Articles Posted in Cyber Crimes

Cybersecurity has become an issue of national importance in recent years as people entrust more and more personal information to various companies, and as other companies compile massive amounts of personal information from various sources. Businesses that maintain databases of personal information must take reasonable measures to keep this information secure, and they must also disclose cybersecurity breaches to affected people or the general public. In early September 2017, a major credit reporting agency (CRA) disclosed a hack that potentially compromised millions of people’s personal data several months earlier. The Department of Justice (DOJ) has reportedly opened an investigation into several of the CRA’s executives for alleged actions between the time the company learned of the breach and the time it announced it to the public. The investigation does not concern the breach itself but allegations that the executives sold stock in the company because of the anticipated impact of the announcement on the stock price. This is also known, in both federal and Texas white-collar criminal laws, as insider trading.Federal securities statutes do not identify “insider trading” as a distinct offense. The Securities Exchange Act of 1934 prohibits the use of “manipulative and deceptive devices” in connection with publicly traded securities, including stocks. 15 U.S.C. § 78j. The Securities and Exchange Commission (SEC) expounds on this provision in its regulations. Rule 10b5-1 states that it is a manipulative and deceptive device to buy or sell a publicly traded security “on the basis of material nonpublic information.” 17 C.F.R. § 240.10b5-1(a). Willful violations of these provisions by an individual can result in a fine of up to $5 million and a prison sentence of up to 20 years, 15 U.S.C. § 78ff(a), but the burden of proof for the state is substantial.

The CRA, Equifax, is one of the main agencies in the U.S. that collect and compile consumer credit information, using this information to generate credit reports and credit scores. The company reportedly experienced a massive cybersecurity attack between May and July 2017. During this time, hackers obtained personal information, including names, addresses, and Social Security numbers, for about 143 million people. (For the sake of scale, this is somewhat less than half the total population of the United States, or about equal to the population of Russia.) The company reportedly learned of the hack in late July but did not announce it to the public until early September.

After the announcement of the hack, Equifax’s share price reportedly dropped by more than a third over several weeks. Federal securities regulators apparently noticed, through regulatory filings, that several executives at the CRA had sold some of their stock in the company before the announcement. Specifically, they are investigating allegations that three executives sold $1.8 million worth of stock outside of any scheduled plans for stock trades.

The term “white collar crime” refers to a wide range of offenses involving financial and commercial activities. Many federal statutes dealing with financial regulations have both civil and criminal enforcement provisions. This means that the government can bring a civil lawsuit, which could result in penalties and damages, or a criminal prosecution, which could result in a fine and a prison sentence. Antitrust law deals with monopolistic and other anticompetitive practices by businesses. Most federal antitrust cases involve civil enforcement, but one statute allows criminal prosecution by the Department of Justice (DOJ). An online retail company recently pleaded guilty to criminal antitrust violations in a Texas white collar prosecution. United States v. Zaappaaz, Inc., No. 4:17-cr-00477, information (S.D. Tex., Aug. 7, 2017). Its president also pleaded guilty to a similar charge. United States v. Makanojiya, No. 4:17-cr-00478, information (S.D. Tex., Aug. 7, 2017).

The Sherman Antitrust Act of 1890 was the first major federal statute addressing anticompetitive business practices. It prohibits contracts and conspiracies “in restraint of trade or commerce” across state lines. 15 U.S.C. § 1. The purpose of this statute, according to the Supreme Court, “is to protect the public from the failure of the market” by prohibiting “conduct which unfairly tends to destroy competition itself.” Spectrum Sports, Inc. v. McQuillan, 506 U.S. 447, 458 (1993). Criminal penalties may include up to 10 years in prison. Congress has amended the statute over the years to increase the monetary penalties. Originally, the law provided for a fine of up to $5,000. Since 2004, the maximum penalty has been $100 million for a corporation, or $1 million for an individual or an organization other than a corporation. Additionally, private parties may be able to file civil lawsuits for antitrust violations that directly caused them harm.

The corporate defendant is a Texas corporation that sells “customized promotional products, including wristbands and lanyards,” through several websites. Zaappaaz, information at 1. The government alleged that the defendant conspired with other e-commerce businesses involved in the sale of similar products “to suppress and eliminate competition by fixing and maintaining prices.” Id. at 2. The defendant allegedly made these agreements at in-person meetings or in communications through text messaging and social media platforms. This occurred from approximately October 2014 until about June 2016. The information in Makanojiya makes almost identical allegations against that defendant, identifying him as the president and director of the corporate defendant.

The protection of intellectual property is critically important for many businesses, particularly in the electronics and technology industries. Computer and software companies rely extensively on copyright, trademark, and patent protections. Most acts of alleged copyright infringement result in civil claims, but federal criminal law allows prosecution in some situations. An individual often described as a “e-waste recycler” is facing a prison sentence for acts that he stated were intended to help extend the lives of personal computers, but which a major software company considered infringement. Prosecutors indicted him on 21 counts in 2016. United States v. Lundgren, No. 16-cr-80090, superseding indictment (S.D. Fla., Feb. 2, 2017). Last year, he pleaded guilty to two counts, criminal copyright infringement and conspiracy to traffic in counterfeit goods. An appeals court has now affirmed the district judge’s sentence of 15 months’ imprisonment and a $50,000 fine. United States v. Lundgren, No. 17-12466, slip op. (11th Cir., Apr. 11, 2018).

Copyright infringement involves the use of copyrighted material without a license from the copyright owner. It becomes a criminal offense when a person infringes a copyright “willfully,” and “for purposes of commercial advantage or private financial gain.” 17 U.S.C. § 506(a)(1)(A). The penalty for criminal copyright infringement depends in part on the number of copies made of any infringed works and their total value. If a defendant is found to have produced or distributed 10 or more copies, “including by electronic means,” they could face up to five years in prison and a fine. 18 U.S.C. § 2319(b)(1).

The defendant in Lundgren operated a business that refurbished discarded electronic devices, such as cell phones, for resale. His legal problems began when he attempted to take on the issue of “planned obsolescence.” This is a practice by many designers and manufacturers to set a limit on the useful life of a product or device, requiring consumers to purchase a new one. Light bulbs offer one example. While they reportedly could last much longer, light bulb manufacturers design them with a limited life span. Computers and cell phones become effectively unusable as newer software and hardware enter the market.

The First Amendment to the U.S. Constitution guarantees the right to freedom of speech. Generally speaking, the government cannot restrain people’s speech through criminal penalties. Certain forms of speech, however, are not protected. The government may enact restrictions on speech when the restriction is closely related to a legitimate government function or public interest, and it is narrow enough to serve that purpose without burdening other rights. The U.S. Supreme Court recently ruled on a challenge to a state law that made it a felony for individuals with certain criminal convictions to use social media networks. No comparable restriction exists in Texas criminal statutes, but the ruling could still have an impact here. The court found that the statute violated the First Amendment, since the state could achieve its purpose in other, less restrictive ways. Packingham v. North Carolina, 582 U.S. ___ (2017).

The law at issue in Packingham deals with registered sex offenders. The precise definition of a registered sex offender varies from one state to the next, and it is frequently subject to amendment by lawmakers. Politicians often couple the term with an express or implied statement about danger to children. Protecting children from harm is a legitimate public interest, but the extent to which lawmakers may go in furtherance of this interest is a matter of ongoing debate.

Under § 14-202.5 of the North Carolina General Statutes, a registered sex offender commits a felony if they access a “commercial social networking Web site” of which they know minors can become members. The statute defines “commercial social networking Web site” very broadly based on four criteria:  the site (1) obtains revenue from membership fees or advertising; (2) “facilitates social introduction” between people; (3) allows the creation of individual pages that could contain personal information; and (4) enables users to communicate with one another.

The criminal justice system must constantly adapt to changes brought by the increased use of the internet. Legal doctrines that once only applied to physical searches of people’s homes must now regulate “virtual” searches. Several years ago, federal prosecutors charged an individual with multiple offenses arising from his alleged administration of an online marketplace for illegal drugs and other contraband. It was reportedly the first prosecution involving the drug trade on the so-called “dark net.” A jury convicted the defendant on all seven counts in the government’s indictment, which included drug-related offenses, racketeering, and computer fraud. A judge sentenced him to life imprisonment. In May 2017, a federal appellate court denied his appeal, in which he argued in part that his Fourth Amendment rights had been violated. United States v. Ulbricht, No. 15-1815, slip op. (2d Cir., May 31, 2017).

Federal law allows law enforcement to monitor electronic communications under strict limitations. Two types of surveillance allowed by federal law are known as “pen registers” and “trap and trace devices.” A pen register “records or decodes dialing, routing, addressing, or signaling information transmitted by” a telephone or other device. 18 U.S.C. § 3127(3). A trap and trace device “captures the incoming electronic or other impulses,” allowing law enforcement “to identify the source of a wire or electronic communication.” Id. at § 3127(4). Neither device may capture or record “the contents of any communication.” Id. They provide law enforcement with a record that shows the source, destination, and duration of phone calls and other communications.

Continue reading

Cyber crime, as an area of legal practice, regularly presents new challenges on both sides of the criminal justice system. Despite new technologies and new laws, prosecutors often use laws that have been around since telephones were still relatively new to take on alleged schemes that rely heavily on the internet. Federal prosecutors recently brought fraud charges against a pair of defendants accused of an elaborate scheme involving false claims of online copyright infringement. United States v. PH, et al., No. 0:16-cr-00334, indictment (D. Minn., Dec. 14, 2016). The case illustrates many of the unusual challenges of cyber crime law.

Copyright protection gives an author of creative works, such as books and films, the exclusive right to use, distribute, display, or license the use of a copyrighted work. The use of a copyrighted work without the copyright owner’s permission may constitute copyright infringement and could potentially result in liability to the owner. Willful copyright infringement may carry criminal penalties in certain circumstances. 17 U.S.C. § 506, 18 U.S.C. § 2319. In any case of alleged non-criminal copyright infringement, the copyright owner is responsible for pursuing the alleged infringer.

The PH case does not involve alleged criminal copyright infringement. The defendants were charged with mail and wire fraud for allegedly sending out fraudulent claims of copyright infringement with settlement demands. Federal law prohibits any “scheme or artifice to defraud” that affects interstate commerce, such as through the use of the U.S. Postal Service—more commonly known as mail fraud. 18 U.S.C. § 1341. Fraudulent schemes that involve the use of interstate or foreign “wire, radio, or television communication” are categorized as wire fraud. Id. at § 1343.

Continue reading

The Fourth Amendment to the U.S. Constitution requires law enforcement officials to obtain a warrant prior to searching an individual’s personal effects or seizing their property. The warrant must demonstrate probable cause to believe that the search or seizure will reveal evidence related to a criminal investigation. These protections apply both to a person’s physical effects, such as documents and other materials, and to their “electronically stored information” (ESI). The extent to which a warrant may allow law enforcement to search and seize ESI is still a matter of dispute. A federal judge issued a ruling in late 2016 that seems to grant broad powers to law enforcement to seize ESI. The court found that the Federal Rules of Criminal Procedure and the Stored Communications Act (SCA) required a provider of email services to turn over the entire contents of several email accounts. In re Microsoft Corp., No. 2:16-mj-08036, mem. order (D. Kan., Sep. 28, 2016).

At the time the Fourth Amendment was drafted and ratified in the 18th century, people’s personal effects mostly consisted of materials that they kept on their person or in their residence. This remained true for nearly two centuries, until computers became widespread, and people began using third-party internet service providers (ISPs) to communicate. Private communications, which enjoy the Fourth Amendment’s protection from warrantless searches and seizures, may now reside on servers maintained by ISPs, with the owner of those communications having the right to access them.

The third-party doctrine, which holds that information voluntarily disclosed to others is no longer protected by the Fourth Amendment, would seem to make communications stored by ISPs accessible to law enforcement—this seems to fit the letter of that particular doctrine, if not its spirit. The SCA attempts to reconcile the use of third-party ISPs with the Fourth Amendment, establishing requirements for warrants issued to ISPs. 18 U.S.C. § 2703. Procedural rules also address warrants for ESI. See Fed. R. Crim. P. 41(e)(2)(B).
Continue reading

The Fourth Amendment’s guarantee of people’s right “to be secure in their persons, houses, papers, and effects” has gained new meanings as computer technology enables people to store their personal communications, such as email, on remote servers operated by third-party service providers. Courts have repeatedly had to consider whether data stored remotely remains “private” for the purposes of the Fourth Amendment. Federal law allows law enforcement to access emails and other remotely stored data without a warrant under certain circumstances. Texas became one of the first states to require a search warrant for such materials in 2013, and several other states have followed suit. In June 2016, the U.S. House of Representatives passed H.R. 699, the Email Privacy Act (EPA), which would apply the same restrictions as those found in Texas law. The bill is now pending in the Senate.

The Supreme Court, when determining whether police must obtain a warrant for certain types of materials or information, looks at whether a person has a reasonable expectation of privacy in that particular area. The “third-party doctrine” holds that a person has no reasonable expectation of privacy in materials that they have voluntarily given to a third party. See Smith v. Maryland, 442 U.S. 735 (1979). “Cloud computing,” which refers to the use of remote servers to store data, instead of local devices like personal computers or smartphones, has raised numerous questions and concerns regarding the third-party doctrine.

Most Supreme Court rulings on the third-party doctrine involve information given out once, such as the numbers of outgoing phone calls in Smith. Cloud computing, on the other hand, involves data that people store with the intention of accessing it repeatedly. Email service providers, for example, frequently offer remote hosting to consumers free of charge, allowing people to access their email from multiple devices and locations. This is not the same type of activity addressed in the most influential third-party doctrine court cases, all of which predate the widespread availability of cloud computing.

Continue reading

Unauthorized access to computer systems, commonly known as “hacking,” undoubtedly causes significant damage to individuals and businesses around the country. As often happens, however, the law has had difficulty keeping up with new technology. Federal law prohibits a wide range of computer fraud-related activities, but most offenses require proof that a defendant acted with intent, which is the most difficult mental state for prosecutors to prove. Perhaps as a result, some prosecutors have developed creative strategies to pursue alleged hackers. In one recently filed case, federal prosecutors have charged an individual under the federal hacking statute with no allegations that he personally engaged in any hacking activities. Instead, they essentially allege that he developed software with the intent that it would be used by hackers. United States v. Huddleston, No. 1:17-cr-00034, indictment (E.D. Va., Feb. 16, 2017).

Congress first enacted a criminal statute related to computer fraud, found at 18 U.S.C. § 1030, in 1984. It has amended this section numerous times over the years, perhaps most notably in 1986 with the Computer Fraud and Abuse Act (CFAA). That bill significantly expanded the legal definition of “computer fraud.” The original 1984 law made it a federal crime to access computer systems of the federal government or a financial institution without authorization. The CFAA added provisions about unauthorized access, or access that exceeds granted authority, to any “protected computer,” which it defined to include nearly any computer whose use affects interstate commerce. 18 U.S.C. §§ 1030(a)(4) – (6), (e)(2)(B).

Federal prosecutors are not accusing the defendant in Huddleston of hacking anybody. Instead, the alleged conduct leading to the indictment consisted solely of developing a software tool reportedly used by hackers. According to the indictment, the defendant created a “remote administration tool,” or “remote access trojan” (RAT), a type of software that allows a user to take control of someone else’s computer without their knowledge or consent. This RAT has allegedly been used in multiple cyberattacks around the world. Prosecutors allege that the defendant created this software for the specific purpose of making it available to hackers.

Continue reading

The term “cybercrime” covers a vast array of acts involving computers and other technologies. The difficulty in defining “cybercrime” can occasionally lead to prosecutions for activities that might not seem particularly criminal but that arguably fit within a statute’s definition of prohibited conduct. The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, has been a subject of criticism as prosecutors use it in creative ways to pursue alleged cybercriminals. In one recent case, prosecutors charged a former newspaper employee under the CFAA for giving unauthorized access to newspaper servers. He was convicted and sentenced to two years in prison. United States v. Keys, No. 2:13-cr-00082, superseding indictment (E.D. Cal., Dec. 4, 2014). A federal appellate court in another case held that using someone else’s password to access certain computer systems violates the CFAA. United States v. Nosal, No. 14-10037, slip op. (9th Cir., Jul. 5, 2016).

Congress enacted the CFAA in 1986 as an amendment to the Comprehensive Crime Control Act of 1984. It has amended the law several more times, including in 2001 as part of the Patriot Act and most recently in 2008. The law covers a wide range of activities that center on unauthorized access to “protected computers,” defined very broadly as any computer used by a financial institution or the federal government, or used “in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2).

The defendant in Key was a journalist and blogger for the Los Angeles Times. Prosecutors alleged that he helped members of the hacker group Anonymous gain access to the newspaper’s servers in late 2010. The hackers used this access to modify a news article posted to the Los Angeles Times’ website. The modified story was only up for about 40 minutes, and it was not clear if either the newspaper or its parent company suffered any financial loss.

Continue reading

Contact Information