Category: Computer Crime

My Space Related Case – No Sentencing Today

July 2nd, 2009

The Lori Drew case was scheduled for a hearing today and the question was whether she would be sentenced or perhaps the case dismissed. According to press reports it looks like it may be the latter, although everyone is calling it a "tentative" ruling pending the court's written order. A key issue in the case was whether the computer statute that was used was appropriate for these alleged acts. (see here) The State where the alleged act took place – Missouri – did not have a cyberbullying crime at that time, although one has since been passed. Federal prosecutors in California brought this case, a case with a keystroke in Missouri, premised upon the contractual agreement one clicks with MySpace. They also used the conspiracy statute as it allows for a wide jurisdictional base, although Drew was not convicted of conspiracy. If the final decision is to dismiss the case, it would not be surprising.

See Alexandra Zavis, LATimes, Judge tentatively dismisses case in MySpace hoax that led to teenage girl's suicide ; Gina Keating, Reuters, MySpace suicide conviction tentatively dismissed; Linda Deutsch, AP, Judge tentatively acquits woman in MySpace case

(esp)
Upcoming Conference

April 24th, 2009

An upcoming panel at the ABA Litigation Section's Annual Conference on Friday, May 1 at 3:15 P.M. –"Is Your Data Secure? Responding to Next-Generation Computer Crimes." (see here) Panelists include Wesley Hsu (AUSA & Chief of the Cyber & Intellectual Property Crimes Section (C.D. Cal.), Susan Brenner (NCR Distinguished Professor of Law & Tech – U. of Dayton School of Law), Aaron Philipp(Navigant Consulting), and Aaron Danzig(Arnall, Golden & Gregory).

(esp)
Cybersecurity Legislation

April 24th, 2009

Senators Rockefeller and Snowe have proposed extensive legislation on Cybersecurity.

Michael L. Volkov (Dickinson Wright) provides a summary of that legislation – Download Volkov_-cyber_security

Legislation –Download S._773_Cybersecurity_bill

(esp)
MySpace Related Case – Will the Verdict Stand?

November 30th, 2008

The MySpace related case, a first case of its kind raises issues as to whether contract terms can serve as the basis for a violation of the Computer Fraud & Abuse Act (18 U.S.C. s 1030). For background information and the indictment, see here. Although there has been a verdict (no felonies), it is likely this case will be reviewed. See Ashley Surdin, Wash. Post, Woman Guilty of Minor Charges for MySpace Hoax. Scott Glover, LA Times, My Space Case Goes to Los Angeles Federal Jury raises the issue of whether this verdict will remain.

For a discussion of some of the issues raised here, see Derek Kravitz, Wash. Post, ‘MySpace Suicide’ Case Expands Web Law; Jennifer Steinhauer, NYTimes, Verdict in MySpace Suicide Case.

(esp) (w/ a hat tip to Gerri Moohr & Tiffany M. Joslyn, Research Counsel at NACDL’s White Collar Crime Project )

Addendum, Doug Berman, Sentencing Law & Policy, Friday forum: What sentence would you impose on Lori Drew, the MySpace bullying defendant?
Is It Civil Or Is It Limited to Criminal – Beyond RICO and FCPA

November 3rd, 2008

A interesting issue is presented in the Chronicle of Higher Education, Harvard Law Professor Takes New Tack Against RIAA (citing Jaikumar Vijayan, Computer World, Harvard professor offers new challenge to RIAA antipiracy campaign -Nesson claims Digital Theft Act, on which RIAA lawsuits are based, is unconstitutional) on whether the Digital Theft Act as used in a civil lawsuit is improper because the statute is limited to criminal matters.

Years back the issue would not have arisen as the overlap between criminal and third-party civil statutes did not exist. With the Racketeer Influenced & Corrupt Organization Act (RICO) in 1970 we have seen statutes that allow for both criminal and civil enforcement, with the civil enforcement being extended beyond a government agency. The rationale for these civil actions being allowed is that DOJ can’t do it alone and allowing third -party civil actions can assist with enforcement. This was appealing with RICO because its initial focus was organized crime. But RICO was interpreted broadly and went well beyond its roots and with it went the third-party civil actions. DOJ had and continues to have guidelines that restrict application of the statutes by providing oversight on prosecutorial discretion. There are, however, no guidelines on the civil side. This caused Congress to place additional limits on the civil side of RICO as seen in 18 U.S.C. 1964(c).

Other criminal statutes have seen attempts to be used in civil matters, such as the Foreign Corrupt Practices Act. In Lamb v. Phillip Morris, Inc., 915 F.2d 1024 (6th Cir. 1024), the court did not allow the civil action. (See also Lewis v. Spock, 612 F. Supp. 1316 (N.D. Cal. 1985)). Interestingly, one finds civil RICO actions that use the FCPA.

(esp)
“MySpace” Related Indictment

May 19th, 2008

The federal indictment resulting from an incident on MySpace has been reported nationally. (see, e.g., here and here). A press release of the U.S. Attorneys Office of the Central District of California states that:

"A Missouri woman was indicted today on federal charges for fraudulently using an account on the social networking website MySpace.com to pose as a teenage boy who feigned romantic interest in a 13 year-old girl. That girl later committed suicide after the ‘boy’ spurned her and told her, among other things, that the world would be a better place without her."

The Indictment charges a conspiracy to commit a violation of the computer fraud statute – 18 U.S.C. s 1030 and also specific substantive offenses under section 1030. Some are critical of the use of the computer fraud statute for this purpose (see here). Clearly, whether this alleged incident should be the subject of an indictment, and whether it should be subject to a federal indictment will likely be issues that will be considered in this case.

But in addition to questions of whether the computer fraud statute was intended for this purpose, there is also a question of whether the U.S. Attorneys Office in the Central District of California ought to be prosecuting this case. According to the indictment (see below), the basis for the jurisdiction is that Fox Interactive Media Inc. is the Beverly Hills Corporation which operates myspace.com ("MySpace"). As the server is located in LA County, the indictment notes that this is within the Central District of California.

This indictment raises a threshold question of where is the appropriate jurisdiction in computer related cases, and specifically in cases charging criminal conduct. Should it be the place of the keystroke, the place of the social harm, or can prosecutors go for jurisdiction, as they have here, to the place of the server? Is it appropriate to give prosecutors the power to chose jurisdiction this way? Does this disadvantage the accused in that their evidence may be located in the place where the social harm is alleged to have occurred and not where the server is located? Does a prosecution such as this make the requirement of venue meaningless? Interestingly, Missouri has since passed a cyberharrassment law (see here).

The indictment – Download my_space_lori_drew_indictment.pdf

(esp)
Eleventh Circuit Affirms Coca-Cola Trade Secrets Case

May 13th, 2008

In the case of United States v. Williams, the Eleventh Circuit Court of Appeals affirmed the convictions of two individuals who had received a 96 month and 60 month sentence for a violation of 18 U.S.C. s 1832, the theft of trade secret statute. The defendants in this case were accused of trying to sell trade secrets of Coca-Cola to Pepsi. Pepsi notified Coca-Cola of the attempt to sell them trade secrets and Coca-Cola then brought in the FBI, who used an undercover agent to secure the evidence obtained in this case

The court rejected the appellants arguments of a claimed Sixth Amendment violation in limiting cross-examination, limiting the closing argument, and using the judge’s recent open heart surgery as an example when defining reasonable doubt. The court also rejected a sentencing argument. Williams, who received the 96 month sentence was given an above guidelines range, in sharp contrast to a sentence given to an individual who plead guilty and received a 24 month sentence. The 11th Circuit held that giving enormous weight to one factor – in this case the seriousness of the offense – does not mean the sentence is unreasonable. The court explicitly states in discussing the 60 month sentence given to one of the individuals here that because this individual "did not provide any assistance to the government, there was no ‘unwarranted’ disparity between his sentence" and the sentence of 24 months given to a cooperating party.

Although the court’s opinion does not discuss this point, allowing for a significant sentence reduction for cooperation raises some concerns. For one, it can put the individual with little information to provide the government at an enormous disadvantage. It also places the individual who is last to the talk with authorities at a loss, as all the information may have already been provided to the government. The credibility of those providing cooperation becomes more questionable when the rewards for giving the information reaches levels that offer a significant advantage to the cooperator. Perhaps the biggest concern is that providing such an enormous benefit to cooperators places those who decide to use their constitutional right to trial by jury, at a disadvantage.

See AJC – here

(esp)

Addendum – Professor Doug Berman’s Sentencing Law & Policy Blog here.
AG Mukasey Takes on Intellectual Property Crime

March 29th, 2008

One of the hardest criminal activities to investigate and prosecute are cybercrimes and other activities that may be occurring via the WorldWideWeb. The identity of the perpetrator can be difficult to discern. Some of these crimes involve Intellectual Property. In 2007, the DOJ filed 217 Intellectual Property cases. This fact was brought out by AG Mukasey would gave a speech this past week, in California, emphasizing that intellectual property crimes will be a major focus in the DOJ. Mukasey stated:

"To put it simply, the continuing worldwide escalation of counterfeiting and piracy poses a threat to both our economy and public safety. Since that threat comes from so many different directions, our response has to proceed on several fronts. We need strong and coordinated law enforcement efforts, both at home and abroad; we need robust intellectual property laws; and we need adequate resources devoted to IP law enforcement."

The DOJ has moved beyond its role as prosecutors to become teachers, as Mukasey states:

It’s imperative that countries work together on cases like these to ensure strong enforcement worldwide. To enhance that kind of cooperation, Justice Department lawyers have provided training and technical assistance to thousands of foreign prosecutors, investigators, and judges in more than a hundred countries.

Hopefully, there has been or will be comparable training to those who will be defending individuals charged with these crimes.

(esp)
Does the State Department Need A Deferred Prosecution Agreement?

March 21st, 2008

With political candidates Obama, Clinton, and now McCain receiving word from the State Department that their passport files had been breached (see here, here), an interesting question will be whether the perpetrators of this activity can suffer consequences beyond the loss of their jobs.

Back in 1997, the First Circuit reversed wire and computer fraud convictions brought against an individual who was accused of browsing in an Internal Revenue Computer. The court held that the government had not provided sufficient evidence that the accused had received "anything of value." In reversing the conviction, the court found that "mere browsing" was not enough, even if the information viewed was "about friends, acquaintances, and political rivals," as the accused did not "printed out, record[ ], or use [] the information he browsed." 106 F.3d 1069 (1st Cir. 1997).

But the present happenings may be different as the Freedom of Information Act and the Privacy Act of 1974 may apply. 18 U.S.C. s 552(a) provides for misdemeanor penalties in certain circumstances. It states:

"(i)(1) Criminal penalties

Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."

Exceptions are noted in the statute. But the statute explicitly applies to contractors working for an agency. Specifically the statute states:

"(m) Government contractors

(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency."

But there are more important questions that we should be asking here — Why are we seeing security breaches of this nature? As this is not a new problem, what steps were taken to make sure that this didn’t happen again? Was there a corporate compliance program in place and why did it not work? It is pretty frightening that our State Department can have security breaches like this occurring on several occasions. If someone did this haphazardly, perhaps in fun, punishing them may not be the answer. The more important point is to educate those who work with these type of documents on the importance of their confidentiality. If this were a corporation, might the government be offering the corporation a deferred prosecution agreement, in order to make certain that there was future compliance with the law.

(esp)
Virginia Supremes Uphold Spamming Conviction

March 6th, 2008
A press release of the Attorney General of Virginia, announced that the Virginia Supreme Court upheld the nation’s first felony SPAM conviction. Virginia’s Anti-Spam Act "prohibits the sending of unsolicited bulk e-mail by fraudulent means, such as changing the header or routing information to prevent recipients from contacting or determining the identity of the sender." According to the press release, "such conduct is punishable as a class 1 misdemeanor or as a class 6 felony if any one of the following conditions applies:
- The volume of Spam transmitted exceeds 10,000 in any 24-hour time period, 100,000 in any 30-day time period, or one million in any one-year time period.
- Revenue generated from specific Spam exceeds $1,000 or total revenue from all Spam transmitted to any ISP exceeds $50,000.
- The defendant knowingly hires, employs, uses or permits any minor to assist in the transition of Spam."
The defendant in this case was sentenced to a term of nine years.

(esp)