LawOfficer.com has an interesting review of United States v. Harrison and when/how social engineering is acceptable to gain entry to private space.

Importantly, the prosecution conceded that just as it would be a violation of the Fourth Amendment for an officer to induce consent by pointing a gun at a suspect, it would also violate the Fourth Amendment if an ATF agent induced consent by falsely claiming that someone had planted a bomb in Harrison’s apartment. Yet, the district court found that this is the precise effect of the agents’ misrepresentation.

The agents’ conduct left Harrison with two options: (1) either deny consent to search and take the risk that a bomb had been planted in the residence, or (2) consent to the search. Consent under these circumstances wasn’t free of impermissible coercion, and Harrison’s consent was therefore involuntary. As such, the court of appeals affirmed the suppression of the firearm and ammunition.

Lying and social engineering tactics have been protected by the courts in the past. Officers may lie about their identity and claim they have more knowledge, evidence or insights than they really do in an investigation as explained in a FLETC law enforcement training brief.

Officers often use deception during the course of their investigations. Hoping to entice a confession from a suspect, an officer may legally, but falsely, tell a suspect that his fingerprints were found at a crime scene, that his criminal acts were recorded by a concealed video camera, or that a co-criminal has confessed and implicated him. An undercover officer, by design, is engaged in a pattern and practice of deception.

This case illustrates that lies go too far when they involve risk of death or injury to a suspect (e.g. bomb threats or pointing a gun). They are unacceptable because high severity threats make consent to a search involuntary, which violates the Fourth Amendment.

The case is also interesting because it is not clear whether the suspect who answered the door was authorized to give consent to the space searched. The story calls it his apartment but the case detail is slightly different.

When Harrison was reluctant, the agents assured him he could give permission to search even though it was his girlfriend’s apartment…

The courts usually support an officer who asks for consent to search from anyone who has control over the property (a key, name on a lease, no one else is present, no one else objects, or is legally authorized). More to the point, with regard to cloud environments, in a co-tenant situation there needs to be evidence of control (e.g. a locked door and a unique key) to prevent the search of shared infrastructure/space becoming a search of individual/private space.

The European ATM Security Team (EAST) has published their third report of the year. Their data shows the skimming losses continue to shift to areas without chip. They also point to a rise in devices used to block the cash dispenser.

The trend of the majority of skimming related losses occurring outside of EMV liability shift areas continues; from January to September 2011 such losses were reported in 47 countries outside of the Single Euro Payments Area (SEPA) and in 12 countries within SEPA. The USA remains the top location for such losses.

Cash trapping incidents were reported by nine countries and this type of attack is increasing in most of them. This reflects a continuance of the trend reported in EAST’s most recent European ATM Crime Report (covering January to June 2011)

The report also indicates a rise in gas-based explosions. While the new cash trapping attacks are said to be easily defeated by retrofitting or upgrading the ATMs, there was no mention of guidance to defeat explosive attacks.