Computer Crimes
INTRODUCTION
From Internet shopping to the electronic filing of taxes and the daily running of government and industry, we are all dependent upon computer networks that easily could be crippled by acts of cybercrime. Our personal or corporoate information can be stolen.
In 2001, the U.S. formed a Critical Infrastructure Protection Board (CIPB) when President Bush signed an executive order on critical infrastructure protection. On September 18, 2002, the board released a report entitled "National Strategy to Secure Cyberspace." As a result of that report, and as damage caused by internet crime increased, the U.S. government established established the FBI's Regional Computer Intrusion Squads (also called CHIP units), whose puposed is to investigate violations of the Computer Fraud and Abuse Act. FBI computer teams also focus on copyright and trademark violations, theft of trade secrets and economic espionage, theft of computer and high tech components, fraud, and other Internet crime. In addition to the 13 FBI Regional computer teams, there are 60 specialized computer teams that are focused on specific computer crimes.
STATUTES
UNAUTHORIZED COMPUTER ACCESS (Intruders/Hackers) A. 18 U.S.C. § 1030
The explosive growth of the Internet has resulted in information becoming an increasingly valuable commodity. The main anti-intruder law is 18 U.S.C. § 1030. This statute was first enacted as the "Computer Fraud and Abuse Act of 1996." Effective October 26, 2001, Congress modified the 1996 Act. The most significant changes were: (1) increasing penalties for hackers who damage computers; (2) clarifying the intent element of such crimes; and (3) providing that damage caused to separate computers can be aggregated for purposes of satisfying the statute's jurisdictional threshold. As presently written, 18 U.S.C. § 1030 creates six felony offenses and five misdemeanors. Example violations of section 1030 would include: Hacking into a protected computer to steal information; Destroying data or damaging hardware on protected computers by transmitting commands (e.g. virus or worm); "Denial of Service" attacks against protected computer; and Extortion based on threat to crash protected computer. Attempts are also covered, under 1030(b). 18 U.S.C. § 1030(a)(2) prohibits unlawful access to confidential data or information. A violation of this subsection is misdemeanor with a punishment range of not more than one year imprisonment and/or a $100,000 fine. However, if this offense was committed for purposes of commercial advantage or private financial gain, and the value of the information obtained exceeds $5,000, the offense becomes a felony with a penalty range of not more than five years imprisonment and/or a $250,000 fine. 18 U.S.C. § 1030(c)(2)(B). The Department of Justice takes these crimes very seriously, and will devote every resource possible to tracking down those who seek to attack technological infrastructures. The 2001 Act increased the punishment for a violation of § 1030(a)(5)(A)(i) - intentionally causing damage - from not more than five years imprisonment to not more than ten years imprisonment and/or a $250,000 fine. The punishment for a violation of § 1030(a)(5)(A)(ii) - recklessly causing damaging - is not more than five years imprisonment and/or a $250,000 fine. A second violation (including a violation after a prior felony conviction for a state computer hacking crime) carries a more severe maximum punishment. See 18 U.S.C. §§ 1030(c)&(e)(10). A violation of § 1030(a)(5)(A)(iii) - causing damage - carries only a misdemeanor level of punishment. 18 U.S.C. § 1030(c)(2)(A). Note: The 2002 Cyber Security Enhancement Act increases penalties for those who "knowingly or recklessly" cause or attempt to cause death or serious injury through a cyberattack, in violation of Section 1030(a)(5)(A)(i). "Protected computer" is broadly defined in § 1030(e)(2) of the statute. Essentially, there are three groups of protected computers: 1) any computer that is "exclusively for the use of a financial institution or the United States Government;" 2) any computer that is used part-time by a financial institution or the United States Government, if the offense affects that use; or 3) any computer "which is used in interstate or foreign commerce of communication." This last group might include any computer hooked to the Internet. Computers in foreign countries are now included in the new expanded 2001 Act definition.
The new definition of "damages" in § 1030 does not include a reference to loss amount. "Damage" is now defined in 18 U.S.C. § 1030 (e)(8) as "any impairment to the integrity or availability of data, a program, a system, or information." Under this definition, the government need not prove that the defendant intended to cause $5,000 worth of damage. Rather, the government must prove one of the requisite mens rea with respect to causing damage and then must establish that the damage caused was $5,000 or greater, or falls within one of the other statutorily defined categories qualifying as damage. See 18 U.S.C. § 1030(a)(5)(B). In United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000) (analyzing the previous version of § 1030), the Ninth Circuit found that "damage" includes any loss that was a foreseeable consequence of the criminal conduct, including costs necessary to "resecure" the computers. The Court further held that the government could prove the $5,000 amount by putting on evidence of the hourly wage of the victim company's employees and the number of hours they spent to fix the computer problem. The broad definition of "loss" used in Middleton was adopted by Congress in the new 2001 law. "Loss" is defined in 1030(e)(11) as: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. The new 2001 Act also provides that the government may aggregate "loss resulting from related course of conduct affecting 1 or more other protected computers" which occurs to one or more persons during a one year period. 18 U.S.C. § 1030(a)(5)(B). Note that there is not a loss minimum if the computer is "used by or for a government entity in furtherance of the administration of justice, national defense, or national security." 18 U.S.C. § 1030(a)(5)(B)(v).
18 U.S.C. § 1030(a)(6) prohibits trafficking in computer passwords while the "Access Device Fraud Act" at 18 U.S.C. § 1029 prohibits both trafficking and possession of unauthorized computer passwords. Section 1030(a)(6) establishes trafficking in computer passwords as a misdemeanor and requires that the government prove: 1) that the accused knowingly obtained and transferred or disposed of passwords to another; 2) that the accused did so with the intent to defraud; and 3) that this conduct affected interstate or foreign commerce or that the computer is used by the United States Government. Although "password" is not defined in 18 U.S.C. § 1030 or the main statute dealing with passwords, 18 U.S.C. § 1029, the Senate Committee defined password to include "a set of instructions or directions for gaining access to a computer." The Committee indicated that the password was to be broadly construed to cover more than a single word. (See S. Rep. No. 432, 99th cong., 2d Sess.9 (1986).)
18 U.S.C. § 1030(a)(7) prohibits computer extortion, which carries up to five years imprisonment and fine for the first offense. The elements of this offense are: 1) to transmit in interstate or foreign commerce a communication that contains a threat to cause damage to a protected computer; and 2) that the threat is made with the intent to extort money or other thing of value from any person or entity. This section was enacted in response to actual cases where intruders would break into others' computer systems and encrypt their data so that the computer system was rendered inoperable and then demand money for the key to unencrypt the information.
The 2003 Sentencing Guideline amendments addresses the harm and invasion of privacy that can result from offenses involving the misuse of, or damage to, computers. It implements the directive in section 225(b) of the Homeland Security Act of 2002, which required the Commission to review, and if appropriate amend, the guidelines and policy statements applicable to persons convicted of offenses under 18 U.S.C. § 1030. First, the amendment adds a new specific offense characteristic at § 2B 1.1(b)(13) with three alternative enhancements of two, four, and six levels. Second, the amendment modifies the rule of construction relating to the calculation of loss in protected computer cases. This change was made to incorporate more fully the statutory definition of loss at 18 U.S.C. § 1030(e)(11), added as part of the USA PATRIOT Act, and to clarify its application to all 18 U.S.C. § 1030 offenses sentenced under § 2B 1.1. Third, the amendment expands the upward departure note in § 2B 1.1. That note provides that an upward departure may be warranted if an offense caused or risked substantial non-monetary harm, including physical harm. The amendment adds a provision that expressly states that an upward departure would be warranted for an offense under 18 U.S.C. § 1030 involving damage to a protected computer that results in death. Fourth, the amendment modifies § 2B2.3, to which 18 U.S.C. § 1030(a)(3) (misdemeanor trespass on a government computer) offenses are referenced, and § 2B3.2, to which 18 U.S.C. § 1030(a)(7) (extortionate demand to damage protected computer) offenses are referenced, to provide enhancement relating to computer systems used to maintain or operate a critical infrastructure, or by or for a government entity in furtherance of the administration of justice, national defense, or national security. Finally, the amendment references offenses under 18 U.S.C. § 2701 (unlawful access to stored communications) to § 2B 1.1.
THE DEFENSE FOCUS:
Regardless of the type of computer crime, the defense focus is always the same:
- HOW was the computer used? (What crime was allegedly committed?)
- WHEN was the computer used? (What was the time span? What was the date of offense? Statute of limitations issue? Correct charging statute?)
- WHERE was the computer located? (Business, home, library, military base, etc. Does the court have jurisdiction?)
-WHO used the computer? (Can the prosecutor prove identity? Can they affirmatively link the defendant to the keyboard?)
- WAS the search and seizure of the computer conducted in a lawful manner?
Hackers Defense:
The Trojan Horse: In one case that was being watched by computer security experts, Aaron Caffrey, 19, was acquitted in October 2003 in the United Kingdom on charges of hacking into the computer system of the Houston Pilots, an independent contractor for the Port of Houston, in September 2001. Caffrey had been charged with breaking into the system and crippling the server that provides scheduling information for all ships entering the world's sixth-largest port. Although authorities traced the hack back to Caffrey's computer, he said that someone must have remotely planted a program, called a "trojan," onto his computer that did the hacking and that could have been programmed to self-destruct. In two other cases, British men were accused of downloading child pornography but their attorneys successfully argued that trojan programs found on their computers were to blame. Some legal and security experts say the trojan defense is a valid one because computer hijacking occurs all the time and hackers can easily cover their tracks. "I've seen cases where there is a similar defense and it could work or not work based on corroborating evidence: such as how technical the defendant is, said Jennifer Stisa Granick, clinical director of the Sanford Law Center for Internet and Society. It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime is much more difficult, she said. Someone other than the computer owner could use the machine, either by gaining physical access or remotely installing trojan software that was slipped onto the computer via an e-mail sent to the computer owner or downloaded from a malicious Web site, they said. The defense is likely to become more widespread especially given the increasing use of "spyware" programs that can be used by hackers to steal passwords and essentially eavesdrop an a computer user. The emergence of spyware will only enhance these claims,
Spyware Programs: Software programs that surreptitiously enter personal computers have grown in recent years, and while many are not clearly illegal, they pose cybersecurity and privacy challenges that require government, industry, and consumers to respond, according to a report released November 18, 2003, by the Center for Decmocracy and Technology (CDT). A wide range of "spyware" programs exist today, complicating legal and regulatory solutions. Those programs include "snoopware" and "trespassware." "Snoopware" includes programs surreptitiously installed by a third party that track keystrokes and web sites visited, or capture passwords and other information and pass them back to the third party. "Trespassware" includes adware and other applications bundled with desired software, which deliver advertisements or otherwise hijack a user's computer without collecting information on the user. Such programs exist in a legal gray zone, CDT said. "Snoopware" poses severe privacy risks, but it also appears to be relatively uncommon. Of primary concern to CDT is trespassware, which appears to be far more common, based on complaints posted on the Web. "Trespassware" programs sometimes hobble computer performance, prompting users to mistakenly call software or ISP help desks, unaware of the hidden program causing the problem. In addition, the programs are notoriously difficult to remove, remaining even when the host program with which it entered a computer is uninstalled.
ILLEGAL CAPTURE, TRAFFICKINGS AND POSSESSION OF COMPUTER ACCESS DEVICES AND PASSWORDS, 18 U.S.C. § 1029 and 18 U.S.C. § 1030.
18 U.S.C. § 1029 prohibits trafficking and possession of unauthorized computer passwords. While the majority of this statute is directed at credit card and cellular phone fraud, the term "access devices" has been interpreted to include computer passwords. The statute makes it a felony for an individual who, knowingly and with intent to defraud, possesses, traffics, or uses an unauthorized or counterfeit access device; or produces, traffics in, has control or custody of, or possesses device making equipment. There are numerous sections to this statute and the requirements of proof vary among them. Section 1029(a)(3) prohibits a person from knowingly, and with the intent to defraud, possessing fifteen or more devices, which are counterfeit or unauthorized access devices. Intruders frequently collect and trade password information on systems they have compromised. Possession of such passwords provides verification that the intruder has gained access to various computer systems and is often used for bragging rights. Intruders frequently install "sniffers" so that they can collect additional passwords. A sniffer, which is a software program that intruders secrete on a compromised computer system, records the log-on name and passwords of valid users. Intruders retrieve and use this information to masquerade as the valid user. If a sniffer is placed on a large computer network, it can collect literally hundreds of passwords. Use of such an illegally placed sniffer could constitute a felony violation of the Wiretap Act. A recent § 1029(a)(3) case was US. v. Fitzgerald, N.D. Cal., No. CR-02-0406 ( 2003). Shawn Webb Fitzgerald was indicted on charges of possessing unauthorized access devices and possession of counterfeit mail keys. Fitzgerald was accused of stealing mail around the San Francisco Bay Area from December 2001 through April 2002. In the plea agreement, Fitzgerald admitted stealing bank statements with checking account numbers and related information; credit card statements with account numbers; stockbrokerage statements with account information; and other materials. Prosecutors accused Fitzgerald of possessing 15 or more credit cards, bank and brokerage account number, electronic serial numbers, or other means of account access. He pled guilty to two counts of violating 18 U.S.C. § 1029(a)(3). He received 105 months in prison. Another intruder trick is to download or copy the password file from a targeted computer system. This file is designed to hold all of the authorized users' passwords in one central repository. For security reasons the passwords are automatically encrypted and maintained in the file in this encrypted state. Unfortunately, there are a number of software programs such as "Crack" that will decrypt these password files. These cracking programs are readily and freely available over the Internet. As noted in Section III above, § 1030(a)(6) criminalizes trafficking, with the intent to defraud, in passwords "or other similar information through which a computer may be accessed" if such trafficking affects interstate commerce or the computer is used by or for the United States government. A first offense is a misdemeanor and a subsequent offense is a felony.
IDENTITY THEFT:
Title 18, U.S.C. § 1028, The Identity Theft and Assumption Deterrence Act, was enacted October 30, 1998. This statute essentially created a new crime - Identity Theft - which recognized that computers can be used to create documents that allow a user to assume the identity of another or even create fraudulent identities. This practice has already resulted in considerable monetary loss to businesses and financial institutions and can have profound and long-lasting effects on the victim's credit rating. The statutory penalty provisions vary depending on the type of identification used, produced, or obtained and the number of identification documents involved in the offense. The U.S. Sentencing Commission on May 1, 2000, sent to Congress Computer Crimes Course several amendments to the federal sentencing guidelines that significantly increased penalties for a number of computer crimes. See U.S.S.G § 2B 1.1(b)(9). The Sentencing Commission voted to increase penalties for criminals who steal another person's means of identification and then use that stolen document to commit additional crimes, such as obtaining fraudulent loans or credit cards. In so doing, the Commission recognized that the individual whose identity is stolen is also a victim of the fraud, just as is the bank or credit card company. In the same amendment, the Commission also increased penalties for the cloning of wireless telephones in response to the Wireless Telephone Protection Act of 1998. On May 20, 2000, a 23-year old convicted felon told a Senate panel how he created phony documents using a computer at a public library and public government records online. "The availability of false identification on the Internet is a ... growing problem, to which we plan to devote additional resources and attention," Secret Service Director Brian Stafford testified before the Senate Governmental Affairs Committee's investigative subcommittee. There are three levels of fake ID procurement, subcommittee investigators found in a five-month undercover inquiry. First, some Web sites sell bogus, real-looking documents in the customer's name. Others sell high-quality computer files, called templates, that allow customers to make their own phony documents. The fake IDs often contain holograms, bar codes, magnetic stripes, and other security features added to genuine documents to prevent counterfeiting. On July 24, 2001, the FTC settled with an individual that had sold internet access to software used to make false identity documents. Templates and software were used to produce fake drivers licenses for California, Georgia, Florida, Maine, Nevada, New Hampshire, New Jersey, Utah, Wisconsin, and New York. The web site sold 45 days of access to the templates for $29.99. The site also provided access to birth certificate templates, programs to create bar codes, and a program to falsify Social Security numbers. On January 6, 2003, six firms that used the Internet to sell driver's permits were selling worthless documents to unsuspecting consumers, according to charges filed by the Federal Trade Commission as part of "Operation License for Trouble," and enforcement sweep targeting sellers of bogus documents. Federal Trade Commission v. Carlton Press Inc., S.D.N.Y., No. 03-CV 0226-RLC, 1/16/03. A federal jury in Los Angeles on December 4, 2003, found a former Global Crossing computer technician guilty of eight felony counts related to a web site where he posted Social Security numbers and other personal information of thousands of Global Crossing employees. U.S. v. Sutcliffe, C.D. Cal., No. CR 02-350(A)-AHM, 12/4/03. It may have been the first conviction under the federal statute, 18 U.S.C. § 1028(a)(7), prohibiting online posting of Social Security numbers with the intent to aid and abet identity theft.
CYBERSTALKING
There is no universally accepted definition of cyberstalking. The term is normally used to refer to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. Stalking generally involves harassing or threatening behavior that an individual engages in repeatedly, such as following a person, appearing at a person's home or place of business, making harassing phone calls, leaving written messages or objects, or vandalizing a person's property. A cyberstalker may send repeated, threatening, or harassing messages by the simple push of a button; more sophisticated cyberstalkers use programs to send messages at regular or random intervals without being physically present at the computer terminal. A cyberstalker's true identity can be concealed by using different ISPs and/or by adopting different screen names. More experienced stalkers can use anonymous remailers that make it all-but-impossible to determine the true identity of the source of an e-mail or other electronic communication. A number of law enforcement agencies report they currently are confronting cyberstalking cases involving the use of anonymous remailers. Anonymity leaves the cyberstalker in an advantageous position. Unbeknownst to the target, the perpetrator could be in another state, around the corner, or in the next cubicle at work. The perpetrator could be a former friend or lover, a total stranger met in a chat room, or simply a teenager playing a practical joke. The veil of anonymity often encourages the perpetrator to continue these acts. Los Angeles and New York, have both seen numerous incidents of cyberstalking and have specialized units available to investigate and prosecute these cases. For example, Los Angeles has developed the Stalking and Threat Assessment Team. Similarly, the New York City Police Department created the Computer Investigation and Technology Unit.
FEDERAL CYBERSTALKING LAWS
Under 18 U.S.C. 875(c), it is a federal crime, punishable by up to five years in prison and a fine of up to $250,000, to transmit any communication in interstate or foreign commerce containing a threat to injure the person of another. Section 875(c) applies to any communication actually transmitted in interstate or foreign commerce - thus it includes threats transmitted in interstate or foreign commerce via the telephone, e-mail, beepers, or the Internet. Title 18 U.S.C. 875 is not an all-purpose anti-cyberstalking statute. First, it applies only to communications of actual threats. Thus, it would not apply in a situation where a cyberstalker engaged in a pattern of conduct intended to harass or annoy another (absent some threat). Also, it is not clear that it would apply to situations where a person harasses or terrorizes another by posting messages on a bulletin board or in a chat room encouraging others to harass or annoy another person. The Fifth Circuit recently considered one of the first Internet threat cases prosecuted under this statute. United States v. Morales, 272 F.3d 284 (5th Cir. 2001). Defendant high school student was convicted of making interstate threatening communication, based on Internet "chat room" conversation in which he threatened to kill fellow students. Defendant appealed. The Court of appeals, held that: (1) general-intent requirement of governing statute was satisfied since defendant admitted to sending threat in order to see how recipient would react; (2) question of whether message was "true threat" as opposed to political hyperbole was for jury; (3) fact that message was sent to third party rather than to fellow students did not preclude prosecution; and (4) government did not have to prove that defendant intended message to be threat, only that statement was made knowingly and intentionally. Certain forms of cyberstalking also may be prosecuted under 47 U.S.C. 223. One provision of this statute makes it a federal crime, punishable by up to two years in prison, to use a telephone or telecommunications device to annoy, abuse, harass, or threaten any person at the called number. The statute also requires that the Computer Crimes Course perpetrator not reveal his or her name. See 47 U.S.C. 223(a)(1)(C). Although this statute is broader than 18 U.S.C. 875 - in that it covers both threats and harassment - Section 223 applies only to direct communications between the perpetrator and the victim. Thus, it would not reach a cyberstalking situation where a person harasses or terrorizes another person by posting messages on a bulletin board or in a chat room encouraging others to harass or annoy another person. Moreover, Section 223 is only a misdemeanor, punishable by not more than two years in prison. On November 22, 2004, James Robert Murphy, 38, of Columbia, South Carolina, was sentenced to 5 years of probation, 500 hours of community service, and more than $12,000 in restitution for two counts of Use of a Telecommunications Device (the Internet) with Intent to Annoy, Abuse, Threaten or Harass. Murphy was indicted for sending harassing e-mails to a Seattle residence and to employees of the City of Seattle. He pleaded guilty to two counts in June 2004 in violation of 47 U.S.C. 223. He is the first person to be convicted under the statute. Murphy hid his identity with special e-mail programs and created the "Anti Joelle Fan Club" (AJFC) and repeatedly sent threatening e-mails from this alleged group. The Interstate Stalking Act, signed into law by President Clinton in 1996, makes it a crime for any person to travel across state lines with the intent to injure or harass another person and, in the course thereof, places that person or a member of that person's family in reasonable fear of death or serious bodily injury. See 18 U.S.C. 2261A. Although a number of serious stalking cases have been prosecuted under Section 2261A, the requirement that the stalker physically travel across state lines makes it largely inapplicable to cyberstalking cases. However, on September 10, 2002, in United States v. Bowker, docket number 01-CR-441-ALL, N.D. Ohio, the defendant was convicted under § 2261A and sentenced to eight years in prison. Mr. Bowker sent obscene e-mails, made threatening telephone calls, and stole mail from the victim. The victim was a TV reporter in West Virginia; the defendant resided in Ohio. Finally, President Clinton signed a bill into law in October 1998 that protects children against online stalking. The statute, 18 U.S.C. 2425, makes it a federal crime to use any means of interstate or foreign commerce (such as a telephone line or the Internet) to knowingly communicate with any person with intent to solicit or entice a child into unlawful sexual activity. This new statute does not reach harassing phone calls to minors absent a showing of intent to entice or solicit the child for illicit sexual purposes.