Category Archives: Computer Crime

Do certain mobile apps violate the Computer Fraud and Abuse Act?

[This is a guest post by attorney Caroline Belich. Caroline is a Chicago native, former Michigan State volleyball player, and recent admitee to the California bar with particular interest in the First Amendment.]

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030). The CFAA is a federal statute that is often used against hackers. Applying this rationale here, federal prosecutors may argue that the app makers essentially hacked users cellphones.

However, some legal experts believe that criminal charges against the app makers are unlikely. Supporting this belief is the fact that many criminal charges against companies result in non-prosecution or deferred prosecution agreements in exchange for concessions of wrongdoing or monetary payments.

But while criminal charges are doubtful, civil lawsuits by users and causes of action brought by the Federal Trade Commission (FTC) may not be. First, consumers may sue app makers for failure to notify under privacy rights claims. Second, the FTC could allege unfair and deceptive trade practices by makers for failure to inform users how their personal information is being employed. Recently, Google settled with the FTC regarding its social network, Buzz, where allegations were made about violations of users’ privacy.

In light of the potential for privacy rights violations and deceptive trade practices, the FTC has advocated a “Do Not Track” option for web browsers and cellphone users, similar to the “Do Not Call” list for telemarketing. But app makers strongly oppose this idea, of course, for various reason. First, it could obstruct their ability to collect data about their users’ utilization of their product. Second, the option could frustrate financial opportunities with third parties seeking the invaluable consumer statistics. And the third justification is best depicted by Facebook’s privacy policy – while a user may be giving away his own information, he’s not giving away that of his friends… as long as his friends haven’t shared the info with “everyone.”

So even if these criminal investigations do not come to fruition, at least the possibility is making the public aware of their rights involving smartphone products so that industry standards may be created or laws requiring notification may be made.

Sexting minor’s lawsuit against website moves forward despite her violation of federal law

Doe v. Peterson, 2011 WL 1120172 (E.D.Mich. March 24, 2011)

When plaintiff Jane Doe was seventeen years old, she took some nude photos of herself and sent them over the internet to her boyfriend. Somehow the photos ended up on an adult website owned by defendants. Doe brought a civil cause of action against defendants for violation of the federal child pornography laws and for intrusion upon seclusion, public disclosure of private facts, intentional infliction of emotional distress, and negligence.

The defendants pled an interesting affirmative defense to Doe’s claims — in pari delicto. A plaintiff’s actions that are found to be in pari delicto are just as bad or worse than what the plaintiff is suing over, so in cases like that the court will not award relief. Doe moved to strike this affirmative defense. The court granted the motion.

Although the court found that “it seems clear that [Doe was] guilty of violating federal laws prohibiting the production and distribution of child pornography,” it held that as a matter of law the doctrine of in pari delicto was not available to the defendants as an affirmative defense.

The court refused to allow “broad common-law barriers to relief where a private suit serv[ed] important public purposes.” Doe was a member of the class sought to be protected by the statute she had violated, and was not equally culpable as defendants allegedly were in permitting the distribution of the images. In this respect, it was not clear that Doe was of greater or equal fault than defendants, so the in pari delicto defense did not apply.

School didn’t violate eighth grade hacker’s due process rights by suspending him over denial of service attack

Harris ex rel. Harris v. Pontotoc County School Dist., — F.3d —, 2011 WL 814972 (5th Cir., March 10, 2011)

Back in 2008, when Derek Harris was in eighth grade, he got suspended and had to attend “alternative school” for violating the school district’s technology use policy. School officials accused Derek of possessing a keylogger program, of launching a denial of service attack on the school’s network (from the computer his mom used in her job as secretary for the elementary school’s principal), and bypassing security to access the DOS prompt. (Kudos to the kid for getting in trouble for two kinds of “D-O-S” nefariousness!)

Derek’s parents, on his behalf, sued the school in federal court, arguing that the suspension and transfer to alternative school violated his due process rights under the Fourteenth Amendment to the Constitution. The school district moved for summary judgment. The court granted the motion.

It quickly dispensed with the argument that sending Derek to an alternative school violated his rights. It observed that a school district may not withdraw the right to a public education on grounds of misconduct absent fundamentally fair procedures to determine whether the misconduct has occurred. Since transferring him to an alternative education program did not deny access to public education, it did not violate his Fourteenth Amendment rights.

The court likewise held that the suspension was proper and did not violate Derek’s constitutional interests. It reviewed the suspension in light of the 1975 Supreme Court case of Goss v. Lopez, which requires that a student being suspended be given oral or written notice of the charges against him and, if he denies them, an explanation of the evidence the authorities have and an opportunity to present his side of the story.

In this case, the court found that Derek was notified of the charges on the day he was suspended. He had numerous opportunities to meet with school officials, to hear some of the charges, and to explain and respond. The processes he was afforded, the court found, were sufficient to satisfy the Fourteenth Amendment.

Mom violated wiretap law by bugging daughter’s teddy bear to eavesdrop on dad

Lewton v. Divingnzzo, 2011 WL 692292 (D.Neb. Feb. 18, 2011)

Defendant thought her ex-husband was abusing their daughter during visitations. To prove these allegations in the custody case, defendant sewed an electronic recording device into the little girl’s favorite teddy bear. After the daughter returned from visiting with her father, the mom would unstitch the teddy bear and download the recorded conversations onto her computer.

She tried using the transcribed recordings as evidence in the state court custody proceeding. But the judge would not let them into evidence because they violated Nebraska law. The father and others whose conversations were recorded via the teddy bear sued the mom under the federal Electronic Communications Privacy Act.

Both sides moved for summary judgment. The court ruled in favor of the father, finding that the surreptitious recording did not fit into any exception of the ECPA.

The ECPA provides a private right of action to any person whose wire, oral or electronic communication is intercepted, disclosed or intentionally used in violation of the ECPA. Looking to Eighth Circuit authority, the court observed that the ECPA prohibits all wiretapping that is not specifically exempted by the statute.

No doubt this was a tough case – a parent fearing for the safety of his or her child might have strong reasons to resort to eavesdropping to protect the child. But the court was hamstrung – “[w]hile the notion that a parent or guardian should be able to listen to a child’s conversations to protect the child from harm may have merit as a matter of policy, it is for Congress, not the courts, to alter the provisions of the statute.”

The court ordered the defendant and her father (who had transcribed the recordings) to pay $10,000 to each of the offended plaintiffs. The defendant’s lawyer who had distributed the recordings to the guardian ad litem and others was found to have violated the ECPA but was not ordered to pay any money damages.

What is a reasonable cost that should count as loss under the Computer Fraud and Abuse Act?

1st Rate Mortg. Corp. v. Vision Mortgage Services Corp., 2011 WL 666088 (E.D.Wis. Feb. 14, 2011)

The Computer Fraud and Abuse Act (CFAA) is a popular weapon that employers use against former employees who steal information on the job. But since the employees just use their credentials to get information off the server, there really is no security breach that occurs in those inside jobs.

So you might tend to agree that the employer overreacts when, after discovering the nefarious acts of its employees, it conducts a thorough and expensive security analysis of its whole system. Just delete the offending employees’ accounts and move on, right?

And this overreaction shouldn’t give the employer something to sue over that it would not have had if it reacted reasonably to the threat, don’t you think? After all, plaintiffs have a duty to mitigate their damages.

The defendants (accused former employee information thieves) in a recent federal case in Wisconsin argued along these lines in their summary judgment brief. But the court did not buy it at the summary judgment stage – whether a CFAA plaintiff’s reaction to alleged theft is “reasonable” should be answered by the jury.

The CFAA allows a plaintiff to recover its “loss.” And courts have interpreted the term “loss” to include the cost of responding to a security breach. But the statute says that loss includes the “reasonable cost to any victim.”

In this case, defendants argued that the employer’s overreaction in doing a system-wide analysis caused the employer to incur an unreasonable (and therefore uncompensable) cost. The court held, however, that “[w]hat matters is whether the employer’s reaction was reasonable, not whether it was strictly necessary to continuing in business.” A jury may well conclude the reaction and its related costs were appropriate.

Decision suggests that sexting by minors would violate federal child porn laws

Clark v. Roccanova, 2011 WL 665621 (E.D. Ky. February 14, 2011)

Is there a violation of the federal laws against child pornography when the accused himself is a minor? A Kentucky federal court says yes.

Three 14-year-old boys allegedly “coerced, enticed and persuaded” a 14-year-old girl to make a sexually explicit video. Later the three boys transmitted the video over the internet. The girl filed a civil suit against the boys for violations of 18 USC §§2251 and 2252.

The defendants moved to dismiss, arguing that the statutes covered only the conduct of adults. The court rejected that argument. It found that nothing in the plain language of the statutes, nor in the legislative history, supported such an interpretation.

Both statutes prohibit creation, possession and transmission of child pornography by any “person.” While “person” is not defined in 18 U.S.C. §2256, the statute’s definition of “identifiable minor” begins by stating that a minor is a “person.” 18 U.S.C. § 2256(9)(A). The court found that indicates that “person” is meant to refer to an individual of any age, not just an adult.

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta

Palin email hacker conviction survives motion for acquittal

U.S. v. Kernell, No. 08-CR-142 (E.D. Tenn. September 23, 2010)

A federal jury convicted defendant for a number of crimes related to his hacking into Sarah Palin’s Yahoo email account in September 2008. One of the crimes the jury convicted him of was the “destruction or alteration of a record or document with the intent to obstruct an investigation” (a violation of 18 USC 1519).

After hacking into Palin’s account, but before the formal FBI investigation began, defendant deleted some Palin family pictures he had downloaded from the account, uninstalled his web browser, and defragmented his hard drive.

Defendant moved for a “judgment of acquittal”, arguing that the evidence was insufficent to support his convictions. The court denied the motion.

The court found that the Government offered sufficient proof to support the conviction. Even though defendant preserved (did not destroy) his computer, spoke with an FBI agent investigating the matter and advised his friends to be truthful in what they said about the case, the court looked to the totality of the evidence as supporting defendant’s guilt.

Given that defendant deleted images from his computer that he had downloaded from Palin’s account, and had run web searches on “legalities email” and “soppenaing [sic.] ip addresses”, a rational jury could find him guilty. So the jury verdit stood.

Divorce attorney did not conspire to violate the Electronic Communications Privacy Act

Court declines to recognize secondary liability for civil ECPA violation, holding that defendant’s divorce lawyer could not be a conspirator in a civil action alleging email interception.

Garback v. Lossing, 2010 WL 3733971 (E.D.Mich. September 20, 2010)

Plaintiff sued his ex-wife’s attorney for violation of the Electronic Communications Privacy Act. He claimed that his ex-wife, her attorney and some other defendants (including a computer forensics firm) acted together to violate the ECPA by “hacking” into plaintiff’s email account. The ex-wife allegedly used information gathered in this process to negotiate a more favorable divorce settlement.

The defendant attorney moved to dismiss for failure to state a claim upon which relief may be granted. The court granted the motion.

The court found that in plaintiff’s “inartful” pleading, he had failed to allege that the defendant attorney had actually intercepted or knowingly used information obtained in violation of the ECPA. Plaintiff argued that this failure was not fatal, however, in that he had alleged that the defendant attorney conspired to intercept emails.

Rejecting this argument, the court observed that “normally federal courts refrain from creating secondary liability that is not specified by statute.” Finding no textual support in the ECPA for such secondary liability, the court declined to read ECPA’s scope so expansively. The court found the statute as being clear on who may be liable: those who intercept communications and those who get ahold of those communications knowing they were illegally obtained. So the ECPA claim failed and plaintiff was given leave to replead.

Lack of unauthorized access kills Computer Fraud and Abuse Act claim

Oce North America, Inc. v. MCS Services, Inc., No. 10-984, 2010 WL 3703277 (D.Md. September 16, 2010)

Plaintiff makes sophisticated commercial grade printers. It also produces complex software that is used to diagnose problems with the printers and to set the functionality of the machines.

A field engineer who used to work for plaintiff allegedly copied some of the software onto his laptop when he worked for plaintiff. Later he went to work for one of the defendant companies, a competitor to plaintiff that also services plaintiff’s machines. Other employees of the defendant allegedly used copies of the software to do their work for defendant.

Plaintiff sued for, among other things, violation of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to protected computers. Defendants moved to dismiss. The court granted the motion.

The court held that plaintiff failed to allege that the field engineer’s access to the computer containing the software was unauthorized, because he accessed it and copied it to his laptop while he still worked for plaintiff. And that access was authorized.

As for the other defendants, the court held that the defendant company’s access to the software on the various laptops was not unauthorized. The critical point in this portion of the CFAA analysis was on whether access to the actual computer (not access to the software) was unauthorized. The defendant employees allowed access to the laptops onto which the diagnostic software was allegedly installed. So the CFAA claim failed on this basis.