Articles Posted in Cyber Crimes

The Fourth Amendment to the U.S. Constitution requires law enforcement officials to obtain a warrant prior to searching an individual’s personal effects or seizing their property. The warrant must demonstrate probable cause to believe that the search or seizure will reveal evidence related to a criminal investigation. These protections apply both to a person’s physical effects, such as documents and other materials, and to their “electronically stored information” (ESI). The extent to which a warrant may allow law enforcement to search and seize ESI is still a matter of dispute. A federal judge issued a ruling in late 2016 that seems to grant broad powers to law enforcement to seize ESI. The court found that the Federal Rules of Criminal Procedure and the Stored Communications Act (SCA) required a provider of email services to turn over the entire contents of several email accounts. In re Microsoft Corp., No. 2:16-mj-08036, mem. order (D. Kan., Sep. 28, 2016).

At the time the Fourth Amendment was drafted and ratified in the 18th century, people’s personal effects mostly consisted of materials that they kept on their person or in their residence. This remained true for nearly two centuries, until computers became widespread, and people began using third-party internet service providers (ISPs) to communicate. Private communications, which enjoy the Fourth Amendment’s protection from warrantless searches and seizures, may now reside on servers maintained by ISPs, with the owner of those communications having the right to access them.

The third-party doctrine, which holds that information voluntarily disclosed to others is no longer protected by the Fourth Amendment, would seem to make communications stored by ISPs accessible to law enforcement—this seems to fit the letter of that particular doctrine, if not its spirit. The SCA attempts to reconcile the use of third-party ISPs with the Fourth Amendment, establishing requirements for warrants issued to ISPs. 18 U.S.C. § 2703. Procedural rules also address warrants for ESI. See Fed. R. Crim. P. 41(e)(2)(B).

The Fourth Amendment’s guarantee of people’s right “to be secure in their persons, houses, papers, and effects” has gained new meanings as computer technology enables people to store their personal communications, such as email, on remote servers operated by third-party service providers. Courts have repeatedly had to consider whether data stored remotely remains “private” for the purposes of the Fourth Amendment. Federal law allows law enforcement to access emails and other remotely stored data without a warrant under certain circumstances. Texas became one of the first states to require a search warrant for such materials in 2013, and several other states have followed suit. In June 2016, the U.S. House of Representatives passed H.R. 699, the Email Privacy Act (EPA), which would apply the same restrictions as those found in Texas law. The bill is now pending in the Senate.

The Supreme Court, when determining whether police must obtain a warrant for certain types of materials or information, looks at whether a person has a reasonable expectation of privacy in that particular area. The “third-party doctrine” holds that a person has no reasonable expectation of privacy in materials that they have voluntarily given to a third party. See Smith v. Maryland, 442 U.S. 735 (1979). “Cloud computing,” which refers to the use of remote servers to store data, instead of local devices like personal computers or smartphones, has raised numerous questions and concerns regarding the third-party doctrine.

Most Supreme Court rulings on the third-party doctrine involve information given out once, such as the numbers of outgoing phone calls in Smith. Cloud computing, on the other hand, involves data that people store with the intention of accessing it repeatedly. Email service providers, for example, frequently offer remote hosting to consumers free of charge, allowing people to access their email from multiple devices and locations. This is not the same type of activity addressed in the most influential third-party doctrine court cases, all of which predate the widespread availability of cloud computing.

Unauthorized access to computer systems, commonly known as “hacking,” undoubtedly causes significant damage to individuals and businesses around the country. As often happens, however, the law has had difficulty keeping up with new technology. Federal law prohibits a wide range of computer fraud-related activities, but most offenses require proof that a defendant acted with intent, which is the most difficult mental state for prosecutors to prove. Perhaps as a result, some prosecutors have developed creative strategies to pursue alleged hackers. In one recently filed case, federal prosecutors have charged an individual under the federal hacking statute with no allegations that he personally engaged in any hacking activities. Instead, they essentially allege that he developed software with the intent that it would be used by hackers. United States v. Huddleston, No. 1:17-cr-00034, indictment (E.D. Va., Feb. 16, 2017).

Congress first enacted a criminal statute related to computer fraud, found at 18 U.S.C. § 1030, in 1984. It has amended this section numerous times over the years, perhaps most notably in 1986 with the Computer Fraud and Abuse Act (CFAA). That bill significantly expanded the legal definition of “computer fraud.” The original 1984 law made it a federal crime to access computer systems of the federal government or a financial institution without authorization. The CFAA added provisions about unauthorized access, or access that exceeds granted authority, to any “protected computer,” which it defined to include nearly any computer whose use affects interstate commerce. 18 U.S.C. §§ 1030(a)(4) – (6), (e)(2)(B).

Federal prosecutors are not accusing the defendant in Huddleston of hacking anybody. Instead, the alleged conduct leading to the indictment consisted solely of developing a software tool reportedly used by hackers. According to the indictment, the defendant created a “remote administration tool,” or “remote access trojan” (RAT), a type of software that allows a user to take control of someone else’s computer without their knowledge or consent. This RAT has allegedly been used in multiple cyberattacks around the world. Prosecutors allege that the defendant created this software for the specific purpose of making it available to hackers.

The term “cybercrime” covers a vast array of acts involving computers and other technologies. The difficulty in defining “cybercrime” can occasionally lead to prosecutions for activities that might not seem particularly criminal but that arguably fit within a statute’s definition of prohibited conduct. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has been a subject of criticism as prosecutors use it in creative ways to pursue alleged cybercriminals. In one recent case, prosecutors charged a former newspaper employee under the CFAA for giving unauthorized access to newspaper servers. He was convicted and sentenced to two years in prison. United States v. Keys, No. 2:13-cr-00082, superseding indictment (E.D. Cal., Dec. 4, 2014). A federal appellate court in another case held that using someone else’s password to access certain computer systems violates the CFAA. United States v. Nosal, No. 14-10037, slip op. (9th Cir., Jul. 5, 2016).

Congress enacted the CFAA in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. It has amended the law several more times, including in 2001 as part of the Patriot Act and most recently in 2008. The law covers a wide range of activities that center on unauthorized access to “protected computers,” defined very broadly as any computer used by a financial institution or the federal government, or used “in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2).

The defendant in Keys was a journalist and blogger for the Los Angeles Times. Prosecutors alleged that he helped members of the hacker group Anonymous gain access to the newspaper’s servers in late 2010. The hackers used this access to modify a news article posted to the Los Angeles Times’ website. The modified story was only up for about 40 minutes, and it was not clear if either the newspaper or its parent company suffered any financial loss.

Our legal system is waging an ongoing struggle to keep up with the sorts of opportunities that new digital communications technologies offer for criminal activity like fraud, theft, and harassment. Sometimes, law enforcement identifies a clear technology-based threat to other individuals or the public. At other times, police and prosecutors pursue people—often children and young adults—for alleged conduct that is at best naive or immature, and at worst non-criminally negligent. Many of these types of alleged offenses involve the use of smartphones and social media in ways that do not make sense to people who remember a life before such technology existed.

Criminal statutes have evolved, in a sense, as our society and technology have advanced. In the 19th century, people began to use the U.S. Postal Service to perpetrate fraudulent schemes. Our legal system created the distinct federal and state offenses of mail fraud as a result. In the 20th century, telephone and television technology drove the creation of wire fraud statutes. Similar changes have occurred with regard to laws against harassment and threats, which can occur via the telephone and email as well as in person.

The only real difference between many alleged offenses today, as opposed to similar ones occurring decades ago, is often the use of new communications technologies, which amplify what might have otherwise been a private remark. A teenager in Texas, for example, was charged with making a terroristic threat, Tex. Pen. Code § 22.07, in 2013 after he allegedly posted in an online video game forum that he was going to “shoot up a kindergarten,” along with other alleged threats that he says were “a poorly thought out sarcastic joke.”

The internet and social media have created incredible opportunities for communication and interaction across the world. Unfortunately, this includes more than just friendly or polite communications. The phenomenon of “trolling,” broadly defined as posting or sending messages deliberately intended to upset others, has existed since the very beginning of the internet, but social media has created vast new opportunities for “trolls.” Many countries have enacted laws criminalizing various forms of internet trolling, but such efforts have been limited in the U.S. The First Amendment’s guarantee of freedom of speech would make enforcing such a law difficult, and crafting a law that targets only the most abusive, inexcusable forms of trolling, as opposed to speech that is merely controversial, is difficult if not impossible. The unintended consequences of such a law could be significant.

Part of the problem with efforts to legislate “trolling” is the difficulty defining the term. A CNN article describes it as a person who “deliberately disrupt[s] online discussions in order to stir up controversy.” The key elements of trolling seem to be a deliberate act of communication with the sole or primary motivation of causing offense or distress. The word’s meaning has grown over the brief history of the internet to encompass a wide range of behaviors, which range from relatively harmless pranks to acts that might fall under existing laws regarding cyberstalking or even hacking.

The use of telecommunications equipment, including telephones, mobile devices, and computers, to harass or stalk someone is prohibited under federal and state cyberstalking laws. Under federal law, the content of the transmission must be “obscene or child pornography,” and it must be made “with intent to abuse, threaten, or harass another person.” 47 U.S.C. § 223(a)(1)(A). Texas law contains similar provisions regarding cyberstalking, Tex. Pen. Code § 33.07(b). It also prohibits “online impersonation,” which it defines to include posing as a person online or posting their private information without their permission and “with the intent to harm or defraud any person.” Id. at § 33.07(a).

The U.S. Securities and Exchange Commission (SEC) is charged with enforcing federal laws against securities fraud, which includes a constantly expanding range of activities. In late 2015, the agency turned its attention to Bitcoin, a virtual payment system that has been the subject of much attention and controversy in recent years. Bitcoins have no physical, tangible form. Instead, they exist as a series of complicated computer transactions and calculations. It is possible to create new Bitcoins by assisting in processing Bitcoin transactions, a process known as “mining.” The SEC filed a civil complaint in late 2015 against two companies engaged in Bitcoin mining, alleging violations of the Securities Act of 1933 and the Securities Exchange Act of 1934. SEC v. Garza, et al, No. 3:15-cv-01760, complaint (D. Conn., Dec. 1, 2015). Although the suit is civil, not criminal, it offers an idea of how financial regulators may approach cases that add elements of cyber crime to securities law.

Federal securities laws regulate the issuance, sale, and exchange of a wide range of intangible assets. The Securities Act and the Securities Exchange Act use similar definitions of “security,” which include familiar items like stocks, notes, bonds, treasury bills, and futures, as well as various other types of investments. 15 U.S.C. §§ 77b(a)(1), 78c(a)(10). Bitcoin is a new, and still relatively unfamiliar, technology, but the SEC is viewing the assets involved in this case as “investment contracts.” Garza, complaint at 1.

Speaking very generally, the Securities Act prohibits fraudulent activities in connection with the issuance of securities, and the Securities Exchange Act prohibits fraud in their secondary sale or exchange. The SEC alleges, however, that the defendants engaged in a typical type of fraud, albeit one “cloaked in technological sophistication and jargon.” They allegedly “sold what they did not own, and misrepresented the nature of what they were selling.” Id.

The internet and other digital technologies have resulted in a vast array of legal challenges. One issue that has received considerable recent attention is “revenge porn,” the publication or distribution of intimate photos of a person, usually female, without that person’s consent. More than half of the states in the U.S., including Texas, have enacted laws imposing civil and/or criminal liability for acts commonly associated with revenge porn, but the difficulty in defining the phenomenon leads to concerns about potential First Amendment problems. At the federal level, prosecutors have successfully used laws related to hacking, such as in a case alleging a scheme that involved hacking email accounts to steal photographs and posting them to a website. United States v. Moore, et al., No. 2:13-cr-00917, indictment (C.D. Cal., Dec. 20, 2013). The two defendants each received prison sentences of about two years.

The distribution of intimate photos without the subject’s consent can occur in at least two different ways. In some cases, the photos originate from a romantic or intimate relationship between the person depicted and the person distributing the photos. The term “revenge porn” is based on the idea that this is a way to get back at the other person for breaking off the relationship. This clearly constitutes a violation of trust, and it is morally reprehensible by any measure. The legal standard for criminalizing such conduct, however, is not particularly clear.

Other cases involve the theft of intimate photos from a person’s computer, mobile device, or online account. This type of case fits much more easily into existing legal frameworks regarding cyber crime, and it has resulted in many of the successful prosecutions to date.

The body of statutes and regulations encompassing federal criminal law has grown considerably in the past few decades, and federal law can affect people in unusual and unexpected ways. In a case that made headlines in 2015, federal prosecutors used a confluence of two areas of criminal law, financial fraud and terrorism, to charge a man in connection with the April 2013 Boston Marathon bombing. United States v. Matanov, No. 1:14-cr-10159, indictment (D. Mass., May 29, 2014). Prosecutors conceded that the defendant, who knew the two bombers, was not involved in the bombing and had no advance knowledge of it. Instead, they charged him with offenses related to false statements and destruction of evidence because he deleted his browser history.

The charges against the defendant were based on a law, known as the Sarbanes-Oxley Act, passed in the wake of the Enron scandal in 2002. Pub. L. 107-204, 116 Stat. 745. The law added a section to the chapter of the federal criminal code dealing with obstruction of justice, making it an offense to “destroy[]…any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation…of any matter within the jurisdiction of any department or agency of the United States…or in relation to or contemplation of any such matter or case…” Pub. L. 107-204 § 802(a), 116 Stat. 800; 18 U.S.C. § 1519. Interpreted broadly, this could allow a prosecution for disposing of records that could be used in a hypothetical future federal investigation. In the defendant’s case, prosecutors accused him of destroying evidence needed in the investigation of the Boston Marathon bombing.

The bombing occurred on April 15, 2013 along the route of the Boston Marathon. Two bombs exploded, killing three people and wounding hundreds. The suspects killed a police officer on April 18, and a massive manhunt led to the death of one bombing suspect in the early morning of April 19 and the arrest of the other later that day. The surviving suspect was convicted of all charged offenses in April 2015, and a jury sentenced him to death in May.

An executive assistant’s personal use of corporate credit accounts resulted in a federal charge of wire fraud. United States v. Coulman, No. 3:14-cr-02424, information (S.D. Cal., Aug. 27, 2014). Prosecutors alleged that the defendant used corporate credit cards to purchase vacations, electronics, clothing, and other goods, as well as attempting to conceal her activities from her employer. Prosecutors got a bit creative, alleging a connection between the defendant’s scheme and interstate commerce in order to establish federal jurisdiction. The defendant waived indictment and entered a guilty plea on the day federal prosecutors filed the information. The court sentenced the defendant in August 2015 to 21 months in prison and ordered her to pay the amount she was accused of misappropriating—nearly $1 million—in restitution.

According to the government’s information, the defendant began working for Hewlett-Packard (HP) in 2000, and she remained there until 2012. She worked as the executive assistant to one of the company’s vice presidents during the last four years of her employment. Part of that job involved “review[ing] monthly credit card statements and submit[ting] the related expense reports, receipts, and supporting documentation to HP program administrators.” Id. at 1-2. She also responded to questions from program administrators about expenditures and expense reports. Prosecutors noted that she had access to the vice president’s email account, “which included the ability to delete emails received by, and send emails from [that] account.” Id. at 2.

Prosecutors described a scheme by which the defendant used corporate credit cards for multiple unauthorized expenses, including over $350,000 for a business operated by her brother, more than $100,000 at a “resort spa,” id. at 3, airfare and hotels for trips to Hawaii and Europe, and purchases at the Apple Store and several high-end department stores. The total amount of fraudulent expenditures, according to the FBI, exceeded $954,000.
