18 U.S. Code 1030 deals extensively ‘with fraud and related activity in connection with computers’. According to this code, obtaining information by accessing a computer without authorization or by exceeding authorized access is restricted. The statute further states that information obtained in such a manner can be used against the country to the advantage of any foreign nation. Briefly, the code restricts obtaining any information from the records of a financial institution, a protected computer, or any department or agency of the United States. It rules that accessing a computer without authorization, or in a manner that exceeds authorized access, and obtaining anything of value other than use of the computer will be tantamount to willful fraud. Specific clauses of the code prevent any person from accessing a protected computer to extort money, or to cause or try to cause loss or damage to such a computer.
According to various subsections of the code, punishment for unauthorized or exceeding authorized access shall be: a) a fine or a prison sentence not exceeding ten years, or both; b) imprisonment for a period not exceeding twenty years, or both; c) a fine or a prison sentence not exceeding one year, or both. A fine under this code or imprisonment for a period not exceeding five years will be the punishment if the offence is committed for financial gain or commercial advantage, or for criminal or tortious actions. Apart from the other authorized agencies, the United States Secret Service is empowered to investigate offences under this code. Subsections under this code also authorize the Federal Bureau of Investigation to carry out primary investigations into espionage and foreign counter-intelligence cases, as well as cases involving unauthorized disclosure of classified information pertaining to national defense and foreign relations, or ‘restricted data’ as defined under the Atomic Energy Act of 1954, and offenses affecting the United States Secret Service, as authorized by the Treasury Secretary and the Attorney General.
The court that looks into cases of violation of this code is vested with powers to order forfeiture of the culprits’ personal property that was used or intended to be used in furtherance of the commission of such action or properties derived out of such violations. These provisions shall be governed by section 413 of the United States’ Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C.853), excluding subsection (d) of the section. The Computer Fraud and Abuse Act was enacted into law by the United States Congress in 1984 with the intention to address computer-related offences and abate hacking of computer systems. This act has compelling federal interests, as the protected computers of the federal government, including those of vital financial institutions, are used in interstate and international commerce. This act was further amended in 1998, 1994, 1996, and in 2001 by the USA Patriot Act, and in 2002 and 2008 by the Identity Theft Enforcement and Restitution Act. This act is encompassing because it punishes not only the one who commits or attempts to commit the offence, but also the ones who conspire with the offender (School).
Although the Computer Fraud and Abuse Act (CFAA) has the teeth to address every lacuna involving access to computers without authorization or in excess of authorized access, judicial oversight at times weakens its effective operation. As in other democracies where there is a division of powers, the United States Constitution prescribes separation of powers, whereby independent courts are empowered to review and restrain the actions of the legislative and administrative arms of the government. According to Rule X of the House of Representatives, the Committee on the Judiciary is vested with powers to determine the laws and programs under its jurisdiction, as per the ‘intent of Congress’. This committee shall decide whether particular sections of these laws need to be improved, curtailed, continued, or eliminated. The 112th Congress resolved that this committee shall review and identify inefficient or wasteful programs and will eliminate them. This committee shall, for the purposes of administration and effective execution of laws under its jurisdiction, review the operations of all federal agencies under them (Judiciary, 2011).
The 112th Congress re-introduced a bill for the post of Inspector General, to be appointed by the Chief Justice of the Supreme Court, to look into any alleged misconduct or abuse of power on the part of judges. The powers of such an Inspector General shall include detection, exposure, and deterrence of all problems in the judiciary system that may require oversight from Congress. He or she may recommend changes in laws that govern the judicial branch in order to restore accountability of the judiciary to the citizens. The Inspector General shall not, in any way, interfere in the merits of any judicial decision. His or her powers shall be limited to alleged misconduct under the Judicial Conduct and Disability Act of 1980, which permits preferring complaints against a federal judge or a member of the personnel of the federal judiciary. According to Rep. F. James Sensenbrenner, Member of Senate Judiciary Committee, the American public will be relieved to see that “there is oversight over those entrusted with the great responsibility of interpreting the laws of the land” (Champagne, 2011).
All the foregoing apart, hackers had been having their way. The year 2005 would go down in the history of the United States as the year of the data breach. More than forty-five million customer accounts of well-known financial institutions, such as Citigroup, Bank of America, Wachovia, third-party service providers, and a host of other data broker companies, were compromised in less than eight months. This caused consumers, media, and the government to look for ways to protect data. Criminals posing as legitimate customers fraudulently purchased compiled data of around 145,000 credit card reports, addresses, and social security numbers of consumers from ChoicePoint, a company that re-sells consumer data. Bank of America reported having lost backup tapes that contained individual account details of nearly 1.2 million federal employees. DSW Shoe Warehouse lost details such as drivers’ license numbers and credit card, debit card, and checking account information to hackers from its database of 175 stores. This affected 1.4 million customers. Various other entities, such as Warner, MCI, LexisNexis, and Ameritrade, also lost their data to hackers (Seanhoneywill, 2006).
Surveys indicate that privacy is increasingly becoming a major concern for American internet users. Although Congress has been enacting several privacy-related bills, the results have been limited. A stage has come where some people advocate EU-style privacy laws, while others think along the lines of legislation supported by self-regulation. As most of the industry groups also suffer, the state and federal legislatures have planned several new bills to tackle the growing problem of customer data security. The Gramm-Leach-Bliley Act (GLB), otherwise known as the Financial Services Modernization Act of 1999, has had only limited or modest impact on the practices of financial institutions. Although there has not been any significant change in the privacy choices after the enactment of GLB, it is praiseworthy that financial privacy notices are found to be satisfactory (Sheng).
Discount Shoe Warehouse (DSW) reported the theft of credit card, debit card, and checking information of about 1.4 million customers in March 2005. The Federal Trade Commission (FTC) charged DSW with data security failure that led hackers to access the sensitive credit card, debit card, and checking account information. FTC further claimed that DSW’s failure was an unfair practice that violated federal law. Subsequently, an Ohio attorney sued DSW and ordered them to contact all its affected customers. DSW Inc. agreed to settle the Federal Trade Commission charges in December 2005. They also agreed to put in place a comprehensive information security system that would be audited by an independent security professional every other year for twenty years (Release, 2005).
In June 2006, Tracy Key, an Ohio resident, sued DSW for breach of contract and violation of Ohio consumer protection laws. Key’s allegation was that the data theft left her at an enhanced risk of identity theft. A federal court in Ohio dismissed her claims against DSW, stating that an increased risk of identity theft was not sufficient to sustain her charge. The court dismissed her case, stating that Key did not produce evidence that any third party was going to use her personal or financial information to prove that she faced any imminent injury (Key v. DSW, 2006).
In June 2005, MasterCard International reported that around 40 million credit card accounts of all brands had been exposed to fraud. They confirmed that their investigators had identified and traced this intrusion to CardSystems Solutions of Tucson, Ariz., which handles more than $15 billion in payments. MasterCard’s investigation further revealed that information was extracted by an intruder who had managed to place computer code into the CardSystems network. MasterCard had begun investigations based on information from banks that detected similar instances. While the process of investigation and analysis was on, a California credit card account holder filed a lawsuit against MasterCard, CardSystems, and Visa in the California Superior Court. He alleged that these companies did not give sufficient notice of the security breach to customers, as stipulated under California law. The plaintiff required free access to credit-monitoring services and also separate notices sent to individual customers whose account information had been breached. Further, the complainant modified his demand to include unspecified monetary compensation to all members. However, the plaintiff’s motion was denied by the court (Jr., 2005).
According to the FTC, CardSystems failed to take reasonable security measures to protect the interests of tens of millions of consumers. CardSystems maintained needless information in a way that compromised consumers’ financial information. The FTC ruled that companies that deal with consumers’ sensitive information must ensure that the data is securely kept. It held that CardSystems’ failure to provide reasonable security for confidential consumer information constituted unfair practices and a violation of federal law that resulted in millions of dollars in fraudulent purchases. The FTC settled the matter with CardSystems, requiring them to implement exhaustive information security measures and also to get their operations audited every other year by independent security professionals for a period of 20 years. The FTC’s settlement of this case ended along similar lines as in previous cases. The affected consumers had to find their own way to get relief (Commission, 2006).
In 2005, US universities had become targets of security breaches, forcing them to notify all concerned to monitor their personal accounts for any possible hacking. Dozens of universities disclosed breach of their information security systems. Computerization of university business processes and enhanced opportunities for social engineering have made their information security system vulnerable. The California State University warned all their stakeholders about a possible risk of their personal information being compromised. As a measure of judiciary oversight, authorities enacted the California Security Breach Notification Act, which mandates notification of California residents in the event of any information security breach (Cline, 2005).
A network breach at the Stanford Career Development Center on May 11, 2003, prompted the university to report the breach to the FBI. The university stated that the breach may have put nearly 10,000 people’s personal security information at risk. They alerted about 9,600 students and 300 recruiters who had registered with the university. This was also a case of accessing the university’s internal computer system without authorization (Musil, 2003).
The database of about 270,000 past students of the University of Southern California was breached in July 2005. The breach affected the university’s online application database that included names and social security numbers. Although there was no precise tracking facility in the university, they were confident that the hackers were not able to download multiple records (Reuters, 2005).
AOL Line Inc
AOL inadvertently posted around 20 million bundled internet search records of their members on their website on July 30, 2006. This database comprised sensitive information, viz. members’ names, social security numbers, addresses, telephone numbers, credit card numbers, user names, passwords, as well as financial bank information of around 658,000 AOL members. Although they realized their mistake and removed the database from their website in ten days, this data had already been downloaded and re-posted on other websites. Plaintiffs preferred a class action against AOL for disclosing confidential information on the website in violation of California consumer statutes. However, the judge denied the plaintiffs’ motion to stay. AOL’s motion for judgment on the pleadings was granted in part and denied in part, and the plaintiffs’ claim for damages was denied (California, 2010).
Electronic surveillance is governed by two statutes: the Federal Wiretap Act and the Pen/Trap Statute. The first one was enacted as part of the Electronic Communications Privacy Act of 1986. AOL was sued in California for violation of the Electronic Communications Privacy Act. While non-compliance with these statutes will result in questions of civil and criminal liability, Title III will attract liability in the form of suppression of evidence. Computer crime cases require real-time electronic surveillance. Monitoring the hacker’s activity as he breaches the victim’s computer is a must. In cellular telephone cases, cell-site information is required to determine the location at the time of a call (Government).
Guidance Software Inc., contrary to the claims made on their website, failed to implement inexpensive and readily available security systems to secure customers’ data, according to the FTC. The FTC also alleged that the company caused avoidable risks to credit card information by storing it permanently in readable text, unmindful of the risks involved. The commission thus ordered a settlement, requiring Guidance Software to implement a comprehensive information security system, as well as get the new program audited every other year by independent third-party security professionals for 10 years. The commission voted to accept the proposed consent by 5-0 votes (Govt, 2006).
The Federal Trade Commission charged Guidance Software Inc. with failure to protect personally identifiable customer information. Guidance’s inadequacy was exploited by a hacker to view their customer information. Although Guidance found out about the breach and notified its customers, the FTC maintained that Guidance had not taken appropriate measures to secure its customers’ data. The FTC also alleged that the company had misled its customers by stating that it had taken all steps, including encryption, to safeguard their interest. The Commission believed the company had violated the provisions of the Federal Trade Commission Act and was punishable under its relevant clauses (Guidance).
The original indictment of Riggs focused on a fraud that was considered narrow. Although the government claimed Riggs’s scheme was to use computers to steal the E911 text file, it dropped the case when it was convinced otherwise. The superseding indictment came down heavily on Riggs. He was charged with stealing computerized files by gaining unauthorized access to others’ computers, copying sensitive files, and publishing them in a hacker publication. The court indicted Riggs and Neidorf with violation of the Federal Wire Fraud Statute, 18 U.S.C. Section 1343. According to the government, the “Phoenix Project” of Riggs and Neidorf was to disseminate hacking tutorials. The newsletter, “PHRACK,” published by them was to distribute information to the hackers. Neidorf claimed that though he advocated illegal activity, it did not attract any criminal liability. The court rejected his argument and concluded, “For the foregoing reasons, Neidorf's motion to dismiss the superseding indictment is denied” (United States of America v. Plaintif, v., 1990).
The Chicago U.S. Attorney’s office framed Riggs and Neidorf with counts of wire fraud, 18 USC 1343, interstate transportation of stolen property, 18 USC 2314, and computer fraud, 18 USC 1030. Except for computer fraud, the other two counts were general in nature (Godwin).
In the year 1988, Morris, a first-year graduate, received permission to use computers at Cornell. On November 2, 1988, Morris selected a computer at the Massachusetts Institute of Technology to release a worm. The worm multiplied affecting many computers, which cost the university from $200 to more than $53,000. Morris was found guilty of violating code 18 USC 1030 by the jury. He was sentenced to a fine of $10,050, and 400 hours of community service. The District Court analyzed the case at length and finally concluded, “For the foregoing reasons, the judgment of the District Court is affirmed” (United States of America, Appellee, v. Robert Tappan Morris, 1990).
This case came up during a civil discovery proceeding. The district court ruled that under the terms of the Stored Communication and Computer Fraud, a defendant’s access to the messages had been authorized. The Court held that storing e-mails did not come under the Wiretap Act. Therefore, the court dismissed the case, which led the plaintiffs to appeal. The appellate court stated that “stored Communications Act provides a cause for action against anyone who intentionally accesses without authorization of a facility through which an electronic communication service is provided” (Gelman, Cyberlaw, 2003).
The appeal from IAC came up as a result of the dismissal of their suit against Citrin. Citrin was employed by the plaintiffs’ company, called “IAC.” Citrin was provided with a laptop to record data that he might gather for identifying potential acquisition targets during the course of his work. As Citrin wanted to run his own business, he decided to quit in breach of his employment contract. Before handing over the laptop to the company, Citrin deleted all data he had gathered during the course of his service, including whatever data he had gathered to further his own interest while in service, which he did not want to reveal to the company. When this became an issue, Citrin said that, as per the employment contract, when he ceased to be an employee of the company, he had to return or destroy the data in the laptop. The purpose of the understanding may have been not to overload the company with data that may have no further value once Citrin leaves, or it could also have been that the data had been limited to confidential information. The appellate court felt there may or may not be a dispute here, but the issue could not be resolved on this appeal.
The judge dismissed the IAC’s federal claim, and along with it the judgment was reversed with directions to reinstate the suit, including the supplemental claims (International Airport Centers LLC., et al., Plaintiffs v./ Jacob Citrin, Defendant-Appellee, 2005).
In another case, without any formal agreement, LVRC Holdings hired Brekka, who owned and operated EBSN and EBSF. LVRC was aware of Brekka’s businesses. While at LVRC, Brekka had to travel frequently, and so he was assigned a computer at LVRC headquarters. Brekka used this computer to transfer LVRC’s as well as his own mails to his personal computers. In August 2003, LVRC discussed possibilities of Brekka taking an ownership share in LVRC.
After the negotiations broke down, Brekka left his job, leaving the LVRC computer in as-is condition. Later on, LVRC found that Brekka was accessing its website. LVRC sued Brekka, alleging that he had violated the Computer Fraud and Abuse Act (CFAA). LVRC could not sustain their complaint because they could not prove that Brekka acted without authorization. The district court held that Brekka had authorization to transmit documents. The district court awarded the case in favor of Brekka. The Ninth Circuit affirmed the ruling of the district court, too.
Robbins v. Lower Merion School District was dubbed the “WebcamGate” scandal. The suit alleged that while the children were in the privacy of their homes, the school surreptitiously activated web cameras which were integrated in laptops provided by the school and used by the children in their homes. The suit alleged that the district infringed on its students’ privacy rights. After a preliminary hearing, the judge ordered the district to stop its secret operation and pay the plaintiffs’ attorney fees. Although the school had photographed Blake Robbins in his bed, the Federal Bureau of Investigation, US Attorney’s Office, and Montgomery County District Attorney established that there was no criminal intent involved in the case. The case prompted the Senate to introduce draft legislation.
Lori Drew was convicted on Nov 26, 2008, by a federal jury on three of four counts of unauthorized computer access. Drew was acquitted under three counts, thus raising widespread objection in the public on the use of criminal responsibility for violating website terms of service. The case was about the suicide of 13-year-old Megan Meier after she had an argument with 16-year-old Josh Evans, who was a fictional creation of Lori Drew on MySpace. Using false information for creating fictional accounts is a violation of the MySpace terms of service. The jury found that Drew’s subsequent visits to the MySpace site were “unauthorized access” under the terms of the CFAA. This case has been acclaimed as a very creative use of the CFAA, which targets hacking and trademark theft (Kozlowski, 2008).
The question, “Does an employee violate the computer fraud and abuse act when he is permitted to use company computers but does so in a manner that violates company policies?” was raised in the United States Court of Appeals for the Ninth Circuit. The response was that “En banc review is necessary to maintain uniformity of this Court’s decisions and to resolve questions of exceptional importance.” This question has divided courts around the country. In a ruling on this issue, a unanimous three-judge panel of the Court of Appeals for the Ninth Circuit split by adopting a narrow construction of the CFAA. The United States Government filed a charge against Nosal. The accusation centered on complaints that the defendant David Nosal and his associates misused proprietary information from their employer. The district court denied the motion initially, and the government preferred to appeal. Review was needed to clarify not just Section 1030(a)(4), but the scope, as well as Section 1030(a)(2). Also, review of the constitutionality of the CFAA was necessary. This is a question that merits en banc review. The conclusion was that for the reasons stated, re-hearing en banc should be granted (Nosal).
Sony requested for a temporary restraining order, which was granted by the US District Court for the Northern District of California. This prevented Hotz from distributing the jailbreak. The Court also ordered Hotz to hand over computers and storage media used for creating the jailbreak to Sony’s lawyers. The Court later issued an approval to Sony’s lawyers, allowing them to access all the IP addresses of people who logged into Geohot’s blog. This was done for establishing jurisdiction. Sony planned to make San Francisco a venue for the case. Later, Hotz and Sony reached a settlement out of court. The settlement included a permanent injunction against Hotz from doing any more hacking (Wikipedia, Sony Computer Entertainment America v. George Hotz).
Nosal and his co-conspirators exceeded their authorized access to their company’s computer system. This was aimed at defrauding their employer and assisting Nosal to set up a business. The appellate court reviewed the judgment of the district court and concluded that when a person has not received permission to use the computer, for any purpose, or when an employee accesses a computer in excess of his authorization, that constitutes violation of CFAA (Appeals)
Drake and his co-defendant were tried before a jury for wire fraud under 18 USC Section 1343. The trial court returned a guilty verdict on all counts against Drake. Drake preferred an appeal against his conviction on the grounds that: a) the verdict of the jury was without the support of the presented evidence; b) the trial court did not permit prejudicial cross-examination. The cross-examination questions were improper because facts were assumed and were not in evidence (briefs).
The United States v. Bradley Manning is a court-martial case. Bradley Manning was alleged to have delivered government documents to people who were not entitled to receive them. The transferred confidential documents ran into hundreds. The media alleged that many of the documents listed in the charge were the same as those published by WikiLeaks. The charge sheet included everything that pointed to treason. The Federal Statute says that espionage is a criminal offense. Anybody who willfully possesses and releases information relating to the national defense could cause damage to the country. Ellsberg was the first American who underwent prosecution under the Espionage Act. On December 16, 2010, House Judiciary Committee Chairman John Conyers (D-Michigan) held a meeting. It was about “The Espionage Act and the Legal and Constitutional Issues Raised by WikiLeaks.” Was this aiming to push to overhaul the 1917 statute? (Katsantonis, 2012)
The subpoenas served by the FBI on a Cambridge resident to give testimony before the Grand Jury, and another one served on David House, one of the founders of the Bradley Manning Support Network, show how seriously and actively the present administration is pursuing the ‘whistle blowing site’. President Obama’s administration is very actively pursuing this all-important WikiLeaks case (Wales).
JSTOR is a non-profit organization that permits online access to journals and archives. JSTOR did not permit downloading or exporting content from its computer servers with automated computer programs. JSTOR’s computers were also used in interstate and foreign commerce. Aaron Swartz is a fellow at Harvard University’s Center for Ethics. Although Harvard provided him access to JSTOR’s services, Aaron chose to go with MIT computer networks to steal about 4,000,000 articles from JSTOR. Between September 24, 2010, and January 6, 2011, Swartz broke into a restricted computer closet at MIT. He accessed MIT’s network without authorization from a switch within that closet. He connected to JSTOR’s archive of digitized journal articles through MIT’s computer network. Finally, with the help of JSTOR, MIT blocked Swartz by denying him an IP address on MIT’s network. Aaron Swartz did everything in violation of Title 18 USC Sections 1343 and 2, 1030(a)(5)(B), (c)($)(A)(i)(1),(VI)&2 (United States District Court v. Aaron Swarts).
Adekeye began his job with Cisco. He was a good planner with the dubious distinction of being the most prosecuted man in the channel. He challenged Cisco’s exclusion partners. He allegedly hacked Cisco’s partner portal in 2006. For this, the US prosecutors indicted him. He was also charged with stealing intellectual property and trade secrets of Cisco. The US Secret service investigated him for allegedly violating CFAA regulations. They alleged that Adekeye stole information and software by using a current employee status. The judge found that Mr. Adekeye’s conduct violated the Federal Anti-Hacking Statute (WALSH, 2011)
Pulte Homes, Inc. dismissed their employee Roberto Baltierra for alleged misconduct and poor performance. But this charge was not accepted by the Laborer’s International of North America (LIUNA). They said that Baltierra was dismissed for flimsy reasons, such as wearing a union shirt, and decided to retaliate by flooding Pulte’s communication lines with emails and telephone calls. They even hired auto-dialing agencies to generate a volume of calls. On finding their communication lines being bombarded by LIUNA, Pulte filed a suit alleging that LIUNA was violating the CFAA. The jury dismissed the case, citing lack of jurisdiction. Pulte appealed. The appellate court pronounced its verdict, stating, “We affirm in part and reverse in part the order dismissing Pulte’s complaint, affirm the denial of the preliminary and remand for proceedings consistent with this opinion.” Pulte’s argument on violence and destruction also was dismissed (District).
Sergey Aleynikov, a former Goldman Sachs computer programmer, was placed under arrest at Newark Liberty International Airport on July 3, 2009. The arrest followed an accusation of a security breach he might have perpetrated while working for Goldman Sachs. He faced charges of illegally duplicating software code used for trading on commodity and stock markets. In December 2010, the court ruled that he was guilty of stealing sensitive trade information and transporting stolen property, and sentenced him to 97 months in prison. Three weeks prior to sentencing, Aleynikov was put in jail at the behest of the government, since he was considered to be prone to flight after divorcing his wife. Oral argument on his appeal was later heard by the US Court of Appeals, and his conviction was reversed and a judgment of acquittal entered.
Nada Nadim Prouty, a Lebanese by birth, was a former American intelligence professional. Her brother-in-law, Talal Khalil Chahin, was an owner of the La Shish restaurants in Michigan. Chahin was alleged to have engaged in such activities as tax evasion, bribery, and extortion. This investigation further led investigators to look into Nadim Prouty. The investigators allegedly found that Nadim, her sister, and her friend had committed immigration fraud in 1989. She pleaded guilty to a sham marriage and unauthorized use of an FBI computer. Although the case required the judge to revoke her US citizenship, he withheld her deportation on account of a perceived threat to her life and safety in her native country.