Cybercrimes Fall 2013- Professor Mulligan
A. BROAD OVERVIEW OF COURSE
1. Substantive (Ch 2, 3, & 4) = using a computer to commit a crime – What crimes have been committed that the govt can charge in ct?
2. Procedural (Ch 5 & 6) =What rules must officers follow to collect evidence and identify the suspect?
a. 4th amendment (if stand-alone computer –> constit’l)
b. Statutory Privacy Law (if computer network–> statutory)
3. Jurisdictional Disputes (Ch 7&8) = What agency has j/d as well as the ability to collect evidence?
B. Physical Crimes vs. Computer Crimes: e.g., robbing a jewelry store vs hacking the account
1. Substantive Issues = what harms caused? victim’s trauma; Morally culpable?; Deterrence?
2. Procedural Issues = Investigations follow 2 steps (1) Tracing communications back to their source, and (2) Recovering & analyzing computer used in the offense
3. Jurisdictional Issues
SUBSTANTIVE COMPUTER CRIMES
I. Intro
A. Two Categories of Substantive Computer Crime Law
1. computer misuse crimes= intentional interference with proper functioning of computer (ex. hacking, viruses), SPAM
2. traditional crimes that occur online/using computers = traditional criminal offenses facilitated by computers; i.e., information crimes with obvious physical world counterparts (ex. gambling, pornography, internet fraud)
B. Computer Crime v. Traditional
1. computer crime usually threatens economic interests more than physical
2. computer crime much more likely to cross state boundaries; most traditional crime is dealt with by the states
C. Two themes
1. Translating criminal law concepts, which were developed over hundreds of years in the physical world, into a digital world.
· Rivalrousness- two people can’t use same thing- doesn’t exist in internet world because can make a copy and both people can use it at once.
2. Public/private handshake
D. Hypos:
-physical crime- Frank robs a jewelry store at gunpoint and steals $5k worth of jewelry and pawns it for $800; internet crime- Frank hacks into an online store’s server and copies and sells a bunch of credit card numbers. $40k are racked up on credit cards before cards are cancelled.
· PC victim- jewelry store
· Computer crime victims- credit card company/insurance, hassle for people with cards stolen
· Violence element is absent in computer crime, but harms are very different; so maybe physical crime is worse because there is violence, but monetary impact and harm circle is much more far reaching in CC
COMPUTER MISUSE CRIMES
I. COMPUTER MISUSE CRIMES
A. The Basics: general overview notes
1. 2 ways they can occur
a. user exceeds his own privileges: “insider”: has some privileges/rights
b. user denies privileges to others: may be an “outsider”: no access rights
2. Question is: what do we want to criminalize? and why??
3. Who do we want to criminalize?
a. Malicious hacker- wants to steal credit card numbers: economic and havoc wreaking (just wants to f stuff up)
b. Punk kids- want a challenge, one that just engages in mischievous amusement
c. Noble minded hacker (like Alex from U Mich video)- increase security by showing can hack and find loopholes. Idealistic hacker- thinks information should be free (no JSTOR fees, for ex)
4. What are you doing? Least hacking to most hacking:
a. Violate terms of use, do something they tell you not to do with no technical barriers (like Match.com says not to lie, but there is no software to keep you from lying about your age)
b. Circumventing a technical limit without messing with another computer (masking your IP address)
c. Accessing a computer in a way that someone is allowed to but you are not allowed to (ie cracking a password- sophisticated or unsophisticated- have computer run program to get password, or just guessing)
d. “real hacking”-accessing a computer in a way no one should
e. As we move forward, think about these things, which actions should be criminalized, what actors should be criminalized.
5. Most Common Statutes
i. unauthorized access statutes
ii. computer fraud statutes
iii. computer damage statutes
6. Why Punish? (what’s the harm? Unintentional or indirect harms? Who is the victim? Does intent to profit matter? How distinguish malicious vs. non-malicious hacking?)
a. utilitarian: deter of harmful conduct, incapacitation, rehabilitation (looks forward)
b. retribution: just deserts; restore moral order (looks back)
7. How or When to Punish
a. Property-based view: the computer is not yours, so if you break in you should be punished; if you want access, you need permission
b. Harm-based view: the mere fact of breaking in does not create harm; need to have some financial losses
i. financial losses usually relate to security measures taken after the fact to prevent future hacking
B. PROPERTY-BASED APPROACH TO COMPUTER MISUSE –
1. Tresspass / Burglary / Theft- traditional property crimes
a. not a good fit for computer crimes
i. cf. computer misuse statutes hinge liability on authorized access, not whether we can define some arbitrary property interest or if owner was deprived of some sort of right
b. Trespass & Burglary = NEVER used to prosecute computer crimes. (too narrowly focused on physical world rather than interference w/ property rts)
i. Hacking: exceeding privileges on a another’s computer = exceeding privileges on physical land (but doesn’t work because do not physically enter computer)
c. THEFT has been used to prosecute computer misuse: idea is that by upsetting intended privileges, defendant took property belonging to another
i. Theft = the taking of a “thing” with purpose of depriving another of its bounty (incl includes larceny, embezzlement, conversion, fraud, and false pretenses):
ii. Difficulties: (1) defining a property interest; (2) identify when the property has been taken (“intent to deprive” or “intent to defraud”)
d. U.S. v. Seidlitz (4th Cir. 1978) : a person who develops WYLBUR and then quits to start own firm and gets back into the system and takes the software for his own use can be convicted under the federal wire fraud statute because the software source code is property: CO invested substantial sums to create and modify the software and enjoyed competitive advantage because of it and took steps to prevent outsiders access; When D took, he deprived company of the economic benefits from exclusive use of the software:
i. when is information property: when it has monetary value
ii. Wire fraud req “intent to defraud”= knowing conduct + intent to deceive (deceived computer into giving him access when logged in w/ stolen pw)
iii. Wire fraud statute= 18 USC§ 1343-“whoever…having devised…any scheme for obtaining money or property by false or fraudulent pretenses….”
1. Question to answer when using statute is what is property?
iv. Code wasn’t copyrighted, there are no patents on the software (didn’t do that in ‘70’s), Wylbur was written by Stanford U.- OSI company using software so in public domain, but he accessed the phones, etc so the problem isn’t so much that you took it but HOW you got in- you broke into something- trespassed.
v. Criminal trespass (16-7-21 GA): intentionally damages any property of another without consent or knowingly and maliciously interfere with possession or use of property of another person without consent of that person (summary).
vi. Don't need to prove D attempted to sell or use stolen data to establish fraudulent intent: D arg only acquired data to show weakness in system
vii. courts have found that computer usage, data, and a password can all be considered property
e. State v. McGraw (Ind 1985): employee did NOT commit theft by using his work computer for his own business by storing records on it; his use cost the city (employer) nothing and did not interfere with its use by others.
i. dissent: time/use are of value when using a computer system, and employee denied the city both time and use
ii. key is LOSS: employer in Seidlitz could have suffered economic loss when deprived of exclusive use (even though they could still use the program) but employer in McGraw did not lose anything of value, even though in BOTH cases the defendants gained a benefit
iii. which hacker box to put McGraw in? Probably just violating terms of use
iv. Intent: did not have intent to deprive employer of anything, and in fact didn’t. When deprivation of property is not a natural and usual consequence of defendant’s use, cannot infer intent. (Seidlitz may have had intent to compete and deprive of exclusive use)
v. Reason by analogy: the harm is more like tresspass, a de minimis civil matter, similar to and employee using employer’s bookshelf to temporarily store books; at most may be a conversion but is not theft.
2. Conversion: unlike theft, does not require intent to deprive of use; in US v. Girard (2d Cir 1979) a DEA agent DID convert property when he downloaded files of undercover agents and planned to sell them to drug dealers; diff is the intent and the possible loss- what is key in this is that if this information was told verbally, then him telling would probably not be a problem, so it doesn’t really fit with any other above models.
a. But Kerr summarized it well- p 27- when something of value is lost or taken in a way, then court applying theft law or computer misuse generally concluded that property had in fact been taken and D liable; when no harm resulted, courts tended to find that no property was taken. So again, key is harm or loss.
b. Why might this way of thinking be a problem???/
i. Contradictions in the law, lack of conceptual clarity, and more difficult to apply in the future.
ii. Appropriateness of punishment
iii. Abandoning the rule of law- when torture definition of property to mean it has to be harmful, then run the risk of putting people in prison who are unlikeable bc you are doing what you feel based on subjective harm
iv. Lack of fair notice, or vagueness problems
C. UNAUTHORIZED ACCESS STATUTES
1. enacted by federal gov’t and all fifty states: common building block is unauthorized access to a computer. Basic offense usually supplemented by other elements w/ additional prohibitions, such as computer fraud and damage statutes
2. 18 USC § 1030: The Computer Fraud & Abuse Act (CFAA)
a. seven crimes: 1030(a)
(a)(1): accessing or exceeding access to obtain classified info to injure US or foreign power; never been used- not that important
(a)(2): accessing w/o authorization OR exceeding authorized access and obtaining information: most commonly used; information must be (A) financial record; (B) info from US gov’t;
(C) info from any protected computer or involving interstate or foreign communication: these are low hurdles only limitation is w/o access (broad definitions of protected computers and information) and most hackers will violate this section; mens rea required is intent; felony IF over 5K in loss (see below), can be misdemeanor even with no loss (“just looking”)(obtaining info has nothing to do with downloading)
(a)(3): accessing gov’t computers w/o authorization; rarely used; no info needs to be taken (simple trespass); only applicable to offenders completely outside the gov’t with no authority to access (drops exceeding access clause); always a misdemeanor, unless prior conviction- hacking
(a)(4): federal computer fraud statute: combines (a)(2) with wire fraud statute ; felony- FRAUD
(a)(5): federal computer damage statute; key is calculating the loss-
(A) Knowingly causes the transmission of a program… intentionally causes damage without authorizations
(a)(6): prohibits pw trafficking; based on federal credit card fraud statute
(a)(7): prohibits extortion & threats to cause damage to computers
b. attempts are covered- so don’t try to do these things (like saying attempted murder bad)
c. statutory maximum punishments for (a) & (b); violations of 1030(a)(2) punished by 1030(c)(2)
i. 18 USC1040(a)(2)- punishment- violations of 1030 (a)(2) are punished by 1030 (c)(2)- unless additional elements are proved one is charged with a misdemeanor- max punishment is fine or one year or less in prison. Cannot be convicted of another offense or attempting to commit another offense under the CFAA to qualify for “mere” misdemeanor.
e. definitions: under (2), basically any computer w/internet access is a “protected computer” for (a)(2)(C) (“used in or affecting commerce”
g. civil remedy; where most cases arise- if you meet one of the i-v conduct (you can do this if you are a private company that has been harmed)- can get injunctive or other equitable relief
i. loss…during 1 year period… more than $5000 (damages limited to economic)
ii. modification/impairment of medical exam, diagnosis, treatment or care
iii. Physical injury to a person
iv. Threat to public health or safety
v. damage to a US computer involved in justice, defense, security.
3.
RIZED ACCESS OR EXCEEDING AUTHORIZATION
ii. Contract Based: access conditioned on a user’s promise to abide by terms of service; weaker than code
1. U.S. v. Nosal (NDCA, 2009)(52): an employee with an improper purpose acts without or in excess of authorization when he accesses information that he is otherwise permitted to access within scope of employment but at time of access does so with the intent to defraud, i.e. in a manner that is (a) inconsistent with employer’s interest, or (b) in violation of a contractual duty (confidentiality agreement). Employee was not authorized initially to access employer’s computer with the intent to defraud employer. The fact that they accessed information with “nefarious intent” rendered access “without authorization” or in excess of.
a. Scope of authorization was implicitly limited by the employment relationship which created ongoing duties of confidentiality and non-competition and also the employee was bound by confidentiality agreements. Breach of these duties of loyalty rendered access unauthorized.
b. Scope of CFAA expanded in civil claims to cover EE who misappropriates information for competitor’s use, and no reason not to also use it in criminal
c. Issue is whether this is hacking under CFAA
d. Held that phrase “exceeds authorized access” in CFAA does not extend to violations of use restrictions- if Congress wants to incorporate misappropriation into CFAA, must say so (p 59)
e. Dissent- uses US v. Rodriguez- SSA employee accesses personal info for non0business reasons when he is only permitted to access for business reasons.
f. Three interpretive possibilities:
a. You only have authorization to access records when they are for a business purpose and other access for another purposes exceeds authorizations (exceeds authorized access) (Rodriguez)
b. You always have authorization to access the records, but can only use the records for a business purpose
i. Use for a disallowed purpose retroactively makes this a CFAA violation or
ii. Once you have authorization, use cant retroactively eliminate it (Nosal)
c. Clarification of above: Rodriguez said that no authorization to look at; calls with questions gains authorization to look at that file; could argue he only gained authorization when he gets the call, but also only gain authorizations when permitted USE. Nosal- always looking at cleient lists for working purposes are ok. Copy them for BAS PURPOSE; Kozinski majority says later use for bad purpose doesn’t make access unauthorized; dissent says bad use makes access unauthorized- I AGREE w/ DISSENT!
iii. By Social Norms: widely shared attitudes or behaviors; implicit contractual restrictions (e.g., employee loyalty)
1. Two views on “authorization”:
a. Broad Interpretation: employee’s authorized access is terminated once an employee acts with adverse or nefarious interests and against the duty of loyalty imposed on an employee in an agency relationship (Nosal)
b. Narrow Interpretation: unauthorized only when initial access is not permitted in the first instance: (LVRC)
a. “W/O authorization”= (a)(2)(C)no right to access at all, limited or otherwise;
b. “Exceeds authorized access” = (e)(6)if has permission to access, but uses that access to obtain or alter info that he is not permitted to obtain or alter. (Difference is that can exceed access if violate employer placed limits on accessing certain info, but still have access to computer.)
7. Examples and notes from class:
a. You write a software program and after 20,00 everyone has SOME authorization to access facebook’s computers. BUT because FB only lets you use your own account, you EXCEED that authorized access if you crack another person’s password.
b. Without v. exceeding: what difference does it make? Subsections (a)(3) and (a)(5)(B-C) forbid :accessing without authorization” but not exceeding authorization. (a)(3) is about government computers (we won’t deal with it much).
c. Obtaining the information doesn’t make much of a difference in the above-confusing- the new law proposes doing away with exceeding access completely
d. TRICKY: (a)(5)(A)
i. Whoever (A) knowingly causes the transmission of a program and as a result intentionally causes damage without authorization shall be punished (paraphrased)
ii. If you exceed authorized access by transmitting a program, but don’t have any authorization to “cause damage” then you can still be liable under (a)(5)(A).
iii. Example: you discover facebook doesn’t sanitize the inputs from the login page and you use that weakness to copy malicious code onto Facebook’s computers which ends up deleting several profiles.
1. You have merely exceeded your authorization to access Facebook’s computers, but you still have “intentionally caused damage without authorization” because you had no authorization to cause damage even though you had authorization to access.
2. Proposed “Aaron’s Law” eliminates the idea of exceeding authorized access entirely.
e. BIG circuit split over whether doing stuff you are told not to do with information you can access without reaching a technical barrier (ie having to break in- your login stuff is enough- SSA example) is a CFAA violation.
f. Scraper tools- nothing more than a computer program that accesses information contained in a succession of webpages stored on the accessed computer; information seen is not graphical interface but the HTML source code.
