Tuesday, February 13, 2007

Jurisdiction, Fraud and the Fake Soldier

In law, jurisdiction is a court’s ability to act in a case, i.e., to hear evidence and enter a judgment. In criminal law it’s a court’s power to adjudicate the charges brought against someone.

People often wonder if jurisdiction is a problem in cybercrime cases because the conduct involved in committing a cybercrime can cross sovereign borders. That is, as we all know, cybercrime can be committed state-to-state in the United States, say, or across two or more different countries.

This is significant because jurisdiction has historically been based on someone’s physical presence in a particular sovereign entity (nation-state or, in a federal system like the U.S. in a constituent state of a nation-state). The idea goes way, way back in history.

At English common law, jurisdiction to prosecute was based on having custody of the alleged offender; it really didn’t matter how the officials got hold of that person as long as they had him. This historical principle still runs through much of our law of jurisdiction, so jurisdiction in civil and criminal cases is often predicated on one’s “presence” in the jurisdiction that seeks to prosecute.

What we have done, though, is to dramatically expand what “presence” is. It can be physical presence or it can be an attenuated version of physical presence: the notion that by engaging in conduct outside a state or nation-state one had a particular, foreseeable “effect” within that sovereign entity.

This attenuated, expanded notion of “presence” emerged in civil law as a byproduct of the expansion of interstate commerce across state (and national) boundaries last century; it has since migrated into criminal law. So what you see in modern criminal law are statutes that give the courts of a sovereign the ability to prosecute someone whose conduct resulted in the infliction of “harm” inside the state, even though the perpetrator was never actually “in” that state. Here’s an example, from Arkansas: “A person may be convicted under a law of this state of an offense committed by his or her . . . conduct . . . if. . . [e]ither the conduct or a result that is an element of the offense occurs within this state”. Arkansas Code § 5-1-104(a)(1).

To show you how a provision like that works, let’s consider a recent case from Arkansas, Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007). Here are the facts, as given by the court of appeals:
Christopher Joe Powell . . . . a resident of Georgia, met Vanneise Collins, a resident of Drew County, Arkansas, on an internet website for singles. Over the course of several months, the two engaged in lengthy e-mail and telephone communications, striking up a romance. The romance culminated in three face-to-face meetings in Georgia, and ultimately, a marriage proposal. Throughout the course of their romance, [Powell] made certain representations about himself that proved to be wholly fabricated, such as his being unmarried, being in the army, and being deployed in Iraq during portions of the time he and Collins were in contact. Collins made concrete marriage plans, such as putting a deposit down on a wedding dress and mailing out wedding invitations. All the while, Collins sent [Powell] money when he asked, via Western Union, for a variety of reasons, including new golf clubs, property taxes on inherited property, medical bills, a new military dress uniform, and to `grease palms’ while being separated from his unit in Iraq. [Powell] obtained about $15,000 from Collins. When she began to doubt him, she verified that there was no record of him being in the military and eventually went to the police.
Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007).

Powell was charged with, and convicted of, theft and computer fraud.
  • The theft charge was based on a statute that defines “theft” as using “deception” to obtain the property of another person. Arkansas Code § 5-36-103.
  • The computer fraud charge was based on a statute that defines “computer fraud” as using a computer or computer network to “devise” or execute a “scheme or artifice to defraud, i.e., to obtain “money, property, or a service with a false or fraudulent intent, representation, or promise. Arkansas Code § 5-41-103.
They may seem like the same offense, but the law would distinguish them on the premise that each contains a element the other does not. So the theft charge does not require the use of a computer and the computer fraud charge reaches conduct that is slightly different from theft, i.e., it requires false representations. (That’s essentially it, though it is a little more complicated.)

In his appeal, Powell didn’t focus on the similarity of the charges but on the issue of jurisdictoin: Powell claimed " the trial court erred in asserting jurisdiction over this matter, contending that all elements of the offenses charged occurred outside the territorial jurisdiction of Arkansas.” Powell v. State, 2007 WL 104103 (Arkansas Court of Appeals, January 17, 2007). The Court of Appeals noted it was “undisputed that appellant never entered the State of Arkansas until such time as he was arrested and transported to Arkansas to answer the criminal charges of theft and computer fraud in Drew County.” Powell v. State, supra.

Powell actually had a pretty creative argument. Here is what he said:
Appellant claims that . . . these crimes are defined by the conscious act of the wrongdoer. Cousins v. State, 202 Ark. 500, 151 S.W.2d 658 (1941), provides that if a crime covers only the conscious act of the wrongdoer, regardless of its consequences, the crime takes place and is punishable only where he acts. Therefore, appellant argues that the conduct of obtaining the property of another by deception and accessing a computer system or network, occurred in Georgia.

He argues that he only sent an e-mail from Georgia through the network to Arkansas, which the complainant then accessed in Arkansas. The scheme was devised in Georgia, and the money was obtained in Georgia. . . . He claims that because the legislature defines these offenses as the purpose of the wrongdoer, all elements of the crimes occurred in Georgia, outside the territorial jurisdiction of Arkansas.
Powell v. State, supra.

The Arkansas Court of Appeals, not surprisingly, disagreed:
The State alleges that Ark.Code Ann. § 5-1-104(a)(1) controls because the State can show that the conduct or result that is an element of the offense occurred within Arkansas. We agree. Appellant sent e-mail correspondence to Collins and contacted her by telephone while she was in Arkansas. During the course of those communications, appellant actively deceived Collins into sending him money. Moreover, appellant caused Collins to access her computer by virtue of his e-mail correspondence, for the purpose of obtaining money with a false or fraudulent intent, representation, or promise. The deception and promises were his extensive fabrications. We hold, therefore, that substantial evidence existed to support the trial court's finding that it had jurisdiction in the instant case.
Powell v. State, supra.

The Court of Appeals therefore affirmed Powell’s conviction, which presumably means he will now serve the sentence the trial court imposed on him: “eight years' imprisonment for theft of property, five years' imprisonment suspended for theft of property, six years' imprisonment for computer fraud, and three years' imprisonment for failure to appear for trial on August 24, 2005.”

The approach the Arkansas court took in this case is common in other US cases, both state and federal, and is the predominant approach in cybercrime cases internationally. Any other result would let someone commit cybercrimes with complete impunity, as long as they targeted people in another country.

No comments: