Monday, May 26, 2008

P2P ID Theft

The use of peer-to-peer file-sharing networks to steal people's identities is not anything new.

A Google search shows people have been writing about it for at least two years.

P2P identity theft has gotten more publicity lately, since the first person to be convicted of using file-sharing networks for identity theft was sentenced by a Seattle federal judge a couple of months ago.

This is how a Department of Justice Press Release describes what Gregory Kopiloff did that got him into trouble:
Using peer to peer programs, including `Limewire,’ KOPILOFF could `search’ the computers of others who were part of the file sharing “network” for federal income tax returns, student financial aid applications, and credit reports that had been stored electronically by other real people on and in their own private computers. KOPILOFF would download those documents onto his own computer, and would then use the identity, and banking, financial, and credit information to open credit accounts over the Internet, in the names of the other real people whose identities he had stolen. KOPILOFF would make fraudulent online purchases of merchandise, have it shipped to various mailboxes in the Puget Sound area, and then would sell the merchandise for about half its retail value.
U.S. Department of Justice, Press Release (March 17, 2008).

The tactics Kopiloff used may have been somewhat outside the norm, but this is one of those instances in which the method used to commit the crime is different, but the crime is not.
Kopiloff was sentenced to serve 51 months in prison after pleading guilty to mail fraud, computer fraud and aggravated identity theft. Only aggravated identity theft could even colorably be described as a new crime. U.S. Department of Justice, Press Release.

Mail fraud has been a crime since 1872. It’s currently codified by 18 U.S. Code §1341. Mail fraud consists of using the mails to execute a scheme to defraud someone or something. When Kopiloff had his fraudulently-purchased merchandise mailed to him, he committed mail fraud. Each time the mail is used for that purpose, it’s a separate crime, so there were probably a lot of mail fraud counts.

He was also charged with computer fraud under 18 U.S. Code § 1030(a)(4). Section 1030 was added to the federal criminal code in 1984, so while it’s not as old as mail fraud, it’s definitely not a new crime. Section 1030(a)(4) makes it a federal crime for someone “knowingly and with intent to defraud” to exceeds the scope of his authorized access to a computer “and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”. According to the facts outlined above, Kopiloff had authorized access to some of the files on his victims’ computers, but he went further, accessing files he was not supposed to be using and stealing information from them. He used that access, and the information he obtained, to consummate fraudulent transactions.

The third charge – aggravated identity theft – is the newest of the three offenses. The crime was created in 2004, when the Identity Theft Penalty Enhancement Act went into effect. The aggravated identity theft statute is 18 U.S. Code § 1028A. Section (a)(1) of 1028A provides as follows:
Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.
Basically, § 1028A is a sentencing enhancement provision. It means that someone who uses another person’s identity in committing any of over 100 federal felonies, including mail fraud, will be sentenced to an additional prison term of 2 years. So to prove this charge, all the federal prosecutor would have to do is prove Kopiloff committed mail fraud and used someone else’s identification documents in doing so.

Kopiloff apparently victimized over 50 people. After he pled guilty to these charges, the judge – who called him “a highwayman in a virtual world” -- sentenced Kopiloff to serve 4 years in prison and pay over $70,000 in restitution.

As to whether that is “enough” punishment, I don’t know. I’d refer you to my earlier post on how we go about deciding what is enough and what is not. In making that decision, the court had the benefit of testimony from at least some of the victims, one of whom said Kopiloff took out
a credit card in her name and charged nearly $4,000. She said it took weeks working with the banks and credit bureaus to sort it out; in the meantime she worried she wouldn't be able to afford Christmas for her two young children.

I don't have the same trust in people that I used to,’ she said
Mike Carter, Man Gets 4 Years in ID Theft, The Seattle Times (March 18, 2008).

No comments: