COMPUTER CRIMES – HURLEY, 2012
I. 18 USC 1030 Important Terms (1030 arguments come down to who can make the best analogy)
A. Computer: (defined on pg. 698) Mitra (Easterbrook) Every cell phone and cell tower, every iPod, every wireless base station and many another gadget is a computer.
B. Protected Computer: (defined on pg. 698) Includes a computer which is used in interstate or foreign commerce or communication, including a computer located outside the US that is used in a manner that affects interstate commerce or communication in the US. Any computer that can be regulated by congress’s power to regulate interstate commerce.
C. Obtaining Information: Includes the mere observation of data, accordingly, most hacking will be in violation of 1030(a)(2).
D. 1030 Sentencing Chart
Offense
Max Penalty w/o Enhancement
Possible Enhancements of Max
(a)(2)
1 year. (c)(2)(a)
5 years if not first offense. (c)(2)(C)
5 years if for (i) commercial gain; (ii) furthering a crime or tortious act; (iii) information obtained worth > 5K. (c)(2)(B).
(a)(3)
1 year. (c)(2)(a)
5 years if not first offense. (c)(2)(C)
5 years if for (i) commercial gain; (ii) furthering a crime or tortious act; (iii) information obtained worth > 5K. (c)(2)(B).
(a)(4)
5 years. (c)(3)(a)
10 years if not first offense (c)(3)(A)
(a)(5)(A) Intentional
1 year. (c)(4)(G)
10 years if offense causes (I) loss to during 1 year period of 5K in value; (II) impairment of medical care; (III) physical injury; (IV) a threat to public health or safety; (V) damages to crime fighting computer; (VI) damages to 10+ computers. (c)(4)(B)(i).
20 years if not a first offense. (c)(4)(C).
20 years if attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation.
Life if attempts to cause or knowingly or recklessly causes death from conduct in violation.
(a)(5)(B) Reckless
1 year. (c)(4)(G)
5 years if offense causes (I) loss to during 1 year period of 5K in value; (II) impairment of medical care; (III) physical injury; (IV) a threat to public health or safety; (V) damages to crime fighting computer; (VI) damages to 10+ computers. (c)(4)(A)(i).
20 years if not a first offense. (c)(4)(C)
(a)(5)(C)
Strict Liability
1 year. (c)(4)(G)
10 years if not a first offense. (c)(4)(D)
(a)(6)
1 year. (c)(2)(a)
5 years if not first offense. (c)(2)(C)
5 years if for (i) commercial gain; (ii) furthering a crime or tortious act; (iii) information obtained worth > 5K. (c)(2)(B).
(a)(7)
5 years. (c)(3)(a)
10 years if not a first offense. (c)(3)(A)
II. Access:
A. State v. Riley (1993): Riley used his computer to dial Telco’s general access number and enter 6-digit numbers representing customer access codes every 40 seconds for hours at a time.
1. Access: “to approach . . . or otherwise make use of any resource of a computer, directly or by electronic means.”
2. H: Riley was approaching the switch each time he entered the general access number, followed by a random 6-digit number representing a customer access code.
3. But see Allen: Access: Until defendant proceeds beyond the initial banner and entered appropriate passwords, he could not be said to have had the ability to make use of the computers or obtain anything. (“Knocking on the door,” is not enough. Allen requires getting inside.)
III. AUTHORIZATOIN
A. Possibly interpretations of “without authorization” and “exceeds authorization. (pg. 69)
1. Code-Based Theory: w/o authorization is limited to the circumvention of code based restrictions by outsiders, like in Morris. Exceeds would cover some kind of contract-based or norms-based breach by insiders. There support for the insider/outsider distinction in the legislative history.
2. Pre-existing Relationship: The only difference is whether the use has some preexisting relationship with the computer and prohibited acts are the same under each standard. “The definition of exceeds authorized access is textually meaningless; it states that a person exceeds authorized access when shoe does what she is not entitled to do, which simply restates the test for access w/o authorization.” Kerr.
3. Exceed Authorized Access by using a computer in an unauthorized manner.
B. Without Authorization Case Law:
1. United States v. Morris (1991)(Code-based interpretation): Morris transmits a worm through a bug in the mail system, a bug in the finger demon program, through the trusted host feature, and a p/w-guessing program.
a. Intended Function Test: Providers implicitly authorized users to use their computers to perform the intended functions, but implicitly do not authorize users to exploit weaknesses in the programs that allow them to perform unintended functions.
b. Correctly Guessing or Using Stolen PW: Guessing a password is something like picking a lock and using a stolen PW is something like making a copy of the key w/o the owners permission.
2. Brekka (9th):
a. A person is w/o authorization when the person accesses a computer w/o any permission at all.
C. US v. NOSAL: Employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal.
1. Government: “accesser is not entitled so to obtain or alter…” The government reads “so” to mean “in that manner,” which means a user a user exceeds authorized access when he uses a computer in an unauthorized manner.
2. Defendant: 1030 is a Hacking Statute: Difference between “without access” and “exceeds authorized access” is a concern about external and internal hacking. Legislative history supports a insider/outsider distinction.
3. COURT:
a. Rejects Government’s Co
establish “the transmission of a program, information, code, or command under §1030(a)(5)(A). Transmission of the program to delete content. Pushing the delete button “transmits a command, but stretches the statute too far.”
C. US v. Carlson: (mens rea for 5K in damages felony enhancement) ∆, die-hard Phillies fan sent 1,168 emails to 6 Phillies sports writers and 5,000 emails to one address at the Phillies. (1030(a)(5)(a)) Intentionally).
1. Intentionally = performing an act deliberately and not by accident. A person acts intentionally when the consequences of his actions were ∆s conscience objective. Intent is subjective and must be based on outward manifestations, words, conduct and other circumstances.
2. H: ∆’s internet savvy, combined w/ his actions could rationally be used as circumstantial evidence to conclude that Carlson intended the consequences of his actions.
D. US v. Sablan (Damage enhancements under (c)(4)(A) are SL): After being fired, ∆ went back to the bank where she worked and deleted or damaged bank computer files.
1. H: The felony enhancements found in §1030(c)(4)(A)(i) are strict liability.
I. PROPERTY CRIMES
A. People v. Johnson (1990): D said to potential customer: “you can call the whole world for $8.00.” Selling AT&T credit card number. Defendant argues that the charge of possessing stolen property is facially insufficient because he did not posses the actual card, arguing that the numbers themselves are not tangible property.
1. Property: any money, personal property, real property, computer data, computer program, thing in action, evidence of debt or contract, or any article, substance or thing or value…which is provided for a charge or compensation.
2. H: Card number has inherent value and qualifies as a “thing of value” under the definition of property.
3. Issues
a. Is this a thought crime? Can knowing the number be possession of stolen property? Every Anglo-American crime must include a guilty act. LaFave.
b. Three phases for addressing the rule: (1) accessing, (2) possessing, (3) use.
c. Stolen because he had the number? Had the number and intended to use the number
B. United States v. Farraj (2001): Tried to sell Orick 400 page trial plan. Emailed 80 pages of the plan to defendants’ attorneys and offered to sell the entire plan. Violation of 18 USC §2314: liability to whoever: “transports, transmits, or transfers in interstate or foreign commerce any good, wares, merchandise, securities, or money, of the value of $5,000 or more, knowing the same to have been stolen, converted, or taken by fraud…”. Defendant argues § 2314 only applies to tangible goods, not information.
