Thursday, May 22, 2008

Computer Crime??

On May 15, the Colorado Court of Appeals decided People v. Rice, 2008 WL 2053490, which, IMHO, is an odd "computer crime" case.

(The opinion doesn't seem to be online -- yet?-- at the Colorado Court of Appeals site, I'm afraid.)

Here are the facts that led to the defendant’s – Nina Rice’s – being charged with and convicted by a jury of “computer crime” under Colorado law:

[D]efendant made biweekly unemployment benefits claims by calling an automated phone system, the CUBLine, maintained by the Department. An employee of the Department testified that the CUBLine is a `computerized system, which uses interactive voice response technology.’ . . . . [A[n unemployment benefits claimant identifies . . . herself by entering a Social Security number and a personal identification number using numbers on a telephone when prompted by the system. The system then asks the claimant a number of questions related to `weekly eligibility requirements, such as ... did you work during the weeks you are claiming?’ The claimant responds by pressing `1’ for `yes’ and `9’ for `no.’ This procedure is described in a brochure that was admitted into evidence at trial and, according to the record, was given to defendant to review before she made her first biweekly claim. When the computer system determines a claimant is eligible for unemployment benefits, a computer prints a check that is automatically sent to the claimant. Typically, an eligible claimant completes a claim and receives a check without interacting with a person.

The evidence showed that defendant used the CUBLine to make biweekly claims for unemployment benefits. Each time the computer system asked if she worked during the week for which she was claiming benefits, defendant entered `9’ for `no,’ even though she was, in fact, working.
People v. Rice, supra.

Here are the charges and what happened at trial:
Defendant was charged by information with the crimes of theft and computer crime. The theft count alleged that defendant intended to permanently deprive the Department of money, and the computer crime count alleged that she accessed a computer for the purpose of obtaining money from the Department or committing theft. At trial, she testified that she believed the money she received from her unemployment claims belonged to her and had been withheld from her paychecks issued by her previous employer.

The jury was unable to reach a verdict on the theft count and found defendant guilty of computer crime.
People v. Rice, supra.

And here is the offense she was convicted of – computer crime under Colorado Statutes § 18-5-5-102(c)-(d):
A person commits computer crime if the person knowingly . . .

(c) Accesses any computer, computer network, or computer system, or any part thereof to obtain, by means of false or fraudulent pretenses, representations, or promises, money; property; services; passwords or similar information through which a computer, computer network, or computer system or any part thereof may be accessed; or other thing of value; or

(d) Accesses any computer, computer network, or computer system, or any part thereof to commit theft. . . .
People v. Rice, supra.

I, for one, don’t understand why they didn’t charge her with fraud, since it seems to me that’s the crime she committed, if the facts as alleged are true. Fraud is, as I’ve said before, obtaining money or property by deceiving someone. Here, the defense could argue that she deceived a machine, but as I wrote in an earlier post I don’t think that would be a problem . . . because the fraud works because people are ultimately deceived.

Anyway, that wasn’t an issue in the case. After being convicted, Ms. Rice appealed, arguing that “she did not `access’ a computer” under the statute quoted above “by making a phone call and pressing telephone buttons in response to the CUBLine questions.” People v. Rice, supra.

She lost. Here is how the court of appeals parsed the term “access:”
In construing a statute, our primary purpose is to ascertain and give effect to the intent of the General Assembly. . . . We look first to the language of the statute itself, giving words and phrases their plain and ordinary meaning. . . . We read words and phrases in context, and construe them according to their common usage. . . .

`Access’ is not defined in the Colorado Criminal Code. However, it is a term of common usage, and persons of ordinary intelligence need not guess at its meaning. We, therefore, begin with the dictionary definition in determining the plain and ordinary meaning of `access.’ . . . Black's Law Dictionary . . . defines the word `access as `[a]n opportunity or ability to enter, approach, pass to and from, or communicate with.’

[W[e conclude defendant accessed, within the ordinary meaning of the term, a computer system, because she communicated with the CUBLine by inputting data in response to computer-generated questions. Also, the CUBLine was described in testimony at trial sufficient to support a finding that it was a `computer system’ as that term is defined in section 18-5 .5-101(6). . . .
People v. Rice, supra.

What do you think? Is this "computer crime" or not? I tend to see no reason to use specialized computer crime statutes when, as I noted above, the conduct alleged would fit nicely into a traditional offense category, such as fraud. Aside from anything else, it seems to me that would have avoided the need for this issue to be raised and considered on appeal. It also seems to me there's no need to use boutique criminal statutes when a traditional one suffices (but I could be wrong).

The case also demonstrates that it's a really good idea to define "access" in a statute that criminalizes unauthorized "access" or the use of "access" to commit fraud. That, too, can make things simpler.

(Oh, the court did reverse Ms. Rice's conviction and order a new trial, because of a conflict, basically, between the charges in the indictment and the prosecution's closing argument and the jury instructions.)


Atis said...

I think it IS computer crime looking at the context: fraud using computer systems. And in my mind it is of no importance she connected to this system using "such an oldshool or trivial technique" as phone. She used computer system to steal the money. Otherways - if there was no computer system behind the line - she couldn't get that money, right? Or i missed something?

Susan Brenner said...

You're right, of course . . . it is computer crime as it is literally defined by the statute.

My reservation about the charge is that we developed certain categories of computer crime because we needed them to define criminal activity that either didn't fit at all (denial of service attacks) or didn't fit well (hacking) within existing crime categories. DoS attacks don't fit because they're not theft or extortion or anything we had already criminalized. Hacking could be prosecuted as "trespass," since in a sense you're "going" somewhere you're not supposed to be . . . but since it's not a physical intrusion, it makes sense to devise a new crime.

As I noted in the post, it seems to me theft is theft and fraud is fraud, and if you can charge an existing, traditional offense, I don't see why you don't use that.

There's also the related policy issue, which is that computer crime statutes were developed to be used against activity in which the computer played a really central role. I just don't see that here,

But, as I've said before, I could be wrong . . .

Atis said...

well, i understand what you are saying - sometimes we make new crime categories just because we have defined existing ones too narrow. in this case i agree with you. it is better to "push forward" borders of existing crime definitions than each time make a new provisions.