Category Archives: Computer Crime

Ordering defendant to decrypt hard drive did not violate her Fifth Amendment rights

U.S. v. Fricosu, 10-CR-00509 (D. Colo. January 23, 2012)

Pursuant to a warrant, federal agents seized defendant’s laptop from her home. When investigators turned it on, they saw the hard drive’s contents were encrypted using PGP Desktop. Defendant would not voluntarily turn over the password to decrypt the drive, so the Government filed an application under the All Writs Act to require defendant to “assist” in the execution of the search warrant. Defendant objected, asserting her privilege against self-incrimination under the Fifth Amendment.

The court rejected defendant’s arguments, granted the Government’s application and ordered defendant to provide an unencrypted copy of the hard drive. It found that the situation did not implicate defendant’s Fifth Amendment rights.

The Fifth Amendment provides that no person shall be compelled in any criminal case to be a witness against himself. For the most part, this privilege only covers testimony. But an act that implicitly communicates a statement of fact may be within the purview of the privilege as well. For example, producing a document (or electronic data, for that matter) is an acknowledgment that the material:

  • exists
  • is in the possession or control of the producer
  • is authentic (i.e., is what it purports to be)

The court held that defendant’s Fifth Amendment rights were not implicated because providing an unencrypted copy of the hard drive did not serve to accomplish any of the three points listed above.

The feds had confiscated the computer, so they knew of the location and existence of the computer files. (The court found that the fact that investigators did not know the specific content of any specific files on the computer did not matter.) And as for the authenticity of the computer files, the government would presumably be able to establish that in other ways. Among other things, the computer was found in defendant’s bedroom. Information on the screen that showed up when it was turned on contained defendant’s first name. And perhaps most damningly, investigators had a taped phone conversation between defendant and her ex-husband discussing the computer and the fact it was password protected.

Video: my appearance on the news talking about isanyoneup.com

Last night I appeared in a piece that aired on the 9 o’clock news here in Chicago, talking about the legal issues surrounding isanyoneup.com. (That site is definitely NSFW and I’m not linking to it because it doesn’t deserve the page rank help.) The site presents some interesting legal questions, like whether and to what extent it is shielded by Section 230 of the Communications Decency Act for the harm that arises from the content it publishes (I don’t think it is shielded completely). The site also engages in some pretty blatant copyright infringement, and does not enjoy safe harbor protection under the Digital Millennium Copyright Act.


Impostor bids in online auction sufficient allegation of interrupted service under CFAA

Yoder v. Equipmentfacts, 2011 WL 2433504 (N.D.Ohio June 14, 2011)

[This is a post by Jackson Cooper. Jackson graduated from DePaul University College of Law in May 2011 with a certificate in intellectual property and information technology law. Jackson also recently passed the Kentucky bar exam and will begin practicing soon. You can find him online at jacksonccooper.com or follow him on Twitter at @jacksoncooper.]

The plaintiffs here were an auction company and a firm employed to assist them with running a private online auction. They sued the defendant, a firm previously employed by the auction company to assist them with running online auctions. The plaintiffs alleged violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, stemming from the defendant’s unauthorized access to a private auction conducted by the plaintiffs after the defendant’s relationship with the auction company was terminated. According to the plaintiffs, the defendant made unauthorized access to the auction system using an administrative user name and password to post negative comments, and later impersonated a customer in order to place fraudulent bids as that customer. The plaintiffs further alleged that the defendant, posing as a customer, won auctions for over one million dollars of equipment and failed to pay on those winning bids.

The defendant asked the court to dismiss the CFAA claim, challenging the plaintiffs’ pleadings on the issue of “loss” as defined by the CFAA. The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Plaintiffs alleged lost commission resulting from the defendant’s fraudulent bids and resulting failed auctions. Defendant claimed that the small-scale sabotage at issue here did not satisfy the “interruption of service” requirement, and therefore could not support the claimed violation of the CFAA.

The court, noting the lack of a definition of “interruption of service” in the statute and the lack of case law dealing with disruptions of this type, treated the issue as one of first impression. The court concluded that the disruption alleged here was sufficient to support the “interruption of service” requirement in the CFAA.

The court found that the defendant’s alleged “intentional disruption of even a portion of the online auction” constituted an interruption of the service of the site. Although the auction system was not taken offline by defendant’s alleged activities, the court found that thwarting individual transactions and the resulting denial of service to plaintiffs and their customers was an interruption as envisioned by the statute.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

Court upholds criminal intimidation conviction over threats to distribute sexually explicit photo

State v. Noll, 2011 WL 2418895 (Ind. App. June 14, 2011) (Not selected for publication)

Defendant used a sexually explicit photo of the victim in an attempt to gain leverage in an intra-family dispute. She handed an envelope containing the photo to the victim, and indicated she would begin distributing the photo if certain demands were not met.

Defendant was convicted of intimidation under Indiana law. She sought review of her conviction. On appeal, the court affirmed.

One of the arguments that defendant made on appeal was that there was no intimidation because distribution of the photo to persons such as the victim’s husband or co-workers would not subject her to hatred, contempt, disgrace or ridicule as required by the Indiana statute. Defendant pointed out that the victim had posted the sexually explicit photo of herself at issue on the web five years earlier. So in essence, defendant argued, further distribution would do the victim no harm.

The court rejected this argument, finding:

The fact that [victim] already publicized the material herself certainly merits consideration, but is not alone determinative because publicizing material to a particular audience does not necessarily mean that further, targeted, publication would not lead to hatred, contempt, disgrace, or ridicule. In other words, we consider [victim’s] posting of these photographs online in the past as it might mitigate reputational consequences of [defendant] mailing the photographs to others. Although internet websites are of an unusually public and long-lasting nature, we also recognize that making an obscure set of photographs available online is qualitatively different in nature from directly mailing the same photographs as hard-copies addressed to a particular individual or company. [Victim’s] husband or employer could have discovered [victim’s] prior internet posting of the photographs, but a direct mailing is certain to reach them.

The court similarly rejected defendant’s argument that because the victim had posted the photo on the web before, she had no reasonable expectation of privacy in the photo and thus could not be the subject of intimidation. The court disagreed with the analogy to the Fourth Amendment expectation of privacy because in this case, the privacy interest was the victim’s, not the defendant’s. So use of such an analogy might “misdirect [the court] from the determinative issue of whether she would be exposed to reputational consequences.”

Violent posts on social media profile determined to be threats

This is a post by Jonathan Rogers. Jon is a licensed attorney in California, with a focus on technology and entertainment law. You can reach him by email at jon@jonarogers.com or follow him on Twitter at @jonarogers.

Holcomb v. Com., — S.E.2d —, 2011 WL 2183100 (Va.App., Jun 07, 2011)

Appellant challenged his conviction over posts he made to MySpace on his profile page, arguing that they did not constitute the knowing communications of a threat. He argued that MySpace posts were not the type of communication contemplated by the statute, and his postings did not constitute a threat. Appellant posted violent original lyrics which were clearly about his child’s mother.

Appellant had been convicted under a provision of Virginia law that provides:

Code § 18.2–60(A)(1):

Any person who knowingly communicates, in a writing, including an electronically transmitted communication producing a visual or electronic message, a threat to kill or do bodily injury to a person, regarding that person or any member of his family, and the threat places such person in reasonable apprehension of death or bodily injury to himself or his family member, is guilty of a Class 6 felony.

Appellant argued that he did not knowingly communicate the posts within the meaning of the statute because he posted them through his profile, which was available for anyone to view, as opposed to a communication aimed directly at the victim. The court found that there was no requirement that a threat be communicated directly to the intended victim. It instead focused on the fact that an “electronically transmitted communication” produced a “visual or electronic message” that could be viewed by anyone accessing the MySpace profile. It was enough that the victim was able to identify herself based on the references in his posts and that the appellant knew the victim had access to the profile. In fact, the court found, he knew she had viewed it previously.

Appellant’s second argument was that the posts were not threats under the statute. He argued they were lyrics which he had a history of writing and posting on his profile. The court disagreed, finding that because of specific references to the victim, and the unusual subject matter of the lyrics, the post contained statements that would place the victim in “reasonable apprehension of death or bodily injury.” The court pointed to actions taken by the victim, including moving in with her parents, and her testimony that she felt scared after seeing the postings.

The court found the online postings to MySpace were threats which placed the victim in apprehension. So the court upheld the convictions.

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He asserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

Court says law firm did not eavesdrop on employee phone calls

Bowden v. Kirkland & Ellis, 2011 WL 1211555 (7th Cir. April 1, 2011)

Two former employees of a law firm sued the firm for violation of the Electronic Communications Privacy Act, 18 USC 2510 et seq. and for violation of the Illinois Eavesdropping Act, 720 ILCS 5/14-2. The district court granted summary judgment in favor of the law firm. The former employees sought review with the Seventh Circuit. On appeal, the court affirmed the grant of summary judgment.

The court held that the former employees’ evidence of eavesdropping raised no more than a “theoretical possibility” of a violation. Even one of the strongest experts in the case triple hedged his testimony, saying the records “could indicate the potential that interception may have occurred.” So the grant of summary judgment was proper.

The plaintiffs had also raised an electronic discovery issue, namely a claim that the law firm spoliated evidence by destroying a server that contained phone records relevant to the case. The court rejected that argument, finding no credible evidence that the destruction was undertaken in bad faith.