Category Archives: Computer Crime

What is a reasonable cost that should count as loss under the Computer Fraud and Abuse Act?

1st Rate Mortg. Corp. v. Vision Mortgage Services Corp., 2011 WL 666088 (E.D.Wis. Feb. 14, 2011)

The Computer Fraud and Abuse Act (CFAA) is a popular weapon that employers use against former employees who steal information on the job. But since the employees just use their credentials to get information off the server, there really is no security breach that occurs in those inside jobs.

So you might tend to agree that the employer overreacts when, after discovering the nefarious acts of its employees, it conducts a thorough and expensive security analysis of its whole system. Just delete the offending employees’ accounts and move on, right?

And this overreaction shouldn’t give the employer something to sue over that it would not have had if it reacted reasonably to the threat, don’t you think? After all, plaintiffs have a duty to mitigate their damages.

The defendants (accused former employee information thieves) in a recent federal case in Wisconsin argued along these lines in their summary judgment brief. But the court did not buy it at the summary judgment stage – whether a CFAA plaintiff’s reaction to alleged theft is “reasonable” should be answered by the jury.

The CFAA allows a plaintiff to recover its “loss.” And courts have interpreted the term “loss” to include the cost of responding to a security breach. But the statute says that loss includes the “reasonable cost to any victim.”

In this case, defendants argued that the employer’s overreaction in doing a system-wide analysis caused the employer to incur an unreasonable (and therefore uncompensable) cost. The court held, however, that “[w]hat matters is whether the employer’s reaction was reasonable, not whether it was strictly necessary to continuing in business.” A jury may well conclude the reaction and its related costs were appropriate.

Decision suggests that sexting by minors would violate federal child porn laws

Clark v. Roccanova, 2011 WL 665621 (E.D. Ky. February 14, 2011)

Is there a violation of the federal laws against child pornography when the accused himself is a minor? A Kentucky federal court says yes.

Three 14-year-old boys allegedly “coerced, enticed and persuaded” a 14-year-old girl to make a sexually explicit video. Later the three boys transmitted the video over the internet. The girl filed a civil suit against the boys for violations of 18 USC §§2251 and 2252.

The defendants moved to dismiss, arguing that the statutes covered only the conduct of adults. The court rejected that argument. It found that nothing in the plain language of the statutes, nor in the legislative history, supported such an interpretation.

Both statutes prohibit creation, possession and transmission of child pornography by any “person.” While “person” is not defined in 18 U.S.C. §2256, the statute’s definition of “identifiable minor” begins by stating that a minor is a “person.” 18 U.S.C. § 2256(9)(A). The court found that indicates that “person” is meant to refer to an individual of any age, not just an adult.

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta

Palin email hacker conviction survives motion for acquittal

U.S. v. Kernell, No. 08-CR-142 (E.D. Tenn. September 23, 2010)

A federal jury convicted defendant for a number of crimes related to his hacking into Sarah Palin’s Yahoo email account in September 2008. One of the crimes the jury convicted him of was the “destruction or alteration of a record or document with the intent to obstruct an investigation” (a violation of 18 USC 1519).

After hacking into Palin’s account, but before the formal FBI investigation began, defendant deleted some Palin family pictures he had downloaded from the account, uninstalled his web browser, and defragmented his hard drive.

Defendant moved for a “judgment of acquittal”, arguing that the evidence was insufficent to support his convictions. The court denied the motion.

The court found that the Government offered sufficient proof to support the conviction. Even though defendant preserved (did not destroy) his computer, spoke with an FBI agent investigating the matter and advised his friends to be truthful in what they said about the case, the court looked to the totality of the evidence as supporting defendant’s guilt.

Given that defendant deleted images from his computer that he had downloaded from Palin’s account, and had run web searches on “legalities email” and “soppenaing [sic.] ip addresses”, a rational jury could find him guilty. So the jury verdit stood.

Divorce attorney did not conspire to violate the Electronic Communications Privacy Act

Court declines to recognize secondary liability for civil ECPA violation, holding that defendant’s divorce lawyer could not be a conspirator in a civil action alleging email interception.

Garback v. Lossing, 2010 WL 3733971 (E.D.Mich. September 20, 2010)

Plaintiff sued his ex-wife’s attorney for violation of the Electronic Communications Privacy Act. He claimed that his ex-wife, her attorney and some other defendants (including a computer forensics firm) acted together to violate the ECPA by “hacking” into plaintiff’s email account. The ex-wife allegedly used information gathered in this process to negotiate a more favorable divorce settlement.

The defendant attorney moved to dismiss for failure to state a claim upon which relief may be granted. The court granted the motion.

The court found that in plaintiff’s “inartful” pleading, he had failed to allege that the defendant attorney had actually intercepted or knowingly used information obtained in violation of the ECPA. Plaintiff argued that this failure was not fatal, however, in that he had alleged that the defendant attorney conspired to intercept emails.

Rejecting this argument, the court observed that “normally federal courts refrain from creating secondary liability that is not specified by statute.” Finding no textual support in the ECPA for such secondary liability, the court declined to read ECPA’s scope so expansively. The court found the statute as being clear on who may be liable: those who intercept communications and those who get ahold of those communications knowing they were illegally obtained. So the ECPA claim failed and plaintiff was given leave to replead.

Lack of unauthorized access kills Computer Fraud and Abuse Act claim

Oce North America, Inc. v. MCS Services, Inc., No. 10-984, 2010 WL 3703277 (D.Md. September 16, 2010)

Plaintiff makes sophisticated commercial grade printers. It also produces complex software that is used to diagnose problems with the printers and to set the functionality of the machines.

A field engineer who used to work for plaintiff allegedly copied some of the software onto his laptop when he worked for plaintiff. Later he went to work for one of the defendant companies, a competitor to plaintiff that also services plaintiff’s machines. Other employees of the defendant allegedly used copies of the software to do their work for defendant.

Plaintiff sued for, among other things, violation of the Computer Fraud and Abuse Act (CFAA), which prohibits unauthorized access to protected computers. Defendants moved to dismiss. The court granted the motion.

The court held that plaintiff failed to allege that the field engineer’s access to the computer containing the software was unauthorized, because he accessed it and copied it to his laptop while he still worked for plaintiff. And that access was authorized.

As for the other defendants, the court held that the defendant company’s access to the software on the various laptops was not unauthorized. The critical point in this portion of the CFAA analysis was on whether access to the actual computer (not access to the software) was unauthorized. The defendant employees allowed access to the laptops onto which the diagnostic software was allegedly installed. So the CFAA claim failed on this basis.

Doctor’s wiretapping case under ECPA heads to trial

McCann v. Iroquois Memorial Hospital, No. 08-3420 (7th Cir. September 13, 2010)

Mystery of how doctor’s dictation machine got turned on to record conversation between doctor and hospital employee is a question for the jury and should not have been decided on summary judgment.

Two hospital employees — Dr. Lindberg and the director of physician services, Ms. McCann — had a conversation behind the doctor’s closed office door that the two of them thought was private. In their conversation, the two of them criticized hospital administration. But they did not know that the doctor’s dictation machine was recording what they said.

Dictaphone was cylinder dictation machine from...
Image via Wikipedia

How that machine got turned on is a mystery. Dr. Lindberg had been dictating radiology reports a few minutes before Ms. McCann arrived, so he may have accidentally left the machine running. But the recording of the conversation started in mid-sentence, which discredits that theory.

A member of the hospital’s transcription staff, Ms. Freed, is alleged to have come into the room during this conversation to pick up some papers, and Dr. Lindberg and Ms. McCann believe she surreptitiously turned on the machine. That would seem a plausible explanation, given that Ms. Freed supposedly had an axe to grind with Dr. Lindberg.

The recorded conversation made its way to the transcription staff, and after it was typed out, Ms. Freed forwarded it to the hospital’s CEO. Dr. Lindberg and Ms. McCann filed suit against Ms. Freed and others under the Electronic Communications Privacy Act. They claimed that by secretly turning on the dictation machine and forwarding the transcript, Ms. Freed violated the statute.

The district court granted the defendants’ motion for summary judgment. Plaintiffs sought review with the Seventh Circuit. On appeal, the court reversed in part, finding there was a genuine issue of material fact as to whether Ms. Freed was in the room and secretly turned on the dictation machine.

The court of appeals held that whether Ms. Freed was in the office on the date the recording was made was merely the subject of a “swearing contest,” and that summary judgment is not appropriate to resolve such a contest. The lower court had based its grant of summary judgment largely on the contents of the recording. At the end of the conversation, one can hear the office door close as Ms. McCann leaves. But one cannot hear the door shut with Ms. Freed would have left, during the conversation and after she allegedly turned on the dictation machine.

Viewing the facts in the light most favorable to the plaintiffs, the court found that the absence of such a sound did not prove that Ms. Freed was not there: “[N]othing in the record tells us whether the door could have been closed silently; . . . [Ms.] Freed who was conscious that she was intruding (and, perhaps, that she was being taped) may have closed the door softly to be inconspicuous.”

So the court found that whether Ms. Freed was responsible for making the recording — and by extension whether Ms. Freed intentionally intercepted the conversation between Dr. Lindberg and Ms. McCann in violation of the ECPA — was an issue for the jury, and not one for summary judgment.

play="true" align="" loop="true" quality="high"
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">

Lack of knowledge of interception causes ECPA claims against website owners to fail

Zinna v. Cook, No. 06-1733, 2010 WL 3604386 (D. Colo. September 7, 2010)

Plaintiff sued for violation of the Electronic Communications Privacy Act (ECPA) claiming that defendants intercepted his email messages and posted them to a website called ColoradoWackoExposed.com. Defendants moved for summary judgment. The court granted the motion.

It found that although similarities between messages and website content suggested that emails had been intercepted, there was no evidence showing the interception was “contemporaneous” with the messages’ transmission. (Several federal circuits require such contemporaneity. But see the Seventh Circuit’s recent opinion in U.S. v. Szymuszkiewicz for a different take.)

The court also held there was insufficient evidence to show that defendants knew the information posted on the website came about via any unlawful interception. The plaintiff’s assertions that defendants had worked with a non-party wiretapper failed to convince the court of this knowledge.

YouTube video maker who threatened judge must stay jailed awaiting trial

U.S. v. Jeffries, No. 10-CR-100, 2010 WL 3619946 (E.D. Tenn. September 13, 2010)

Defendant created and posted a video to YouTube in which he allegedly sang a song that threatened to bomb the car of a judge scheduled to hear his child custody case. Though he did not mention the judge by name, he said the song was “for you judge” and said “do not tell me I cannot curse.” (The judge had previously admonished defendant for swearing in the courtroom.)

The feds charged defendant with one count of transmitting in interstate commerce a threat to injure and kill.

Recognizing that defendant was a danger to society, the government filed a motion asking the court to order he stay in custody until trial. The court granted the motion.

The court weighed four factors in making this determination. First, the charged offense was a crime of violence (18 U.S.C. 16 defines a crime of violence as one containing an element of threatened use of force against another). Second, the evidence as to defendant’s dangerousness was great — the YouTube video was about killing and car-bombing, after all. Third, the defendant’s character (especially in the past few months) made him a risk — he had attacked a doctor, had alcohol problems, and got kicked out of military housing for firing a weapon during a dispute. Fourth, defendant was a danger to the community and to his family — he was living with his wife and children when he had fired the gun into the air.

Ohio record pirating statute preempted by Copyright Act

State v. Boyd, 2010 WL 3565414 (Ohio App. 1 Dist. September 15, 2010)

Defendant was convicted under Ohio state criminal law for selling pirated DVD movies on a street corner. This apparently was the first ever prosecution under a law — a “record pirating statute” — enacted in 1976 (which was two years before the Copyright Act took effect). Defendant sought review of his conviction with the state appellate court. On appeal, the court reversed the conviction.

The court held that the state record pirating statute (R.C. 1333.52) was preempted by Section 301 of the Copyright Act (17 U.S.C. 301).

It was not clear which subsection of the record pirating statute defendant had been accused of violating. The statute provides:

No person shall purposely do either of the following: (1) Transcribe, without the consent of the owner, any sounds recorded on a phonograph record, disc, wire, tape, film, or other article on which sounds are recorded, with intent to sell or use for profit through public performance any product derived from the transcription. . . .

and

No person shall purposely manufacture, sell, or distribute for profit any phonograph record, tape, or album of phonographic records or tapes unless the record and the outside cover, box, or jacket of the record, tape, or album clearly and conspicuously discloses the name and street address of the manufacturer of the record, tape, or album, and the name of the performer or group whose performance is recorded. . . .

The Copyright Act expressly preempts certain state-law actions. Section 301 states that all legal or equitable rights that are equivalent to any of the exclusive rights conferred by the Copyright Act and that come within the subject matter of copyright . . . are governed exclusively by the Copyright Act.

In this case, there was no dispute that the movies were within the subject matter of federal copyright law. The more detailed analysis came in examining the question of whether the work was governed exclusively by the Copyright Act. That inquiry looks to see whether there is a qualitatively different “extra element” in the state law claim beyond what is required to show copyright infringement.

The court looked to two similar Ohio cases in which defendants had engaged in similar conduct. In State v. Perry, the Ohio supreme court found that the statute supporting the prosecution for “unauthorized use of property” by uploading and downloading computer software to an internet bulletin board service was preempted. In State v. Moning, the court held that a computer crime statute that prohibited the unauthorized access to data in a database was not preempted. The unauthorized access provided the extra element in that case.