ThinkTank Forensics

This is a follow-up to a comment on a post I did earlier this year.

More precisely, this is a follow-up to Jeremy R. Fishman’s comment on my 5th Amendment Bummer post.

In that post, which updated an earlier post on the Boucher case, I explained that a federal judge had held that Boucher couldn't take the 5^th Amendment privilege against self-incrimination as the basis for refusing to surrender the key needed to access his encrypted hard drive.

In his comment, Jeremy raised the issue of Boucher’s being “in custody” which, as I noted in a reply comment, gets us into a different standard – the Miranda rules. Since it’s only logical to assume Miranda comes up when someone is being detained by law enforcement and is asked to do something, I thought I’d do a post parsing the extent to which the Miranda rules do, and do not, apply in this situation.

I can’t find any cases in which Miranda’s applicability to a Boucher-style scenario has come up, so I’m going to use a hypothetical to analyze the issues. We’ll essentially assume the facts in the Boucher case: John Doe arrives at the O-Hare airport on a flight from London; as he goes through Customs, he’s flagged for secondary (more intensive) screening. Doe’s carrying a laptop. The Customs officer takes the laptop and turns it on; it boots up, and the officer tries to examine the contents of the laptop, but can only see part of the files it contains. As in the Boucher case, part of the hard drive has been partitioned as Drive Z; the partitioned drive is encrypted, so the Customs officer can’t access the files it contains.

Let’s assume that when the Customs officer looked at the files on the unencrypted part of the hard drive he developed reasonable suspicion to believe that Drive Z contained child pornography. Reasonable suspicion, as Wikipedia explains, is a lower standard than probable cause; reasonable suspicion lets the Customs officer detain John Doe for a reasonable period of time while the officer tries to confirm, or disconfirm, his belief that Doe’s laptop contains child pornography.

If the officer had probable cause to believe the laptop contained child pornography, he could (i) arrest Doe and/or (ii) get a warrant to search the contents of the laptop. I’m not assuming probable cause because I don’t think the circumstances outlined above can support probable cause and because probable cause wouldn’t alter the Miranda analysis we’re about to pursue.

As long as Doe is in “custody” – as long as he is either under arrest or his freedom of movement has been restrained in a fashion analogous to an arrest – he is entitled to the protections of Miranda. As Wikipedia explains, that means the officer must give Doe the Miranda warnings (right to remain silent, right to have an attorney present during any questioning, right to have an attorney appointed) and find out if Doe wants to waive the rights or invoke them. If Doe invokes the right to silence and/or the right to an attorney, the officer cannot ask him any questions; if Doe waives one and invokes the other right, the officer still cannot ask him any questions; the officer can only question Doe if Doe waives both the right to remain silent and the right to an attorney. Since the Miranda rules apply regardless of whether Doe has been arrested or is only being detained while the officer tries to determine if there is child pornography on the laptop, it doesn’t matter whether the officer has probable cause or not.

Probable cause is only relevant insofar as the officer might want to obtain a warrant to search the laptop. As I noted in my posts on the Boucher case, getting a warrant in this situation won’t help the officer pursue the child pornography inquiry because Drive Z is encrypted and law enforcement officers currently have no way of breaking encryption.

So, the Customs officer has reasonable suspicion to believe Doe is carrying a laptop that contains child pornography; as I’ve noted before, and as I assume everyone already knows, child pornography is contraband, i.e., is illegal in and of itself. Possession of child pornography is therefore a crime. The issue is whether Doe has child pornography on his laptop; the only way the officer can resolve that issue is by gaining access to the contents of Drive Z, and the only way he can gain access to the contents of Drive Z is by getting Doe to give him the encryption key for Drive Z.

In the Boucher case, the government did what I suspect it will typically do in cases like this: have a grand jury issue a subpoena to the person (Boucher or Doe) that orders him to surrender the encryption key to the grand jury. I suspect the government will use this procedure because, as I noted in my Boucher posts, a grand jury can compel someone to comply with its demands by locking them up until they do.

Law enforcement officers can’t do that. They can only ask the suspect to give them the encryption key, which brings us back to the alternative scenario we’re analyzing. If you recall where we were, the Customs officer has reasonable suspicion to believe there is child pornography on the laptop; the reasonable suspicion lets the Customs officer detain Doe for a “reasonable” period of time while the officer tries to (i) develop the probable cause he needs to arrest Doe and seize the laptop or (ii) decide he was wrong about the laptop’s containing child pornography.

The Customs officer has detained Doe, which means he’s in custody for the purpose of the Miranda rules. That means, as I noted earlier, that if the officer wants to ask Doe about the laptop, the encryption key or anything else (other than, say, if he wants a drink of water or to use a bathroom) he must (i) give Doe the Miranda warnings and (ii) get a valid waiver of the rights to silence and counsel from Doe. More precisely, under the Miranda rules, the officer cannot “interrogate” Doe unless he does both of these things. If he interrogates Doe without doing both of these things, he violates Miranda.

The Supreme Court has defined Miranda interrogation as words or actions by the police office that he should know are reasonably likely to elicit an incriminating response from the suspect. Rhode Island v. Innis, 446 U.S. 291 (1980). We’ll make the interrogation analysis really simple here; we’ll assume the Customs officer asks Doe to give him the encryption key for Drive Z. Asking someone a direct question constitutes interrogation under the Innis standard, so we have to decide what the consequences of the officer’s asking this question are, under Miranda.

If the officer asks Doe this question (i) without giving Doe the Miranda warning or (ii) after he has given the warnings and Doe has invoked his rights to silence and/or an attorney, the officer has violated the Miranda rules. If the officer asks the question after he has given Doe his Miranda rights and after Doe waived both the right to silence and the right to an attorney, then asking the question doesn’t violate Miranda.

Let’s consider what happens if the officer violates the Miranda rules by asking Doe for the encryption key and Doe answers the question, i.e., gives the officer the encryption key. (Asking the question without giving the warnings and getting a waiver would still violate Miranda, but we wouldn’t have any evidence to suppress.) In other words, Doe says something like, "OK, I'll give you the key to my hard drive. The key is ______________." (We're assuming, for the purposes of analysis, that Doe has committed the key to memory; I think the analysis will be pretty much the same even if he has to retrieve a key he's written down or is stored in something.)

In U.S. v. Patane, 542 U.S. 630 (2004), the U.S. Supreme Court held that a violation of Miranda (i) requires the suppression of statements (testimony) made by the suspect but (ii) does not require the suppression of physical evidence law enforcement obtains as a result of the suspect’s statements. In the Patane case, and in a number of other cases, the Court explained that the Miranda rules are not constitutional rules themselves and are not co-extensive with the 5^th Amendment privilege against self-incrimination; they are, instead, a fabrication, a set of prophylactic rules the U.S. Supreme Court created to control what police officers can do when they are interrogating a suspect. In the Patane case, and other cases, the Court has held that the policy which justified imposing the Miranda rules on police interrogations does not require the suppression of evidence other than statements elicited in violation of the Miranda rules.

Where does that leave us? Well, to some extent it brings us back to the 5^th Amendment analysis I applied in my Boucher posts. What happens if Doe answers the question and gives the officer his encryption key? Is the encryption key a statement (“testimony”) that must be suppressed because the officer violated Miranda? Or is it physical evidence the officer obtains as the result of a statement that violated Miranda? In other words, can the prosecution argue that (i) it can’t use the statements Doe made in the course of giving the encryption key to the Customs officer but (ii) can use the key itself because it is physical evidence, not testimony?

If the prosecution were to make such an argument, I strongly suspect that Doe’s attorney would respond with an argument along the lines of the act-of-producing-evidence-as-testimony analysis I outlined in my Boucher posts. That is, I suspect Doe’s attorney would argue that it is impossible to sever Doe’s statements from his act of giving the government the encryption key because both constitute “testimony” under the Fisher analysis I outlined in my Boucher posts.

If you look at the 5^th Amendment bummer post, you’ll see what I mean; the U.S. Supreme Court has held that in certain circumstances the act of producing physical evidence to the government is itself “testimony” that is protected by the 5^th Amendment privilege against self-incrimination; and since the fabricated Miranda rules are somehow based on the 5^th Amendment privilege, I think the act-of-producing-evidence-as-testimony principle has to apply in a Miranda analysis as well as under a 5^th Amendment analysis. If I’m right, then we pretty much have the same issues to resolve regardless of whether the Customs officer interrogates Doe in violation of Miranda or whether Doe is subpoenaed by a grand jury.

If, of course, Doe gives the Customs officer the encryption key after having been given the Miranda warnings and voluntarily waiving his rights to silence and to an attorney, then he’s probably out of luck.

In a post I did last year, I noted that federal law allows the issuance of “sneak and peek” search” warrants. This post examines the use of a “sneak and peek” in a particular cybercrime case. Before I get to that case, though, I need to explain what “sneak and peek” warrants are and how they differ from traditional search warrants.

In the federal system, regular search warrants are governed by Rule 41 of the Federal Rules of Criminal Procedure. Rule 41(b)(1) says that at “the request of a federal law enforcement officer or an attorney for the government” a magistrate judge who has authority to issue warrants in that district can “issue a warrant to search for and seize a person or property located within the district”.

That provision contemplates the kind of searches and seizures officers have historically conducted: They go to a place, search for tangible evidence, seize it if they find it and leave a copy of the executed warrant and a receipt for the items the officers seized with “the person from whose premises” the property was taken. Rule 41(f)(1). (They can also leave the warrant and receipt on the premises if no one was there.)

Rule 41 warrants can be, and are, used to search for and obtain computer evidence. Rule 41(a)(2) defines the “property” that can be seized with such a warrant as including “documents, books, papers, any other tangible objects, and information.” So such a warrant can be used to seize computer hardware and/or data (“information”).

“Sneak and peek” warrants differ from regular Rule 41 warrants not in terms of how they are obtained (the officer still has to file an application for the warrant and an affidavit in support), but in terms of the kind of evidence they’re directed at and certain differences in the execution of the warrant. The PATRIOT Act amended § 3103a of Title 18 of the U.S. Code to accommodate “sneak and peek warrants,” which had been around for a while.

An early “sneak and peek” case is U.S. v. Johns, 851 F.2d 1131 (U.S. Court of Appeals for the Ninth Circuit 1988). In Johns, federal agents applied for a search warrant that would let them “surreptitiously enter” a commercial storage unit “to examine the contents without taking anything”. U.S. v. Johns, supra. They wanted to see what was in the unit but they didn’t want the owner to know law enforcement officers had been there. The court issued the warrant, the agents entered the storage unit and found chemicals used to manufacture methamphetamine, which resulted in Johns being indicted. U.S. v. Johns, supra. He moved to suppress the evidence, arguing that the “sneak and peek” warrant violated the 4th Amendment and Rule 41.

The Johns court followed the approach it had taken in U.S. v. Freitas, 800 F.2s 1451 (U.S. Court of Appeals for the Ninth Circuit 1986). The Freitas court, like later courts, found that a “sneak and peek” warrant violated Rule 41 because it didn’t require the agents executing to the warrant leave a copy of the warrant and a receipt for whatever was taken. (Back then, it was usually just visual observation and/or taking photos of whatever was in the place being searched).

The court also found, though, that the provisions of Rule 41 aren’t co-extensive with the requirements of the 4^th Amendment; in other words, they’re narrower than the constitutional provision. According to most of the courts who considered “sneak and peek” warrants prior to the PATRIOT Act, the 4^th Amendment is broad enough to encompass this kind of search for (and seizure of) intangible evidence. And I think that’s probably true; the 4^th Amendment was created to address the traditional kind of searches and seizures but that doesn’t mean it can’t – and shouldn’t – be interpreted to apply to nontraditional searches and seizures.

To eliminate any concerns about the validity of “sneak and peek” warrants, Congress included a provision in the PATRIOT Act – codified as 18 U.S. Code § 3103a – that “specifically allow[s] officers to delay giving notice to the subject of a search if the court issuing the warrant `finds reasonable cause to believe that providing immediate notification of the execution of the warrant may have an adverse result.’” American Civil Liberties Union v. U.S. Dept. of Justice, 265 F.Supp.2d 20 (U.S. District Court for the District of Columbia 2003) (quoting the PATRIOT Act). The statute does require that the “sneak and peek” provide “for the giving of such notice within a reasonable period not to exceed 30 days after the date of its execution, or on a later date certain if the facts of the case justify a longer period of delay.” 18 U.S. Code § 3103a(b)(3).

That, then, is a brief history of “sneak and peek” warrants. As I noted in my prior post, in the Scarfo case, which arose in the 1990s, federal agents used a “sneak and peek” warrant to install a keystroke logger on a suspect’s office computer. So in that case, the focus wasn’t on simply sneaking in and peeking around, but on installing the logger so it would capture keystrokes typed on the keyboard. The purpose was to discover the key for an encrypted file on the computer; agents had used an earlier warrant to obtain a copy of the hard drive, which they searched without finding what they were looking for. The suspected the keystroke logger would record the key needed to access the file and, indeed, it eventually did.

Aside from the Scarfo case, I hadn't really seen any “sneak and peek” cases, at least not any reported cases. Recently, though, I found this one, which I had somehow overlooked: U.S. v. Hernandez, 2007 WL 2915856 (U.S. District Court for the Southern District of Florida 2007).

The case involved a DEA investigation into “Internet pharmacies, wherein customers order controlled substances prescriptions via the Internet”. U.S. v. Hermandez, supra. One of the pharmacies the DEA was investigating was RX Direct, Inc., which was then located in Deerfield, Florida. U.S. v. Hermandez, supra.

I won’t go into all the details of the investigation; I’ll just note that the agents involved made a number of undercover purchases of drugs from RX Direct, Inc. received evidence from citizens who had ordered drugs from the company and conducted an extensive investigation into its general operations. At that point, one of the agents – DEA Agent Richards – submitted an affidavit to a federal magistrate seeking a “sneak and peek” warrant for RX Direct, Inc. In outlining her probable cause for the warrant, she noted that based on her personal experience and that of other experienced agents,

information concerning the operation of Internet pharmacies routinely are stored in computer hardware and computer software. She . . . learned through her investigation that RX Direct dispensed prescription controlled substances pursuant to the electronic transmittal or prescription drug orders. Therefore, she believed that RX Direct stored information on computers which reflected the activity described in the affidavit.

Investigator Richards believed that the computers and computer media which would be found at the Deerfield location of RX Direct `are instrumentalities used to further, and contain evidence of, the dispensation of prescription controlled substances via the Internet where no legitimate physician/patient relationship was established.’

U.S. v. Hernandez, supra. Agent Richards reported that the owner of RX Direct had said he intended to move RX Direct to a new location, and it was not clear if the records would be relocated, as well. She then asked that the warrant be a “sneak and peek” warrant:

[B]ecause there is an ongoing undercover investigation of the subjects of this investigation, it would be detrimental to the investigation for an overt search warrant to be executed during normal business hours at this time. The overt execution of a search warrant at this time may result in endangering the life or physical safety of the CS; may result in the subjects . . . fleeing from prosecution before the investigation is complete; may result in the subjects destroying or tampering with evidence at as yet unidentified locations; and would likely seriously jeopardize the potential success of the undercover investigation by alerting the subjects to the existence of law enforcement scrutiny.

U.S. v. Hernandez, supra. Richards asked “permission to execute the warrant in a surreptitious fashion after the close of business and continuing during the hours of 10:00 p.m. and 6:00 a.m. so that the owners/operators of RX Direct would be unaware of the execution”. The court issued the warrant and allowed the agents to delay providing notice of the execution of the warrant for 30 days. U.S. v. Hernandez, supra. When they executed the warrant, the agents copied the data on the company’s hard drives.

The investigation continued, and eventually resulted in the indictment of individuals involved with RX Direct, Inc. One of them moved to suppress evidence, arguing that the “sneak and peek” warrant was invalid because it authorized the agents to copy data. He said “with most `sneak and peek’ warrants, no evidence is seized.” U.S. v. Hernandez, supra. I’m not sure that’s literally true: As I noted earlier, prior to the PATRIOT Act, officers executing “sneak and peek” warrants would go into a place -- a home or office or storage unit – and look around . . . and often to take photography or videotape what they saw. When they photographed and videotaped what they saw, they were in a sense “seizing” evidence, though not in the tangible, literal sense.

As I noted above, Rule 41 allows officers executing a search warrant – which includes a “sneak and peek” warrant – to seize “information.” I’d argue that even in the non-computer “sneak and peek” warrant cases the officers were, at least in a sense “seizing” information. In other words, they came away knowing something they didn’t prior to the search; we could say their simply learning that information was a seizure of evidence, but that might be a little difficult to defend. It seems to me, though, that if they recorded what they saw, they did in fact “seize” evidence in the form of information.

The Hernandez court quickly dismissed the argument about seizing evidence: “[T]he defendant cites no case which precludes the copying of records during the execution of a search warrant”. I suspect there is no case like that because copying documents has traditionally been part of executing warrants for paper records. I’m not sure if this “sneak and peek” warrant specifically authorized copying the data, which I think would probably have been a good idea. In denying the motion to suppress, the court also noted that the government was not planning to introduce evidence derived from the copying of the hard drives during the execution of the “sneak and peek” warrant at trial, so there was “no basis to suppress any evidence as the result of the copying of the computer hard drives.”

This post isn't about -- or isn't only about -- the use of computer technology to commit crimes. It's more about the use of computer technology to commit war.

A few weeks ago, I was part of a conversation about the legal issues cyberwarfare raises. We were talking about various scenarios – e.g., a hostile nation-state uses cyberspace to attack the U.S. infrastructure by crippling or shutting down a power grid, air traffic control systems, financial system, etc.

Mostly, we were focusing on issues that went to the laws of war, such as how and when a nation-state that is the target of a cyberattack can determine the attack is war, rather than cybercrime or cyberterrorism. (As I noted in an earlier post, the distinction between the threats lies in the nature of the attacker: Cybercrime and cyberterrorism are carried out by civilians, while war is carried out exclusively by nation-states. For the purposes of the analysis in this post, I’m going to assume that war is the exclusive province of nation-states; in other words, I’m not going to consider scenarios in which civilians who are not affiliated with a nation-state launch what is, in effect, cyberwarfare.)

More precisely, we were discussing how a country that is under cyberattack – like the attacks that recently targeted U.S. sites or the ones that targeted Estonia in the 2007 – decides if it it is authorized to retaliate against the attacker (assuming it can identify the attacking nation-state with enough precision to justify launching a counterattack.) We were, in other words, focusing on the “Pearl Harbor moment,” i.e., the point at which a nation-state can justifiably conclude it is the target of state-initiated cyberwarfare.

As we discussed those issues, someone raised a very interesting point, one that had never occurred to me. He pointed out that the signals used to launch the initial attacks and the signals that would be used to launch counterattacks would travel primarily, if not exclusively, over civilian-owned and –operated networks. He asked what would happen if the companies that operate the networks that constitute the Internet refused to carry the signals that would deliver the cyber-counterattack (and, I assume, any subsequent attacks by either side to this almost-war). I don’t think any of us had a clue.

I still don’t . . . but I thought I’d use this post to raise the issue and throw out a few ideas as to how it MIGHT be resolved. As I analyze the issues, I’m making two assumptions, both of which I think are accurate: One is that a cyberwarfare attack would necessarily travel primarily, if not exclusively, over civilian networks; the other is that the operators of those networks can, at least at some point, identify traffic as “war” traffic, as opposed to the “not-war” traffic they usually carry.

If those assumptions are, in fact, valid, then it seems the civilians who own and operate the constituent networks that create the Internet can, in effect, exercise a veto over cyberwarfare . . . or at least aspects of cyberwarfare. In the scenario that was implicit in the discussion I noted above, the operators of civilian networks could exercise their veto to prevent the attacked state from launching retaliatory cyberattacks and, I assume, to stop the attacking state from launching further offensive cyberattacks. In this scenario, the network operators are essentially neutral. They probably don’t have to be, which means there’s another, more unsettling scenario: The civilians who operate the networks could choose sides; so they might allow the signals being used in the attacking state’s cyberattacks and prevent the defending state from launching its own counterattacks.

I, however, want to focus on the general issue: In the cyberwarfare context, it seems civilians have the capacity to control the battlefield or, perhaps more accurately, to control whether there will be a battlefield. I can’t think of any historical instances in which civilians had the ability to exercise a veto power over nation-states’ ability to carry out acts of war.

When the gentleman raised the issue of network operators’ deciding not to facilitate cyberwarfare, the first thing I thought of was nationalization, as in nationalizing the networks. That led me to think about whether the U.S. government has ever had to do anything similar . . . and that led me to the United States Railroad Administration. As you may know (I didn’t), President Wilson nationalized the railroads in 1917, after we declared war on Germany:

Chicago & North Western Railway Co. v. Commissioner of Internal Revenue, 22 B.T.A. 1407, 1931 WL 473 (U.S. Board of Tax Appeals 1931).

As Wikipedia explains, once the U.S. entered World War I in April, 1917, “the nation's railroads proved inadequate to the task of serving the nation's war efforts.” Many of the companies were in bankruptcy, others were suffering financial difficulties because of the inflation that had “struck the American economy”, the unions were threatening to strike and despite the railroad companies attempt to “join forces and coordinate their efforts [to] help the war effort”, they failed. Wikipedia, supra.

In December 1917, the Interstate Commerce Commission “recommended federal control of the railroad industry” to improve its effectiveness and the President nationalized the railroads later that month. On March 21, 1918, the Railway Administration Act went into effect; among other things, it “guaranteed the return of the railroads to their former owners with 21 months of a peace treaty”. Wikipedia, supra. On March 1, 1920, the “railroads were handed back to their original owners and the” United States Railroad Administration was shut down. Wikipedia, supra.

There is, then, U.S. precedent for taking over companies that provide services which constitute part of what we now call the country’s critical infrastructure. Since no one seems to have challenged President Wilson’s nationalizing the railroads, the Act that authorized his doing so is (was) at least presumptively valid. My point is that what President Wilson did with the railroads COULD provide a precedent for a contemporary President’s nationalizing the networks that constitute, or contribute to the constitution of, the Internet. In this post, I’m not concerned with how viable it would be to do that in practice; I’m simply focusing on the legal issues that might be involved in an effort to do that, assuming it was practicable.

As Devil’s advocate, I see certain differences between President Wilson’s nationalizing the railroads and the hypothetical scenario in which a contemporary President somehow manages to nationalize the networks that create and sustain cyberspace. One lies in the justification for nationalization: President Wilson nationalized the railroads to improve their performance as a coordinated transportation system, the benefits of which would accrues to civilians as well as to the military; if a modern President nationalized the networks under the scenario(s) I outlined above, he/she would be nationalizing them to alter their performance, to shift their function from serving purely civilian ends to serving civilian and military ends.

In other words, I see nationalizing the networks as having a much more dramatic effect on the functioning of the networks than I suspect President Wilson’s nationalizing the railroads did on the functioning of the railroads. Nationalizing the railroads was intended to improve their ability to efficiently transport military personnel and equipment within the territorial United States. Nationalizing the railroads in no way altered their function so that they became, at least to some extent, an implement of war. Their role was simply to support the military by transporting the men and material it needed to wage war outside the territorial boundaries of the United States.

That brings me to another, related difference I see between the railroad and network nationalization scenarios: Nationalizing the railroads did not transform them from purely civilian entities into civilian/military entities. Nationalizing the networks would, I think, transform them into civilian/military entities or even into a component of the military. It seems to me that nationalizing the networks so they can carry defensive and offensive cyberwarfare traffic is analogous to nationalizing the airlines so Boeing 777s and 747s can drop bombs on the enemy.

I’m not saying nationalizing of the networks isn’t an option under the law, as it exists now or as it could exist. As far as law is concerned, I think nationalization of the networks clearly is an option. At this point, though, I’m not convinced it’s a practicable option nor am I convinced it would be a particularly advisable one.

But, as always, I could be wrong. I’ve just started thinking about these issues, so I may change my mind as I get further into them.

This post is a follow-up to a post I did recently in which I analyzed whether the federal government could nationalize private computer networks if the owners refused to let them be used in defensive (or offensive) cyberwarfare.

This post is about a related issue: if the civilian owners of such networks refused to let them be used to carry offensive or defensive cyberwarfare traffic, would that constitute treason?

To answer that question, we first have to define treason. Article III § 3 clause 1 of the U.S. Constitution defines it as follows: “Treason against the United States shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.” (If you’re wondering why the sentence uses “them” and “their” rather than “it” and “its”, the reason is that the drafters of the Constitution saw the United States as a single sovereign entity that was composed of discrete sovereign entities – the states.)

Section 2381 of Title 18 of the U.S. Code implements the constitutional provision by making treason a crime:

To commit treason, therefore, one who is (i) a citizen or otherwise owes allegiance to the United States must (ii) intentionally (iii) levy war against it or give “aid and comfort” to its enemy/enemies. The first two elements are pretty straightforward, the second less so.

“Citizen” includes those born in the U.S. and/or to American citizens, as well as naturalized citizens. U.S. v. Stephan, 50 F. Supp. 445 (U.S. District Court for the Eastern District of Michigan 1943). And it must be your purpose – your intention – to levy war against the United States and/or give aid and comfort to its enemies. Stephan v. U.S., 133 F.2d 87, 94 (U.S. Court of Appeals for the Sixth Circuit 1943).

The first alternative in the third element – levying war against the United States – is unambiguous because it directly refers to “war.” If a U.S. citizen had joined the German Army in World War II and fought against the U.S. that would clearly be treason because he/she would directly be “levying war” against his own country. In re Charge to Grand Jury, 30 F. Cas. 1036 (U.S. Circuit Court for the Southern District of Ohio 1861).

The second alternative is more ambiguous, at least on its face: Giving “aid and comfort” is analogous to aiding and abetting a crime. For example, in Best v. U.S., 184 F.2d 131, 137-138 (U.S. Court of Appeals for the First Circuit 1950), a federal Court of Appeals upheld a U.S. citizen’s conviction for treason. It was based on Robert Best’s serving as a radio commentator for the German Short Wave Station, which operated during the last two years of World War II. As the court noted, his “Best’s Little Lifesaver” broadcasts were beamed at U.S. troops fighting in Europe and were intended to “foster a spirit of defeatism, of hopelessness in the face of vaunted German might”, thereby undermining the effectiveness of U.S. troops and helping Germany win the war. Best v. U.S. supra. The Court of Appeals held that this was enough to constitute treason:

Best v. U.S. supra (quoting Chandler v. U.S. 171 F.2d 921 (U.S. Court of Appeals for the First Circuit 1948)). The Court of Appeals found that Best’s motive was irrelevant:

Best v. U.S. supra.

That brings us to the final requirement for treason under the second alternative set out in § 2381: The person must have given aid and comfort to an “enemy” or “enemies” of the United States. Courts have held that the term “enemies” means “a foreign power in a state of open hostility with” the United States. Stephan v. U.S., supra. This is why Julius and Ethel Rosenberg, who were accused of giving the Soviet Union information about the U.S. atomic bomb program, were prosecuted for espionage, instead of treason. Since a state of open hostility did not exist between the U.S. and the Soviet Union at the time, what they did couldn’t be treason. U.S. v. Rosenberg, 195 F.2d 583 (U.S. Court of Appeals for the Second Circuit 1952).

And that brings us back to networks and cyberwarfare: If the civilian owner of a network refuses to let the U.S. military use the network to transmit signals as part of a cyberwar attack, is that treason? In answering that question, I’m going to assume the network owner qualifies as a citizen or someone who otherwise owes allegiance to the U.S.

Under the first alternative in § 2381, the answer depends in part on whether the network owner is directly or indirectly aiding military forces engaged in war with the U.S.. If the owner is refusing to let the network be used to respond to a cyberattack that has been already been launched against the U.S., that might qualify as aiding the attacking forces . . . as long as the owner is refusing for the purpose either of levying war against the U.S. or giving aid and comfort to the country that is attacking the U.S.

If the owner is refusing for other reasons – to keep the network from becoming the target of attacking forces or to stay neutral in a conflict conducted in cyberspace – would that negate any inference of an intent to aid the attackers? I think it would, because I think I can distinguish that scenario from the scenario in the Best case. The Best court said it didn’t matter – insofar as Best’s liability for treason was concerned – whether he aided the enemy because he thought the U.S. would benefit more from being defeated by Germany than by defeating Germany. All that mattered was that when he made the broadcasts he acted with the purpose of giving aid and comfort to the German forces in their battle against Allied forces.

If the network owner is refusing to let the network be used because of concerns that aren’t related to the conduct of cyber-hostilities between the U.S. and the country attacking the U.S., then I’d argue the owner can’t be convicted of treason. Since the owner isn’t a member of the armed forces and, we’re assuming, the government hasn’t nationalized computer networks in the U.S., it seems to me the owner can refuse to let the network be used to launch a defensive attack without incurring liability for treason.

What if the owner is refusing to let the network be used to launch an offensive attack? Does that alter the analysis? I think it does. I don’t see how the network owner could be convicted of treason here for several reasons: One is that since no state of war exists between the countries at least until the attack is launched, and maybe until it hits its target(s), I don’t see how the network owner could be levying war against anyone. (I’m assuming, throughout this analysis, that cybertattacks constitute acts of war.)

Another, related reason is that if the countries aren’t already in a state of open hostility, the owner can’t be giving aid and comfort to an “enemy” of the U.S. Given all that, I think it would be very difficult – even impossible – to prove that the network owner refused to let the network be used to launch the offensive cyberattack for the purpose of either levying war against the U.S. or giving aid and comfort to its “enemy.” The country against which the attack is/will be/would be launched isn’t an enemy, as I understand, until the attack has arrived, and maybe until the attacked state responds in kind.

Would it matter if, as I hypothesized in my earlier post, the federal government had earlier nationalized the computer networks controlled by U.S. citizens? I don’t know. I don’t know (so far) what, if any, effect nationalization has on the treason analysis. It seems all nationalization would do is to put the network owner in a position in which he/she/it is now obligated to follow orders from designated federal officials. If that’s true, then refusing to obey such an order would presumably be punished as precisely that, i.e., as the intentional refusal to follow an order issued under the authority of the statute authorizing nationalization of the networks. In other words, it seems that a refusal after nationalization should constitute the crime, if any, the nationalization statute created to sanction those who do not follow orders from an authorized source. I’ll have to look into that a little more, and see if nationalization would impact on the treason analysis.