Articles Posted in Cyber Crimes

KeyboardThe First Amendment to the U.S. Constitution guarantees the right to freedom of speech. Generally speaking, the government cannot restrain people’s speech through criminal penalties. Certain forms of speech, however, are not protected. The government may enact restrictions on speech when the restriction is closely related to a legitimate government function or public interest, and it is narrow enough to serve that purpose without burdening other rights. The U.S. Supreme Court recently ruled on a challenge to a state law that made it a felony for individuals with certain criminal convictions to use social media networks. No comparable restriction exists in Texas criminal statutes, but the ruling could still have an impact here. The court found that the statute violated the First Amendment, since the state could achieve its purpose in other, less restrictive ways. Packingham v. North Carolina, 582 U.S. ___ (2017).

The law at issue in Packingham deals with registered sex offenders. The precise definition of a registered sex offender varies from one state to the next, and it is frequently subject to amendment by lawmakers. Politicians often couple the term with an express or implied statement about danger to children. Protecting children from harm is a legitimate public interest, but the extent to which lawmakers may go in furtherance of this interest is a matter of ongoing debate.

Under § 14-202.5 of the North Carolina General Statutes, a registered sex offender commits a felony if they access a “commercial social networking Web site” of which they know minors can become members. The statute defines “commercial social networking Web site” very broadly based on four criteria:  the site (1) obtains revenue from membership fees or advertising; (2) “facilitates social introduction” between people; (3) allows the creation of individual pages that could contain personal information; and (4) enables users to communicate with one another.

Dark CobwebThe criminal justice system must constantly adapt to changes brought by the increased use of the internet. Legal doctrines that once only applied to physical searches of people’s homes must now regulate “virtual” searches. Several years ago, federal prosecutors charged an individual with multiple offenses arising from his alleged administration of an online marketplace for illegal drugs and other contraband. It was reportedly the first prosecution involving the drug trade on the so-called “dark net.” A jury convicted the defendant on all seven counts in the government’s indictment, which included drug-related offenses, racketeering, and computer fraud. A judge sentenced him to life imprisonment. In May 2017, a federal appellate court denied his appeal, in which he argued in part that his Fourth Amendment rights had been violated. United States v. Ulbricht, No. 15-1815, slip op. (2d Cir., May 31, 2017).

Federal law allows law enforcement to monitor electronic communications under strict limitations. Two types of surveillance allowed by federal law are known as “pen registers” and “trap and trace devices.” A pen register “records or decodes dialing, routing, addressing, or signaling information transmitted by” a telephone or other device. 18 U.S.C. § 3127(3). A trap and trace device “captures the incoming electronic or other impulses,” allowing law enforcement “to identify the source of a wire or electronic communication.” Id. at § 3127(4). Neither device may capture or record “the contents of any communication.” Id. They provide law enforcement with a record that shows the source, destination, and duration of phone calls and other communications.

Continue reading

BitTorrent networkCyber crime, as an area of legal practice, regularly presents new challenges on both sides of the criminal justice system. Despite new technologies and new laws, prosecutors often use laws that have been around since telephones were still relatively new to take on alleged schemes that rely heavily on the internet. Federal prosecutors recently brought fraud charges against a pair of defendants accused of an elaborate scheme involving false claims of online copyright infringement. United States v. PH, et al., No. 0:16-cr-00334, indictment (D. Minn., Dec. 14, 2016). The case illustrates many of the unusual challenges of cyber crime law.

Copyright protection gives an author of creative works, such as books and films, the exclusive right to use, distribute, display, or license the use of a copyrighted work. The use of a copyrighted work without the copyright owner’s permission may constitute copyright infringement and could potentially result in liability to the owner. Willful copyright infringement may carry criminal penalties in certain circumstances. 17 U.S.C. § 506, 18 U.S.C. § 2319. In any case of alleged non-criminal copyright infringement, the copyright owner is responsible for pursuing the alleged infringer.

The PH case does not involve alleged criminal copyright infringement. The defendants were charged with mail and wire fraud for allegedly sending out fraudulent claims of copyright infringement with settlement demands. Federal law prohibits any “scheme or artifice to defraud” that affects interstate commerce, such as through the use of the U.S. Postal Service—more commonly known as mail fraud. 18 U.S.C. § 1341. Fraudulent schemes that involve the use of interstate or foreign “wire, radio, or television communication” are categorized as wire fraud. Id. at § 1343.

Continue reading

crt-monitor-old-tower-personal-35565The Fourth Amendment to the U.S. Constitution requires law enforcement officials to obtain a warrant prior to searching an individual’s personal effects or seizing their property. The warrant must demonstrate probable cause to believe that the search or seizure will reveal evidence related to a criminal investigation. These protections apply both to a person’s physical effects, such as documents and other materials, and to their “electronically stored information” (ESI). The extent to which a warrant may allow law enforcement to search and seize ESI is still a matter of dispute. A federal judge issued a ruling in late 2016 that seems to grant broad powers to law enforcement to seize ESI. The court found that the Federal Rules of Criminal Procedure and the Stored Communications Act (SCA) required a provider of email services to turn over the entire contents of several email accounts. In re Microsoft Corp., No. 2:16-mj-08036, mem. order (D. Kan., Sep. 28, 2016).

At the time the Fourth Amendment was drafted and ratified in the 18th century, people’s personal effects mostly consisted of materials that they kept on their person or in their residence. This remained true for nearly two centuries, until computers became widespread, and people began using third-party internet service providers (ISPs) to communicate. Private communications, which enjoy the Fourth Amendment’s protection from warrantless searches and seizures, may now reside on servers maintained by ISPs, with the owner of those communications having the right to access them.

The third-party doctrine, which holds that information voluntarily disclosed to others is no longer protected by the Fourth Amendment, would seem to make communications stored by ISPs accessible to law enforcement—this seems to fit the letter of that particular doctrine, if not its spirit. The SCA attempts to reconcile the use of third-party ISPs with the Fourth Amendment, establishing requirements for warrants issued to ISPs. 18 U.S.C. § 2703. Procedural rules also address warrants for ESI. See Fed. R. Crim. P. 41(e)(2)(B).
Continue reading

messengerThe Fourth Amendment’s guarantee of people’s right “to be secure in their persons, houses, papers, and effects” has gained new meanings as computer technology enables people to store their personal communications, such as email, on remote servers operated by third-party service providers. Courts have repeatedly had to consider whether data stored remotely remains “private” for the purposes of the Fourth Amendment. Federal law allows law enforcement to access emails and other remotely stored data without a warrant under certain circumstances. Texas became one of the first states to require a search warrant for such materials in 2013, and several other states have followed suit. In June 2016, the U.S. House of Representatives passed H.R. 699, the Email Privacy Act (EPA), which would apply the same restrictions as those found in Texas law. The bill is now pending in the Senate.

The Supreme Court, when determining whether police must obtain a warrant for certain types of materials or information, looks at whether a person has a reasonable expectation of privacy in that particular area. The “third-party doctrine” holds that a person has no reasonable expectation of privacy in materials that they have voluntarily given to a third party. See Smith v. Maryland, 442 U.S. 735 (1979). “Cloud computing,” which refers to the use of remote servers to store data, instead of local devices like personal computers or smartphones, has raised numerous questions and concerns regarding the third-party doctrine.

Most Supreme Court rulings on the third-party doctrine involve information given out once, such as the numbers of outgoing phone calls in Smith. Cloud computing, on the other hand, involves data that people store with the intention of accessing it repeatedly. Email service providers, for example, frequently offer remote hosting to consumers free of charge, allowing people to access their email from multiple devices and locations. This is not the same type of activity addressed in the most influential third-party doctrine court cases, all of which predate the widespread availability of cloud computing.

Continue reading

binary codeUnauthorized access to computer systems, commonly known as “hacking,” undoubtedly causes significant damage to individuals and businesses around the country. As often happens, however, the law has had difficulty keeping up with new technology. Federal law prohibits a wide range of computer fraud-related activities, but most offenses require proof that a defendant acted with intent, which is the most difficult mental state for prosecutors to prove. Perhaps as a result, some prosecutors have developed creative strategies to pursue alleged hackers. In one recently filed case, federal prosecutors have charged an individual under the federal hacking statute with no allegations that he personally engaged in any hacking activities. Instead, they essentially allege that he developed software with the intent that it would be used by hackers. United States v. Huddleston, No. 1:17-cr-00034, indictment (E.D. Va., Feb. 16, 2017).

Congress first enacted a criminal statute related to computer fraud, found at 18 U.S.C. § 1030, in 1984. It has amended this section numerous times over the years, perhaps most notably in 1986 with the Computer Fraud and Abuse Act (CFAA). That bill significantly expanded the legal definition of “computer fraud.” The original 1984 law made it a federal crime to access computer systems of the federal government or a financial institution without authorization. The CFAA added provisions about unauthorized access, or access that exceeds granted authority, to any “protected computer,” which it defined to include nearly any computer whose use affects interstate commerce. 18 U.S.C. §§ 1030(a)(4) – (6), (e)(2)(B).

Federal prosecutors are not accusing the defendant in Huddleston of hacking anybody. Instead, the alleged conduct leading to the indictment consisted solely of developing a software tool reportedly used by hackers. According to the indictment, the defendant created a “remote administration tool,” or “remote access trojan” (RAT), a type of software that allows a user to take control of someone else’s computer without their knowledge or consent. This RAT has allegedly been used in multiple cyberattacks around the world. Prosecutors allege that the defendant created this software for the specific purpose of making it available to hackers.

Continue reading

data accessThe term “cybercrime” covers a vast array of acts involving computers and other technologies. The difficulty in defining “cybercrime” can occasionally lead to prosecutions for activities that might not seem particularly criminal but that arguably fit within a statute’s definition of prohibited conduct. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has been a subject of criticism as prosecutors use it in creative ways to pursue alleged cybercriminals. In one recent case, prosecutors charged a former newspaper employee under the CFAA for giving unauthorized access to newspaper servers. He was convicted and sentenced to two years in prison. United States v. Keys, No. 2:13-cr-00082, superseding indictment (E.D. Cal., Dec. 4, 2014). A federal appellate court in another case held that using someone else’s password to access certain computer systems violates the CFAA. United States v. Nosal, No. 14-10037, slip op. (9th Cir., Jul. 5, 2016).

Congress enacted the CFAA in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. It has amended the law several more times, including in 2001 as part of the Patriot Act and most recently in 2008. The law covers a wide range of activities that center on unauthorized access to “protected computers,” defined very broadly as any computer used by a financial institution or the federal government, or used “in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2).

The defendant in Key was a journalist and blogger for the Los Angeles Times. Prosecutors alleged that he helped members of the hacker group Anonymous gain access to the newspaper’s servers in late 2010. The hackers used this access to modify a news article posted to the Los Angeles Times’ website. The modified story was only up for about 40 minutes, and it was not clear if either the newspaper or its parent company suffered any financial loss.

Continue reading

smartphoneOur legal system is waging an ongoing struggle to keep up with the sorts of opportunities that new digital communications technologies offer for criminal activity like fraud, theft, and harassment. Sometimes, law enforcement identifies a clear technology-based threat to other individuals or the public. At other times, police and prosecutors pursue people—often children and young adults—for alleged conduct that is at best naive or immature, and at worst non-criminally negligent. Many of these types of alleged offenses involve the use of smartphones and social media in ways that do not make sense to people who remember a life before such technology existed.

Criminal statutes have evolved, in a sense, as our society and technology have advanced. In the 19th century, people began to use the U.S. Postal Service to perpetrate fraudulent schemes. Our legal system created the distinct federal and state offenses of mail fraud as a result. In the 20th century, telephone and television technology drove the creation of wire fraud statutes. Similar changes have occurred with regard to laws against harassment and threats, which can occur via the telephone and email as well as in person.

The only real difference between many alleged offenses today, as opposed to similar ones occurring decades ago, is often the use of new communications technologies, which amplify what might have otherwise been a private remark. A teenager in Texas, for example, was charged with making a terroristic threat, Tex. Pen. Code § 22.07, in 2013 after he allegedly posted in an online video game forum that he was going to “shoot up a kindergarten,” along with other alleged threats that he says were “a poorly thought out sarcastic joke.”

Continue reading

The internet and social media have created incredible opportunities for communication and interaction across the world. Unfortunately, this includes more than just friendly or polite communications. The phenomenon of “trolling,” broadly defined as posting or sending messages deliberately intended to upset others, has existed since the very beginning of the internet, but social media has created vast new opportunities for “trolls.” Many countries have enacted laws criminalizing various forms of internet trolling, but such efforts have been limited in the U.S. The First Amendment’s guarantee of freedom of speech would make enforcing such a law difficult, and crafting a law that targets only the most abusive, inexcusable forms of trolling, as opposed to speech that is merely controversial, is difficult if not impossible. The unintended consequences of such a law could be significant.

Part of the problem with efforts to legislate “trolling” is the difficulty defining the term. A CNN article describes it as a person who “deliberately disrupt[s] online discussions in order to stir up controversy.” The key elements of trolling seem to be a deliberate act of communication with the sole or primary motivation of causing offense or distress. The word’s meaning has grown over the brief history of the internet to encompass a wide range of behaviors, which range from relatively harmless pranks to acts that might fall under existing laws regarding cyberstalking or even hacking.

The use of telecommunications equipment, including telephones, mobile devices, and computers, to harass or stalk someone is prohibited under federal and state cyberstalking laws. Under federal law, the content of the transmission must be “obscene or child pornography,” and it must be made “with intent to abuse, threaten, or harass another person.” 47 U.S.C. § 223(a)(1)(A). Texas law contains similar provisions regarding cyberstalking, Tex. Pen. Code § 33.07(b). It also prohibits “online impersonation,” which it defines to include posing as a person online or posting their private information without their permission and “with the intent to harm or defraud any person.” Id. at § 33.07(a).

Continue reading

Targaryen (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia CommonsThe U.S. Securities and Exchange Commission (SEC) is charged with enforcing federal laws against securities fraud, which includes a constantly expanding range of activities. In late 2015, the agency turned its attention to Bitcoin, a virtual payment system that has been the subject of much attention and controversy in recent years. Bitcoins have no physical, tangible form. Instead, they exist as a series of complicated computer transactions and calculations. It is possible to create new Bitcoins by assisting in processing Bitcoin transactions, a process known as “mining.” The SEC filed a civil complaint in late 2015 against two companies engaged in Bitcoin mining, alleging violations of the Securities Act of 1933 and the Securities Exchange Act of 1934. SEC v. Garza, et al, No. 3:15-cv-01760, complaint (D. Conn., Dec. 1, 2015). Although the suit is civil, not criminal, it offers an idea of how financial regulators may approach cases that add elements of cyber crime to securities law.

Federal securities laws regulate the issuance, sale, and exchange of a wide range of intangible assets. The Securities Act and the Securities Exchange Act use similar definitions of “security,” which include familiar items like stocks, notes, bonds, treasury bills, and futures, as well as various other types of investments. 15 U.S.C. §§ 77b(a)(1), 78c(a)(10). Bitcoin is a new, and still relatively unfamiliar, technology, but the SEC is viewing the assets involved in this case as “investment contracts.” Garza, complaint at 1.

Speaking very generally, the Securities Act prohibits fraudulent activities in connection with the issuance of securities, and the Securities Exchange Act prohibits fraud in their secondary sale or exchange. The SEC alleges, however, that the defendants engaged in a typical type of fraud, albeit one “cloaked in technological sophistication and jargon.” They allegedly “sold what they did not own, and misrepresented the nature of what they were selling.” Id.

Continue reading