed users to upload large files and share them with others, but the feds and Hollywood allege the service was used almost exclusively for sharing copyright material — which Megaupload denies.

A hearing on the data issue is set for next month.

Federal authorities have said they have copied some, but not all of the Megaupload data, and said Carpathia could delete the 25 million gigabytes of Megaupload data it is hosting.

Carpathia said it is spending $9,000 daily to retain the data, and is demanding that Judge O’Grady relieve it of that burden. Megaupload, meanwhile, wants the government to free up some of the millions in dollars of seized Megaupload assets to be released to pay Carpathia to retain the data for its defense and possibly to return data to its customers.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

Five of the members of what the authorities called a 5-year-old “racketeering conspiracy” have been arrested in New Zealand, pending possible extradition to the United States.

The government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of movies, often before their theatrical release, in addition to music, television programs, electronic books, and business and entertainment software. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

Mar 30 2012

Hackers Breach Credit Card Processor; 50K Cards Compromised

Photo: Jim Merithew/Wired.com

Global Payments Inc, an Atlanta-based payments processor, has been broken into by hackers, leaving more than 50,000 card accounts potentially compromised, according to news reports.

The breach occurred sometime between Jan. 21 and Feb. 25, according to notices that Visa and MasterCard sent to banks recently. The extent of the breach and damages are still unknown, but it appears to be rather small based on initial reports from the Wall Street Journal and elsewhere.

A notice sent by credit union service organization PSCU to its customers indicated that Visa alerted it on Mar. 23 that 46,194 Visa accounts might have been compromised. But that number was downgraded to just 26,000 after eliminating duplicate account numbers and cards with invalid expiration dates, according to the Journal.

Only about 800 accounts are known to have had fraudulent activity on them so far, according to security blogger Brian Krebs, who broke the story and reported that both Track 1 and Track 2 data had been taken, making it easy for criminals to clone the cards and use them for fraudulent activity. The number of accounts showing fraudulent activity could rise, however, as the investigation continues. Krebs reports that sources in the financial industry have told him that possibly as many as 10 million cards may turn out to have been at risk of compromise in the breach.

The last big breach of card processors was in 2008 against Heartland Payment Systems, which resulted in more than 100 million cards potentially compromised.

Hacker Albert Gonzalez was sentenced in March 2010 to an unprecedented 20 years in prison for his role in connection to that breach.

Mar 29 2012

Megaupload Drops Universal Lawsuit to Focus on Criminal Charges

Embattled Megaupload is dropping a lawsuit against Universal Music that accuses the label of unlawfully removing from YouTube a four-minute video Megaupload produced featuring Kanye West, Mary J. Blige, will.i.am and others praising the notorious file-sharing service.

In dropping the suit, Hong Kong-based Megaupload is shifting its attention to criminal charges in the United States where its founder, Kim Dotcom, and top employees are accused of being responsible for facilitating wanton copyright infringement. Dotcom and four others were arrested in New Zealand in January, where they remain free pending possible extradition to the United States to face charges in one of the government’s largest criminal copyright-infringement cases.

“We have the criminal defense. We have the extradition proceedings,” Dotcom attorney Ira Rothken said in a telephone interview.

Rothken added that Megaupload is also facing a possible copyright infringement lawsuit for monetary damages from the Motion Picture Association of America.

“This is all incompatible with us maintaining the civil action,” Rothken said.

The Universal Music lawsuit being dropped (.pdf) was lodged a month before the January criminal indictments that were filed in a Virginia federal court. Megaupload was seeking damages in a California federal court on claims the removal of the $3 million video from YouTube soiled its “reputation as a responsible provider of file services — the very reputation that Megaupload’s investment in the Megaupload video and its numerous endorsements was designed to enhance.”

The Justice Department has seemingly turned the lawsuit’s allegations on its head.

The authorities shuttered Megaupload in January, seized all user data and indicted seven high-ranking Megaupload employees. Megaupload allowed users to upload large files and share them with others. The government alleges that the service was an excuse to encourage uploading of copyrighted movies, which Megaupload profited from via ads and premium subscriptions.

The government said the site facilitated copyright infringement of movies “often before their theatrical release, music, television programs, electronic books, and business and entertainment software on a massive scale.” The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

For the moment, Dotcom and the others are fighting the government’s extradition request and arguing about evidentiary issues.

In the now-scuttled lawsuit targeting Universal, Megaupload claimed the five-day takedown of the YouTube video in December was a sham designed to chill free speech. The suit sought unspecified damages and alleged the label had violated a provision in copyright law that forbids bogus copyright claims. The video has been viewed more than 16.6 million times.

YouTube, meanwhile, claimed Universal Music abused the video-sharing site’s piracy filters when it used them to take down the spot.

YouTube has engineered a filtering system enabling rights holders to upload music and videos they own to a “fingerprinting” database. When YouTube users upload videos, the system scans the upload against the copyright database for matches. If a full or partial match is found, the alleged rights holder can have the video automatically removed, or it can place advertising on the video and make money every time somebody clicks on the video.

Under the Digital Millennium Copyright Act, online service providers like YouTube lose legal immunity for their users’ actions if they don’t remove allegedly infringing content if asked to by rights holders. If the content is not removed, internet service providers could be held liable for damages under the Copyright Act, which carries penalties of up to $150,000 per violation.