Lots of people smoke cannabis to get high. But the cannabis plant is also very useful for easing a number of serious medical conditions including chronic pain, glaucoma, multiple sclerosis, migraine headaches and the nausea associated with chemotherapy. San Francisco became the center of medical cannabis use during the beginning of the AIDS crisis when AIDS patients found that it relieved their pain and helped spark their appetite.

Despite its usefulness, those who support medical cannabis are experiencing severe security problems. This community is under intense pressure from federal law enforcement authorities who raid the houses and businesses of people involved in this political movement. Agents also raid medical cannabis growers and dispensaries where medical cannabis is distributed and sold to patients. The number one item authorities seek in these raids is not cannabis, or suspects, or firearms - it's data. I’m going to talk today about what kind of data they are looking for, how they are getting it, how this community is trying to protect itself.

These are not theoretical threats. My country, the United States, appears to be going through a collective mental health crisis in which half the nation feels compelled to make war against Iraq to secure illusionary security based on flawed intelligence - and it is also making war on its own citizens. 750,000 Americans are arrested every year for cannabis, usually for simple possession. Most are arrested by state and local police.

American has the largest prison population in world, both per capita and in absolute numbers. There are two million people in prison in the U.S., about half are there as a result of drug charges. It's interesting to note that the prison guard's union is the single largest contributor to political campaigns in California and has consistently opposed changes in drug laws. But the drug laws have not proven to be an effective public policy. After fourty years of police actions and billions of dollars spent arresting, prosecuting and imprisoning people, drugs are as plentiful as ever in the U.S. The prosecution of soft drugs like cannabis has helped push people to cheap, easier to produce, more dangerous drugs like methamphetamine which is now very popular.

In the meantime, marijuana remains the number one cash crop in California - which is the number one agricultural state in the U.S. If the U.S. legalized and taxed cannabis, my country would not have an annual budget deficit of $368 billion a year and be cutting education and healthcare to pay for a war. Efforts are afoot in California to tax and regulate cannabis there first, activists hope that the rest of the nation will follow.

Attempts To Defend The Community

As a result of the U.S. government's failed marijuana policy, raids on the medical cannabis community have transformed a political war into a data war. Let's look at specific threats, some attempted solutions, and how tools developed by hackers can help these people secure sensitive information. By aiding this community, hackers are squarely on the side of the democratic majority. The U.S. Supreme Court recently upheld the right of federal authorities to arrest cannabis patients even if they exchange no money for their cannabis and consume it entirely inside the state of California. But polling data indicates that seventy to eighty percent of Americans support the right of sick people to use medical cannabis. In 1996, California passed a state law. the Compassionate Use Act, which permitted doctors to recommend cannabis for their patients. Since then, nine other U.S. states have passed similar laws. But the federal government does not recognize these laws and considers all marijuana use illegal and all people who grow and sell cannabis drug traffickers.

When they prosecute medical cannabis defendants in federal court, federal authorities know that sympathetic local juries won’t convict medical cannabis providers. So they suppress evidence that the cannabis is for medical use. Federal authorities especially target growers and those associated with growers. They often file conspiracy charges for which they need no actual drugs as evidence - just information. Growing or conspiring to grow more than 100 plants gets you a mandatory minimum federal prison sentence of five years in the U.S., and if you are growing over 1,000 plants, you go to prison for ten years. Van Phung Van Nguyen, a 26-year-old dispensary operator from San Francisco arrested in a June DEA raid, is currently facing ten years in prison for running a medical cannabis dispensary. He is one of many defendants facing federal charges as a result of recent raids there.

The medical cannabis community is vulnerable. Many people in this community are ill and they are not, by in large, technologically sophisticated. Most of them (except for some of the larger growers or dispensary operators) don’t have a lot of money. Many are small business people, if they have any business training at all. To help protect this group, the people of San Francisco, which has 40 medical cannabis dispensaries and the largest concentration of the estimated 100,000 medical cannabis patients in the US, first tried a radical approach known as Democracy.

The San Francisco Board of Supervisors (or city council) passed a resolution calling San Francisco a sanctuary city forbidding local police form helping federal authorities arrest or prosecute people in the medical cannabis community. But as often occurs here in Europe, the police have informal agreements between themselves. I filed a state freedom of information request for information on these agreements and was ignored.

In the last round of San Francisco DEA actions in June, it was clear that the local police were providing intelligence to federal authorities and were present at the raids. Local police are rewarded for their cooperation. Federal law enforcement agencies also provide funding for local police forces who want to maintain good relationships with them. So in summary, the sanctuary resolution has essentially failed.

ID Card System

Local police and federal authorities have also raided doctors and seized patient records to find out who is using medical cannabis. So the city of San Francisco set up an anonymized identity card system to help prevent the seizure of patient data. The way it works is that you show the San Francisco Department of Public Health your letter of recommendation from your doctor and a form of ID. Health officials call your doctor to verify the information and then hand it back to you without keeping a copy. Patients also need to sign a medical release form, show proof that they live in San Francisco, and indicate whether or not they want a caregiver to also get an ID card. Each card costs $25.

The city then issues you and your caregivers an ID card that contains your photo, a thirteen digit ID number, the date the card was issued and when it expires. If a cop stops you, they can phone the Department of Public Health phone number on the card and give them the ID number to confirm bona fid patients and caregivers. This card does not contain your name and address or any other identifying information that could be entered into a database of cannabis users. The State of California is set to run an ID card program for the whole state which our Governor, Arnold Schwarzenegger, attempted to stop.

Dispensaries Collect Data

But some counties and dispensaries also issue their own ID cards containing more informaton and collect data that can be used against patients. Some dispensaries also keep transaction and banking records that are seized by authorities when they raid these facilities. They sometimes communicate with growers in ways that make it easier for federal authorities to locate these people. Ironically, the city of San Francisco is now proposing dispensary regulations that would require the dispensaries to create and retain transaction records that make both dispensaries and patients vulnerable to federal prosecution.

In my job as a reporter, I began to keep track of the kind of information federal authorities were seeking in medical cannabis raids. I also asked dispensaries and patients if they took measures to secure their information. Some people had never heard of some of the security measures I asked about, some of them had. Some sought more information on their own and asked others for help. On my blog, www.ontherecord.org I have posted this talk together with a PDF of an affidavit for a search warrant connected to a series of raids made by federal authorities in San Francisco in June. The affidavit lists the kinds of information authorities are looking for. They are often seeking information to support charges of a “conspiracy to manufacture, distribute and possession with intent to distribute controlled substances; principally marijuana.” So what do they seize? Mostly data you’d expect, some you wouldn’t. Here’s a list:

Federal authorities want records of price, quantity and times when cannabis was purchased, possessed, transferred, distributed, sold or concealed. They want accounting of transactions, amounts of substances, cash outstanding, funds owed or expended, ledgers. Especially important are records that they can use to indict and identify co-conspirators, customer and supplier lists, correspondence (including e-mail), receipts, journals, pay and owe sheets for employees. They are keen to determine the sources of the cannabis including names, address and phone numbers of growers and other identifying information.

Investigators also seek information on cannabis grow locations, storage lockers, businesses, offices or homes owned or leased by alleged traffickers. Books and magazines which explain how to grow marijuana are sought as are documents about gun ownership or registration. In addition, authorities look for communications equipment, phones, pagers, beepers, and answering machines. Agents ask for permission to answer or record any incoming phone calls while they are searching a location, and are not required to identify themselves.

Other information sought includes personal telephones and address books, letters, cables, telegrams, telephone and other utility bills, especially electricity bills which are used to prosecute growers who use lots of power for lights and ventilation systems. Photographs, yearbooks, audio and video tapes are sought. One grower had a film maker following him around. The film seized in the raid identified many of his friends and neighbors. Keys, personal IDs and other identity documents, bank cards and bank account information is also seized. Dispensary operators using a checking accounts to pay rent on leased properties are charged with money laundering based on depositing the proceeds of marijuana sales into their checking accounts.

And of course investigators are looking for cash. Local police authorities, such as the Los Angeles Police Department have recently taken to seizing bank accounts of dispensary operators. Banking statements, wire transfer records, money orders, checks, travelers checks, deposit receipts, stock certificates, money wrappers, counting machines, income tax returns are all targeted.

Also sought are any documents about purchase, sale or lease of real estate, motor vehicles, precious metals, jewelry or anything other large ticket items purchased with alleged illegal drug proceeds. Any travel data, airplane tickets, credit card receipts, hotel and restaurant receipts, maps and written directions to alleged grow locations are included in search warrants. Any information about the ownership of the dispensaries, leases, public licenses and business statements., contracts, warrantees on equipment, partnership and corporate documents, and safety deposit box records are seized. This is a very long list, I’m sorry if I am boring you. Police are tediously thorough.

Investigators especially look for computer passwords. They also search for and seize computer files, and data storage devices. Sometimes they cart off the hardware. In the recent raids against dispensaries, federal authorities argued that data may be stored under deceptive file names and they need time to sort through it. They note that it is impractical and even invasive to search for this kind of data on site - and they worry that there may be destructive code embedded in the system. Plus they need to employ “data search protocols” to recover erased, compressed, password protected, or encrypted files. So when they arrive at the raid site, authorities bring in their own machines to mirror entire hard drives and take away the peripheral media such CDs, floppy disks etc. Copies of stored data are returned to the defendant.

So now you may be thinking, “wow, it really sucks to be in the U.S., but fortunately, we live in Holland, or Germany or France or the UK.” Unfortunately, the DEA is now beginning to claim jurisdiction over anyone accused of growing cannabis anywhere in the world. On July 29th, local police in Vancouver Canada collaborated with the DEA to raid the offices of the British Columbia Marijuana Party. They also raided the party’s bookstore, and TV studios and a cannabis seed business ran by members of the party. One of their top priorities in the search were customer records. Four people were arrested and the DEA is expected to try to extradite them to the U.S. to face prosecution there. The raid was carried out under Canada’s Mutual Legal Assistance in Criminal Matters Act.

Defending Data

The easiest way that this community has found to protect its data is not keep any. Dispensaries are beginning to understand it is not a good idea to retain lists of patients or patient data. They are also resisting demands by the city of San Francisco that they keep transaction receipts.

Dispensary operators are beginning to think twice about using credit cards to pay expenses or recording IP addresses on their web sites. If they visit grow sites, most of them know to turn off their cell phones to avoid being tracked. While the post-911 U.S. Patriot Act expanded government surveillance powers, allegedly to fight terrorism, many of the requests for phone taps and surveillance involve drug investigations. Most people know enough not to discuss sensitive issues on their cell phones or via e-mail, but people are still indiscreet. Our own intelligence operative aren’t that discreet themselves. Italian authorities announced this week that they have issued arrest warrants for 19 people, believed to be CIA operatives, who were on a mission to kidnap an alleged radical Muslim cleric in Italy. The agents were tracked via their cell phone use.

Some dispensary operators, growers, patients and caregivers, lawyers and journalists are starting to use security tools to keep their data private. Some know how to open Hushmail accounts or use free or commercial versions of PGP or Ciphire to encrypt their e-mail. Some use Neocrypt and PGPdisk to create encrypted partitions on their harddrives where files can be protected. Some are aware of TOR and use onion routing to anonymize their web surfing. As with most security tools, there is often a trade off between usability and insecurity. With PGPdisk, for example, you have to figure out how much of your drive to encrypt, if you want encrypted or clear text in a network of PCs, and if deleted unencrypted files or swap files are secure. And since it's proprietary software, you can get locked out of your own drive if your license expires.

Fewer members of this community are aware of less-known tools like GAIM for instant messaging or Adium for instant messaging on Macs. Password management tools are largely unknown. Some dispensaries have taken steps to make rapid data destruction possible and may be aware of Darik’s Boot and Nuke (DBAN) which you can read about here. Secure voice such as the Cryptophone software for windows systems hasn’t really caught on.

There are other practical security issues that this community deals with. Patients who need to travel with their medical cannabis face arrest by airport security officials who work for the federal government and their computers may be searched by airport officials. Those who are arrested and go to jail awaiting trial, or sent to prison after conviction, are often frequently moved by corrections officials. Keeping track of them behind bars can be difficult for their friends and families.

Journalists like myself who cover this movement can be subpoenaed to reveal information and the names of confidential sources. Several journalists were subpoenaed in the case involving the unmasking of CIA agent Valerie Plame. One, Judith Miller of the New York Times, has done three weeks in prison on a contempt charge so far. It’s possible that journalists and others could also be put in jail on a contempt charge for declining to provide passwords to decrypt documents.

Finally, I’d like to point out that federal drug investigators have created an extensive informant system in which those charged with crimes are given reduced sentences and other rewards for turning other people. This has helped to account for an almost 800 percent increase in the number of women going to jail on drug crimes in the U.S. in the last ten years. Women are often peripherally involved in drug operations and have less information to trade. Therefore, they often do longer sentences than the male defendants in these cases.

While there is obviously a need to develop trust within the medical cannabis community, its a difficult challenge for this group. People are frightened of going to jail, often ill and in pain, and dispensary operators compete against each other making it difficult for security procedures to be replicated across a group of cannabis providers. And any cooperation among members of this community can be construed by the authorities as proof of drug distribution conspiracy. So the challenges are great, but good technology tools and education can be an important line of defense until the marijuana laws are overturned. Current data security tools and their successors can help keep people stay out of jail.

Please keep the needs of this community in mind when developing new privacy systems and intelligent user interfaces. So far, there has been no federal trial of medical cannabis defendants who actively used these data security techniques to minimize evidence. So we don’t know for sure if they work for this community or not. Stay tuned. I welcome your questions.