Is it a crime to provide communication services designed to be proof against government access?
This question does not normally arise in the Going Dark debate. The key question instead has been whether lawmakers should impose an affirmative obligation on providers to maintain their ability to provide the government with access to user communications in response to a warrant or other legal process. That is, the current debate assumes no such obligation is clearly established by current law.
Against that backdrop, last week’s multinational takedown of secure phone company Phantom Secure is quite interesting. Here is how the FBI’s page on the case describes its significance: “This case is the first time the U.S. government has targeted a company and its leaders for assisting a criminal organization by providing them with technology to “go dark,” or evade law enforcement’s detection of their crimes.”
To be clear, the Phantom Secure prosecution does not show that Apple or other mainstream providers could or would be prosecuted in similar fashion. It is something of a shot across the bow, however, and the precedent certainly will loom large for smaller entities whose business model and clientele might more closely resemble Phantom Secure.
Phantom’s raison d'être appears to have been to enable crime, making it an easy case for this treatment. That’s not remotely true for most companies providing communication services. But there’s a substantial gray-zone in which hard questions about an extension of the Phantom Secure precedent may arise.
What is Phantom Secure?
Phantom is a Canadian company that provides secure communications through modified Blackberry devices running a proprietary, closed network for an individually vetted clientele who may use the service to communicate securely with one another. From the bottom up, the enterprise has been designed to maximize secrecy and anonymity, and to minimize the information the company possesses. Among other things, customers may contact Phantom at any time to have Phantom remotely wipe all data from seized devices. According to the Justice Department, all of this quite explicitly has been done in pursuit of business from persons engaged in criminal activity who seek to avoid detection by law enforcement. (Motherboard notes a specific connection to the Sinaloa cartel.)
What happened over the past two weeks?
Following a sealed criminal complaint in San Diego at the beginning of March, American, Canadian and Australian authorities (with help from authorities in Panama, Thailand and Hong Kong) began a series of searches targeting Phantom and its key officers. Last week, the FBI arrested Phantom’s CEO Vincent Ramos in Washington state. And now a grand jury has indicted Ramos along with four co-conspirators who are not yet in custody. The FBI has posted details here.
As part of the takedown, some 150 domain names associated with Phantom have been seized. I’m not yet clear on what happened, but it seems possible that investigators in the participating countries might have been able to use their control for a time to investigate and identify participants in the Phantom network, which may yield a large number of additional and important arrests down the line.
What is the theory of criminal liability here?
The indictment that dropped on March 15 does not claim that it is a crime simply to provide encrypted communication services or the like, even where those services may result in communications being immune as a practical matter from government access pursuant to warrants or other process. But it is a crime, the Justice Department asserts, to use such services knowingly and intentionally to enable and facilitate the commission of other crimes (like narcotics trafficking). Simply put, the Justice Department takes the position that a secure-communications provider can become part of a criminal conspiracy or racketeering enterprise, if the requisite intent is there.
The specific charges in United States v. Ramos are:
- 18 U.S.C. §1962(d)—Conspiracy to commit a Racketeer Influenced and Corrupt Organizations Act (RICO violation).
Section 1962 is the RICO statute. It has three substantive provisions (that is, three scenarios in which involvement in a racketeering organization’s illegal activities can itself constitute a crime, apart from those underlying crimes themselves), plus a conspiracy provision (meaning that it also is a crime to agree with others to commit one of those three RICO violations).
The Phantom Secure indictment charges 1962(d), the conspiracy provision. Based on the earlier criminal complaint in the case, my understanding is that the particular claim is that the defendants conspired to violation 1962(c), which in relevant part states that: “It shall be unlawful for any person employed by or associated with any enterprise … to conduct or participate, directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity….”
According to the criminal complaint that preceded the indictment (I don’t yet have the indictment itself), the particular claim is that defendants conspired to participate in Phantom Secure through activities including (i) illegal gambling, money laundering, and narcotics trafficking (in violation of state law) and (ii) federal criminal activity involving conspiracy to distribute narcotics, abetting narcotics distribution, and—notably—obstruction of justice. That last element stands out and appears to stem from the idea that Phantom Secure offered a service specifically intended to destroy data in the event of criminal investigation.
- 18 U.S.C. §2 (predicated on 21 U.S.C. §841 and §846)—Conspiracy/Aiding & Abetting the Distribution of Narcotics
Separately, the defendants also are charged directly with conspiring to distribute cocaine.
Does this really matter for the Going Dark debate?
Intent is the key here. Phantom Menace appears to be an easy case, a paradigm example in which the defendants not only understood that some people using their services did so to facilitate crime, but affirmatively sought to profit from that prospect. The same thing cannot be said about Apple or other mainstream device or service providers, and so I do not see the Phantom Secure case as setting a precedent that threatens them.
The more interesting question is how far prosecutors in the future might push this model in relation to other bespoke operators that may be akin to Phantom Secure in some ways but not others. There are many entrepreneurs out there developing devices and networks that share with Phantom an intense commitment to maximizing user privacy, and inevitably some of these will be used by criminals to an extent that begins to raise genuine questions about the intentions of the provider. Whether and when such situations will trigger criminal investigation—let alone indictment and asset-seizure—of course will be highly fact-specific, as these questions of intent will arise along a wide spectrum.
Time will tell how aggressive the Justice Department will prove to be in assessing that spectrum. (Note: It’s not just about the Justice Department, of course; as Motherboard notes, the Dutch have had some similar cases). Perhaps we will see no other cases, or at least no others that are not—like Phantom Secure—relatively strong cases for criminal intent. But perhaps it will be otherwise, and Phantom Secure will come to be seen as the opening move in a high-stakes extension of the Going Dark debate.