Friday, April 24, 2009
Senators Rockefeller and Snowe have proposed extensive legislation on Cybersecurity.
Legislation -Download S._773_Cybersecurity_bill
Sunday, November 30, 2008
The MySpace related case, a first case of its kind raises issues as to whether contract terms can serve as the basis for a violation of the Computer Fraud & Abuse Act (18 U.S.C. s 1030). For background information and the indictment, see here. Although there has been a verdict (no felonies), it is likely this case will be reviewed. See Ashley Surdin, Wash. Post, Woman Guilty of Minor Charges for MySpace Hoax. Scott Glover, LA Times, My Space Case Goes to Los Angeles Federal Jury raises the issue of whether this verdict will remain.
(esp) (w/ a hat tip to Gerri Moohr & Tiffany M. Joslyn, Research Counsel at NACDL’s White Collar Crime Project )
Addendum, Doug Berman, Sentencing Law & Policy, Friday forum: What sentence would you impose on Lori Drew, the MySpace bullying defendant?
Monday, November 3, 2008
A interesting issue is presented in the Chronicle of Higher Education, Harvard Law Professor Takes New Tack Against RIAA (citing Jaikumar Vijayan, Computer World, Harvard professor offers new challenge to RIAA antipiracy campaign -Nesson claims Digital Theft Act, on which RIAA lawsuits are based, is unconstitutional) on whether the Digital Theft Act as used in a civil lawsuit is improper because the statute is limited to criminal matters.
Years back the issue would not have arisen as the overlap between criminal and third-party civil statutes did not exist. With the Racketeer Influenced & Corrupt Organization Act (RICO) in 1970 we have seen statutes that allow for both criminal and civil enforcement, with the civil enforcement being extended beyond a government agency. The rationale for these civil actions being allowed is that DOJ can't do it alone and allowing third -party civil actions can assist with enforcement. This was appealing with RICO because its initial focus was organized crime. But RICO was interpreted broadly and went well beyond its roots and with it went the third-party civil actions. DOJ had and continues to have guidelines that restrict application of the statutes by providing oversight on prosecutorial discretion. There are, however, no guidelines on the civil side. This caused Congress to place additional limits on the civil side of RICO as seen in 18 U.S.C. 1964(c).
Other criminal statutes have seen attempts to be used in civil matters, such as the Foreign Corrupt Practices Act. In Lamb v. Phillip Morris, Inc., 915 F.2d 1024 (6th Cir. 1024), the court did not allow the civil action. (See also Lewis v. Spock, 612 F. Supp. 1316 (N.D. Cal. 1985)). Interestingly, one finds civil RICO actions that use the FCPA.
Monday, May 19, 2008
The federal indictment resulting from an incident on MySpace has been reported nationally. (see, e.g., here and here). A press release of the U.S. Attorneys Office of the Central District of California states that:
"A Missouri woman was indicted today on federal charges for fraudulently using an account on the social networking website MySpace.com to pose as a teenage boy who feigned romantic interest in a 13 year-old girl. That girl later committed suicide after the 'boy' spurned her and told her, among other things, that the world would be a better place without her."
The Indictment charges a conspiracy to commit a violation of the computer fraud statute - 18 U.S.C. s 1030 and also specific substantive offenses under section 1030. Some are critical of the use of the computer fraud statute for this purpose (see here). Clearly, whether this alleged incident should be the subject of an indictment, and whether it should be subject to a federal indictment will likely be issues that will be considered in this case.
But in addition to questions of whether the computer fraud statute was intended for this purpose, there is also a question of whether the U.S. Attorneys Office in the Central District of California ought to be prosecuting this case. According to the indictment (see below), the basis for the jurisdiction is that Fox Interactive Media Inc. is the Beverly Hills Corporation which operates myspace.com ("MySpace"). As the server is located in LA County, the indictment notes that this is within the Central District of California.
This indictment raises a threshold question of where is the appropriate jurisdiction in computer related cases, and specifically in cases charging criminal conduct. Should it be the place of the keystroke, the place of the social harm, or can prosecutors go for jurisdiction, as they have here, to the place of the server? Is it appropriate to give prosecutors the power to chose jurisdiction this way? Does this disadvantage the accused in that their evidence may be located in the place where the social harm is alleged to have occurred and not where the server is located? Does a prosecution such as this make the requirement of venue meaningless? Interestingly, Missouri has since passed a cyberharrassment law (see here).
The indictment - Download my_space_lori_drew_indictment.pdf
Tuesday, May 13, 2008
In the case of United States v. Williams, the Eleventh Circuit Court of Appeals affirmed the convictions of two individuals who had received a 96 month and 60 month sentence for a violation of 18 U.S.C. s 1832, the theft of trade secret statute. The defendants in this case were accused of trying to sell trade secrets of Coca-Cola to Pepsi. Pepsi notified Coca-Cola of the attempt to sell them trade secrets and Coca-Cola then brought in the FBI, who used an undercover agent to secure the evidence obtained in this case
The court rejected the appellants arguments of a claimed Sixth Amendment violation in limiting cross-examination, limiting the closing argument, and using the judge's recent open heart surgery as an example when defining reasonable doubt. The court also rejected a sentencing argument. Williams, who received the 96 month sentence was given an above guidelines range, in sharp contrast to a sentence given to an individual who plead guilty and received a 24 month sentence. The 11th Circuit held that giving enormous weight to one factor - in this case the seriousness of the offense - does not mean the sentence is unreasonable. The court explicitly states in discussing the 60 month sentence given to one of the individuals here that because this individual "did not provide any assistance to the government, there was no 'unwarranted' disparity between his sentence" and the sentence of 24 months given to a cooperating party.
Although the court's opinion does not discuss this point, allowing for a significant sentence reduction for cooperation raises some concerns. For one, it can put the individual with little information to provide the government at an enormous disadvantage. It also places the individual who is last to the talk with authorities at a loss, as all the information may have already been provided to the government. The credibility of those providing cooperation becomes more questionable when the rewards for giving the information reaches levels that offer a significant advantage to the cooperator. Perhaps the biggest concern is that providing such an enormous benefit to cooperators places those who decide to use their constitutional right to trial by jury, at a disadvantage.
See AJC - here
Addendum - Professor Doug Berman's Sentencing Law & Policy Blog here.
Saturday, March 29, 2008
One of the hardest criminal activities to investigate and prosecute are cybercrimes and other activities that may be occurring via the WorldWideWeb. The identity of the perpetrator can be difficult to discern. Some of these crimes involve Intellectual Property. In 2007, the DOJ filed 217 Intellectual Property cases. This fact was brought out by AG Mukasey would gave a speech this past week, in California, emphasizing that intellectual property crimes will be a major focus in the DOJ. Mukasey stated:
"To put it simply, the continuing worldwide escalation of counterfeiting and piracy poses a threat to both our economy and public safety. Since that threat comes from so many different directions, our response has to proceed on several fronts. We need strong and coordinated law enforcement efforts, both at home and abroad; we need robust intellectual property laws; and we need adequate resources devoted to IP law enforcement."
The DOJ has moved beyond its role as prosecutors to become teachers, as Mukasey states:
It's imperative that countries work together on cases like these to ensure strong enforcement worldwide. To enhance that kind of cooperation, Justice Department lawyers have provided training and technical assistance to thousands of foreign prosecutors, investigators, and judges in more than a hundred countries.
Hopefully, there has been or will be comparable training to those who will be defending individuals charged with these crimes.
Friday, March 21, 2008
With political candidates Obama, Clinton, and now McCain receiving word from the State Department that their passport files had been breached (see here, here), an interesting question will be whether the perpetrators of this activity can suffer consequences beyond the loss of their jobs.
Back in 1997, the First Circuit reversed wire and computer fraud convictions brought against an individual who was accused of browsing in an Internal Revenue Computer. The court held that the government had not provided sufficient evidence that the accused had received "anything of value." In reversing the conviction, the court found that "mere browsing" was not enough, even if the information viewed was "about friends, acquaintances, and political rivals," as the accused did not "printed out, record[ ], or use  the information he browsed." 106 F.3d 1069 (1st Cir. 1997).
But the present happenings may be different as the Freedom of Information Act and the Privacy Act of 1974 may apply. 18 U.S.C. s 552(a) provides for misdemeanor penalties in certain circumstances. It states:
"(i)(1) Criminal penalties
Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."
Exceptions are noted in the statute. But the statute explicitly applies to contractors working for an agency. Specifically the statute states:
"(m) Government contractors
(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency."
But there are more important questions that we should be asking here -- Why are we seeing security breaches of this nature? As this is not a new problem, what steps were taken to make sure that this didn't happen again? Was there a corporate compliance program in place and why did it not work? It is pretty frightening that our State Department can have security breaches like this occurring on several occasions. If someone did this haphazardly, perhaps in fun, punishing them may not be the answer. The more important point is to educate those who work with these type of documents on the importance of their confidentiality. If this were a corporation, might the government be offering the corporation a deferred prosecution agreement, in order to make certain that there was future compliance with the law.
Thursday, March 6, 2008
A press release of the Attorney General of Virginia, announced that the Virginia Supreme Court upheld the nation’s first felony SPAM conviction. Virginia’s Anti-Spam Act "prohibits the sending of unsolicited bulk e-mail by fraudulent means, such as changing the header or routing information to prevent recipients from contacting or determining the identity of the sender." According to the press release, "such conduct is punishable as a class 1 misdemeanor or as a class 6 felony if any one of the following conditions applies:
- The volume of Spam transmitted exceeds 10,000 in any 24-hour time period, 100,000 in any 30-day time period, or one million in any one-year time period.
- Revenue generated from specific Spam exceeds $1,000 or total revenue from all Spam transmitted to any ISP exceeds $50,000.
- The defendant knowingly hires, employs, uses or permits any minor to assist in the transition of Spam."
The defendant in this case was sentenced to a term of nine years.
Saturday, January 5, 2008
The San Jose Mercury News here, notes that Governor Arnold Schwarzenegger has opened an office in California focused on fighting identity theft. The new office combines two existing offices - the Office of Privacy Protection and the State Security Office, with the new office being called "Information Security and Privacy Protection."
This is an important step in recognizing that identity theft has a significant effect on a large number of people. As noted on the new website, "[o]ver 8,000,000 U.S. residents were victims of identity theft in 2006. That represents about 4% of adults, including more than a million Californians." A 2003 DOJ advisory states that this is "one of the fastest growing crimes in the U.S. and Canada." (see here)
Hopefully combining these two offices will allow for increased resources to fight identity theft. It is good to see a state official recognizing the importance of stopping identity theft.
Saturday, November 10, 2007
The U.S. Attorney's Office for the Central District of California reports on a plea agreement reached in an identity theft case that has some unusual twists. The press release describes:
"In the first prosecution of its kind in the nation, a well-known member of the 'botnet underground' was charged today with using 'botnets' – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications."
According to the release, the accused has agreed to enter a plea to "four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud." The alleged conduct is described in part as follows:
"installing malicious computer code, or 'malware,' that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into 'zombies,' they continued to use their computers to engage in commercial activities. [the accused] used the malware, which he called a 'spybot,' to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, [he] and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, [he] and the others accessed bank accounts to make purchases without the consent of the true owners. [He] also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others."
The press release states that this "is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets."
Saturday, September 29, 2007
Destroying a computer with evidence of pornography can land you a conviction. A press release of the U.S. Attorney for Connecticut reports of a plea "to one count of misprision of a felony" by an attorney who "admitted that he was aware that an individual had committed a child pornography crime, yet he failed to report it to authorities." The release notes that he "then concealed the crime by destroying a laptop computer containing the child pornography."
The attorney was acting as attorney to a church. According to the press release, the attorney told the individual with the improper items on the computer that "this is serious business,” “this is a federal crime that carries a minimum of five years in jail,” and “you need a lawyer.” The attorney for the church then "destroyed and concealed ... [the] laptop." This attorney then "failed to report to law enforcement that [the person he advised to secure legal counsel], who was not his client, had possessed child pornography."
At least the charge was not a SOX amendment charge (see here)
Every attorney who represents an entity of any type needs to be aware of this case. It is sad to see a criminal conviction being given to an attorney based upon these facts. Would a disciplinary violation have been a better resolution?
Information - Download Information.pdf
Plea Agreement - Download plea_agreement.pdf
Sunday, July 22, 2007
A growing problem in the United States is identity theft. It is, therefore, good to see DOJ taking steps to combat this activity and to assist those who are victims of these crimes. Late last week DOJ proposed "legislation that seeks to update and improve current laws aimed at protecting Americans from the increasingly sophisticated crime of identity theft." The bill is titled the Identity Theft Enforcement and Restitution Act of 2007. According to a DOJ Press Release, one of the provisions in the bill would allow for "victims of identity theft [to] recover the value of the time lost attempting to repair damage inflicted by identity theft." The Act also "would amend the identity theft and aggravated identity theft statutes" and "would add several new crimes to the list of aggravated identity theft offenses."
Tuesday, July 17, 2007
Various newspapers report that Scholastic Corp., the publisher of the forthcoming book"Harry Potter and the Deathly Hallows," needed to obtain a subpoena to find the source of leaks of the upcoming book. (For details see, e.g., Chicago Tribune (Bloomberg), Washington Post and Wall Street Jrl). But whether the material allegedly posted online is the true version remains unknown (see Newsday). EWeek.com discusses whether the leak resulted from a phishing scheme.
With the book being released at 12:01 a.m. Saturday, many anxiously await the arrival of this Seventh Harry Potter book. The blogs are a frenzy of who will live and who will die. Although leak incidents may remain a civil matter, one has to wonder if the use of computers to either obtain the material and/or disseminate it warrant criminal scrutiny. It is not uncommon for fads to be a source for federal and state fraud prosecutions. For example, during the 90's there were fraud prosecutions related to improper distribution of "Beanie Babies." (See Do We Need A "Beanie Baby" Fraud Statute?")
Friday, June 8, 2007
A press release of the U.S. Attorney for the Eastern District of California reports that an individual was sentenced "to five years of prison for his participation in a nationwide and international cable piracy scheme that resulted in the sale and distribution of over 100,000 cable descramblers designed to illicitly obtain cable programming, and that resulted in gross sales of over $12 million." According to this release, the defendant and another individual "operated a business which manufactured and sold cable television descramblers allowing illicit access to cable programming." They "advertised the descramblers extensively through a series of web sites on the Internet and also through national magazines." These devices reaped a profit as they "allowed consumers to receive premium and pay-per-view cable television programming without the knowledge or authorization of cable operators."
Sunday, June 3, 2007
The U.S. Attorneys Office of the Central District of California issued a press release of a recent federal criminal complaint against an individual who is alleged to have "uploaded the first four episodes of this season’s "24" earlier this year before they were originally aired on the Fox television network."
Press Release -
Monday, April 30, 2007
A Department of Justice press release reports that "[a] sixth defendant has pleaded guilty in connection with Operation D-Elite, the first criminal enforcement action targeting individuals committing copyright infringement on a peer-to-peer (P2P) network using BitTorrent technology." The release states that:
"Operation D-Elite targeted leading members of a technologically sophisticated P2P network known as Elite Torrents. At its height, the Elite Torrents network attracted more than 133,000 members and facilitated the illegal distribution of more than 17,800 titles—including movies, software, music and games—which were downloaded over 2 million times."
Sunday, April 1, 2007
Monday, March 12, 2007
A DOJ Press Release discusses the recent indictment on 23 counts of alleged hackers who are based in India. The release states that "[a] federal grand jury in Omaha, Neb., has indicted three individuals on charges of conspiracy, fraud and aggravated identity theft stemming from a high-tech, international fraud scheme designed to hijack online brokerage accounts for profit . . ." The press release also states, that "[a]s part of this ongoing investigation, at least 60 customers and nine brokerage firms in the United States and elsewhere have been identified as victims, with one of the brokerage firms reporting more than $2 million in losses." The release does not tell why the case was filed in Omaha, Nebraska.
Tuesday, February 27, 2007
According to Yahoo News (AP) here two men plead guilty to illegal computer access for crimes related to MySpace. Perhaps the more interesting aspect of the case is that these young men were arrested in LA for crimes occurring in New York. When the crime relates to a computer, jurisdiction can be almost anywhere- the location of the keystroke, the location of the damage, or the location it passes through. This is yet another example of this happening. (see also here)
Monday, February 12, 2007
The venue and jurisdiction for Internet and computer related cases presents many problems for the defendant. Laurie Cohen's article in the Wall Street Journal, "Internet's Ubiquity Multiples Venues to Try Web Cases," captures the fact that the government has all the cards when it comes to selecting the venue for a Internet related case. After all the WorldWideWeb allows anyone to access anything anywhere. As Former Attorney General Janet Reno said - "A hacker needs no passport and passes no checkpoints." It will be interesting to see if Congress starts considering the vast prosecutorial discretion they are giving to the government by not setting forth explicit rules of venue and jurisdiction when dealing with Internet related offenses.