Category Archives: Computer Crime

New law to criminalize trickery by adult website owners

According to this article, President Bush is expected to sign the Child Protection Safety Act (also known as the Walsh Act), touted as “the most extensive rewriting of federal laws relating to child pornography, sex offender registration and child exploitation in a decade.”

The comprehensive legislation will establish, among other things, a national sex offender registry, and will provide funding for pilot programs to implement GPS technology in tracking convicted sex offenders.

Of particular importance to website owners is a provision in the act that would make it a crime to “knowingly embed[] words or digital images into the source code of a website with the intent to deceive a person into viewing material constituting obscenity.” Moreover, the act would prohibit adding content to a site with “the intent to deceive a minor into viewing material harmful to minors on the Internet.”

Selling fake software on can get you five years in prison

[Thanks to Tech Law Advisor for alerting me to this case.]

Defendant Banks devised a scheme where he would make copies of various Microsoft products and sell them through to buyers who purchased them cash-on-delivery. After getting orders for at least $300,000 worth of software in this way, the plan began to collapse. Dissatisfied customers turned Banks in to the FBI, and a federal grand jury indicted him on several counts, including mail fraud, possessing false securities, and criminal copyright infringement. A jury convicted him, and he got five years in prison.

Banks appealed his conviction and sentence, but the Third Circuit affirmed. On the criminal copyright infringement claim, Banks argued that the government had not introduced sufficient evidence to show that the Microsoft software was protected by copyright.

The criminal provisions of the Copyright Act, at 17 U.S.C. §506, state that

Any person who willfully infringes a copyright shall be punished as provided under [18 U.S.C. §2319], if the infringement was committed– (A) for purposes of commercial advantage or private financial gain; (B) by the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000…. (Emphasis added.)

The court held that evidence introduced at trial through an “antipiracy specialist associated with the Microsoft company” was sufficient to show Microsoft’s ownership of the copyrights in the works. In the specialist’s unrebutted testimony, she stated her “belief” that Microsoft copyrights covered the works at issue. Further, the specialist had testified that Microsoft sent Banks the same type of cease and desist letter as it did to others who were suspected of violating Microsoft’s copyrights.

One is left to wonder why the government did not introduce any of Microsoft’s copyright registration certificates in the course of proving the element of copyright ownership. One would think that that would be the best practice for making such proof. In any event, the question before the court was whether the jury correctly concluded that Microsoft owned the copyrights in the works. The antipiracy specialist’s testimony — even if a bit weak on this point — apparently was enough.

United States v. Vampire Nation, (Slip Op.) — F.3d —, 2006 WL 1679385 (3d Cir., June 20, 2006).

Second Life DoS attacks raise interesting damages issues under Computer Fraud and Abuse Act

has run a story about this past weekend’s Denial of Service (“DoS”) attacks on the servers for Second Life, the increasingly popular virtual world. Second Life is a good example of how wildly complex some online virtual worlds have become. Far from being merely for simple entertainment, Second Life supports its own economy (based on a currency called the Linden), and facilitates sophisticated human relationships. [More on Second Life.]

Linden Lab, the purveyor of Second Life, most likely has a strong cause of action under the Computer Fraud and Abuse Act (“CFAA”) against those responsible for the DoS attacks. What is most interesting about the situation, however, is the way in which the attacks demonstrate how immersion in a virtual world can bring the nature of damages for unlawful online conduct closer to one’s heart.

Traditionally, the nature of damages for violations of the CFAA has been rather predictable, and closely tied to a commercial context. For example, in Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000), the plaintiff successfully pled damage to its computers where former employees allegedly stole trade secrets and handed them over to a competitor. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) the plaintiff could recover the payment of consultant fees it had to incur in order to assess the effect of the defendant’s alleged content scraping. In U.S. v. Mitra, 405 F.3d 492 (7th Cir., 2005), the court upheld a criminal conviction under the CFAA where the defendant sent out a strong radio signal that disabled police communications.

Some of the damages in the Second Life situation could be a bit more off-the-wall. The article quotes Robin Harper, Linden Lab’s vice president of community development and support as saying, regarding the attacks, “It disrupts events. People have weddings planned or a party or something, and it gets in the way.”

These effects are probably not what Congress had in mind when it enacted the CFAA. As more “life” populates virtual worlds, however, the susceptibility to harm is likely to change in form. The Second Life situation could be a harbinger of a transforming aspect of damages.

Loading software onto a computer is a “transmission” under the Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act, at 18 U.S.C. §1030(a)(5)(A)(1), imposes liability upon a person who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”

In the recent Seventh Circuit case of International Airport Centers, L.L.C. v. Citrin, the plaintiff provided one of its employees with a laptop computer for him to use in connection with his work. The employee quit his job to start up a competing business. Before he turned in his laptop, however, he used a “secure-eraser” program to irretrievably delete the files on the laptop. According to the plaintiff’s version of the story, the defendant deleted not only information he had gathered as part of his job, but also information that would have demonstrated his improper conduct.

The plaintiff claimed that this conduct subjected the defendant to liability under the Computer Fraud and Abuse Act, and it filed suit in the U.S. District Court for the Northern District of Illinois. The district court dismissed the Computer Fraud and Abuse Act claim, holding that as a matter of law, the defendant’s alleged conduct did not give rise to a violation of the Act. Specifically, the district court determined that installing the program used to delete the material off the computer did not constitute a “transmission” as contemplated by the Act.

The Seventh Circuit disagreed and reversed the decision of the lower court. Departing from the lower court’s conclusion that a “transmission” under the Computer Fraud and Abuse Act requires some sort of “shipment or delivery of a code or a program,” the court found that the precise mode of transmission of the program onto the computer did not matter. The copying onto the hard drive, whether done through a download over the Internet, or by loading off of a disk, satisfied the statutory requirement of “transmission.”

The Court of Appeals sent the case back to the District Court.

International Airport Centers, L.L.C. v. Citrin, (Slip Op.) No. 05-1522 (7th Cir. March 8, 2006).

Computer Fraud and Abuse Act protects independent security contractor

In the case of U.S. v. Millot, the Eighth Circuit has upheld the conviction of a former systems analyst under the federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”). The appellate court affirmed the lower court’s determination that the independent contractor that was hired to fix a security problem caused by the defendant’s conduct was a “victim” as provided for under the CFAA.

When defendant Millot worked for a large pharmaceutical company, he was responsible for disabling remote access to the company’s servers once employees left the company. When Millot himself left the company, he devised a way to maintain remote access to the servers. Using this unauthorized means of access, Millot deleted the account of a high-ranking IT employee.

After Millot left the company, but before he deleted the accounts, the company outsourced all network security responsibilities to IBM. It was therefore up to IBM to restore the account and perform a security audit. IBM employees spent in excess of 400 hours un-doing the damage that Millot had done, and it billed out its employees’ time at $50 per hour, for a total cost of $20,000.

Millot was charged under the CFAA, and the matter proceeded to trial. In its instructions to the jury, the lower court classified IBM as a “victim” under the CFAA. The jury found that the costs incurred in fixing the security problem resulted in damages in excess of $5,000, thus satisfying the $5,000 minimum required for a conviction under the CFAA.

Millot challenged the jury instructions, arguing that the costs incurred by IBM should not have been considered, because the computer system was owned by the company, not IBM. The court rejected this argument:

Although the damage was done to the [company’s] computer system, the [CFAA] does not restrict consideration of losses to only the person who owns the computer system, and the district court properly instructed the jury to consider losses sustained by IBM in determining whether the statutory minimum was met.

The court further held that the evidence put forth to show the costs incurred by IBM was sufficient to support the amount of damages which exceeded the statutory minimum.

U.S. v. Millot, 2006 U.S. App. LEXIS 430 (8th Cir., January 9, 2006).


Kansas Supreme Court overturns conviction because hard drive was searched without valid warrant

Agents of the Kansas State Gaming Agency visited Zeke Rupnick in his office, and questioned him about allegations that he was illegally in possession of confidential business information. The agents seized his laptop computer, and a magistrate in a different county issued a warrant authorizing the search of the hard drive’s contents. Rupnick was convicted of felony computer crime based on the evidence obtained from the laptop.

Before trial, Rupnick sought to suppress the evidence contained on the computer, claiming violation of his Fourth Amendment rights. The trial court denied the motion to suppress. Rupnick sought review with the Kansas Supreme Court, which overturned the conviction.

The court held that the initial seizure of the laptop computer from Rupnick’s office without a warrant was justified, on the basis of probable cause plus the exigent circumstances presented by the possibility that Rupnick could easily delete the relevant data. The later warrant and search of the laptop, however, provided the basis for the reversal of the conviction.

The court began its analysis of the legality of the search by answering the question, which was one of first impression before the court, of whether a warrant must be obtained before the government may search the contents of a personal computer. In answering the question in the affirmative, the court looked to the Tenth Circuit cases of U.S. v. Carey, 172 F.3d 1268 (10th Cir. 1999) and U.S. v. Walser, 275 F.3d 981 (10th Cir. 2001).

In this case, the agents had indeed obtained a warrant before searching the contents of the laptop’s hard drive. However, the warrant failed to comply with the relevant Kansas statute (K.S.A. 22-2503), which requires that the search warrant be executed in the judicial district in which the magistrate judge resides. Because the magistrate that issued the warrant did not reside in the county in which the warrant was executed (i.e., where the search of the hard drive was made), the warrant was invalid, and the search was unlawful.

Despite the government’s argument that the defect in the warrant was a mere “technical irregularity,” the court strictly enforced the statute. The felony conviction was reversed and remanded for further proceedings.

State v. Rupnick, — P.3d —, 2005 WL 3439897 (Kan., December 16, 2005).

[Text of opinion]

Eighth Circuit affirms conviction in Best Buy e-mail extortion case

Defendant Ray was convicted in the U.S. District Court for the District of Minnesota for extortion, and was sentenced to eighteen months in prison for sending e-mail messages to Best Buy threatening to exploit a breach in its computer security. He appealed his conviction to the Eighth Circuit, arguing, among other things, that the evidence presented by the government was insufficient to show that Ray sent the messages.

The court affirmed the conviction, holding that the evidence supported the verdict. In reaching this conclusion, the court noted that Ray had admitted using his computer to log onto the Internet several times a day, and that three of the e-mail messages sent to Best Buy were traced to the IP address he was using at the very time the extortion messages were sent. Other evidence supported the conclusion that Ray was responsible for the messages.

One of Ray’s further arguments was that the prosecutor improperly argued criminal propensity in her closing argument by pointing out that Ray acquired domain names in which he had no legitimate interest after being notified that such conduct was improper. Without determining whether the prosecutor erred in making this argument, the court concluded that such a comment “was not so offensive that it deprived Ray of a fair trial.”

U.S. v. Ray, — F.3d —, 2005 WL 3110595 (8th Cir., Nov. 22, 2005).

Taking counsel from Councilman: E-mail message in transient electronic storage is an “electronic communication” under the ECPA

First Circuit reverses dismissal of indictment for surreptitiously copying third party e-mail messages.

The recent case of U.S. v. Councilman provides valuable insight into the First Circuit’s expansive reading of the definition of “electronic communication” under the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §2510, et seq.

Defendant Councilman worked for Interloc, Inc., an online rare and out-of-print book listing service. Customers of the service were provided with e-mail addresses. Without the customers’ consent, Councilman directed that Interloc’s servers be configured to send Councilman a copy of every message sent to the customers from The copies were intercepted during the split second they were located in temporary storage on Interloc’s server, and before they were sent to the customer’s account.

Councilman was indicted for conspiracy to violate § 2511 of the ECPA by, among other things, unlawfully intercepting electronic communications. The district court dismissed the indictment, holding that the messages, at the moment they were intercepted, did not meet the definition of “electronic communication” found at 18 U.S.C. §2510(12).

A three-judge panel of the First Circuit Court of Appeals affirmed the dismissal of the indictment. The government filed a motion requesting a hearing in banc, which was granted. On rehearing, the full court reversed the district court’s dismissal of the indictment.

Councilman had argued that the e-mail messages he was accused of intercepting, because they were being held in transient storage on the server when copied and sent to him, were not “electronic communications” as defined by the ECPA. The definition of “wire communication” (found at §2510(1) of the pre-USA PATRIOT Act version in effect at the time of the alleged crimes) specifically included electronic storage of communications. The definition of “electronic communication,” however, made no mention of data in electronic storage.

Applying the maxim of statutory construction known as expressio unius est exclusio alterius – which means “the expression of one is the exclusion of others” – Councilman argued that Congress specifically intended the definition of “electronic communication” to exclude data being held in electronic storage. If data in temporary storage on the server was excluded from the definition of “electronic communication,” Councilman argued, the charge of intercepting these e-mail messages in transient storage must fail as a matter of law.

The First Circuit rejected Councilman’s argument, concluding that the term “electronic communication” includes “transient electronic storage that is intrinsic to the communication process.”

To reach this conclusion, the court looked first at the plain text of the statute, scrutinizing Councilman’s argument that the inclusion of data in electronic storage in the definition of “wire communication” necessarily excluded it from the definition of “electronic storage.” The court was not persuaded by Councilman’s arguments that the statute should be construed in this manner. Given the “continuing ambiguity” in the statutory language, the court turned to the legislative history for guidance.

The court examined the various policies and concerns underlying the enactment of the ECPA. It explained that Congress gave a broad definition to “electronic storage” in order to enlarge privacy protections for stored data under the Act. Providing such a broad definition was not for the purposes of excluding e-mail messages stored during transmission. The court further noted that the presence of “electronic storage” in the definition of “wire communications” was to protect voicemail, and was not there to exclude e-mail from the definition of “electronic communication.”

Despite a strong dissent arguing for stricter statutory construction, the court held that the alleged conduct, as a matter of law, fell within the prohibitions of the ECPA. The case was returned to the district court for further proceedings.

U.S. v. Councilman, — F.3d —, 2005 WL 1907258 (1st Cir., August 11, 2005).

[Link to full opinion]

Court rejects constitutional argument in Microsoft trade secret prosecution

New York federal court holds that Economic Espionage Act of 1996 not unconstitutionally overbroad or vague.

In February 2004, defendant Genovese posted a message on his website that the source code for Windows 2000 had been “jacked,” and offered to provide copies of it via FTP to anyone willing to pay a small fee. After Microsoft investigated Genovese’s claims and successfully obtained one of the “jacked” copies, it notified the FBI. Genovese was arrested and charged under the federal Economic Espionage Act of 1996, 18 U.S.C. §1832 et seq. (“EEA”).

Genovese moved to dismiss the indictment, arguing that the EEA was facially overbroad and unconstitutionally vague as applied to him. The court rejected his arguments, and denied the motion to dismiss the indictment.

In holding that the statute was not overbroad, the court determined that Genovese’s alleged conduct, namely, distributing the source code “with intent to convert a trade secret…to the economic benefit of anyone other than the owner thereof” was not protected speech under the First Amendment.

On the question of whether the statute was unconstitutionally vague, the court concluded that the term “trade secret” was defined with “sufficient definiteness” so that an ordinary person in Genovese’s position would understand that trafficking in the Windows source code was prohibited by law. Genovese’s own conduct demonstrated that he knew the source code derived value from not being generally known (namely, by referring to it as “jacked” and by charging a fee for access to it). Furthermore, the court found that one could infer Genovese knew the code was proprietary and that protective measures taken by Microsoft had been circumvented. Thus, Genovese could “reasonably understand” that his conduct was proscribed by the Act.

U.S. v. Genovese, 2005 WL 1439860 (S.D.N.Y., June 21, 2005).

UPDATE: Genovese pleads guilty. [More here.]

Probation for Maryland man charged with “spamming by proxy”

(Thanks to Inter Alia for alerting me to this story.)

The Baltimore Sun has reported that a Maryland man has pleaded guilty to misusing electronic mail, a misdemeanor in Maryland. The judge sentenced the man to probation for signing up his former supervisor to receive e-mail from other sources without her permission or knowledge. In addition to probation, the court ordered the defendant to perform 100 hours of community service by educating children about the appropriate use of the Internet.