Tuesday, February 13, 2007

Jurisdiction, Fraud and the Fake Soldier

In law, jurisdiction is a court’s ability to act in a case, i.e., to hear evidence and enter a judgment. In criminal law it’s a court’s power to adjudicate the charges brought against someone.

People often wonder if jurisdiction is a problem in cybercrime cases because the conduct involved in committing a cybercrime can cross sovereign borders. That is, as we all know, cybercrime can be committed state-to-state in the United States, say, or across two or more different countries.

This is significant because jurisdiction has historically been based on someone’s physical presence in a particular sovereign entity (nation-state or, in a federal system like the U.S. in a constituent state of a nation-state). The idea goes way, way back in history.

At English common law, jurisdiction to prosecute was based on having custody of the alleged offender; it really didn’t matter how the officials got hold of that person as long as they had him. This historical principle still runs through much of our law of jurisdiction, so jurisdiction in civil and criminal cases is often predicated on one’s “presence” in the jurisdiction that seeks to prosecute.

What we have done, though, is to dramatically expand what “presence” is. It can be physical presence or it can be an attenuated version of physical presence: the notion that by engaging in conduct outside a state or nation-state one had a particular, foreseeable “effect” within that sovereign entity.

This attenuated, expanded notion of “presence” emerged in civil law as a byproduct of the expansion of interstate commerce across state (and national) boundaries last century; it has since migrated into criminal law. So what you see in modern criminal law are statutes that give the courts of a sovereign the ability to prosecute someone whose conduct resulted in the infliction of “harm” inside the state, even though the perpetrator was never actually “in” that state. Here’s an example, from Arkansas: “A person may be convicted under a law of this state of an offense committed by his or her . . . conduct . . . if. . . [e]ither the conduct or a result that is an element of the offense occurs within this state”. Arkansas Code § 5-1-104(a)(1).

To show you how a provision like that works, let’s consider a recent case from Arkansas, Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007). Here are the facts, as given by the court of appeals:
Christopher Joe Powell . . . . a resident of Georgia, met Vanneise Collins, a resident of Drew County, Arkansas, on an internet website for singles. Over the course of several months, the two engaged in lengthy e-mail and telephone communications, striking up a romance. The romance culminated in three face-to-face meetings in Georgia, and ultimately, a marriage proposal. Throughout the course of their romance, [Powell] made certain representations about himself that proved to be wholly fabricated, such as his being unmarried, being in the army, and being deployed in Iraq during portions of the time he and Collins were in contact. Collins made concrete marriage plans, such as putting a deposit down on a wedding dress and mailing out wedding invitations. All the while, Collins sent [Powell] money when he asked, via Western Union, for a variety of reasons, including new golf clubs, property taxes on inherited property, medical bills, a new military dress uniform, and to `grease palms’ while being separated from his unit in Iraq. [Powell] obtained about $15,000 from Collins. When she began to doubt him, she verified that there was no record of him being in the military and eventually went to the police.
Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007).

Powell was charged with, and convicted of, theft and computer fraud.
  • The theft charge was based on a statute that defines “theft” as using “deception” to obtain the property of another person. Arkansas Code § 5-36-103.
  • The computer fraud charge was based on a statute that defines “computer fraud” as using a computer or computer network to “devise” or execute a “scheme or artifice to defraud, i.e., to obtain “money, property, or a service with a false or fraudulent intent, representation, or promise. Arkansas Code § 5-41-103.
They may seem like the same offense, but the law would distinguish them on the premise that each contains a element the other does not. So the theft charge does not require the use of a computer and the computer fraud charge reaches conduct that is slightly different from theft, i.e., it requires false representations. (That’s essentially it, though it is a little more complicated.)

In his appeal, Powell didn’t focus on the similarity of the charges but on the issue of jurisdictoin: Powell claimed " the trial court erred in asserting jurisdiction over this matter, contending that all elements of the offenses charged occurred outside the territorial jurisdiction of Arkansas.” Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007). The Court of Appeals noted it was “undisputed that appellant never entered the State of Arkansas until such time as he was arrested and transported to Arkansas to answer the criminal charges of theft and computer fraud in Drew County.” Powell v. State, supra.

Powell actually had a pretty creative argument. Here is what he said:
Appellant claims that . . . these crimes are defined by the conscious act of the wrongdoer. Cousins v. State, 202 Ark. 500, 151 S.W.2d 658 (1941), provides that if a crime covers only the conscious act of the wrongdoer, regardless of its consequences, the crime takes place and is punishable only where he acts. Therefore, appellant argues that the conduct of obtaining the property of another by deception and accessing a computer system or network, occurred in Georgia.

He argues that he only sent an e-mail from Georgia through the network to Arkansas, which the complainant then accessed in Arkansas. The scheme was devised in Georgia, and the money was obtained in Georgia. . . . He claims that because the legislature defines these offenses as the purpose of the wrongdoer, all elements of the crimes occurred in Georgia, outside the territorial jurisdiction of Arkansas.
Powell v. State, supra.

The Arkansas Court of Appeals, not surprisingly, disagreed:
The State alleges that Ark.Code Ann. § 5-1-104(a)(1) controls because the State can show that the conduct or result that is an element of the offense occurred within Arkansas. We agree. Appellant sent e-mail correspondence to Collins and contacted her by telephone while she was in Arkansas. During the course of those communications, appellant actively deceived Collins into sending him money. Moreover, appellant caused Collins to access her computer by virtue of his e-mail correspondence, for the purpose of obtaining money with a false or fraudulent intent, representation, or promise. The deception and promises were his extensive fabrications. We hold, therefore, that substantial evidence existed to support the trial court's finding that it had jurisdiction in the instant case.
Powell v. State, supra.

The Court of Appeals therefore affirmed Powell’s conviction, which presumably means he will now serve the sentence the trial court imposed on him: “eight years' imprisonment for theft of property, five years' imprisonment suspended for theft of property, six years' imprisonment for computer fraud, and three years' imprisonment for failure to appear for trial on August 24, 2005.”

The approach the Arkansas court took in this case is common in other US cases, both state and federal, and is the predominant approach in cybercrime cases internationally. Any other result would let someone commit cybercrimes with complete impunity, as long as they targeted people in another country.

Sunday, February 04, 2007

Can you trust your network?

As you may know, law enforcement officers are using file-sharing programs like Limewire to search people’s hard drives for child pornography.

This summary of facts from a recent case – United States v. O’Rourke, 2007 WL 104901 (U.S. District Court for the District of Arkansas – gives you an idea how this works:
Defendant O'Rourke came to the attention of the FBI on January 3, 2005, when Special Agent Robin Andrews conducted an undercover investigation of people involved in the possession and distribution of child pornography. . . . Conducting a search through the peer-to-peer Internet file sharing software known as `Limewire,’ Agent Andrews downloaded images of child pornography from Defendant's computer. . . . The FBI was able to identify Defendant through his Internet Protocol address and a subpoena of his Internet Service Provider, and subsequently obtained a search warrant for Defendant's home and computer. . . . The search warrant was executed on February 22, 2005, and Defendant's computer was found to contain 46 movie files and several hundred still images of child pornography. . . . The Government alleges that these movies and images were saved on Defendant's hard drive and were available to be downloaded over the Internet by others using Limewire software. . . .

The Government seized Defendant's computer and presented evidence to a federal grand jury. The grand jury indicted Defendant. . . .
Here’s a summary of what happened in a similar case involving a search by a state officer:
[T]his case began on February 28, 2005, when at 4:35 p.m., Trooper Robert Erderly of the Pennsylvania State Police was logged onto a computer located at the Pennsylvania State Police barracks in Indiana, Pennsylvania. . . .

Installed on the computer. . . was a file-sharing software program called Phex. Trooper Erdely used the Phex program to search for files on the Gnutella network.. BearShare and LimeWire are other such file-sharing software programs. . . .

The Gnutella network, BearShare, Phex and LimeWire share all types of files, including music, movie, photograph/still image, and text files. . .

On February 28 2005, the defendant, Arthur Abraham, was logged on to his computer at his residence at 3129 West Queen Lane, Philadelphia, Pennsylvania, and running a peer-to-peer file-sharing program called BearShare, version 4.6.3. . . .Once BearShare is installed, any file a person chooses to share is available to anyone on the Gnutella network. Every computer that is running this Gnutella network can participate in the sharing of the files. In order to install . . . the BearShare program . . . the defendant had to have accepted the terms of an end user software licensing agreement. With this agreement, the user acknowledges that he is using a file sharing program which can be used both to download files and to send files out over the Internet, i.e. share files. . . .

Returning to . . . February 28, 2005, the. . . defendant had to have his computer on and be using the "share the files in the library" option . . . when Trooper Erdely did his search because Trooper Erdely found the file being shared and was able to download it from the defendant's computer. . . .

Trooper Erdely knew that there was a movie file that was being shared across the Internet which is named Hindoo. Utilizing the Phex program, he searched the word Hindoo and got a number of hits. Once the result of Trooper Erdely's search came up, the Internet Protocol ("IP") addresses of those sharing the files on which Trooper Erdely got a hit were visible.

One of the IP addresses from one of Trooper Erdely's hits was an IP address belonging to Verizon Internet service. The IP was . . . The complete name of the file being shared by IP was (Hussyfan)(pthc) (r@ygold) (babyshivid) Hindoo4.mpg. Exhibit 5, unnumbered page 2.

Trooper Erdely obtained a state court order compelling Verizon to tell him who was the subscriber with the IP address Verizon informed Trooper Erdely that the subscriber of that service at that date and time was . . . Arthur Abraham of 3129 West Queen Lane, Philadelphia, Pennsylvania 19129.

Trooper Erdely downloaded the file "Hindoo" that IP address was sharing onto a CD Rom. The file on the CD Rom that Trooper Erdely downloaded from IP address contains child pornography as prohibited by law. . . .

On March 17, 2005, a warrant was obtained to search the defendant's house at 3129 West Queen Lane, Philadelphia, Pennsylvania 19129. . . .
United States v. Abraham, 2006 WL 3052702 (U.S. District Court for the Western District of Pennsylvania 2006).

I find many things interesting about how law enforcement officers are using file-sharing programs to hunt for child pornography, but the one I want to focus on here wasn’t raise in the opinions in either of these cases, nor was it raised in the four other similar cases that are reported in Westlaw.

The issue is the Fourth Amendment which, as I’ve noted before, protects us from the government’s conducting “unreasonable” searches and seizures. The issue that would determine the applicability of the Fourth Amendment to the conduct of Agent Andrews and Trooper Erdely is whether what they did resulted in a “search” or a “seizure.”

As I’ve said before, a Fourth Amendment search is law enforcement’s intruding into a place, or an activity, in which the person has a “reasonable expectation of privacy.” You have a reasonable expectation of privacy in a place – your home, say – if (a) you think it’s private (subjective expectation) and (b) society agrees it is reasonable for you to think that (objective expectation). The home, of course, is clearly private – we all think our homes are private and our society emphatically agrees. That doesn’t mean law enforcement officers can’t search our homes; it just means they have to get a search warrant to do so.

The computers in both of these cases were in homes. Was it, then, a search for the law enforcement officers to access the hard drives on the computers to locate and copy a file or files (which, arguably, is a seizure)?

On the one hand, you could argue it was a search because we have an intrusion – a virtual kind of intrusion – by law enforcement into someone’s home. On the other hand, you can argue this is not a search because O’Rourke and Abraham both “opened the door” for law enforcement officers to “enter” their computers by installing and using the file-sharing software.

That is, as to the second argument, you can argue that (a) neither O'Rourke nor Abraham could have had a subjective expectation of privacy in their hard drives because they knew they were using file-sharing software and were online and (b) regardless of what they thought, society would not accept the notion that their hard drives were private given their use of that software. Society, in other words, would see their using the file-sharing software as the equivalent of my (hypothetically) putting my favorite marijuana plant (purely hypothetical) on a table next to the large window on the front of my house and pulling back the curtains so it could get plenty of sun. It would not be a search for a police officer to walk by and see the marijuana plant -- I gave up any expectation of privacy I had with regard to the plant by putting it on public display.

I assume none of the defendants raised the Fourth Amendment argument because they thought it would fail . . . or maybe they did raise it unsuccessfully and the courts simply did not issue a published opinion on that issue. I can see why the second argument would probably prevail . . . there's a long line of cases which say that if you engage in criminal activity with other people, don't complain if one of them turns out to be a snitch or, worse yet, an undercover FBI agent.

It seems to me, thought, that the second argument against law enforcement's using file-sharing software to explore people's hard drives raises a larger, perhaps more difficult issue: If I link my computer to a network, have I lost any Fourth Amendment expectation of privacy in the contents of my hard drive?

Healthy paranoia . . .

I don’t know about you, but for a while, a couple of weeks ago, I was being bombarded with emails telling me I’d won the UK National Lottery . . . which was pretty astonishing, given that I hadn’t played.

The emails were, of course, a scam . . . scam spam. The initial email says you’ve won a million or three British pounds in the lottery, and all that needs to be done now is to arrange for transfer of the funds to you, the lucky winner. I didn’t follow up on any of the emails, of course, but from what I’ve seen online the ultimate goal is to get you to send personal and bank account information to the scammers, who will presumably then use that to clean out any accounts you happen to have.

Seems pretty obvious, doesn’t it? They all – all of the 419 and other spam scams – seem pretty obvious to those of us who congratulate ourselves on being too clever to be taken in, but they must be working on some subset of the population or they wouldn’t keep cropping up in new and more or less creative guises.

And that brings me to my point. According to Wikipedia, Barnum’s Law is “You’ll never go broke underestimating the intelligence of the American public.” I’d modify that a bit for our online environment, so that it emphasizes complacency instead of intelligence (or the lack thereof).

What I find interesting about the UK lottery and all the other online scams is that ANYONE would be foolish enough to trust something that comes to them out of the blue from a purely unknown source . . . and yet people do. I’m reminded of a story I heard a few days ago, from a law enforcement officer who deals with cybercrime. He told me about overhearing another officer, who works with online fraud, having a conversation with an online fraud victim. That officer had apparently heard too much from victims of transparently fraudulent online scams because at one point he said to the victim, “I know $3,000 is a lot of money, sir . . . that’s why I wouldn’t sent it to Romania.”

Why would anyone do that? Why would anyone send money out into the ether to an unknown someone in an unknown someplace and not expect to be scammed?

It goes back to my comment about complacency. The picture accompanying this post is, obviously, the interior of a prison. The point is crime control: For roughly a century and a half, we have been relying exclusively on cadres of professional law enforcement officers to keep crime under control in our societies.

We do not, indeed, cannot, eliminate crime; our goal therefore is simply to keep it within manageable levels so citizens can go about their daily, legitimate activities with relatively little risk of being victimized. We control crime by having dedicated professionals who apprehend criminals (most of whom are notably inept when it comes to evading identification and capture), who are charged, tried, convicted and sentenced to serve time in places like the prison in the picture. The premise is that this controls crime by (i) deterring and incapacitating the particular criminal for the time he/she is locked up and (ii) deters others from emulating his/her criminal activity by making an example of this person. It’s not a perfect strategy, but it has worked satisfactorily in the real-world since it became the dominant model well over a century ago.

The problem for the online environment is that the dominance of this law enforcement crime control model in the real-world means that the average individual takes absolutely no responsibility for crime control. That is the police’s job, not mine – if my house is robbed because (hypothetically) I was foolish enough to leave my front door unlocked when I went to work, I can still call the police and they will still make a good-faith effort (maybe not their best effort, but an effort) to find the thief. The point is that my lack of responsibility, my failure to take even minimal precautions to protect my property, is irrelevant. In the civil law of torts, we have a doctrine called assumption of the risk, which can negate liability; so, basically, if I go bungee jumping knowing I have a fractured vertebrae, and wind up a paraplegic, I can’t recover from the bungee jumping people because I assumed the risk of my injury.

We don’t have that principle in criminal law, because a crime is an offense against the state, not against the victim. That being the case, the victim’s stupidity or irresponsibility is irrelevant – the state still needs to go after the criminal for the reason I noted above: to deter/incapacitate him/her and to deter others from following his/her example.

The result of all that, I submit, is a level of complacency. Most of us give little, if any, thought to the threat of being victimized by a criminal as we go about our daily lives. We may have alarm systems in our houses and cars and offices, but that, again, is a type of delegation – I don’t have to think about security, I delegate it to the professionals who will take care of it for me.

Then we go online.

There isn’t anyone to whom we can delegate the responsibility for protecting us when we are online. Unless and until there is (which I’m not sure I want to see – I tend to like the idea that cyberspace is a raucous place with varied experiences, good and bad), we will have to take care of ourselves online. And that brings me back to the title of this post: healthy paranoia.

My sense is that people sixty, eighty, a hundred years ago were much less complacent and much more likely to be skeptical of strangers and their strange offers . . . and that the same was true for much of human history. Now, part of that would have bee a function of pure provincialism – the stranger coming to a small town/village would have been met with suspicion by people who seldom encountered anyone they had not known for years. But I also think much of it, particularly in more urbanized societies, was due to sad experience with face-to-face fraudsters. “The Big Con” by David Maurer, a book that was originally published in 1940 and was reprinted recently, describes the various types of scams real-world con artists used on civilians in the first several decades of the twentieth-century. Many of the scams had their roots in scams that went back centuries.

The success of those scams throughout history tells us there have always been, and no doubt will always be, people who fall for what is clearly too-good-to-be-true. I suspect, though, that the combination of the online environment and our pretty much surrendering responsibility for protecting ourselves from crime has led us, as a population, to be more susceptible to con artists than people were in the past.

If you don’t believe me, consider the story I described above: The person sent $3,000 to someone he knew nothing about in a country (Romania) known for harboring cybercrime . . . and expected a local police officer to get the money back and bring the perpetrator to justice. None of that computes, none of that works, none of that makes any sense at all . . . except, maybe the last part. This person, I would argue, did not exercise health paranoia in assessing the too-good-to-be-true offer from Romania because he assumed (i) that it was legitimate and (ii) that if it was not, law enforcement would take care of it.

It wasn’t, they can’t . . . and somehow people have to realize that.