Tuesday, March 23, 2010

Cyber-Extortion

I keep looking for good cyber-extortion cases, but I rarely find one. This post is about a man who was recently charged with cyber-extortion, but not under the general federal cybercrime statute: 18 U.S. Code § 1030. I’m writing about this case because it illustrates the very specific types of conduct the general federal cybercrime statutes addresses in its provision on extortion.


According to this U.S. Department of Justice Press Release, on March 6, 2010 Anthony Digati was arrested was arrested on charges of `attempting to extort approximately $200,000 from a New York-based life insurance company by threatening to make false public statements and transmit computer spam in an effort to damage the reputation of the company and cost it millions of dollars in revenue.’ Here’s how the complaint that was used to charge Digati described what he did:

On February 22, 2010, more than a dozen employees, executives, and one board member of the life insurance company (the `Company’) received an e-mail signed `Anthony Digati.’ The e-mail reads, in part, `I HIGHLY suggest you visit this website and contact me afterwards.’ The e-mail provides a website address that leads a viewer to a website created by DIGATI (the `Website’).

The website includes, among other things, the following text:

  1. These things, unless you honor the below claim, WILL HAPPEN on March 8, 2010.
  2. As you have denied my claim I can only respond in this way. You no longer have a choice in the matter, unless of course you want me to continue with this outlined plan. I have nothing to lose, you have everything to lose.
  3. My demand is now for $198,303.88. This amount is NOT negotiable, you had your chance to make me an offer, now I call the shots.
  4. I have 6 MILLION e-mails going out to couples with children age 25-40, this e-mail campaign is ordered and paid for. 2 million go out on the 8th and every two days 2 million more for three weeks rotating the list. Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.
  5. I am a huge social networker, and I am highly experienced. 200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.
  6. I think you get the idea, I am going to drag your company name and reputation, through the muddiest waters imaginable. This will cost you millions in lost revenues, trust and credibility not to mention the advertising you will be buying to counter mine. Sad thing is it’s almost free for me!
  7. The process is in motion and will be released on March 8th, 2010. If you delay and the site goes live, The price will then be $3,000,000.00.

Press Release, supra. According to this news story, Digati “allegedly contacted the company’s customer service phone center in January and expressed dissatisfaction with the performance of his variable universal life insurance” and then contacted the company “by letter in February, demanding the return of his premiums paid to date on the policy”.


Now let’s talk extortion law. As I noted in a post I did earlier this year, in 2008 Congress revised the federal cyber-extortion provision, which is codified as 18 U.S. Code § 1030(a)(7). As I explained in that post, Congress expanded the statute’s scope because prior to the revision it only targeted sending threats to “cause damage” to a computer. I don’t think what the conduct being attributed to Digati would have constituted extortion under the version of the statute.


The revised version of § 1030(a)(7) (which went into effect in 2008 and could therefore apply to what Digati is alleged to have done) makes it a federal crime for one acting with the intent to extort “any money or other thing of value” to transmit interstate commerce “any communication containing” a threat to do any of the following: (i) cause damage to a computer; (ii) obtain information from a computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a computer without authorization or by exceeding authorized access or (iii) demand “money or other thing of value in relation to damage to a” computer where the damage “was caused to facilitate the extortion”.


The second option clearly couldn’t apply to the conduct attributed to Digati because there’s no allegation that he obtained information from a computer without being authorized to do so. And it doesn’t appear that the other options would apply, either. Since both require “damage” to a computer, for either to apply what Digati is alleged to have done would have to constitute his “damaging” a computer. I don’t think we have that here.


Section 1030(e)(8) of Title 18 of the U.S. Code defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” What Digati is alleged to have done clearly constitutes extortion, as I explain below, but I don’t see that it involved any “damage” to a computer. His (alleged) extortion scheme wasn’t predicated on damaging a computer; it was (allegedly) predicated on damaging the company’s “name and reputation.” It seems, then, that he couldn’t be prosecuted under 18 U.S. Code § 1030(a)(7).


But he was charged with extortion, which means he had to be charged under another federal extortion statute. The Press Release, and news stories I’ve seen on the case, say Digati was charged “with one count of extortion through interstate communications.” Press Release, supra. My guess is that he’s charged under 18 U.S. Code § 875(d), a federal statute that makes it a crime for someone to do the following: “with intent to extort from any person, firm, association, or corporation, any money or other thing of value, transmit[] in interstate or foreign commerce any communication containing any threat to injure the property or reputation of the addressee”. (emphasis added). That statute clearly seems to apply here . . . and I don’t think any of the other federal extortion statutes (there aren’t that many) would apply.


So let’s assume Digati is charged under § 875(d). I can see an argument his attorneys (if and when he gets attorneys) could make as to why the charge is flawed and/or why he should not be convicted of it if he goes to trial. As I noted above, Digati earlier contacted the company and asked them to return the payments he’d made on his life insurance premium because he wasn’t satisfied with its performance. The e-mail he allegedly sent to company officials demanded they pay $198,303, “or four times the amount of his total paid premiums.” I don’t know where he got the concept of quadrupling his premiums, but his demand clearly had some basis in what he’d paid the company and his dissatisfaction with what he got for what he paid.


Why do I bring that up, you ask? Well, the § 875(d) crime, unlike the § 1030(a)(7) crime and other extortion offenses, is predicated in part on mere speech. That is, extortion statutes – like § 1030(a)(7) – are usually predicated on threats to injure a person or property; that kind of threat is much more straightforward than the reputational kind of threat criminalized by § 875(d).

In U.S. v. Jackson, 180 F.3d 55 (U.S. Court of Appeals for the Second Circuit 1999), a federal court of appeals noted that “not every threat to make a disclosure that would harm another person’s reputation is wrongful”, i.e., not every such threat comes with the scope of § 875(d). In explaining what kinds of threats can be prosecuted under § 875(d), the court noted that

not all threats to reputation are within the scope of § 875(d). . . . [T]he objective of the party employing fear of . . . damage to reputation will have a bearing on the lawfulness of its use, and . . . it is material whether the defendant had a claim of right to the money demanded.

We . . . view as inherently wrongful the type of threat to reputation that has no nexus to a claim of right. There are significant differences between . . . threatened disclosures of such matters as consumer complaints and nonpayment of dues, as to which the threatener has a plausible claim of right, and . . . threatened disclosures of such matters as sexual indiscretions that have no nexus with any plausible claim of right. In the former category of threats, the disclosures themselves -- not only the threats -- have the potential for causing payment of the money demanded; in the latter category, it is only the threat that has that potential, and actual disclosure would frustrate the prospect of payment. . . .

We conclude that where a threat of harm to a person's reputation seeks money or property to which the threatener does not have, and cannot reasonably believe she has, a claim of right, or where the threat has no nexus to a plausible claim of right, the threat is inherently wrongful and its transmission in interstate commerce is prohibited by § 875(d).

U.S. v. Jackson, supra.


Since Digati’s alleged conduct involved a demand for a sum of money that was apparently rooted in the premiums he had paid the company and believed should be refunded, I could see his defense attorney making an argument under this court’s interpretation of § 875(d). That is, I could see the defense attorney arguing that in engaging in the conduct attributed to him, Digati was acting under a “claim of right,” i.e., he believed he was entitled to the money he allegedly demanded from the company.

I’m not saying the argument would work. I’m just saying I can see its being made.


On another note, I continue to be amused by the press’ referring to crimes like this as “cyber-extortion.” And yes, I know I used that term as the caption for this post, but I had my reasons for doing so.


I chose to write about this case in part to point out that it is not being prosecuted under the federal cyber-extortion provision, § 1030(a)(7), but under § 875(d), a statute that was added to the federal criminal code in 1948 and hasn’t been substantially altered since. There’s a certain irony there: The cyber-specific federal extortion provision, which was added to the federal criminal code in 1984 and was substantially revised in 2008, simply doesn’t address the kind of (allegedly) extortionate conduct at issue in this case. Instead, prosecutors had to rely on a generic extortion statute.


As I’ve noted here and elsewhere, I think we should be cautious about creating new, cyber-specific criminal statutes; I think we should, whenever possible, either rely on existing offenses or update those offenses so they can encompass the use of computer technology to commit an old crime. I think that approach is advisable for two reasons: One is that it avoids cluttering up criminal codes with new and at least arguably superfluous offenses. The other is that it lets us use established offenses, which have been reviewed and analyzed by courts, to prosecute cases; that, in turn, can reduce the possibility of a charge being thrown out because of some defect in the statute itself and/or in the way the crime was charged.

1 comment:

Bon said...

My 6yo laptop was attacked yeterday by someone demanding $60 to clear alleged multiple viruses. My computer is now unusable. I attempted to restor the system to a previous date but the attack has frozed my system tools and they do not function. If I give them a credit card they say I can have the mess cleaned up. I'd like to send them rat poison. Any suggestons?