Wednesday, November 14, 2012

Unauthorized Access, Identity Theft and the “Account Slurper”


After being charged with (i) conspiring to “access a computer without authorization or [by exceeding] access, and thereby obtain[ing] information from a protected computer, in furtherance of a criminal act in violation of New Jersey Statutes 2C:20–31(a), . . . 18 U.S. Code § 1030(a)(2)(C) and . . . 18 U.S. Code § 371” and (ii) knowingly transferring, possessing, and using, “without lawful authority, means of identification of other persons . . .  in violation of 18 U.S. Code § 1028(a)(7)”, Andrew Auernheimer moved to dismiss the charges.  U.S. v. Auernheimer, 2012 WL 5389142 (U.S. District Court for the District of New Jersey 2012).

(Section 1030 of Title 18 of the U.S. Code is known as the Computer Fraud and Abuse Act, or CFAA.  The opinion tends to refer to the § 1030 offenses as CFAA offenses, and I include some of those references in this opinion.)

This according to the opinion, is how the case arose:

In June 2010, [Auernheimer] and former co-defendant, Daniel Spitler, created a computer program, the `Account Slurper’ (`Program’), designed to exploit AT & T's automated feature which linked iPad 3G users' e-mail addresses to their unique iPad 3G Integrated Circuit Card Identifiers (`ICC–ID’). . . .

Specifically, the Program `was designed to mimic the behavior of an iPad 3G so that AT & T's servers were fooled into believing that they were communicating with an actual iPad 3G and wrongly granted the [Program] access to AT & T's servers.’ (Superseding Indictment at Count 1, ¶ 8a.)

Between June 5, 2010 and June 9, 2010, [Auernheimer’s] and Spitler's Program gained unauthorized access to AT & T's servers and obtained approximately 120,000 ICC–ID/e–mail address pairings from iPad 3G customers, including thousands of customers in New Jersey. (Superseding Indictment at Count 1, ¶¶ 9, 27d.)

Subsequently, [Auernheimer] and Spitler disclosed the stolen ICC–ID/e–mail address pairings to Gawker, an Internet magazine, and sent e-mails to members of various news organizations offering `to describe the method of theft in more detail.’ (Superseding Indictment at Count 1, ¶¶ 11, 12, 24 & n. 4, 27c.)

U.S. v. Auernheimer, supra.

(According to the story you can find here, last year Daniel Spitler pled guilty to both counts in the Superseding Indictment.)

Auernheimer made several arguments in his motion to dismiss the Superseding Indictment against him, but we are only concerned with two of the:  The first was that  Count One of the indictment, which charged him with conspiring to violate 18 U.S. Code § 1030, “poses a merger problem resulting in double jeopardy”.  U.S. v. Auernheimer, supra.  His other argument was that “Count Two is improperly pled because under 18 U.S. Code § 1028(a)(7), the offense cannot be `in connection with’ a past crime”.  U.S. v. Auernheimer, supra.

The district court judge who has this case began her analysis of the first argument by noting that under the 5th Amendment’s

Double Jeopardy Clause, a defendant may not be charged or punished twice for the same offense. U.S. Const. Amend. V (`nor shall any person be subject for the same offense be twice put in jeopardy of life or limb’). A `merger problem tantamount to double jeopardy’ occurs `where the facts or transactions alleged to support one offense are also the same used to support another.’ United States v. Cioni, 649 F.3d 276 (U.S. Court of Appeals for the 4th Circuit 2011). . . .

For example, in Cioni, the 4th Circuit found that a merger problem arose where `the indictment [did] not allege facts sufficient to indicate that [ ] two crimes were based on distinct conduct’ and instead were `actually based on [defendant's] single unsuccessful attempt to access [an] electronic e-mail account.’ . . . The 4th Circuit clarified that `[i]f the government had proven that [defendant] accessed [the] e-mail inbox and then used the information from that inbox to access another person's electronic communications, no merger problem would have arisen.’ 

U.S. v. Auernheimer, supra.

As noted above, Count One of the indictment charges Auernheimer with conspiring to

access a computer without authorization or to exceed authorized access, and thereby obtain information from AT & T's servers (in violation of the CFAA, punishable as a felony), in furtherance of a New Jersey criminal statute, New Jersey Statutes § 2C:20–31(a).

[Auernheimer] argues that `Count One violates the Double Jeopardy Clause because it improperly aggravates a CFAA misdemeanor into a felony.’ . . . . Specifically, [he] asserts that the object of the conspiracy -- the CFAA offense -- relies on proof of the same facts and conduct as the felony aggravator—N.J.S.A. 2C:20–31(a). 

U.S. v. Auernheimer, supra.

The district court judge did not buy Auernheimer’s argument, noting that as the


The CFAA requires two elements to establish a violation: (1) defendant `intentionally accesses a computer without authorization or exceeds authorized access’ and (2) defendant `thereby obtains . . . information from any protected computer.’ 18 U.S. Code § 1030(a)(2)(c).

A CFAA violation is generally a misdemeanor; however, it is punishable as a felony if the offense is `committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.’ 18 U.S. Code § 1030(c)(2)(B)(ii).

U.S. v. Auernheimer, supra.

She then explained that in this case, “the Superseding Indictment alleges that the CFAA violation was in furtherance of a New Jersey felony criminal statute,” i.e., New Jersey Statutes § 2C:20–31(a), which meant “the offense is elevated to a felony.”   U.S. v. Auernheimer, supra.  The judge pointed out that an offense under

§ 2C:20–31(a) requires three elements to establish a violation: (1) defendant purposely or knowingly accessed data; (2) defendant accessed the data `without authorization, or in excess of authorization;’ and (3) defendant `knowingly or recklessly discloses or causes to be disclosed any data . . . or personal identifying information.’ . . .

Although there is an overlap of facts for the first two elements of each offense, New Jersey Statutes § 2C:20–31(a)  requires the additional component that defendant `knowingly or recklessly discloses or causes to be disclosed any data . . . or personal identifying information.’ Hence, an essential New Jersey Statutes § 2C:20–31(a) element requires proof of conduct not required for a CFAA offense.

The Government specifically alleges in the Superseding Indictment that [Auernheimer] and his coconspirators `knowingly disclosed approximately 120,000 stolen ICC–ID/email address pairings for iPad 3G customers . . . to the internet magazine Gawker.’

U.S. v. Auernheimer, supra.  The judge therefore denied Auernheimer’s motion to dismiss Count One.  U.S. v. Auernheimer, supra.

She then took up Auernheimer’s motion to dismiss Count Two, which charges him with identity theft in violation of 18 U.S. Code § 1028(a)(7).  U.S. v. Auernheimer, supra. Section 1028(a)(7) states that

`[w]hoever . . . transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law . . . shall be punished as provided in [18 U.S. Code § 1028(b)]’. . . .  

Auernheimer argued that § 1028(a)(7) requires

violations to be `in connection with’ a present or future criminal activity and not a past criminal act. . . . Based on this interpretation, [he] argues that Count Two improperly pleads a § 1028(a)(7) violation because [his] alleged transfer, possession, and use of others' identification commenced after the CFAA violation was complete. . . .

U.S. v. Auernheimer, supra.

Again, the judge was not persuaded.  She noted, first, that Auernheimer’s

interpretation of § 1028(a)(7) is contrary to the statute's legislative history and is unsupported by case law. As the Government points out, Congress amended the statute in 2004 to include the words `in connection with’ to `broaden the reach of section 1028(a)(7).’ House of Representatives Report No. 108–528, at 10 (2004), available at 2004 WL 1260964, at *10 (stating that the phrase `in connection with’ would serve to `make possible the prosecution of persons who knowingly facilitate the operations of an identity-theft ring . . . but who may deny they had the specific intent to engage in a particular fraud scheme[, and] it will provide greater flexibility for the prosecution of section 1028(a)(7) offenses’).

Neither the face of the statute nor legislative history indicates that the statutory phrase `in connection with’ necessitates a temporal restriction for § 1028(a)(7) violations.

U.S. v. Auernheimer, supra.

The judge also pointed out that

the two cases to which [Auernheimer] cites do not lend support for his argument that the phrase `in connection with’ requires an allegation of a present or future crime and not a past crime. See U.S. v. Sutcliffe, 505 F.3d 944 (U.S. Court of Appeals for the 9th Circuit 2007) (analyzing § 1028(a)(7) violation pursuant to pre–2004 Amendment language which did not include the phrase `in connection with’); U.S. v. Villanueva–Sotelo, 515 F.3d 1234 (U.S. Court of Appeals for the District of Columbia Circuit 2008) (referencing the amended § 1028(a)(7) in passing, but not indicating that Congress intended only to prosecute those engaging in present or future crimes).

However, even using [Auernheimer’s] interpretation of the statute, the Superseding Indictment alleges that at least part of [his] unauthorized computer access overlapped with his possession and transfer of persons' identification, from June 2, 2010 through June 15, 2010. . . .

U.S. v. Auernheimer, supra.

The judge therefore held that “the Superseding Indictment sufficiently and properly pleads a § 1028(a)(7) violation; thus [Auernheimer’s] Motion fails with respect to this argument.”  U.S. v. Auernheimer, supra.

For these and other reasons, the judge denied Auernheimer’s motion to dismiss either or both of the counts in the Superseding Indictment, which means the prosecution is still viable.  U.S. v. Auernheimer, supra.

If you would like to read more about the crimes with which Auernheimer is charged and about Account Slurper, check out the story you can find here.  

No comments:

Post a Comment