Articles Posted in Cyber Crimes

data accessThe term “cybercrime” covers a vast array of acts involving computers and other technologies. The difficulty in defining “cybercrime” can occasionally lead to prosecutions for activities that might not seem particularly criminal but that arguably fit within a statute’s definition of prohibited conduct. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has been a subject of criticism as prosecutors use it in creative ways to pursue alleged cybercriminals. In one recent case, prosecutors charged a former newspaper employee under the CFAA for giving unauthorized access to newspaper servers. He was convicted and sentenced to two years in prison. United States v. Keys, No. 2:13-cr-00082, superseding indictment (E.D. Cal., Dec. 4, 2014). A federal appellate court in another case held that using someone else’s password to access certain computer systems violates the CFAA. United States v. Nosal, No. 14-10037, slip op. (9th Cir., Jul. 5, 2016).

Congress enacted the CFAA in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. It has amended the law several more times, including in 2001 as part of the Patriot Act and most recently in 2008. The law covers a wide range of activities that center on unauthorized access to “protected computers,” defined very broadly as any computer used by a financial institution or the federal government, or used “in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2).

The defendant in Key was a journalist and blogger for the Los Angeles Times. Prosecutors alleged that he helped members of the hacker group Anonymous gain access to the newspaper’s servers in late 2010. The hackers used this access to modify a news article posted to the Los Angeles Times’ website. The modified story was only up for about 40 minutes, and it was not clear if either the newspaper or its parent company suffered any financial loss.

Continue reading

smartphoneOur legal system is waging an ongoing struggle to keep up with the sorts of opportunities that new digital communications technologies offer for criminal activity like fraud, theft, and harassment. Sometimes, law enforcement identifies a clear technology-based threat to other individuals or the public. At other times, police and prosecutors pursue people—often children and young adults—for alleged conduct that is at best naive or immature, and at worst non-criminally negligent. Many of these types of alleged offenses involve the use of smartphones and social media in ways that do not make sense to people who remember a life before such technology existed.

Criminal statutes have evolved, in a sense, as our society and technology have advanced. In the 19th century, people began to use the U.S. Postal Service to perpetrate fraudulent schemes. Our legal system created the distinct federal and state offenses of mail fraud as a result. In the 20th century, telephone and television technology drove the creation of wire fraud statutes. Similar changes have occurred with regard to laws against harassment and threats, which can occur via the telephone and email as well as in person.

The only real difference between many alleged offenses today, as opposed to similar ones occurring decades ago, is often the use of new communications technologies, which amplify what might have otherwise been a private remark. A teenager in Texas, for example, was charged with making a terroristic threat, Tex. Pen. Code § 22.07, in 2013 after he allegedly posted in an online video game forum that he was going to “shoot up a kindergarten,” along with other alleged threats that he says were “a poorly thought out sarcastic joke.”

Continue reading

The internet and social media have created incredible opportunities for communication and interaction across the world. Unfortunately, this includes more than just friendly or polite communications. The phenomenon of “trolling,” broadly defined as posting or sending messages deliberately intended to upset others, has existed since the very beginning of the internet, but social media has created vast new opportunities for “trolls.” Many countries have enacted laws criminalizing various forms of internet trolling, but such efforts have been limited in the U.S. The First Amendment’s guarantee of freedom of speech would make enforcing such a law difficult, and crafting a law that targets only the most abusive, inexcusable forms of trolling, as opposed to speech that is merely controversial, is difficult if not impossible. The unintended consequences of such a law could be significant.

Part of the problem with efforts to legislate “trolling” is the difficulty defining the term. A CNN article describes it as a person who “deliberately disrupt[s] online discussions in order to stir up controversy.” The key elements of trolling seem to be a deliberate act of communication with the sole or primary motivation of causing offense or distress. The word’s meaning has grown over the brief history of the internet to encompass a wide range of behaviors, which range from relatively harmless pranks to acts that might fall under existing laws regarding cyberstalking or even hacking.

The use of telecommunications equipment, including telephones, mobile devices, and computers, to harass or stalk someone is prohibited under federal and state cyberstalking laws. Under federal law, the content of the transmission must be “obscene or child pornography,” and it must be made “with intent to abuse, threaten, or harass another person.” 47 U.S.C. § 223(a)(1)(A). Texas law contains similar provisions regarding cyberstalking, Tex. Pen. Code § 33.07(b). It also prohibits “online impersonation,” which it defines to include posing as a person online or posting their private information without their permission and “with the intent to harm or defraud any person.” Id. at § 33.07(a).

Continue reading

Targaryen (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia CommonsThe U.S. Securities and Exchange Commission (SEC) is charged with enforcing federal laws against securities fraud, which includes a constantly expanding range of activities. In late 2015, the agency turned its attention to Bitcoin, a virtual payment system that has been the subject of much attention and controversy in recent years. Bitcoins have no physical, tangible form. Instead, they exist as a series of complicated computer transactions and calculations. It is possible to create new Bitcoins by assisting in processing Bitcoin transactions, a process known as “mining.” The SEC filed a civil complaint in late 2015 against two companies engaged in Bitcoin mining, alleging violations of the Securities Act of 1933 and the Securities Exchange Act of 1934. SEC v. Garza, et al, No. 3:15-cv-01760, complaint (D. Conn., Dec. 1, 2015). Although the suit is civil, not criminal, it offers an idea of how financial regulators may approach cases that add elements of cyber crime to securities law.

Federal securities laws regulate the issuance, sale, and exchange of a wide range of intangible assets. The Securities Act and the Securities Exchange Act use similar definitions of “security,” which include familiar items like stocks, notes, bonds, treasury bills, and futures, as well as various other types of investments. 15 U.S.C. §§ 77b(a)(1), 78c(a)(10). Bitcoin is a new, and still relatively unfamiliar, technology, but the SEC is viewing the assets involved in this case as “investment contracts.” Garza, complaint at 1.

Speaking very generally, the Securities Act prohibits fraudulent activities in connection with the issuance of securities, and the Securities Exchange Act prohibits fraud in their secondary sale or exchange. The SEC alleges, however, that the defendants engaged in a typical type of fraud, albeit one “cloaked in technological sophistication and jargon.” They allegedly “sold what they did not own, and misrepresented the nature of what they were selling.” Id.

Continue reading

tookapic [Public domain, CC0 1.0 (https://creativecommons.org/publicdomain/zero/1.0/deed.en)], via PixabayThe internet and other digital technologies have resulted in a vast array of legal challenges. One issue that has received considerable recent attention is “revenge porn,” the publication or distribution of intimate photos of a person, usually female, without that person’s consent. More than half of the states in the U.S., including Texas, have enacted laws imposing civil and/or criminal liability for acts commonly associated with revenge porn, but the difficulty in defining the phenomenon leads to concerns about potential First Amendment problems. At the federal level, prosecutors have successfully used laws related to hacking, such as in a case alleging a scheme that involved hacking email accounts to steal photographs and posting them to a website. United States v. Moore, et al., No. 2:13-cr-00917, indictment (C.D. Cal., Dec. 20, 2013). The two defendants each received prison sentences of about two years.

The distribution of intimate photos without the subject’s consent can occur in at least two different ways. In some cases, the photos originate from a romantic or intimate relationship between the person depicted and the person distributing the photos. The term “revenge porn” is based on the idea that this is a way to get back at the other person for breaking off the relationship. This clearly constitutes a violation of trust, and it is morally reprehensible by any measure. The legal standard for criminalizing such conduct, however, is not particularly clear.

Other cases involve the theft of intimate photos from a person’s computer, mobile device, or online account. This type of case fits much more easily into existing legal frameworks regarding cyber crime, and it has resulted in many of the successful prosecutions to date.

Continue reading

McLac2000 [Public domain, CC0 1.0 (https://creativecommons.org/publicdomain/zero/1.0/deed.en)], via PixabayThe body of statutes and regulations encompassing federal criminal law has grown considerably in the past few decades, and federal law can affect people in unusual and unexpected ways. In a case that made headlines in 2015, federal prosecutors used a confluence of two areas of criminal law, financial fraud and terrorism, to charge a man in connection with the April 2013 Boston Marathon bombing. United States v. Matanov, No. 1:14-cr-10159, indictment (D. Mass., May 29, 2014). Prosecutors conceded that the defendant, who knew the two bombers, was not involved in the bombing and had no advance knowledge of it. Instead, they charged him with offenses related to false statements and destruction of evidence because he deleted his browser history.

The charges against the defendant were based on a law, known as the Sarbanes-Oxley Act, passed in the wake of the Enron scandal in 2002. Pub. L. 107-204, 116 Stat. 745. The law added a section to the chapter of the federal criminal code dealing with obstruction of justice, making it an offense to “destroy[]…any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation…of any matter within the jurisdiction of any department or agency of the United States…or in relation to or contemplation of any such matter or case…” Pub. L. 107-204 § 802(a), 116 Stat. 800; 18 U.S.C. § 1519. Interpreted broadly, this could allow a prosecution for disposing of records that could be used in a hypothetical future federal investigation. In the defendant’s case, prosecutors accused him of destroying evidence needed in the investigation of the Boston Marathon bombing.

The bombing occurred on April 15, 2013 along the route of the Boston Marathon. Two bombs exploded, killing three people and wounding hundreds. The suspects killed a police officer on April 18, and a massive manhunt led to the death of one bombing suspect in the early morning of April 19 and the arrest of the other later that day. The surviving suspect was convicted of all charged offenses in April 2015, and a jury sentenced him to death in May.

Continue reading

By Brocken Inaglory (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia CommonsAn executive assistant’s personal use of corporate credit accounts resulted in a federal charge of wire fraud. United States v. Coulman, No. 3:14-cr-02424, information (S.D. Cal., Aug. 27, 2014). Prosecutors alleged that the defendant used corporate credit cards to purchase vacations, electronics, clothing, and other goods, as well as attempting to conceal her activities from her employer. Prosecutors got a bit creative, alleging a connection between the defendant’s scheme and interstate commerce in order to establish federal jurisdiction. The defendant waived indictment and entered a guilty plea on the day federal prosecutors filed the information. The court sentenced the defendant in August 2015 to 21 months in prison and ordered her to pay the amount she was accused of misappropriating—nearly $1 million—in restitution.

According to the government’s information, the defendant began working for Hewlett-Packard (HP) in 2000, and she remained there until 2012. She worked as the executive assistant to one of the company’s vice presidents during the last four years of her employment. Part of that job involved “review[ing] monthly credit card statements and submit[ting] the related expense reports, receipts, and supporting documentation to HP program administrators.” Id. at 1-2. She also responded to questions from program administrators about expenditures and expense reports. Prosecutors noted that she had access to the vice president’s email account, “which included the ability to delete emails received by, and send emails from [that] account.” Id. at 2.

Prosecutors described a scheme by which the defendant used corporate credit cards for multiple unauthorized expenses, including over $350,000 for a business operated by her brother, more than $100,000 at a “resort spa,” id. at 3, airfare and hotels for trips to Hawaii and Europe, and purchases at the Apple Store and several high-end department stores. The total amount of fraudulent expenditures, according to the FBI, exceeded $954,000.

Continue reading

OpenClipartVectors [Public domain, CC0 1.0 (https://creativecommons.org/publicdomain/zero/1.0/deed.en)], via PixabayFederal prosecutors announced indictments in what they are calling the “largest known computer hacking and securities fraud scheme” in August 2015. The indictments allege that the nine defendants, who are reportedly based in Ukraine, illegally accessed private computer networks to obtain information for use in insider trading. U.S. v. Korchevsky, et al., No. 15-cr-00381, indictment (E.D.N.Y., Aug. 5, 2015); U.S. v. Turchynov, et al., No. 15:cr-00390, indictment (D.N.J., Aug. 10, 2015). Prosecutors claimed that the defendants made $30 million from the scheme. The Securities and Exchange Commission (SEC) filed a related civil enforcement action against 32 individuals and companies, alleging $100 million in illegal profits. SEC v. Dobovoy, et al, No. 15-cv-06076, am. complaint (D.N.J., Aug. 23, 2015). This appears to be one of the first major cases alleging cybercrime directly related to securities fraud.

The defendants in both criminal cases are accused of hacking computer servers maintained by private companies engaged in the business of “issuing press releases on behalf of publicly-traded companies.” Turchynov, indictment at 4. Publicly traded companies have contracts with these companies, commonly known as “newswires,” under which they provide “confidential press releases…contain[ing] material nonpublic information” that would be of interest to the stock market. Id. at 5. The newswires publish these press releases when authorized to do so by the companies.

According to the indictments, the defendants obtained about 150,000 press releases from newswire servers over a five-year period. They allegedly used material nonpublic information from at least 800 of these press releases to trade stocks ahead of the public release of the information, resulting in alleged profits of around $30 million.

Continue reading

By Yinan Chen (www.goodfreephotos.com (gallery, image)) [Public Domain], via Wikimedia CommonsAs technology develops and expands, so do the methods used by law enforcement to investigate alleged criminal offenses. This summer, the news media reported on a Colorado couple suspected of taking the wife’s children out of the country in violation of a child custody order. Authorities reportedly located the suspects by tracking their use of online music and video streaming services. Based on the internet protocol (IP) address associated with their accounts, investigators pinpointed their location in Mexico. Colorado authorities reportedly had a warrant for the suspects’ accounts, as required by the U.S. Constitution and the Video Privacy Protection Act (VPPA) of 1988, 18 U.S.C. § 2710. This statute prohibits video rental and streaming services from disclosing personal information about customers without their consent, and it prevents law enforcement from accessing such data without a warrant.

According to law enforcement in Larimer County, Colorado, who took the lead on the case, the suspects are a husband and wife. The wife was involved in a custody dispute with her ex-husband over their two daughters. She and her husband allegedly took the two girls out of the county in December 2014, and their location remained unknown for eight months. The sheriff’s office obtained a warrant to track the IP address used by the wife’s accounts on Spotify and Netflix, online music and video streaming services, respectively. Investigators determined that they were located in Cabo San Lucas, in the Mexican state of Baja California Sur. The U.S. State Department reportedly arranged for Mexican officials to take them into custody and return them to the United States.

The case likely does not present Fourth Amendment problems, since the sheriff’s office obtained a warrant to track the IP address. The VPPA applies to this case, since officials accessed the wife’s Netflix account data. The statute prohibits the disclosure of a customer’s “personally identifiable information” (PII), defined to include information indicating “specific video materials or services” requested by the customer. 18 U.S.C. § 2710(a)(3). Streaming video did not exist when Congress enacted the VPPA in 1988, but courts have held that it applies to online video-streaming service providers. See Garvey et al. v. Kissmetrics et al., a/k/a In re Hulu Privacy Litigation, order (N.D. Cal., Aug. 10, 2012).

Continue reading

4156375919_fcab94358d_z.jpgIn early 2015, a federal jury found the alleged proprietor of an online marketplace for illegal drugs guilty of online drug distribution, conspiracy to commit computer hacking, conspiracy to commit money laundering, and other charges. Prosecutors accused the defendant of creating and operating the marketplace, known as the “Silk Road,” using the pseudonym “Dread Pirate Roberts.” United States v. Ulbricht, No. 1:14-cr-00068, superseding indictment (S.D.N.Y., Aug. 21, 2014). The defendant’s principal defense strategy involved admitting to creating the site but claiming that he was not the “Dread Pirate Roberts” who had operated it in recent years. After the jury convicted him, the court vacated two counts. It sentenced him to concurrent life sentences on two counts and to concurrent three-year sentences on each of the three remaining counts.

Prosecutors alleged that the defendant created and operated the Silk Road, an online marketplace for illegal drugs. The Silk Road operates in what is known as the “dark web,” where users can only access the site by using software to conceal their identities and locations. Most transactions allegedly take place using Bitcoin and other forms of anonymous currency.

Prosecutors had the burden of proving, first, that the “Dread Pirate Roberts” operated the Silk Road, and second, that the defendant was the “Dread Pirate Roberts.” Law enforcement officers arrested the defendant at a San Francisco public library in 2013, and FBI officials stated that he was logged into a Silk Road site at the time. Investigators were able to access the Silk Road’s infrastructure as a result, and prosecutors used this as evidence against the defendant.
Continue reading