Friday, September 18, 2009

"Computer Tampering"

As I may have noted, U.S. states tend to vary in the terms they use to denote various computer crimes.

For example, consider what is generically known as hacking, i.e., accessing a computer without being authorized to do so. Some states, such as California, call that crime “unauthorized access” to a computer. See California Penal Code § 502. Others, such as Arkansas, call it “computer trespass.” See Arkansas Code § 5-41-104. And still others just call it “computer crime.” See Colorado Revised Statutes § 18-5.5-102.

This post isn’t about unauthorized access. It’s about Javier Fimbres, who was convicted of “computer tampering” in violation of Arizona law. State v. Fimbres, 2009 WL 2402039 (Arizona Court of Appeals 2009). Here’s how the Court of Appeals described the facts in the Fimbres case:

Fimbres purchased merchandise at local stores using gift cards that had been altered so that the information encoded in magnetic strips on the backs of the cards corresponded with the numbers of various credit and debit cards. These credit and debit cards belonged to people other than Fimbres, and Fimbres did not have permission to use the cards or access the underlying accounts. During several of the transactions, he presented other cards that were declined before presenting one that was accepted.

State v. Fimbres, supra.

Fimbres was charged with, and ultimately convicted of, “three counts of forgery of a credit card, one count of theft of items with a market value of more than $2,000, three counts of computer tampering, and one count of fraudulent scheme and artifice.” State v. Fimbres, supra. We’re not concerned with the forgery, theft and/or fraudulent scheme counts because both the charges and the evidence presented to support them were pretty straightforward. Our concern is with the “computer tampering” counts.

Computer tampering seems to be Arizona’s omnibus computer crime provision. Section 13-2316 says someone “who acts without authority or who exceeds authorization of use” commits computer tampering by doing any of the following:

1. Accessing, altering, damaging or destroying any computer, computer system or network, or any part of a computer, computer system or network, with the intent to devise or execute any scheme or artifice to defraud or deceive, or to control property or services by means of false or fraudulent pretenses, representations or promises.

2. Knowingly altering, damaging, deleting or destroying computer programs or data.

3. Knowingly introducing a computer contaminant into any computer, computer system or network.

4. Recklessly disrupting or causing the disruption of computer, computer system or network services or denying or causing the denial of computer or network services to any authorized user of a computer, computer system or network.

5. Recklessly using a computer, computer system or network to engage in . . . course of conduct that is directed at another person and that seriously alarms, torments, threatens or terrorizes the person. . . .

6. Preventing a computer user from exiting a site, computer system or network-connected location in order to compel the user's computer to continue communicating with, connecting to or displaying the content of the service, site or system.

7. Knowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision . . . or a medical institution.

8. Knowingly accessing any computer, computer system or network or any computer software, program or data that is contained in a computer, computer system or network.

Arizona Revised Statutes § 13-2316(A).

The charges against Fimbres were brought under § 13-2316(A)(1). He was charged with committing computer tampering by “[a]ccessing . . . any computer, computer system or network, or any part of a computer, computer system or network” without being authorized to do so and “with the intent to devise or execute any scheme or artifice to defraud or deceive.” Arizona Revised Statutes § 13-2316(A)(1).

In the brief Fimbres filed with the Court of Appeals he explained that the prosecution’s theory, “as articulated by the prosecutor in his closing argument,” was as follows:

‘When you put the card into the card reader you access the sales terminal, the sales computer of Target. With the intent to execute a scheme, go get merchandise fraudulently. The cards he did not have permission to use.’

Thus, the State's theory was that because Appellant did not have permission to use certain cards, he was guilty of computer tampering for swiping those cards on Target's swiping machine at the checkout counter.

Appellant’s Opening Brief, State v. Fimbres, 2008 WL 5517105.

Fimbres challenged this theory in his appeal. He argued that the prosecution presented

insufficient evidence to support his convictions for computer . . . . He contends that the plain meaning of § 13-2316 demonstrates the statute was enacted solely to criminalize ‘computer hacking’ and does not encompass other computer-related conduct such as swiping through a credit card reader store gift cards encoded with illegally obtained credit and debit card numbers. Fimbres therefore claims that the evidence presented cannot possibly support a computer-tampering conviction.

State v. Fimbres, supra. I think it was a good argument. As I noted in an earlier post, courts struggle with what it means to “access” a computer. And since the provision Fimbres was charged under appears in what seems to be a generic computer crime statute, his claim that the statute was only intended to criminalize hacking made a fair amount of sense.

The Court of Appeals didn’t agree. It began its analysis of the argument by noting that when it construes a statute its task is to “‘fulfill the intent of the legislature that wrote it.’” State v. Fimbres, supra. The court explained that in ascertaining the legislature’s intent it looks “‘first to the statute’s language because we expect it to be “the best and most reliable index of the statute’s meaning.”’” State v. Fimbres, supra.

The Court of Appeals held that the “meaning of § 13-2316 is clear and unambiguous and demonstrates that the statute is not limited to . . . computer hacking.” State v. Fimbres, supra. It pointed out that the provision Fimbres was charged under refers to “accessing” a computer with intent to defraud and found that “‘[a]ccessing’ a computer” with “intent to defraud is a far broader prohibition than ‘computer hacking.’” State v. Fimbres, supra.

For a store's credit card reader to charge or debit customers' accounts, the reader must . . . be linked to the store's computer system. . . . A defendant who swipes gift cards bearing illegally obtained credit and debit card numbers in a store credit card reader therefore accesses the store's computer system . . . with the intent to execute a scheme to defraud. . . . Accordingly, § 13-2316 encompasses Fimbres's conduct.

State v. Fimbres, supra.

The Court of Appeals’ decision makes sense as long as we assume that what Fimbres did “accessed” the store’s computer system. Arizona uses the definition of “access” I discussed in an earlier post, i.e., it “means to instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system or network.” Arizona Revised Statutes § 13-2301(E)(1). I suppose swiping gift cards constitutes “communicating with” a store computer system or, at the very least, “mak[ing] use of” the computer’s resources. If that is true, then the outcome in this case is correct as a matter of what we might call artisan law, i.e., applying the language of a statute to a set of facts.

What I really find interesting about this case is that it illustrates what seems to be a well-established trend in American cybercrime law: adding computer crime charges to what is essentially a traditional crime or crimes. Based on the facts as outlined by the Court of Appeals, Fimbres clearly committed fraud and forgery. (I see the theft charge as a version of fraud because he tricked the store into giving him property; he didn’t take the property from the store without its permission. As I’ve noted before, fraud is basically theft by trickery; I trick you into giving me your property, rather than taking it from you.)

The prosecutor could simply have charged Fimbres with however many counts of fraud and forgery the evidence would support. Instead, he/she added the computer tampering counts. My question is “why?” Did the prosecutor add the computer tampering counts because he/she really believed that the incremental “harms” resulting from Fimbres’ communicating with the store computer or making use of its resources justified the additional charges? Or did the prosecutor add the charges because he/she could, i.e., because the computer tampering statute could be extrapolated to support additional charges in the case?

I’m not accusing the Fimbres prosecutor of malpractice or unethical conduct or anything like that. I’m just wondering whether the general policies that support the imposition of criminal liability justify adding computer crime charges whenever a perpetrator’s conduct minimally implicates the provisions of a computer crime statute. My issue isn’t whether the computer tampering statute could be applied to what Fimbres did; it’s the proper calibration of liability based on the actual “harms” resulting from what a perpetrator did.
