Friday, November 28, 2008

Attempt?

A California Court of Appeals recently decided a case that involved the difference between a completed crime and an attempt to commit that crime.

The case is People v. Love, 166 Cal.App.4th 1292, 83 Cal.Rptr.3d 428 (Cal. App. 2008), and here are the facts that gave rise to the issue:
[Ms. Love] worked as a receptionist for dentist Hamid N. (Dr. Hamid) during February and March 2005. Rosa D. (Rosa), a patient of Dr. Hamid, noticed on her credit card statement a charge of $91.98 for flowers she had not ordered. An investigator determined that the purchase was made from Dr. Hamid's office computer on Valentine's Day, a date on which defendant worked. Defendant's brother . . . testified that he had asked defendant to order the flowers on his behalf; they were delivered to a woman he was dating. Defendant admitted ordering the flowers in a recorded phone conversation with her mother.

Another patient of Dr. Hamid, Sadiq M., discovered that someone had charged to his credit card a $500 Victoria's Secret gift card without his knowledge or consent. Investigators traced the order, finding it had been placed on March 25, 2005, in Dr. Hamid's name and listed his office address. The credit card company placed a hold on the purchase, preventing the gift card from being issued.
People v. Love, supra.

There were other, similar events. Ms. Love was eventually charged with 13 counts of “identity theft-based offenses . . . arising from abuse of her position of trust as a dental receptionist.” People v. Love, supra. We’re only concerned with one of those counts: Count 8, which was based on the March 25, 2005 charge for a Victoria’s Secret gift card.

In Count 8, Ms. Love was charged with “fraudulent use of access cards or account information” in violation of California Penal Code § 484g(a):
Every person who, with the intent to defraud, . . . uses, for the purpose of obtaining money, goods, services, or anything else of value, an access card or access card account information that has been . . . obtained . . in violation of Section 484e or 484f,. . . is guilty of theft. If the value of all money, goods, services, and other things of value obtained in violation of this section exceeds four hundred dollars ($400) in any consecutive six-month period, then the same shall constitute grand theft.
Sections 484e and 484f criminalize the act of using another person’s access card or access card information without their permission. Another section of the California Penal Code defines “access card” as “any card, plate, code, account number, or other means of account access that can be used . . . to obtain money, goods, services, or any other thing of value, or . . . to initiate a transfer of funds, other than a transfer originated solely by a paper instrument.’” California Penal Code § 484d(2).

So, in Count 8 Ms. Love was essentially charged with theft. She claimed she could not be charged with the completed crime of theft because the credit card company put a hold on the purchase: “Defendant contends that, because the credit card company cancelled the order and prevented the Victoria's Secret gift card from being issued pursuant to her use of Sadiq's credit card, her actions amounted to `at best’ an attempted theft under section 484g.” People v. Love, supra. So she’s saying that since she never got the $500 Victoria’s Secret gift card, she did not actually “obtain” money, goods, or “anything else of value” that did not really belong to her and could, at most, be charged with attempting to do so.

As I may have noted before, an attempt is what the law calls an inchoate, or incomplete, crime. When you charge someone with attempt, you by definition concede that they did not actually succeed in completing a crime; instead, you are pLovecuting them for trying to commit the crime. Often, attempt charges arise from situations – like this one – in which the would-be perpetrator’s effort to commit a crime is frustrated by outside forces. Even though the would-be perpetrator’s failure to commit the crime is not due to any change of heart on his or her part, we still cannot convict them of committing the crime they were intending to commit. It’s a basic, albeit implicit, premise of criminal law that you can only be convicted of, and punished for, what you actually succeed in doing.

To avoid having to let someone like this go scot free, Anglo-American law came up with the idea of prosecuting them for what they actually did . . . for trying to commit a crime (but failing). The charge we use to do that is attempt. As I tell my students, there is no free-standing offense of “attempt.” Instead, you necessarily attempt to commit a real, complete crime: the target crime. An attempt charge is always phrased like this: "Doe attempted to commit [the target crime]." If, therefore, you try to hire a hitman to kill your rich uncle and wind up “hiring” an undercover police officer, you have attempted to solicit the crime of murder and can be prosecuted for that.

(Actually, you could also be charged with attempting to commit murder, on the grounds that you would have been guilty of murder if the person you hired had really been a hitman and had actually killed your rich uncle. If all that happened, you would be guilty as an accomplice to the murder, which means you'd be guilty of murder.)


Here, Ms. Love is arguing that she tried to commit theft, but failed. So she’s claiming she can only be convicted of the attempt, which will carry a lesser penalty than actually committing theft. (It’s another premise of criminal law that we can’t punish you as severely for trying and failing to commit a crime as we can if you succeed.)

Unfortunately for Ms. Love, this court didn’t buy her argument:
Section 484g, subdivision (a). . . may be broken down into two elements: (1) that defendant `use[ ]’ the access card or account information, and (2). . . do so `for the purpose of obtaining money, goods, services, or anything else of value.’ . . .

The evidence at trial satisfied the first element of section 484g, subdivision (a)-defendant `use[d]’ the card. Merriam-Webster's New Collegiate Dictionary defines `use’ in such a context as `to put into action or service: avail oneself of: employ. . . . Defendant `use[d]’ or `put into . . . service’ Sadiq's access card information by entering it into an Internet Web page to place an order. The conduct described by the plain language of the statute is completed regardless of whether the object is obtained. . . .

The evidence also satisfied the second element that defendant's `use[ ]’ was `for the purpose of obtaining money, goods, services, or anything else of value.’ The obvious and undisputed purpose behind entering Sadiq's access card information into the Internet was to acquire the Victoria's Secret gift card.

Because the evidence established both elements described plainly in section 484g, subdivision (a), we find there was sufficient evidence to convict defendant of the completed offense.
People v. Love, supra.

Ms. Love lost because the crime defined by this statute is itself a type of inchoate crime. That is, it criminalizes PART of the conduct involved in actually carrying out a type of theft. One of the things we have seen in modern criminal law (especially in the United States) is a tendency to divide crimes up into parts, so that you can be charged for (and convicted of) each part. The implicit premise of this statute is that you (a) commit one crime by using the card for the purpose of obtaining money, goods, etc. and (b) commit another crime if you go further and actually obtain those items. So statutes like this are at once free-standing attempt provisions (that is, they don't require a target crime, as such) and provisions that can increase the liability imposed for what is, in effect, theft.

Wednesday, November 26, 2008

Laptops and Borders . . . Again

I’ve done a couple of posts on the rules that govern Customs searches of laptops travelers are carrying into or out of the United States. In those posts, I explained that the rules evolved to deal with luggage and other “containers.”

As I also explained, the traditional rule – in the U.S. and elsewhere – is that Customs agents can search us and whatever we carry as we enter into or leave the country.

The premise is that the sovereign has the right to know what is coming into and out of the country. The default target of the border search rule is contraband: child pornography, drugs and other items the possession of which is illegal in and of itself. But it can also encompass other items – such as terrorist materials, weapons, etc. Whatever a traveler is carrying that is illegal to possess can be seized in a border search.


I did a presentation last week at which we talked about a related issue I did a post on: your ability to take the 5th Amendment privilege against self-incrimination and refuse to give up encryption key so border agents can access the contents of your encrypted laptop computer. As I explained there, a Vermont federal court judge held that the act of producing the encryption key constitutes incriminating “testimony” within the compass of the 5th Amendment privilege. If that decision is upheld on appeal (and I’m assuming it is being appealed), then it means you can effectively put the contents of your hard drive beyond the reach of Customs agents (unless and until they’re given encryption-cracking software or can send laptops off somewhere to have the encryption cracked, but we’ll get back to that).

At the presentation last week, someone who seems knowledgeable said Customs agents are seizing encrypted laptops and not giving them back. According to this gentleman, the legal basis for their doing this is a rule that lets Customs agents seize locked luggage you refuse to open. I found that possibility interesting on several levels.

For one thing, I wasn’t sure Customs agents can, and have, seized luggage under this theory. I assumed they simply got the bag or luggage or other container open, somehow (which nearly happened to me in Brussels a few years ago when the zipper of a nearly new bag jammed the night before I left . . . but a very clever Customs agent managed to get it to work where I had been unable to).

I checked the federal regulations governing what Customs agents are authorized to do, and found two pertinent provisions. Section 148.21 of title 19 of the Code of Federal Regulations provides as follows:
A Customs officer has the right to open and examine all baggage, compartments and vehicles brought into the United States . . . . To the extent practical, the owner or his agent shall be asked to open the baggage, compartment or vehicle first. If the owner or his agent is unavailable or refuses to open the baggage, compartment, or vehicle, it shall be opened by the Customs officer.
A similar provision appears in §1462 of Title 19 of the Code of Federal Regulations:
If such owner, agent, or other person shall fail to comply with his demand, the officer shall retain such trunk, traveling bag, sack, valise, or other container or closed vehicle, and open the same, and, as soon thereafter as may be practicable, examine the contents, and if any article subject to duty or any article the importation of which is prohibited is found therein, the whole contents and the container or vehicle shall be subject to forfeiture.
So the regulations explicitly authorize a Customs officer to open luggage or another container if the owner refuses to do so. Customs officers can simply break into the bag or container, which means they will be able to determine what’s inside. Having done so, they can either give the mutilated bag back to its owner (who may or may not be going on his or her way, depending on what they find inside) or seize the bag and its contents for forfeiture.

Other regulations provide for the “summary forfeiture” of illegal drugs; that simply means they’ll be taken and deemed forfeitable property. See 19 Code of Federal Regulations § 162.45a. In other instances, the government has to serve notice and follow certain procedures to forfeit the property; this option applies when the property is not contraband (illegal in itself) but is subject to forfeiture for some other reason. 19 Code of Federal Regulations § 162.49.


Okay, let’s get back to laptops. If someone is crossing the border with an unencrypted laptop, a Customs officer can simply boot it up and look through the files himself. It’s analogous to an unlocked suitcase.

If someone is crossing the border with a laptop the hard drive of which is encrypted, then things become more interesting. If the owner of the laptop refuses to either use the key to give the Customs agent access to its contents or give the key to the agent so he can access it himself, that refusal should trigger the application of the provisions quoted above.

In other words, it would authorize the Customs agent to “open the container” himself . . . except he can’t, as things stand now. If the Vermont federal judge’s decision stands, then the owner of the laptop can cite the 5th Amendment privilege against self-incrimination as his or her basis for refusing to give up the encryption key as long as he or she can show that doing so would not only be “testimony,” it would be “incriminating” testimony. (To be able to take the 5th, you also have to be “compelled” to give testimony that incriminates you, but we’ll assume that can be satisfied here; in the Vermont case, the laptop owner was subpoenaed by a federal grand jury, so compulsion was not a problem.)


If we assume the owner of the laptop can, in fact, take the 5th and refuse to give up the encryption, then we seem to be at an impasse not contemplated by the drafters of the federal regulations governing what Customs agents can do at the border. They can’t search the encrypted hard drive, and if they can’t search it, they can’t seize the laptop for forfeiture because they won’t know what, if any, illegal items it contains.

According to the gentleman who raised this issue at my presentation, Customs agents confronted with this impasse are simply seizing encrypted laptops . . . which seem to disappear indefinitely. I have heard some rumors about encrypted laptops being seized, but I have no personal knowledge of that nor do I have any authoritative sources to cite on that. But for the sake of analysis, let’s assume this is, in fact, happening.

If it is happening, is it legal? I don’t see how it can be. If the laptops are seized to be held until Customs agents have the ability to crack their encryption and access their contents, it seems to me that is an illegal forfeiture of the property. That is, it seems to me the government is in effect depriving you of your property for good; forfeiture, of course, is a formal or informal process by which the government takes property away from the owner . . . permanently. Here, the government’s seizure of an encrypted laptop is not technically that kind of forfeiture because it is not inevitably a permanent seizure of the property; the premise is that the property is being seized until the government can open it.

The provisions I quoted above implicitly authorize that kind of a seizure, although at a much lower level. That is, a Customs officer could seize, say, a really secure metal (titanium) briefcase intending to open it later, when he gets the necessary tools and/or assistance. That kind of seizure, though, differs in a significant respect from the kind of seizure we’re hypothesizing and analyzing here.

In this seizure of an encrypted laptop, there is no certainty that the laptop will be returned to its owner because the owner has no way of knowing when, or if, Customs agents will be able to crack its encryption and access its contents. In the luggage seizure scenario, the person knows they will at some point get their bag back, along with any non-contraband and/or otherwise non-illegal items it contained. In the encrypted laptop scenario, the owner may never get the laptop back, or may get it back at such a distant point in time that it has ceased to be of any use. (We also have the related issue of the seizure of the laptop’s depriving its owner of the possession and use of the data it contains.)


As I said, I don’t know if any of this is really happening, but if it is, it seems to me it could be challenged as constituting an illegal forfeiture.

Sunday, November 23, 2008

"Willfully"

A recent case from North Carolina highlights the role mens rea – or intent – plays in a criminal prosecution.

The case is State v. Ramos, 2008 WL 4906318 (N.C. App. 2008), and here, according to the court, are the facts that resulted in charges against being filed against Ms. Ramos:
Defendant was hired as a community outreach coordinator by the Latin American Resource Center (`LARC’) on 15 May 2005. Her supervisor was LARC's director and founder, Aura Camacho-Maas. . . .

One of [her] responsibilities was to write grant proposals. . . . One . . . was supposed to be completed by 1 August. . . . On 1 August, the proposal was not complete, and defendant and Camacho-Maas had to work until midnight to get the proposal done.

Camacho-Maas assigned defendant a second proposal. . . [It] required [her] to access computer files related to LARC's teacher apprenticeship program (`TAP’). When . . . the proposal was still not completed, Camacho-Maas and defendant . . . had to work on the grant proposal together.

Camacho-Maas told defendant she was being terminated because she was unable to do the work required for her position. When Camacho-Maas asked defendant for her keys . . . defendant refused to hand them over until she received her paycheck. Camacho-Maas explained . . . she would receive her paycheck at the end of the month, and defendant left the building. Camacho-Maas . . . told the receptionist defendant had been terminated and was not to enter the building without Camacho-Maas being present. . . .

[A short time later,] Camacho-Maas realized the receptionist and defendant were . . . coming out of defendant's office. Camacho-Maas . . . went into defendant's office, sat down at defendant's computer, and discovered the TAP files were missing from LARC's server. Camacho-Maas had seen the TAP files on the server earlier that day. . . . Only LARC employees have access to the TAP files, and Camacho-Maas had not authorized anyone to move or remove the TAP files. Camacho-Maas called the police. . . .
State v. Ramos, supra.

When the detective assigned to the case met with Ms. Ramos, she admitted she had
copied files onto her flash drive. Detective Williams asked defendant to accompany him to the police station so he could copy the contents of the flash drive. A member of the Raleigh Police Department's cybercrimes unit found approximately 304 LARC files on defendant's flash drive, 80% of which were TAP files that were `either deleted or deleted and overwritten.’
State v. Ramos, supra.

Ms. Ramos was charged with damaging a computer in violation of a North Carolina statute: “It is unlawful to willfully and without authorization alter, damage, or destroy a computer, computer program, computer system, computer network, or any part thereof.” North Carolina Statutes § 14-455(a). At her trial on the charge, the court gave the jury this instruction on what was required to find her guilty of the charge:
The defendant, Geraldine Lewis Ramos, has been charged with the misdemeanor of damaging a compute [sic] system or computer network, or any part thereof.

For you to find the defendant guilty of this offense the State must prove two things:

First, that the defendant damaged a computer system or computer network or any part thereof by deleting a file or files from the computer system or computer network.

Second, that the defendant did so without authorization. A person is without authorization when although the person has the consent or permission of owner [sic] to access a computer system or computer network the person does so in a manner which exceeds the consent or permission.

If you find from the evidence beyond a reasonable doubt that on or about August the 15th, 2005 the defendant, without authorization, damaged a computer system or computer network, it would appeal [sic] your duty to return a verdict of guilty.
State v. Ramos, supra.

She was convicted and appealed, arguing that the instruction was insufficient because it didn’t tell the jury they had to find she acted “willfully” in order to convict her. State v. Ramos, supra. The prosecution argued that there was no error because the court instructed the jury they had to find that she acted “without authorization.” According to the prosecution, “without authorization” and “willfully” are synonymous. State v. Ramos, supra. The North Carolina Court of Appeals did not agree:
Our General Assembly defined `authorization for purposes of computer-related crimes . . . as meaning `having the consent or permission of the owner, or of the person licensed or authorized by the owner to grant consent . . . to access a computer, computer system, or computer network in a manner not exceeding the consent. . . `[W]ilful’ . . . means the wrongful doing of an act without justification or excuse, or the commission of an act purposely and deliberately in violation of law.’ . . . One may act `without authorization,’ but still not act willfully. For example, a person who accidentally deletes files is not acting willfully, but has deleted the files without authorization.
State v. Ramos, supra.

The issue of willfulness was essential in deciding whether Ms. Ramos was guilty of the charge because, as she explained, she believed Camacho-Maas had authorized her
to delete files amounting to her own work. Defendant testified that, at the time of her termination, defendant told Camacho-Maas, `since my work is no good I guess you won't mind if I take my work off computer [sic].’ According to defendant, Camacho-Maas responded, `. . . that the work was not good, and it was no consequence.’ Defendant testified that Camacho-Maas followed defendant into her office while defendant was deleting the files. Defendant testified Camacho-Maas “didn't say anything, but she knew what I was doing at that time, reason [sic] I walked back down to the room.” Defendant claimed that the only files that she deleted were:

[t]he . . . research that I had done for the curriculum. I deleted part of the grant which was the grant that I had written. I think that was about three, three files, but it was not the TAP file.

TAP file was in the server. It was a server and, in order for, to go into the server. She had already worked in the server, so I could not [sic] to go into the TAP file.
State v. Ramos, supra.

From this, the North Carolina Court of Appeals held it was error for the trial court not to have instructed the jury on the issue of willfulness:
Based on this testimony, the jury could reasonably find that defendant intended only to delete files she believed -- according to the State, incorrectly -- Camacho-Maas had consented to her deleting. . . . A jury could further find, based on defendant's testimony that she did not intend to delete the TAP files and did not believe she could enter the TAP files while Camacho-Maas was working on them, that any deletion of the files was accidental. Thus, the record contains evidence that would allow a jury to find that she deleted files without authorization, but not willfully. The trial court's failure to include willfulness in its instructions cannot, therefore, be deemed harmless error.
State v. Ramos, supra. Personally, I cannot understand why the trial court did not instruct the jury on willfulness. It is a basic, historic principle of criminal law that you cannot be convicted of a crime unless you acted with the mens rea – the criminal intent – required for the commission of that crime.

Friday, November 21, 2008

Password-protection and the 4th Amendment

On November 3, I wrote about a decision in which a court held that the use of EnCase forensic software was a search under the 4th Amendment. This post is about a related but slightly different issue: whether the use of password-protection on computer files establishes a 4th Amendment expectation of privacy in those files.

As I explained in an earlier post, the 4th Amendment gives us a right to be free from “unreasonable” searches and seizures. As I also explained there, a “search” violates a reasonable expectation of privacy in a place or a thing. If something isn’t private, then it isn’t a search for law enforcement officers to explore it.

A case I’ve mentioned before – U.S. v. Andrus, 483 F.3d 711 (10th Cir. 2007) – dealt with whether the use of password-protection on files establishes a reasonable expectation of privacy in those files. In the Andrus case, a father consented to the search of his son’s laptop. The laptop files were password-protected; since the father didn’t know the son’s password, he couldn’t have accessed the files.

So the issue was whether his consent to the search of the files – which an investigator accessed by using EnCase to bypass the operating system – was valid. As I explained in an
earlier post,, consent to search can be valid in either of two ways: the person has actual authority to consent to the search (he owns the laptop or uses a laptop owned by someone else); or the police officers reasonably, but mistakenly, believed the person had authority to consent.

Since the father wasn’t able to access the computer himself, he didn’t have actual authority to consent to the search. So the issue was whether the police reasonably believed he had authority to consent to the search.

As I explained in the earlier post, to have a reasonable expectation of privacy in a thing, you have to have a subjective expectation of privacy that society is prepared to regard as objectively reasonable. As the Andrus court noted, the
inquiry into whether the owner of a highly personal object has indicated a subjective expectation of privacy traditionally focuses on whether the subject suitcase, footlocker, or other container is physically locked. . . . Determining whether a computer is `locked,’ or whether a reasonable officer should know a computer may be locked, presents a challenge distinct from that associated with other types of closed containers. Unlike footlockers or suitcases, where the presence of a locking device is generally apparent by looking at the item, a `lock’ on the data within a computer is not apparent from a visual inspection of the outside of the computer, especially when the computer is in the `off’ position prior to the search.
U.S. v. Andrus, supra.

The Andrus court explained that in deciding whether someone has apparent authority to consent to a search of a computer, courts have looked at the officers’ “knowledge about password protection as an indication of whether a computer is ‘locked’ in the way a footlocker would be.” U.S. v. Andrus, supra.

As the Andrus court noted, another federal court held that apparent authority did not exist when “a live-in girlfriend . . . told police she and her boyfriend shared the household computer but had separate password-protected files that were inaccessible to the other.” U.S. v. Andrus, supra. Since the police were on notice that she couldn’t access the files, they couldn’t have reasonably believed she had the authority to consent to a search of the files.


In the Andrus case, the officers knew Andrus’ (91-year-old) father owned the house where both lived and paid the Time Warner bills for Road Runner service to the house. The court noted that the father didn’t tell them he didn’t use the computer (though there was some evidence he’d told them he didn’t know how to use it). The real issue, though, was on whom the burden of clarifying the status of password-protection on the computer fell:
Andrus argues his . . .password protection indicated his computer was `locked’ to third parties, a fact the officers would have known had they asked . . . [his father] prior to searching the computer. Under our case law, however, officers are not obligated to ask questions unless the circumstances are ambiguous. In essence, by suggesting the onus was on the officers to ask about password protection prior to searching the computer, despite the absence of any indication that [his father’s] access to the computer was limited by a password, Andrus necessarily submits there is inherent ambiguity whenever police want to search a household computer and a third party has not affirmatively provided information about . . . password protection. Andrus' argument presupposes, however, that password protection of home computers is so common that a reasonable officer ought to know password protection is likely.
U.S. v. Andrus, supra. The court noted Andrus had not offered “any evidence to demonstrate a high incidence of password protection among home computer users.” It therefore held that the father had apparent authority to consent to the search.

There was a dissent. The dissenting judge noted that the majority of the judges had conceded that is password protection were
`shown to be commonplace, law enforcement's use of forensic software like EnCase . . . may well be subject to question.’ . . . But the fact that a computer password `lock’ may not be immediately visible does not render it unlocked. . . . [U]nlike the locked file cabinet, computers have no handle to pull. But, like the padlocked footlocker, computers do exhibit outward signs of password protection: they display boot password screens, username/password log-in screens, and/or screen-saver reactivation passwords.
U.S. v. Andrus (dissenting opinion).
The dissent found that the “burden on law enforcement” to ascertain whether or not a computer is password protected is “minimal,” requiring only a “simple question or two”.
Accordingly, . . . given the case law indicating the importance of computer password protection, the common knowledge about the prevalence of password usage, and the design of EnCase or similar password bypass mechanisms, the Fourth Amendment . . . mandate[s] that in consent-based, warrantless computer searches, law enforcement personnel inquire or otherwise check for the presence of password protection and, if a password is present, inquire about the consenter's knowledge of that password and joint access to the computer.
U.S. v. Andrus (dissenting opinion).

I tend to agree with the dissent. It seems to me police don’t have to ask about password-protection if they only intend to turn the computer on and look through its contents; doing that simply gives them access to files ANYONE could examine on the computer. If, though, they intend to use EnCase “or similar password bypass” software, it seems to me the burden should be on them to find out if, in so doing, they’re about to override passwords that have been installed to establish a heightened expectation of privacy.

In other words, if the officers know that the techniques they’re using COULD bypass passwords or other privacy-protection measures, then the onus is on them to determine whether those measures have, in fact, been installed on the computer. If so, it seems to me they cannot use these techniques unless they obtain a search warrant specifically authorizing them to do this.

Wednesday, November 19, 2008

Corporate Identity Theft Revisited

Last year I did a post in which I speculated on whether we really need corporate identity theft statutes (among other things). As you may know, most identity theft (and identity fraud) statutes make it a crime to steal a real person’s – a human being’s – identity.

I think they take this approach because the theft of the identities of real human beings has been the problem the law and other aspects of our societies have been dealing with since it became apparent that you can misappropriate what statutes usually refer to as “personal identifying information.” Most, if not all, of the identity theft/fraud statutes do not explicitly say they only apply to individuals, but they achieve that effect by defining “personal identifying information” as things like Social Security numbers, birth dates, mother’s maiden name, driver’s license numbers, etc.

In the earlier post, I talked about a case in which a paralegal effectively stole the identity of a law firm, a corporate entity. Since she was charged with grand larceny, the issue of identity theft did not (and presumably could not have) come up.

After I wrote that post, the Georgia Court of Appeals decided a case involving corporate identity theft. The case is Lee v. State, 283 Ga. App. 826, 642 S.E.2d 876 (2007) and here are the facts:
Lee used to work for Snelling Personnel Services, a company that provides temporary workers for businesses. Lee had received payroll checks from Snelling and had kept in contact with the company to update his file, most recently in August 2004. On December 6, 2004, someone using the fictitious name of James Strobridge ordered 500 Snelling payroll checks from NEBS Business Forms in Massachusetts. The order was placed from Lee's cellular telephone and the address to which the checks were to be shipped is Lee's home address of 17 Mikell Street in Statesboro.

Four days later, on December 10, a second call was made from Lee's telephone to NEBS, inquiring about the status of the order. That same day, the shipment of the 500 payroll checks to be delivered to Lee's house arrived in Statesboro. The delivery driver, however, recognized that the Mikell Street address is a private residence and he knew that Snelling's office is actually located on South Zetterower Avenue; so he delivered the shipment to the business office on South Zetterower.

No one at Snelling had ordered the checks, which contain the number of a Snelling bank account that, on average, carries an $80,000 balance. Snelling's branch manager called the police. Upon discovering that the fraudulent order had been placed from Lee's phone and was to be sent to his address, the police arrested Lee.
Lee v. State, supra.

Lee was charged with identity fraud under Georgia Code § 16-9-121. At the time, this statute read as follows:
A person commits the offense of identity fraud when without the authorization or permission of a person with the intent unlawfully to appropriate resources of or cause physical harm to that person, or of any other person, to his or her own use or to the use of a third party he or she:

(1) Obtains or records identifying information of a person which would assist in accessing the resources of that person or any other person; or

(2) Accesses or attempts to access the resources of a person through the use of identifying information.
The language in the opinion is a little murky, but I gather that Lee argued he could not be guilty of identity fraud because, as I noted earlier, the crime is normally considered to be committed only when someone misappropriates the identity of a real person. Here, the identity that was stolen was that of a corporation – Snelling.

I think Lee must have made this argument because the Georgia Court of Appeals explained that
the applicable definition of `person’ for all of Title 16 is found in [Georgia Code] § 16-1-3(12), which states that: `”‘Person’ means an individual, a public or private corporation, an incorporated association, government, government agency, partnership, or unincorporated association.”’ Accordingly, Snelling is a `person’ under the identity fraud statute, and there is sufficient evidence from which a rational trier of fact could have found beyond a reasonable doubt that Lee is guilty of identity fraud in that he attempted to access Snelling's resources through the use of its bank account information and the fraudulent payroll checks.
Lee v. State, supra. The court therefore affirmed his conviction.

I actually think that’s a good outcome. Lee could probably also have been charged with fraud, but it seems to me that identity fraud (or identity theft) really captures what he did: He misappropriated and misused Snelling’s “Identifying information.” In a footnote the court noted that under Georgia Code § 16-9-120(4)(D) and (E), “the term `identifying information’ as used in the identity fraud statute includes checking and savings account numbers.” Lee v. State, supra.

Since I actually this is a good outcome, I’m mystified by the fact that it won’t work anymore, at least not in Georgia. Effective May 24, 2007, the Georgia legislature changed the state’s identity theft statute so it now reads as follows:
(a) A person commits the offense of identity fraud when he or she willfully and fraudulently:

(1) Without authorization or consent, uses or possesses with intent to fraudulently use, identifying information concerning an individual;

(2) Uses identifying information of an individual under 18 years old over whom he or she exercises custodial authority;

(3) Uses or possesses with intent to fraudulently use, identifying information concerning a deceased individual;

(4) Creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious identifying information concerning a fictitious individual with intent to use such . . . information for the purpose of committing or facilitating . . . a crime or fraud on another person; or

(5) Without authorization or consent, creates, uses, or possesses with intent to fraudulently use, any counterfeit or fictitious identifying information concerning a real individual with intent to use such . . . information for the purpose of committing or facilitating the commission of a crime or fraud on another person.
Georgia Code § 16-9-121 (as revised). As you can see from the definition of "person" quoted above, the law regards an "individual" as a human being, i.e., not as a corporate or other artificial legal entity.

I wonder why the Georgia legislature changed the statute. The original version could be used to prosecute identity theft/fraud directed at an individual; its advantage what that it could also be used to prosecute the kind of corporate identity theft at issue in the Lee case. Since I can’t find an explanation in the legislative history of the act that revised the statute, or anywhere else, I guess I’ll just have to wonder.

Maybe the Georgia legislature decided we should NOT criminalize corporate identity theft/fraud. I really can’t imagine why, though.

Monday, November 17, 2008

Identity Theft or Defamation - Revisited

A few months ago I did a post on a case from Wisconsin: State v. Baron, 2008 WL 2201778 (Wisconsin Court of Appeals).

As I explained in that post, the issue in the case was whether the defendant had committed defamation or identity theft.
He was prosecuted for identity theft, but the facts of the case seemed more to establish defamation than identity theft.

As I explained in that post, the defendant in the Baron case gained access to his boss’ computer without being authorized to do so and used that access to forward embarrassing emails. When he forwarded the emails, he was pretending to be his boss. State v. Baron, supra. He later told he sent the emails so people could see that his boss really wasn’t “golden.” State v. Baron, supra.


Whether the charge against Baron was identity theft or defamation was crucial. As I explained earlier, we have a First Amendment right to criticize the conduct of public officials. Baron’s boss qualified as a public official. Therefore, if what he did was really defamation, he had a valid First Amendment defense, which would result in the case’s being dismissed. If what he did was identity theft, then the First Amendment would presumably not be a defense.

The Wisconsin Court of Appeals held it was identity theft, not defamation. The court found that because the identity theft statute made it a crime, among other things, to use another person’s personal identifying information to “harm” their reputation, it was an identity theft statute, not a defamation statute. Essentially, the court held that the use of another person’s identity was an element that served to differentiate this crime from defamation. In defamation, you publish comments that can, or do, damage someone’s reputation, but don’t use their identity to do so.

At the time, I said I thought the Wisconsin Court of Appeals was right, but there’s been a development that is making me re-think that: the Wisconsin Supreme Court agreed to review the Court of Appeals’ decision. I got an email from someone asking me why I thought the Wisconsin Supreme Court has done this . . . since it seemed, at least at first glance, that the Court of Appeals’ decision was correct.

That email made me think about the Court of Appeals’ decision again. That court said the charge against Baron was identity theft because while it encompasses causing harm to someone’s reputation, the fact you use someone else’s identity to do so differentiates it from defamation. Now I’m not sure if I agree with that.

The reason you have a First Amendment defense to a charge of defaming a public official is because being the recipient of such criticism is part of their job. It’s also because such criticism is a valid, important part of our society; we need to be able to criticize what public officials do, if only to keep them honest.

It doesn’t matter, as far as the applicability of the First Amendment defense is concerned, that Baron allegedly used his boss’ name when he sent the emails. The Supreme Court has held that the First Amendment right to free speech includes the right to speak anonymously (concealing your identity) and pseudonymously (using a different identity). This only makes sense, especially in the context of criticizing public officials; it can help reduce the possibility of retaliation by an unscrupulous public official.

The problem I see here is that, assuming the facts alleged in the opinion (and set out in the earlier post) are correct, Baron didn’t use an alias to criticize his boss’ conduct in office. We’ll assume, for the sake of analysis, that his forwarding the emails in question constituted First Amendment-protected criticism of his boss. Even if that is true, it seems to me that what he allegedly did falls outside the scope of the First Amendment defense because he didn’t just exercise his right to pseudonymously criticize a public official; he did that, but to do so he used another person’s identity in a way he must have known would harm his reputation.

Causing harm to someone’s reputation is defamation. Does incorporating a defamation offense into an identity theft offense statute transform it into identity theft (only)? I’m not sure.
I checked the statute Baron is being prosecuted under. Until 2003, it was a regular identity theft statute; by that I mean it made it a crime to use someone else’s personal identifying information to fraudulently obtain money or goods or services of other things of value. Wisconsin Statutes section 943.201(2)(c). In 2003 the Wisconsin legislature passed an act that added the “harm the reputation” provision to the statute.

That made me wonder why they did that. I couldn’t find any of what the law calls legislative history (reports of debates during the legislative process or setting out the reasons for adopting a particular bill), so I’m pretty much on my own here.

The “harm the reputation” provision is, as far as I can tell, unique. I’m working on a law review article on another topic, and I spent the day reviewing identity theft statutes in the various states. I didn’t see any that have a provision like this; they all define identity theft (a) the way Wisconsin used to do (only) or (b) by making it a crime to use someone’s personal identifying information to commit a crime or (c) by combining (a) and (b). I didn’t see any that include what is really a defamation alternative.

Now, a few states criminalize defamation, so if there are states with identity theft statutes that fall into the (b) or (c) categories, one could argue that the statutes at least implicitly encompass committing identity theft in order to commit the crime of defamation. I wasn’t working on that, so I didn’t check. Even if such statutes exist, I don’t think they resolve what we’re dealing with here for two reasons: One is that criminal defamation is almost never prosecuted; the other is that criminal defamation is almost always a misdemeanor. Neither of those is a legal, doctrinal reason for differentiating those statutes from what Wisconsin has done, but they at least, I think, support an argument that these hypothetical state statutes were not meant to encompass the use of identity theft to commit defamation.

So we’re back to why Wisconsin does this . . . did this on purpose back in 2003. I wonder if this was, in fact, a way of penalizing defamation.

In a law review article I published last year, I analyzed whether we should begin criminalizing defamation in order to address the expanded latitude the Internet gives us to use words and images to inflict emotional “harm” on each other. In writing it, I used news stories I found about two Wisconsin cases in which people used the Internet to defame others in particularly nasty ways. In both instances, the perpetrator pretended to be the victim in order to carry out the defamation. One of them pretended to be his former boss (bad to be a boss, it seems) and went onto a website for married women looking to have sex with other men. He posted an entry in her name, using her address, etc. . . . which apparently caused her a lot of embarrassment and a fair amount of fear (that the people who were responding to the ad might show up at her house).

At the time, a Wisconsin prosecutor said something like “people are being hurt in new and different ways.” As I recall, either he or a legislator called for the criminalization of defamation. I checked the Wisconsin statutes and found that the state has a criminal defamation statute that makes it a crime to defame someone in their “business or occupation”. Wis. Stat. Ann. § 941.01. That’s not a general defamation statute; consequently, it couldn’t have been used to prosecute the two cases I used in that law review article.

So, that leads me to wonder – and this is speculation, nothing more – if the “harm the reputation” alternative was added to the identity theft statute as a way of criminalizing more general defamation. In the Baron case, the Court of Appeals’ decision says he was also charged with criminal defamation, but the state voluntarily dismissed those charges, no doubt because of the First Amendment defense I outlined earlier. (It might also have been because the information in the emails he forwarded was true, and truth is a defense under the Wisconsin defamation statute.) The more I think about this case, the more I think that’s all he really did.

I’m not sure. I’m certainly not an expert on Wisconsin law. But I wonder if the Wisconsin Supreme Court took the case because they, too, wonder if Baron is being prosecuted for nothing more than defamation while being denied the right to present a First Amendment defense. I guess we’ll find out, probably next year.

Friday, November 14, 2008

Identity "Theft"

In a case decided last summer, the U.S. Court of Appeals for the First Circuit considered the level of mens rea – or intent – required by the federal identity theft statute.

The case is United States v. Godin, 534 F.3d 51 (1st Cir. 2008), and here are the rather unusual facts that led to Cori Godin’s being charged with identity theft:
In 2006, Godin defrauded eight banks and credit unions (collectively, the `banks’). She opened accounts using fabricated social security numbers, closed some accounts, and then deposited checks drawn on the closed accounts into the still open accounts. Godin then withdrew funds from the falsely inflated accounts. In this manner, Godin defrauded the banks of approximately $40,000.

Godin fabricated seven different social security numbers by altering the fourth and fifth digits of her own social security number. Godin's social security number is 004-82-XXXX. Of the seven fabricated numbers, only one, number 004-44-XXXX, belonged to another person. Godin opened an account at Bank of America with the fabricated 004-44-XXXX number but provided the bank with her correct name, address, date of birth, driver's license number, and telephone number.
U.S. v. Godin, supra. Godin was charged with violating 18 U.S. Code § 1028A(a)(1), which makes it a crime to “knowingly” transfer, possess, or use, “without lawful authority, a means of identification of another person” in the course of perpetrating a felony under state or federal law. The government claimed she used “a means of identification of another” in committing bank and social security fraud; Godin pled guilty to the 16 bank and social security fraud counts with which she was also charged.

But she moved to dismiss the § 1028A(a)(1) charge, arguing that she could not have acted “knowingly” within the meaning of the statute; the district court denied her motion, she went to trial and was convicted. On appeal, she raised the issue she had raised in her motion to dismiss.

Godin’s argument, essentially, was that to convict her the government had to prove beyond a reasonable doubt that she “knowingly” used the identity of another person, but failed to do so. Remember, this is not a case where she misappropriated personal identifying information (like Social Security numbers) belonging to someone else; instead, she cloned her Social Security number to create new numbers. Godin said that as far as she knew, none of the cloned numbers belonged to a real person; more precisely, she said she did NOT know that any of them belonged to a real person.


At trial, the district court instructed the jury that to convict Godin on the §1028A(a)(1) charge, the government had to prove beyond a reasonable doubt that she (i) "knowingly used a means of identification without lawful authority” (ii) “during and in relation to” committing bank and social security fraud and (iii) that the means of identification belonged to another person. U.S. v. Godin, supra. To prove its case, the government called two witnesses:

The first was employed by Bank of America and testified that Godin used number 004-44-XXXX to open an account but gave the bank her correct name, address, phone number, driver's license number, and date of birth. The government then called a Special Agent for the Social Security Administration [who] testified that by searching a secure and password-protected Social Security Administration database, he determined that social security number 004-44-XXXX was assigned to a man who resided in Maine. The Agent also testified that he could not tell by looking at the number that it belonged to another person because there are millions of unassigned numbers.
U.S. v. Godin, supra.

The issue the Court of Appeals had to decide was whether “knowingly” applied to the fact that this “means of identification” belonged to another person. At trial, the district court specifically instructed the jury that the government “is not required to prove that she knew the means of identification actually belonged to another person.” U.S. v. Godin, supra.


The Court began its analysis by noting that three federal courts of appeal (the Fourth, Eighth and Eleventh Circuits) have held that knowingly does not apply to the fact that the means of identification belongs to another person. Only the D.C. Court of Appeals had held that it does. The First Circuit then analyzed the proper interpretation of “knowingly” as an adverb included in the statute, the legislative history of the statute (which wasn’t that helpful), and the canons used to construe statutes. After all that, it concluded that the statute is inherently ambiguous on this point. U.S. v. Godin, supra.

If a statute contains a `grievous ambiguity,’ the ambiguity must be resolved in the defendant's favor. United States v. Councilman, 418 F.3d 61 (1st Cir.2005); United States v. Santos, 128 S.Ct. 2020 (2008) (`The rule of lenity requires ambiguous criminal laws to be interpreted in favor of the defendants subjected to them.’). . . . Using all methods of statutory construction available to us, we are unable to ascertain whether Congress intended`“knowingly’ to extend to `of another person.’

The language of § 1028A is ambiguous. The ambiguity cannot be resolved by the statutory structure, the title, or the legislative history. We hold that the rule of lenity applies, and the scienter requirement must stretch to “of another person.” Thus, the District Court instructed the jury in error.
U.S. v. Godin, supra. The Court of Appeals then held that based on the evidence presented at trial, a “rational fact-finder could not find beyond a reasonable doubt that Godin knew the false social security number was assigned to another person.” U.S. v. Godin, supra. It reversed her conviction and remanded the case to the district court, instructing that court to dismiss the § 1028A(a)(1) count against Godin. In other words, she won.

I find the Godin case interesting because I think it points up the inherent ambiguity in how we conceptualize the crime of “identity theft.” What we call identity theft is not “theft" in the traditional sense because the victim is not completely deprived of his/her identity; as I assume we all know, theft has historically been a zero-sum phenomenon. I take your laptop, which means I have it and you do not; in legal terms, I (completely) deprive you of the possession and use of your property. That’s what theft has always been.


We have, as I’ve noted here before, expanded our conception of theft to encompass the copying of data. If an employee, copies a password file belonging to his employer before leaving the company, that’s not traditional theft because the company still has the passwords. The problem is, so does the ex-employee. The value of the passwords – of the copied data – has been diminished, which the law is beginning to realize. So, in at least some circumstances, we have to expand our conception of theft so it’s no longer zero-sum; we have to in order to criminalize the misappropriation of some quantum of another’s property.
In its analysis of 18 U.S. Code § 1028A’s legislative history, the Godin court found that Congress mean the statute to be a theft statute – that it was “intended only to punish `thieves,’ or those who knowingly use another's identification.” U.S. v. Godin. I think the government implicitly recognized that in the Godin prosecution, because it only charged her with one count of identity theft . . . which was based on the fact that, coincidentally, one of the Social Security numbers she cloned happened to belong to a real person.
I think an issue the Godin decision implicitly raises is whether the “identity theft” crime is really meant to be a “theft” crime (which means no charge can be brought unless the defendant misappropriated a real person’s identifying information) or a “fraud” crime.

If it’s mean to be a fraud crime (and some states call it “identity fraud” instead of “identity theft”), then it wouldn’t matter whether someone like Godin used identification documents that did, or did not, belong to a real person. All that would matter is that she used identifying documents that did not legitimately belong to her to trick banks or credit card companies or others out of money or property.
It seems to me the best argument for construing “identity theft” as a “theft” crime is the argument that we already have fraud statutes (like the bank and social security fraud statutes used to charge Godin with the other 16 counts) and don’t really need another.

When someone is charged with fraud, the victim is the person or entity who was tricked out of money or property – the banks and credit card companies in this case. When someone is charged with theft, the victim is the person who lost some quantum of their property. In this case and cases like it, so this argument would go, the government already has the tools it needs to seek justice for the fraud victims; the identity theft statutes let it seek justice for the indirect victims, for the people whose identities were misappropriated and used to commit fraud.

Wednesday, November 12, 2008

Not-Harassment (2)

Not long ago, I did a post (“Not-Harassment”) on a New York case in which the court threw out harassment charges against an 18-year-old boy who used MySpace to declare his love for a 14-year-old girl.

This post is about a somewhat similar decision from an Ohio Court of Appeals. I focus on the decision not so much for its substance, as for what I think are some very good observations about the law’s limits in controlling what we say about each other online.

The case is State v. Ellison, 2008 WL 4531860 (Ohio Court of Appeals 2008). You can find the opinion online here: Search for Ellison or for the docket number: C-070875. The decision issued on October 10, so you can find it that way, as well.

Here are the facts that led to Ripley Ellison’s being charged with, and convicted of, telecommunications harassment:
Ellison and Savannah Gerhard were childhood friends but had a falling out during seventh grade. According to Ellison, the fallout occurred when her younger brother accused Gerhard of molesting him. The Hamilton County Department of Job and Family Services (JFS) investigated the claim and determined that it did not have enough evidence to substantiate that the abuse had occurred.

As teenagers, Ellison and Gerhard attended the same high school. During the summer of 2007, Ellison posted on her Internet `MySpace’ page a picture of Gerhard that was captioned `Molested a little boy,’ and she stated in her personal profile that she hated Gerhard. Ellison allowed for public, rather than private, viewing of her MySpace page.

After hearing about the posting . . . Gerhard used the Internet to view Ellison's MySpace page. Gerhard had previously observed a short remark by Ellison on a contemporary's MySpace page that also referred to the molestation accusation. But Ellison never directly communicated these postings to Gerhard, who also had a MySpace account.

Gerhard complained to authorities at her school about the postings. Ellison removed them from her MySpace page at the request of the school's resource officer investigating Gerhard's complaint. Ellison was then charged criminally for telecommunications harassment under R.C. 2917.21(B).

At a bench trial, Gerhard confirmed that Ellison had never directly communicated with her over the Internet and that she had sought out the postings. She added, however, that she had felt `harassed’ by the postings and that she had overheard Ellison make a similar remark about her at school.

Ellison testified that she believed her brother's accusations against Gerhard were true. And she gave the following explanation for posting the offensive material: `I think that other people need to know how she is. And she denies everything, but a lot of people believe that she did it. And I was told that she did it. And so I think that other people have a right to know.’
State v. Ellison, supra.

Ellison appealed her conviction, and the Court of Appeals threw it out. The Court of Appeals began its analysis by pointing out that the Ohio telecommunications statute – which makes it a crime to “make . . . a telecommunication . . . with purpose to abuse, threaten, or harass another person” – required what the law calls a “specific intent” to harass. State v. Ellison, supra (citing Ohio Revised Code § 2917.21(B)).

As the court explained, this meant the prosecution had to prove it was Ellison’s “specific purpose to harass. The burden is not met by establishing only that the defendant knew or should have known that her conduct would probably cause harassment. The legislature has created this substantial burden to limit the statute's scope to criminal conduct, not the expression of offensive speech.” State v. Ellison, supra. The court then held that the prosecution had not discharged this obligation:
[T]he state had the burden of establishing beyond a reasonable doubt that Ellison's specific purpose in making the telecommunication was to harass Gerhard. The state argued that Ellison's posting the `rumor’ after JFS found the allegation unsubstantiated showed a purpose to harass. But JFS's conclusion did not mean that dissemination of the allegation could not serve the legitimate purpose of warning others of what Ellison believed to be criminal behavior. Moreover, it was undisputed that Ellison never directed a telecommunication to Gerhard despite the opportunity to do so. These facts rendered the state's position untenable. No rational trier of fact, viewing the evidence in the light most favorable to the state, could have been convinced of Ellison's specific intent to harass Gerhard when she made the telecommunication.
State v. Ellison, supra. So the court reversed her conviction and “discharge[d] Ellison from further prosecution.” State v. Ellison, supra.

I think the Court of Appeals was absolutely correct in the conclusions it reached and in throwing out the conviction. But what I found particularly interesting and insightful were the comments Court of Appeals Judge Painter offered in a concurring opinion:
It is a scary thought that someone could go to jail for posting a comment on the Internet. If so, we could not build jails fast enough.

The statute on telecommunications harassment is the successor to the former telephone-harassment law. It is designed to prohibit harassing or threatening calls. Of course the calls may now be made over a traditional phone line, a cellular phone, or the Internet. But posting an annoying -- but nonthreatening -- comment on a website is not a crime under this statute. It might well be a civil wrong, but it is not jailable. The First Amendment would not allow punishment for making a nonthreatening comment on the Internet, just as it would not for writing a newspaper article, posting a sign, or speaking on the radio.

Monday, November 10, 2008

Too Much Hearsay

In several recent posts, I’ve explained what hearsay is and written about how courts apply the exceptions to the rule . . . exceptions that let certain types of hearsay be admitted into evidence.

This post is about a case in which the prosecution admitted too much hearsay into evidence, which led to the reversal of a murder conviction.


The case is Thomas v. State, 2008 WL 4629572 (Florida Court of Appeals 2008). Here’s how the Court of Appeals summarized the facts and what happened at trial:
Chaka Baldwin, [Steven]Thomas's girlfriend of four years, was stabbed to death. No physical evidence tied him to the crime, but the State presented circumstantial evidence in support of its contention that Mr. Thomas was the murderer. One piece of circumstantial evidence was an email written by Natalie Zepp to Michelle McCord, both employees of the apartment complex where Ms. Baldwin and Mr. Thomas shared an apartment. Defense counsel made hearsay objections, not only to the introduction of the email as a whole, but also to the introduction of statements within the email that Ms. Zepp, the employee who wrote the email, reported Ms. Baldwin made to her.
Thomas v. State, supra.
Here’s the text of that email:
This resident called and says that she's had someone (Steven Thomas) living in her ap[artmen]t for the past year that is not on the lease and now she wants him out but he refuses to leave. What can we do? [H]er number is (754)2241958, but I asked that she call you back tomorrow morning as well.
Thomas v. State, supra. The italicized portions of the email are the parts the defense particularly objected to, as being inadmissible hearsay. The rest of the email consists of statements describing matters of which Ms. Zepp had first-hand knowledge and could, had the prosecution so desired, have testified to those matters at trial. These portions of the email did, and could, come in under the business records exception to the hearsay rule, which I wrote about in an earlier post. As the Court of Appeals explained,
Michelle McCord, the recipient of the email, testified that one of her duties as the property manager of Campus Walk Apartments was to keep track of records pertaining to the individual apartments. She inspected the email written by Ms. Zepp, and testified that it was a record kept in the ordinary course of business at Campus Walk Apartments. She testified that the record was made at or near the time the information it contained was provided by a person with knowledge. Finally, she testified it was a regular practice of Campus Walk Apartments to keep records such as the email. . . . After the trial judge determined that `clearly this email is within the firsthand knowledge of Ms. Zepp’ and `it's clearly within her duty to try to assist tenants,’ the trial judge ruled: `assuming the other requirements for the business record are met, I will admit that part of the record.’
Thomas v. State, supra.

The defense strongly objected to the inclusion of the underlined statements, arguing that “Ms. Baldwin's statement [to Ms. Zepp] constituted a separate layer of hearsay -- hearsay within hearsay-which could not come in without qualifying under an exception of its own.” Thomas v. State, supra. In making that argument, the defense relied on a Florida statute which says “[h]earsay within hearsay is not excluded . . . provided each part of the combined statements conforms with an exception to the hearsay rule”. Florida Statutes § 90.805.


According to the defense, while the rest of the email could come in under the business records exception, the underlined statements could not; the only way they could come in, the defense said, was if another exception to the hearsay rule applied to these statements . . . and it did not. The prosecution argued that all of the information in the email was “within the personal knowledge of Ms. Zepp”, so it did not constitute hearsay within hearsay. Thomas v. State, supra.

The Court of Appeals agreed with the defense: “The trial court erred in admitting the underlined portions of the email. While the employee who wrote the email had firsthand knowledge of Ms. Baldwin's desire to evict -- and could presumably . . . have so testified -- there was no evidence that she had personal knowledge of any of the surrounding circumstances.” Thomas v. State, supra. That is, there was no evidence showing she had personal knowledge of the relationship and living arrangements between Ms. Baldwin and Mr. Stevens and whether he was refusing to leave her apartment. As the Court of Appeals explained, the email contained two levels of hearsay:
The email is itself hearsay because it is an out-of-court statement being offered for the truth of the matters asserted. . . . It is Ms. Zepp's account of what Ms. Baldwin told her. Its accuracy depends both on Ms. Zepp's veracity and on Ms. Baldwin's veracity. Within the email -- the first tier of hearsay -- lies another layer of hearsay: the statement made by Ms. Baldwin to Ms. Zepp, viz., `that she's had someone (Steven Thomas) living in her ap[artmen]t for the past year that is not on the lease and . . . refuses to leave.’ There was no evidence Ms. Zepp had firsthand knowledge of these matters. Rather, her `knowledge’ that Ms. Baldwin `had someone (Steven Thomas) living in her ap[artmen]t for the past year . . . and . . . refuses to leave’ was hearsay. She was recounting statements she said she heard Ms. Baldwin make. Ms. Baldwin's statements were not . . . business records themselves. As recounted by Ms. Zepp, they were not admissible, because they did not qualify for an exception to the hearsay rule in their own right.
Thomas v. State, supra.

The Court of Appeals not only found that the admission of the email was error, it also found that it constituted reversible error, i.e., error requiring the reversal of Thomas’ murder conviction:
The hearsay was used . . . to prove motive, a critical component of the State's case, a case that relied solely on circumstantial evidence. The State used hearsay to show a possible reason for Mr. Thomas's wanting to kill his live-in girlfriend of four years. No other evidence tended to show that Ms. Baldwin had asked him to move out and that he had refused to leave.

Not even Ms. Baldwin's `best friend[ ] . . . testified . . . to any problems in the couple's relationship. In fact, the best friend testified she was scheduled to take Mr. Thomas to an appointment the morning after Ms. Baldwin was murdered. The State's . . . argument on appeal rings hollow against the background of its argument to the jury emphasizing that Ms. Baldwin wanted Mr. Thomas to move out but he refused, thus making the hearsay `a feature of its . . .closing argument.’ . . . Because there is a reasonable possibility that admission of Ms. Baldwin's hearsay statement that `[Mr. Thomas] refuses to leave’ contributed to Mr. Thomas's conviction, we are constrained to reverse for a new trial.
Thomas v. State, supra.

This decision issued on October 21, 2008, so there obviously has not been time for a new trial. From what the court says about the evidence the prosecution relied on in this trial, it sounds as if the loss of these parts of Ms. Zepp’s email may make it difficult for the prosecution to get a conviction if it tries again.

Friday, November 07, 2008

"Transmit"

Section 1030(a)(5)(A) of Title 18 of the U.S. Code makes it a federal crime “knowingly" to cause the transmission of "a program, information, code, or command. and as a result" intentionally cause "damage" to a computer.

(Until September 26, this provision was codified as 18 U.S. Code § 1030(a)(5)(A)(i). An Act that went into effect last month reordered some of the sections of § 1030 and made some substantive changes to the statute, but didn’t alter the substance of this one.)

This provision was at issue in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Circuit Court of Appeals 2006). As I noted in an earlier post, § 1030(g) lets one who has been the victim of a violation of the criminal provisions of § 1030 bring a civil suit to recover damages for the injury he/she/it sustained. In the Citrin case, Jacob Citrin’s former employer sued him to recover damages for his allegedly violating what is now § 1030(a)(5)(A).

Here is how the Seventh Circuit Court of Appeals described the facts in the case:
Citrin was employed by the plaintiffs -- affiliated companies engaged in the real estate business we'll treat as one . . . and call `IAC’ -- to identify properties IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets.

Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop to IAC, he deleted all the data in it -- not only the data that he had collected but also data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the `delete’ key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such `deleted’ files are easily recoverable. But Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery. . . . IAC had no copies of the files Citrin erased.
International Airport Centers, L.L.C. v. Citrin, supra. Citrin moved to dismiss IAC’s § 1030(a)(5)(A) cause of action for what the law calls “failure to state a claim.” When a defendant makes such a motion, the court assumes the facts set out in the complaint (the pleading that starts the case) are true, and then decides whether those facts show a violation of the statute on which the plaintiff’s claim is based.

In his motion to dismiss, Citrin argued that “merely erasing a file from a computer is not a `transmission” under § 1030(a)(5)(A). The Illinois federal district court agreed with him, and dismissed the suit. IAC appealed to the Seventh Circuit Court of Appeals which, at least initially, seemed to agree with the lower court: ”Pressing a delete . . . key in fact transmits a command, but it might be stretching the statute too . . . to consider any typing on a computer keyboard to be a . . . `transmission’ just because it transmits a command to the computer.” International Airport Centers, L.L.C. v. Citrin, supra.

The Seventh Circuit then proceeded to consider whether deleting files is a “transmission” within the compass of what is now § 1030(a)(5)(A):
There is more here, however: the transmission of the secure-erasure program to the computer. We do not know whether the program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire. Oddly, the complaint doesn't say; maybe IAC doesn't know -- maybe all it knows is that when it got the computer back, the files in it had been erased. But we don't see what difference the precise mode of transmission can make. In either the Internet download or the disk insertion, a program intended to cause damage (not to the physical computer, of course, but to its files -- but `damage’ includes `any impairment to the integrity or availability of data, a program, a system, or information, 18 U.S.Code § 1030(e)(8)) is transmitted to the computer electronically. The only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer. The difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.

There is the following contextual difference between the two modes of transmission, however: transmission via disk requires that the malefactor have physical access to the computer. By using the Internet, Citrin might have erased the laptop's files from afar by transmitting a virus. Such long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee. The inside attack, . . . while easier to detect may also be easier to accomplish. Congress was concerned with both types of attack: attacks by virus and worm writers . . . which come mainly from the outside, and attacks by disgruntled programmers who . . . trash the employer's data system on the way out (or threaten to do so . . . to extort payments), on the other. If the statute is to reach the disgruntled programmer, . . . it can't make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
International Airport Centers, L.L.C. v. Citrin, supra.

IMHO, the Court of Appeals then makes a wrong turn. It bases its conclusion that § 1030(a)(5)(A) was intended to reach "the disgruntled programmer” on two other provisions of § 1030: the ones that criminalize “outsider” hacking (obtaining unauthorized access to a computer system) and “insider” hacking (exceeding one’s authorized access to a computer system). The court decides Citrin exceeded his authorized access to the IAC-provided laptop:
Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent -- he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship. `Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship’. . . .
International Airport Centers, L.L.C. v. Citrin, supra.


The court reaches this conclusion even though, as Citrin pointed out, his “employment contract authorized him to `return or destroy’ data in the laptop when he ceased being employed by IAC”. It reaches this conclusion by deciding “it is unlikely, to say the least, that the provision was intended to authorize him to destroy data he knew the company had no duplicates of and would have wanted to have -- if only to nail Citrin for misconduct.” International Airport Centers, L.L.C. v. Citrin, supra. At that point, the court decides this isn’t an “exceeding authorized access” (“insider” hack) case at all; it decides it’s really an “unauthorized access” case because Citrin had lost his right to access the IAC computer.

That, I think, was the court’s first error. As I pointed out in an earlier post, the task of deciding precisely when an “insider” exceeds his or her access to a computer system can be a difficult one. Usually, courts look to written policies the victim company has in place, policies that define what the employee can and cannot do while on the company’s computer system.

Here, the employment contract says Citrin could destroy data before returning the IAC laptop, and that is precisely what he did. We may think a reasonable person would know not to destroy so MUCH data, but as I explained in my
earlier post, it can be difficult to tell precisely when an employee steps over the line. And since this suit is brought under a criminal statute, the court, I submit, should adhere strictly to the mens rea set out in the statute . . . which is “intentionally”. Intentionally is the mens rea for both the “unauthorized access” and “exceeds authorized access” crimes, so it applies regardless of which crime the Court of Appeals decides Citrin committed. And you simply cannot prove someone acted “intentionally” if all you can show is that he SHOULD have known that what he did violated his employment contract; you have to show he actually knew that. ("Should have known" is a negligence standard and, as such, is a much lower level of mens rea than intentionally.)

The other error I think the court made is that it didn’t consider what this particular crime – the now § 1030(a)(5)(A) crime – was meant to encompass. I found a Senate report that explains what this new section of § 1030 (which is also known as the Computer Fraud and Abuse Act, or CFAA) was meant to do:
Computer abuse crimes under the current statute must be predicated upon the violator's gaining `unauthorized access’ to the . . . computers. However, . . . the most severe forms of computer damage are often inflicted upon remote computers to which the violator never gained `access’ in the commonly understood sense of that term. Instead, those computers are damaged when a malicious program or code is replicated and transmitted to them by other computers infected by the violator's original transmission.

The new subsection 1030(a)(5) of the CFAA . . . makes it clear that one who transmits a destructive program or code with harmful intent is criminally responsible for the resultant damage to all affected computers, without regard to . . . `unauthorized access.’ . . .
Senate Report No. 101-544, The Computer Abuse Amendments Act of 1990 (October 19, 1990), 101ST Cong., 2d Sess. 1990, 1990 WL 201793. It seems to me the language in this report clearly establishes that § 1030(a)(5)(A) was not intended to be any kind of “access” crime but, instead, a transmission of malware crime.