After being charged
with (i) conspiring to “access a computer without authorization or [by
exceeding] access, and thereby obtain[ing] information from a protected computer, in furtherance of a criminal act in violation of New Jersey Statutes 2C:20–31(a), . . . 18 U.S. Code § 1030(a)(2)(C) and . . . 18 U.S. Code § 371” and (ii) knowingly transferring, possessing, and using, “without
lawful authority, means of identification of other persons . . . in violation of 18 U.S. Code § 1028(a)(7)”,
Andrew Auernheimer moved to dismiss the charges. U.S. v.
Auernheimer, 2012 WL 5389142 (U.S. District Court for the District of New Jersey 2012).
(Section 1030 of
Title 18 of the U.S. Code is known as the Computer Fraud and Abuse Act, or
CFAA. The opinion tends to refer to the
§ 1030 offenses as CFAA offenses, and I include some of those references in
this opinion.)
This according to
the opinion, is how the case arose:
In
June 2010, [Auernheimer] and former co-defendant, Daniel Spitler, created a
computer program, the `Account Slurper’ (`Program’), designed to exploit AT
& T's automated feature which linked iPad 3G users' e-mail addresses to
their unique iPad 3G Integrated Circuit Card Identifiers (`ICC–ID’). . . .
Specifically,
the Program `was designed to mimic the behavior of an iPad 3G so that AT &
T's servers were fooled into believing that they were communicating with an
actual iPad 3G and wrongly granted the [Program] access to AT & T's
servers.’ (Superseding Indictment at Count 1, ¶ 8a.)
Between
June 5, 2010 and June 9, 2010, [Auernheimer’s] and Spitler's Program gained
unauthorized access to AT & T's servers and obtained approximately 120,000
ICC–ID/e–mail address pairings from iPad 3G customers, including thousands of
customers in New Jersey. (Superseding Indictment at Count 1, ¶¶ 9, 27d.)
Subsequently,
[Auernheimer] and Spitler disclosed the stolen ICC–ID/e–mail address pairings
to Gawker, an Internet magazine, and sent e-mails to members of various news
organizations offering `to describe the method of theft in more detail.’ (Superseding
Indictment at Count 1, ¶¶ 11, 12, 24 & n. 4, 27c.)
U.S. v. Auernheimer, supra.
(According to the story
you can find here, last year Daniel Spitler pled guilty to both counts in the
Superseding Indictment.)
Auernheimer made
several arguments in his motion to dismiss the Superseding Indictment against
him, but we are only concerned with two of the:
The first was that Count One of
the indictment, which charged him with conspiring to violate 18 U.S. Code §
1030, “poses a merger problem resulting in double jeopardy”. U.S. v.
Auernheimer, supra. His other
argument was that “Count Two is improperly pled because under 18 U.S. Code
§ 1028(a)(7), the offense cannot be `in connection with’ a past crime”. U.S. v.
Auernheimer, supra.
The district court
judge who has this case began her analysis of the first argument by noting that
under the 5th Amendment’s
Double Jeopardy Clause, a defendant may not be charged or punished twice for the same
offense. U.S. Const. Amend. V (`nor shall any person be subject for
the same offense be twice put in jeopardy of life or limb’). A `merger problem
tantamount to double jeopardy’ occurs `where the facts or transactions alleged
to support one offense are also the same used to support another.’ United
States v. Cioni, 649 F.3d 276 (U.S. Court of Appeals for the 4th Circuit 2011).
. . .
For
example, in Cioni, the 4th Circuit found that a merger problem
arose where `the indictment [did] not allege facts sufficient to indicate that
[ ] two crimes were based on distinct conduct’ and instead were `actually based
on [defendant's] single unsuccessful attempt to access [an] electronic e-mail
account.’ . . . The 4th Circuit clarified that `[i]f the government
had proven that [defendant] accessed [the] e-mail inbox and then used the
information from that inbox to access another person's electronic
communications, no merger problem would have arisen.’
U.S. v. Auernheimer, supra.
As noted above,
Count One of the indictment charges Auernheimer with conspiring to
access
a computer without authorization or to exceed authorized access, and thereby
obtain information from AT & T's servers (in violation of the CFAA,
punishable as a felony), in furtherance of a New Jersey criminal statute, New
Jersey Statutes § 2C:20–31(a).
[Auernheimer]
argues that `Count One violates the Double Jeopardy Clause because it
improperly aggravates a CFAA misdemeanor into a felony.’ . . . . Specifically,
[he] asserts that the object of the conspiracy -- the CFAA offense -- relies on
proof of the same facts and conduct as the felony aggravator—N.J.S.A.
2C:20–31(a).
U.S. v. Auernheimer, supra.
The district court judge
did not buy Auernheimer’s argument, noting that as the
Government
correctly points out, the CFAA and New Jersey Statutes § 2C:20–31(a) do
not require the same proof of conduct. . . . Moreover, in this case, the Government does
not rely on the same allegations for the two offenses in the Superseding
Indictment.
The CFAA
requires two elements to establish a violation: (1) defendant `intentionally
accesses a computer without authorization or exceeds authorized access’ and (2)
defendant `thereby obtains . . . information from any protected computer.’ 18
U.S. Code § 1030(a)(2)(c).
A CFAA
violation is generally a misdemeanor; however, it is punishable as a felony if
the offense is `committed in furtherance of any criminal or tortious act in
violation of the Constitution or laws of the United States or of any State.’ 18
U.S. Code § 1030(c)(2)(B)(ii).
U.S. v. Auernheimer, supra.
She
then explained that in this case, “the Superseding Indictment alleges that the
CFAA violation was in furtherance of a New Jersey felony criminal statute,”
i.e., New Jersey Statutes § 2C:20–31(a), which meant “the offense is elevated
to a felony.” U.S. v. Auernheimer,
supra. The judge pointed out that an
offense under
§
2C:20–31(a) requires three elements to establish a violation: (1)
defendant purposely or knowingly accessed data; (2) defendant accessed the data
`without authorization, or in excess of authorization;’ and (3) defendant `knowingly
or recklessly discloses or causes to be disclosed any data . . . or personal
identifying information.’ . . .
Although
there is an overlap of facts for the first two elements of each offense, New
Jersey Statutes § 2C:20–31(a) requires the additional component that
defendant `knowingly or recklessly discloses or causes to be disclosed any data
. . . or personal identifying information.’ Hence, an essential New Jersey
Statutes § 2C:20–31(a) element requires proof of conduct not required for
a CFAA offense.
The
Government specifically alleges in the Superseding Indictment that [Auernheimer]
and his coconspirators `knowingly disclosed approximately 120,000 stolen
ICC–ID/email address pairings for iPad 3G customers . . . to the internet
magazine Gawker.’
U.S. v. Auernheimer, supra. The
judge therefore denied Auernheimer’s motion to dismiss Count One. U.S. v.
Auernheimer, supra.
She then took up Auernheimer’s
motion to dismiss Count Two, which charges him with identity theft in violation
of 18 U.S. Code § 1028(a)(7). U.S. v. Auernheimer, supra. Section
1028(a)(7) states that
`[w]hoever
. . . transfers, possesses, or uses, without lawful authority, a means of
identification of another person with the intent to commit, or to aid or abet,
or in connection with, any unlawful activity that constitutes a violation of
Federal law, or that constitutes a felony under any applicable State or local
law . . . shall be punished as provided in [18 U.S. Code § 1028(b)]’. . . .
Auernheimer argued
that § 1028(a)(7) requires
violations
to be `in connection with’ a present or future criminal activity and not a past
criminal act. . . . Based on this interpretation, [he] argues that Count Two
improperly pleads a § 1028(a)(7) violation because [his] alleged
transfer, possession, and use of others' identification commenced after the
CFAA violation was complete. . . .
U.S. v. Auernheimer, supra.
Again, the judge was
not persuaded. She noted, first, that Auernheimer’s
interpretation
of § 1028(a)(7) is contrary to the statute's legislative history and
is unsupported by case law. As the Government points out, Congress amended the
statute in 2004 to include the words `in connection with’ to `broaden the reach
of section 1028(a)(7).’ House of Representatives Report No. 108–528, at 10
(2004), available at 2004 WL 1260964, at *10 (stating that the
phrase `in connection with’ would serve to `make possible the prosecution of
persons who knowingly facilitate the operations of an identity-theft ring . . .
but who may deny they had the specific intent to engage in a particular fraud
scheme[, and] it will provide greater flexibility for the prosecution of section
1028(a)(7) offenses’).
Neither
the face of the statute nor legislative history indicates that the statutory
phrase `in connection with’ necessitates a temporal restriction for §
1028(a)(7) violations.
U.S. v. Auernheimer, supra.
The judge also
pointed out that
the
two cases to which [Auernheimer] cites do not lend support for his argument
that the phrase `in connection with’ requires an allegation of a present or
future crime and not a past crime. See U.S. v. Sutcliffe, 505
F.3d 944 (U.S. Court of Appeals for the 9th Circuit 2007) (analyzing §
1028(a)(7) violation pursuant to pre–2004 Amendment language which did not
include the phrase `in connection with’); U.S. v. Villanueva–Sotelo, 515
F.3d 1234 (U.S. Court of Appeals for the District of Columbia Circuit 2008) (referencing
the amended § 1028(a)(7) in passing, but not indicating that Congress
intended only to prosecute those engaging in present or future crimes).
However,
even using [Auernheimer’s] interpretation of the statute, the Superseding
Indictment alleges that at least part of [his] unauthorized computer access
overlapped with his possession and transfer of persons' identification, from
June 2, 2010 through June 15, 2010. . . .
U.S. v. Auernheimer, supra.
The judge therefore
held that “the Superseding Indictment sufficiently and properly pleads a §
1028(a)(7) violation; thus [Auernheimer’s] Motion fails with respect to this
argument.” U.S. v. Auernheimer, supra.
For these and other
reasons, the judge denied Auernheimer’s motion to dismiss either or both of the
counts in the Superseding Indictment, which means the prosecution is still
viable. U.S. v. Auernheimer, supra.
If you would like to
read more about the crimes with which Auernheimer is charged and about Account
Slurper, check out the story you can find here.
No comments:
Post a Comment