Wednesday, April 10, 2013

Harassment and Unlawful Use of Encryption

“Following a bench trial,” Steven C. Kucharski was convicted of two counts of electronic harassment in violation of 720 Illinois Statutes §135/1-2 and one count of unlawful use of encryption in violation of 720 Illinois Statues § 5/16D-5.5.  People v. Kucharski, __ N.E.2d __, 2013 WL 1281844 (Illinois Court of Appeals 2013).  (The opinion notes that the harassment statute was later “amended by Pub. Act 96–1551, art. 5, § 5–5 (eff. July 1, 2011)”).  People v. Kucharski, supra.

According to the opinion, the victim in the case testified at trial that Kucharski had been

her boyfriend for 2 1/2 years. They broke up prior to August 2009 and they were not on good terms. While they were dating, [he] created a MySpace account for her because she was `kind of computer illiterate.’ 

She and [Kucharski] but nobody else, knew the password to that account. She was not aware that an email account was set up in association with the MySpace account. When [they] broke up, she changed the password on the MySpace account `probably about five times just to make sure.’

People v. Kucharski, supra.

On August 21, she noticed her MySpace page had a picture of her in a thong along with her name, address, phone numbers, and other information about her family. The items about her family included `stuff about Kentucky, me being a slut, about my father, things like that.’ She had not made these changes to her MySpace account and did not know when they were made. . . . 

The photo . . . of her in a thong, was taken by [Kucharski] with his cell phone about five to six months prior. She gave [him] permission to take the photo. However, when they broke up, she asked him to remove the photo from his cell phone. She did not give anyone permission to post the photo on MySpace. . . .

She noticed her MySpace page was again altered about two hours later on the same day. The photo and all her personal information was removed -- her page was essentially deleted. She had not deleted the page. She was unable to delete the page herself because her password had been changed.

A review of [the version of the page introduced into evidence] reveals the following. A box in the upper left corner . . . includes the victim's name below the word `Whore’ and also states `Mood: slut.’ The box includes the photo of the backside of the victim, who is bending forward and wearing only a thong. 

Next to the photo, it states: `Need a blow job? My dad buys them for my boyfriends.’ Another box states `Whore's Interests’ and includes the victim's address and phone number. 

People v. Kucharski, supra.

Hecht followed up by calling Kucharski’s home phone and telling the person who answered that he needed to talk to him, after which the investigation was “turned over to Detective David Chiesa”, who was trained in computer investigations.  People v. Kucharski, supra.  He spoke with the victim and then sent a search warrant to

MySpace to obtain information regarding the victim's MySpace account. People's Exhibit No. 2 were the documents he received from MySpace. . . . MySpace accounts can be identified by a web address, also known as a universal resource locator, which is a numerical designation assigned to the account. 

The number associated with the materials he received was * * * * *9311. . . . [The] . . . email address associated with the MySpace account. . . . was ` * * *’

Chiesa . . . subpoenaed, from Comcast, the Internet protocol (IP) addresses associated with the victim's MySpace account. . . . He explained that an IP address is a series of numbers separated by dots or decimal points, which identifies an individual computer on the Internet at a specific time. 

At any given time on the Internet, no IP addresses are the same. He testified that the subpoenaed information showed that, at certain dates and times, certain computers had accessed the victim's MySpace account.

Specifically, between August 18 and 21, 2009, two IP addresses had accessed the victim's MySpace account. The first . . . accessed [it] on August 18, 2009, at 1:15 a.m. and at 1:18 a.m. and on August 21, 2009, at 5:23 p.m. and 5:27 p.m., all times being PST. The subscriber associated with this IP address was Paul Kucharski, [Kucharski’s] father, at a service address that was the same as [Kucharski’s] home address.

People v. Kucharski, supra.

Paul Kucharski testified for the defense, giving his home address and stating that he

lived there with his wife, his son the defendant, and a younger son. He remembered that a police officer contacted him in mid-August 2009. After he spoke to the officer, he spoke to his younger son. 

His younger son, who was proficient on a computer, then `went and proceeded to go to the computer and take away some stuff off the computer, to the best of my knowledge.’ He testified that his younger son had shown him pictures of the victim provocatively dressed prior to August 2009.

People v. Kucharski, supra.

After both sides rested, the judge considered the evidence and found that

(1) [Kucharski] set up the MySpace account for the victim, it was her account, and only the victim and [he] knew the password; (2) a computer at the residence where [Kucharski] lived had accessed the victim's MySpace account; (3) the photo on People's Exhibit No. 3 was taken by [Kucharski]  on his cell phone; and (4) the alteration to the MySpace posting was clearly done to harass the victim.

The [judge] noted the victim changed her MySpace password five times after she broke up with [Kucharski], yet the password was still changed without her knowledge, which prevented her from accessing the account. `This suggested someone who was intimately familiar with the details of the account, such as the individual who had set it up.’. . .

[The judge] further noted that the MySpace page was taken down within a couple of hours after the victim called [Kucharski] [and] found that [Kucharski’s] father's testimony was not credible and was simply `a father trying to help out his son.’

People v. Kucharski, supra.  The judge therefore, as noted above, found Kucharski guilty on both charges. People v. Kucharski, supra.

On appeal, Kucharski argued, among other things, that the evidence was insufficient to convict him of harassment because “there was no evidence that he changed the password and, even if he had, it was his MySpace account.”  People v. Kucharski, supra.

As to the first issue, the Court of Appeals found that the evidence outlined above, plus other evidence presented at trial, was sufficient to support the conviction.  As to the second issue, it rejected his argument that it “was a shared MySpace account, belonging to both him and the victim, which meant he could not “have changed the password `of any person’”, which, I assume, means he was claiming there was no “victim.” People v. Kucharski, supra.  The court noted that the trial judge found the account belonged only to the victim, and “decline[d] to disturb that determination.”  People v. Kucharski, supra.

Finally, Kucharski argued that his conviction for unlawful use of encryption was based on insufficient evidence, i.e., that the prosecution did not prove the elements of the crime beyond a reasonable doubt.  People v. Kucharski, supra. The Court of Appeals agreed.  People v. Kucharski, supra.

It began its analysis of the issue by noting that 720 Illinois Statues § 5/16D-5.5 makes it a crime to “knowingly use or attempt to use encryption, directly or indirectly, to . . . commit, facilitate, further, or promote any criminal offense.”  The Court of Appeals explained that Kucharski

argues that he was not proved guilty beyond a reasonable doubt of unlawful use of encryption. The State argues that, by changing the victim's password, [Kucharski] knowingly used encryption to further the criminal offense. . . . 

To determine whether there was sufficient evidence to support a conviction of unlawful use of encryption, we need to consider whether changing the victim's password could be considered `encryption’ within the meaning of the statute. 

People v. Kucharski, supra.

It then noted that the statute defines encryption

very broadly to include any `protective or disruptive measure’ that impedes access to data on a computer. Although the statute states that it is not limited to `cryptography, enciphering, encoding, or a computer contaminant,’ any other forms of encryption should take color from those terms. 

`Cryptography’ means the enciphering and deciphering of messages in secret code or cipher; `enciphering’ means to convert a message into cipher; and `encoding’ means to convert from one system of communication into another. See Merriam–Webster Online Dictionary, available at . . .  

‘”Computer contaminant” means any data * * * that * * * has the capability to: (1) contaminate, corrupt, consume, damage, destroy, disrupt, modify, record or transmit * * * any other data * * * contained in a computer * * * without the knowledge or consent of the person who owns the data.’ 720 Illinois Statutes § 5/16D–5.5(a).   

‘”Computer contaminant” includes, without limitation: (1) a virus, worm, or Trojan horse; * * * or (3) any other similar data, [or] information * * * that is designed * * * to prevent, impede, delay, or disrupt the normal operation or use of any component, device, equipment, system, or network.’ Id.

People v. Kucharski, supra.

The Court of Appeals then found that

[t]hese four terms inherently include some type of data transformation, manipulation, or destruction. Placing a password on a document does not involve any transformation, manipulation, or destruction of data.

The legislative history [of the statute] shows that Representative Crespo stated that `[b]y encryption we mean altering a file using a secret code to prevent law enforcement from tracking down the person sending the file from the computer. The [statute] basically provides a tool for law enforcement to go after criminals who hide behind computers and encryption to commit their crimes.’ See 95th Ill. Gen. Assem., House Proceedings, May 25, 2007, at 50–51 (statements of Representative Crespo).

In this case, changing the password did not alter a file or prevent law enforcement from tracking down [Kucharski]. Accordingly, we hold that, under the circumstances in the present case, changing the password was not `encryption’ within the meaning of the encryption statute. 

People v. Kucharski, supra.

The court therefore affirmed Kucharski’s convictions for electronic harassment but reversed his conviction for unlawful use of encryption.  People v. Kucharski, supra.

No comments: