Tuesday, June 13, 2006

E-hijacking

According to a story posted on FleetOwner late last year, a shipment of computer tapes containing banking records belonging to Citigroup was "e-hijacked" as it was in transit to an Experian credit bureau in Texas.

The tapes were being shipped via UPS but, the story says, were diverted in transit. It says the shipment's electronic manifest was altered while the shipment was in transit, so that the tapes were delivered to an address other than the address for which they were destined. The story also says that the manifest was restored to its original form after the tapes were delivered, to make it appear that standard procedures had been followed. It does not explain how the alteration and mis-delivery were discovered.

A couple of months later, UPS issued a denial, saying that the tapes were not e-hijacked. UPS maintained that the boxes containing the tapes broke open in transit and the contents were "inadvertently thrown away."

I tend to suspect that the original story was true and that the tapes were, in fact, e-hijacked, but I tend to be cynical about these things. And I could be wrong -- it's been known to happen.

If something like this did happen, it would raise some interesting legal issues, so let's assume, for the sake of discussion, that things went as the original story said -- that someone altered the UPS manifest and the tapes were mis-delivered to, say, a warehouse where people responsible for the alteration took delivery of them and then disappeared. It would be quite easy to rent or "borrow" a warehouse for this purpose, I suspect.

Some of the stories about this reported e-hijacking focused on how it was done, on whether it took an army of "outside" hackers to alter the manifest or whether it was done by an "insider" who might or might not have had some outside help. I tend to lean to the "insider" theory, if only because it would be much simpler, much cleaner than having to mount an external attack. If I were doing something like this (which, of course, I would not, but it is always interesting to play crook in one's mind), I would use an insider because I think that would minimize the chance of the alteration's being spotted. If you used outside hackers, their efforts to crack the system and their ultimate success in doing so might be noticed, might call attention to what was going on. I'd definitely go with the insider, myself . . . but that is not what I want to talk about.

Being a lawyer, I am fascinated by what, if any, "crime" our hypothetical e-hijackers would have committed.

The original story assumed that this e-hijacking constituted "theft," but I am not so sure. Legally, "theft" consists of taking someone's property without their consent; theft statutes often note that the thief takes the property with the intent to deprive the owner of its possession and use. We more commonly refer to theft as "stealing."

Here, our (hypothetical) e-hijackers did not take the property from anyone without consent. They (hypothetically) took the tapes from UPS, to which Citigroup had given them for the purposes of shipment; that is what's called a bailment, and it basically means that UPS stands in Citigroup's shoes. So, if our hypothetical hijackers had pulled a "Sopranos"-style hijacking and had men with guns stop the truck, order the driver out, order him to open the cargo area, hold him at bay with rifles and then go into the truck and take the boxes with the tapes over his protests, we would have "theft."

That's not what happened. What happened (hypothetically) is that UPS consensually handed the tapes over to our (hypothetical) e-hijackers, not realizing that they were being mis-delivered. (The premise of the original story is that UPS thought it was delivering the tapes to Experian, which was their legitimate destination.) It's not stealing if you voluntarily hand over property to someone who, unbeknownst to you, is not authorized to receive it.

English common law had to deal with this problem many centuries ago: People being charged with theft made a similar argument when what they had done was to trick the victim into giving them property/money -- the twelfth-century version of selling the Brooklyn Bridge. Courts finally recognized that, in fact, this was not theft . . . but they still perceived it as being "wrong." So they created a new kind of crime: larceny-by-trick (or theft-by-trick), which has come down to us as "fraud." Like the thief, the fraudster gets property to which he/she is not legitimately entitled; unlike the thief, the fraudster does not take the property but, instead, convinces the victim to hand it over. So, it seems more likely that our (hypothetical) e-hijackers committed fraud.

Who, though, did they defraud? We said above that since Citigroup gave the tapes to UPS for the purpose of delivering them to Experian, UPS essentially stood in Citigroup's shoes while it had the tapes. That is, UPS effectively represented the "owner" of the property while it was in transit to Experian. Okay, that tells us who the "owner" of the property was at the moment it was (hypothetically) diverted from Experian to the (hypothetical) e-hijackers. But who, precisely, did they defraud? Who did they trick? The deception that, at least hypothetically, resulted in the transfer of possession of the tapes from UPS to the e-hijackers was not directed at a person; it was directed at a computer, more specifically, at the UPS computer which issued/processed the manifest for the shipment. If this story were true, and if, as seems unlikely, the e-hijackers were apprehended, would it be permissible to charge them with fraud based on their having deceived a computer?

Logically, I see no reason why we could not construct such a charge . . . but I suspect that if we did so, the defendants would move to dismiss, arguing that the law is and always has been that "fraud" consists of deceiving a person so that person hands property over to the fraudster. I'm not sure, at this point, that we actually need to revise our fraud laws to encompass this scenario, but I think it is an issue we might want to consider . . . because if e-hijacking really did not occur in this instance, it will.

