Friday, February 27, 2015

The Lottery Terminal, Computer Crime and "Authorization"

After Caryn Aline Nascimento was “convicted of one count of aggravated first-degree theft and one count of computer crime”, she appealed.  State v. Nascimento, 2015 WL 465188 (Court of Appeals of Oregon 2015).  On appeal, Nascimento raised a
single assignment of error to the trial court's denial of her motion for judgment of acquittal of the computer-crime count. Defendant argues that she did not access the lottery terminal ‘without authorization,’ as required by Oregon Revised Statutes 164.377(4), because, as part of her duties at the store, she was authorized by the store manager to access the machine to sell lottery tickets to paying customers. 
State v. Nascimento, supra.
The Court of Appeals began its analysis of Nascimento’s argument by explaining that in
October 2007, [she] was hired to work at the deli counter in a convenience store. The store had a touch-screen lottery terminal that produced draw-game tickets and was connected by phone line to the Oregon Lottery network. From the terminal, a clerk could print out a ticket for a selected game, and also could print ticket-sales reports.

The store manager trained [Nascimento] on the use of the lottery terminal and authorized [her] to sell lottery tickets to, and validate tickets for, customers, because deli clerks would assist at the counter when the counter employee was busy or on break, even though it was not their job. The general manager testified, however, that operating the lottery terminal and cash register was not part of [Nascimento’s] job description as a deli clerk and that [she] did not have authorization to use the terminal. Store policy prohibited employees from purchasing lottery tickets or validating their own lottery tickets while on duty.

About a year after [Nascimento] was hired, the store manager fell a few months behind in reconciling daily lottery ticket sales with the store's cash receipts. In February 2009, she discovered shortfalls in cash receipts for lottery sales of Keno tickets between November 2008 and February 2009, which prompted the general manager to investigate his records and involve the police.

The investigation uncovered that large shortfalls and high-dollar wagers on Keno occurred only during [Nascimento’s] shifts. The store's surveillance video showed that, when no one was around, [she] would leave the deli counter and print out and pocket lottery tickets from the lottery terminal. One of the high-dollar winning tickets printed during [Nascimento’s] shift was redeemed by her by mail, and others were redeemed by her at a local grocery store. 
State v. Nascimento, supra.
The prosecution’s brief on appeal provides more detail on the facts, noting that
[Nascimento] worked as a clerk at the deli counter of the Tiger Mart, a gas station mini-mart. . . . Under her job description set by the store owner, deli clerks were not authorized to operate the store cash registers or the Oregon lottery machines located behind the counter in the store. . . . Unknown to the store owner, the store manager allowed deli clerks occasionally to operate the cash registers and lottery machines as backups when register clerks took breaks or when the store was unusually busy. . . . Company policy prohibited on-duty employees from purchasing or redeeming lottery tickets during their shift. . . .

About one year after [Nascimento] began working, her store manager fell significantly behind in reconciling the daily lottery sales with store cash receipts. . . . Eventually, internal auditing revealed significant shortages in receipts from Keno lottery games - a total of $16,923 between November 2008 and February 2009. . . . Before that period, the store experienced occasional shortages in lottery receipts, but they typically were for less than $20. . . . During the 11/08 to 2/09 span, daily shortages just from Keno sales ranged from $150 to $1300. . . .

The store owner reviewed employee timecards and some store video surveillance tapes and determined that the ‘severe shortages’ occurred only on Keno lottery receipts during shifts when [Nascimento] had been working. . . . Several of the surveillance videos showed [her] go from her work station behind the deli counter to the cash register and lottery machine (only at times when the register cashier was absent), use the lottery machine, and pocket the tickets. . . . The store owner confronted [Nascimento] with his suspicions and the surveillance videos, and she denied stealing any tickets; the store owner immediately fired her. . . .

The store owner contacted police to investigate these suspected thefts. . . . [Oregon State Police] Detective Owren, of the lottery security section, examined lottery records, store records, and store surveillance videotapes. . . . Lottery records showed an unusually large number of Keno ticket sales during [Nascimento’s] shifts - many of them maximum individual wagers of $100 per ticket. . . .

Many of those tickets were printed out back-to-back within seconds of each other, indicating that the same person had printed them. . . . All 82 of the $100 Keno tickets in this 4-month period were printed during [her] shifts. . . . No pattern of large sales of Keno tickets was seen during the times [Nascimento] was not working at the store. . . .

Detective Owren determined that some of the Keno tickets from the Tiger Mart were redeemed by mail, with the redeemer listing [Nascimento’s] name, address, and Social Security number. . . . Winning tickets paying out more than $600 must be redeemed by mail or in person from the lottery office; those with smaller prizes can be redeemed from any lottery retailer. . . . Clerks at a local Thriftway store near [her] home (and where [Nascimento’s] daughter formerly worked) reported that [she] cashed large lottery tickets at their store several times. (Tr 217, 253, 257). Based on his investigation, Detective Owren believed the loss in lottery sales to the Tiger Mart was $10,030.
Respondent’s Answering Brief, State v. Nascimento, 2012 WL 6892903.
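The detective’s method, correlating the lottery records with who was on shift and noticing tickets printed seconds apart, as an added example that is not from the opinion or the briefs: a small Python script that attributes each printed ticket to the shift during which it was printed and groups tickets printed within a few seconds of one another into bursts. The log format, the shift roster, the employee names and every figure below are constructed for the example; real lottery retailer reports do not look like this.

```python
"""Correlating terminal transactions with shift records.

Added example, not from the opinion or the briefs. The log format, the
shift roster, the names and every number below are constructed; real
lottery retailer reports look different.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed terminal sales log: '<ISO timestamp> <game> <wager in dollars>'
TERMINAL_LOG = """\
2009-01-10T14:02:11 KENO 5
2009-01-10T14:09:47 KENO 10
2009-01-10T20:15:02 KENO 100
2009-01-10T20:15:09 KENO 100
2009-01-10T20:15:16 KENO 100
2009-01-10T20:15:23 KENO 100
2009-01-11T09:30:00 KENO 20
2009-01-11T19:40:10 KENO 100
2009-01-11T19:40:18 KENO 100
"""

# Constructed shift roster: '<employee> <shift start> <shift end>'
SHIFT_ROSTER = """\
clerk_a 2009-01-10T06:00:00 2009-01-10T16:00:00
clerk_b 2009-01-10T16:00:00 2009-01-11T00:00:00
clerk_a 2009-01-11T06:00:00 2009-01-11T16:00:00
clerk_b 2009-01-11T16:00:00 2009-01-12T00:00:00
"""


def parse_tickets(text):
    """Return (timestamp, game, wager) tuples sorted by time."""
    tickets = []
    for line in text.splitlines():
        if line.strip():
            ts, game, wager = line.split()
            tickets.append((datetime.fromisoformat(ts), game, int(wager)))
    return sorted(tickets)


def parse_shifts(text):
    """Return (employee, start, end) tuples; a shift covers start <= t < end."""
    shifts = []
    for line in text.splitlines():
        if line.strip():
            name, start, end = line.split()
            shifts.append((name, datetime.fromisoformat(start),
                           datetime.fromisoformat(end)))
    return shifts


def on_shift(ts, shifts):
    """Employees whose shift covers ts. Several people can be on at once,
    so this attributes a ticket to a shift, not to a person."""
    return sorted(name for name, start, end in shifts if start <= ts < end)


def find_bursts(tickets, gap=timedelta(seconds=15), min_size=2):
    """Group consecutive tickets each printed within `gap` of the previous
    one. A run of prints seconds apart suggests a single operator."""
    bursts, current = [], []
    for ticket in tickets:
        if current and ticket[0] - current[-1][0] <= gap:
            current.append(ticket)
        else:
            if len(current) >= min_size:
                bursts.append(current)
            current = [ticket]
    if len(current) >= min_size:
        bursts.append(current)
    return bursts


def max_wagers_by_shift(tickets, shifts, max_wager=100):
    """Count maximum-wager tickets per employee who was on shift when
    each one printed."""
    counts = Counter()
    for ts, _game, wager in tickets:
        if wager == max_wager:
            for name in on_shift(ts, shifts):
                counts[name] += 1
    return dict(counts)


def burst_report(tickets, shifts):
    """One row per burst: start time, ticket count, dollars wagered, who was on."""
    return [(b[0][0], len(b), sum(w for _, _, w in b), on_shift(b[0][0], shifts))
            for b in find_bursts(tickets)]


if __name__ == "__main__":
    tix, shf = parse_tickets(TERMINAL_LOG), parse_shifts(SHIFT_ROSTER)
    print(max_wagers_by_shift(tix, shf))
    for row in burst_report(tix, shf):
        print(row)
```

A correlation like this points at a shift, not at a hand on the terminal, which is why the script returns everyone on shift rather than a single name. In the case itself it was the surveillance video and the mail-in redemptions bearing Nascimento’s own name and Social Security number that closed that gap; the transaction pattern only told the investigator where to look.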
Nascimento was, as noted above, charged with “one count of computer crime under Oregon Revised Statutes 164.377(4),” which provides that
[a]ny person who knowingly and without authorization uses, accesses or attempts to access any computer, computer system, computer network, or any computer software, program, documentation or data contained in such computer, computer system or computer network, commits computer crime.
State v. Nascimento, supra.
At her trial, when the prosecution rested its case, Nascimento
moved for a judgment of acquittal on the computer-crime count, arguing that her use of the lottery terminal was not ‘without authorization,’ because she had ‘implied if not direct authorization to use the machine * * *. And clearly [her] use of the lottery machine itself was with authorization.’ The trial court denied [her] motion.
State v. Nascimento, supra.
As the Court of Appeals noted, in Nascimento’s appeal she
reprises her argument that she was ‘authorized,’ as that word is used in Oregon Revised Statutes 164.377(4), ‘to use the lottery computer at [the store] because she was specifically given permission to do so by her direct supervisor, trained to do so by her supervisor, and expected to do so as part of her work duties.’

[Nascimento] argues that the statute cannot be applied to her conduct because ‘Oregon Revised Statutes 164.377(4) does not criminalize committing theft on a computer which a person is otherwise authorized to access’; rather, Nascimento asserts that that act is criminalized only under Oregon Revised Statutes 164.377(2)(c), a crime for which [she] was not charged. [Nascimento] argues that subsection (4) is expressly directed at unauthorized use or access of a computer, that is, the use of the device itself is unauthorized -- it is not directed at taking unauthorized actions on a computer that the person otherwise has authorization to access.
State v. Nascimento, supra (emphasis in the original).
The court went on to explain that the prosecution
does not deny that [Nascimento] had limited, implicit authorization from the store manager to access the lottery terminal to sell tickets to paying customers. However, the state responds that a jury could reasonably conclude that [her] use of the lottery machine was ‘without authorization’ because ‘she had no authorization to use the lottery computer to purchase a lottery ticket for herself during her work shift—much less to steal a lottery ticket by printing it and not paying for it.’

The state also points to the legislative history of § 164.377, which it argues demonstrates that the legislature intended to ‘criminalize instances where someone had authorization to use part of a computer system for some legitimate purpose but instead accessed other portions of the system.’ Citing Tape Recording, House Committee on Judiciary, Subcommittee 1, HB 2795, May 6, 1985, Tape 576 (statement of Sterling Gibson, General Telephone Co.).
State v. Nascimento, supra.
The Court of Appeals went on to explain that the case,
as argued by [Nascimento], boils down to whether Oregon Revised Statute 164.377(4) encompasses conduct that (1) only involves a person accessing a device itself without authorization or (2) also encompasses using a device, which the person otherwise has authorization to physically access, in a manner contrary to company policy or against the employer's interests.

Under the circumstances of this case, however, we need not resolve that issue. There is evidence in the record that [Nascimento’s] store manager gave [her] limited authorization to physically access the lottery terminal to only sell tickets to, and validate tickets for, paying customers and only when the counter employee was not available to do so.

This is not the case that [Nascimento] tries to make it out to be. This is not a case where [she] had general authorization to be on a computer to carry out her duties, but then used that computer in a manner that violated company policy—such as, to use [her] example, by playing solitaire during work hours.

For [Nascimento’s] duties, the lottery terminal had but one function: to sell and validate lottery tickets. There was evidence from which the jury could conclude that she was authorized to access the physical device itself—the lottery terminal—only to serve paying customers. Thus, even taking [her] construction of the statute, there was sufficient evidence in the record from which the jury could rationally conclude that [Nascimento] accessed the lottery terminal without authorization.
State v. Nascimento, supra.

You can, if you are interested, see a photo of Nascimento in the news story you can access here, which also explains that she was sentenced to “32 months in prison for stealing from two separate local employers.”

Wednesday, February 25, 2015

The 4th Amendment, the Search Warrant, the Network Investigation Technique

After Gary Reibert was charged “with the receipt and attempted receipt of child pornography (Count I) in violation of 18 U.S.Code § 2252A(a)(2) and (b)(1) and the accessing of a computer in interstate commerce with the intent to view child pornography (Count II) in violation of 18 U.S. Code § 2252A(a)(5)(B) during the period of November 16, 2012, and December 2, 2012”, he filed a motion to suppress certain evidence.  U.S. v. Reibert, 2015 WL 366716 (U.S. District Court for the District of Nebraska 2015).
The motion to suppress “sought to suppress evidence seized as a result of the issuance of a warrant to deploy a Network Investigative Technique (NIT) on a child pornographic website”.  U.S. v. Reibert, supra.  The opinion explains that on November 15, 2012,
Federal Bureau of Investigation Special Agent Jeffrey Tarpinian applied for and obtained a search warrant permitting the deployment of a NIT on a website. . . . Tarpinian noted the investigation concerned alleged violations of several statutes related to child pornography. . . .

Tarpinian explained Website A operated on an anonymity network, `The Onion Router’ (Tor), which protects users' privacy by masking a user's actual IP address. . . . The affidavit detailed an investigation undertaken to find and access Website A on the Tor network. . . . 

Tarpinian averred Website A is `dedicated to the advertisement and distribution of child pornography and the discussion of matters pertinent to the sexual abuse of children,’ extensively described the content of Website A, and explained how users accessed and used Website A. . . .

Tarpinian explained that each time a user of Website A accessed any page in particular sections of Website A, the NIT sent one or more communications to the user's computer which would then cause the receiving or activating computer to deliver to a computer known to or controlled by the government data that would help identify the computer accessing Website A, its location, its user, and other information about the computer. . . . Tarpinian disclosed the specific information the NIT would gather and explained the limits of the NIT. . . .
U.S. v. Reibert, supra. 
The opinion goes on to explain that on April 4, 2013, FBI Special Agent Andrea R. Kinzig
applied for and obtained a residential search warrant for Reibert's home at 1309 Kenton Way, Troy, Ohio 45373. . . . In the affidavit in support of the warrant, Kinzig provided extensive detail regarding an investigation into child pornography. . . .

Kinzig explained an internet account with IP address was identified as accessing Website A. . . . [She] described how Website A operated, how individuals accessed it, and what messages and images Website A contained, as in the type of and quantity of child pornography. . . . Further, Kinzig explained how law enforcement officers were able to investigate users of Website A. . . .

[L]aw enforcement discovered the user with the specifically identified IP address accessed pages on Website A that contained twelve separate message threads consisting approximately of 288 images of minors, at least one hundred of which consisted of child pornography images. . . . The content of four of the message threads were detailed extensively, including descriptions of the images found within. . . .

Subsequently, law enforcement learned the IP address was assigned to Reibert's home address. . . . A search on the internet revealed Reibert lived in the Dayton, Ohio, area and he possessed special skills, abilities, and expertise in the area of computer systems. . . . Kinzig stated in her experience, individuals who access child pornography maintain hard copies of child pornographic material. . . .

Kinzig stated the individual using the target IP address displayed characteristics common with individuals who access with intent to view child pornography. . . . The affidavit extensively described how child pornography can be accessed and maintained on computers and related devices. . . . 

Kinzig averred there was probable cause to believe evidence of crimes related to child pornography would be located at the subject premises. . .
U.S. v. Reibert, supra.  The news story you can find here provides background on “Website A” and the events that led to Reibert’s being apprehended.
In moving to suppress the evidence the government acquired by using the NIT, Reibert argued that he was
entitled to a Franks hearing on the issue of whether the affidavit in support of the warrant to employ the NIT failed to include evidence that negated probable cause. He also argues the government conducted a warrantless search of Reibert's computer by employing a NIT and contends he was entitled to present testimony of an expert, Tami Loehrs, on this issue. Further, he states the search warrant permitting the NIT was a general warrant and did not permit a search of Reibert's computer, nor was it a warrant authorizing a search of Reibert's computer.
U.S. v. Reibert, supra. 
As the opinion notes, the affidavit an officer submits to obtain a search warrant must
contain probable cause of four ingredients: time, crime, objects, and place. . . . When reviewing the sufficiency of an affidavit `[a] totality of the circumstances test is used to determine whether probable cause exists. Courts should apply a common sense approach and . . . determine whether probable cause exists.’  U.S. v. Hager, 710 F.3d 830 (U.S. Court of Appeals for the 8th Circuit 2013). . . .
U.S. v. Reibert, supra. 
As this site explains, a “Franks Hearing is a hearing to determine whether a police officer's affidavit used to obtain a search warrant that yields incriminating evidence was based on false statements by the police officer.” To get the hearing, the defendant must make a substantial preliminary showing that the affidavit included one or more statements the officer knew to be false, or made with reckless disregard for the truth, and that those statements were necessary to the finding of probable cause. If the defendant then proves that at the hearing, the false statements are set aside; if what remains of the affidavit does not establish probable cause, the warrant is voided and the evidence obtained by executing it is suppressed.
The U.S. District Court Judge rejected Reibert’s Franks argument, holding that the
affidavit in support of the NIT warrant contained sufficient probable cause to issue the NIT warrant. In the affidavit, Tarpinian averred, with detail, the contents of a specific website which contained messages and images related to the sexual exploitation of children and the offenses related to the viewing of such material. . . . Tarpinian explained how a user could access the material. . . .

Tarpinian stated the government would employ a NIT to identify the activating computer accessing the information, its location, and potentially the user of the computer. . . . Tarpinian then provided an explanation of how the NIT functions, the NIT's purpose and necessity, and the information the NIT would collect from activating computers. . . .

Further, Tarpinian explained, based on his training and experience, he believed there existed, on the activating computers, evidence of criminal activity related to the sexual exploitation of children. . . . The NIT was not a general warrant lacking particularity as it noted the specific offenses alleged, described the places to be searched, and described the information to be seized. Upon review of the totality of the circumstances, there existed probable cause to issue the NIT warrant. Contrary to Reibert's argument the NIT violated his right to be secure from unreasonable searches and seizures; law enforcement deployed the NIT pursuant to a search warrant supported by probable cause.
U.S. v. Reibert, supra. 
When Reibert filed his motion to suppress, the U.S. District Court Judge referred it to a U.S. Magistrate Judge, who drafted a Report & Recommendation in which the Magistrate Judge analyzed Reibert’s arguments for suppressing the evidence.  U.S. v. Reibert, supra.  The Magistrate Judge submitted the Report & Recommendation to the District Court Judge, who agreed with
the judge's conclusion that Reibert failed to make the substantial preliminary showing that law enforcement intentionally or recklessly omitted information from the warrant affidavit so as to entitle him to a Franks hearing. [Reibert] argues, in effect, that the government did not disclose in affidavits that it had installed a ‘trojan, in essence a virus, onto [defendant Reibert's] computer.’ . . .

[Reibert] made an offer of proof on the expert testimony [he] would proffer in support of that contention. . . . The court has reviewed the offer of proof and agrees with the magistrate judge that it does not satisfy the heavy burden of showing an intentional falsehood or omission. The court finds no error in the magistrate judge's denial of defendant Reibert's motion for a Franks hearing.
U.S. v. Reibert, supra. 
As to Reibert’s argument that the
expert testimony of Tami Loehrs, a purported computer forensics expert, would establish that the court-authorized deployment of the NIT constituted a warrantless search of his computer ‘that went into [the defendant's] house, modified the workings of his computer, in order to send back data to the government.’ . . . The magistrate judge sustained the government's objection to the expert's testimony on Daubert grounds, but allowed an offer of proof with respect to her testimony. . . .

The court finds no error in the magistrate judge's Daubert ruling. Loehrs conceded that she ‘had no idea’ whether ‘the investigative technique returned any more information than it was authorized.’ . . . She also conceded that flash applications are present on many websites and flash applications can reveal the IP and user. . . . Even if allowed, her testimony does little to undermine the information contained in the affidavit that supports the NIT warrant.
U.S. v. Reibert, supra. 

The District Court Judge therefore denied Reibert’s motion to suppress.  U.S. v. Reibert, supra. 

Monday, February 23, 2015

Websense, Jottacloud and the Computer Fraud and Abuse Act

This post examines an opinion a U.S. District Court Judge recently issued in a civil suit:  RLI Insurance Company v. Elisabeth Banks, 2015 WL 400540 (U.S. District Court for the Northern District of Georgia 2015).   The judge begins his opinion by explaining how the suit arose:
On May 20, 2013, the Defendant, Elisabeth Banks, began working for the Plaintiff, RLI Insurance Company (‘RLI’), as a Claim Examiner/Manager in [RLI’s] Atlanta, Georgia, office. [Banks] remained employed with [RLI] until March 25, 2014, when [RLI] terminated [Banks’] employment for performance related issues.  [RLI] maintains confidential, proprietary, and trade secret information on its computer systems and network.  

In order to protect this data, the computer system is equipped with software called Websense, which prohibits users from accessing certain websites, such as the cloud data storage site, Dropbox.  Additionally, [RLI] maintains a Code of Conduct and Information Protection Policy for all employees, which both require employees to keep the information confidential.

On January 2, 2014, [Banks] attempted to access Dropbox from [RLI’s] computer network, but her access was denied. [She] then used [RLI’s] computer system to research Dropbox alternatives, and at 8:02 P.M. on January 2, 2014, accessed a cloud data storage website called Jottacloud.

She then uploaded 757 customer claim files and other files containing proprietary information to her personal Jottacloud account between January 2, 2014, and her termination on March 25, 2014.  

On March 24, 2014, [RLI] specifically revoked [Banks’] permission to access the computer network, including the files and information therein.  Roughly twenty minutes after [RLI] revoked [Banks’] access, [she] sent an email from her RLI account to her personal account with eighty-eight confidential RLI emails attached.
RLI Insurance Company v. Elisabeth Banks, supra.
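The control RLI relied on, and the way the complaint says it was sidestepped, as an added example that is not from the opinion and is not Websense’s configuration or rule format: a denylist that blocks Dropbox by name lets through any storage site nobody thought to list, whereas an allowlist denies unknown destinations by default. The same script flags the two sequences the complaint describes, a blocked request followed within the hour by an allowed request to an unlisted host, and activity on an account after the time its access was revoked. Hostnames, usernames, timestamps and both log formats are constructed.

```python
"""Egress filtering by denylist versus allowlist, plus two detections.

Added example written for this post; it is not RLI's configuration,
Websense's rule format or anything from the opinion. Hostnames,
usernames, timestamps and log formats below are constructed.
"""
from datetime import datetime, timedelta

# Constructed denylist of the kind a filter carries for cloud storage.
# Anything not listed is permitted, which is what lets an alternative through.
STORAGE_DENYLIST = {"www.dropbox.com", "dropbox.com"}

# Constructed allowlist: only destinations with a known business purpose.
# Anything not listed is denied, including storage sites nobody thought of.
BUSINESS_ALLOWLIST = {"www.rli.example", "mail.rli.example",
                      "www.iso.example", "www.search.example"}


def denylist_decision(host):
    """Deny only listed hosts; unknown hosts pass."""
    return "deny" if host.lower() in STORAGE_DENYLIST else "allow"


def allowlist_decision(host):
    """Permit only listed hosts; unknown hosts are denied."""
    return "allow" if host.lower() in BUSINESS_ALLOWLIST else "deny"


def parse_log(text):
    """Parse constructed lines of four whitespace-separated fields:
    '<ISO timestamp> <user> <host or recipient> <action or count>'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, target, last = line.split()
            records.append((datetime.fromisoformat(ts), user, target, last))
    return sorted(records)


# Constructed web-proxy log (format invented for this example).
PROXY_LOG = """\
2014-01-02T19:58:12 employee_a www.dropbox.com DENY
2014-01-02T19:59:30 employee_a www.search.example ALLOW
2014-01-02T20:02:05 employee_a www.jottacloud.com ALLOW
2014-01-02T20:05:00 employee_b www.rli.example ALLOW
"""


def blocked_then_alternate(records, window=timedelta(hours=1)):
    """After a DENY, flag the same user's later ALLOWed requests, within the
    window, to hosts a business allowlist would not have permitted. The
    filter let them through; the sequence is what makes them interesting."""
    hits = []
    for i, (ts, user, host, action) in enumerate(records):
        if action != "DENY":
            continue
        for later_ts, later_user, later_host, later_action in records[i + 1:]:
            if later_ts - ts > window:
                break
            if (later_user == user and later_action == "ALLOW"
                    and allowlist_decision(later_host) == "deny"):
                hits.append((user, host, later_host))
    return hits


# Constructed mail-gateway log:
# '<ISO timestamp> <sender account> <recipient> <attachment count>'
MAIL_LOG = """\
2014-03-24T09:15:00 employee_a colleague@rli.example 1
2014-03-24T10:20:00 employee_a personal@mail.example 88
2014-03-24T10:25:00 employee_b colleague@rli.example 0
"""

# Constructed deprovisioning record: when each account's access was revoked.
REVOKED_AT = {"employee_a": datetime(2014, 3, 24, 10, 0, 0)}


def post_revocation_activity(records, revoked_at):
    """Any event by an account at or after its revocation time means the
    revocation did not take effect on that system (here, the mail gateway)."""
    return [r for r in records
            if r[1] in revoked_at and r[0] >= revoked_at[r[1]]]


if __name__ == "__main__":
    for host in ("www.dropbox.com", "www.jottacloud.com"):
        print(host, denylist_decision(host), allowlist_decision(host))
    print(blocked_then_alternate(parse_log(PROXY_LOG)))
    print(post_revocation_activity(parse_log(MAIL_LOG), REVOKED_AT))
```

The “blocked then alternate” heuristic only stays quiet here because every legitimate destination in the sample is on the allowlist; in a shop that actually runs a denylist it will fire on every unlisted site, and a URL category feed or a short list of known storage providers belongs in place of the allowlist check. The post-revocation check is the sturdier of the two: if a revoked account can still send mail twenty minutes later, the revocation was incomplete, and the mail system should have been on the deprovisioning list alongside network access.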
RLI then
filed its Verified Complaint on April 15, 2014, seeking damages and injunctive relief on various state law grounds as well as under the federal Computer Fraud and Abuse Act (‘CFAA’).

On April 16, 2014, this Court granted [RLI] a temporary restraining order, ordering [Banks] to return all RLI documents in her possession and allow RLI to inspect her Jottacloud account as well as her personal computers, tablets, and other devices. [Banks] now moves to dismiss [RLI’s] claims.
RLI Insurance Company v. Elisabeth Banks, supra.  The article you can find here explains what a Complaint is, and the role it plays in U.S. civil practice.
And as the article you can find here explains, the CFAA 
is a criminal statute that provides a civil cause of action for anyone whose computer system or network has been damaged or accessed without authorization, provided certain requirements are met. Although traditionally thought of as a form of relief for those who fall victim to computer ‘hackers,’ the Act has seen increased use in the employer-employee context.
The judge began his analysis of Banks’ motion to dismiss by explaining that a
complaint should be dismissed under Rule 12(b)(6) only where it appears that the facts alleged fail to state a ‘plausible’ claim for relief.  A complaint may survive a motion to dismiss for failure to state a claim, however, even if it is ‘improbable’ that a plaintiff would be able to prove those facts; even if the possibility of recovery is extremely ‘remote and unlikely.’

In ruling on a motion to dismiss, the court must accept the facts pleaded in the complaint as true and construe them in the light most favorable to the plaintiff.  Generally, notice pleading is all that is required for a valid complaint. Under notice pleading, the plaintiff need only give the defendant fair notice of the plaintiff's claim and the grounds upon which it rests.
RLI Insurance Company v. Elisabeth Banks, supra.
He then took up Banks’ argument that the judge should dismiss RLI’s
claims for conversion, breach of the duty of loyalty, breach of fiduciary duty, tortious interference, and violation of the Georgia Computer Systems Protection Act (‘GCSPA’) as preempted by the Georgia Trade Secrets Act (‘GTSA’). The GTSA preempts all conflicting state laws providing civil remedies or restitution for the misappropriation of trade secrets.  

The Georgia Supreme Court has held that ‘[f]or the GTSA to maintain its exclusiveness, a plaintiff cannot be allowed to plead a lesser and alternate theory of restitution simply because the information does not qualify as a trade secret under the act.’

It is immaterial whether the information at issue qualifies as a trade secret under the GTSA, ‘[r]ather the key inquiry is whether the same factual allegations of misappropriation are being used to obtain relief outside the GTSA.’  This Court therefore must address whether the Plaintiff's state law claims rely upon factual allegations of misappropriation of trade secrets.

First, as to the Plaintiff's claim for conversion, the Complaint clearly alleges that the claim is based on the Defendant's alleged misappropriation of ‘Proprietary Information and Consumer Claim Files.’ The claim for conversion is therefore preempted and should be dismissed. 

Similarly, the claim for breach of the duty of loyalty is based on misappropriation of the same information, and should be dismissed.

The claim for breach of fiduciary duty is also based on the misappropriation of confidential information, and is therefore preempted and should be dismissed. Finally, the GCSPA claim relies on misappropriation of the confidential information as well, and it should be dismissed as preempted.
RLI Insurance Company v. Elisabeth Banks, supra.
Next, the judge took up Banks’ motion to dismiss RLI’s
claim for breach of contract, arguing that no contract existed here. As a threshold matter, the Court notes that the claim for breach of contract is not preempted by the GTSA, unlike [RLI’s other] state law claims.

A claim for breach of contract requires a valid contract, material breach of the terms of that contract, and damages arising from the breach. The Georgia Court of Appeals has held that violations of employee manuals are generally not actionable as a breach of contract.

Where the statements in employee manuals are merely expressions of `certain policies and information concerning employment’ as opposed to language clearly creating a contract, there can be no action for breach of contract.

Here, [RLI] alleges breaches of the Employee Code of Conduct and the Information Protection Policy -- both employee policy manuals.  These manuals simply contain policies and information concerning employment and therefore do not constitute contracts. The claim for breach of contract should therefore be dismissed.
RLI Insurance Company v. Elisabeth Banks, supra.
And, finally, the District Court Judge took up Banks’ motion to dismiss RLI’s
claim for violation of the CFAA on the grounds that [she] was authorized to access the information obtained and that [RLI] has no damages.

The CFAA requires proof that the defendant ‘intentionally accesses a computer without authorization or exceeds authorized access’ and obtains information from any protected computer.  Additionally, the plaintiff must show a loss of at least $5,000 in a one-year period.  

[RLI] has alleged facts that, if true, would show that [Banks] accessed a computer without authorization when she accessed her email after her computer privileges were revoked and exceeded her authorization when she uploaded files to Jottacloud. [RLI] has also pleaded damages exceeding $5,000. [Banks’] motion to dismiss the CFAA claim should therefore be denied.

RLI Insurance Company v. Elisabeth Banks, supra.
So the judge granted Banks’ motion to dismiss in part and denied it in part, which means that the suit continues, at least for now.  RLI Insurance Company v. Elisabeth Banks, supra.