"Crime" vs. "Cybercrime"
This is a follow-up to Atis’ comments on my last post, the one about the woman who was prosecuted for “computer crime” after she allegedly called into an automated unemployment office system and falsely indicated that she wasn’t working when, in fact, she was. The result was that she, apparently, got unemployment benefits when she should not have.
She was charged with computer crime, as I explained in that last post, to “access” a computer or computer system to commit theft.
I called the post “Computer Crime?” because while I can certainly see that what she did fit within the language of the statute, I don’t see why it was charged as computer crime, instead of plain old, garden variety crime.
As I noted in that post, and as I’ve said before, we have a well-developed repertoire of crimes because we, as a species, have had a lot of experience with crime. Crime, as I’ve explained in a number of law review articles, is an internal threat to social order and, as such, is something societies have to control if they are to survive and prosper.
They control crime – we cannot now, or in the foreseeable future, eliminate it, given human intelligence and the ability it creates to contumaciously refuse to follow rules – by defining certain behaviors and/or results as proscribed – “crimes” – and by defining other behaviors as acceptable. They do the latter through a process of socializing their members into the values and norms of that particular culture, which usually works well enough that only a subset of the populace will commit “crimes.”
Societies control the commission of crimes, as we all know, by having a dedicated, professional force that tracks down people who commit crimes and send them through the justice system, where they are tried, convicted or plead guilty and are then given certain sanctions. I’ve written in recent posts about the varied purposes of imposing those sanctions, so I’m not going to get into that here.
Here I want to elaborate on what I said in response to Atis’ first comment: As I noted above, and in response to Atis, what the defendant in the Colorado case allegedly did clearly fit within the state’s “computer crime” statute: If we accept the facts outlined in the opinion I cited in that last post, we see that the defendant called into the automated system for the purpose of obtaining money to which she was not lawfully entitled. The statute makes it a crime to “access” a computer system to commit theft. Since theft consists of purposely obtaining money or property that doesn’t rightfully belong to you, her alleged conduct qualifies and we have a literal violation of the statute.
My question, though, is “why computer crime?” Why not theft or fraud? Theft I defined above. Fraud is obtaining property from someone by tricking them into giving it to you. It seems to me her alleged conduct fits very nicely into fraud – she used the system to trick the state unemployment agency into giving her money to which she was not lawfully entitled (allegedly). It is true that she did not directly deceive an individual; she instead indirectly deceived the individuals who run the agency, but I don’t really see why that makes a difference.
As I noted in my last post, there was a British case in which the court found that it is not possible to “defraud a machine,” but I don’t think that issue comes up in the U.S. under a basic fraud statute. The reason I don’t think it comes up is, as I noted in my post on the British case, U.S. fraud statutes are “result” statutes, that is, they focus on the result, which is that someone uses deceit to get money or property to which they are not lawfully entitled. If our statutes focused on the “conduct” element of defrauding a human being, then the machine issue might be a problem . . . though I still think it should not, because it is humans who are ultimately defrauded out of their property. (Now, if and when we start dealing with sentient non-biological entities, it might be a problem.)
As I noted in my comments to Atis and in my last post, I also think there are good reasons to go with the generic, fraud charge rather than the computer crime charge.
One is that the computer’s role in a case like this is peripheral. This is not a case – like a denial of service or malware or hacking case – in which the computer plays a central role. The “harm” in the latter cases directly implicates the computer or computer system; the “harm” in the case above is the wrongful acquisition of property from a human-run agency.
Another reason is, I submit, that using the generic, traditional charge is less likely to cause problems at trial and on appeal. The appeal in this case dealt with whether she had “accessed” the computer system, and the conviction was reversed and the case was sent back for a new trial because of a disconnect between the language used in the charging document and the jury instructions . . . which, I submit, could probably have been avoided if she’d simply been charged with fraud.
Yet another reason is that I don’t think we need to keep creating new “crimes” when we have crimes defined that encompass the “harm” inflicted in a particular situation. As I explained above, we have two generic crimes – theft and fraud – either of which encompasses the “harm” allegedly inflicted in this case. So why not use them?
As I’ve argued in law review articles and in my latest book, I think the law has, for some very basic reasons, become distracted by the effects of technology . . . with the result that we tend to adopt technologically-specific crime laws (and other laws, as well). I think that distorts our proper focus. The focus of criminal law is discouraging and sanctioning the infliction of particular, socially-intolerable “harms.” It has not been on the method used to inflict “harm.”
So we have, for example, outlawed homicide – the killing of another human being. We have not outlawed homicide by gun, homicide by knife, homicide by poison, homicide by strangulation, homicide by beating, and so on. There’s no reason to – our concern is the “harm,” not the method.
Now, method is a legitimate concern in certain instances, such as when deadly force is used. That’s why we have the distinct offenses of “theft” (I take your laptop when you’re not looking) and “robbery” (I use a gun and forcibly take your laptop away from you). One encompasses the distinct “harm” inflicted or risked by the use of deadly force in committing an otherwise lesser crime. I can see the argument that computers play a similar role in certain kinds of cases, have, indeed, made a similar argument in a slightly different context. You can commit a lot more fraud with a computer and a 419 email than you can in person on by calling victims.
But the better way to do that, I think, is the way many systems deal with the use of deadly force – guns – in the commission of crimes: make it an aggravating factor at sentencing. That way you keep the focus of your criminal offense laws on the proper thing – the “harm” being inflicted – but you still encompass the heightened risk or heightened injury the perpetrator was able to inflict because he or she used a gun or a computer.
Computer Crime??
On May 15, the Colorado Court of Appeals decided People v. Rice, 2008 WL 2053490, which, IMHO, is an odd "computer crime" case.
(The opinion doesn't seem to be online -- yet?-- at the Colorado Court of Appeals site, I'm afraid.)
Here are the facts that led to the defendant’s – Nina Rice’s – being charged with and convicted by a jury of “computer crime” under Colorado law:[D]efendant made biweekly unemployment benefits claims by calling an automated phone system, the CUBLine, maintained by the Department. An employee of the Department testified that the CUBLine is a `computerized system, which uses interactive voice response technology.’ . . . . [A[n unemployment benefits claimant identifies . . . herself by entering a Social Security number and a personal identification number using numbers on a telephone when prompted by the system. The system then asks the claimant a number of questions related to `weekly eligibility requirements, such as ... did you work during the weeks you are claiming?’ The claimant responds by pressing `1’ for `yes’ and `9’ for `no.’ This procedure is described in a brochure that was admitted into evidence at trial and, according to the record, was given to defendant to review before she made her first biweekly claim. When the computer system determines a claimant is eligible for unemployment benefits, a computer prints a check that is automatically sent to the claimant. Typically, an eligible claimant completes a claim and receives a check without interacting with a person.
The evidence showed that defendant used the CUBLine to make biweekly claims for unemployment benefits. Each time the computer system asked if she worked during the week for which she was claiming benefits, defendant entered `9’ for `no,’ even though she was, in fact, working.
People v. Rice, supra.Here are the charges and what happened at trial:Defendant was charged by information with the crimes of theft and computer crime. The theft count alleged that defendant intended to permanently deprive the Department of money, and the computer crime count alleged that she accessed a computer for the purpose of obtaining money from the Department or committing theft. At trial, she testified that she believed the money she received from her unemployment claims belonged to her and had been withheld from her paychecks issued by her previous employer.
The jury was unable to reach a verdict on the theft count and found defendant guilty of computer crime.
People v. Rice, supra.And here is the offense she was convicted of – computer crime under Colorado Statutes § 18-5-5-102(c)-(d):
A person commits computer crime if the person knowingly . . .
(c) Accesses any computer, computer network, or computer system, or any part thereof to obtain, by means of false or fraudulent pretenses, representations, or promises, money; property; services; passwords or similar information through which a computer, computer network, or computer system or any part thereof may be accessed; or other thing of value; or
(d) Accesses any computer, computer network, or computer system, or any part thereof to commit theft. . . .
People v. Rice, supra.I, for one, don’t understand why they didn’t charge her with fraud, since it seems to me that’s the crime she committed, if the facts as alleged are true. Fraud is, as I’ve said before, obtaining money or property by deceiving someone. Here, the defense could argue that she deceived a machine, but as I wrote in an earlier post I don’t think that would be a problem . . . because the fraud works because people are ultimately deceived.Anyway, that wasn’t an issue in the case. After being convicted, Ms. Rice appealed, arguing that “she did not `access’ a computer” under the statute quoted above “by making a phone call and pressing telephone buttons in response to the CUBLine questions.” People v. Rice, supra.She lost. Here is how the court of appeals parsed the term “access:”In construing a statute, our primary purpose is to ascertain and give effect to the intent of the General Assembly. . . . We look first to the language of the statute itself, giving words and phrases their plain and ordinary meaning. . . . We read words and phrases in context, and construe them according to their common usage. . . .
`Access’ is not defined in the Colorado Criminal Code. However, it is a term of common usage, and persons of ordinary intelligence need not guess at its meaning. We, therefore, begin with the dictionary definition in determining the plain and ordinary meaning of `access.’ . . . Black's Law Dictionary . . . defines the word `access as `[a]n opportunity or ability to enter, approach, pass to and from, or communicate with.’
[W[e conclude defendant accessed, within the ordinary meaning of the term, a computer system, because she communicated with the CUBLine by inputting data in response to computer-generated questions. Also, the CUBLine was described in testimony at trial sufficient to support a finding that it was a `computer system’ as that term is defined in section 18-5 .5-101(6). . . .
People v. Rice, supra.
What do you think? Is this "computer crime" or not? I tend to see no reason to use specialized computer crime statutes when, as I noted above, the conduct alleged would fit nicely into a traditional offense category, such as fraud. Aside from anything else, it seems to me that would have avoided the need for this issue to be raised and considered on appeal. It also seems to me there's no need to use boutique criminal statutes when a traditional one suffices (but I could be wrong).
The case also demonstrates that it's a really good idea to define "access" in a statute that criminalizes unauthorized "access" or the use of "access" to commit fraud. That, too, can make things simpler.
(Oh, the court did reverse Ms. Rice's conviction and order a new trial, because of a conflict, basically, between the charges in the indictment and the prosecution's closing argument and the jury instructions.)
Sentencing: "Harm" and Punishment
This post is about how we decide what kinds of penalty to impose on someone who commits a cybercrime. Part of the problem in reconciling the "harm" the person committed (which can be actually or potentially very severe) with their personal characteristics (e.g., non-violent, no prior criminal record, etc.).
In a recent post, I outlined the goals of sentencing: incapacitation, deterrence, rehabilitation and retribution. ("Why?", May 16, 2008.)
In sentencing offenders, judges are to consider (i) those goals, (ii) the “harm” inflicted by the crimes the defendant committed and (iii) the defendant’s personal characteristics insofar as they impact on how a particular sentence would comport with the “harm” inflicted and the goals of sentencing.
Sentencing is not an easy task, even when real-world crimes like murder and rape and arson and robbery are involved. But sentencing for real-world crimes is, I submit, much easier than sentencing for cybercrime, at least for the moment.
We have had at least two thousand years’ experience in learning how to sentence people for crimes that cause tangible “harms” in the real, physical world. As I noted in that recent post, the ancient principle of lex talionis demanded simple equivalence between the “harm” caused and the punishment inflicted on the offender. So, in the phrase we all know, the lex talionis called for an “eye for an eye,” and so on.
Writing in the eighteenth century, English lawyer William Blackstone explained why the lex talionis principle really isn’t workable in practice:
The difference of persons, place, time, provocation, or other circumstances, may enhance or mitigate the offence; and in such cases retaliation can never be the proper measure of justice. If a nobleman strikes a peasant, all mankind will see, that if a court . . awards a return of the blow, it is more than just compensation. On the other hand, retaliation may sometimes be too easy a sentence; as, if a man maliciously should put out the remaining eye him who had loft one before, it is too slight a punishment for the maimer to lose only one of his. . . . Besides, there are many crimes, that will in no shape admit of these penalties, without manifest absurdity and wickedness. Theft cannot be punished by theft, defamation by defamation, forgery by forgery, adultery by adultery, and the like.
Blackstone’s Commentaries.
The difficulty of ascertaining what punishment is proper for cybercrimes – which tend to inflict intangible “harms” – is something we are still struggling with.
A few years ago, someone argued – facetiously, I hope – that we should apply the death penalty to “hackers” and those who spread worms and viruses. The premise was that death is an appropriate penalty because of the extreme financial losses these crimes can, and do, cause.
Even if the article was serious, the proposal cannot be implemented in the United States, anyway, because the U.S. Supreme Court has held that the death penalty can only be imposed for crimes involving serious physical “harm.” So far, in a move reminiscent of the lex talionis, the Court has limited the death penalty to serving as a punishment for homicide, but it is currently considering whether it can also be imposed for raping a child. However that case comes out, though, death is not going to be used as a punishment in economic crime cases. The Supreme Court has held that the Eighth Amendment prohibition on cruel and unusual punishment bars the imposition of “too much” punishment, and death for economic damage would be “too much.”
That leaves us to think about how courts should use the “other” available penalties – imprisonment, fines, probation and restitution – in sentencing cybercriminals. I can’t begin to cover all the issues this problem raises here, so I’m going to use a recent cybercrime case as an example to consider what should and should not be taken into account in sentencing a cybercriminal.
According to a Department of Justice Press Release, in March, 2006, Christopher Maxwell pled guilty to one count of violating 18 U.S. Code section 1030 by intentionally causing or intending to cause damage to a computer and one count of conspiring to do so in violation of 18 U.S. Code section 371. (Section 371 makes it a crime to conspire to commit a federal offense). Here’s how the Press Release describes the crimes:
[A] botnet is created when a hacker executes a program . . . that seeks out computers with a security weakness it can exploit. The program will then infect the computer with malicious code so that it becomes . . . a robot drone for the hacker . . . controlling the botnet. . . . Botnets can range in size . . . to tens of thousands of computers doing the bidding of the botherder.
MAXWELL and two unnamed co-conspirators created the botnet to fraudulently obtain commission income from installing adware on computers without the owners' permission. . . . [B]y controlling someone's . . .computer, the botherder can remotely install the adware and collect the commission all without the computer owner's permission or knowledge. In this case, the government alleges that MAXWELL and his co-conspirators earned $100,000 in fraudulent payments from companies that had their adware installed. . . .
[A]s the botnet searched for . . . computers . . . it infected the computer network at Northwest Hospital in . . .Seattle. The increase in computer traffic as the botnet scanned the system interrupted . . .hospital computer communications. These disruptions affected the hospital's systems in numerous ways: doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down. By going to back up systems the hospital was able to avoid any compromise in the level of patient care.
Following MAXWELL's indictment in February, 2006 the investigation revealed that the botnet had also damaged U.S. Department of Defense computer systems at the Headquarters 5th Signal Command in Manheim, Germany and the Directorate of Information Management in Fort Carson, Colorado. More than 400 computers were damaged at a cost of $138,000 to repair.
According to a news story, Maxwell’s botnet also caused more than $50,000 in damage to the computer system at a California school. According to investigators, Maxwell’s botnet attacked more than 441,000 computers during the two weeks it was in operation. (The other conspirators were juveniles, which is why they're not named in the Press Release.)The conspiracy count was punishable by up to 5 years in prison and a $250,000 fine. The damaging a computer count was punishable by up to 10 years in prison and a fine of $250,000.The federal prosecutor wanted Maxwell sentenced to serve 6 years in prison. She said the sentence was warranted by deterrence: “There is a hacker community. They will know immediately what sentence you impose."
According to one news story, Maxwell, “holding back tears,” pled for probation instead of prison: "`I am a 21-year-old boy with a good heart and I made a mistake,’ he told the judge. `I never realized how dangerous a computer could be. I thank God no one was hurt.’"The judge agreed with the prosecutor that the need for deterrence warranted a prison term, but didn’t go as far as the prosecutor wanted. She cited Maxwell’s age and lack of previous criminal history in sentencing him to serve 37 months and to pay $114,000 in restitution to the hospital and $138,000 in restitution to the Department of Defense. I suspect that will take a while.What do you think? Should the judge have maxed out (no pun intended) and sentenced him to serve 15 years? Should she have gone with the prosecutor and sentenced him to 6 years? Or is 37 months enough?If the sentence is meant to deter others from following his lead, there may be a problem. Studies have shown that deterrence is not simply a function of harsh the penalty is. It’s a function of two things: the severity of the punishment I’ll get if I’m caught; and the likelihood I’ll get caught. If I’m not likely to get caught, or if I think I’m not likely to get caught, even a really severe penalty isn’t likely to deter me from committing crimes if I can make money by doing so.If you could make, say, $1,000,000 in the next two months by committing crimes for which you could be sentenced to 25 years in jail IF you got caught, but your chances of getting caught are 1%, would you be deterred or would you go for it? What if you could make $100,000 with a 10% chance of getting caught and prosecuted?
Imposture (Revisited)
At the end of 2006, I did a post on online imposture. In that post, I was talking about pretending to be someone else by posting information or messages in their name. I was primarily concerned with whether that would qualify as defamation and, if so, if that would provide the victim with adequate redress.Here, I want to talk about something different.
In my last post – on the juvenile charged with harassment – the facts indicated that another juvenile had pretended to be the principal of her school in creating a MySpace profile. Given that the students were in middle school, I’m willing to guess that the profile created in the principal’s name was probably too amateurish and juvenile to convince anyone he created it.But that raises an interesting possibility: creating a MySpace or Facebook page in someone’s else’s name and using it to embarrass them and maybe even cause major damage to their reputation and career. It could be a really insidious, nasty thing to do, because it might well take the victim a long time to find out what had been done . . . by which time the damage would have been done. Then the victim would be in the position of having to convince anyone who’s seen the fake MySpace or Facebook page that it was, in fact, created by someone else for malicious purposes. I’ve found some indication that this has already been done. According to this site, it was done to Yaron London, an Israeli “media star.” The site doesn’t tell me much about what was done, but does indicate that he was embarrassed by comments on the page that was created without his knowledge. And I find posts on various sites in which people report that this has happened to them though, again, they don’t provide much detail about the “harm” the imposture caused. And I found a story from last year that talks about MySpace and Facebook imposters and about what the victim can do, in terms of getting the fake site taken down. My interest in this phenomenon goes to the possibility of criminal liability. One of the stories I found about Facebook and MySpace imposture refers to it as “identity theft.” It could be identity theft, I suppose, but not in the scenario I set out above.The crime of identity theft is not about imposture; instead, it’s usually about fraud. Here, for example, is how Connecticut defines identity theft: A person commits identity theft when such person intentionally obtains personal identifying information of another . . . without the authorization of such other person and uses that information to obtain or attempt to obtain, money, credit, goods, services, property or medical information in the name of such other person without the consent of such other person.
Connecticut General Statutes Annotated § 531-129a(a). Except for “medical information,” the statute is criminalizing the use of somebody else’s identity for financial gain, which is a kind of fraud.A few states break identity theft into two categories, as in this Arkansas statute: (a) A person commits financial identity fraud if, with the intent to:
(1) Create, obtain, or open a credit account, debit account, or other financial resource for his or her benefit or for the benefit of a third party, he or she accesses, obtains, records, or submits to a financial institution another person's identifying information for the purpose of opening or creating a credit account, debit account, or financial resource without the authorization of the person identified by the information; or
(2) Appropriate a financial resource of another person to his or her own use or to the use of a third party without the authorization of that other person, the actor:
(A) Uses a scanning device; or
(B) Uses a re-encoder.
(b) A person commits nonfinancial identity fraud if he or she knowingly obtains another person's identifying information without the other person's authorization and uses the identifying information for any unlawful purpose, including without limitation:
(1) To avoid apprehension or criminal prosecution;
(2) To harass another person; or
(3) To obtain or to attempt to obtain a good, service, real property, or medical information of another person.
Arkansas Code § 5-37-227. The statute defines “identifying information” as including the following: Social security number; driver's license number; checking or savings account number; credit or debit card number; personal or electronic identification number; digital signature; or “[a]ny other number or information that can be used to access a person's financial resources”. Arkansas Code § 5-37-227.It seems this statute could encompass the scenario I outlined above, since it, unlike most identity theft statutes, reaches harassment as well as using someone’s identity for financial gain. Massachusetts is the only state I can find that has a similar statute. Massachusetts General Laws 266 § 37E.I’m not sure it really could encompass the scenario, though, because of the way the statute defines “identifying information.” Identifying information seems to be limited to financial information. The Massachusetts statute looks like it might, since it defines identifying information as “any name or number that may be used, alone or in conjunction with any other information, to assume the identity of an individual, including any name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, credit card number or computer password identification.” Massachusetts General Laws 266 § 37E. I’m also not sure if when the statutes refer to harassing “another person” (which both do) they mean harassing the victim of the identity theft or a third person; I tend to think they mean harassing a third person (but I could be wrong). If I’m right, then neither statute could be used to prosecute the kind of imposture I hypothesized above.The more important question is “should we use criminal law to reach this kind of conduct?” On the one hand you can, as I noted above, cause a lot of “harm” to someone by essentially using MySpace or Facebook to frame them. My law school, like other law schools and, I assume, other professional schools and undergraduate programs, makes a great effort to warn our students that they put on MySpace or Facebook pages can come back to haunt them. Both bar associations and potential employers troll the sites to find information that discredits a bar applicant or potential employee. If you framed someone, you could, in the law school context, prevent them from being able to sit for the bar examination and/or to find a job. That’s pretty nasty.I tend, though, to believe we can’t use criminal law to handle every nasty maneuver that crops up. In the United States, we already have, IMHO, way too many crimes and lock up way too many people. We can’t keep going along that path. Aside from anything else, it takes a lot of resources – a lot of money and personnel – to enforce criminal law and to punish offenders. I also wonder if this is to some extent a transitional problem. I wonder if, as time passes, we will become less credulous, more jaded consumers of the information posted online.
Harassment, MIddle School Style
I’ve written recently – and not so recently – about how the law deals with people who "annoy, alarm and harass" each other, but that post, and an earlier one, were both about adult conduct.
Magistrate Marcia Linsky of the Allen County (Indiana) Superior Court sent me a link to a recent opinion from the Indiana Supreme Court that deals with a very different kind of harassment. . . harassment by a middle school student.
According to the Indiana Supreme Court’s opinion, this is what resulted in the student's being charged with harassment:
When the 2005-06 school year began, A.B. was a student at Greencastle Middle School, where Shawn Gobert had been principal for thirteen years. Sometime before February 2006, she transferred to a different school. In February 2006, Mr. Gobert learned from some of his students of a vulgar tirade posted on MySpace that apparently targeted his actions in enforcing a school policy. As appropriate for a . . . prudent school administrator, Mr. Gobert investigated. With the assistance of others, including some students, he discovered that a `Mr. Gobert’ profile” had been created on a MySpace Internet web page, purportedly by him, and on which A.B. had posted a vulgarity-laced tirade directed against him. In fact, another juvenile, R.B., a friend of A.B. and at the time a student at Greencastle Middle School, had created this false `Mr. Gobert’ MySpace private `profile’ and allowed access to it by twenty-six designated `friends,’ one of whom was A.B. A.B. then made her posting about Mr. Gobert on this private `profile’. Thereafter, . . . A.B. created her own MySpace `group’ page, accessible by the general public, and titled with a vulgar expletive directed against Mr. Gobert and Greencastle schools.
As a result, delinquency proceedings were initiated against A.B. The . . . petition . . . charged A.B. with nine counts. Three . . . were dismissed at the fact-finding hearing. The remaining counts each allege conduct by A.B., a minor, that if committed by an adult would constitute Harassment . . . . The various surviving counts allege her use of a computer network to harass Mr. Gobert. Counts I and V allege that A.B. used a computer network to transmit the following:
`hey you piece of greencastle s* *t. what the f* *k do you think of me know (sic) that you cant [sic] control me? huh? ha ha ha guess what ill [sic] wear my f* *king piercings all day long and to school and you cant [sic] do s* *t about it.! ha ha f* *king ha! stupid b* *tard!
Counts III and VII each allege Harassment based on A.B.'s transmission of “die ... gobert ... die;” and Counts IV and VIII are based on A.B.'s transmission of `F* *K MR. GOBERT AND GC SCHOOLS!’
The Indiana Supreme Court, not me, edited the post so the “expletives are identified symbolically.” I think we get the idea, though, even with the edits. (I do like how A.B. refers to him as “Mr.” Gobert in that last one.) Before we get into the legal issues, I want to note something: what happened here is an example of what has happened in lots of schools in at least several countries. When I was I school, the only ways we could take out our frustrations with our teachers was by drawing obnoxious cartoons and making up scandalous stories about them. Whatever we did had a very limited circulation, and so had a very limited impact. Cyberspace lets anybody with a computer and Internet access become a “publisher,” so students can be a lot more creative in the ways they take out their frustrations and their expressions of frustration can enjoy a very wide circulation, especially if they’re interesting. Now, let’s talk harassment. Here’s the statute A.B. was charged with violating:
A person who, with intent to harass, annoy, or alarm another person but with no intent of legitimate communication . . . uses a computer network . . . or other form of electronic communication to communicate with a person or transmit an obscene message or indecent or profane words to a person; commits harassment, a Class B misdemeanor.
Indiana Code § 35-45-2-2(a)(4). A.B. was adjudicated delinquent for violating the statute and appealed. Since, as the Indiana Supreme Court noted, “in juvenile delinquency adjudication proceedings, the State must prove every element of the offense beyond a reasonable doubt”, we are essentially dealing with a criminal case. If you look at the Indiana harassment statute, you will see that its structure is analogous to that of a “threat” statute. That is, it requires that the perpetrator (i) have sent harassing communications to the victim (ii) with the intent to harass that that specific person and (iii) for no legitimate purpose. That has traditionally been how harassers have conducted themselves; they have called, emailed and otherwise communicated directly with their victim for the deliberate purpose of annoying and/or alarming that person. As the Indiana Supreme Court pointed out, what A.B. did doesn’t fit within the elements of the statute: The allegedly harassing communications by A.B. identified in Counts I, III, V, and VII were postings by A.B. on her friend's MySpace `private profile’ site. This . . . site, . . . could not be seen by the general public except for those . . . accepted as `friends’ by the creator of the `profile.’. . . Mr. Gobert was able to view it only because R.B., the student who created the `profile,’ . . .authorized him to access the `profile’ during his investigation. . . . [T[here was no evidence . . . A.B. expected that Mr. Gobert would see or learn about A.B.'s messages. . . .
The analysis differs as to Counts IV and VIII, which refer to A.B .'s remarks on her MySpace `group’ page. Because this site was publicly accessible, it may be reasonably inferred that A.B. had a subjective expectation that her words would likely reach Mr. Gobert. This alone, however, does not establish the intent element specified in the Harassment statute. . . .While A.B. titled her `group’ page with the vulgar expletive, her own posting on the page elaborated as follows:
[R.B.] made a harmless joke profile for Mr. Gobert. and [sic] some retarded b* *ch printed it out and took it to the office. [R.B .] is expelled, has to go to court, might have to go to girl [sic] school, and has to take the 8th grade over again! that's [sic] just from the school, her paretns [sic] have grounded her, and took [sic] her computer, she cant [sic] be online untill [sic] 2007! GMS is full of over reacting idiots!
Other than the title and this posting on A.B.'s `group’ page, there was no other evidence relevant to the issue of her intent as to Counts IV and VIII. And the content of the posting presents strong evidence that A.B. intended her `group’ page as legitimate communication of her anger and criticism of the disciplinary action of Mr. Gobert and the Greencastle Middle School against her friend. . .
The court therefore held that the prosecution had failed to prove beyond a reasonable doubt that A.B. sent the communications with the intent to harass Mr. Gobert and for no legitimate purpose. I think the court is absolutely correct. I also think the evidence failed to prove another element, the first of the three I noted above: the statute requires that the harassing communication be sent TO the victim. A.B. did not do that. She merely posted them online, where they COULD be seen by the victim.
As I wrote in an earlier post, the Sixth Circuit Court of Appeals threw out threat charges against a Michigan college student some years ago for essentially the same reason: Jake Baker was charged with threatening a classmate by posting violent fantasies online, fantasies in which he raped and killed her. The Sixth Circuit said it wasn’t a threat because Baker did not send the communications directly to her. Seems to me we have the same problem here, too.
Having Absolutely Nothing To Do With Cybercrime
A friend of mine just sent me the link to a recent decision issued by the U.S. Court of Appeals for the Seventh Circuit.
It’s an appeal in a civil case and has nothing to do with cybercrime. It does involve some First and Fourth Amendment claims but, all in all, it's not the kind of case students go to law school to handle.
If you want to read a really funny opinion – with some equally funny pictures – about a neighborhood squabble gone very bad, check it out.
Click on this link. Then search the opinions using this case number: 06-3176
You can download the pdf file and see what I mean.
Why?
I assume everyone has seen the stories about the indictment in the Megan Meier suicide case. I did a post on the case last fall, because it at once outraged and mystified me.
(How could an adult get involved in all this?)
If you want a review of the facts and my take on the permissibility (not) of charges, check out that earlier post.Here, I want to talk about something different.
I want to talk about why the woman who set the events in motion that led to Megan’s suicide has been charged in a federal indictment with (a) gaining unauthorized access to “a computer used in interstate and foreign commerce, namely the MySpace servers located in Los Angeles” and (b) conspiring to gain such unauthorized access to the MySpace servers for the purpose of inflicting emotional distress (harassment) on Megan. U.S. v. Lori Drew, Indictment, N.D. California 2008.
The unauthorized access charges were brought under the basic federal cybercrime statute, 18 U.S. Code section 1030, which I have written about before. If you want an outline of what can be charged under the statute, check out this post. The conspiracy charge was brought under the basic federal conspiracy statute 18 U.S. Code section 371, which makes it a crime to conspire to commit a federal offense.
My “why” questions (don’t expect answers) have two parts. The first goes to the propriety of bringing these charges. As I said in my earlier post on Megan’s suicide, it’s a horrible tragedy and I cannot understand what was in Lori Drew’s mind, but I don’t think it warrants criminal charges. And the local prosecutor simply was not able to bring charges because the facts didn’t warrant them. So now the federal government has gotten into this.
The people who created the Constitution and our federal system intended that criminal law be enforced firstly and foremost at the state and local level. They intended that because crime and the imposition of criminal liability are matters that resonate with local concerns, local mores, local attitudes. They also didn’t want too much power centralized in the federal government.
Over the last century, the number of federal crimes has exploded. I’m not getting into whether that is a good thing or a bad thing. It’s a fact, and it means federal prosecutors have access to a broad statute like section 1030 which can, maybe, be shoehorned into a prosecution like this. I think the charges can be, as they have been, put together in a fashion that will survive a motion to dismiss based on the premise that “this ain’t a crime,” but I don’t think they make sense in terms of law or policy.
Last January, I raised the grand jury investigation into Megan’s death with the students in my cybercrime class and we analyzed how section 1030 COULD be used against Lori Drew. It really doesn’t make sense, though: the statue was intended to criminalize hacking, both the general, exploratory kind of hacking and the kind that involves stealing or destroying data in a system you’re not suppose to have access to. Here, IMHO, it’s being used in a really distorted manner. There’s also the minor matter of diverting federal resources to a case that, I would argue, belongs in a state court if it belongs anywhere.
Okay, that’s the first part of “why.” Here’s the second: The stories say (and I haven’t parsed the figure out myself, using the statute and sentencing guidelines and all that) Lori Drew faces up to 20 years in prison if she is convicted of the charges in the 4-count indictment. Why?
The imposition of criminal liability and punishment – imprisonment – in our system is based on achieving four goals:- Incapacitation: We lock you up so you can’t re-offend.
- Deterrence: We lock you up to teach you a lesson so you won’t re-offend when we let you go, and we lock you up to convince others not to follow your example and commit the crime(s) you did.
- Rehabilitation: This used to be very important, but is a minor theme now. Basically, if we have time and it seems easy, we’ll try to rehabilitate you so you don’t re-offend.
- Retribution: This is the oldest reason for punishment. The ancient law, the lex talionis, called for an “eye for an eye, tooth for tooth” and so on. So, we lock you up to exact pain from you for what you did.
Does it make sense to lock Lori Drew up for 20 years? Would doing that achieve any or all of these goals?
This goes to an issue I often raise with my students: overcharging. If Missouri had a harassment statute that would have encompassed what Ms. Drew allegedly did, then it seems to me it would be perfectly appropriate to charge her with that crime, convict her if the evidence established that she committed it and then punish her "enough" to achieve whichever of the above goals were driving the prosecution. So, in our hypothetical, she's convicted of harassment under state law and, what?, maybe fined, maybe given 30 days in jail, put on probation for a few years, required to work at suicide prevention center or some other appropriate place. That would make sense to me.
I just don't see the sense in, as the saying goes, "making a federal case out of it", especially not when it could mean 20 years in jail.
Faithless Friends and Good Faith Mistakes
This post is based on some questions that were emailed me . . . questions about a private citizen searching your private property, finding evidence and then taking it to the police. The questions and my thought on each follow.
B gives C access to a computer server containing illicit materials. C turns over what he finds to the authorities, who find out that A is leasing the server. The authorities seize the server and search A's house. A claims to have never given access to B or C and there is no evidence otherwise. Can the search warrant and its fruits be suppressed?I think A loses on the 4th Amendment issue. In analyzing this question, I’m assuming A did, in fact, give B access to the server and that the information C turns over to law enforcement, combined with whatever efforts they make to connect A to the material, gave them probable cause to get the search warrant, i.e., gave them probable cause to believe they would find illicit material on the server and in A’s house.
(If probable cause was lacking, then the search warrant should not have issued, and that should mean the evidence would be suppressed . . . unless the court finds that the good faith exception applies. U.S. v. Leon, 468 U.S. 897 (1984). Under the Leon good-faith exception to the 4th amendment’s exclusionary rule, evidence will not be excluded when police officers reasonably rely on a search warrant issued by a judge, even if that search warrant is later declared invalid. This means that even if the court were to determine that the warrant was not based on probable cause, the evidence would not be suppressed if the officers who executed the warrant did so in the good faith belief that it was supported by probable cause, since it was issued by a judge who decided probable cause existed).
So the issue basically becomes whether the evidence should be suppressed because A gave B access to the server, but did not intend that B would give C access, and never intended that B (or C) would betray him by taking evidence to law enforcement.
The answer, almost certainly, is no. I talked about this general issue in an earlier post. I won’t repeat everything I said there here; I’ll just note that for Fourth Amendment purposes, basically you assume the risk of being betrayed when you give someone access to your “stuff” . . . whether it’s your house or your car or your computer or your server. So by giving B access to the server, A assumed the risk that B would use that access to find evidence and himself betray A and/or that B would do so indirectly, by giving C access to the evidence (which set in motion the possibility that C would then betray A, if, indeed, C can be said to be in a position to betray A, since we don’t know if there was any connection between them.)
What if C hacked in to the server and gained access to it by illegal means? He saw illicit material, copied it and gave the copy to law enforcement officers. They used the copies plus what C told them (i.e., where C got the stuff) to secure a warrant to seize the server. Could the search later be deemed illegal, if C wasn't supposed to be in that server anyway?
There was a case in the city where I live: A burglar broke into an apartment to rob it, found child pornography, went to the police and told them what he'd found. They used what he said to get a search warrant, searched the apartment, found child pornography, and prosecuted the person who lived in that apartment . . . and prosecuted the burglar for burglarizing the apartment. This scenario is a variation of the scenario above.
Basically, if a private person – your friend or a stray burglar who happens to break into your home and finds incriminating evidence – decides to turn on you, you’re out of luck. The 4th Amendment only applies to state action, i.e., to searches and seizures conducted by law enforcement agents and by people who are acting on their behalf.
So in the local case, the 4th Amendment would only be implicated if the police had put the burglar up to breaking into the apartment to see if he could find child pornography so they could then use what he found to get the warrant, and so on. If he acted on his own, then we don’t have state action and the 4th Amendment doesn’t apply . . . until the law enforcement officers enter the apartment. If they have a valid search warrant, that entry is constitutional. In the case posited above, the entry into the apartment with the search warrant would only be a problem if the police had instructed C to hack in illegally.
If you want to read about some cases where the scenario set out above pretty much happened, but the person who hacked someone's computer did not get charged with a crime, see this post.
Searching a Pastor's Computer
In State v. Young, 974 So.2d 601 (Fla. App. 2008), a Florida court of appeals had to decide whether a search of a minister’s office was valid under the Fourth Amendment.
As I’ve mentioned before, consent is an exception to the Fourth Amendment’s warrant requirement. That is, if someone consents to have their property searched, officers do not need to get a search warrant; the consent in effect waives the requirement of a warrant.
To be valid, consent must be voluntary (not coerced) and must be given by someone with authority to consent to the search. Someone who owns or uses property can give valid consent to a search.
“Use” means that the person who consents either is the sole user of the property or is a joint user of the property. Spouses, for example, can each consent to the search of the property they share and the consent will justify the search (unless the other spouse is present and refuses to consent).
Young was the pastor of a small church in Florida. According to the Florida court of appeals' opinion, the church provided Young with a desktop computer and a private office. Although the computer was provided to Young for use in connection with his duties at the church, there was no official policy regarding the use of the computer or others' access to it. . . . This office had a special lock that could not be opened with the Church's master key. Three keys to Young's office existed. Young kept two of the keys, and the church administrator kept the third key, which she stored in a locked credenza drawer in her office.
State v. Young, supra.
As to the events leading to the search, and to Young’s being charged with "viewing child pornography", according to the Florida Times-Union, it all began when the church’s administrator got a call from the church's Internet service provider. The caller said spam had been linked to the church's Internet protocol address. The church administrator then ran a “spybot” program on the church's computers. When she ran the program on Young's computer, she saw “some very questionable [w]eb site addresses.” The church administrator then contacted a member of the staff parish and an information technology person to set up a time to have the computer examined. State v. Young, supra. Later, the chairperson of staff parish relations, Kenneth Moreland, contacted Richard Neal, district superintendent of the Church, to tell him what had happened. State v. Young, supra. After discussing the matter with the bishop and getting approval for the decision, Neal instructed Moreland to contact law enforcement officials and allow them to see the computer. The next morning Neal instructed Young not to return to the church until the two could meet and discuss the situation. When officers arrived at the church, Moreland unlocked Young's office and signed `consent to search' forms for the office and computer. Young arrived at the church during the morning when the officers were there. Moreland and an officer instructed Young to leave the property immediately, and he complied.
State v. Young, supra.
The officers apparently found incriminating evidence that, at least in part, consisted of websites Young had bookmarked on his office computer. They interviewed him, he made incriminating statements, and charges were filed, after which he because he moved to suppress evidence found in his office. The court held a hearing on the motion.
The officers who searched the computer testified that they understood Moreland to be a “representative of the church” whose authority to consent was based on instructions from a church supervisor. State v. Young, supra.
Neither of them talked to Moreland's supervisor or asked Moreland further questions about his authority before the search began. One officer said she had spoken with Neal after she was inside Young's office. At the time, she knew Neal had never used Young's computer, did not work in Young's office, and did not keep property there. (Remember, joint use is a basis for being able t consent.) Neal testified to the same effect. Moreland testified that he did not work in Young's office and did not keep belongings there. Neal, though, testified that he had authority to consent to the search and to instruct Young to stay away from the church under the Church’s Book of Discipline, by which Young had agreed to be bound when he was ordained.
State v. Young, supra.
The issue in the case was whether the search of the computer in Young’s office was valid as a consent search. I get the sense that the viability of the charges (whatever they were) against Young depended on the evidence found there, so the issue was crucial. The trial court found that none of the church personnel had authority to consent to the search of Young’s office, and the court of appeals agreed.
The church personnel who consented clearly did not use the office jointly with Young; and they apparently made that clear to the officers, so the officers could not have believed they had the authority to consent to a search of his office. As the court of appeals explained, although the church owned the computer, Young was the sole regular user. Although the church administrator performed maintenance on the computer, there was no evidence that she or anyone other than Young stored personal files on the computer or used it for any purpose other than maintenance. There was no policy informing Young that others at the church could enter his office and view the contents of his computer. The only way to access the computer to view its contents was to enter through the locked office door. It is clear under these circumstances that the church trusted Young to use the computer appropriately and that it gave no indication that the computer would be searched by anyone at the church. The fact that Young violated this trust does not detract from a proper analysis of whether he had a legitimate reason to expect that others would not enter his office and inspect the computer.
State v. Young, supra.
The evidence found in Young’s office was suppressed, and so were the incriminating comments he made to the officers, because they derived from (were the fruit of the poisonous tree of) the illegal search of his office. I assume the charges, whatever they were, were dismissed.
Ineffective Assistance of Counsel
A while back, I did a post on the Trojan horse defense, which is basically a cyber-version of an old defense: Some Other Dude Did It, or the SODDI defense.
In this post, I want to talk about how a defense lawyer’s failure to raise a similar defense was found to constitute ineffective assistance of counsel.
The case is People v. Patterson, 2008 WL 886203 (Mich. App., April 1, 2008), and I’ll talk about the facts and charges in a minute.
First, I want to outline what a convicted defendant has to establish in order to win on an ineffective assistance of counsel claim: The benchmark in evaluating a claim that trial counsel was ineffective is whether counsel's conduct so undermined the proper functioning of the adversarial process that the trial cannot be relied on as having produced a just result. Strickland v. Washington, 466 U.S. 668, 686 (1984. The defendant must show, first, that counsel's performance was deficient. This requires a showing that counsel made errors so serious that he was not functioning as the `counsel’ guaranteed by the Sixth Amendment. Second, the defendant must show prejudice. This requires proof that counsel's errors were so serious as to deprive the defendant of a fair trial, i.e., a trial whose result is reliable.
People v. Patterson, supra. Here are the facts in the Patterson case: This case stems from an investigation that Patterson had stalked an ex-girlfriend. Deputy Cuatt was a part of a team that executed a warrant to search defendant's residence. Cuatt has expertise in computers, which was needed so that evidence purportedly on a computer in the home would not be lost. Police located an old computer . . . in a small room and two hard drives. The computer was powered on even though no one was home. . . . Police seized the computer and Deputy Cuatt eventually subjected both hard drives to certain forensic programs. One . . . had a large amount of adult pornography on it. The same hard drive had four pictures of young girls who were obviously under the age of eighteen. The hard drives also contained photographs of defendant, family members, and friends, as well as e-mail to and from defendant.
People v. Patterson, supra. Mr. Patterson was charged with possessing child sexually abusive material, in violation of a Michigan statute. He was convicted, but moved to have the conviction set aside and a new trial ordered. At the hearing on the motion for a new trial, Mr. Patterson testified that he had sent trial counsel a list of witnesses he wanted called at trial. According to defendant, several witnesses would have testified that he did not live alone and that a number of people, who either lived with him or assisted him because of his physical limitations, had access to the computer. Defendant also testified that some of those people were no longer friends and they had a reason sabotage his computer.
People v. Patterson, supra.
So according to Mr. Patterson, he wanted his defense attorney to raise a SODDI defense. At the hearing, his defense attorney, when asked why he decided not to call witnesses to show that others had had access to the computer, said he told Mr. Patterson “that the witnesses would . . . probably assert their 5th Amendment rights against self-incrimination.” People v. Patterson, supra. The trial court denied the motion for a new trial because it found that the defense attorney had “employed a proper trial strategy in not calling witnesses, even though he never contacted any of the dozen or more witnesses offered by defendant.” People v. Patterson, supra.
The Michigan Court of Appeals disagreed: [T]rial counsel knew weeks before the trial that many others had access to the computer containing the illegal pictures yet failed to investigate or produce these individuals as defense witnesses. On these facts alone, we conclude that counsel's conduct fell far below an objective standard of reasonableness. . . . . We also conclude defendant was prejudiced. . . . Testimony that others were present in his home and had access to the computer would have created a reasonable probability that the result would have been different, especially considering that even the trial prosecutor was somewhat surprised by the jury's finding of guilt. Given that the prosecutor's case rested entirely on the premise that defendant was the only person who could have put the illegal images on the computer, and where defendant's trial counsel thought defendant lived alone, counsel's failure to investigate the witness list was ineffective and extremely prejudicial.
People v. Patterson, supra. I can certainly understand why the court of appeals reached this result, but here’s an aspect of this case that really puzzles me.
First, the prosecutor, who had the burden of proving the case beyond a reasonable doubt, presented no witness to testify that the Defendant put the child sexually abusive images on the computer found in his home. The People called only two witnesses: the officer who analyzed the computer and an expert who gave an opinion about the age of the children whose images were on the computer. The officer acknowledged that there was no way for him to determine how the images became stored on the computer or who did so.
People v. Patterson, supra. If that’s all the prosecution presented, it clearly did not meet its burden of proving beyond a reasonable doubt that Mr. Patterson was responsible for the images’ being on the computer. All the defense needed to do was to move for a judgment of acquittal, based on the prosecution’s failure.
The defense did not do that, apparently because the defense attorney thought he had to prove that other people, maybe even specific other people, were responsible for the images’ being on the computer. That gets it backwards: As anyone who’s familiar with the O.J. Simpson murder trial knows, all the defense has to do is to raise “doubt” about the prosecution’s claim that the defense is guilty. Here, it was a slam dunk, since the prosecutor didn’t offer ANY evidence from which a reasonable juror could find that Mr. Patterson was the person who put the images on the computer. Makes you wonder what will happen at the new trial the court of appeals ordered.
"Counts" and "Crimes"
This is a follow-up to my last post, which talked about a prosecutor’s discretion in deciding how many charges to file against a defendant.
In that post, I talked a bit about how the prosecutor in that case increased the number of charges against Mr. Cline after his first conviction was thrown out and the case was remanded for a new trial. The prosecutor said he increased the number of counts because there had been a problem – a duplicity problem – in the first indictment.
I want to talk here about what the issues that can arise in deciding whether a particular charge – a “count” – charges, essentially, too “much” crime or too little. Let’s start with a basic premise of bringing criminal charges.
Defendants are usually charged in an indictment, which is a set of charges returned by a grand jury, but they can also be charged in an information, which is an essentially identical set of charges that is produced by a prosecutor without the assistance of a grand jury.
In any charging document, each specific “charge” – each accusation that a defendant committed a “crime”, is set out in a separate “count.” So, an indictment will have a “Count I,” a “Count II, and so on, each of which charges a different crime. There are two kinds of challenges a defendant can raise to how a prosecutor has structured the charges in the counts in an indictment or information.
One is what is called “duplicity.” Duplicity essentially consists of charging two or more crimes in a single count. That’s the reason the prosecutor in the Cline case gave for adding all those charges the second time. The rationale was that in the first indictment some of the counts charged Mr. Cline with sending two emails to harass a particular victim; since each act of sending a harassing email was a separate crime under the statute at issue, that indictment was duplicitous, i.e, it improperly combined “crimes” in a single count.
The other problem is called “multiplicity.” Multiplicity is often described, in a phrase I like, as “impermissibly fractionating a single course of conduct into multiple offenses.” It means that the prosecution breaks one crime up into pieces, and charges the pieces in different counts of an indictment or information.
The reason duplicity and multiplicity are a problem is that both undermine the fairness of the proceeding. With duplicity, the defendant has to defend against a count that has two or more crimes in it; and that can make it difficult for the defense to figure out how to structure their case (do we defend against all of them or only one of them?). It can also make it difficult for the defendant who has been acquitted to raise double jeopardy if he’s charged again.
Assume a defendant was acquitted on a Count that charged crimes A and B. The prosecution then charges him again, in a new indictment, with Crime B. He says that’s double jeopardy. The prosecution says “no, they acquitted you of Crime A. We can still pursue Crime B.” The problem with multiplicity is even simpler. It means that the prosecution is taking one crime and turning it into several crimes. Assume, for example, someone is arrested for possessing an illegal drug. The drug comes in tablet form, and the person arrested had 5,000 tablets of the drug. He is charged in an indictment with 5,000 counts of illegally possessing the drug . .. one count per tablet. He can argue that the counts are multiplicitous because they break one crime (possessing “the drug”) into 5,000 counts (possessing 5,000 iterations of “the drug”). IMHO, that could would be seriously multiplicitous, which means the prosecutor would be told to revise it into a single count.
Okay, let’s get to cybercrime. In U.S. v. Davenport, 519 F.3d 940 (9th Circuit Court of Appeals 2008), Davenport was charged both with possessing child pornography and with receiving child pornography. The charges were based on the same images. Let’s make things simple and say that he was charged with “receiving” 10 images of child pornography (it was a lot more) and with “possessing” the same 10 images.
Davenport argued that the charges were multiplicitous . . . that they turned what should be, at most, 10 crimes into 20 crimes (10 of possessing + 10 of receiving). He said the charges were multiplicitous because they punished the same conduct. Davenport said, basically, that you can’t “possess” something without having first “received” it, so the act of possession necessarily encompasses the act of receiving the item possessed. Davenport was essentially arguing that “receipt” is a “lesser included offense” of possession.
A lesser included offense is a “smaller” crime the elements of which are contained within a larger crime. Trespass is a lesser included offense of burglary: Trespass is knowingly and unlawfully entering premises (a house, a business); burglary is knowingly and unlawfully entering premises for the purpose of committing a crime (theft, arson, murder, etc.) once inside. So, if a defendant is charged with both criminal trespass and burglary for the same course of conduct, i.e., for breaking into the same building to commit a crime inside, he can argue that the charge is multiplicitous, because it breaks a single “crime” into two pieces. And the defendant should win, which means the prosecution has to decide whether to charge trespass OR burglary.
What about Davenport? What do you think? Is “receipt” a lesser included offense of “possession”, or are they two different crimes?
(Spoiler: In the Davenport case, the Ninth Circuit Court of Appeals held that receipt IS a lesser included offense of possession, so Davenport could not be charged, and convicted of multiple counts of both based on the same images. At least one other federal court has reached the same conclusion.)(If you’re interested in reading the Davenport opinion, you can find it on the Ninth Circuit’s website. Click on the “opinions” link on the left-hand side of the page and go to the opinions issue for March. You’ll find Davenport listed as having been issued on March 20, 2008; the docket number is 06-30596.)
Prosecutorial Discretion, Charges & Sentences
In this post, I want to talk about the discretion a prosecutor has in deciding what – or, more precisely, how much – to charge someone with. I also want to talk about how that decision can impact on the sentence a convicted defendant receives.
To do that, I want to use a recent decision of the Second District of the Ohio Court of Appeals: State v. Cline, 2008 WL 1759091.
You can read all of the facts in the opinion, which you can access via the link, above.
Basically, in 1999 and 2000 James Cline repeatedly harassed and stalked several women, relying on email for much of the harassment.
As a result of these activities, he was indicted (charged) on “eighty-six counts, including telecommunications harassment, conspiracy to commit aggravated arson, criminal mischief, intimidation of a crime witness/victim, menacing by stalking, and unauthorized use of a computer.” State v. Cline, supra. He went to trial and was convicted, but the Ohio Court of Appeals reversed his conviction because it found he had not adequately waived his constitutional right to counsel and ordered that he be given a new trial. (I’m not sure what was going on with that, but that’s not the issue we’re concerned with.)
After the Court of Appeals reversed Cline’s conviction, and before his new trial on these charges could start, “the State indicted Defendant on an additional two hundred and fifty-five counts of telecommunications harassment.” State v. Cline, supra. In other words, the prosecution got a new charging document – a new indictment – and in it they added an extra 250 counts.
The telecommunications harassment counts were based on his having used emails to harass at least some of his victims; each of the new counts was based on his sending an email to a victim. That’s an important, but often overlooked, issue in criminal law.
First of all, prosecutors have a great deal of discretion in deciding what charges they will bring. In some cases, the decision is pretty obvious: If A kills B, then the charge will be murder – one count because murder is killing a human being and one human being (B) was killed. The same basic principle holds for car theft (steal 1, that’s 1 count, etc.) and other more straightforward crimes. It can become a lot more complicated when you get into cases like online harassment when the harassment involves emails. If hypothetical defendant X harasses victim Y by sending Y 1,000 harassing emails, is that 1 crime (single victim harassed = one crime) or 1,000 crimes (1,000 discrete acts of harassment = 1,000 crimes)? As I suspect you can already see, the answer to that question can have serious implications for sentencing, because while sentencing is not based merely on the number of counts the defendant was convicted of, that’s obviously a very significant factor in sentencing. So if, in my hypothetical, the prosecutor charges X with one count of harassment, he’s likely to fact a significantly lighter sentence than if he’s charged with 1,000 counts.
Cline tried to challenge the additional counts by claiming what’s called prosecutorial vindictiveness. Basically, prosecutors have a great deal of discretion in charging, but they can’t use that discretion improperly, simply to “punish” someone for exercising their rights, say. Cline argued that he was being “punished” for winning on his appeal. The Court of Appeals rejected his argument, basically because it bought the prosecution’s claim that the additional counts were added because, in preparing for the second trial, they discovered that they’d made an error by NOT breaking the counts up the first time.
(All of that gets us into the legal intricacies surrounding charging, which I’m not going to get into here. Basically, it’s improper for a prosecutor to take one crime and break it into parts; it’s also improper for a prosecutor to charge two crimes in a single count. The prosecution in the Cline case said they added the counts because they decided they’d made the latter error the first time.)
Cline went to trial and “was found guilty of four counts of unauthorized use of a computer, two counts of conspiracy to commit aggravated arson, one count of menacing by stalking, one count of criminal mischief, one count of intimidation of a crime witness/victim, and one hundred seventy-six counts of telecommunications harassment.” State v. Cline, supra. The trial court imposed the maximum sentence on most of the counts, and imposed sentences that ran consecutively on 48 of the counts (which means he had to serve the time imposed for each one in sequence, which elongates the ultimate time served). The total sentence imposed on him was imprisonment for “fifty-eight and one-half years”, a pretty stiff sentence.
Cline argued that the sentence was excessive, noting that since he was 39 when he was sentenced, the 58+ year sentence is effectively a life sentence. He also pointed out that “of the one hundred and eighty-five counts he was found guilty of committing, one hundred and eighty of those, including all of the telecommunications harassment charges and the four unauthorized use of a computer charges, are low level felonies of the fifth degree.” State v. Cline, supra. This means that, individually, the sentence for each count would be quite low; but when you have those sentences run consecutively, and you’re talking about almost 200 counts, you can get a substantial sentence.
The Court of Appeals found that the sentence was not excessive, given (i) Cline’s lack of remorse, (ii) his having engaged in “strikingly similar” conduct in the past and (iii) the sheer magnitude of the harassing emails he sent and phone calls he made. State v. Cline, supra. It does seem to have been a truly egregious case. If you want to find out how egregious, take a look at the opinion using the link above.
I’m going to do another post on sentencing in cybercrime cases, generally, but I want to throw out a couple of thoughts before I end this post. What do you think of the sentence in the Cline case? Is 58+ years too much or just right for someone who used hundreds of emails (maybe thousands) to harass women who had broken up with him?
What issues should we consider when we’re sentencing computer criminals? Does it matter that computer criminals are (usually, Cline seems to have made some threats about arson) nonviolent? How do we weigh the “harm” inflicted on a victim – is emotional distress a “harm” significant enough to major jail time?
Texas Online Harassment Statute Held Unconstitutional
In 2005, Nikolai Ivanov Karenev was charged with using email to harass his wife, Elena.
He was, more precisely, charged with one count of harassment by means of an electronic communication. Karenev v. State, ___ S.W.3d ___, 2008 WL 902799 (Tex. App. 2008).
The specific language of the charge was “`sending harassing and/or threatening e-mail to Elena with the intent to harass, annoy, alarm, abuse, torment, or embarrass [her.]’” Karenev v. State, supra.
According to the appellate court’s opinion, Elena was Nikolai Karenev’s wife, who had filed for divorce in October of 2004. The email messages were sent in Bulgarian, which was apparently the native language of both Nikolai and Elena.
At trial, the translation of the emails relied on by the prosecution was challenged by the defense, but that is not the issue that concerns us. Nikolai was convicted of sending harassing and/or threatening emails to Elena with the intent noted above, i.e., “to harass, annoy, alarm, abuse, torment or embarrass” her. The quoted language, and the charge, came from a Texas harassment statute: Section 42.07(a)(7) of the Texas Penal Code, which reads as follows:
(a) A person commits an offense if, with intent to harass, annoy, alarm, abuse, torment, or embarrass another, he: . . . (7) sends repeated electronic communications in a manner reasonably likely to harass, annoy, alarm, abuse, torment, embarrass, or offend another.
A jury convicted Nikolai of violating the statute and he appealed, arguing that this portion of the Texas harassment statute was unconstitutional. Karenev v. State, supra. He specifically argued that the statute was unconstitutional because it was void for vagueness. In an earlier decision, another Texas Court of Appeals described the issues such a challenge raises:It is well-established that criminal laws must be sufficiently clear in at least three respects. First, a person of ordinary intelligence must be given a reasonable opportunity to know what is prohibited. Second, the law must establish determinate guidelines for law enforcement. Finally, where First Amendment freedoms are implicated, the law must be sufficiently definite to avoid chilling protected expression. `When a statute is capable of reaching First Amendment freedoms, the doctrine of vagueness ‘demands a greater degree of specificity than in other contexts.’ Greater specificity is required to preserve adequately the right of free expression because `[u]ncertain meanings inevitably lead citizens to steer far wider of the unlawful zone than if the boundaries of the forbidden areas were clearly marked.’ Moreover, when a vagueness challenge involves First Amendment considerations, a criminal law may be held facially invalid even though it may not be unconstitutional as applied to the defendant's conduct.
Long v. State, 931 S.W.2d 286 (Texas Court of Criminal Appeals 1996).
In ruling on Nikolai’s challenge, the Karenev court cited a federal decision issued by the Fifth Circuit Court of Appeals: Kramer v. Price, 712 F.2d 174 (5th Cir. 1983). In the Kramer case, the court held that the “words `annoy’ and `alarm’ were inherently vague”, an issue many have raised in regard to statutes like this. I have often used harassment statutes that are predicated on “annoying” someone in my classes, asking the students to tell me when someone crosses the line from simply being annoying (and we all know there are a lot of annoying people out there) to magically becoming criminally annoying so that they can be prosecuted for their conduct. We usually wind up agreeing that “annoy” is not an appropriate term upon which to predicate criminal liability.
I would also go along with the Kramer court ‘s holding that “alarm” suffers from pretty much the same problem, unless the statute includes terms to make it clear what “alarm” means and how it rises to the level at which criminal liability is appropriate. A stalking statute might, for example, include language describing a course of action – like repeatedly following someone, showing up at their house at odd hours, repeatedly telephoning them, etc. – and couple that with the term “alarm.” There, "alarm" would probably not be void for vagueness because the context in which it is used would put a reasonable person on notice as to what they should avoid doing if they don’t want to be charged with stalking.
The Karenev court said pretty much the same thing about the statute under which Nikolai was charged:
If (a)(7)(A) is viewed in isolation, it appears to suffer the same flaws denounced by Kramer. The words `annoy’ and `alarm’ . . . are now joined by . . . `harass,’ `abuse,’ `torment,’ and `embarrass’ But, all these terms are joined with a disjunctive “or,” and thus do nothing to limit the vagueness originally generated by `annoy’ and `alarm.’ Moreover, the additional terms are themselves susceptible to uncertainties of meaning.
Karenev v. State, supra. In other words, you could be charged with and convicted for engaging in conduct that alarmed OR annoyed OR harassed OR abused OR torments OR embarrassed someone. That means, as I’ve told my students when we’ve discussed statutes like this, that a prosecutor could charge someone with violating the statute for simply “annoying” someone else, and that won’t work.
In 1971, the U.S. Su 
This is a follow-up to Atis’ comments on my last post, the one about the woman who was prosecuted for “computer crime” after she allegedly called into an automated unemployment office system and falsely indicated that she wasn’t working when, in fact, she was. The result was that she, apparently, got unemployment benefits when she should not have.
