Monday, June 15, 2009

Loss, Aggregation and Multiplicity

This post is about an opinion a federal judge issued a little less than a year ago. It deals with some interesting issues involving the application of the general federal computer crimes statute: 18 U.S. Code § 1030.

The case is U.S. v. Lanam, 2008 WL 2705514 (U.S. District Court for the Eastern District of Michigan 2008), and this is how it arose:
In March 2006, [Kirk] Lanam was indicted on six counts of unauthorized computer intrusion in violation of 18 U.S.C. § 1030(a)(5)(A) (i). The government later voluntarily dismissed three of the six counts.

The remaining three counts asserted that Lanam: (1) accessed the computer system of Total Mortgage Corporation (`Total’) without authorization and entered `ping flood’ commands that rendered Total's telephone system inoperative; (2) accessed Total's computer system without authorization and disabled the `firewall,’ thereby rendering the system vulnerable to subsequent attacks via the Internet; and (3) accessed the computer system of Air Source One, Inc. without authorization in order to gain access to Total's computer system.
U.S. v. Lanam, supra. Lanam went to trial and was convicted on all three counts.

After being convicted, he “move[d] for relief pursuant to” 22 U.S. Code § 2255, which is the federal habeas statute. As Wikipedia explains, habeas corpus “is an action often taken after sentencing by a defendant who seeks relief for some perceived error in his criminal trial.” In his habeas petition, Lanam asked for a new trial based on any or all of three reasons: his attorney was ineffective; the evidence was not sufficient to support the convictions; and the indictment was multiplicitous. We’re not concerned with the first argument; we’ll focus on the other two.

To understand Lanam’s second argument, I need to review the prior and current versions of 18 U.S. Code § 1030(a)(5). Until last September, § 1030(a)(5)(A)(i), the statute Lanam was convicted under, required (i) that the defendant have launched a DDoS attack on a computer system or accessed the system without being authorized to do so AND (ii) that by doing either or both he caused “loss to 1 or more persons during any 1-year period (and . . . loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value”.

Section 1030(a)(b) was revised last September, and one of the revisions eliminated the $5,000 requirement, which means it doesn’t apply to cases brought after September 26, 2008.
Lanam, though, was indicted prior to September 26, 2008, so he was charged under the earlier version of the statute, which means that the caused “loss to 1 or more persons” provision applied to him. In challenging his conviction he initially argued “that the evidence adduced at trial was not sufficient to support the statutory loss element of $5,000 for any of the three counts on which he was convicted.” U.S. v. Lanam, supra.

The federal judge, though, found that § 1030(a)(5) “does not require a $5,000 loss stemming only from the conduct underlying each individual count of unauthorized intrusion. Rather, the statute requires only a total loss of $5,000, which may be aggregated based on the conduct charged and any related course of conduct during a one-year period. U.S. v. Lanam, supra.
Lanam subsequently conceded that §1020(a)(5) only required aggregate loss totaling at least $5,000, but then argued that “the indictment was drafted in such a way that the government was required to prove a $5,000 loss stemming from each particular count.” U.S. v. Lanam, supra.

The federal judge didn’t agree. The judge began by noting that Count One of the indictment against Lanam read as follows:

On or about March 1, 2005 in the Eastern District of Michigan and elsewhere, Kirk Lanam . . . did knowingly cause the transmission of a computer command, and as a result . . . intentionally caused damage without authorization, to a protected computer, by accessing the computer system of Total Mortgage Corporation, which computer was used in interstate commerce, and entering commands that rendered Total Mortgage's telephone system inoperative that caused costs to be incurred . . . over $5,000, all in violation of Title 18, United States Code, [Section] 1030(a)(5)(A)(i).
U.S. v. Lanam, supra. The judge then noted that the other counts were phrased in an essentially identical manner.

The indictment is vague in that it does not explicitly state that the $5,000 loss may be aggregated from a related course of conduct. However, Lanam cites no law to support his contention that the sort of inartful drafting evident in this indictment may work to redefine the statutory elements of a crime.

U.S. v. Lanam, supra. The judge found Lanam was not entitled to a new trial based on this claim because there was “no suggestion that the indictment failed to charge an essential element of the crime or to provide Lanam with fair notice of the charges against him.” U.S. v. Lanam, supra.
Since the judge found the losses resulting from the charges in the indictment “and any related course of conduct during a one-year period” could be aggregated, he rejected Lanam’s second argument for a new trial.

As I noted above, Lanam’s third and final argument was that the counts in the indictment were multiplicitous. As I explained in a post I did last year, multiplicity is an error in the structure of a charging document, such as an indictment. Multiplicity is often described, in a phrase I like, as “impermissibly fractionating a single course of conduct into multiple offenses.” It means the prosecution breaks what is really one crime up into pieces, and charges the pieces in different counts of an indictment. So when a prosecutor creates a multiplicitous indictment, the effect is to multiply the criminal liability the defendant faces in a manner that’s inconsistent with the level of “harm” he or she actually caused.

The federal judge summarily disposed of Lanam’s multiplicity argument:

Lanam . . . argue[s] that if the loss element may be aggregated based on the conduct charged and any related course of conduct within a one-year period, the indictment is multiplicitous and violates . . . the Fifth Amendment. The . . . rule against multiplicity is properly invoked where a single illegal act is charged under more than one count, such that the defendant may be punished twice for the same crime. . . . Lanam's argument . . . is meritless because, although the losses from his conduct may be aggregated, each count of the indictment charged Lanam with committing a separate and discrete act of unauthorized intrusion.

U.S. v. Lanam, supra.
It looks like Lanam ultimately decided this issue was a lost cause. Last September, he filed a motion to appeal the judge’s ruling on the ineffective assistance of counsel issue (only); last September the federal district court granted him a Certificate of Appealability, which a defendant must obtain in order to appeal a federal district court’s ruling on a claim in a habeas petition. Since Lanam didn’t include the multiplicity argument in the issues he intends to appeal, he presumably thought he didn’t have a chance of winning on that issue.

I suspect he didn’t. While I can see the argument that if the government can aggregate the loss resulting from all 3 crimes to satisfy the $5,000 requirement as to each crime, it’s essentially breaking a single crime (which would consist of the sum total of the actions that inflicted the $5,000+ loss) into parts, the argument doesn’t work in the end. The reason it doesn’t work is that when Congress revised 18 U.S. Code § 1030 in 1986, it added a jurisdictional damage requirement of $1,000 to limit the use of the statute:

The [Senate Judiciary] Committee believes this threshold is necessary to prevent the bringing of felony-level charges against every individual who modified another’s computer data. Some modifications or alterations, while constituting `damage’ in a sense, do not warrant felony-level punishment, particularly when almost no effort or expense is required to restore the affected data to its original condition
U.S. Senate Report No. 99-432, 1986 U.S. Code Congressional and Administrative News, pp. 2479-2496 (1986). Since the $1,000 (later $5,000) requirement was simply a threshold requirement for establishing federal jurisdiction to prosecute a person for one of the § 1030(a)(5) crimes, it wasn’t one of the elements of those crimes and therefore couldn’t support a multiplicity claim.

And as noted earlier, last September Congress eliminated any possibility of basing a multiplicity claim on the government’s aggregating the “loss” resulting from a series of crimes to satisfy the jurisdictional requirement by revising § 1030. One revision moved the “loss . . . aggregating at least $5,000 in value” provision that had been in § 1030(a)(5) to 18 U.S. Code § 1030(c). It’s now a sentencing provision; section 1030(c)(4)(A), one who gains unauthorized access to a computer can be sentenced to a fine and/or imprisonment for “not more than 5 years” if the crime caused loss “during any 1-year period” that aggregated “at least $5,000 in value”.

Why did Congress do that?
I can’t say for sure. The revision clearly eliminated any possibility that a defendant could use the multiplicity argument if the government decided to aggregate loss across the counts of an indictment in order to establish the $5,00 loss requirement. Prior to the revision, some argued that the placement of the $5,000 requirement in the part of the statute that defined the unauthorized intrusion and DDoS crimes did, in fact, transform it into an element of the offense. I don’t really buy that argument because it’s clear the loss requirement was added, originally, to limit the use of the statute, which makes it a jurisdictional provision, not an offense element.

Anecdotally, I’ve heard Congress eliminated the $5,000 requirement as a condition for bringing a prosecution in order to give federal prosecutors the ability to use § 1030 against people who gain unauthorized access to computers and/or hit them with DDoS attacks but do not cause $5,000 in loss, not even in the aggregate. I think that’s the real reason Congress made this change; in other words, Congress reversed the position it took in 1986, when it revised the original, 1984 version of § 1030.

Because § 1030 now CAN be used against defendants who violate its provisions but don’t cause $5,000 in loss, does that mean we’ll see it being used a lot more often? I doubt it; I don’t think Congress meant to create the opportunity for a flood of § 1030 prosecutions. I think the goal was to give federal prosecutors the ability to use the statute in particular cases where, in their opinion, circumstances other than the amount of loss inflicted justified bringing a federal prosecution. I suspect they’ll use the new latitude they have carefully. Does that mean a federal prosecutor couldn’t abuse that latitude to prosecute someone under § 1030 when the nature of the “harm” – the loss – really doesn’t justify it? No, it doesn’t. Federal prosecutors have a great deal of discretion in deciding what cases they want to pursue, so such a scenario is at least conceivable. I, though, think it’s unlikely.

1 comment:

Anonymous said...

In this case, it appears that they are aggregating the losses of all charges. On each charge, they are using the same aggregated value. Therefore, the losses from count 1 are used in counts 1, 2, and 3 to meet the $5000 condition. And the same for counts 2 and 3. As a result, the same loss is used 3 times.

Wouldn't this create a multiplicious scenario? Or at least make the 3 charges one crime?

Additionally, it appears that the US Court of Appeals found in Mr. Lanam's favor and remanded the case back to the district court for a new hearing.