62 comments

[ 3.8 ms ] story [ 92.7 ms ] thread
The real problem here is that the legal system, under which many sophisticated laws are prosecuted, is under the stewardship of a lot of common, everyday people of middling intellect.

So, yeah, browsing history possesses all the legal integrity of pocket litter and fast food receipts, and who's to say which information on a typical consumer-class hard drive constitutes a forgery contaminated by trojans and rootkits, versus what is actual legitimate forensic evidence, but that doesn't stop zealous prosecutors and judges from placing this sort of evidence in front of bored, apathetic juries, serving jury duty, because their name came up on the list after getting a traffic ticket.

Unlike so much other relatively new law, this satisfies mens rea, "the guilty mind" (https://en.wikipedia.org/wiki/Mens_rea) so I can't say I have problems with it. Heck, it echoes a favorite Proverb, the start of 28:

The wicked flee when no man pursueth: but the righteous are bold as a lion.

If I were to realize a (now very much ex-)friend had just maimed and murdered a bunch of people, my first thought would not be to dispose of evidence.

I delete my browser history often enough, but each instance is not evidence that I believe I've committed any crime.

Do browsers actually log when you delete history? Is there any record or log beyond traces on the filesystem?

I don't think so, but an empty history, or a history consisting solely of access over the past few days, might be taken as evidence that it was wiped.
So what? I might delete it just for my own convenience. (BTW, it's irrelevant if somebody does so, but if you are curious: I actually do. The reason is it is much simpler to search for something in the cache/history when it's small.) There's no reason whatsoever to think that I'm hiding something. I mean, if I was an investigator, I surely would pay attention to that, but I cannot (or shouldn't be able to) treat absence of evidence as evidence of "hiding something". No evidence is no evidence and nothing more.
> my first thought would not be to dispose of evidence.

Which is exactly why I might delete my browsing history as I occasionally do without realizing that I was disposing of "evidence".

Were it my first thought, I suspect my second thought would be "that's a terrible idea" - and my third to buy another computer, lest my daily, innocuous, use of it be cast as any form of evidence tampering.

I guess if you have no fear of recrimination or are a sociopath you can be confident in your righteousness? Sounds about right. The great thing is that people with your attitude get caught up in stings just the same as those who have mens rea. Police don't look at evidence and think "here's a guy/gal with nothing to hide", they think "here is someone we can charge".
> who's to say which information on a typical consumer-class hard drive constitutes a forgery contaminated by trojans and rootkits

If only we had some sort of system where two legal experts argued this in front of a neutral third party, possibly calling in technical experts as needed. If only.

If only that didn't require expertise, both on the part of the defendant and the defense team, who both probably struggle at keeping their e-mail clients properly configured.

You do understand that it's quite the common perception, outside the technical field, that computer evidence is nigh-infallible, nearly on the level of DNA evidence. So much that, once brought into context, it's pretty much believed as iron-clad evidence by non-technical people.

(comment deleted)
Sickening stuff. It's even worse when you realize you're afraid of ending up on a watch list for speaking out about this kind of abuse.
Which is why am ashamed to say I don't say anything controversial online anymore. Hell, even posting this makes me nervous. Though I guess that's one of the goals of government surveillance – obedience.
Once I wrote a popular post concerning the government limiting freedom. Within a day or two I got called with a survey about my internet usage from the "Finance department" who talked really fast when I questioned on what authority. I answered him questions anyway about all the internet websites I frequent and communities I'm part of. He even asked me what IRC channels I used. I gave every detail. That was a few years ago.
This sounds like another "banal-sounding activity that everyone does is suddenly illegal!" misunderstanding. The charge is that someone destroyed potential evidence on their computer with the intent of preventing that evidence from being found by an investigation that they believed was likely. In the non-digital realm, this is like shredding business records when you suspect you're being investigated. Shredding isn't illegal, but attempting to obstruct an investigation is, and (IMHO) rightfully so.

Which is to say: deleting your browser history as part of an effort to thwart a criminal investigation could land you in prison.

It's worse than that.

Deleting your browser history if they government says that you thought it might one day be relevant in an investigation can land you in prison.

For example: You're downloading run of the mill adult-on-adult pornography and one of the links that you click redirects you to a child porn site, you weren't looking for child porn and you didn't want any but you inadvertently browsed to a site that hosts it, so you delete all of your cache because you don't want that on your computer. Well, if that site was a honeypot and when the authorities come investigating, they'll use your cleared cache as proof that you knew you were doing something illegal and prosecute you for it despite the fact that you didn't intentionally break the law.

I did a little googling, and destroying the porn would actually be the right thing to do and so shouldn't get you in trouble. According to "18 U.S. Code § 2252A - Certain activities relating to material constituting or containing child pornography", an affirmative defense is not having much and either deleting it promptly or reporting it:

  (d) Affirmative Defense.— It shall be an affirmative defense to a charge of
      violating subsection (a)(5) that the defendant—
    (1) possessed less than three images of child pornography;
    and
    (2) promptly and in good faith, and without retaining or allowing any person, 
       other than a law enforcement agency, to access any image or copy thereof—
        (A) took reasonable steps to destroy each such image;
        or
        (B) reported the matter to a law enforcement agency
            and afforded that agency access to each such image.
(source: https://www.law.cornell.edu/uscode/text/18/2252A)
In this hypothetical case, wouldent (1) still give you a problem, as it is likely that your browser downloaded more than three images. In that case, you are already in violation of this law, regardless of what you proceed to do with the images, so clearing your cache would be illegal.
Yeah, reporting it is definitely the right thing to do and would totally go well for you. /s
Did you notice the "or"? Just delete it if you feel that way.
On a tangent: if people do accidentally find indecent images of children, or images of child sexual abuse, there are methods to report those images anonymously.

The Internet Watch foundation is one site. There are probably others for different countries. https://www.iwf.org.uk/

The IWF has just announced a collaboration with Google, Facebook, Twitter: http://www.bbc.co.uk/news/uk-33844124

I'm not sure when this section of the US Code became law but back in the 1990s, I was looking at some adult material and I followed a link to some .ru site that had material that was highly suspect. I made note of the domain, closed my browser and opened the phone book.

I called the local FBI office and reported the site. I never heard anything else on the matter. To be honest, I was more worried that it was a honeypot and I wanted to make sure that if they were watching, they knew that I didn't go there on purpose.

That's an affirmative defense to possession but not to the destruction of evidence.

The man in this story wasn't otherwise implicated in the terrorist plot but they got him for deleting his internet cache because he was afraid of how it would look.

How is this different than shredding all the junk mail you receive, then having the Feds show up and say that you're obviously involved in a mail fraud conspiracy because you failed to properly forward a misdelivered letter?
The issue here is not that the destruction is evidence for involvement; that was established otherwise. The issue here is that individuals knowingly destroyed evidence with the intent to obstruct investigations.
How do you determine it was evidence if it is destroyed? Who knows if I deleted conspiration notes instead of porn?
It's on the state to establish that it was evidence. In this case, they did some computer forensics.
The trouble is, no amount of "computer forensics" can explain the reason why records disappeared. May be it was a virus, a bug in browser or someone else had access to the computer.
Nobody can say for sure if he did it knowingly or not, and this isn't the point. One thing is when you try to hide the evidence (i.e. it can be proved that you lied about it), but you fail to. The other thing is when there's no evidence. You cannot charge man with anything if there's no evidence of crime, but you "think" he destroyed it on purpose (prior to investigation). Maybe he deletes browser history on the daily basis. It's OK. There's nothing wrong with it. Shouldn't be. No matter how "suspicious" it seems to you, your suspicions don't matter.
Nobody can say for sure if he did it knowingly or not

And nobody can say absolutely for sure whether a murderer had the mens rea to charge him with first degree.

The issue here is that individuals knowingly destroyed evidence with the intent to obstruct investigations.

This issue is that they now have the tools to charge you with obstructing an investigation that hadn't even begun yet, when you took the action.

We all understand how this scenario is obstruction:

1. -Investigation Begins-

2. Police:We would like to see #source_of_potential_evidence.

3. Person:Sure thing. -deletes #source_of_potential_evidence-. Oh, sorry guys, I don't have that.

This is what happened:

1. Person:Oh, this doesn't look good. I don't think I want to keep this on my computer. -deletes #source_of_potential_evidence-

2. -Investigation Begins-

3. Police:We would like to see #source_of_potential_evidence.

4. Person:Sorry guys, I don't have that.

If there is not yet an investigation, it's not yet evidence. How can you be held responsible for destroying evidence if it's not yet evidence?

This isn't about maintaining the integrity of investigations. It's about giving prosecutors the ability to get people when they otherwise couldn't.

> as part of an effort to thwart a criminal investigation

Correction: a criminal investigation that didn't happen yet, might never happen, or might happen say 6 years from now.

And you'll be guilty regardless of whether this investigation targets you or someone you just happened to interact with. And regardless of whether the investigation results in other charges or not. And regardless of whether your potential evidence even matters in the investigation.

I don't think a government should hold such power over any person. SOX was targeted at corporations, the fact that it is used on other targets is a demonstration of how overreaching it is.

Combined with the alarmingly common practice of threatening innocent people with 20 year sentences until they plead guilty, this is a very dangerous precedent.

> Correction: a criminal investigation that didn't happen yet, might never happen, or might happen say 6 years from now.

I'd recommend reading the Indictment. This wasn't that sort of case. This was a case where the accused knew the Tsarnaev brothers, had communicated with them electronically, and made and received several phone calls to and from them after the Boston bombing and they'd been announced as suspects.

Under those circumstances, it was highly likely the FBI would come to him seeking evidence, and if the facts alleged are true, the defendant's behavior in this case looks very sketchy indeed.

This guy was scared that the FBI will come after him and decided that he didn't want to provide them with information that they would likely use to threaten him with 100 years of jail time regardless of his actual involvement.

Is that decision so exceedingly unreasonable that he needs to spend 20 years in prison for it? Keeping in mind that he has no obligation to create or retain the records that he deleted in the first place.

Mind you, I don't like this guy at all, and he does look sketchy as hell, but he is not even charged with knowing about the attacks. He is guilty of simply being afraid of the government.

And the worst thing is, most people don't even know that SOX applies to them as persons.

I'm not saying I necessarily agree with the prosecution, their tactics or the charges, but this article is sensationalist to the point that you could change the headline to "emptying your trash could land you in prison".

> prosecutors argued that he made a conscious choice to destroy materials he knew could be used in a future investigation.

See, that's the point here. If he had happened to have (say) VHS tapes or even handwritten notes of those sessions, and he had thrown them out after the bombing, he could have been slapped with the same charges. The primary difference here is that emptying your browser history leaves a telltale sign, while chucking out some physical object does not.

Also, this article is conveniently omitting the fact that he also pled guilty to three counts of essentially lying to the FBI: http://www.thedailybeast.com/articles/2015/03/26/the-fbi-is-...

Remember kids, don't talk to police. Ever. https://www.youtube.com/watch?v=6wXkI4t7nuc

The timeline listed in the source he provides clearly states that he made an effort to "delete files [...] reformat his computer" after the events, indicating knowledge he could be implicated as an accomplice.

That said, I think using the "mens rea" argument associated with implicit guilt is how dangerous precedents are born.

I'm specifically concerned with this excerpt from from Sarbanes-Oxley act which is being misappropriated by prosecutors:

>Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

Deleting videos and attempting to reformat a computer after the Boston marathon are done knowingly. Clearing one's cache/browser history is in many situations an automatic action, and it's troubling to find it lumped in with pre-meditated action.

I see justification for 3 counts of obstruction, not 4. The 4th looks like an attempt to set the modus operandi of the courts in dealing with our web/online history, and I don't think anything which draws attention to that is necessarily a bad thing...

> Clearing one's cache/browser history is in many situations an automatic action

Article says "he doctored his browser history" which sounds less automatic.

> Article says "he doctored his browser history" which sounds less automatic.

Or the writer could have been trying to introduce verbal variety and as a consequence ineptly misrepresented what happened. The link[1] immediately after "doctored his browser history" only mentions "deleting files/data" and "reformatting":

[1] https://www.bostonglobe.com/metro/2014/05/30/timeline-allege...

Seems like there's a lot of worry about the precedence this case sets, but not a lot of detail about what actually happened.
I'm sorry, I should have provided the source in my original post. Pages of interest are 9 and 10:

SOURCE: http://www.justice.gov/sites/default/files/usao-ma/legacy/20...

It states (item 40), paraphrased, that he deleted his internet cache and also browsing history selectively, which was used to reason that he was attempting to hide his philosophical similarities with the brothers.

I take issue with item 43:

----

By deleting his Internet cache and other files, MATANOV obstructed the FBI’s determination of his Internet activity during the night of April 18 and the day of April 19, 2013, and the extent to which he shared the suspected bombers’ philosophical justification for violence, among other topics of interest. MATANOV’s deletions have thus obstructed the FBI’s investigation of the bombings and the suspected bombers, and have caused the FBI to expend considerable additional resources during its investigation of the bombings and the suspected bombers.

----

This man is clearly guilty, and the other evidence is damning. That said I cannot ever see validity in the argument that clearing history of access to publicly-accessible records online definitively indicates obstruction, or "malicious intent." Localized browsing history should be considered more ephemeral than user-stored files, because otherwise where is the line drawn? Could you be charged in 2018 for not leaving your computer in a cold enough climate for encryption keys to be recoverable from RAM? Possibly, because without those you'd cause the FBI to "expend considerable additional resources during its investigation."

I say this because the application of that reasoning doesn't discriminate between individuals actually trying to defraud (e.g., this gentleman) and those who are privacy conscious. It has chilling and unintended consequences, and those shouldn't be ignored when the case can absolutely be made without this assertion.

I say this because the application of that reasoning doesn't discriminate between individuals actually trying to defraud (e.g., this gentleman) and those who are privacy conscious.

But it does. If you're legitimately purging your browser history because you're privacy conscious, you're almost certainly going to have it performed in some sort of automated fashion. Maybe you have the browser purge those things on shutdown. Or you have an extension that nukes things older than 24h. Or, worst case, hopefully you have some way of demonstrating that you do this on the regular, by hand (but that still might not cover you, truth be told).

Doing it one-off is a completely different matter, legally speaking.

See my reply elsewhere in this subthread for an analogous situation involving company financial records. [1] Nutshell: if you don't want to be prosecuted for obstruction of justice or destroying evidence, you have a standing, documented, and meticulously followed document retention policy, under which you're shredding things on the regular.

There is unambiguous, and well-settled precedent (and probably also statute, but I'm too lazy to look it up) to this effect. There is no new legal ground being broken here whatsoever.

[1] https://news.ycombinator.com/item?id=10032792

If you're intelligent and privacy conscious, yes. I also think a statistically-relevant alternate scenario exists where a person is deleting things selectively out of fear of (real or imaginary) ideological persecution. I don't see this legal interpretation by federal prosecutors as discriminating between actively impeding an investigation (obstruction) and controlling what information we retain on the devices we own--especially when that information can be recovered from other places, like browsing history.

They were looking to create a case for philosophical sympathies and they found evidence of that in both his statements and direct actions. That would be enough to charge him, and yet they've chosen to specifically juxtapose his internet browsing history (and deletion thereof) with "[causing] the FBI to expend considerable additional resources during its investigation." As you said they either recovered the files directly, or else subpoenaed the ISP, and neither could be said to take "considerable effort."

They're saying that because he viewed certain videos and pictures (publicly available) online, he must be a sympathizer. I'm saying, yes he's a sympathizer (and deserves prosecution) but his browsing history online should not be a legally valid justification. Unless you want to sweep up journalists & whistleblowers in the process... Even copyright defendants (thanks to the TPP), if the hypothetical owner of defecatingdwarves.us were to demand criminal charges be brought against a cyberlocker illegally streaming their videos, and you just happened to delete the history entry from your recent visit which the plaintiff decided to treat as "evidence."

This case isn't creating a precedent, but it's the first time I have seen federal prosecutors use this rationale and it's concerning. I personally don't think deleting your browsing history alone--even selectively--warrants a potential 20yr federal sentence.

Sharing a mindset is criminal too now? Thoughtcrime, really?

Also, nobody under investigation has to implicate itself?

If you play postal, and one of the guys you have smoke breaks with runs amok - deleting that game from a "new philosophical viewpoint" makes you guilty?

The problem is, that law tryies to mindread here in the end. Which they can not. There is a diffrent between rhetoric and action.

Even if he deleted specific entries from his browser history, if they knew that, then they must've had their own records of it. So they already had the evidence. So it wouldn't matter that he deleted his copy, it was unnecessary. That wouldn't obstruct or destroy anything.
He didn't know they had copies (assuming they even did; I think it's more likely they were able to reconstruct the deleted data, given that deleting a file is just removing its dirent, and formatting a drive is just recreating the filesystem metadata). As far as he knew, the entries in his browser history were the only records of those searches, or whatever.

That makes the action (assuming it was done with intent to destroy the evidence, and not merely an automatic, "quitting the browser purges its history" type thing) illegal.

Consider the analogous situation of two companies, both engaged in illegal activities:

Company A has a standing, published document retention policy that says that all financial records must be destroyed after 30 days.

Company B has someone sneaking in at night to shred the records of their profits from selling meth to schoolchildren.

The Feds have copies of both of their records, because they have someone on the inside copying them and turning them over.

One company's relevant employees are going to face one set of charges. The other's are going to face two. Can you guess which is which?

> Clearing one's cache/browser history is in many situations an automatic action, and it's troubling to find it lumped in with pre-meditated action.

Taking out the trash is in many situations an automatic action, but if you do it to hide evidence, it's obstruction of justice and it's a crime.

I don't find it troubling at all just because it's a new technology. When researching something in pre-internet days, I'd often write things down. Book titles, periodical dates and pages, microfilm request forms, key quotes. That my browser does that sort of thing automatically is different, but not all that different.

If anybody doesn't like that, they can turn it off right now with one checkbox. But clearing the cache because you want to destroy evidence is no different than, as in War Games, quickly taking the trash can out to the curb.

That's odd. I thought SOX applied to public corporations.

How a guy was charged with violating it seems odd.

Too bad SOX doesn't apply to government.

Specifically, Hilary Clinton's email scandal would be a crime under SOX, as would be the recent IRS data destruction.

The problem isn't that there aren't laws that criminalize these activities, there are.

The problem is that the government will never prosecute itself, and thus the government lets the corrupt get away with it increasing corruption over time.

One example of this is that there's been no reform of voting systems despite their failure in 2001, and increasing evidence of voter fraud in every presidential election since.

As pertains to the 'delete files [...] reformat his computer", would he have been absolved if he had instead "lost" his computer?
Every day it seems I read something that makes me believe I'm living in an absurdist Dostoevsky novel.
You mean Kafka, maybe?
Eh, I was thinking more along the lines of The Double with the world around me making less and less sense, whilst living under a crushing bureaucracy.
The wording seems to indicate taking a specific action to delete specific things.

So would having a browser/extension that automatically cleans up after itself imply guilt? Even people who don't do anything illegal, immoral, or unethical online might legitimately not want their computer constantly polluted with all the droppings from every site they visit - tracking cookies, cached ads, etc.

What about browsing from a VM that loads a pristine provisioned image every time you boot it? Seems a reasonable way to avoid both that pollution and reduce likelihood of being infected by malware or other security issues. The responsible thing for any good patriotic law-abiding citizen to do.

Either way, it would be a standard operating procedure. So anything that they didn't find would not be something that you had intentionally deleted.

Now you know why companies have these annoying policies which automatically delete all email older than 90 days.
I think this article in several places equates actively deleting your browser history with using an incognito mode in chrome, or another method of automatically deleting, or even preventing the creation of history all together. This is not the case, you are perfectly fine having a system that will automatically delete your history, at least for now, it's not illegal to do that.

This is also why many companies have a very precise document destruction procedures. I used to run a company that was involved in the document management industry. Many companies track very closely the lifecycle of every document they create, and many have programs that will purge the document literally on the day when it can be delete. If you have to keep a document for 7 years, there are systems that will purge that document at midnight on the 7th anniversary of it's creation.

This is perfectly legal as long as it's all automatic. I think under Sarbanes-Oxley you do have an obligation to preserve evidence once the investigation is open, so you would have to disable the automated system. But as long as your documents are destroyed as soon as it's legally possible, you are basically covered.

This is really weird! So lets say if a person once made some stupid remarks on a blog or somewhere else, and wants to erase his or her internet presence so that future employers can't see it, it is a crime too ?
..and I thought my daily dose of crazy was over!
If you find out someone who has used your computer was involved in an act of terrorism, then delete evidence of their guilt, I'm not sure I understand why that would not be a crime.

This guy was not prosecuted for deleting his browser history, he was prosecuted for deleting information he knew was relevant to a criminal terrorism investigation.

Deliberated evidence destruction should logically be sanctionned. I don't see anything wrong here. In a crime investigation, privacy should not come into play. That would make it easy to get away with it. Put yourself on the side of the victims if you don't understand.
Whats next ? Accessing internet will make you potential terrorist ?