Crime in the Suites: An Analysis of Current Issues in White Collar Defense
Archive for the ‘Cybersecurity’ Category
Jan 29
2014

Can Violating Social Media Terms of Use Make You Guilty of Violating the CFAA?

LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions. This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through the criminal statute Computer Fraud and Abuse Act (CFAA).

Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied the extensive personal information contained on those viewable pages. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.

LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident.   The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers.  LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?

The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information.  According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account.  Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.

The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer lists even though their access to the lists was permitted.

The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.  If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”

Is the conduct in the LinkedIn complaint different? Clearly, the bots are not authorized users like the defendant in Nosal. But what does seem analogous is that the bots accessed authorized files by opening thousands of accounts in a manner which violated LinkedIn’s terms of use contract.

Last year, in a different data scraping case, Craigslist Inc. v. 3Taps Inc., the district court declined to grant a motion to dismiss the CFAA claim, stating that “[t]he relationship between a website’s terms of use and the CFAA is somewhat unclear in light of Nosal.” We will continue to monitor both Craigslist and LinkedIn and report back here on whether the courts will permit the use of the CFAA to enforce a violation of a website’s terms of use.

Dec 18
2013

The Bitcoin Bubble Hasn’t Burst Yet, But The First Signs Of Trouble Are Brewing

By: Karl Smith and Casselle Smith 

The value of Bitcoin, the hottest and most widely traded virtual currency, plunged a little over a week ago, after China’s central bank issued a statement that the government is banning financial institutions from trading in the virtual currency. The price of a single Bitcoin fell from roughly $1200 on December 5th to less than $600 early in the morning of December 8th. Thereafter it recovered somewhat, selling for around $700 as of December 16. At the time of this posting (12/18), the price had fallen once again to $571.

This time last year, Bitcoins were selling for roughly $13 apiece. Economists and financial experts have struggled to explain the meteoric rise in price to investors and to a public increasingly interested in the virtual currency. In many ways, the soaring price for Bitcoin looks like a classic bubble: Speculators pay through the nose for Bitcoin, hoping to unload them to an “even greater fool” who will come along later with the same plan. At first blush, this type of bubble appears to resemble a pyramid scheme that must inevitably collapse once all potential speculators have bought in.

Bitcoin, however, has important features that differentiate it from other bubble-prone assets. The fact that the crash coincided with a change in policy from the Chinese government makes it even more likely that the special features of Bitcoin have played an important role in its use.

The design of Bitcoin allows for almost completely secure and anonymous transactions.   Users don’t have to trust that a bank or other financial intermediary will keep their information secret. For the most part, the very nature of a Bitcoin transaction does this. Consequently, the currency has attracted substantial interest from users engaged in illicit transactions.  Some of these are of the kind familiar to American readers. The website Silk Road, for example, specialized in selling narcotics and accepting Bitcoin as payment; it has been shuttered by U.S. law enforcement.

The Chinese government’s ban on Bitcoin arose from a different sort of illicit transaction that is less familiar to Americans because it is designed to get around regulations that the United States does not impose… Here’s the rub: the Chinese government limits its citizens’ ability to invest outside of the country because it wishes to provide a large pool of capital available to Chinese industries. Since Chinese investors have limited choice, Chinese banks can offer them paltry rates of return that guarantee that the value of their investments will fail to keep up with inflation. Naturally, Chinese investors wanted a way out, and many of them turned to Bitcoin.

Chinese investors would buy Bitcoin using the local currency, the Yuan. They would then transfer the Bitcoin to a bank or other financial institution outside of China and have that institution sell the Bitcoin and invest the proceeds outside of China. When the investor was ready to cash in, she would simply instruct the financial institution to sell the foreign investments, use the proceeds to buy Bitcoin, and then transfer the Bitcoin back to her.

This loophole allowed Chinese investors to earn higher rates of return without being caught by the authorities. For a time, the Chinese government allowed the loophole to remain open. On Wednesday, however, the Chinese government banned financial institutions and, importantly, online platforms like Baidu.com, from doing any business in Bitcoin. Baidu is a Chinese search engine that, like Google, forms the backbone of how users connect online. Without Baidu’s help, finding someone to buy or sell Bitcoin in the first place becomes exponentially more difficult.

Fear that the Chinese market for Bitcoin would dry up seemed to lead speculators to dump the currency following the announcement. It also exposes the fundamental weakness of Bitcoin: while it allows enormous anonymity for users, connecting with a broad base of other users requires using a platform which almost necessarily does not seek anonymity. If it did, potential users would not know of its existence.

Regulators don’t have to crack down on users themselves but simply on the websites and platforms that connect them.

There is no readily apparent US or European analogue to the Chinese monetary policy that motivated the country’s crackdown. Hence, China’s stance does not necessarily indicate that an international sea change is afoot with respect to the legal nature of Bitcoin and other emerging virtual currencies. Nonetheless, to the extent that Bitcoin’s surge in value was precipitated by Chinese investors’ thirst for international investment capabilities, the recent crash highlights the currency’s deep vulnerability to changes in financial regulation around the world.

Karl Smith is the Creator and Chief Curator of Modeled Behavior, a leading international finance and economics blog currently hosted on Forbes. He blogs mostly on macroeconomics, rationality, philosophy, and futurism. 

Dec 11
2013

Taking Advantage of a Video Poker Glitch Can Land you in Jail in Nevada

Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.

John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.

The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent an extremely significant amount of time playing video poker, discovered a bug in the software of the video poker machine that allowed for him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves where he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.

The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service.

In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding count one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”

Although the charges were ultimately dismissed, the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government only use them for their intended purposes. Prosecutions taking broad and unjustified interpretations of these statutes are not justified.

Jul 05
2013

Andrew Auernheimer Appeals Hacking Conviction

Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.

In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database that he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, which published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change its security protocols.

Last November, Auernheimer was found guilty by a jury after a five day trial of violating the Computer Fraud and Abuse Act (CFAA) and conspiracy to gain unauthorized access to a computer without authorization. He was sentenced in March to 41 months imprisonment to be followed by three years of supervised release.

Auernheimer’s appellate brief focuses on the argument that he did not violate the CFAA because visiting an unprotected public website is not the unauthorized access required under the statute. Spitler’s program visited the publicly accessible websites and collected the information that was available on those sites. The email addresses that were collected by Spitler’s program were published on publicly accessible websites that did not employ security measures such as passwords. Auernheimer’s lawyers argued that it is irrelevant that AT&T “subjectively wished that outsiders would not stumble across the data.” Spitler’s program did not access any private accounts and, according to Auernheimer’s lawyers, it did not even violate any written prohibitions or Terms of Use on AT&T’s website. His lawyers also stated that no data was taken, deleted or destroyed.

The CFAA prohibits accessing a computer without proper authorization; it is the same statute that Internet activist Aaron Swartz was charged with violating. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violating a company’s terms of service and from bringing multiple charges against an individual for the same act.

The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.

We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?

Feb 13
2013

Executive Order: A Start Toward Tackling Cyber Security Problems

President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”

The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.

This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.

Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.

One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy.  Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”

If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.

Apr 26
2012

U.N. Should Keep Its Hands Off the Internet

In March 2012, a resolution was introduced in the U.S. House of Representatives that would urge the U.S. Permanent Representative to the United Nations to oppose any resolution that would regulate the Internet. It is unfortunate that it turns out to be necessary to forestall Internet regulation at the U.N. level, but that appears to be the case. We support this resolution.

The resolution, House Concurrent Resolution 114, was introduced by Rep. Michael McCaul (R-Tex.) and Rep. Jim Langevin (D-R.I.), co-chairs of the House Cybersecurity Caucus, in response to growing fears that some nations will seek to regulate and censor the Internet. The sponsors cited a September letter from China, Tajikistan, Russia, and Uzbekistan outlining their plan to introduce a United Nations resolution on Internet governance.

Rep. Langevin said in a statement, “The proposals by some nations to gain international approval of policies that could result in Internet censorship would be a significant setback for anyone who believes free expression is a universal right. It must be made clear that efforts to secure the Internet against malicious hacking do not need to interfere with this freedom and the United States will oppose any attempt to blur the line between the two.”

The resolution was referred to the House Committee on Foreign Affairs on March 26, 2012, and no action has occurred on it since then.

Internet freedom has been a hotly debated issue on Capitol Hill in recent months, with the Senate’s Protect Intellectual Property Act (PIPA) and the House’s Stop Online Piracy Act (SOPA) becoming the focus of protests that eventually helped defeat the bills.

The issue of Internet privacy will soon be dealt with at the international level. The World Conference on International Telecommunications (WCIT) is scheduled for December 2012, and countries such as China and Russia are expected to try to expand the authority of the International Telecommunications Union (ITU). The ITU is the United Nations agency that is responsible for worldwide standards in telecommunications, including regulation of the Internet.

The proposals that are expected to be considered could dramatically affect the Internet. Russian Prime Minister Vladimir Putin said last June that his goal is to establish “international control over the Internet” through the ITU. Accordingly, it’s understandable that many Americans fear that other nations could employ a new regulatory scheme to censor the Internet and control access to information. One reason that some of the protesters were so strongly opposed to SOPA and PIPA was the fear that once tools exist for regulating Internet content, they can be prone to abuse.

Internet access improves the quality of life for people across the world and represents a triumph of freedom of expression. Any agreement like the ones expected to be sought at the WCIT could have dramatic chilling effects on the freedom of the Internet. We will keep you up to date on any movement in Congress or in the United Nations regarding Internet freedom.

Apr 23
2012

Suspect Extradited From Estonia to Face Massive Internet Fraud Charges

One of the features of crimes committed over the Internet is that they may be committed from anywhere in the world where a defendant has access to a computer. A current case in New York shows that extradition likewise can reach around the globe.

On April 19, 2012, Anton Ivanov was extradited from Estonia to face charges of conspiracy to commit wire fraud and computer intrusion, among other offenses, in the U.S. District Court for the Southern District of New York. Ivanov is one of a number of defendants accused of a technologically sophisticated scheme that used malware and other techniques to reroute Internet traffic to websites chosen by the defendants because they were paid for driving traffic to those websites. According to the government, more than four million computers located in over 100 countries were infected with the malware as part of the scheme, which allegedly netted millions of dollars for the defendants.

Victims’ computers allegedly became infected with the malware when they visited certain websites or downloaded certain software to view videos online. The malware enabled the defendants to digitally hijack internet searches by changing the DNS server settings on victims’ computers to reroute their searches to “rogue DNS servers” controlled and operated by the defendants. Victims were re-directed to unwanted websites either when they clicked on internet search links that they thought would take them to other websites (what the government refers to as “click hijacking”) or through advertisements that Ivanov and others allegedly substituted for advertisements that were supposed to appear on particular web pages (what the government calls “advertising replacement fraud”). Arrangements have been made to substitute legitimate servers for the rogue servers as a temporary remediation measure so that victims’ computers will not lose their ability to access websites.
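The remediation described above depends on knowing which resolvers a machine is actually configured to use. The following script is an added example, not part of the original post or the case record: it parses resolv.conf-style configuration text and flags any nameserver that falls outside an allowlist of expected resolvers, which is the basic check an administrator would run to notice the kind of silent DNS-setting change described here. The allowlisted ranges, the sample configuration and the flagged address (a reserved documentation address) are all constructed for the demonstration; none of them are addresses from the actual case.

```python
"""Flag DNS resolver settings that differ from what an organisation expects.

Added example (not from the original post). The expected-resolver ranges,
the sample configuration text and the out-of-place address are constructed
for this demonstration; 203.0.113.0/24 is a reserved documentation range.
"""
import ipaddress
import os
import re

# Constructed allowlist: the resolvers hosts in this (hypothetical)
# environment are supposed to use. Replace with your own ranges.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.53.0/24"),    # assumed internal resolvers
    ipaddress.ip_network("192.168.1.1/32"),  # assumed home/branch router
]

# Matches "nameserver <address>" lines as found in /etc/resolv.conf.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameserver_tokens(config_text):
    """Return the raw nameserver tokens from resolv.conf-style text, in order."""
    tokens = []
    for line in config_text.splitlines():
        match = NAMESERVER_RE.match(line)
        if match:
            tokens.append(match.group(1))
    return tokens


def unexpected_resolvers(config_text, allowlist=EXPECTED_RESOLVERS):
    """Return nameserver tokens that are not inside any allowlisted network.

    Unparseable tokens are reported as well: a resolver entry that is not a
    valid IP address is itself a sign that the configuration was tampered
    with or corrupted and deserves a look.
    """
    flagged = []
    for token in parse_nameserver_tokens(config_text):
        try:
            address = ipaddress.ip_address(token)
        except ValueError:
            flagged.append(token)
            continue
        if not any(address in network for network in allowlist):
            flagged.append(token)
    return flagged


def check_local_resolv_conf(path="/etc/resolv.conf", allowlist=EXPECTED_RESOLVERS):
    """Run the check against the host's own resolver file (Unix-like systems).

    Returns None when the file is absent so callers can distinguish "no
    configuration found" from "configuration found and clean" (empty list).
    """
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as handle:
        return unexpected_resolvers(handle.read(), allowlist)


# Constructed sample: one expected resolver and one that points elsewhere.
SAMPLE_CONFIG = """\
# Generated by the network manager
search corp.example
nameserver 10.0.53.2
nameserver 203.0.113.7
options timeout:2
"""

if __name__ == "__main__":
    for entry in unexpected_resolvers(SAMPLE_CONFIG):
        print(f"unexpected resolver configured: {entry}")
```

The same comparison applies to whatever holds the resolver settings on a given platform (a DHCP lease, a router's WAN configuration, or the per-interface settings on Windows); only the parser changes, and the allowlist of expected resolvers is the part worth keeping under version control.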

Ivanov has not yet indicated what his defense will be to the charges. He faces a maximum sentence of 85 years in prison in the case, which is pending before U.S. District Judge Lewis A. Kaplan. His next court appearance is set for April 23, 2012. Ivanov’s co-defendants in the case include five other Estonian nationals also arrested in November 2011 who are in custody in Estonia, and one Russian national, who remains at large.

As the Internet continues to expand to include a greater portion of the global economy, the ability to reach enormous numbers of computers will create incentives for technologically savvy wrongdoers to manipulate Internet users for illegal purposes. This case shows that the scale on which Internet conduct operates will mean that affiliate marketers and others who direct traffic on the Internet will be the subject of scrutiny by federal authorities. Even companies that are engaged in legitimate Web-based businesses need to be aware of this possible scrutiny.

Feb 09
2011

Those iPad Hackers Were Probably Seeking Publicity, Not Profit

The two iPad hackers who obtained the personal data of approximately 120,000 iPad users by exploiting a security weakness in AT&T’s resubscription page are now facing federal charges and potential jail time.

After the hackers publicized their activities, the FBI started an investigation that ended with criminal charges against the hackers. The hackers were charged with conspiracy to access a computer without authorization and with fraud for intending to use the personal information that was collected. The charges are that they collected the usernames, e-mail addresses, billing addresses, and passwords of AT&T customers through their computer program and intended to profit from the personal data.

A review of case law under the relevant statute shows that there have been a limited number of cases with these types of charges. Further, the complaint itself alleges that the hackers used the information to e-mail board members of multiple news outlets. The e-mails noted that personal data had been taken from an unsecured AT&T server, adding, “If a journalist in your organization would like to discuss this particular issue with us, I would be happy to describe the method of theft in more detail.”

This suggests that the hackers’ goal was probably publicity rather than profit. They were interested in getting their story out — and any attempt to profit from the data was, at most, a secondary consideration, which may not satisfy the statutory requirement of unauthorized access to a computer “with intent to defraud.”

Moreover, the statute itself exempts any unauthorized access where the only thing obtained was the use of a computer and the value of such use was less than $5,000 per year. Here, although the hackers did discuss selling the information, it is still highly questionable whether their actions reached the requisite dollar threshold. The prosecutors say AT&T has spent approximately $73,000 to remedy the security breach. That cost was not caused by the hackers, however, because the security breach was always there and the hackers merely identified its existence. Either way, AT&T needed to fix the security breach and had to pay that sum in any case.

Despite any weaknesses in the prosecution’s case, the publicity given to the hackers’ feat probably encouraged the authorities to press charges and thereby reassure the public that Internet security is safe and that all violators will be held accountable.

Dec 01
2010

Not the Right Solution to Online Privacy Concerns

It has been widely reported that the Obama administration will soon announce a proposal designed to strengthen consumer privacy on the Internet. The plan, calling for new laws and a new “watchdog” position to oversee the effort, is expected to be part of an upcoming Commerce Department report.

The concern about online privacy is well founded. Few consumers realize the extent to which their information is collected, bundled and sold to Internet marketers. Most websites employ tracking technologies that gather consumers’ search and spending habits to create detailed dossiers that are then sold to Internet marketers. And there is no comprehensive U.S. law that protects consumer privacy online.

But we question whether a new law is needed. As the nation’s consumer protection agency, the Federal Trade Commission has been successfully prosecuting companies accused of violating consumer privacy both on and off the Internet for many years. The FTC’s mandate against deceptive and unfair practices is broad enough to encompass any conceivable privacy violation.

Moreover, the Obama proposal faces opposition from both privacy advocates, who claim that the plan doesn’t go far enough, and from the Republican-controlled House of Representatives, which is unlikely to support legislation that could strengthen the FTC.

In addition, some privacy advocates have expressed concern that the Obama plan is based on industry self-regulation and is therefore “toothless.” While we agree that leaving the industry to regulate itself is not sufficient, there are viable ways to combine self-regulation and government enforcement. In fact, the wildly popular Do Not Call law is a good example of such a model. The FTC is expected to call on the industry to develop an Internet version, a “do-not-track” tool that people could use to remove themselves from online surveillance by marketers and others. The recommendation will be included in an upcoming FTC report on Internet privacy, expected to be released in December.

The FTC already has a number of tools to protect consumer privacy online. These include holding companies to their privacy promises about how they collect, use and secure consumers’ personal information; enforcing rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information; and ensuring consumer privacy under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. At this point, a new law and a new set of bureaucrats don’t seem necessary.

Jul 13
2010

Is NSA Becoming Too Intrusive in Efforts to Stop Cyber-Crime?

The Wall Street Journal has just reported that the National Security Agency is planning to deploy electronic “sensors” in the private computer networks of major companies around the nation. The idea is to detect cyber-attacks by outside forces against companies involved in critical infrastructure like electric or nuclear plants.

Cyber-terrorism is a real threat, and the NSA is the only government agency, probably the only entity of any sort in the nation, that is truly equipped to monitor it. According to the article, national security officials are concerned about possible Chinese and Russian surveillance of our crucial computer networks.

However, the “Big Brother” aspect of this program is inescapable. Like many such programs, it began with a piecemeal effort and with the establishment by the government of co-operative relationships with private industry. But where will the program end? Conceivably, the government will soon routinely gain access to the private data of dozens of companies. Although it will surely pledge not to misuse this information, these pledges can’t always be trusted.

And the article notes that while the government can’t force any company to permit “sensors” to be introduced, it “can provide incentives to urge them to cooperate, particularly if the government already buys services from that company.” That would include pretty much every government contractor – or in other words, every major company.

A few days ago, we noted in this blog that the FBI is now investigating possible instances of white-collar crime by deploying its massive electronic surveillance capacity.

Now, with the NSA’s involvement in cyber-defense, we are again seeing the tentacles of government in the private sector, in the name of a good cause. This is troubling indeed.


About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, healthcare, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, and iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen, David Deitch, and associates Rachel Hirsch, Jeff Hamlin, Steven Eichorn, Sarah Coffey, Nicole Kardell, Casselle Smith, and Griffin Finan. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website