Friday, May 01, 2009


In an earlier post, I explained that the federal system and every U.S. state – and many other countries – criminalize what is commonly known as hacking.

As I explained there, U.S. statutes, anyway, tend to define hacking as “accessing” a computer without being authorized to do so. And as I noted in another post, the federal system – and at least some states – also make it a crime to access a computer without authorization in order to commit fraud.

I just ran across a recent case that involved a charge of computer crime under Colorado law. What I find interesting about the case is that the statute the defendant was charged under doesn’t define computer crime in terms of “access.” It uses a different term, but we’ll get to that in a moment. First I need to describe how the prosecution arose and what the charges were.

The case is People v. Robb, 2009 WL 1013744 (Colorado Court of Appeals 2009). Bruce Robb was convicted of one count of securities fraud and one count of computer crime, and appealed his conviction to the Colorado Court of Appeals. Here are the facts that led to his being charged with both crimes:
Kidztime was created by owners and associates of an affiliate of the Children's Cable Network (CCN). Kidztime was intended to provide nonviolent television programming for children. . . . to air on various cable stations in different geographical locales throughout the United States. Each Kidztime franchise was . . . an independent partnership.

Capital Funding paid commissions to its independent sales offices for selling general partnership interests in Kidztime and CCN. The . . . offices would contact Capital Funding with sales leads for potential investors. Prospective partners were provided with a sales brochure that included information about the partnership and with a partnership agreement. The brochure was known as the `green brochure.’ Computers were used as part of this process, including generating copies of the green brochure that were sent to potential investors. . . .

Beginning in 1995, Robb worked . . . as one of Capital Funding's first commissioned salespersons. Robb left . . . to pursue another job opportunity . . .was asked to return as a salesperson for Kidztime, which he did. Shortly thereafter, Robb . . . became a lead salesperson at an independent sales office in Colorado, where he supervised a team responsible for sales of partnership interests. . . .

In Robb's role as salesperson, he contacted people to tell them about investment opportunities with Kidztime. Robb followed the same script all the salespeople used when giving his sales pitch. If he found an interested prospective investor, that person's name was given to a staff member at Capital Funding, who would send out a copy of the green brochure to the potential investor. Robb received at least a fifteen percent commission for the units he succeeded in selling. . . .

The premise of the business model . . . was that local affiliates would generate revenue through advertising, which would fund . . . the programming . . . . Under . . . the partnership agreement, approximately eighty-five percent of the money raised was dedicated to fundraising expenses and . . . acquiring the programming. The remaining fifteen percent would serve as working capital for the affiliate. However, very few advertisements were sold. Because of this, the affiliates quickly ran out of money and could not continue to pay the leased access costs. After the advertising plan failed, the owners and operators of the organization attempted to conduct event-based marketing. . . . [but] very little money was generated . . . and the affiliates ran out of money.

In 2001, a . . . grand jury charged fourteen codefendants, including Robb, in an . . . indictment relating to the fraudulent sale of partnership interests during . . . . 1995-1998.
People v. Robb, supra. Robb was convicted and appealed, arguing that the evidence presented at trial was insufficient to show that he committed either securities fraud or computer crime. We, though, are only concerned with the computer crime charge, which was brought under this statute:
Any person who knowingly uses any computer, computer system, computer network, or any part thereof for the purpose of . . . executing any scheme or artifice to defraud; obtaining money, property, or services by means of false or fraudulent pretenses. . . commits computer crime.
Colorado Statutes § 18-5.5-102(1). A related statute defines “`to use’” as “to instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer . . . or computer network.” Colorado Statutes § 18-5.5-101(10). As I explained in the post I did on hacking as access, many states define “access” – as in gaining unauthorized access to a computer – in essentially the same way.

In his appeal, Robb claimed the evidence presented at trial “was insufficient to establish that he `used’ a computer or . . . network as the term `use” is defined in . . .Colorado's computer crime statute”. People v. Robb, supra. The Court of Appeals agreed:
The evidence of Robb's use of a computer is sparse and shows that his interaction with computers at Capital Funding and Kidztime was remote and attenuated at best. Robb testified on direct examination that he was computer illiterate and did not even have a computer in his office, with the exception of a short period . . . before a computer left behind by the last person using the office was removed. He testified that he did not use that computer and . . . never even turned it on. On cross-examination, the prosecution did not ask Robb any questions about computer use. Nor have the People pointed us to any other evidence in the record (including documentary evidence such as emails) indicating that Robb used a computer or even directed the use of a computer. . . .

Indeed, the People's theory on appeal, as it was at trial, appears to be that evidence that other personnel in the organization actually used computers was sufficient evidence to convict Robb of computer crime, given his role as a salesperson. Thus, the record reflects that when Robb, in his role as a salesman, identified potential investors interested in purchasing a Kidztime unit, he gave those names to other staff members at Capital Funding. However, there is no evidence that Robb used a computer to do so. A staff person sent the potential investors materials about Kidztime, including the green brochure, which were apparently generated by a computer. However, according to [one witness], Robb and the other salespeople were not involved in generating those materials or sending them out to investors. . . . [T]he computer crime charge against Robb was not prosecuted on a complicity theory (nor was the jury so instructed). Thus, the People were required to prove beyond a reasonable doubt that he personally `used’ a computer as that term is defined in the statute, rather than that he simply aided and abetted others who may have actually used a computer in the sales process.
People v. Robb, supra. The Court of Appeals therefore held that the evidence was not
“sufficient to prove use of a computer, where Robb simply provided information about prospective investors to another person, who sent out computer-generated materials to those prospects.” People v. Robb, supra. It therefore reversed Robb’s conviction on this count (but it affirmed his conviction on the securities fraud count).

I think the Court of Appeals clearly reached the right result, in terms of the evidence the state offered to prove the computer crime charge. What I find interesting about the case is, as I noted before, that the Colorado statute predicated criminal liability on “using” a computer, rather than “accessing” a computer to commit fraud. Given the structure of the charge and the fact that the related statute defined “uses” in essentially the same way as other statutes define “accessing” a computer, the difference in terminology was really irrelevant; the crime and the conduct involved in committing the crime were the same as in “access” crimes.

I wonder, then, why the Colorado legislature changed the statute Robb was prosecuted under. The indictment against Robb (and his codefendants) was returned in 2001, but it was based on conduct that occurred from 1995-1998. So he had to be charged under the version of the computer crime statute that was in effect during that period. That’s the version quoted above.

In 2000, the state legislature rewrote the state’s computer crime statute, replacing “uses” with “accesses” in MOST of its provisions. (The exceptions are a section that makes it a crime to transmit malware and another section that makes it a crime to “use” a software application to circumvent limits on the online purchase of event tickets.) I can’t find any legislative history or articles or news stories that tell me why they made the revisions. My guess, and it’s only a guess, is that the legislature wanted to make the terminology used in Colorado’s computer crime statute consistent with the terminology in other U.S. computer crime statutes. So for all the appropriate crimes, they substituted “access” for “use.”

No comments: