Imagine a poker player who played an extraordinary amount of video poker and in doing so discovered a software bug that would allow him to achieve significant payouts through a series of unusual moves. These moves would actually manipulate in his favor the games he played and the amount he wagered on those games, but involved nothing more than deciding to play the game in a particular manner, and not anything involving tampering with the video poker machine or its programming. Now imagine being named in a federal indictment for computer fraud because of this seemingly innocent conduct. This is the story currently unfolding in a closely watched case in the U.S. District Court for the District of Nevada.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer. The CFAA was enacted in 1986 to protect computers in which there was a compelling federal interest, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and for giving prosecutors wide discretion, allowing them to go so far as to charge individuals who have violated a website’s terms of service.
The indictment against Kane and Nestor alleges that they exploited an arcane bug in certain video poker machines to defraud casinos and win money to which they were not entitled and that their actions “exceeded their authorized access” on the machines in violation of the CFAA. As we see it, there is nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access within the meaning of the CFAA. Fortunately for Kane and Nestor, the court agreed with the defendants that this was an example of prosecutorial overreaching and dismissed the CFAA count in the indictment on the ground that the statute did not encompass this innocent conduct.
Kane and Nestor would play video poker machines until they won, at which point a “double up” feature would become available for selection that would allow the player to insert more money and make larger bets. After more money is inserted, the game can be exited and the money value of the bet changed to a value that will cause the targeted win to increase to whatever the player desired.
Most prosecutions for this type of fraud involve the use of magnets, or electrical shocks, or some external device, but what makes this case so unique is that this was a software flaw discovered by Kane. There was no external device or manipulation of the machine. The machines were played exactly the way they were intended to be played and exactly the way the approved software allowed the machine to be played.
The conspiracy to commit wire fraud charges are still pending against both Kane and Nestor. In July, the government and the defendants filed a stipulation to continue the trial dates, the ninth such request, which was granted by the court. The defendants are due back in court on November 25, 2013. The filing of the stipulations of continuance may mean that the defendants are cooperating in the investigation, or that they are otherwise attempting to resolve the case without a trial.
The dismissal of the CFAA charges in this case was, in our view, the correct result – a decision that will hopefully check the increasingly aggressive use of this statute by prosecutors to punish conduct that clearly does not fall within its proscriptions. This is a case that could have, and should have, been brought by the casino. There is no doubt that there is a proper place for criminal sanctions to punish and deter those who hack into computers and commit other types of wrongdoing by illegally gaining access to computers. But prosecutors must learn that the statute has its limits, and the courts must remain vigilant to protect those individuals whose conduct simply does not rise to the level of the crimes that the CFAA was designed to cover.
Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.
In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database, which he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, which published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change its security protocols.
Last November, Auernheimer was found guilty by a jury after a five-day trial of violating the Computer Fraud and Abuse Act (CFAA) and of conspiracy to gain unauthorized access to a computer. He was sentenced in March to 41 months’ imprisonment, to be followed by three years of supervised release.
The CFAA, which prohibits accessing a computer without proper authorization, is the same statute that Internet activist Aaron Swartz was convicted of violating. The law has faced steep criticism for being overly broad and for giving prosecutors wide discretion, allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violating a company’s terms of service and from bringing multiple charges against an individual for the same act.
The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.
We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?
President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.
This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.
Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.
One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy. Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”
If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.
In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.
The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.
Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”
The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.
Internet freedom has been a hotly debated issue on Capitol Hill in recent months, with the Senate’s Protection of Intellectual Property Act (PIPA) and the House’s Stop Online Piracy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.
The issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.
The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.
Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.
One of the features of crimes committed over the Internet is that they may be committed from anywhere in the world where a defendant has access to a computer. A current case in New York shows that extradition likewise can reach around the globe.
On April 19, 2012, Anton Ivanov was extradited from Estonia to face charges of conspiracy to commit wire fraud and computer intrusion, among other offenses, in the U.S. District Court for the Southern District of New York. Ivanov is one of a number of defendants accused of a technologically sophisticated scheme that used malware and other techniques to reroute Internet traffic to websites chosen by the defendants because they were paid for driving traffic to those websites. According to the government, more than four million computers located in over 100 countries were infected with the malware as part of the scheme, which allegedly netted millions of dollars for the defendants.
Victims’ computers allegedly became infected with the malware when they visited certain websites or downloaded certain software to view videos online. The malware enabled the defendants to digitally hijack internet searches by changing the DNS server settings on victims’ computers to reroute their searches to “rogue DNS servers” controlled and operated by the defendants. Victims were re-directed to unwanted websites either when they clicked on internet search links that they thought would take them to other websites (what the government refers to as “click hijacking”) or through advertisements that Ivanov and others allegedly substituted for advertisements that were supposed to appear on particular web pages (what the government calls “advertising replacement fraud”). Arrangements have been made to substitute legitimate servers for the rogue servers as a temporary remediation measure so that victims’ computers will not lose their ability to access websites.
Ivanov has not yet indicated what his defense will be to the charges. He faces a maximum sentence of 85 years in prison in the case, which is pending before U.S. District Judge Lewis A. Kaplan. His next court appearance is set for April 23, 2012. Ivanov’s co-defendants in the case include five other Estonian nationals also arrested in November 2011 who are in custody in Estonia, and one Russian national, who remains at large.
As the Internet continues to expand to include a greater portion of the global economy, the ability to reach enormous numbers of computers will create incentives for technologically savvy wrongdoers to manipulate Internet users for illegal purposes. This case shows that the scale on which Internet conduct operates will mean that affiliate marketers and others who direct traffic on the Internet will be the subject of scrutiny by federal authorities. Even companies that are engaged in legitimate Web-based businesses need to be aware of this possible scrutiny.
The two iPad hackers who obtained the personal data of approximately 120,000 iPad users by exploiting a security weakness in AT&T’s resubscription page are now facing federal charges and potential jail time.
After the hackers publicized their activities, the FBI started an investigation that ended with criminal charges against the hackers. The hackers were charged with conspiracy to access a computer without authorization and with fraud for intending to use the personal information that was collected. The charges are that they collected the usernames, e-mail addresses, billing addresses, and passwords of AT&T customers through their computer program and intended to profit from the personal data.
A review of case law under the relevant statute shows that there have been a limited number of cases with these types of charges. Further, the complaint itself alleges that the hackers used the information to e-mail board members of multiple news outlets. The e-mails noted that personal data had been taken from an unsecured AT&T server, adding, “If a journalist in your organization would like to discuss this particular issue with us, I would be happy to describe the method of theft in more detail.”
This suggests that the hackers’ goal was probably publicity rather than profit. They were interested in getting their story out — and any attempt to profit from the data was, at most, a secondary consideration, which may not satisfy the statutory requirement of unauthorized access to a computer “with intent to defraud.”
Moreover, the statute itself exempts any unauthorized access where the only thing obtained was the use of a computer and the value of such use was less than $5,000 per year. Here, although the hackers did discuss selling the information, it is still highly questionable whether their actions reached the requisite dollar threshold. The prosecutors say AT&T has spent approximately $73,000 to remedy the security breach. That cost was not caused by the hackers, however, because the security breach was always there and the hackers merely identified its existence. Either way, AT&T needed to fix the security breach and had to pay that sum in any case.
Despite any weaknesses in the prosecution’s case, the publicity given to the hackers’ feat probably encouraged the authorities to press charges and thereby reassure the public that Internet security is safe and that all violators will be held accountable.
It has been widely reported that the Obama administration will soon announce a proposal designed to strengthen consumer privacy on the Internet. The plan, calling for new laws and a new “watchdog” position to oversee the effort, is expected to be part of an upcoming Commerce Department report.
The concern about online privacy is well founded. Few consumers realize the extent to which their information is collected, bundled and sold to Internet marketers. Most websites employ tracking technologies that gather consumers’ search and spending habits to create detailed dossiers that are then sold to Internet marketers. And there is no comprehensive U.S. law that protects consumer privacy online.
But we question whether a new law is needed. As the nation’s consumer protection agency, the Federal Trade Commission has been successfully prosecuting companies accused of violating consumer privacy both on and off the Internet for many years. The FTC’s mandate against deceptive and unfair practices is broad enough to encompass any conceivable privacy violation.
Moreover, the Obama proposal faces opposition from both privacy advocates, who claim that the plan doesn’t go far enough, and from the Republican-controlled House of Representatives, which is unlikely to support legislation that could strengthen the FTC.
In addition, some privacy advocates have expressed concern that the Obama plan is based on industry self-regulation and is therefore “toothless.” While we agree that leaving the industry to regulate itself is not sufficient, there are viable ways to combine self-regulation and government enforcement. In fact, the wildly popular Do Not Call law is a good example of such a model. The FTC is expected to call on the industry to develop an Internet version, a “do-not-track” tool that people could use to remove themselves from online surveillance by marketers and others. The recommendation will be included in an upcoming FTC report on Internet privacy, expected to be released in December.
The FTC already has a number of tools to protect consumer privacy online. These include holding companies to their privacy promises about how they collect, use and secure consumers’ personal information; enforcing rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information; and ensuring consumer privacy under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. At this point, a new law and a new set of bureaucrats don’t seem necessary.
The Wall Street Journal has just reported that the National Security Agency is planning to deploy electronic “sensors” in the private computer networks of major companies around the nation. The idea is to detect cyber-attacks by outside forces against companies involved in critical infrastructure like electric or nuclear plants.
Cyber-terrorism is a real threat, and the NSA is the only government agency, probably the only entity of any sort in the nation, that is truly equipped to monitor it. According to the article, national security officials are concerned about possible Chinese and Russian surveillance of our crucial computer networks.
However, the “Big Brother” aspect of this program is inescapable. Like many such programs, it began with a piecemeal effort and with the establishment by the government of co-operative relationships with private industry. But where will the program end? Conceivably, the government will soon routinely gain access to the private data of dozens of companies. Although it will surely pledge not to misuse this information, these pledges can’t always be trusted.
And the article notes that while the government can’t force any company to permit “sensors” to be introduced, it “can provide incentives to urge them to cooperate, particularly if the government already buys services from that company.” That would include pretty much every government contractor – or in other words, every major company.
A few days ago, we noted in this blog that the FBI is now investigating possible instances of white-collar crime by deploying its massive electronic surveillance capacity.
Now, with the NSA’s involvement in cyber-defense, we are again seeing the tentacles of government in the private sector, in the name of a good cause. This is troubling indeed.
At a blue-ribbon Worldwide Cybersecurity Conference in Dallas from May 3 to May 5, 2010, media reports noted that some discussion focused on the use of the term “cyberwar,” which is often used to refer to the activities of hackers and others who steal online secrets, disrupt computer systems and other infrastructure, and engage in financial fraud online.
Some security specialists think that the term “cyberwar” is simply the wrong word for illegal activities that amount to out-and-out theft and don’t have anything to do with governments or armies. The White House’s cybersecurity coordinator, Howard Schmidt, is one of them. He says “cyberwar” is an inaccurate metaphor. These people aren’t engaged in a war any more than bank robbers are.
The term “cyberwar” is actually defined in online dictionaries as “an assault on electronic communication networks,” and it should be limited to that meaning. As author Jeffrey Carr wrote in Forbes in March, “If everything is considered a war, then you lose the ability to respond appropriately.”