Wednesday, October 05, 2011

Identity Theft and “Receiving” a Password

As Wikipedia notes, identity theft is basically “a form of fraud . . . in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name.” This post is about an identity theft case involving a juvenile and an email password.

The case is In re Rolando S., 197 Cal.App.4th 936, 129 Cal.Rptr.3d 49 (California Court of Appeals 2011) and this, very generally, is how it arose:

[Rolando S.] was one of several recipients of an unsolicited text message providing the password to the victim's email account. [He] used the victim's email password and account to gain access to her Facebook account, where he posted, in her name, prurient messages on two of her male friends' pages (walls) and altered her profile description in a vulgar manner. The victim found out about the messages and informed her father, who removed the messages from her account and later called the police.

In re Rolando S., supra.

Rolando S. “admitted to the police that he posted the messages from the victim's Facebook account and altered her profile.” In re Rolando S., supra. A juvenile petition was then filed against him, alleging that he committed one count of identity theft under California Penal Code § 530.5(a). In re Rolando S., supra.

Section 530.5(a) provides as follows:

Every person who willfully obtains personal identifying information, as defined in subdivision (b) of Section 530.55, of another person, and uses that information for any unlawful purpose . . . without the consent of that person, is guilty of a public offense, and upon conviction . . . shall be punished by a fine, by imprisonment in a county jail not to exceed one year, or by both a fine and imprisonment, or by imprisonment in the state prison.

Section 530.55(b) of the California Penal Code defines “personal identifying information” as:

any name, address, telephone number, health insurance number, taxpayer identification number, . . . state or federal driver's license, or identification number, social security number, . . . employee identification number, professional or occupational number, mother's maiden name, . . . , PIN (personal identification number) or password, alien registration number, government passport number, date of birth, . . . unique electronic data including information identification number assigned to the person, address or routing code, telecommunication identifying information or access device, information contained in a birth or death certificate, or credit card number of an individual person, or an equivalent form of identification.

After a hearing, the juvenile court judge “found beyond a reasonable doubt” that Rolando S. “had committed the crime charged and sustained the petition.” In re Rolando S., supra. The judge ordered him “committed to the Kings County Juvenile Academy Alpha Program for 90 days to a year, and put him on probation.” In re Rolando S., supra.

Rolando S. appealed this determination and sentence, arguing “that because he made no effort to obtain the password, instead passively receiving the text message on his cell phone `without his prior knowledge or consent,’ he did not `willfully’ obtain the victim’s email account password for purposes of the [identity theft] statute.” In re Rolando S., supra. The prosecution focused its argument “on asserting that [Rolando S.] `obtained’ the password, and evidenced his willfulness by using the password, rather than deleting it when he received it.” In re Rolando S., supra.

The Court of Appeals did not agree. It noted, first, that California Penal Code § 7(1) states that “willfully” when “applied to the intent with which an act is done or omitted, implies simply a purpose or willingness to commit the act, or make the omission referred to”. In re Rolando S., supra. The court then found that Rolando S.

freely accepted the password information provided in the text message. While the text message itself was unsolicited, no evidence suggests [he] was forced to remember the password or otherwise keep a record of it so that he could use it later, as he admitted to doing. On the record before us, we conclude that [Rolando S.] willfully obtained the password information from the text message, knowing that he was continuing to possess the password, intending to do so, and was a free agent when securing the password for his future use.

In re Rolando S., supra. The court also noted that Rolando S. used the email password

he willfully obtained from the text message to then willfully obtain the victim's Facebook account password. . . . The victim's father testified [her] Facebook password was being changed dozens of times over several weeks and it was only after they deleted her email account that they were able to regain control over her Facebook account.

[Rolando S.] admitted to Officer Lucio that he used the email account password he received from the text message to gain access to the victim's Facebook account. By resetting [her] Facebook account password himself using the above-described process, [he] would have been able to log in to her account and pose as the victim as he posted on her friends' walls and on her profile. . . .

Not only did [Rolando S.] willfully obtain the email password from the text message, he also willfully obtained the Facebook account password by purposely using the email account as a vehicle to alter the Facebook account password.

In re Rolando S., supra.

Rolando S. also claimed “his conduct fails to satisfy the second element of § 530.5(a), that he `use[d] [the victim's] information for any unlawful purpose.’” In re Rolando S., supra. He argued “that at most he `possibly defamed’ the victim, but asserts that civil torts do not constitute an `unlawful purpose’ for purposes of the statute. In re Rolando S., supra.

The prosecution argued that “civil torts constitute an unlawful purpose,” and Rolando S.’s “conduct amounted to libel under [California] Civil Code § 45.” In re Rolando S., supra. Rolando S. argued that the state legislature intended to limit “any unlawful purpose” to “strictly criminal conduct”, but the Court of Appeals did not agree. In re Rolando S., supra.

After extensively reviewing legislative history in an attempt to ascertain the extent to which the state legislature intended to limit the scope of “unlawful purpose” as used in Penal Code § 530.5(a), the court found that it “has expressed no intent to limit the scope of `unlawful purposes’ constituting the underlying conduct for an identity theft offense.” In re Rolando S., supra. The court then explained that

[c]rimes are strictly creatures of penal statutes, and require both a prohibited act and a punishment. . . . Our Supreme Court has defined the term `unlawful’ to include wrongful conduct which is not criminal. In determining the scope of the term, it held that an act is `unlawful . . . if it is proscribed by some constitutional, statutory, regulatory, common law, or other determinable legal standard. Korea Supply Co. v. Lockheed Martin Corp., (2003) 29 Cal.4th 1134, 131 Cal. Rptr.2d 29, 63 P.2d 93. Under this definition, unlawful conduct includes acts prohibited by the common law or nonpenal statutes, such as intentional civil torts.

In re Rolando S., supra.

California Civil Code § 45 defines “the civil tort of libel” as

a false and unprivileged publication by writing, printing, picture, effigy, or other fixed representation to the eye, which exposes any person to hatred, contempt, ridicule, or obloquy, or which causes him to be shunned or avoided, or which has a tendency to injure him in his occupation.

The Court of Appeals found that (i) libel is “an intentional tort” under California law and (ii) Rolando S. committed libel by publishing material that “clearly exposed the victim to hatred, contempt, ridicule and obloquy with his actions.” In re Rolando S., supra.

While that would have been enough to establish that Rolando S. committed identity theft, the Court of Appeals went one step further. It explained that

[e]ven assuming that a civil intentional tort failed to constitute an `unlawful purpose for purposes of § 530.5, [Rolando S.’s] conduct was sufficient to satisfy § 530.5 based on his conduct constituting a criminal offense under § 653m(a) [of the California Penal Code].

In re Rolando S., supra.

The court then explained that Penal Code § 653m(a) “states in pertinent part: `Every person who, with intent to annoy . . . makes contact by means of an electronic communication device with another and addresses to or about the other person any obscene language . . . is guilty of a misdemeanor.’” In re Rolando S., supra. It also noted that Penal Code § 653m(c) “states in pertinent part: `Any offense committed by use of an electronic communication device or medium, including the Internet, may be deemed to have been committed when and where the electronic communication or communications were originally sent or first viewed by the recipient.’” In re Rolando S., supra.

The Court of Appeals therefore affirmed the judgment against Rolando S. because his

fraudulent posts as the victim would have shown up on her personal Facebook page. He also altered her profile on her personal Facebook page. Section 653m(c) makes clear the offense is committed as of sending the communication. Therefore, appellant willfully obtained the victim's Facebook password and then used that information for the unlawful purpose of violating § 653m(a).

In re Rolando S., supra.

No comments: