Category: Computer Crime

September 21, 2009 Computer Crime, Evidence

MySpace drinkin’ photos causing real life problems again

Last time it was probation being revoked. This time it’s children being taken away. A recent Texas case shows how irresponsible social media use can have some unpleasant consequences.

Mann v. Department of Family and Protective Services, 2009 WL 2961396 (Tex. App. September 17, 2009)

Appellant had her baby taken away by state protective services. She sought review with the court claiming, among other things, that the state had presented “no evidence that [Appellant] engaged in endangering conduct.”

Woo hoo

The court found otherwise, agreeing with the lower court that Appellant had endangered the child. Among the evidence it considered were photos from Appellant’s MySpace account with the following captions, unedited to preserve their original ebullience:

 

  • At Ashley House Dranking it Up
  • Me Helping Ashley Stand Up, Were Both Drunk
  • Me Dancing my ass off, I can dance when I drunk
  • Yall see how much we Dranked plus the one’s that droped on the floor
  • We were all fucked up

Oh, by the way, Appellant was under 21.

The court held that “[t]his evidence could lead a reasonable factfinder to firmly believe that appellant engaged in underage drinking on these two occasions, despite knowing that she was under the legal drinking age.”

Photo courtesy Flickr user Mercury98 under this Creative Commons license.

August 13, 2009 Computer Crime, First Amendment

Is banning sex offenders from social networking sites constitutional?

Mashable and others are reporting on a law that the governor of Illinois signed earlier this week, banning use of social networking sites by convicted sex offenders. The big criticism of that law seems to be that it may be unconstitutional. That question is worth thinking about.

The most likely constitutional challenge will be that the law is too broad. For a law to prohibit certain speech and not run afoul of the First Amendment, it must be narrowly tailored to serve a compelling government interest. Clearly there is a compelling government interest in protecting children and other victims of sex crimes from perpetrators. So the real analysis comes from examining whether this restriction on the use of social networking sites is narrowly tailored to serve that purpose.

What the law says

Let’s back up and take a look at what the new law actually says. In short, it requires any sex offender that is on parole, supervised release, probation, conditional release or court supervision to “refrain from accessing or using a social networking website.” Note that the restriction is not a lifetime ban, but just a restriction to be in effect during the sentence.

There are a number of terms to unpack.

There is a prohibition on “accessing” and “using.” This is kind of redundant, because the statute defines “access” as “to use, instruct, communicate with, store data in, retrieve or intercept data from, or otherwise utilize any services of a computer.” (The redundant part comes from the fact that to “use” is part of the definition of “access”.)

The most important definition for our discussion is that of a “social networking website”:

“Social networking website” means an Internet website containing profile web pages of the members of the website that include the names or nicknames of such members, photographs placed on the profile web pages by such members, or any other personal or personally identifying information about such members and links to other profile web pages on social networking websites of friends or associates of such members that can be accessed by other members or visitors to the website. A social networking website provides members of or visitors to such website the ability to leave messages or comments on the profile web page that are visible to all or some visitors to the profile web page and may also include a form of electronic mail for members of the social networking website.

This is a tortured definition plagued by a couple of runon sentences, but in essence, a social networking website, as defined under Illinois law, is any site that has:

  • profile pages that contain
  • identifying information such as names, usernames or photographs, and which are
  • linked to other profile pages of “friends or associates” that can be
  • accessed by other members or visitors to the website, and
  • provides the ability to leave messages or comments on the profile visible to others

In a rather strange style for legislative writing, the definition says that a social networking site “may also include” direct messaging. That’s weird to say in a statute — does it have to include direct messaging to be considered a social networking site? One could argue either way. So that part of the definition does nothing to assist.

How one can run afoul of the law

By merely accessing a social networking site, a sex offender violates this new law. He or she doesn’t have to actually use any of the social networking functionality, all that is necessary is to merely retrieve data from the computer on which the site is stored. Clearly it would be verboten to use MySpace and Facebook. But also off limits would be LinkedIn and Focus. Flickr? YouTube? No way, even if the offender is just going there to passively view content for completely benign purposes.

The constitutional problem

Remember, the law has to be narrowly tailored to meet the compelling state interest. That means that if there is some less restrictive alternative than the law as enacted to fix the problem, the law is too broad and therefore unconstitutional. It would certainly seem that there is something less restrictive than a prohibition on merely visiting a website with social media functionality. A good start would be more aggressively targeting the actual online conduct that might put people at risk — actual online interaction through social media.

But it is far from clear. The Seventh Circuit (which is the federal appellate court that would hear a constitutional challenge to an Illinois law) has held that a convicted sex offender can lawfully be prohibited from visiting a city park. See Doe v. City of Lafayette, 377 F.3d 757 (7th. Cir. 2004). In a city park there is plenty of conduct one can undertake which is not unlawful or does not threaten others. And the court held that restriction was not unconstitutional. There is plenty of conduct one can engage in on a “social networking site” as defined by the statute that is not harmful as well.

Is the comparison between a city park and a social networking site justified?

Keyboard image courtesy Flickr user striatic under this Creative Commons License.

August 12, 2009 Computer Crime, Evidence

Conviction for sending intimidating MySpace message overturned

Marshall v. State, 2009 WL 2243467 (Ind. App. July 28, 2009)

Gotta love the facts of this case from my home state of Indiana.

Marshall and Goodman traded cars with one another, but that deal went sour. Marshall then got into an altercation with Goodman’s mother (named Lee) and Marshall was arrested. She was also ordered to have no contact with either Goodman or Lee. Three days after her arrest, Marshall sent the following (redacted) private message through MySpace to Goodman:

Dont think that you are gonna get away from this s***. you can’t hide forever and one of these days when you are out and about … you know thy aint going to pin nothing on me. Cant prove s***. aint gonna and I am just waiting for that day. You want a war? ? ? Your gonna get it now f*****. I don’t know YET who told you the s*** in my blogs or was feedin you info on me but you can rest assured that I am gonna f*** them uptoo when I found out. And I WILL find out. The s*** aint done and you better know that. Its only a matter of time.

The b**** you know I can be.

(Ed. note: stay classy, Ms. Marshall!)

Based on this message, Marshall was convicted of felony intimidation against Lee. The prosecution had argued that Marshall committed this crime by communicating a threat to knowingly injure Lee, with the intent that Lee be placed in fear of retaliation for calling the police.

Marshall sought review of her conviction with the Indiana Court of Appeals. On appeal, the court reversed the conviction.

The court held that the prosecution failed to prove its allegations of intimidation against Lee, because the message was sent to Goodman’s ( and not Lee’s) MySpace account. Even though an intimidating communication may be indirect, the state had to prove that Marshall must have known or had reason to know that her communication would reach Lee. In this case, there was no such proof.

The MySpace message was not addressed to Lee, nor was she mentioned by name. Accordingly, there was no evidence that Marshall knew or had reason to know that Goodman would show the message to his mother.

Photo courtesy Flickr user subewl under this Creative Commons license.

August 3, 2009 Computer Crime

Drinkin’ photos on MySpace send man to prison

Lesson of the day: don’t post pictures of yourself on MySpace holding a beer if the conditions of your probation don’t let you drink alcohol or use the internet.

Defendant Pressley pled guilty to some ugly crimes and was sentenced to a lifetime of probation. As part of the deal, he promised not “to consume or drink any substance containing alcohol,” and to “not possess, use or have personal access to any computer or similar equipment that has internet capability without prior written permission of [his] Probation Officer.”

In July 2007, Pressley’s probation officer paid him a visit. There in Pressley’s house was a vodka bottle two-thirds empty (or as I like to say, one-third full) and a laptop having a desktop icon with Pressley’s name. (It’s not clear what that icon was, but it sounds like a profile icon for Windows XP.)

The state filed a petition to revoke Pressley’s probation. The trial court granted the petition and sentenced him to ten years in prison. Pressley appealed. On review, the court affirmed the prison sentence.

The most intriguing argument that Pressley made to the appellate court was that the lower court erred in admitting photos of Pressley holding a beer. According to Pressley’s wife’s testimony, the photos came from her MySpace page. One of the other pictures had a caption, as if written by the defendant, that said, “Me and my wife.” The court found that these pictures were relevant to whether Pressley violated the terms of his probation.

Good thing you’d never see anything like this over at Sorry I Missed Your Party.

July 2, 2009 Computer Crime

What the Lori Drew acquittal should mean for service providers

You know the story of Lori Drew — the mom from Missouri who was accused of setting up a bogus MySpace profile impersonating an adolescent boy. Lori acted as this fake “Josh” to stir up romantic feelings in young Megan Meier who, after being dumped by “Josh,” took her own life.

A terrible thing of course. And someone needed blaming. So federal prosecutors chose to go after Lori Drew. The jury convicted her of violating the Computer Fraud and Abuse Act (the federal anti-hacking statute), but today the judge acquitted her. Seems like a good decision, as the theory on which the prosecution based its case — that Lori violated the site’s terms of service by saying she was someone other than she is and thereby exceeded her authority — was shaky at best. The big problem with that theory was that such a reading would make most of us criminals. I’m sure you don’t mean to tell me you’ve never signed up for an online service using something other than your real name or accurate contact information.

Most smart people can agree that the Computer Fraud and Abuse Act was not the right way to punish this “crime.” Various states have enacted legislation to handle cyberbullying and are already prosecuting people in state court. But the problem is not going to go away. People will still do foolish things on the internet.

And to the extent that foolishness is criminal, the individual should pay a criminal price. The individual.

Using the Computer Fraud and Abuse Act to go after this conduct put the contractual relationship between the end user and the provider (i.e., Lori Drew and MySpace) under the microscope where it did not belong. The court and jury had to scrutinize that contractual relationship and the resulting authority (or lack thereof). They had to do that because there was no other way the government was going to win a CFAA prosecution otherwise.

Focusing on that relationship in this context did not make sense. MySpace didn’t have anything to do with this other than being a passive intermediary. Why should the inquiry at trial have gone to those kinds of questions? Why should the intermediary have been bothered? It shouldn’t have.

The bad act was (I guess we have to again say “allegedly was” now that she’s been acquitted) between Lori Drew and Megan Meier. That’s the space where the factual focus and legal analysis belonged. Not in the legal relationship between Lori Drew and MySpace.

Now that we have a sensible legal outcome in this case, hopefully prosecutors will take some more principled approaches and leave the intermediaries out of it.

June 23, 2009 Computer Crime

Unauthorized software downloads did not violate Computer Fraud and Abuse Act

Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)

Cassetica Software made an application available for download on the web and entered into a license agreement for that application with Computer Sciences Corporation (CSC). Cassetica alleged that CSC continued to download the application after the license agreement expired.

download

So Cassetica sued in federal court, alleging a number of causes of action, including violations of the Computer Fraud and Abuse Act, 18 USC 1030 et seq. (CFAA). CSC moved to dismiss pursuant to FRCP 12(b)(6) for failure to state a claim. The court granted the motion, finding that Cassetica did not plead either damage or loss as required by the CFAA.

What the CFAA requires

Interpreting the CFAA differently that at least one other judge in the Northern District of Illinois has (cf. Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008)), Judge Kendall held that Cassetica was required to plead either damage or loss as such terms are defined in the CFAA. (In Garelli Wong, the court held that both damage and loss must be pled.)

Under the CFAA, “damage” is defined as “any impairment to the integrity or availability of data, a program, a system, or information.” “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

Insufficient damage allegations

The bare allegations of damage in the complaint were not enough. The court found that Cassetica did not allege any facts that would plausibly suggest that the software downloads — authorized or not — caused a diminution in the computers or usability of [Cassetica’s] computerized data.” The court went on to observe that “[c]ritically absent from the Complaint are allegations that CSC’s downloads resulted in lost data, the inability to offer downloads to its customers, or that the downloads affected the availability of the software.”

Insufficient loss allegations

Cassetica’s complaint also failed to plead loss. The allegations primarily dealt with the lost fees Cassetica would have received had the alleged unauthorized downloading not taken place. Because Cassetica did not allege that it lost revenues as a result of an interruption in service caused by CSC, its claim for lost revenue fell outside the CFAA’s definition of “loss.”

Download picture courtesy Flickr user soren_nb under this Creative Commons license.

March 17, 2009 Computer Crime, Litigation

Facebook message was not witness tampering

Maldonado v. Municipality of Barceloneta, 2009 WL 636016 (D. Puerto Rico March 11, 2009)

Diaz was a defendant in a federal case in which Febus was a witness for the plaintiff. Diaz invited Febus to join a Facebook group, but Febus declined. Later Diaz sent a message through Facebook which, after translation, read as follows:

If you want to see the evidence that exists against the municipality let me know so that you can inform yourself well and please consult with a lawyer your civil responsibilities as far as defamation. Soon we will be filing a lawsuit and you could be included. My only request is that you are objective when mentioning my name.

Febus sought a protective order under the federal witness tampering statute, 18 U.S.C. 1512 which provides, in relevant part, that “[w]hoever knowingly uses intimidation, threatens, or corruptly persuades another …, or attempts to do so, … with [the] intent to … cause or induce any person to … withhold testimony … from an official proceeding[,]” is guilty under the statute.

The court denied the motion for protective order, finding that there was no evidence, neither raised by the plaintiff nor observable through inference, that Diaz intended to intimidate Febus. “This court can only see one threat in his Facebook message: the threat of future litigation. This is an insufficient basis for finding witness tampering.”

February 5, 2009 Computer Crime, Employment

Probable cause existed to arrest employee for criminal data tampering

Deng v. Sears, Roebuck & Co., 552 F.3d 574 (7th Cir. January 5, 2009).

Employee Deng got a bad review from his employer Sears, Roebuck & Co. Disaffected, he took disability leave but continued to come into the office. On one of these visits, he deleted a bunch of data relating to work he had been doing. It cost Sears more than $40,000 to restore that data.

Sears called the police to report the data deletion, and Deng was arrested a year and a half later in Massachusetts (which is where he had fled). Deng was charged with violation of 720 ILCS 5/16D-3(a)(3), the Illinois law that prohibits tampering with computer files without the permission of the files’ owner. The criminal court dismissed the charges at the preliminary stage because a witness failed to appear.

Deng then filed a federal civil action against Sears for malicious prosecution. After his case was thrown out at the district court level, he sought review with the Seventh Circuit. On appeal, the court affirmed the dismissal of Deng’s suit. Among the things Deng was required to prove was that his arrest was made without probable cause. The court found that probable cause existed.

Deng had argued that he was authorized to delete the data, since statistical modelers like him were expected from time to time to free up disk space and get rid of unneeded data. One problem with this argument, however, was that Deng was on disability leave. Nothing in the record showed that the remaining Sears employees thought the data was no longer needed. After all, they spent significant sums to restore it. Moreover, because Deng was on disability leave, he had no authority to do anything with the data, let alone get rid of it. Finally, Deng’s fleeing after the troubles began was an indicator to authorities that he had done something wrong. Probable cause requires an objective analysis. Flight added to the impression that a crime had been committed.

Tennessee lawyer Jack Burgin also discusses this case at his blog Our Own Point of View.

January 12, 2009 Computer Crime, Employment, Trade Secrets

No CFAA claim where no impairment of system or data

Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2008)

When defendants Pettit and Harper worked for plaintiff Andritz, Inc., they had company-issued laptops with which they accessed proprietary information. After defendants resigned, they allegedly took that proprietary information and gave it to defendant-competitor SMC.

Andritz sued in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss for failure to state a claim. The court granted the motion.

The CFAA claim failed because the plaintiff did not allege the type of “loss” or “damage” required to sustain such a claim. The loss that plaintiff alleged was that defendants took proprietary information and used it to poach customers.

But the CFAA requires there be an impairment of the computer system or data accessed. Because the plaintiff “still had access to the data just as it had before [d]efendants’ actions,” there was no violation of the CFAA.

Similar cases: Sam’s Wines & Liquors, Inc. v. Hartig and Garelli Wong & Assoc. v. Nichols.

Laptop photo courtesy Flickr user maveric2003 via this Creative Commons license.

October 23, 2008 Computer Crime

No damage under Computer Fraud and Abuse Act for merely copying customer list

Sam’s Wines & Liquors, Inc. v. Hartig, 2008 WL 4394962 (N.D.Ill. September 24, 2008)

Hartig worked for Sam’s Wines & Liquors and had access to a password-protected customer list. Hartig left Sam’s in June 2005 and went to work for Plinio Group. Some two and a half years after leaving Sam’s, Hartig sent an email to customers appearing on Sam’s list, soliciting business for Plinio.

Sam’s claimed that Hartig used his password to access and copy the customer list prior to the time he resigned. So Sam’s sued Hartig for a number of things, including violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030 et seq. Hartig moved to dismiss the CFAA claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court granted the motion.

Hartig put forth three arguments why the CFAA claim should be thrown out. First, he argued that Sam’s had not and could not adequately allege that Hartig accessed a protected computer without authorization, or that he exceeded his authorized access. Second, he argued that Sam’s had not and could not allege that it suffered “damage” under the CFAA from Hartig’s conduct. Finally, he argued that Sam’s had not and could not allege that it suffered “loss” under the CFAA from Hartig’s conduct.

The court held that Sam’s adequately pled unauthorized access to a protected computer (applying the agency principles Judge Posner set forth in Intl. Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)). It also held that the expenses Sam’s incurred in responding to Hartig’s alleged conduct were properly pled as “loss” under the CFAA. But the claim failed on the damage element: merely accessing the information and allegedly using it while working for a competitor was not “impairment to the integrity or availability of data, a program, a system, or information.”

See Garelli Wong & Assoc., Inc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008) for a similar analysis.

Scroll to top