Friday, November 07, 2008


Section 1030(a)(5)(A) of Title 18 of the U.S. Code makes it a federal crime “knowingly” to cause the transmission of “a program, information, code, or command, and as a result” intentionally cause “damage” to a computer.

(Until September 26, this provision was codified as 18 U.S. Code § 1030(a)(5)(A)(i). An Act that went into effect last month reordered some of the sections of § 1030 and made some substantive changes to the statute, but didn’t alter the substance of this one.)

This provision was at issue in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Circuit Court of Appeals 2006). As I noted in an earlier post, § 1030(g) lets one who has been the victim of a violation of the criminal provisions of § 1030 bring a civil suit to recover damages for the injury he/she/it sustained. In the Citrin case, Jacob Citrin’s former employer sued him to recover damages for his allegedly violating what is now § 1030(a)(5)(A).

Here is how the Seventh Circuit Court of Appeals described the facts in the case:
Citrin was employed by the plaintiffs -- affiliated companies engaged in the real estate business we'll treat as one . . . and call ‘IAC’ -- to identify properties IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets.

Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop to IAC, he deleted all the data in it -- not only the data that he had collected but also data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the ‘delete’ key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such ‘deleted’ files are easily recoverable. But Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery. . . . IAC had no copies of the files Citrin erased.
International Airport Centers, L.L.C. v. Citrin, supra. Citrin moved to dismiss IAC’s § 1030(a)(5)(A) cause of action for what the law calls “failure to state a claim.” When a defendant makes such a motion, the court assumes the facts set out in the complaint (the pleading that starts the case) are true, and then decides whether those facts show a violation of the statute on which the plaintiff’s claim is based.
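The distinction the court draws between an ordinary delete (index entry removed, data blocks untouched) and an overwriting secure-erasure program is shown below in an added toy disk model; this is illustrative code written for this post, not code from the opinion or the parties, and the `ToyDisk` class, its method names and the sample file contents are all invented.

```python
# Toy model of a disk: fixed-size data blocks plus a directory index.
# Shows why "deleted" files can be carved back from raw blocks while an
# overwriting erase defeats that recovery. All names here are invented.
from dataclasses import dataclass, field

BLOCK_SIZE = 8


@dataclass
class ToyDisk:
    nblocks: int = 16
    blocks: list = field(default_factory=list)
    index: dict = field(default_factory=dict)  # file name -> block numbers
    free: list = field(default_factory=list)   # allocatable block numbers

    def __post_init__(self):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(self.nblocks)]
        self.free = list(range(self.nblocks))

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        used = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(used, chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.index[name] = used

    def delete(self, name):
        # Ordinary delete: drop the index entry and release the blocks.
        # The bytes inside the blocks are left exactly as they were.
        self.free.extend(self.index.pop(name))

    def secure_erase(self, name):
        # Overwrite every block the file occupies, then delete normally.
        for blk in self.index[name]:
            self.blocks[blk] = b"\x00" * BLOCK_SIZE
        self.delete(name)

    def carve(self, needle):
        # Forensic carving: scan the raw blocks and ignore the index entirely.
        return needle in b"".join(self.blocks)


def recoverable_after(op):
    """Write a file to a fresh disk, apply op ('delete' or 'secure_erase'),
    then report whether its contents can still be carved from raw blocks."""
    disk = ToyDisk()
    disk.write("targets.txt", b"acquisition target list: lot 42")  # constructed sample
    getattr(disk, op)("targets.txt")
    listed = "targets.txt" in disk.index
    return listed, disk.carve(b"lot 42")
```

In both cases the file vanishes from the directory listing; only the overwrite actually removes the evidence from the blocks.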

In his motion to dismiss, Citrin argued that “merely erasing a file from a computer is not a ‘transmission’” under § 1030(a)(5)(A). The Illinois federal district court agreed with him, and dismissed the suit. IAC appealed to the Seventh Circuit Court of Appeals which, at least initially, seemed to agree with the lower court: “Pressing a delete . . . key in fact transmits a command, but it might be stretching the statute too . . . to consider any typing on a computer keyboard to be a . . . ‘transmission’ just because it transmits a command to the computer.” International Airport Centers, L.L.C. v. Citrin, supra.

The Seventh Circuit then proceeded to consider whether deleting files is a “transmission” within the compass of what is now § 1030(a)(5)(A):
There is more here, however: the transmission of the secure-erasure program to the computer. We do not know whether the program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire. Oddly, the complaint doesn't say; maybe IAC doesn't know -- maybe all it knows is that when it got the computer back, the files in it had been erased. But we don't see what difference the precise mode of transmission can make. In either the Internet download or the disk insertion, a program intended to cause damage (not to the physical computer, of course, but to its files -- but ‘damage’ includes ‘any impairment to the integrity or availability of data, a program, a system, or information,’ 18 U.S. Code § 1030(e)(8)) is transmitted to the computer electronically. The only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer. The difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.

There is the following contextual difference between the two modes of transmission, however: transmission via disk requires that the malefactor have physical access to the computer. By using the Internet, Citrin might have erased the laptop's files from afar by transmitting a virus. Such long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee. The inside attack, . . . while easier to detect may also be easier to accomplish. Congress was concerned with both types of attack: attacks by virus and worm writers . . . which come mainly from the outside, and attacks by disgruntled programmers who . . . trash the employer's data system on the way out (or threaten to do so . . . to extort payments), on the other. If the statute is to reach the disgruntled programmer, . . . it can't make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
International Airport Centers, L.L.C. v. Citrin, supra.

IMHO, the Court of Appeals then makes a wrong turn. It bases its conclusion that § 1030(a)(5)(A) was intended to reach “the disgruntled programmer” on two other provisions of § 1030: the ones that criminalize “outsider” hacking (obtaining unauthorized access to a computer system) and “insider” hacking (exceeding one’s authorized access to a computer system). The court decides Citrin exceeded his authorized access to the IAC-provided laptop:
Citrin's breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC's agent -- he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship. ‘Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship’. . . .
International Airport Centers, L.L.C. v. Citrin, supra.

The court reaches this conclusion even though, as Citrin pointed out, his “employment contract authorized him to ‘return or destroy’ data in the laptop when he ceased being employed by IAC”. It reaches this conclusion by deciding “it is unlikely, to say the least, that the provision was intended to authorize him to destroy data he knew the company had no duplicates of and would have wanted to have -- if only to nail Citrin for misconduct.” International Airport Centers, L.L.C. v. Citrin, supra. At that point, the court decides this isn’t an “exceeding authorized access” (“insider” hack) case at all; it decides it’s really an “unauthorized access” case because Citrin had lost his right to access the IAC computer.

That, I think, was the court’s first error. As I pointed out in an earlier post, the task of deciding precisely when an “insider” exceeds his or her authorized access to a computer system can be a difficult one. Usually, courts look to written policies the victim company has in place, policies that define what the employee can and cannot do while on the company’s computer system.

Here, the employment contract says Citrin could destroy data before returning the IAC laptop, and that is precisely what he did. We may think a reasonable person would know not to destroy so MUCH data, but as I explained in my earlier post, it can be difficult to tell precisely when an employee steps over the line. And since this suit is brought under a criminal statute, the court, I submit, should adhere strictly to the mens rea set out in the statute . . . which is “intentionally”. “Intentionally” is the mens rea for both the “unauthorized access” and “exceeds authorized access” crimes, so it applies regardless of which crime the Court of Appeals decides Citrin committed. And you simply cannot prove someone acted “intentionally” if all you can show is that he SHOULD have known that what he did violated his employment contract; you have to show he actually knew that. (“Should have known” is a negligence standard and, as such, is a much lower level of mens rea than “intentionally”.)

The other error I think the court made is that it didn’t consider what this particular crime – the now § 1030(a)(5)(A) crime – was meant to encompass. I found a Senate report that explains what this new section of § 1030 (which is also known as the Computer Fraud and Abuse Act, or CFAA) was meant to do:
Computer abuse crimes under the current statute must be predicated upon the violator's gaining ‘unauthorized access’ to the . . . computers. However, . . . the most severe forms of computer damage are often inflicted upon remote computers to which the violator never gained ‘access’ in the commonly understood sense of that term. Instead, those computers are damaged when a malicious program or code is replicated and transmitted to them by other computers infected by the violator's original transmission.

The new subsection 1030(a)(5) of the CFAA . . . makes it clear that one who transmits a destructive program or code with harmful intent is criminally responsible for the resultant damage to all affected computers, without regard to . . . ‘unauthorized access.’ . . .
Senate Report No. 101-544, The Computer Abuse Amendments Act of 1990 (October 19, 1990), 101st Cong., 2d Sess. 1990, 1990 WL 201793. It seems to me the language in this report clearly establishes that § 1030(a)(5)(A) was not intended to be any kind of “access” crime but, instead, a transmission-of-malware crime.
