Category: Computer Crime

October 21, 2008 Computer Crime, Privacy

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

July 17, 2008 Computer Crime

CFAA requires intent to cause harm, not merely intent to transmit

Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008)

The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq. creates civil liability for anyone who “knowingly causes the transmissions of a program, information, code, or command, and as a result of such conduct intentionally causes damage without authorization, to a protected computer.” Does this mean that the defendant has to intend to cause harm, or does it simply mean that the defendant merely intended to cause the transmission? The U.S. District Court for the District of New Jersey chose the former in the recent case of Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008).

Plaintiff Kalow got hooked on the defendant’s software, which converted and stored plaintiff’s data in a proprietary format. In March 2006 the software stopped working because of a purported “time bomb” that defendant included in the application. To get the program working again, Kalow had to upgrade at a cost of over $15,000.

Kalow sued, and claimed, among other things, violation of the Computer Fraud and Abuse Act. The defendant moved to dismiss, and the court granted the motion with leave to amend.

In its complaint, Kalow had alleged that the defendant “intentionally transmitted a software code” to Kalow’s computer system and that the “software code [that defendant] intentionally transmitted to these computer systems caused damage to them.” The court found that these allegations were insufficient, as Kalow had not actually averred that defendant intended to cause harm.

The court rejected Kalow’s reliance on the case of Shaw v. Toshiba America Information Systems, Inc., 91 F.Supp.2d 926 (E.D.Tex.1999), concluding that the plaintiffs therein not only pled that the defendants knowingly had transmitted code, but that the defendants “knew [it] would cause the loss and corruption of data….” The court similarly rejected Kalow’s reliance on North Texas Preventive Imaging, LLC v. Eisenberg, No. 96-0071, 1996 U.S. Dist. LEXIS 19990, observing that the 1994 amendments to the CFAA embodied Congress’s aim to emphasize harmful intent and resultant harm rather than just unauthorized access.

July 1, 2008 Computer Crime, Miscellaneous

Accused blogger did not cause substantial emotional distress

Ramsey v. Harman, — S.E.2d —-, 2008 WL 2415127 (N.C.App. June 17, 2008)

Defendant Harman maintained a blog on which she put up some posts accusing plaintiff Ramsey’s daughter of being a bully. Harman also posted this:

With all the bulling [sic] and harassing that goes on in our school system. Then the trouble that went on Friday at Madison Middle. The first student in that age group that came to mind was [plaintiff]’s daughter. Wasn’t this the student that harassed the Cantrell child? And we wonder why some kids hate to go to school…..

Ramsey apparently took great offense, filing suit against Harman for “stalking” under North Carolina law, and sought a “civil no-contact order” (like a restraining order) against Harman. The trial court granted the no-contact order and Harman sought review with the state appellate court. On appeal, the court reversed.

Harman argued that the lower court erred in finding that she had violated the state’s anti-stalking law (N.C. Gen. Stat. §50C-1(6)). She also argued the order violated her First Amendment rights. Because the court found there was insufficient evidence to support a violation of the statute, it did not need to rule on the constitutional issue.

The main question before the court was whether Harman’s blog posts were intended to cause, and indeed did cause, “substantial emotional distress” to Ramsey and her daughter. The court found there was no such showing. There were no threats of physical harm, and the only evidence as to the effect on the plaintiff’s daughter was that she was “embarrassed” when teachers at school were reading the blog posts. But there was evidence that the school had blocked access to the website, making the claim implausible to begin with. There were no communications directly between the defendant and the plaintiff, and the plaintiff’s daughter’s name was never mentioned. Moreover, there was evidence that the posts were made in retaliation over a disagreement between the Harman and Ramsey which had taken place on a political website, and over an alleged threatening phone call Harman had gotten from some of Ramsey’s family members.

June 14, 2008 Computer Crime

Company may be liable under Computer Fraud and Abuse Act for targeting and directing competitor’s employee to violate the Act

Binary Semantics Limited v. Minitab, Inc., No. 07-1750, 2008 WL 763575 (M.D. Pa. March 20, 2008)

Plaintiff Binary Semantics Limited is a company with expertise in promoting and selling software in India. Defendant Minitab, Inc. is a software development company that for several years had an agreement with Binary whereby Binary would promote and sell Minitab’s software in India. Minitab eventually decided that it would eliminate Binary’s services and sell directly in the Indian market.

Minitab allegedly contacted several of Binary’s employees and induced them to turn over some of Binary’s trade secrets and other information that would help Minitab hold its own in India. One of these Binary employees was a woman named Asha.

Asha

After Asha turned over the information to Minitab, Binary filed suit against Minitab, some of Minitab’s employees, and Asha, alleging, among many other things, violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (“CFAA”). Minitab moved to dismiss the CFAA claim pursuant to FRCP 12(b)(6), arguing that none of its employees had violated the Act, but that Binary’s own employee, Asha, had. The court denied the motion to dismiss as to the CFAA claim.

Binary was required to plead four elements under the CFAA: (1) that Minitab accessed a protected computer, (2) without authorization or by exceeding such authorization as was granted, (3) knowingly and with intent to defraud, and (4) as a result furthered the intended fraud and obtained something of value.

In denying the motion to dismiss, the court found that Binary’s allegations were sufficient to state a claim against Minitab, even though it was actually Asha’s conduct that allegedly brought about the offense. Specifically, the complaint alleged that Minitab targeted Asha and that Asha did indeed access a protected computer. Further, the information retrieved eventually made its way to Minitab.

It was not a situation where Minitab merely received the information from a protected computer. Rather, the complaint sufficiently alleged that the unauthorized access was an action undertaken at the direction of Minitab. Therefore, Minitab could be held liable for the conduct.

May 17, 2008 Computer Crime

What’s the story on the MySpace suicide indictment?

The media has given a lot of attention to the indictment by a federal grand jury in Los Angeles of the mother who allegedly set up a bogus MySpace account to harass one of her daughter’s 13 year old friends. That friend later hung herself in the closet, purportedly because of the harassment.

But what’s the basis of the indictment? It’s not for homicide, nor even harassment. It’s for criminal violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, a subject which we’ve covered a number of times here on Internet Cases. In so many words, the defendant is accused of accessing MySpace’s servers without authorization, namely, in violation of the site’s terms of service.

Orin Kerr covers the governmnet’s theory in detail over at the Volokh Conspiracy, and also spells out why he thinks the case should fail.

March 19, 2008 Computer Crime

CD-ROM is not a computer

GWR Medical, Inc. v. Baez, No. 07-1103, 2008 WL 698995 (E.D.Pa. March 13, 2008)

Now there’s a revelation in that headline.

Plaintiff GWR Medical terminated defendant Baez’s position with the company. Baez took with him a CD-ROM containing training materials and, the company alleged, trade secrets. When Baez wouldn’t return the CD, GWR sued him in federal court for violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”).

Baez moved to dismiss the CFAA claim, and the court granted the motion. It held that a CD-ROM did not meet the definition of “computer” under the CFAA, and thus the claim could not stand.

The CFAA provides, among other things, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information” violates the law. GWR asserted that Baez’s violation occurred when he kept the CD-ROM after he was terminated, thereby exceeding the authorization previously given to him.

A “computer” is defined in the CFAA [at 18 U.S.C. § 1030(e)(1)] as follows:

An electronic, magnetic, optical, electrochemical, or other high speed data processing device that performs logical, arithmetic or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include an automated typewriter or typesetter, a portable hand held calculator, or similar device.

Electrochemical? Say what? And thank goodness we don’t have to hear about CFAA lawsuits brought for sneaking in late at night to use the automated typewriter. Hey man, come back with my calculator!

In any event, the parties each presented expert testimony on the question of whether a CD-ROM constitutes a computer. The court parsed the definition into three requirements: (1) “[a]n electronic, magnetic, optical, electrochemical, or other high speed data processing device;” (2) “performing logical, arithmetic, or storage functions;” which (3) “includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” If at least one of these requirements were not met, then the CD-ROM fell outside the definition.

Central to the court’s conclusion was the requirement that a computer process information. It found that the lack of the capacity to process information was fatal to GWR’s assertion that the CD-ROM met the statutory definition. Instead, the disc was analogous to a compilation of documents and training materials. Accordingly, the court dismissed the CFAA claim.

February 18, 2008 Computer Crime

MySpace friend request results in criminal charges

People v. Fernino, — N.Y.S.2d —-, 2008 WL 382348 (N.Y.City Crim.Ct. February 13, 2008)

An order of protection, issued by a New York family court, required that defendant Fernino have no contact with a certain Delgrosso. After Fernino added Delgrosso as a “friend” on MySpace, she was charged with contempt of court for allegedly violating the order of protection.

Fernino moved to dismiss the criminal complaint against her, arguing that even if the allegations were true, the purported “contact” through “friending” Degrosso would not support a conviction on the charges. The court denied the motion to dismiss.

Finding that adding Delgrosso as a friend in the social networking context was prohibited “contact,” the court cited to People v. Kochanowski, 186 Misc.2d 441, 442 (App Term, 2nd Dept 2000) and People v. Johnson, 208 A.D.2d 1051 (3rd Dept 1994). In Kochanowski, the appellate court affirmed the harassment conviction of a defendant who participated in building a bogus Web site containing, among other things, alluring pictures of his ex-girlfriend. In Johnson, the court held that the defendant committed aggravated harassment by responding to a personal ad in the victim’s name, causing the person placing the ad to contact the victim.

In this case, the court observed that even though Delgrosso could have simply denied the friend request, it was still a form of contact. It found that the form of communication was no different from the defendant having a third party say to Delgrosso, “Your former friend wants to communicate with you. Are you interested?”

It should also be noted that the court cited approvingly to Wikipedia for a description of MySpace and to Alexa for information about MySpace’s popularity.

Mark Fass of the New York Law Journal has more on this case here. The MyCrimeSpace blog has its take on the case here.  Also found on MyCrimeSpace is this article from last year about a poor chap in the UK who was found to have violated a restraining order for friending his ex-wife on Facebook.

January 29, 2008 Computer Crime, First Amendment

Court rejects constitutional challenges to obscenity statutes in prosecution of adult website owner

U.S. v. Little, No. 07-170, 2008 WL 151875 (M.D. Fla. January 16, 2008)

The operator of the Max Hardcore website was indicted under 18 U.S.C. §§1462 and 1465 for distributing allegedly obscene video files which agents downloaded in Tampa, Florida. Max Hardcore moved to dismiss the indictment, raising a number of constitutional challenges to the prosecution. The court rejected each of the defendant’s arguments and denied the motion.

Statutes not facially unconstitutional

The court declined to accept the defendant’s argument that because of the evolving nature of substantive due process law, prior Supreme Court decisions upholding the federal obscenity statutes were no longer valid. It also refused the defendant’s argument that the constitutional right to privately posses obscene materials should translate into a corresponding right to distribute such material.

Statutes not unconstitutional as applied

The defendant also launched a couple of challenges to the application of the Miller test, set forth in the Supreme Court’s decision of Miller v. California, 413 U.S. 15, 93 S.Ct. 2607 (1973). Under the Miller test, the finder of fact determines whether material is obscene by applying the following test: (a) Whether “the average person, applying contemporary community standards’” would find that the work taken as a whole, appeals to prurient interest; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political or scientific value.

Max Hardcore’s challenge to the Miller test dealt with the requirement that the works at issue be “taken as a whole.” The defendants argued that because of the interconnected nature of the Web, it would be impossible to know what the term “taken as a whole” means, and it would similarly be impossible to determine the community standards against which the works should be evaluated. At the very least, the defendant argued, the entire Max Hardcore site should be considered the work “taken as a whole,” and not just the individual video files.

With little analysis, the court sided with the government, holding that the individual files – and not the whole website – should be the works “taken as a whole.” And the court concluded that the absence of a universal community standard was okay. Citing to U.S. v. Bagnell, 679 F.2d 826 (11th Cir. 1982), it held that “[i]t is constitutionally permissible to subject defendants in obscenity prosecutions to varying community standards of the various judicial districts into which they transmit obscene material.”

January 28, 2008 Computer Crime, Litigation

Damage under CFAA must involve some diminution of the system to be actionable

Garelli Wong & Assoc. v. Nichols, No. 07-6227, 2008 WL 161790 (N.D. Ill. January 16, 2008)

A recent decision from the U.S. District Court for the Northern District of Illinois presents a pretty typical fact pattern (employee leaves with sensitive data to work for a competitor), but also gives some useful guidance on the scope of the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (CFAA).

Plaintiff Garelli Wong and Associates provides temporary placement for accounting professionals. When defendant Nichols worked for Garelli, he signed an NDA and learned a lot about the company’s clients, employees and strategy.

So when Garelli learned that Nichols allegedly copied a bunch of information before jumping ship, it sued. In addition to breach of contract, Garelli claimed Nichols violated the CFAA.

Nichols moved to dismiss the CFAA claim pursuant to Fed. R. Civ. P. 12(b)(6). The court granted the motion. It held that the CFAA requires a plaintiff to plead both damage and loss, and that Garelli failed to sufficiently plead both.

The CFAA defines “damage” as “impairment to the integrity or availability of data, a program, a system, or information.” Citing approvingly to the unpublished case of ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005), which held that the word “integrity” required “some diminution in the completeness or useability of data or information on a computer system,” the court sided with Nichols. He had contended that CFAA liability does not arise merely by copying data. A violation of the CFAA requires more — some adverse effect on the system.

Garelli’s loss allegation essentially got Twomblied. The court found that Garelli’s allegations of loss — essentially a formulaic recitation of the CFAA’s $5,000 threshold language — did not provide the grounds of the entitlement to relief with more than labels and conclusions.

January 28, 2008 Computer Crime, Evidence

Social networking evidence presents challenge in prosectuion over alleged threats made after Virgina Tech shootings

U.S. v. Voneida, 2008 WL 189667 (M.D. Pa. January 18, 2008)

Professor Goldman kindly emailed me a copy of the U.S. District Court for the Middle District of Pennsylvania’s decision in the case of U.S. v. Voneida. This criminal prosecution arose out of some postings that defendant Voneida is alleged to have made on his MySpace page about last April’s Virginia Tech shootings.

The court approached the case with all the awe for the Internet suitable for 1994:

[Voneida’s statements] did not occur in a moment, like words being spoken; nor were they sent from one place to another once and only once, like mailing a letter, broadcasting a message over television or radio, or even sending an email. Rather, Defendant’s comments were communicated, and had the potential to reach an audience, for at least nine days. This is one of the ways in which speech on the internet, and on social networking sites in particular, challenges existing methods of legal analysis.

In this case, the feds claimed that Voneida’s postings ran afoul of 18 U.S.C. 875(c), which prohibits the transmitting in interstate commerce of “any threat to injure the person of another.” Voneida filed a motion in limine requesting that several pieces of evidence be excluded at trial.

One of the pieces of evidence that Voneida wanted kept out was an email message that a student in Pennsylvania sent to university authorities to report the postings. The court denied Voneida’s request on this point.

The court held that in determining whether Voneida’s statements were “true threats,” it would be instructive for the jury to consider the effect of the statements on their audience. Addressing this point, the court observed the following about an online “audience”:

Even if [the student who reported the postings] was an unintended viewer, the context of the internet and social networking sites like Myspace.com may make her part of Defendant’s audience regardless of his intent to reach her as opposed to others. As a part of his audience, her response to his comments is relevant and properly considered when evaluating whether they are “true threats.”

A few more facts would be interesting. What if a social network participant adjusts his profile settings to allow only “friends” see the content? Would the so-called “audience” still be the world at large? To what extent can a publisher technologically constrain his or her audience?

Scroll to top