www. NYLJ.com
Thursday, May 5, 2016
Volume 255—NO. 86
Corporate Crime
Implications of the DOJ and
Apple Legal Fight That Wasn’t
O
ne of the most compelling legal
stories of 2016 has been the
legal fight between the U.S.
Department of Justice and
Apple about whether Apple
should be (or can be) compelled to help
the DOJ access information stored on
an iPhone that belonged to one of the
perpetrators of the December 2015
mass shooting in San Bernardino. The
stakes were high for both parties. The
DOJ is frustrated by its inability to
decode encrypted communications.
And Apple, like many other technology
companies, promotes privacy as a core
corporate value. Both sides quickly
“dug in” for a lengthy court fight that
many believed would wind up in the
U.S. Supreme Court.
But one day before a scheduled federal court hearing in March, the DOJ
unexpectedly withdrew its motion. The
DOJ disclosed that it had made a “onetime payment” to an unnamed “outside
party” who had identified a potential
weakness in the iPhone’s operating
system, which could allow the Federal
Bureau of Investigation to bypass the
iPhone’s encryption. Shortly thereafSteven M. Witzel is a partner of Fried, Frank,
Harris, Shriver & Jacobson. Joshua D. Roth is
an associate at the firm. Harrison D. Polans,
a law clerk, assisted in the preparation of this
column.
ter, the Washington Post reported that
the FBI had paid one or more “grey
hat” hackers to “crack” the iPhone’s
encryption.
This column provides an overview
of the facts surrounding the DOJ’s
legal fight with Apple and the relevant
legal considerations, and examines the
legal framework under the Computer
Very little is publicly known about
how the FBI ultimately unlocked
the shooter’s iPhone. Some commentators have speculated that
the FBI used the information provided by the “grey hat” hacker(s)
to build hardware that allowed it
to “crack” the iPhone’s passcode.
Fraud and Abuse Act (the CFAA) that
governs hacking. We conclude that
courts should more closely supervise the government when it engages
in such activities. Among other things,
we argue that courts should take into
consideration the potential privacy
and cybersecurity interests of uninvolved third parties (e.g., other iPhone
users) before authorizing the government to hack into protected systems
in order to execute duly authorized
search warrants.
By
Steven M.
Witzel
And
Joshua D.
Roth
Background on the Legal Fight
Between the DOJ and Apple. In
December 2015, two shooters killed
14 people and injured 22 more at the
Inland Regional Center in San Bernardino, California. While the shooters reportedly swore allegiance to ISIS
and expressed radical views on social
media, very little is known about their
motives and whether they were acting in coordination with others in the
United States or abroad. To investigate those questions and others, the
FBI attempted to gain access to information that was stored on an iPhone
that belonged to one of the shooters,
Syed Rizwan Farook, which was recovered from his car pursuant to a search
warrant that also authorized the FBI
to search the contents of the iPhone.1
Farook’s iPhone was “locked” and
encrypted. Accordingly, the FBI asked
Apple, the creator of the iPhone, to voluntarily help unlock the device without
triggering a security feature that would
erase all of the information stored on
the device after a certain number of
unsuccessful attempts to enter the
passcode.
Because the information stored on
the iPhone had not been backed up to
the iCloud (Apple’s free “cloud” based
storage solution), Apple did not have
access to the information at issue, and
thus could not simply turn it over to
Thursday, May 5, 2016
the FBI.2 Apple’s inability to access
the information at issue from its own
servers distinguished this case from
the thousands of information requests
that companies like Apple receive from
law enforcement authorities every year
and typically comply with without
objection.3
Apple ultimately declined to help the
FBI, citing its policy against undermining the security features of its products.4 In response, the DOJ filed a
motion in the Central District of California pursuant to the All Writs Act,
seeking an order compelling Apple to
help the FBI unlock Farook’s iPhone.5
The All Writs Act was enacted in its
original form in 1789, and permits federal courts to “issue all writs necessary
or appropriate in aid of their respective jurisdictions and agreeable to the
usages and principles of law.”6 The
DOJ invoked the All Writs Act against
Apple to facilitate the search of Farook’s
iPhone, which the court had already
authorized pursuant to a search warrant. The DOJ argued that “based on
the authority given to the courts under
the All Writs Act, courts have issued
orders, similar to the one the government is seeking here, that require a
manufacturer to assist in accessing
a cell phone’s files so that a warrant
may be executed as originally contemplated.”7 The DOJ further argued that
Apple’s assistance was essential:
iPhones will only run software cryptographically signed by Apple, and
because Apple restricts access to
the code of the software that creates
these obstacles, there is no other
party that has the ability to assist
the government in preventing these
[security] features from obstructing the search ordered by the court
pursuant to the warrant.8
On Feb. 16, 2016, Magistrate Judge
Sheri Pym granted the DOJ’s motion and
ordered Apple to help the FBI unlock
the shooter’s iPhone. Specifically,
the order required Apple to provide
“reasonable technical assistance” to
(1) “bypass or disable the auto-erase
function whether or not it has been
enabled,” (2) “enable the FBI to submit
passcodes to [the iPhone] for testing
electronically via the physical device
port, Bluetooth, Wi-Fi, or other protocol available,” and (3) “ensure that
when the FBI submits passcodes to
[the iPhone], software running on the
device will not purposefully introduce
any additional delay between passcode
attempts beyond what is incurred by
Apple hardware.”9
Apple vigorously resisted the court’s
order, arguing that it was being told
“to build a backdoor to the iPhone,”
which could endanger the privacy of
all iPhone owners, create a dangerous precedent, and “undermine the
very freedoms and liberty our government is meant to protect.”10 Apple
also warned that, once created, a tool
to unlock the iPhone “could be used
over and over again, on any number of
devices” by anyone with knowledge of
how it worked, including “sophisticated
hackers and cybercriminals.”11 Apple
further criticized the DOJ’s invocation
of the All Writs Act, stating that “the
government’s boundless interpretation
of the [Act]” makes it “hard to conceive
of any limits the government’s order
could obtain in the future.”12
Notwithstanding the court’s order,
Apple continued to refuse to help the
FBI. As a result, three days after the
court ruled, the DOJ filed a motion
to compel Apple to comply with the
court’s order.13 Apple responded by
filing a motion to vacate the court’s
February 16 order, arguing that the
All Writs Act did not provide a basis
for relief and that the order violated
Apple’s First and Fifth Amendment
rights.14 Specifically, Apple stated:
no court has ever authorized what
the government now seeks, no
law supports such unlimited and
sweeping use of the judicial process, and the Constitution forbids
it … . Such an order will inflict significant harm—to civil liberties,
society, and national security—
and would preempt decisions
that should be left to the people
through laws passed by Congress
and signed by the President.15
On March 21, one day before a
scheduled court hearing on these
issues, the DOJ unexpectedly asked
the court to adjourn the hearing
because “an outside party demonstrated to the FBI a possible method
for unlocking [the shooter’s] iPhone”
without Apple’s assistance.16 The DOJ,
however, cautioned that “[t]esting is
required to determine whether it is a
viable method that will not compromise data on [the shooter’s] iPhone,”
and requested that the court adjourn
the hearing to allow it to test the
proposed solution.17
Early reports speculated that the
FBI had hired a digital forensics firm
in Israel, Cellebrite Mobile Synchronization, to unlock the iPhone.18 However, on April 12, 2016, The Washington
Post, quickly followed by a number
of other media outlets, reported that
the FBI had hired at least one professional “grey hat” hacker, who reportedly identified a flaw in the iPhone’s
software known as a “zero day exploit,”
and then sold that information to the
FBI for a “one-time fee”19 believed to
be in excess of $1 million.20
Very little is publicly known about
how the FBI ultimately unlocked the
shooter’s iPhone. Some commentators have speculated that the FBI
used the information provided by the
“grey hat” hacker(s) to build hardware
that allowed it to “crack” the iPhone’s
passcode.21 But regardless of how the
FBI managed to unlock the iPhone, the
DOJ subsequently withdrew its motion
against Apple because it no longer
needed Apple’s assistance.22
In the weeks since the DOJ withdrew
its motion, there has been much discussion about whether the FBI would
Thursday, May 5, 2016
and should disclose the security
vulnerability that it used to unlock
the shooter’s iPhone to Apple.23 Apple
has indicated that it will not seek to
compel the government to disclose
the vulnerability, asserting that it is
“confident” that the vulnerability will
have a “short shelf life” and that it
will likely be fixed through the company’s regular product development
process.24 The FBI, for its part, stated on April 26 that it does not plan
to share details of the vulnerability
with Apple. And FBI Director James
Comey recently asserted that the
FBI may be able avoid the relevant
White House review process for such
decisions entirely depending on how
much the FBI understands about the
security vulnerability at issue.25 That
White House process, known as the
Vulnerabilities Equities Process (the
VEP), was adopted in 2010 and established an interagency Equities Review
Board, which provides recommendations regarding the disclosure of information about vulnerabilities that the
government discovers.26 Without saying so directly, Director Comey may
have been suggesting that the FBI simply purchased a “tool” without fully
understanding the underlying security
vulnerability, and as such has nothing
to disclose.
A Word (or Three) About Hackers.
Hackers are typically classified into
three groups based on their tactics
and motivations. For example, “white
hat” hackers search for security weaknesses in computer systems, typically
with permission from the systems’ owners, and disclose those vulnerabilities to
the owners, so they can be patched.27
“Black hat” hackers, by contrast, compromise computer systems for personal
gain by obtaining information and then
exploiting it themselves or selling it to
third parties. They are the stereotypical
criminal hackers who engage in malicious activities and attract much of the
media’s attention.28
“Grey hat” hackers, the kind reportedly utilized by the FBI to access the
shooter’s iPhone, “operat[e] on the
fringe of civil and criminal liability to
report security vulnerabilities.”29 Unlike
“white hat” hackers, “grey hat” hackers are not authorized to search for
security vulnerabilities, and they often
disclose security flaws publically. But
unlike “black hat” hackers, “grey hat”
hackers do not sell security vulnerabilities to criminals, but rather seek to sell
their discoveries to governments or to
the system owners themselves.30
Government Sanctioned Hacking
and the Computer Fraud and Abuse
Act. The CFAA is the primary federal
cyber security and anti-hacking law. It
prohibits, among other computer-related acts, “access[ing]” and “obtain[ing]
information” from any “protected computer”31 “without authorization” or
“exceed[ing] authorized access.”32 The
CFAA carries stiff penalties, including
jail time, and has been subject to varying interpretations by courts. However,
courts uniformly agree that the CFAA
applies where an individual hacks into
a computer system or device to which
he or she does not have authorized
access.33
While very little is known about how
the “grey hat” hacker(s) managed to
bypass Apple’s security features, it
seems likely that the hacker(s) violated the CFAA in the process. Of course,
from a practical perspective, the “grey
hat” hacker(s) who helped the FBI were
never at risk of being prosecuted under
the CFAA because they were assisting
the FBI (at least after the fact). But it is
noteworthy that the DOJ encouraged
and financially rewarded the type of
activity that it would have prosecuted
under different circumstances.
Notably, the CFAA has a broad exception for hacking that can be characterized as “lawfully authorized” intelligence and law enforcement activity.34
This exception allows the government
to engage in conduct that would
otherwise violate the CFAA. The exception relies on boilerplate language used
in the “savings clauses” of various
criminal statutes.35
It is unclear, however, what constitutes “lawfully authorized” activity
because no court has ever interpreted this provision in the context of the
CFAA or any other statute.36 But regardless of the scope of this exception, it
arguably applies to accessing (and
assisting the government in accessing) electronic information pursuant
to a warrant. Thus, courts may be able
to effectively authorize hacking that
would otherwise be prohibited by the
CFAA by issuing a search warrant, and
without any additional scrutiny relating to the availability of the “lawfully
authorized” exception to the CFAA.
Court-Authorized Hacking and the
Need for Enhanced Judicial Scrutiny and Oversight. Under the Fourth
Amendment, courts issue search warrants upon a showing by the government that probable cause exists to
believe that there is evidence of a crime
in the place to be searched.37 That standard, however, does not consider the
potential effects of the search on uninvolved third parties because the rights
of such parties are rarely implicated.
This standard becomes problematic
when the government seeks to access
electronic information that is protected
by the same security features that are
used to protect the private information of others using the same system
or device. In these circumstances,
the government may unintentionally
put at risk information belonging to
third parties. That risk is heightened
in instances like the San Bernardino
case where the government seeks to
bypass security features for a widely
used device and where those security features protect the information of
countless third parties.
This traditional Fourth Amendment
analysis may be changing to address
technological changes. On April 28,
Thursday, May 5, 2016
2016, the Supreme Court adopted
an amendment to Rule 41(b) of the
Federal Rules of Criminal Procedure
that authorizes courts to issue warrants that allow access to computers
located outside their districts when
the location of the data sought “has
been concealed through technical
means.”38 Congress has until Dec. 1,
2016 to reject the amendment before
it goes into effect.
Because of cybersecurity and personal data risks, we propose that courts
should carefully scrutinize government requests for security bypasses,
and balance the competing interests
at stake. Courts should consider factors such as (1) the seriousness of the
government’s underlying investigation;
(2) the existence (or lack thereof) of
an ongoing threat to the public interest; (3) the existence (or lack thereof)
of alternative means for the government to access the information at issue;
(4) the potential damage to existing
cybersecurity protocols; (5) the potential impact on third parties, including
the number of uninvolved people
whose personal information could possibly be compromised; and (6) whether
the government intends to advise the
system owner about how it defeated
any security features. While various others factors may also be relevant, the
salient point is that courts should weigh
the interests of all stakeholders before
authorizing searches that implicate the
potential privacy and pecuniary interests of uninvolved third parties.
Applying these factors to the San Bernardino case (based on our admittedly
limited visibility into the relevant facts),
a court should consider (1) that the
investigation pertains to a mass shooting perpetrated by individuals with possible connections to domestic and/or
foreign terrorists; (2) the ongoing threat
that ISIS poses to American national
security interests; (3) the asserted lack
of alternate ways for the government
to determine the shooter’s possible
connections to terrorists other than
by forcing Apple to provide access to
his iPhone; (4) the potential for cyber
attacks and theft of valuable data by
hackers who could misappropriate the
iPhone’s vulnerability; (5) the potentially significant risk that that private
data belonging to millions of iPhone
users could be jeopardized; and (6) the
fact that the government does not presently intend to advise Apple about how
it managed to “unlock” the iPhone. We
do not have enough information to fully
evaluate the relative strengths of these
“Grey hat” hackers, the kind
reportedly utilized by the FBI
to access the shooter’s iPhone,
“operat[e] on the fringe of civil
and criminal liability to report
security vulnerabilities.”
factors in the San Bernardino case. But
we submit that they form the bases
of a new paradigm under which to
resolve issues involving these types of
searches.
Conclusion
As the use of encryption and other
similar types of information security
features increases, courts may be
increasingly called upon to decide
whether and when to compel technology companies and others to help law
enforcement access protected information. Because these types of requests
implicate various interests outside the
usual Fourth Amendment analysis,
courts should consider adopting a
more robust and fact-specific approach
that takes into consideration and balances the additional and various interests at stake.
••••••••••••••••
•••••••••••••
1. See Government’s Ex Parte Application for
Order Compelling Apple to Assist in Search, In the
Matter of Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black
Lexus IS300, California License Plate 35KGD203
(hereinafter Matter of Search of an iPhone), Ed
No. 15-0451M, at 3 (C.D. Cal. Feb. 16, 2016), available at http://www.wired.com/wp-content/uploads/2016/02/SB-shooter-MOTION-seeking-asstiPhone.pdf.
2. FBI Director James Comey acknowledged that
law enforcement authorities made a mistake early in
the investigation when they failed to try to back up
the information stored on the iPhone to the iCloud.
Instead, the authorities attempted to change the
iPhone’s password, which reportedly made it impossible to perform a backup. See Walt Mossberg,
“The iCloud loophole,” THE VERGE (March 2, 2016),
http://www.theverge.com/2016/3/2/11144588/waltmossberg-apple-vs-fbi-iphone-icloud-loophole.
3. See Apple, Government Information Requests
(2016), available at http://www.apple.com/privacy/government-information-requests/;
Apple,
Report on Government Information Requests: July
1-Dec. 31, 2015 (2016), available at http://images.
apple.com/legal/privacy/transparency/requests2015-H2-en.pdf.
4. See Apple, A Message to our Customers (Feb.
16, 2016), available at www.apple.com/customerletter/ (“Customers expect Apple and other technology companies to do everything in our power to
protect their personal information, and at Apple we
are deeply committed to safeguarding their data.”).
5. See Government’s Ex Parte Application for
Order Compelling Apple to Assist in Search, supra
note 1.
6. See 28 U.S.C. §1651. Federal courts may issue
orders under the All Writs Act that are “necessary
or appropriate to effectuate and prevent the frustration of orders [they have] previously issued”
and to “achieve the ends of justice entrusted to
[them].” United States v. New York Telephone Co.,
434 U.S. 159, 172-73 (1977) (internal citations and
quotations omitted). The All Writs Act also applies
“to persons who, though not parties to the original
action … are in a position to frustrate the implementation of a court order or the proper administration of justice.” Id. at 174.
7. See Government’s Ex Parte Application for
Order Compelling Apple to Assist in Search, supra
note 1, at 11.
8. Id. at 13.
9. See Order Compelling Apple to Assist Agents
in Search, Matter of Search of an iPhone, Ed No.
15-0451M, at 2 (C.D. Cal. Feb. 16, 2016), available at https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf.
10. See Apple, A Message to our Customers, supra note 4.
11. Id.
12. See Apple’s Motion to Vacate Order Compelling Apple to Assist Agents in Search and Opposition to Government’s Motion to Compel Assistance,
Matter of Search of an iPhone, Ed No. CM 16-10, at
4 (C.D. Cal. Feb. 25, 2016), available at https://www.
scribd.com/doc/300522240/Motion-to-Vacate-Briefand-Supporting-Declarations (“For example, if
Apple can be forced to write code in this case to
bypass security features and create new accessibility, what is to stop the government from demanding
that Apple write code to turn on the microphone in
aid of government surveillance, activate the video
camera, surreptitiously record conversations, or
turn on location services to track the phone’s user?
Nothing.”).
Thursday, May 5, 2016
13. See Government’s Motion to Compel Apple
to Comply with this Court’s Feb. 16, 2016 Order
Compelling Assistance in Search, Matter of Search
of an iPhone, Ed No. CM 16-10 (C.D. Cal. Feb. 19,
2016), available at https://assets.documentcloud.
org/documents/2716000/031122954861.pdf.
14. See Apple’s Motion to Vacate Order Compelling Apple to Assist Agents in Search and Opposition to Government’s Motion to Compel Assistance, supra note 12.
15. Id. at 1.
16. See Government’s Ex Parte Application for a
Continuance, Matter of Search of an iPhone, at 3
(C.D. Cal. March 21, 2016). See also Jordan Novet,
“Court cancels hearing after FBI found a ‘possible method’ to unlock shooter’s iPhone,” VENTUREBEAT (March 21, 2016), http://venturebeat.
com/2016/03/21/u-s-attorneys-ask-to-vacate-applecourt-hearing-saying-fbi-has-found-a-possiblemethod-to-unlock-shooters-iphone/.
17. See Government’s Ex Parte Application for a
Continuance, supra note 16 at 3.
18. See Sagi Cohen, “Report: Israeli company
helping FBI crack iPhone security,” YNETNEWS
(March 23, 2016), http://www.ynetnews.com/
articles/0,7340,L-4782246,00.html (“The FBI is reportedly using the services of Cellebrite in its effort to break the protection on a terrorist’s locked
iPhone, according to experts in the field familiar
with the case … . Cellebrite has not responded to
the report. But if it is indeed the “third party” in
question, it would bring the high-stakes legal showdown between the government and Apple to an
abrupt end.”).
19. See Ellen Nakashima, “FBI paid professional
hackers one-time fee to crack San Bernardino
iPhone,” THE WASHINGTON POST (April 12, 2016),
available at https://www.washingtonpost.com/
world/national-security/fbi-paid-professionalhackers-one-time-fee-to-crack-san-bernardinoiphone/2016/04/12/5397814a-00de-11e6-9d3633d198ea26c5_story.html.
20. Mark Berman and Matt Zapotosky, “The FBI
paid more than $1 million to crack the San Bernardino iPhone,” THE WASHINGTON POST (April
21, 2016), available at https://www.washingtonpost.
com/news/post-nation/wp/2016/04/21/the-fbi-paidmore-than-1-million-to-crack-the-san-bernardinoiphone/. A “zero-day exploit” refers to a security
vulnerability that a hacker exploits before the party
being breached is even aware of the issue.
21. See Kavita Iyer, “FBI reportedly paid ‘grey hat’
hackers to crack San Bernardino terrorist’s iPhone,
TECHWORM (April 13, 2016), http://www.techworm.net/2016/04/fbi-reportedly-paid-grey-hathackers-crack-san-bernardino-terrorists-iphone.
html.
22. See Government’s Status Report, Matter of
Search of an iPhone, Ed No. CM 16-10 (C.D. Cal.
March 28, 2016), available at https://assets.documentcloud.org/documents/2778267/Apple-StatusReport.pdf.
23. See Nakashima, “FBI paid professional hackers,” supra note 19.
24. See Zack Whittaker, “Apple won’t sue FBI to
reveal hack used to unlock seized iPhone,” ZERO
DAY NET (April 8, 2016), http://www.zdnet.com/
article/apple-wont-sue-fbi-to-discover-hack-usedto-unlock-seized-iphone/.
25. See Devlin Barnett, “FBI Plans to Keep Apple
iPhone-Hacking Method Secret,” The Wall Street
Journal (April 26, 2016), available at http://www.
wsj.com/articles/fbi-plans-to-keep-apple-iphonehacking-method-secret-sources-say-1461694735;
Eric Lichtblau and Katie Benner, “With Finality,
F.B.I. Opts Not to Share iPhone-Unlocking Method,”
N.Y. Times (April 27, 2016), available at http://www.
nytimes.com/2016/04/28/technology/with-finalityfbi-opts-not-to-share-iphone-unlocking-method.
html?_r=0.
26. See Commercial and Government Information Technology and Industrial Control Product
or System Vulnerabilities Equities Policy and Process (Feb. 16, 2010), available at https://www.eff.
org/files/2016/01/18/37-3_vep_2016.pdf. Although
little is known about the VEP, the Obama administration has taken the position that this process
should be “biased towards responsibly disclosing
vulnerabilities.” See Kim Zetter, “Obama: NSA Must
Reveal Bugs Like Heartbleed, Unless they Help
the NSA,” WIRED (April 15, 2014), https://www.
wired.com/2014/04/obama-zero-day/. According
to Michael Daniel, the special assistant to President Barack Obama on cybersecurity, “disclosing
vulnerabilities usually makes sense” because it
provides transparency and ensures that electronic
systems are secure and unable to be exploited by
cybercriminals. See Lichtblau and Benner, “F.B.I.
Opts Not to Share iPhone-Unlocking Method,” supra note 25. Despite the FBI’s current refusal to disclose information to Apple about the vulnerability
that was used to access Farook’s iPhone, the FBI
recently advised Apple about a different vulnerability pursuant to the VEP. See Joseph Menn, “Apple says FBI gave it first vulnerability tip on April
14,” REUTERS (April 26, 2016), http://www.reuters.
com/article/us-apple-encryption-fbi-disclosureidUSKCN0XO00T.
27. See Chris Hoffman, “Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats,”
HOW-TO GEEK (April 20, 2014), http://www.howtogeek.com/157460/hacker-hat-colors-explainedblack-hats-white-hats-and-gray-hats/.
28. Id.
29. Cassandra Kirsch, “The Grey Hat Hacker:
Reconciling Cyberspace Reality and the Law,” 41
N. KY. L. REV. 383, 386 (2014).
30. See Kim Zetter, “Hacker Lexicon: What
are White Hat, Gray Hat, and Black Hat Hackers?,” WIRED (April 13, 2016), http://www.wired.
com/2016/04/hacker-lexicon-white-hat-gray-hatblack-hat-hackers/. Several of the country’s most
prominent technology companies, including
Google, Facebook, Microsoft, Yahoo, and PayPal
Holdings have adopted “bug bounty programs,”
through which they offer hackers rewards for discovering and reporting security vulnerabilities.
These programs provide a financial incentive for
security researchers to report security vulnerabilities rather than use them to do harm. The amount
of the reward depends on the vulnerability that is
uncovered, but can be significant. See Nicole Perlroth, “Hacking for Security and Getting Paid for It,”
N.Y. TIMES BITS (Oct. 14, 2015), http://bits.blogs.
nytimes.com/2015/10/14/hacking-for-security-andgetting-paid-for-it/; Enid Burns, “Microsoft Woos
Hackers with Bounties for Bugs,” E-COMMERCE
TIMES (June 21, 2013), http://www.ecommercetimes.com/story/78331.html.
31. The CFAA’s definition of “protected computer” covers virtually any computer connected
to the Internet. See Computer Crime & Intellectual
Property Section, Department of Justice, Prosecuting Computer Crimes, at 4 (2d ed. 2010), available
at https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf.
32. See 28 U.S.C. §1030(a)(2).
33. See United States v. Phillips, 377 F.3d 215, 21920 (5th Cir. 2007).
34. See 28 U.S.C. §1030(f) (“This section does
not prohibit any lawfully authorized investigative,
protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence
agency of the United States”).
35. See, e.g., 17 U.S.C. §1039(d) (Digital Millennium Copyright Act (DMCA)); 18 U.S.C. §1028(e)
(fraud and related activity in connection with identification documents, authentication features, and
information); 18 U.S.C. §1038(d) (false information
and hoaxes); 18 U.S.C. §1039(d) (fraud and related
activity in connection with obtaining confidential
phone records information of a covered entity); 18
U.S.C. §1367(b) (interference with the operation of
a satellite); 8 U.S.C. §1324c(b) (penalties for document fraud under the Immigration and Nationality
Act); 18 U.S.C. §1546(c) (fraud and misuse of visas,
permits, and other documents); 18 U.S.C. §1029(f)
(fraud and related activity in connection with access devices); see also Blueport Co. v. United States,
71 Fed. Cl. 768, 776 (Fed. Cl. 2006) (noting that the
DMCA’s law enforcement and intelligence exception “may merely reflect a concern by Congress
that the Act might be construed in such a way as to
interfere with federal, state, and local law enforcement officials and their agents, and lawful intelligence activities by federal, state, and local officials
or their agents.”).
36. See Orin Kerr, “Did the CIA Violate the Computer Fraud and Abuse Act by Accessing Intelligence Committee Computers?,” LAWFARE (April
12, 2014), www.lawfareblog.com/did-cia-violatecomputer-fraud-and-abuse-act-accessing-intelligence-committee-computers.
37. See Safford United School District No. 1 v. Redding, 557 U.S. 364, 370 (2009) (“Probable cause
exists where the facts and circumstances … are
such in themselves to warrant a man of reasonable
caution in the belief that an offense has been or
is being committed, and that the evidence bearing on that offense will be found in the place to
be searched.”) (internal citations and quotations
omitted).
38. See Ltrs. from John G. Roberts, Chief Justice, U.S. Supreme Court, to Joseph R. Biden,
President, U.S. Senate, and Paul D. Ryan, Speaker,
U.S. House of Representatives (April 28, 2016),
available at http://www.supremecourt.gov/orders/courtorders/frcr16_8mad.pdf. See also Matt
Ford, “The Supreme Court Expands FBI Hacking
Powers,” THE ATLANTIC (April 29, 2016), http://
www.theatlantic.com/politics/archive/2016/04/
supreme-court-fbi-hacking/480498/; Kurt Orzeck,
“High Court OKs Rule Change Expanding FBI
Hacking Powers,” LAW 360 (April 28, 2016), http://
www.law360.com/whitecollar/articles/790647?nl_
pk=ace45e2f-cb8e-4521-b699-500bdbf1cb53&utm_
source=newsletter&utm_medium=email&utm_
campaign=whitecollar.
Reprinted with permission from the May 5, 2016 edition of the NEW YORK LAW
JOURNAL © 2016 ALM Media Properties, LLC. All rights reserved. Further
duplication without permission is prohibited. For information, contact 877-257-3382
or [email protected]. # 070-05-16-06