People get into petty arguments with strangers all the time. They are usually brief and quickly forgotten about, and everyone just gets on with their lives. However these days, with pretty much everyone wielding easy access to a camera phone, these minor altercations can suddenly take on a life of their own.
This argument at a mall in Pittsburgh, Pennsylvania is a classic example of this. Misplaced anger and petty vindictiveness over a refused request to pet a service dog escalated a simple misunderstanding into a viral video, that has thousands of people weighing in with their own opinions on the matter.
The video was originally shared to Facebook by service dog handler Megan Stoff and has been viewed over 2 million times, with people shocked by the aggression of the mother. It is (or at least should be) a well-known fact that service dogs are there to assist people with special circumstances or requirements, and shouldn’t be interfered with while working. Sure, a polite request can be made, but no means no, and this mom didn’t seem to understand that.
Had this crazy experience yesterday at the mall where some lady asked if she could pet the dogs. People ask us all the time so I just said, “no.” All the dogs are working so it’s my go to answer. And they walked away. No big deal right? This lady went out of her way to come back with her child and yell at us for saying “no” and for not saying, “nO iM sOrRy ThEy’Re TrAiNiNg.” And we should “have a sign or something.” You mean the 20 patches on my dog that say don’t pet? 🙃 Entitlement these days is real. They even got mall security because we said they couldn’t pet the working dogs. 🙃😂 Security said that the lady was crying 😂 So much harassment for just saying no. This video is public and is shareable. There was no common sense here.
The group were on a meet-up at the mall, getting to know each other as fellow service dog handlers. One of the group, Ciarán Williamson, couldn’t understand why being told ‘no’ upset the mom quite as it did, and after being confronted by the mall security that she called on them, decided that enough was enough and went home. Ciarán gave his perspective on being a service dog handler to Bored Panda. “I don’t necessarily mind being asked to pet my dog, though usually, I have to tell people no,” he told us. “I don’t really get upset by having to do this unless it’s a particularly stressful day or environment and I’m having trouble doing what I’ve set out to do in the first place.”
Image credits: ML Leigh
“I’d rather people ask than just lean in and try to grab her, which happens every day… but I don’t always have the energy to explain what she’s doing or why she can’t be petted. I’m autistic and sometimes just can’t speak very efficiently at all so I can’t explain even if I wanted to. I might shake my head no, or indicate in some other short way not to pet her or talk to her, and I just want to have that respected. People also often take pictures of us without asking and that makes me really super uncomfortable, I don’t want people to do that at all.”
“I guess I just don’t want people to assume I am able to divert my attention to interact with them how they want me to, and that if someone has a service dog in the first place it means they’re disabled and probably having a hard time already. Using judgment about whether it’s appropriate to ask to pet helps (does the dog already have a vest on that says not to pet? Is it really loud and busy and chaotic of an atmosphere? Does the service dog handler look uncomfortable or distracted?) I have let people pet her, but in really specific situations where I can focus on making sure I keep her attention and I know I won’t need her to work for me at that moment.”
Image Credits: Ciarán Williamson
“Unfortunately I feel like people don’t consider me at all when they ask to interact with my service dog the majority of the time. Usually people just lean in and talk to her or try to pet her without even acknowledging me… They also often just assume I’m rude instead of something out of my control (like I can’t hear them, which happens a lot in overstimulating environments). I am concerned about people continuing to do these things because it’s really common.”
“My dog Clover is doing very well in training though, she has a Facebook page I started for her recently so people could see her and ask me questions about her and stuff there if they’re curious. I like talking about my service dog, just not necessarily when I’m trying to go grocery shopping! She deals well with strangers approaching but she is a very friendly and outgoing dog that enjoys people so attention from other people can be a big distraction for her and it’s something we have to work on all the time. I don’t think people consider that when they get upset about not being allowed to pet her.”
Here’s what people had to say about the situation:
Almost finished…To complete the subscription process, please click the link in the email we just sent you.
In what's threatening to become an annual tradition, executives from Twitter and Facebook will testify before Congress Tuesday. And unlike last fall's session, this round will include the top brass, including Twitter CEO Jack Dorsey and Facebook COO Sheryl Sandberg. (Facebook CEO Mark Zuckerberg presumably gets a pass, given his solo session this past April. Here's how to watch.
Wednesday will actually see two hearings. The morning session before the Senate Intelligence Committee kicks off at 9:30 am ET, featuring both Dorsey and Sandberg. Google CEO Larry Page was invited, but declined to attend; Google offered global affairs executive Kent Walker instead. Walker will provide written testimony, but won't appear in person. You can watch that session live right here when it starts:
The second half of the doubleheader starts at 1:30 pm ET, and will feature Dorsey solo before the House Energy and Commerce Committee. You can watch a stream of that one here:
The morning session will ostensibly focus on foreign efforts to interfere in US democracy, but if past is prologue, the executives will likely end up fielding a range of questions about everything from Russian influence campaigns to perceptions of bias against conservatives.
Expect Sandberg's answers to echo Zuckerberg's from a few months ago as well, although hopefully she won't have to get back to them on quite as much. In prepared remarks, she acknowledged Facebook's lapses during the 2016 election. "We were too slow to spot this and too slow to act," Sandberg writes. "That’s on us. This interference was completely unacceptable. It violated the values of our company and of the country we love." She then goes on to outline the various steps Facebook has taken to help fix the problem. (The process is ongoing; Zuckberberg estimated in May that it would take three years to patch things up completely.)
The House hearing will focus instead on "transparency and accountability," presumably in response to reports—so far inaccurate or overhyped—that Twitter and other platforms have inherent bias against conservatives. In his prepared remarks, Dorsey stresses that "Twitter does not use political ideology to make any decisions, whether related to ranking content on our service or how we enforce our rules. We believe strongly in being impartial, and we strive to enforce our rules impartially. We do not shadowban anyone based on political ideology. In fact, from a simple business perspective and to serve the public conversation, Twitter is incentivized to keep all voices on the platform."
On that last point, Dorsey may take some flak from Democrats as well; Twitter is notably the only major platform not to have banned InfoWars, the conspiracy-minded Alex Jones media property that has alleged that the Sandy Hook shooting was a hoax, among indecencies. Twitter has also long been a preferred haven for white supremacists; the company has received repeated criticism for not doing enough to curtail the harassment and abuse that can run rampant on its platform. Dorsey will also give Congress a crash course in "healthy conversation," the still somewhat nebulous North Star that Twitter outlined back in March.
As you watch, it's worth keeping an eye not just on the answers from Sandberg and Dorsey, but on the questions Congress asks. When Zuckerberg took his turn at the mic, several representatives clearly had a limited familiarity with how Facebook works, and the mechanisms it uses to fight abuse. Congress may soon try to regulate the tech giants—even Donald Trump has alluded to it of late—but how can they do so if they don't grasp the fundamentals of what they would be regulating? And perhaps more importantly, how can they help these companies fight off enemies of the United States if they don't understand the threat?
It's unlikely that Sandberg, Dorsey, and Congress will resolve those issues over the course of a few hours Wednesday. But watch anyway, if only for a better sense of just how far they all have left to go.
Amazon touts its Rekognition facial recognition system as “simple and easy to use,” encouraging customers to “detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases.” And yet, in a study released Thursday by the American Civil Liberties Union, the technology managed to confuse photos of 28 members of Congress with publicly available mug shots. Given that Amazon actively markets Rekognition to law enforcement agencies across the US, that’s simply not good enough.
The ACLU study also illustrated the racial bias that plagues facial recognition today. "Nearly 40 percent of Rekognition’s false matches in our test were of people of color, even though they make up only 20 percent of Congress," wrote ACLU attorney Jacob Snow. “People of color are already disproportionately harmed by police practices, and it’s easy to see how Rekognition could exacerbate that."
Facial recognition technology’s difficulty detecting darker skin tones is a well-established problem. In February, MIT Media Lab’s Joy Buolamwini and Microsoft’s Timnit Gebru published findings that facial recognition software from IBM, Microsoft, and Face++ have a much harder time identifying gender in people of color than in white people. In a June evaluation of Amazon Rekognition, Buolamwini and Inioluwa Raji of the Algorithmic Justice League found similar built-in bias. Rekognition managed to even get Oprah wrong.
“Given what we know about the biased history and present of policing, the concerning performance metrics of facial analysis technology in real-world pilots, and Rekognition’s gender and skin-type accuracy differences,” Buolamwini wrote in a recent letter to Amazon CEO Jeff Bezos, “I join the chorus of dissent in calling Amazon to stop equipping law enforcement with facial analysis technology.”
'We wouldn’t find this acceptable in any other setting. Why should we find it acceptable here?'
Alvaro Bedoya, Center on Privacy and Technology
Yet Amazon Rekognition is already in active use in Oregon’s Washington County. And the Orlando, Florida police department recently resumed a pilot program to test Rekognition’s efficacy, although the city says that for now, “no images of the public will be used for any testing—only images of Orlando police officers who have volunteered to participate in the test pilot will be used.” Those are just the clients that are public; Amazon declined to comment on the full scope of law enforcement’s use of Rekognition.
For privacy advocates, though, any amount is too much, especially given the system’s demonstrated bias. “Imagine a speed camera that wrongly said that black drivers were speeding at higher rates than white drivers. Then imagine that law enforcement knows about this, and everyone else knows about this, and they just keep using it,” says Alvaro Bedoya, executive director of Georgetown University’s Center on Privacy and Technology. “We wouldn’t find this acceptable in any other setting. Why should we find it acceptable here?”
Amazon takes issue with the parameters of the study, noting that the ACLU used an 80 percent confidence threshold; that’s the likelihood that Rekognition found a match, which you can adjust according to your desired level of accuracy. “While 80 percent confidence is an acceptable threshold for photos of hot dogs, chairs, animals, or other social media use cases, it wouldn’t be appropriate for identifying individuals with a reasonable level of certainty,” the company said in a statement. “When using facial recognition for law enforcement activities, we guide customers to set a threshold of at least 95 percent or higher.”
While Amazon says it works closely with its partners, it’s unclear what form that guidance takes, or whether law enforcement follows it. Ultimately, the onus is on the customers—including law enforcement—to make the adjustment. An Orlando Police Department spokesperson did not know how the city had calibrated Rekognition for its pilot program.
The ACLU counters that 80 percent is Rekognition’s default setting. And UC Berkeley computer scientist Joshua Kroll, who independently verified the ACLU’s findings, notes that if anything, the professionally photographed, face-forward congressional portraits used in the study are a softball compared to what Rekognition would encounter in the real world.
“As far as I can tell, this is the easiest possible case for this technology to work,” Kroll says. “While we haven’t tested it, I would naturally anticipate that it would perform worse in the field environment, where you’re not seeing people’s faces straight on, you might not have perfect lighting, you might have some occlusion, maybe people are wearing things or carrying things that get in the way of their faces.”
Amazon also downplays the potential implications of facial recognition errors. “In real world scenarios, Amazon Rekognition is almost exclusively used to help narrow the field and allow humans to expeditiously review and consider options using their judgement,” the company’s statement reads. But that elides the very real consequences that could be felt by those who are wrongly identified.
“At a minimum, those people are going to be investigated. Point me to a person that likes to be investigated by law enforcement,” Bedoya says. “This idea that there’s no cost to misidentifications just defies logic.”
'What we’re trying to avoid here is mass surveillance.'
Jeramie Scott, EPIC
So, too, does the notion that a human backstop provides an adequate check on the system. “Often with technology, people start to rely on it too much, as if it’s infallible,” says Jeramie Scott, director of the Electronic Privacy Information Center’s Domestic Surveillance Project. In 2009, for instance, San Francisco police handcuffed a woman and held her at gunpoint after a license-plate reader misidentified her car. All they had to do to avoid the confrontation was to look at the plate themselves, or notice that the make, model, and color didn’t match. Instead, they trusted the machine.
Even if facial recognition technology worked perfectly, putting it in the hands of law enforcement would still raise concerns. “Facial recognition destroys the ability to remain anonymous. It increases the ability of law enforcement to surveil individuals not suspected of crimes. It can chill First Amendment-protected rights and activities,” Scott says. “What we’re trying to avoid here is mass surveillance.”
While the ACLU study covers well-trod ground in terms of facial recognition’s faults, it may have a better chance at making real impact. “The most powerful aspect of this is that it makes it personal for members of Congress,” says Bedoya. Members of the Congressional Black Caucus had previously written a letter to Amazon expressing related concerns, but the ACLU appears to have gotten the attention of several additional lawmakers.
The trick, though, will be turning that concern into action. Privacy advocates say that at a minimum, law enforcement’s use of facial recognition technology should be heavily restricted until its racial bias has been corrected and its accuracy assured. And even then, they argue, its scope needs to be limited, and clearly defined. Until that happens, it’s time not to pump the brakes but to slam down on them with both feet.
“A technology that’s proven to vary significantly across people based on the color of their skin is unacceptable in 21st-century policing,” says Bedoya.
You've probably never heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there's also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn't clear—and the leak doesn't seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.
"It seems like this is a database with pretty much every US citizen in it," says Troia, who is the founder of his own New York-based security company, Night Lion Security. Troia notes that almost every person he's searched for in the database, he's found. And when WIRED asked him to find records for a list of 10 specific people in the database, he very quickly found six of them. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen," he says.
In the Open
While it's far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he'd been curious about the security of ElasticSearch, a popular type of database that's designed to be easily queried over the internet using just the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results. As Troia combed through them, he quickly found the Exactis database, unprotected by any firewall.
"I’m not the first person to think of scraping ElasticSearch servers," he says. "I’d be surprised if someone else didn't already have this."
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it's no longer accessible. Exactis did not respond to multiple calls and emails from WIRED asking for comment on its data leak.
Aside from the sheer breadth of the Exactis leak, it may be even more remarkable for its depth: Each record contains entries that go far beyond contact information and public records to include more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel. WIRED independently analyzed a sample of the data Troia shared and confirmed its authenticity, though in some cases the information is outdated or inaccurate.
"I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen."
Vinny Troia, Night Lion Security
While the lack of financial information or Social Security numbers means the database isn't a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering, says Marc Rotenberg, executive director of the nonprofit Electronic Privacy Information Center. "The likelihood of financial fraud is not that great, but the possibility of impersonation or profiling is certainly there," Rotenberg says. He notes that while some of the data is available in public records, much of it appears to be the sort of nonpublic information that data brokers aggregate from sources like magazine subscriptions, credit card transaction data sold by banks, and credit reports. "A lot of this information is now routinely gathered on American consumers," Rotenberg adds.
Without confirmation from Exactis, the precise number of people affected by the data leak remains tough to count. Troia found two versions of Exactis' database, one of which appears to have been newly added during the period he was observing its server. Both contained roughly 340 million records, split into about 230 million records on consumers and 110 million on business contacts. On its website, Exactis boasts that it possesses data on 218 million individuals, including 110 million US households, as well a total of 3.5 billion "consumer, business, and digital records."
"Data is the fuel that powers Exactis," the site reads. "Layer on hundreds of selects including demographic, geographic, lifestyle, interests, and behavioral data to target highly specific audiences with laser-like precision."
But if the Exactis leak does in fact include 230 million people's information, that would make it one of the largest in years, bigger even than 2017's Equifax breach of 145.5 million people's data, though smaller than the Yahoo hack that affected 3 billion accounts, revealed last October. (It's worth emphasizing in the case of the Exactis leak, unlike in those earlier data breaches, the data wasn't necessarily stolen by malicious hackers, only publicly exposed on the internet.) But like the Equifax breach, the vast majority of people included in the Exactis leak likely have no idea they're in the database.
EPIC's Marc Rotenberg argues that the timing of the breach, just after the implementation of Europe's General Data Protection Regulation, highlights the persistent lack of regulation around privacy and data collection in the US. A GDPR-like law in the US, he notes, might not have prevented Exactis from collecting the data it later leaked, but it might have required the company to at least disclose to individuals what sort of data it collects about them and allow them to limit how that data is stored or used.
"If you have a profile on someone, that person should be able to see their profile and limit its use," Rotenberg says. "It’s one thing to subscribe to a magazine. It’s another for a single company to have such a detailed profile of your entire life."
As you emerge from your turkey-induced coma, take a moment to reflect on the past week in security, which despite the holiday was chock-full of wonderments. From Uber shadiness to Android location-tracking, it was quite the whirlwind.
Uber made headlines midweek when it came out that the company had not only been breached a year ago—coughing up the personal info of 57 million users—but paid the hackers $100,000 to keep it quiet. The failure to disclose a security breach is not only ethically dubious, it’s also outright illegal in many states, which means we could see some serious fallout.
And there's more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Google Tracks Android Location Even When You Tell It Not To
In a perplexing violation of privacy norms, Android phones collect the location of nearby cell towers even if you’ve turned off location services. The company confirmed the practice to Quartz, saying that the feature was in place to improve push notifications and messages. It also said it would stop doing so by the end of November.
In many ways, the headline sounds scarier than what it means in practice. Google encrypts the data in transit, and says it doesn’t store any of it. It’s also distinct from the location data that it provides app developers and advertisers. Someone could conceivably use the location data for ill if they’ve compromised an Android device, but by that point they’d likey have access to the phone’s location—and even more sensitive information—already.
None of which excuses Google! It’s still an extremely bad look to collect location info on people who are unaware, especially given the many, many situations where a person has reason to fear for their safety if their location at any given moment were widely known. At best, Google’s overreach was incredibly tone deaf and intrusive. At worst, it could have had serious real-world consequences.
Cryptocurrency values keep skyrocketing, but the thefts haven’t slowed down either. The latest victim: Tether, a cryptocurrency pegged to the dollar. Its operators say that an “external attacker” stole over $30 million worth earlier this week. The company says it was taking steps to freeze the funds. More details are scare—and Tether ended up deleting its initial blog post on the matter—but let it serve as yet another in a long series of warning about locking down your cryptocurrency, or maybe even, just a thought, sticking with traditional money until the security situation calms down.
While major outbreaks like WannaCry and NotPetya grab the headlines, ransomware is a daily disturbance, taking in more than $2 billion in 2017 alone, according to security firm Bitdefender. That doubles last year’s payout of a billion dollars, thanks in part to a major spike in the average demand, which hit $1,000—over 250 percent higher than in 2016. As if that’s not bad enough, it also doesn’t take into account the ancillary costs, like the hundreds of millions of dollars that Maersk lost dealing with NotPetya. There are some ways you can protect yourself, but most of the standard malware advice applies: Don’t click on or download anything you don’t trust, and make sure you keep a backup of all of your stuff just in case.
Cyberthreats will only escalate from here on out, so the Air Force Research Lab will hand over nearly $50 million to Ball Aerospace & Technologies to investigate ways to keep analog weapons safe from digital intrusion.
What is Ransomware and How Do You Deal With It?
Ransomware. It's malware but worse. It takes the contents of your device hostage and demands Bitcoin as a, you guessed it, ransom. Here's how to avoid it and what to do if your laptop gets locked.
The first time the police arrived on her doorstep, in March of 2015, Courtney Allen was elated.
She rushed to the door alongside her dogs, a pair of eager Norwegian elkhounds, to greet them. “Is this about our case?” she asked. The police looked at her in confusion. They didn’t know what case she was talking about. Courtney felt her hope give way to a familiar dread.
Three days earlier, Courtney and her husband, Steven, had gone to the police headquarters in Kent, Washington, a suburb of Seattle, and reported that, for the past few months, they had been the victims of a campaign of online harassment. They had found a fake Facebook page under Steven’s name with a profile picture of Courtney, naked. Emails rained down in their inboxes; some called Courtney a cunt, whore, and bitch, and one they felt was a death threat. Her coworkers received emails with videos and screenshots of Courtney, naked and masturbating. The messages came from a wide range of addresses, and some appeared to be from Steven.
There were phone calls too. One to Steven’s grandmother warned that her house might burn down, with her in it, if she didn’t stay out of the Allens’ lives. There were so many calls to the dental office where Courtney worked that the receptionists started to keep a log: “Called and said, ‘Put that dumb cunt Courtney on the phone,’ ” one of them wrote in neat, bubbly handwriting. “I said, ‘She is not here at the moment, may I take a message?’ ” At one point Courtney created a Google Voice number to ask, “If I talk to you, will you leave me alone?” Instead, dozens of voicemails poured in: “Do you think I’m ever going away?” one said. “Now that my private investigator went and got all the tax information? There’s no job either one of you guys can have that I won’t know about and be there.”
The Kent police officer who took the Allens’ statement seemed unsure of what to make of their story. Courtney and Steven told him who they believed was behind the harassment: a man in Arizona named Todd Zonis with whom Courtney had an online relationship that she had recently broken off. She says she told the officers that she had sent Zonis the videos of herself while they were still involved and that he had sent ones of himself to her, but that she had deleted their exchange. In a report, the officer noted that, while Courtney and Steven insisted that his role was obvious, Zonis’ name barely appeared in the folder full of printouts and CDs that they had with them. The officer assigned them a case number and advised them not to have any more contact with Zonis.
Now, three days later, the two officers on Courtney’s doorstep explained why they had come: An anonymous tipster, who claimed to work with Steven, had left a report on the Crime Stoppers website. It said that Steven “had been telling everyone for months that his wife was leaving him but he had a plan to beat her into staying.” The tipster added that he had noticed “a lot of bruises.” When prompted for more information on the suspect, the informant wrote that the Allens had a “large gun collection” and two big dogs. (One detective later noted that some of the reports seemed designed to trigger “a large/violent police response.”)
The police left after interviewing Courtney, but three days later, two detectives knocked on the Allens’ door in the early afternoon. Courtney wondered, more cautiously this time, if she would now get a response to her complaint. But no—the detectives were investigating another anonymous tip. This one was about an alleged incident at a park involving Steven and the Allens’ 4-year-old: “His son screamed and he smacked him repeatedly on the back, butt, legs, and head, but not the face,” the tipster wrote. “He then berated his wife, calling her ‘whore’ and worse … She covers for him when the abuse is to her, but abuse to the child I don’t know what will happen.”
In her report of the visit, detective Angie Galetti wrote that the Allens’ son “came downstairs and appeared to be happy and healthy.” She described how Courtney had to coax her nervous son into showing his skin to the detectives: “There was no suspicious bruising or marks of any kind,” she wrote. He “appeared appropriately attached to his mother and Detective Lorette and I had no concerns.”
But Courtney’s concerns were mounting. The day before, she had gotten an email to an account she only used for spam. “How did you even GET this email address?” Courtney wrote back. “Leave me and my family alone!” A reply came accusing Steven of also using unsavory cybertactics to find out about Courtney’s online behavior, but added: “I am MUCH better at it. For example. Your Jetta, in the driveway”—and yes, that’s where it was. The message included the car’s vehicle identification number. Courtney had started having nightmares; just going outside made her afraid. She felt violated by the images of her that were circulating who knew where, and anxious about what might come next.
And now this. It was “one of the worst moments of my life,” she said later, hoping that help was coming but instead “having to lift up my son’s shirt and show them my son’s body to make sure he had no bruises.” When the detectives asked for her phone number, she realized she didn’t remember it—she had just changed it in an attempt to evade the endless calls. She found herself sobbing in front of the detectives. The harassment was so creative, so relentless, so unpredictable. Around the same time, at least 15 of her neighbors received a “community alert” in the mail warning them that they were living near a dangerous abuser, Steven Allen. It was postmarked from Arizona.
But the most frustrating thing was how hard it all was to explain or prove. Courtney was beginning to feel trapped in a world of anonymous abuse. She didn’t know if she would be able to convince anyone that what she believed to be happening was real.
It began, as relationships often do these days, online. From the start it was a strange and tangled story of exposure and distrust in the internet era.
In the fall of 2012, Courtney and Steven had been together for 12 years but had known each other for 20: They met in a high school biology class and reconnected later when Courtney was going through a divorce. The couple—now in their mid-thirties, with a house full of fantasy books and clay dragons that Courtney sculpted—were avid players of Grepolis, an empire- and alliance-building browser game set in ancient Greece.
One day a player in an opposing alliance asked if he could join theirs. The small council that ran the alliance agreed. This was Courtney’s first introduction to Todd Zonis and she liked him from the start: “He was crude and rude and I thought it was actually kind of funny,” she says.
Courtney’s player name was sharklady76. As she recalls it, Zonis sent her a note on the game’s messaging service to say he had once owned a shark, and from there the conversation took off. They talked about gardening and pets. She shared pictures of her elkhounds; Zonis sent ones of his tortoise. The two progressed to video-chats. Both were married, but “it just kind of grew from there,” Courtney remembers. “It was a really strong friendship and then turned into not a friendship.”
At the time, Courtney was staying home with her toddler. She and Steven had made that decision together, but still, it was rough on their marriage: Steven was working long hours as an IT instructor and felt the stress of being the sole breadwinner. He often traveled for work. Courtney was a nervous new mother, afraid to let her son stay with sitters, which only increased her sense of isolation. She was often angry at Steven, whom she began to see as controlling and neglectful.
Zonis was a freelance sound engineer with a flexible schedule. The relationship with him offered “an escape,” Courtney says: “He was charming. He told me everything that I ever wanted to hear about how wonderful I was.” She adds, “I just thought the world of him. Because it was online, it was very easy to not see the faults someone has, to not see warning signs.” Eventually Courtney was spending a lot of time online with Zonis and pulling further away from Steven. She kept telling herself that they were just good friends, even when Zonis sent her a penis-shaped sex toy. One day, nearly a year after Zonis first joined the alliance, Steven noticed Courtney’s email open while updating her laptop. He read an exchange between her and Zonis. It was explicit, and it mentioned videos. He confronted Courtney. She was furious that he had read her emails but said she would stop communicating with Zonis. Instead, she moved the relationship to her tablet, behind a password; she also labeled Zonis’ contact information with a fake name.
She wanted to be sure Steven wasn’t the mastermind of a complex scheme.
Steven, sensing his marriage falling apart, turned to Google. He searched “adultery” and “online affair” and found a website called Marriage Builders that bills itself as “the #1 infidelity support site on the internet.” It was founded by Willard F. Harley Jr., a psychologist who encourages his readers to work to understand and meet their spouse’s needs but also recommends a radical response when a spouse won’t end an affair: making it public to the family of the people involved. Love, he writes, should be based not on trust but on transparency. “Imagine how little crime would be committed if everyone’s activities were videotaped.”
Steven tried to follow Harley’s advice for healing a marriage. He apologized for being distant and tried to get Courtney interested in answering the site’s questionnaires. But Courtney, often busy on her tablet, was leery of the Marriage Builders philosophy.
In November of 2014, just over a year after first seeing Courtney’s emails with Zonis, Steven noticed her tablet unlocked on the counter. She was in the shower, so he looked. He saw messages from a name he didn’t recognize but a writing style that he did. He then found more messages. The relationship hadn’t ended. His mind went to the advice from Marriage Builders: “Exposure helps prevent a recurrence of the offense. Your closest friends and relatives will be keeping an eye on you—holding you accountable.”
A few days later, Steven contacted his parents and Courtney’s parents and told them about the relationship. He found Zonis’ wife and wrote and texted her. He looked up Zonis’ parents on a people-finder site. “I would ask that you encourage your son to stop this affair before it completely ruins our family,” he wrote, adding that he had heard that the Zonises had an open relationship. “If you have any questions or would like to see some of the evidence, please email me.”
Courtney was livid. She told Steven not to come home that night; when he did, she took their son to her parents’ house. She returned the next day, but they slept in separate rooms and Courtney discussed divorce.
Zonis, too, was outraged. He saw the messages that Steven sent as an attack on his family, and one that was unjustified. Zonis tells the story of the relationship differently. After he joined the alliance, he says, he noticed Courtney talking about her husband in forums in a disturbing way, saying he was controlling and would punish her. He says Courtney reached out and became friends with him and his wife, Jennifer—“The two would chat, you know, for hours,” he says—though Courtney denies this. She asked a lot of questions about their marriage, he says, looking for advice. He denies that either he or Courtney ever sent explicit videos, or that they were more than friends.
To Zonis, calling his relationship with Courtney an “affair” was a false characterization and cost him dearly; Steven’s comment about an open marriage, he says, turned his parents against him. He claimed that his parents cut off contact and wrote him out of their will, which meant he would not inherit the “ancestral home.” In total, he says he lost an inheritance worth more than $2 million. Zonis began saving for a lawyer so he could take Steven to court. “He destroyed my family,” Zonis says, “just to basically keep his own wife in line.”
After the “exposure,” the Allens received barrages of virulent emails from Zonis’ account. He later denied writing both the anonymous emails and some that came from his account, speculating that perhaps someone to whom he’d told his story had taken it upon themselves to punish the Allens, or that the Allens were harassing each other and blaming him. He didn’t much care, he says, because he considered the harassment trivial: “My rights were violated and nobody cares, and we’re still talking about what happened to poor Courtney?”
After exposing the affair, Steven continued asking for advice from other people on the Marriage Builders site. He even posted emails between Courtney and Zonis, and a copy of a letter that he wrote to Courtney: “I am so very sorry I hurt you and hurt you so deeply for years, by not considering your feelings near as much as I should have, and by demanding and disrespecting your opinion to get what I wanted. I was abusive and controlling. I was so sure I was right, and getting what I wanted would help you too, that I didn’t realize the hurt I was causing you.” He didn’t realize that Zonis had found these posts and took them as Steven admitting to being an abuser.
Steven had hoped the exposure would allow them to move on; it had the opposite effect. One of his coworkers received an email accusing Steven of assaulting Courtney. When Steven told Courtney that Zonis must have sent it, she refused to believe him. Zonis “had my ear,” she says. “I was listening to everything that he said, and I was assuming anything Steve said was a lie.”
But she also felt cracks forming in her relationship with Zonis—she accused him of making the threatening call to Steven’s grandmother, which he angrily denied—and asked for space to try to get her head straight. She went back to work, seeking more independence. In an email to Zonis, the former sharklady described something she’d seen on TV: “There is a whale carcass. All the great whites gobble it up, ripping huge chunks out of it at a time. That is what I feel like … the whale.” “In my new world,” she wrote Zonis, “EVERYONE is lying to me. I don’t believe anyone anymore.”
In the meantime, Steven, angry about the message to his coworker, emailed Zonis, writing that he could “look forward to continued exposures to people in your life.” Zonis, who considered this a second attack, forwarded a copy of the email to Courtney, but when she read it she sensed something was wrong. The writer referred to their child as “her” son instead of “our” son, and a boast about his ability to manipulate her did not sound like her husband. (“I know Steven looks down upon people who try to manipulate,” she says. “It just didn’t fit with his character.”)
In a modern act of trust, she and Steven showed their emails to each other. She saw that the version Zonis sent to her had been edited—that Steven’s words had been changed. Courtney felt she finally knew whom to trust. “That,” she said later, “was when I turned to Steve and said, ‘I need help. I don’t know how to get myself out of this.’ ”
Courtney decided to ease Zonis out of her life. Her messages to him became short, bland, and infrequent, but still she received long, aggressive responses. Finally she began demanding to be left alone, then stopped responding at all. But emails and calls continued, as many as 20 in a single day; even Courtney’s mother was getting calls. Zonis said later that he was calling the Allens to get an apology, something that he could show to his parents. One email from his personal account said that the sender had just been in the Allens’ city —“VERY nice place”—and promised a visit to the area again soon. (Zonis denies writing the message.) There were also voicemails: “I will burn myself to the ground to get him. I told you, you’re going to lose him one way or the other.”
Emails arrived from other accounts too: Courtneythewhoresblog@blogspot.com, CourtneyCallMe69@aol.com, CourtneysGotNoPrinciples@LyingCunt.com, ItsHOWsmall@babydick.com, email@example.com, Youareaselfishcocksucker@noonewilleverreallyloveyou.com. There were dozens of others.
Some messages to the Allens’ neighbors and coworkers came from what appeared to be Steven’s email. Courtney’s boss got emails from “Steven” with subject lines such as “My Slut wife Courtney” and “Courtney is not who she seems to be.” One night, as Courtney worked on a sudoku puzzle in bed, she received an email that looked as if it had come from her husband, who was next to her reading a book. The next night, Steven’s cell phone dinged on the nightstand with a new email. He picked it up and turned to Courtney. “Apparently you hate me,” he said.
In March 2015, Courtney filed for a protective order against Zonis, which would make further contact a crime. Steven filed for a similar order for himself and their son the month after the “exposure,” but Courtney had believed that doing so would be too antagonizing. Zonis and his wife responded in kind by getting orders of their own. Two days after Courtney’s order was granted, she got an email from Zonis’ personal account: “Glad that bullshit symbolic gesture is out of the way,” it said. (Zonis denies writing this too.)
No charges were filed. The Kent police, while sympathetic, “weren’t really interested in something that was a misdemeanor protective order violation,” Steven says. The Allens got the sense that because Zonis was in Arizona, and because so much of the harassment was confusing and anonymous, it was hard for the police in Kent to act. At the end of March, Courtney and Steven walked into the FBI’s office in Seattle to present their case. (The Kent police, county prosecutor, and FBI all said they were unable to comment for this story.) Three months later the Allens got a letter stating, “We have identified you as a possible victim of a crime,” and informing them that the FBI was investigating. Months passed with no word. When they heard about the FBI’s involvement, the Kent police closed their own case. The Allens, not sure what else to do, continued to bring them evidence of new and ever more inventive harassment.
In early April the Allens received a package in the mail that was full of marijuana. After they reported it to the police, Detective Galetti informed the Allens that there had been more Crime Stoppers reports: allegations that they were selling drugs, that they were cutting them with butane, that their customers were high school kids.
The Allens began to consider a different option. Earlier that year, after Steven started a new job at the University of Washington, he told campus authorities about the harassment. Natalie Dolci, then a victim advocate with the campus police, referred him, as she had many others, to a pro bono program called the Cyber Civil Rights Legal Project at the prominent K&L Gates law firm. The project had been started a year earlier to help victims of what is variously known as sexual cyberharassment, cyberexploitation, and revenge porn. (Dolci prefers the terms “technology-enabled abuse” or “technology-enabled coercive control,” phrases broad enough to include things such as using spyware or hacking in-home cameras.) Often the cases didn’t go to court, meaning the public seldom heard their details. Most people just wanted to settle, get the harassment to stop, keep their images off the internet and their names out of public records.
Steven and Courtney weren’t eager to file a lawsuit, but they hoped the firm—a large one with a cyberforensics unit experienced in unraveling complex online crimes—would be able to help them unmask the harasser and prove their story to police. “We were just trying to get law enforcement to do something,” Steven said later.
On April 29, 2015, Steven and Courtney walked into a conference room overlooking Seattle’s port and Mount Rainier where they met David Bateman, a partner at K&L Gates and one of the founders of the Cyber Civil Rights Legal Project, and Breanna Van Engelen, a young attorney. A mock trial program in college convinced Van Engelen that she wanted to be a litigator—to stand up in court on behalf of clients she believed had been wronged—but she was fresh out of law school and had yet to try her first case.
The lawyers were skeptical of the Allens’ story at first. It was so outlandish that Van Engelen wondered if it was made up—or if one spouse was manipulating the other. Courtney’s fear seemed genuine, but so many of the emails did appear to come from Steven, who knew his way around computers. Van Engelen wanted to be sure that Steven wasn’t the mastermind of a complex scheme in which he hid his own abuse, impersonating Zonis impersonating him. She interviewed the Allens separately and then spent a week poring through the evidence: voicemails and social media profiles and native files of emails. By digging into how they were created, she found that emails from “Steven” had been spoofed—sent through anonymizing services but then tagged as if they came from his email or were sent from an untraceable account. Had Steven been the mastermind, it would have been “like robbing a bank but wearing a mask of your own face,” she said later. “It just doesn’t make any sense.” Van Engelen came to believe the Allens were telling the truth.
But that left another question. What if the case did go to trial? Even if she could convince a jury—which would mean explaining the complexities of how identity is both hidden and revealed on the internet—could she get them to care? Cyberharassment is still an unappreciated crime. Gary Ernsdorff, a prosecutor in King County, where the Allens live, said that people often don’t think it’s that big a deal—it’s just online, after all. Or they blame victims for sharing intimate images in the first place. What, Van Engelen wondered, would a jury make of the Allens’ saga? Would they think Steven had gone too far in exposing the affair? Would they blame Courtney for the videos? Though Van Engelen saw the Allens as victims, she realized a jury might not.
Many people assume that cyberharassment is easy to avoid: They believe that if victims hadn’t sent a naked photo, then that person would have nothing to worry about. But experts say this assumption is essentially a comforting fiction in a world in which we’re all potential victims. A 2016 survey found that one in every 25 Americans online—roughly 10 million people—had either had explicit images of themselves shared online against their will or had been threatened with such sharing. For women younger than 30, it was one in 10. The same survey found that, photos or no, 47 percent of Americans who used the internet had been victims of online harassment of some kind.
Danielle Citron, a law professor at the University of Maryland and the author of Hate Crimes in Cyberspace, began studying cyberharassment in 2007. What she found reminded her of her past research on the shocking leakiness of information databases. Nearly all of us are giving away reams of sensitive information about ourselves without understanding how it might be used, whether by a stalker or an unscrupulous company. This includes what we share online—geotags on our photos, workout apps that generate maps to our houses, badly protected Facebook updates or lists that show family ties, or posts that reveal innocuous-seeming facts, such as birthdays, that can be used to access other information. We also leave an enormous digital trail of personal and private information with every credit card purchase and Google search and ad click.
People are starting to understand “that the web watches them back,” says Aleecia McDonald, a privacy researcher at Stanford’s Center for Internet and Society. But we still don’t appreciate the extent to which it’s happening or what risks we might face in the future. McDonald suggests thinking of the internet as a backward-facing time machine that we are constantly loading with ammunition: “Everything that’s on file about you for the last 15 years and the next 40 years” may someday be used against you with technology that, at this time, we can’t understand or predict. And much of the information that we leave in our wake has no legal protection from being sold in the future: “We overcollect and we underprotect,” Citron says.
Even without access to intimate images, Van Engelen says, “if I was obsessed enough and motivated enough, I could mess up your life.” Many experts now agree that the solution to cyberharassment lies in changing the ways we respond to the release or misuse of private information: to stop trivializing it, to take it seriously as a crime, to show perpetrators that their actions have consequences.
“You can tell people, ‘Don’t do anything that you wouldn’t want to have go public,’ ” McDonald says. “But what kind of life is that?”
As Van Engelen prepared to take on the Allens’ case, she kept finding more social media profiles. There were accounts impersonating Courtney and Steven; one Google Plus account, which included the videos and Courtney’s contact information, birthday, and maiden name, had more than 8,000 views. There was an account for their son. A Facebook account in the name of “Jennifer Jones”—Courtney recognized one photo as Zonis’ pet tortoise—sent messages to her friends and family accusing Steven of abuse and of having sent “Jones” threatening emails and photos of his penis. (Zonis denies creating any of these accounts, saying: “I’ve never been on Facebook in my life” and “Who puts a picture of their pet on a secret account they’re trying to hide?”)
The Allens contacted Facebook, Google, YouTube, and other sites to have the accounts taken down, with mixed success. One of the hardest to remove was the Facebook page in their son’s name. When Courtney filled out a form indicating that she wasn’t the one being impersonated, the site suggested she alert that person to have it removed; there seemed to be no expectation that the targeted person might be a 4-year-old. The account stayed up despite repeated requests. (It was finally disabled in late October, after WIRED’s fact-checkers asked Facebook for comment.) But at least Facebook had a complaint option; other sites offered no recourse, and the most the Allens could do was ask search engines not to include them in results. Sites that specialize in posting revenge porn sometimes charge hundreds of dollars to remove images—what Ernsdorff calls “a business model of extortion.”
Van Engelen and her colleagues were subpoenaing tech companies to find out who was assigned IP addresses, but they kept having to send new subpoenas as new accounts kept popping up. According to court records, they found that many of the early emails—from addresses such as CourtneyCallMe69 and Dixienormousnu—could be traced to the Zonises’ house. In one case the same message was sent seven times by different accounts in just over a day. Some of the accounts were anonymous but traceable to the Zonises’ home IP address or a hotel where they stayed; one came from what appeared to be Steven’s email but with the tag “Douchebag” attached—it was routed from an anonymizing website based in the Czech Republic that sent email from fake accounts. Van Engelen interpreted this spree as evidence that Zonis was trying to get through spam filters, as well as proof that he used anonymizers and impersonation. Zonis counters that Steven was manufacturing evidence against him.
As time passed, the emails and social media accounts became harder to trace. Van Engelen found that many of the IP addresses, created and disguised with Tor software, bounced through layers of anonymous routing. More came from the Czech website or another anonymizer. The writing style changed too, as if, according to Van Engelen, the writer didn’t want the syntax or orthography to be analyzable: Sometimes they read as though they were written by someone with limited, fluctuating facility with English.
In the summer of 2015, the Allens found out that a new credit card had been opened in their names and that one of their existing cards had been used fraudulently. They could see that all the attempted charges were to access sites that might yield personal information: ancestry.com, a site that allows recovery of old W2s, a company that does background checks.
Courtney began seeing a counselor. Her fear had become “an absolute paranoia.” She had night terrors and panic attacks if she saw police in the neighborhood. Zonis had told her that he was able to fly for free because his wife worked for an airline; Courtney feared he might show up at any time. She stopped letting her son play outside. “It just changed who I was,” she says. “I wasn’t functioning.” Almost worse than the fear was the guilt about what was happening to the people in her life. “No one can say anything to me about the horrible things that I’ve done,” she says, “because I’ve already said them to myself.”
"Me living was how I was going to beat him."
Courtney had come to see the internet as a danger to which the people around her were oblivious. “Nobody’s safe,” she says. “If you’re on the internet, you’re pretty much a target.” She was appalled at what she saw her friends post—vacation updates that revealed their locations, pictures of their young children. She asked other parents at her son’s school not to post pictures of him, and one asked her, “Aren’t you proud of your son?” When she offered to share the recommendations that the FBI had sent her about keeping information private, only one friend responded—and only to ask whether such precautions were really necessary. Courtney locked down her own social media and stopped giving out her phone number. “Privacy has become top priority to me,” she said. “Anonymity has become sacred.”
In late June 2015, K&L Gates filed the Allens’ lawsuit against Zonis, seeking damages and relief related to defamation, negligence, intentional infliction of emotional distress, electronic impersonation, and invasion of privacy. Two months later, Zonis filed his own suit in federal court in Arizona, making similar claims against Steven. The complaint included excerpts of harassing emails that Zonis alleged were sent to him by Steven: “Too bad your whore wife is still without a child … did I mention that I own [Mrs. Allen] again?” and “All I had to do was act like the benevolent husband, and let you do the work … I plan on continuing to cause you pain like you can’t even imagine.” It took more than a year of motions and replies for the cases to be combined and moved to Washington, where the first case was filed.
In August Courtney received an anonymous email that ended, “Easier if one help everyone and kill self.” She’d had suicidal thoughts before. If she did kill herself, she thought, that might finally make the harassment stop. Maybe this was how she could save her family. She went to get a gun that was kept in a safe. Her hands were shaking and she fumbled the combination to the lock. She began to think about all the things she’d miss if she pulled the trigger—teaching her son to drive, retiring with Steven, the books she would never read. At last, still unable to open the safe, she gave up. “I decided he wasn’t going to win,” she said later. “Me living was how I was going to beat him.”
The following month the Allens took a trip to Hawaii. While they were away there were calls and emails, but none of them mentioned the trip. To Courtney it seemed like a small miracle: one moment in her life that belonged only to her. “It was a breath,” she said later. She would hold onto that precious realization for a long time: “I can keep some things private.”
But it was only a breath. Emails had begun coming to Steven’s account at the University of Washington—a job he thought had gone unnoticed until he got an anonymous email referencing the school’s mascot: “Public record. all. done.” Soon dozens of accounts, from the IT department to the university president, were getting emails about the Allens, often with images of Courtney. According to court records, two preschools in the Kent area also got emails that appeared to be from Steven; they said that he planned to come in with a gun and start shooting.“It wasn’t me!” Steven cried when the police called him at work. “I’m here!”
Gradually the Allens grew somewhat inured to the videos and emails—“There’s no one that I know who hasn’t seen me in very intimate detail,” Courtney says. “He can’t hurt me that way anymore”—though she continued to worry that their son would find the videos one day.
As Halloween neared, the K&L Gates lawyers received a threat they considered credible enough to heighten security. Later that fall, two FBI agents appeared at the Allens’. The couple hoped again that their troubles were ending at last. But while the agents were aware of their case, they said they were required to tell the Allens to cease and desist because Zonis had contacted them with evidence that he said showed the Allens were committing credit fraud against him. Later, Zonis would produce documents that he said showed Steven mocking Jennifer, sending her pictures of his penis, and threatening retribution; in one post, it appears that Steven had asked his Marriage Builders friends to make the threatening call to his grandmother.
“Everything he’s done, he’s claiming I’ve been doing,” Steven said later.
“Every bit of everything that we were accused of was what he did to us,” Zonis says.
In January of 2017, the lawsuit’s discovery process finally ended. Van Engelen and her colleagues had been working on the case for nearly two years. By then Zonis, after cycling through several lawyers, was representing himself, with his wife assisting. Before trial, the parties were required to attempt mediation. The judge encouraged a settlement, telling the Allens that a jury looking at the mess of competing claims would see everyone involved as having unclean hands. The Allens and their lawyers sent an offer to the room next door, where the Zonises were waiting: They would dismiss their suit if Zonis dropped his counterclaim and left the Allens alone. Zonis instead asked them to pay a large sum for what he said he lost. The case proceeded to trial.
On Wednesday, March 22, 2017, the Allens, their lawyers, and the Zonises gathered in a courtroom. Van Engelen watched from her seat as a colleague began questioning potential jurors: How many of you have made a friend on the internet? How many of you have ever taken a selfie? If someone takes and shares intimate pictures and they get published online, is that their fault?
Many of the responses were exactly what Van Engelen had feared. She summed them up: “This is trivial. Why am I here? I don’t want to be part of someone’s Facebook dispute. This is high school.” More than one person thought that if you made explicit videos of yourself, it was your fault if they were shared. Others felt the Allens, with their table of lawyers, had an unfair advantage. Van Engelen listened with growing nervousness. That night she went home and cried in the shower. She kept thinking: “What if somebody just decided that they weren’t going to listen to any of the evidence and they’d already made up their minds?”
Before the trial, Steven created a timeline of the harassment. Bateman decided to present it to the jury during opening arguments; because it had so many details, the lawyers had to print it on a 10-foot-long poster so that the jurors would be able to see the entries. This isn’t trivial, Bateman told the jury, detailing the false police reports, the enormous number of emails, the videos. Van Engelen felt her anxiety ease. “Right away you could see the jurors’ faces change,” she says. “I think they got that this wasn’t what they thought coming in.”
Van Engelen played some of the voicemails aloud. Courtney wept. She told the story of trying to unlock the gun.
Van Engelen called Courtney as her first witness. Courtney described her relationship with Zonis and said that she thought the videos would be private. Zonis had filed a motion to have the images of Courtney withheld from court. (He said later that the images were unimportant “flash” intended to distract the jury from what he had been through.) Van Engelen feared their absence would make the jurors take the case less seriously. In her questioning she described them as clinically as possible, so that Courtney wouldn’t have to: “Do you orgasm?” she asked. “Do they show your inner and outer labia?” Courtney testified for more than a day, the whole time too ashamed to look at the jurors. Van Engelen asked her to read some of the emails and played some of the voicemails aloud; she then read from the Google Plus profile that bore Courtney’s name and image. “I am a real whore wife,” Van Engelen read, continuing, “and have suffered for years with unsatisfying sex with a husband who is hung like a cocktail frank.”
“Did you write that about yourself?” she asked. “Did your husband write this about himself?” “No,” Courtney replied. Van Engelen continued her questions. Courtney wept. She told the story of trying to unlock the gun.
Zonis gave an opening statement. His wife cross-examined Courtney and later testified as her husband questioned her. Together the couple set out their version of the story: that they were Courtney’s friends who had tried to rescue her from an abusive husband. They said that Todd wasn’t romantically interested in Courtney and that Steven had been the one harassing them. The Zonises introduced emails and posts that they said were written by the Allens. But they were paper printouts with no metadata or digital trail to prove authenticity. When the lawyers requested a forensically sound copy of Zonis’ data, Zonis replied that his computer had malfunctioned—he blamed spyware that he claimed Steven had installed via an image file—and he had sold it; that he had copies of the files on CDs but Jennifer had thrown them out by mistake.
On the stand, Steven denied writing most of the emails or posts Zonis claimed were from him. The Allens had kept digital copies of emails that appeared to come from Steven, and the K&L Gates team showed the jury how those had been spoofed. They also showed that the email formatting on some posts didn’t match that of the Allens’ computer and that the time zone was not Pacific but Mountain, where Zonis lived. It appeared, the lawyers suggested, that Zonis had created the posts himself.
Zonis later countered that the discrepancies were proof that Steven had used spyware to steal the emails. The Zonises hired an expert witness to testify over Skype. He said that it was theoretically possible that the forensic trails leading back to Zonis could have been faked—though he conceded that he had never seen it done and had not reviewed the evidence.
The lawyers called Andreas Kaltsounis, a cyberforensics expert who used to work with the FBI and the Department of Defense. He explained to the jury how Tor networks and IP addresses function. He then presented a map showing that many of the seemingly separate accounts from which the Allens had received anonymous harassment were actually linked by overlapping IP addresses. One of the linked accounts was the Facebook page for “Jennifer Jones,” the account that used a picture of a tortoise. It could have been, as Zonis argued, an account that Steven, or some unknown person, created. But the lawyers were prepared. One day, months before the trial, as Van Engelen searched painstakingly through IP addresses associated with logins on the Jones account, she made a discovery: Among the many addresses, there had been one apparent slipup, a login not through Tor but from the Zonises’ home IP address. When she found it Van Engelen ran into Bateman’s office, yelling: “We’ve got him!” It would have been unheard of for someone to fake a login using Zonis’ IP address, Kaltsounis told the jury, because of a safeguard called the three-way handshake that requires hosts to establish a connection with the IP address belonging to the account before any information can be sent.
By the end of arguments, the Allens’ legal team had introduced 1,083 exhibits into evidence. The chart Van Engelen made just to organize the emails was 87 pages long. It was a level of scrutiny that few cyberharassment cases ever receive—and an illustration of what victims face when dealing with such a complicated case, especially if they don’t have access to pro bono help. K&L lawyers and paralegals had spent thousands of hours digging through the evidence. The value of Van Engelen’s time alone was in the ballpark of $400,000.
Zonis never took the stand. He blamed the lawyers for purposefully taking up too much time questioning Courtney and Jennifer, and introducing endless emails that he said had nothing to do with him. Van Engelen was disgusted: “He got his one big chance to tell his side of the story, and he didn’t take it,” she says. “This is somebody who’s very strong behind a keyboard. And when the opportunity arises to actually prove himself and be vindicated, he just folds like a flower.”
On Thursday, March 30, Van Engelen stood up to deliver her closing argument. It was the first time she’d ever done so in a real court.
She began by playing one of the voicemails that Zonis had admitted to leaving—“How does it feel to know that I’m never, ever, ever going to stop?” Then she turned to the jury: “Someone needs to tell him to stop.” She described Courtney’s lowest moment: going for the gun. She reminded them of a message promising isolation, shame, and ridicule, and the email from Zonis’ personal account after Courtney got a protective order: “Glad that bullshit symbolic gesture is out of the way.”
It was impossible to trace all of the harassment directly to Zonis with cyberforensics, Van Engelen told the jury, so she encouraged them to also consider repetition of details (like the sex toy he had sent) that were in both the anonymous messages and voicemails from Zonis. She talked about the problems with the evidence that Zonis had introduced.
“Do not,” Van Engelen concluded, “let this be another bullshit symbolic gesture. Tell him to stop, hold him liable.”
In his own closing statement, Zonis reiterated that “the stuff doesn’t trace back to me,” talked about the difficulty of being cut off from his parents, and cast himself as a scapegoat: “And what if I’m not the devil? Then what do you do? Oh, my God, we were wrong. We can’t have that, can we?” He told the jury that not testifying wasn’t his choice; the judge said this wasn’t true.
The K&L lawyers had not asked for a specific amount of compensation. The Allens told their lawyers that their goal wasn’t money but simply an end to the harassment.
The next afternoon the jury came back with a decision.
The 12 jurors had been given forms to explain which of the Allens’ and Zonis’ claims they deemed true and which they rejected. For the first claim, “Did Todd Zonis electronically impersonate the Allens?” the presiding juror circled yes. The jury also chose yes for “Was the electronic impersonation a proximate cause of the injury or damage to the Allens?” The form offered a blank space to write in the total amount of damages warranted. The jury’s answer: $2 million.
And so it went. The jury found each of the Allens’ other claims against Zonis—intentional invasion of privacy, intentional infliction of emotional distress, and defamation—justified, and to each they affixed a boggling sum. The jury did agree with Zonis on one count: The Allens had “intruded upon the seclusion” of the Zonises, but they found that no harm had resulted. When the amounts awarded to the Allens were totaled, they added up to $8.9 million. It was a record for a cyberharassment case that didn’t involve a celebrity. The jury “didn’t believe it was trivial anymore,” Van Engelen said with satisfaction.
After the trial was over, the Allens and some of the jurors had the chance to meet outside the courtroom. One of the jurors came up to Courtney, gave her a hug, and said, “You’ve been through so much.” Neither the Allens nor their lawyers expect to actually see the award money, but that moment in the hallway felt just as valuable.
“The fact that other people can see it, and they see the crazy in it, helps me feel that I’m not insane,” Courtney said later. The Allens’ deepest hope, though, remained simple: that the harassment would stop.
For more than a month after the trial, it seemed they would get their wish. Then one afternoon Courtney logged on to her computer and found a new email. It read, “pun ish men t w ill soo n b han ded out to the wic ked. you rti me is sho rt. mis sin g fam ily we wil lno t. pri ce for act ion to be pai d y et it is.” More emails followed. Courtney felt a mixture of dread and exhaustion. It wasn’t over. “I’d love nothing more than for us to be left alone,” she says. “Do I expect that to happen? No. I expect this to be in our lives, in some capacity, forever.”
At the time this story went to press, law enforcement had not yet indicated whether criminal charges would be filed. Gary Ernsdorff, of the King County prosecutor’s office, allowed that he kept an eye on the case. Cyberharassment, especially with private images, “is dropping a bomb in somebody’s life,” he said.
After the trial Zonis filed a notice of appeal. He felt the trial was unfair and that the proceedings hadn’t paid enough attention to what he believed the Allens had done to him. His losses, he said, were real and numerous (to the list he added what he considered stress-induced health problems), while the Allens’ were petty, just “flash” from a “hot-button issue.” He still denied that his relationship with Courtney was an affair or that he had access to the videos of her or sent the anonymous emails. He also said, in a phone interview, “Anything that I said or did was reactionary” and “If they wanted me to plead guilty to harassment, no problem. What am I harassing them about?”
Soon after the trial, a blog appeared in Zonis’ name. In it he questioned the way the trial was run, disputed its findings, excoriated the people involved, and posted much of the same evidence against Steven that the lawyers discredited at trial. “My name is Todd Zonis and I lost my family, my home, my future, and probably my life, and while my life may not teach you anything, hopefully my death will,” the blog began. The evidence he posted included the images of Courtney and a note: “Please feel free to download any and all of the materials that I have posted here, and use or distribute them as you see fit.”
As many as a million spectators turn out for the Macy's Thanksgiving Day Parade. Another 200,000 show up the night before to watch the enormous balloons inflate. Keeping New York City safe on an ordinary day is challenging enough; locking down a massive parade route is all the more so. But the New York Police Department has recently deployed a new secret weapon to counter body-worn bombs: A team of Labrador retrievers who have graduated from patent-pending "Vapor Wake" security training. These are good dogs.
Researchers developed Vapor Wake dog training at Auburn University's College of Veterinary Medicine, in part as a response to Richard Reid's attempted shoe-bombing in 2001. For the last decade or so, Auburn has honed a process to breed and train labs that can detect faint whiffs of explosive particles in the thermal heat plumes humans create as they walk. Combining genetics with rigorous training, the dogs learn to identify different levels of explosive odor, so they can tell the difference between, say, a concealed firearm and multiple pounds of explosives. That level of discernment matters, especially in a situation like the Thanksgiving parade, where the Vapor Wake dogs will need to ignore the weapons law enforcement will be carrying.
Vapor Wake dogs are born at Auburn, receive environmental and socialization training for their first year, and then receive specific Vapor Wake training through VWK9 until they're about 18 months old. Then they're paired up with a handler for a seven-week joint behavioral training course. Finally, the dogs are ready to help save the world. Or in this case, one of the world's biggest parades.
"We will have our typical counterterrorism overlay for both the balloon inflation and for the parade," NYPD Chief of Patrol Terence Monahan said at a security press conference Monday. "You will see our Vapor Wake dogs and other canine dogs on both the balloons and during the route."
'People will try to beat a metal detector or sneak things into luggage at airports, but when it comes to a dog they don’t try. They do not want to take on a canine's sense of smell.'
Paul Hammond, VWK9
The dogs work efficiently and calmly in large crowds, and can rapidly screen dozens of people at a time. And if they smell something, they follow the scent trail. Last year, the NYPD deployed eight Vapor Wake dogs for the parade. This year, they've upped the pups to 14, according to Paul Hammond, the president of VWK9, the Alabama-based company that works exclusively with Auburn on the commercial side of Vapor Wake.
Vapor Wake dogs don't replace traditional bomb-sniffing dogs, which focus on assessing stationary objects like baggage and vehicles. Instead, Vapor Wake pups are trained to have their heads up, sniffing the air. One dog can sniff out someone wearing or carrying a bomb in a sea of tens of thousands of people.
"The reality is that the terrorist is always evolving and the new threat is the smaller device being body-worn and hidden and transited into an event," Hammond says. "And these bombs are only emitting a small amount of explosive particles. So traditional bomb dogs really struggle to protect against a bomber in transit."
Major police departments like New York and Chicago have already incorporated Vapor Wake dogs, as have railroad police forces like Amtrak and ViaRail in Canada. The dogs work at concert venues and sports stadiums, at Disney World and Disneyland, at megachurches, and even at Apple's major events and product launches.
VWK9 exclusively uses Labradors for Vapor Wake because of their approachability. "The public perception of a Labrador is such that people don’t mind walking past them," Hammond says. "What we don’t want is people making a 'U' around us trying to avoid the canine. At the same time, because these dogs are front of the house there's a huge deterrent value. People will try to beat a metal detector or sneak things into luggage at airports, but when it comes to a dog they don’t try. They do not want to take on a canine's sense of smell."
Because the technique requires refined sniffing, VWK9 reevaluates and re-certifies every Vapor Wake dog every year, whether they are still part of the company's contract business or are owned by other institutions. "No matter who you are, if you’ve got Vapor Wake dog, they have to be evaluated by us on a yearly basis," Hammond says.
They may not have the brute power of the sand-filled dump trucks and heavy weapons teams that will also be out in force at the Thanksgiving Day Parade in New York, but Vapor Wake dogs provide a more elegant approach to anti-terrorism work and crowd security. It doesn’t hurt that they’re they cutest canines on the block—no disrespect to the Snoopy balloon.