Tag: Computer Crime

January 27, 2024 Computer Crime

Can one be liable for hacking by depositing fake checks into an ATM?

ATM fraud

If a person uses an ATM to deposit fraudulent checks, is the person liable for computer fraud? A recent criminal case answers that question, at least as far as Virginia state law would address the situation.

Depositing checks

Defendant deposited four checks at an ATM. These checks were later identified as forgeries or linked to a closed account, leading to the bank losing around $937. Security footage confirmed defendant’s involvement. During subsequent police interrogation, defendant acknowledged depositing the checks but denied knowing the man on whose account they were drawn, or the checks’ origins. At trial, she claimed her stepfather had given them to her, and that she believed he had earned them from construction work. Her mother supported this claim. The man on whose account the checks were drawn denied writing the checks, suspecting they were stolen from his truck.

Convicted for computer fraud, but…

At trial, defendant was convicted of multiple offenses, including uttering forged checks, obtaining money by false pretenses, computer fraud (under Virginia Code § 18.2-152.3), and failure to appear, resulting in a lengthy prison sentence. On appeal, a three-judge panel reversed her conviction for computer fraud, finding the evidence insufficient to show that the she acted “without authority” in using the ATM do deposit the checks.

The appellate court saw it differently

The government asked the court to reconsider the question en banc (i.e., with the full court, not just the three judge panel). The full court likewise determined the conviction for computer fraud should be reversed.

The court held that the term “without authority” in the statute specifically pertained to the use of a computer or network, not necessarily the intent or outcome of such use. It concluded that defendant, as a bank customer, had the right to use the ATM. Her actions, albeit for fraudulent purposes, did not equate to using the ATM without authority. Accordingly, the court reversed her conviction for computer fraud, differentiating between the unlawful purpose of an action and the unauthorized use of a computer or network as defined by the statute.

Wallace v. Commonwealth, — S.E.2d —, 2024 WL 236297 (Ct. App. Va., January 23, 2024) [Link to Opinion]

See also:

July 25, 2023 Blockchain, Computer Crime

Hackers stole cryptocurrency but the insurance company did not have to pay

hackers cryptocurrency insurance

Insurance and loss

Plaintiffs had a homeowners insurance policy with defendant insurance company. The policy covered personal property owned or used by the plaintiffs with a maximum limit of $359,500 for direct physical loss due to certain perils, including theft. In June 2021, hackers accessed plaintiffs’ computer and stole crypto tokens from their crypto wallets on two blockchain networks, amounting to approximately $750,000. Plaintiffs reported the incident and filed an insurance claim with defendant. Defendant only paid $200 on the claim because of a special limit of liability found in the policy.

Thinking that to be a pretty insufficient payment for such a dramatic loss, plaintiffs sued, alleging breach of contract and unreasonable denial of coverage under a Minnesota statute. Defendant moved for judgment on the pleadings. (“Judgment on the pleadings” in US federal court refers to a ruling made by the court based solely on the parties’ written pleadings and documents, without the need for a trial, when there are no genuine issues of material fact in dispute.) The court granted the motion.

Not direct and physical

Defendant had argued that the theft of digital assets (crypto tokens) did not constitute a “direct physical loss” under the policy, and thus, the claim was not covered. The court analyzed the language of the insurance policy, stating that “direct physical loss” required a distinct, demonstrable, and physical alteration to the covered property. Since crypto tokens are purely digital and lack physicality, according to the court, they do not meet the requirements for “direct physical loss” under Minnesota law.

Plaintiffs claimed that the policy’s language was ambiguous, but the court rejected this argument, applying the ordinary meaning of “direct physical loss” as required by Minnesota law.

The court also addressed plaintiffs’ statutory claim for bad-faith denial of coverage under Minnesota Statute § 604.18. To succeed in this claim, plaintiffs needed to prove that defendant lacked a reasonable basis for denying coverage and acted in reckless disregard of this fact. But since defendant did not breach the policy, the court found that the bad-faith claim failed as well.

Rosenberg v. Homesite Insurance Agency, Inc., 2023 WL 4686412 (D. Minn., July 21, 2023)

From the archives: 

Exploiting blockchain software defect supports unjust enrichment claim

August 29, 2011 Privacy

Using remote tracking software to find stolen laptop may have violated federal wiretap statute

Clements-Jeffrey v. City of Springfield, Ohio, 2011 WL 3678397 (S.D. Ohio August 22, 2011) [PDF copy of opinion]

Services that help track down stolen laptops and other lost mobile hardware are indispensable. Consider, for example, the year-long saga of Jeff Blakeman who used MobileMe to help recover his MacBook Pro that a TSA agent stole from checked luggage. Or how Joshua Kaufman used the remote recovery application Hidden to snap pics of the creepy dude who made off with his MacBook.

It is hard to not rejoice when one reads stories about laptop thieves being brought to justice. And we generally feel no pangs of conscience over whether the apprehended criminal had any privacy rights that were violated when he was being monitored with the software.

But what if the person being tracked did not steal the device, and did not know that it was stolen? Do we then care about whether the remote tracking process violated that person’s privacy? If so, how should that privacy right stack up against the theft victim’s right to get his or her property back?

A recent case from Ohio shows how the privacy right of the innocent user can constrain the rightful owner from using all means of what we might call “remote self help.” The court applied the Electronic Communications Privacy Act (“ECPA”) in a way that should cause users and purveyors of theft recovery services to reevaluate their methodologies.

Hot communications using hot property

The facts of the case were salacious and embarassing. Plaintiff bought a non-functioning laptop for $60 from one of her students (she was a substitute teacher at an “alternative” high school). After she got the computer working, she used it to have sexually explicit communications with her out-of-state boyfriend — they even got naked in front of their webcams with one another.

As it turns out, however, the student who sold plaintiff the laptop had stolen it. The teacher claimed she did not know it was purloined. The original, rightful owner of the laptop had installed Absolute Software’s LoJack for Laptops on the device. After it was stolen, and after it had made its way into plaintiff’s hands, Absolute began its work of locating the machine and gathering information about its whereabouts and its user.

In this process, one of Absolute’s employees obtained real-time access to what was happening on the stolen computer. He was able to collect keystrokes of the sexually explicit communications, and gather three screen shots of plaintiff and her boyfriend, both naked, fooling around on the webcam.

Absolute turned the information — including the X-rated screen shots — over to the police. Plaintiff was arrested and handcuffed. The criminal court dismissed the case against her.

But plaintiff (and her boyfriend) sued. They brought several claims against the police for violation of their constitutional rights, and claims against Absolute for, among other things, violation of the ECPA. Absolute moved for summary judgment on the ECPA claim but the court denied the motion. The court found that Absolute could not show, as a matter of law, that it should not be liable for the interception of the explicit communications.

Legitimate privacy expectation, even on a stolen computer

Subject to certain exceptions, the ECPA prohibits one from surreptitiously intercepting or disclosing the contents of any wire, oral or electronic communications of another. The defendants first argued that plaintiff could not put forward a valid ECPA claim because she did not have a legitimate expectation of privacy in these communications.

The court rejected this argument, finding that plaintiff’s belief as to her privacy was reasonable both subjectively and objectively. She felt safe enough to engage in the explicit communications (subjective belief), and she demonstrated that she had no reason to suspect the laptop was stolen (objective belief). Had she known or had reason to know it was stolen, her claim of privacy would have been subordinated to the possessory interest of the owner. (As an aside, there was some interesting evidentiary wrangling that went on a few weeks ago about defendants’ expert witnesses opining on internet privacy. Read more about that at Bow Tie Law.)

Public policy did not come to the rescue

Absolute next argued that certain exceptions to liability for violation of the ECPA should protect it. The court rejected each of these arguments. It found that the exception for those acting “under color of law” to track down “computer trespassers” did not apply, because Absolute was a private entity, not one acting under color of law. The court also rejected Absolute’s argument that it could divulge the intercepted contents as a provider of an electronic communications service. The court found that Absolute did not provide an “electronic communications service to the public” as defined by the ECPA.

So Absolute was left with one final argument, namely, that public policy should shield it from liability for the unauthorized interception and disclosure of the keystrokes and screen shots. Absolute argued that the legal owner of the stolen laptop should be able to take steps to locate and recover that property, and that the rights of the property owner must trump those of a thief.

The court declined to implement such a per se rule, noting that:

It is one thing to cause a stolen computer to report its IP address or its geographical location in an effort to track it down. It is something entirely different to violate federal wiretapping laws by intercepting the electronic communications of the person using the stolen laptop.

In so many words, the court was saying that Absolute went too far in collecting the contents of the communications being made on the stolen computer. Had the information collection stopped at IP addresses and other non-content information, the remote tracking efforts may not have run afoul of the ECPA.

October 4, 2010 Computer Crime

Palin email hacker conviction survives motion for acquittal

U.S. v. Kernell, No. 08-CR-142 (E.D. Tenn. September 23, 2010)

A federal jury convicted defendant for a number of crimes related to his hacking into Sarah Palin’s Yahoo email account in September 2008. One of the crimes the jury convicted him of was the “destruction or alteration of a record or document with the intent to obstruct an investigation” (a violation of 18 USC 1519).

After hacking into Palin’s account, but before the formal FBI investigation began, defendant deleted some Palin family pictures he had downloaded from the account, uninstalled his web browser, and defragmented his hard drive.

Defendant moved for a “judgment of acquittal”, arguing that the evidence was insufficent to support his convictions. The court denied the motion.

The court found that the Government offered sufficient proof to support the conviction. Even though defendant preserved (did not destroy) his computer, spoke with an FBI agent investigating the matter and advised his friends to be truthful in what they said about the case, the court looked to the totality of the evidence as supporting defendant’s guilt.

Given that defendant deleted images from his computer that he had downloaded from Palin’s account, and had run web searches on “legalities email” and “soppenaing [sic.] ip addresses”, a rational jury could find him guilty. So the jury verdit stood.

February 5, 2009 Computer Crime, Employment

Probable cause existed to arrest employee for criminal data tampering

Deng v. Sears, Roebuck & Co., 552 F.3d 574 (7th Cir. January 5, 2009).

Employee Deng got a bad review from his employer Sears, Roebuck & Co. Disaffected, he took disability leave but continued to come into the office. On one of these visits, he deleted a bunch of data relating to work he had been doing. It cost Sears more than $40,000 to restore that data.

Sears called the police to report the data deletion, and Deng was arrested a year and a half later in Massachusetts (which is where he had fled). Deng was charged with violation of 720 ILCS 5/16D-3(a)(3), the Illinois law that prohibits tampering with computer files without the permission of the files’ owner. The criminal court dismissed the charges at the preliminary stage because a witness failed to appear.

Deng then filed a federal civil action against Sears for malicious prosecution. After his case was thrown out at the district court level, he sought review with the Seventh Circuit. On appeal, the court affirmed the dismissal of Deng’s suit. Among the things Deng was required to prove was that his arrest was made without probable cause. The court found that probable cause existed.

Deng had argued that he was authorized to delete the data, since statistical modelers like him were expected from time to time to free up disk space and get rid of unneeded data. One problem with this argument, however, was that Deng was on disability leave. Nothing in the record showed that the remaining Sears employees thought the data was no longer needed. After all, they spent significant sums to restore it. Moreover, because Deng was on disability leave, he had no authority to do anything with the data, let alone get rid of it. Finally, Deng’s fleeing after the troubles began was an indicator to authorities that he had done something wrong. Probable cause requires an objective analysis. Flight added to the impression that a crime had been committed.

Tennessee lawyer Jack Burgin also discusses this case at his blog Our Own Point of View.

October 21, 2008 Computer Crime, Privacy

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

Scroll to top