Raid on COVID Whistleblower in Florida Shows the Need to Reform Overbroad Computer Crime Laws and the Risks of Over-Reliance on IP Addresses

The armed Florida State Trooper raid on Monday on the Tallahassee, Florida home of data scientist and COVID whistleblower Rebekah Jones was shocking on many levels. This incident smacks of retaliation against someone working to provide the public with truthful information about the most pressing issue facing both Florida and our nation: the spread and impact of COVID-19. It was an act of retaliation that depended on two broken systems that EFF has spent decades trying to fix: first, that our computer crime laws are so poorly written and broadly interpreted that they allow for outrageous misuses of police, prosecutorial and judicial resources; and second, that police continue to overstate the reliability of IP addresses as a means of identifying people or locations.

On the first point, it seems that the police asked for, the prosecutors sought, and the Court granted a warrant for a home raid by state police in response to a text message sent to a group of governmental and nongovernmental people working on tracking COVID, urging members to speak up about government hiding and manipulating information about the COVID outbreak in Florida.

This isn’t just a one-off misuse: in other cases, we’ve seen the criminalization of “unauthorized” access used to threaten security researchers who investigate the tools we all rely on, prosecute a mother for impersonating her daughter on a social network, threaten journalists seeking to scrape Facebook to figure out what it is doing with our data, and prosecute employees who did disloyal things on company computers. “Unauthorized” access was also used to prosecute our friend Aaron Swartz, and threaten him with decades in jail for downloading academic articles from the JSTOR database. Facing such threats, he committed suicide.

How could a text message urging people to do the right thing ever result in an armed police home raid? Sadly, the answer lies in the vagueness and overbreadth of the Florida Computer Crime law, which closely mirrors the language in the federal Computer Fraud and Abuse Act (laws in many states across the country are likewise based on the CFAA).

The law makes it a crime – a serious felony – to have “unauthorized access” to a computer. But it doesn’t define what “unauthorized” means. In cases across the country, and in one currently pending before the U.S. Supreme Court called Van Buren, we’ve seen that the lack of a clear definition and boundaries around the word “authorized” causes great harm. Here, based upon the Affidavit in the Rebekah Jones case, the police took the position that sending a single text message to a group that you are not (or are no longer) a part of is “unauthorized” access to a computer and so is a crime that merits an armed home police raid. This, despite the obvious fact that no harm happened as a result of people getting a single message urging them to do the right thing.

In fact, if you’ve ever shared a password with a family member or asked someone else to log into a service on your behalf or even lied about your age on a dating website, you’ve likely engaged in “unauthorized” access under some court interpretations. We urged the Supreme Court in the Van Buren case to rule that violations of terms of use (as opposed to overcoming technical blocks) can never be criminal CFAA violations. This won’t entirely fix the law, but it will take away some of the most egregious misuses. 

Even with the broader definition of “unauthorized,” though, it’s unclear whether the text message in question was criminal. The Affidavit from the police confirms that the text group shared a single user name and password and some have even said that the credentials were publicly available. Either way, it’s hard to see how the text could have been “unauthorized” if there was no technical or other notice to Ms. Jones that sending a message to the list was not allowed. Yet this wafer-thin reed was accepted by a Court as a basis for a search warrant of Ms. Jones’ family home. 

On the second point, the Affidavit indicates that the police relied heavily on the IP address of the sender of the message to seek a warrant to send armed police to Ms. Jones’ home. The affidavit fails to state how the police were able to connect the IP address with the physical address, simply stating that they used “investigative resources.” Press reports claim that Comcast – the ISP that handled that IP address – did confirm that Ms. Jones’ home was the customer associated with the IP address, but that isn’t stated in the Affidavit. In other cases, the use of notoriously imprecise public reverse IP lookup tools has resulted in raids of the wrong homes, sometimes multiple times, so it is important that the police explain to the Court what they did to confirm the address and not just hide behind “investigative resources.”

EFF has long warned that the overreliance on IP addresses as a basis for either the identity or location of a suspect is dangerous. Police all too often liken an IP address to a “fingerprint,” a misleading comparison that suggests that IP-based identifications are much more reliable than they really are, making the metaphor a dangerous one. The metaphor really falls apart when you consider the reality that a single IP address used by a home network is usually providing Internet connectivity to multiple people with several different digital devices, making it difficult to pinpoint a particular individual. Here, the police did tell the court that Ms. Jones had recently worked for the Florida Department of Health, so the IP address wasn’t the only fact before the court, but it’s still pretty thin for a home invasion warrant, rather than, say, a simple police request that Ms. Jones come in for questioning.

Even if it turns out Florida police were correct in this case – and for now Ms. Jones has denied sending the text – the rest of us should be concerned that IP addresses alone, combined with some undisclosed “investigative resources” can be the basis for a judge allowing armed police into your home. And it shows that judges must scrutinize both IP address evidence and law enforcement claims about their reliability, along with other supporting evidence, before authorizing search warrants.

This case confirms our serious, ongoing national failure to protect whistleblowers. And in this case – as with Edward Snowden, Reality Winner, Chelsea Manning and many others – it’s clear that part of protecting whistleblowers means updating our computer crime laws to ensure that they can’t be used as ready tools for prosecutorial overreach and misconduct. We also need to continue to educate judges about the unreliability of IP addresses so they require more information than just vague conclusions from police before granting search warrants.

All too often, misunderstandings about computers and the digital networks lead to gross miscarriages of justice. But computers and the Internet are here to stay. It’s long past time we ensured that our criminal laws and processes stopped relying on outdated and imprecise words like “authorized” and metaphors like “fingerprints,” and instead applied technical rigor when deliberating about technology.
