Table of Contents

Computer Fraud and Abuse Act

Economic Crimes

Threats and Harassment

Vice Crimes

Child Exploitation Crimes

Entrapment/Traveler Cases

Sentencing Guidelines (Pg 278 of the book)

4th Amendment

Encryption

The 4th Amendment in the Network Context

Statutory Privacy Protections

The Wiretap Act (“Title III”)

The Pen Register Statute

Stored Communications Act

Scope of Federal Power vs. State Power

International Computer Crimes

FISA Stuff

Computer Fraud and Abuse Act

  • Access and Authorization
  • Computer Access- two types
  • Virtual- access when you get into the computer by user’s perception
  • Physical- just visiting a website is access (majority view)
  • Assume everything is access and focus on authorization
  • Authorization
  • Three ways access can be unauthorized

Circumventing code/ “code based”

  • Without Authorization- bypassing a wall by wrong means, guessing a password, exploiting a weakness in a program contrary to its intended use
  • The Authorization given applies to specific computer/files and not the entire network

Contract violation

  • Unauthorized access can be defined by terms of service, but are subject to the void for vagueness doctrine
  • Breach of duty of loyalty?
  • Limitations must be on what a person can obtain/alter, but employers MUST limit use

Social Norms

  • Disloyal employee
  • 7th Cir sys that breaching duty of loyalty to employer is exceeding authorization (Nosal)
  • 9th Cir- (Brekka) Adopts code based only- if you work for the company, and use the computer to harm your employer, that’s not exceeding access
  • The Computer Fraud and Abuse Act- 18 USC §1030
  • (e) Definitions of key terms
  • “Protected computer” is basically any computer now
  • “Exceeds authorized access”- accessing a computer with authorization and using that access to alter information that the person is not entitled to obtain/alter
  • “Damage”- any impairment to the integrity/availability of the data, program, system, or information
  • “Loss”- any reasonable cost to any victim, including consequential damages incurred because of interruption of service

Must have a nexus to the intrusion

Look at hours worked x hourly rate

  • (a) Violations of the statute (based on trespass regime of unauthorized access)
  • Prohibits access to a protected computer without authorization and/or exceeding authorized access to a protected computer

(1) Hacking to obtain classified government secrets

(2) Obtaining information plus unauthorized access

  • Obtaining information includes mere observation of the data
  • Type of data is irrelevant
  • Protected computer is basically any computer
  • Normally a misdemeanor with one year max punishment
  • Felony with 5 year max if
  • Committed for commercial advantage/ private commercial gain
  • In furtherance of a criminal act OR
  • Value of information exceeds $5,000
  • Multiple convictions can trigger a felony violation and up to 10 years in prison

(3) Trespass to US government computers

  • Always a misdemeanor
  • No requirement that any information be obtained
  • Only for access without authorization

(4) Fraud

  • unauthorized access plus computer misuse that furthers a fraud
  • Property-based approach
  • This section doesn’t apply ONLY IF the object of the fraud is the use of the computer and value of the use is no more than $5,000.

(5) Computer misuse that results in damage and intentionally damaging

  • Mens Rea- unauthorized access must be intentional, but damages don’t have to be
  • (A) Knowingly causes damage without authorization
  • Damage is the thing that is not authorized

Sending something to the server that causes damage

  • Can be misdemeanor or felony
  • (B) Intentional access without authorization that recklessly causes damages
  • Doesn’t require loss
  • Requires recklessly impairing integrity of availability of information
  • (C) Intentional access without authorization that causes damages and loss
  • Strict liability beyond intentional access without authorization
  • Can only be a misdemeanor
  • Requires impairing integrity or availability of information and causing financial loss
  • (A) and (B) are a felony if
  • $5000 ormore of loss, physical injury,modification of medical diagnosis, threat to public health, US government computers for administering justice, damage to 10 or more computers.

(6) Password Trafficking

(7) Extortion

  • Prohibits extorting money or property by threats to cause damage to computers
  • 5 year felony
  • (b) Attempting to violate this statute is a crime as well
  • (g) Authorizes civil lawsuits under this statute

Economic Crimes

  • General Property Crimes
  • Theft/Fraud- taking with intent to permanently deprive
  • Possessing stolen property- knowingly possessing property that is stolen
  • Transporting stolen property- across state lines
  • Electronic Espionage Act
  • Trade Secrets
  • Punishes stealing, copying without authorization, downloading, uploading, etc. of a trade secret with intent to convert it for the economic benefit of someone other than the owner
  • Trade secret- information with economic value because it is not generally known, and the owner has taken reasonable measures to keep that information a secret

Not something tangible- must be something about the product that gives it credence

  • Fraudulent Documents
  • Deals with fake passports, IDs, government docs generally made by computers
  • Treats these items like contraband- no possession
  • Access Device Fraud
  • Any card/number/code that can be used to help obtain goods and services
  • Prohibits using, possessing trafficking, etc. to use counterfeit/unauthorized access devices with the intent to defraud
  • Copyright Law
  • Protects rights in original works in tangible mediums for limited times
  • Only protects the expression of the idea, not the idea itself
  • Fair use allows de minimus infringement.
  • Basically small use that’s not economically harmful
  • Criminal Law factors
  • Defendant infringed the copyright
  • Acted willfully

Defendant must know that what he is doing is unlawful

Engaging in the business to want/try for a profit is enough

  • Sometimes must prove certain dollar value of loss

Felony is total loss of $2500 or more

  • Actual profit not required, just that you want to/are trying to make a profit
  • Intent to profit is just an enhancement to the punishment

Threats and Harassment

  • Interstate threat to kidnap or injure the person of another (felony) 18 USC 875(c)
  • Transmission in interstate/foreign commerce
  • Threat – serious expression of intent to harm, aimed at achieving some goal
  • Remember no protection for a true threat- where the speaker means to communicate a serious expression of an intent to commit an act of unlawful violence to a person/group
  • Look at language itself, context, testimony by recipient
  • Threats to harm property/ threats to damage a computer [10 USC 1030(a)(7)]
  • Harassment statute- Crime to make a telephone call/use telecom device without disclosing identity and intent to annoy
  • Cyber stalking- intent to place another in state of reasonable fear of death or serious bodily injury to them, immediate family, spouse/gf, and uses any instrumentality of interstate commerce

Vice Crimes

  • Wage Wire Act prohibits being in the business of taking bets if taking bets is illegal under state law
  • This also prohibits transmission of information assisting in the placing of bets as well as the bets themselves
  • Very hard to enforce because of jurisdictional issues
  • Obscenity
  • Can punish distribution, but not possession (except for child porn)
  • Obscenity test
  • If the average person, using contemporary community standards, would find that the work appeals to the prurient interest
  • Whether the work depicts/describes sexual conduct in a patently offensive way (Community standard)
  • Whether it lacks serious literary, artistic, political, or scientific value

Child Exploitation Crimes

  • Receipt, Distribution, and Possession of Digital Contraband
  • 18 USC 2252(a)
  • (1)Prohibits knowingly sending child pornography in interstate commerce
  • (2) Prohibits exchange of possession of child porn
  • (3) Prohibits selling/possession with intent to sell
  • (4) Prohibits possession on federal property
  • To prosecute, must show
  • The images possessed depicted real minors (not virtual images) AND
  • Possession requires knowledge and control
  • That the defendant knew the images he possessed depicted real minors

Use of direct and circumstantial evidence of actual knowledge or willful blindness

Entrapment/Traveler Cases

  • Enticement
  • Persuading minor to travel interstate to engage in an illegal sexual act
  • Using means of interstate commerce to persuade/attempt to persuade minor to engage in an illegal sexual act
  • Persuade = actually convince
  • Attempt= substantial step towards persuading
  • Entrapment Defense
  • Entrapment is a jury question
  • Defendant has the burden to show he was induced, then the government has the burden to show BRD that the defendant was not induced or that he was predisposed to commit the crime
  • Inducement- opportunity to commit the crime plus some excessive pressure
  • Predisposition- evidence from defendant’s past to show he was unusually inclined to commit the crime
  • Basically- Did the government’s conduct cause the crime?

Sentencing Guidelines (Pg 278 of the book)

  • Special skill enhancement
  • You are more liable if you use your special skills to exploit people
  • Special computer skill- extraordinary knowledge of how computers work and how to bypass security systems
  • Test- Special skill as compared to society at large
  • Computer Misuse Cases/Economic Crimes
  • Offense level starts at 6
  • Punishment based on amount of economic loss (reasonably foreseeable $$ harm)
  • Remember that in 1030 crimes, unforeseeable $$ harms are included in loss
  • Guilty plea- deduct 2 points
  • Child porn
  • Start with 18 points (for just possession) or 22 (for distribution, receipt, or possession w/ intent to sell)
  • Special circumstances of supervised release must be reasonably related to factors (Factors to argue- not binding)
  • Nature of the circumstances of offense/defendant’s record
  • Adequate deterrence to criminal conduct
  • Protecting the public from future crimes
  • Can't be greater deprivation of liberty than reasonably necessary to achieve goal

4th Amendment

  • Search- invasion into someone’s reasonable expectation of privacy
  • Must be objectively and subjectively reasonable
  • Presumptively unreasonable if no warrant unless exception applies
  • Exigency, Consent, SITLA, Border searches, Plain view
  • Test for government action
  • Whether government knew of and acquiesced in the search
  • Whether private person intended to assist law enforcement or had some other specific motivation
  • Things that are visible on the outside are not protected by 4A, just like a container
  • Seizure- meaningful interference with an individual’s possessory interest in that property
  • Data seizures
  • Copying serial numbers is not a seizure- no interference with possessory interest in property
  • Pen register- seizure of number dialed
  • 4th amendment protects the information, not just the media that it’s on.
  • Sniffing for a password is not a seizure because no violation of possessory interest
  • If a private actor conducts a computer search, three options for what the police can access
  • Only the entirety of the file(s) previously searched/exposed
  • The entire physical device (5th Cir rule)
  • Only the information exposed (meaning parts of files seen)
  • Exceptions to the Warrant Requirement
  • Knock and talk
  • Exigency- degree of urgency and time it would take to get a warrant
  • Generally, for computer crimes, there can be a warrantless seizure but not a warrantless search because once you have the data, it’s not going anywhere
  • Consent- what a typical reasonable person would believe the scope of the consent is
  • 3rd party consent- common authority is enough, but password protection defeats common authority

Also invalid where 1st party is present and objects

  • Apparent authority- search may still be reasonable if officers reasonably believed at the time of the search that the 3P had authority to consent

Password protection is the same as a locked trunk

  • SITLA- can search the person and his wingspan pursuant to lawful arrest
  • Can search pagers pursuant to lawful arrest (exigency)
  • Probably can't search a cell phone incident to arrest because too much information and not necessary for cop’s safety
  • Border Searches- Warrantless searches at the border are permissible under sovereignty grounds. No cause or warrant needed.
  • Workplace Searches
  • Private Sector- 4th Amendment applies, employees have a reasonable expectation of privacy except things that are open to the public

Employers can consent usually under 3P doctrine or police need a warrant

  • Public sector- Government workers have a REP unless

Others have access to the same space

Legitimate workplace regulations can deprive employees of privacy rights this is critical to the inquiry

Court must determine whether the search was reasonable in scope, work related, and justified by non-law enforcement needs

  • Search Warrants
  • Probable cause requirement applies to any computers in the home
  • Fair probability that contraband/evidence of a crime will be found in a particular place
  • Must be sufficiently particular
  • Test

Whether PC exists to seize all items of a particular type described in the warrant

Whether the warrant sets out objective standards by which executing officers can differentiate items subject to seizure from those which are not AND

Whether the government was able to describe the items more particularly in light of the information available to it at the time the warrant was issued

  • Also: Must be more particular than “all computers”, but can just list category of electronically stored evidence that the police are looking for
  • Good faith exception: Error in approval of the warrant doesn’t require suppression if officers relied on the warrant in good faith
  • Plain View exception- can seize evidence unrelated to the justification of the search if the incriminating nature of the evidence is apparent.
  • Subjective standard- As long as the officer is looking for evidence described in the warrant, evidence beyond the scope of the warrant is admissible. (Majority view)
  • Objective standard- If the warrant gives the authority to open and look at each file, there is no violation of privacy regardless of the officer’s subjective motivations.

Encryption

  • The 5th amendment applies to prevent a person from incriminating themselves by entering a password if
  • There is legal force applied
  • The information is incriminating
  • The conduct/statement is testimonial
  • Typing a password to decrypt can be testimonial
  • Assume this is the law everywhere

The 4th Amendment in the Network Context

  • Ways to conceptualize
  • Internet as letters- communications over the internet are like sent letters
  • Outside of the letter is not protected because it’s exposed
  • Contents of the letter are protected
  • Exception- Pen Register is not a search because no REP in numbers dialed
  • Internet as speech- no 4th amendment rights because you are speaking out loud with no REP
  • For Content Information and privacy, all judicial opinions have been stricken, but some factors to balance
  • User perception
  • ISP practice
  • Analogy to telegraphs, etc.
  • Terms of service of the ISP
  • Legislation
  • Kerr’s view: Communications networks are substitutes for what happens in the real world. The 4th amendment should be technology neutral.
  • Means there should be 4th amendment protection for content information, but not non-content because it would be public.

Statutory Privacy Protections

  • First question: is the Surveillance Prospective or Retrospective?
  • Prospective- real time during transit/ in the course of transmission
  • Wiretapping goes here
  • Retrospective- access to stored communications kept in ordinary course of business by a 3rd party provider
  • Second question: Content or Non-Content Information?
  • Content- substance of the message
  • Non-Content- information used to deliver communication and network generated information

Prospective / Retrospective
Contents / Wiretap Act
(18 U.S.C. § 2510-22) / Stored Comm. Act
(18 U.S.C. § 2701-11)
Non-Content / Pen Register Statute
(18 U.S.C. § 3121-27) / Stored Comm. Act

The Wiretap Act (“Title III”)

  • Remember this only applies to real time content (repeated access in transit) access
  • Real time- repeated accesses in transit
  • Prohibits the interception of communications without a court order
  • Very high burden to meet (higher than probable cause)
  • Most of the time, exceptions are used instead
  • Delineation between wire and electronic communications
  • Wire- communications that contain the human voice and sent over a wire (basically telephone)
  • Electronic- doesn’t contain a human voice
  • Basically this Act applies as soon as communication is sent into the network and ends when delivered to the end user
  • The only suppression remedy is for the telephone and not electronics
  • If Surveillance Tool is programmed to pick up contents, it must comply with the Wiretap Act.
  • If programmed to pick up dialing, routing, addressing, or signaling (DRAS) information, the tool must comply with the pen/trap statute
  • Lingering Policy Question
  • How much protection should be offered for each type of surveillance?
  • Too low  fishing expedition, too high  harmful to investigation
  • Key is to balance privacy and law enforcement needs
  • Exceptions to the Court Order Requirement
  • Consent- Any party to a communication can consent to monitoring
  • Only one party’s consent is needed
  • Defining “party”- easy to figure out for the phone, for the internet, either look at who the communication is addressed to or who can consent to the communication
  • Must be consent in fact, but can be inferred from actual notice
  • Provider Exception- The network can provide monitoring to uphold the integrity of the network
  • Basic standard is reasonableness in protecting the integrity of the network
  • Exception is very narrow and has to be provider driven

The government can't direct the provider to monitor

Motive of the provider basically needs to be protection of property

  • Trespasser Exception [18 USC 2511(i)]
  • Allows a person acting under color of state law to intercept communications of a trespasser if

Owner/operator of the protected computer authorizes the interception

The person acting is lawfully engaged in an investigation

Person has reasonable grounds to believe the contents of the trespasser’s communications will be relevant to the investigation AND

He only acquires communications transmitted to or from the trespasser

The Pen Register Statute

  • If dialing, routing, addressing, addressing, or signaling information, use Pen Register
  • For collecting non-content information in real time
  • Remember no 4th amendment protection for this information
  • Can't use a pen register or trap device without a court order
  • Remedies for violations of this are criminal misdemeanors
  • No suppression remedies for a violation though
  • If there was a court order, was it done properly?
  • Identification, Certification that the information is relevant, Issued by magistrate
  • The Exceptions are almost the same as those for the Wiretap Act, but apply to private actors as well
  • Consent- allows caller ID
  • Provider- extra broad to prevent unlawful/abusive use of service

Stored Communications Act