Wednesday, June 23, 2010

ID Theft and Threatening the VP

I’m sure you’ve see the stories about Barry Ardolf, the Minnesota man who is accused, as Wired notes, of “hacking into his neighbor’s computer and sending a threatening e-mail to Vice President Joe Biden”. Ardolf had apparently entered into a plea deal with prosecutors under which he would serve 2 years, but abandoned the deal earlier this week. The Wired story says he faces “a maximum” of “seven years imprisonment” if he’s convicted on the charges against him.

That’s really what I want to focus on in the post – the charges, or actually one of the charges, against him. If you go to the Wired article, you can download the information (a charging document returned by a prosecutor without a grand jury) against Ardolf: U.S. v. Ardolf, Information, U.S. District Court for the District of Minnesota (CR10-159 DWF) (filed June 7, 2010).

The information contains two counts: Count 1 charges Ardolf with aggravated identity theft in violation of 18 U.S. Code § 1028A. Here’s what the count says:

On or about February 22, 2009, in the District of Minnesota, the defendant, BARRY VINCENT ARDOLF, did knowingly possess and use, without lawful authority, a means of identification of another person, to-wit: the name of VICTIM A, a known adult male, during and in relation to a felony enumerated in 18 U.S. Code § 1028A(c), to-wit: unauthorized access to a protected computer under 18 U.S. Code § 1030, all in violation of Section 1028A(a)(1) of Title 18 of the United States Code.

U.S. v. Ardolf, supra. Count 2 charges Ardolf with violating 18 U.S. Code § 871(a) by “knowingly and willfully mak[ing] a threat to take the life of, to kidnap, and to inflict bodily harm upon the Vice President . . . specifically, causing an email to be sent to the Vice President that” contained such a threat. U.S. v. Ardolf, supra. If you want to see what the email said, or what the relevant portions of the email said, check out the information via the Wired story, or you can probably read about it in many news stories.

Our concern isn’t with Count 2. This post is about the charge in Count 1. When I first saw news stories that said Ardolf was being charged with identify theft in this case, I was surprised. As I’ve noted in earlier posts, the crime of “identity theft” doesn’t criminalize imposture, i.e., doesn’t make it a crime to “use” someone else’s identity without their knowledge and permission. The modern identity theft crime is a financial crime; the “harm” it targets is using someone else’s personally identifying information to enrich yourself. That, of course, is not what Ardolf is accused of doing.

According to a pretty detailed story in the Twin Cities’ Pioneer Press, prosecutors say a

couple living near Ardolf reported him to police for inappropriately touching one of their children, so to retaliate, he created e-mail accounts in their names, hacked into their wireless computer routers and sent threats, child pornography and other vile messages.

The story says that in February of 2009, the neighbor complained to police that someone was using an anonymous email account in his name to send child pornography his co-workers. The story also says the emails “took a more ominous turn May 6” when one of the victim’s email addresses “was used to send a threat to Vice President Joe Biden, Gov. Tim Pawlenty, Minnesota State Rep. Tim Sanders and a Blaine police captain.” That’s when the FBI got involved and the investigation that led to the federal charges began.

As I noted in the post I did on imposture and identity theft, conventional identity theft statutes really don’t encompass what Ardolf did, i.e., using another person’s identity to send a threat. Unlike many state identity theft statutes, which approach identity theft as a financial/fraud crime, the federal identity theft statute – 18 U.S. Code § 1028 – has one provision that might have been used to charge Ardolf. (You can find the statute here.)

Section 1028(a)(7) makes it a federal crime to use, “without lawful authority, a means of identification of another person with the intent to commit . . . any unlawful activity that constitutes a violation of Federal law”. Section 1028(d)(7) defines “means of identification” so broadly I think it clearly encompasses using someone’s name and probably their wireless network. (As you may have read, news stories, including the Pioneer Press article, say Ardolf seems to have hacked into the wireless network of one, and maybe two, of his neighbors and used those networks in sending his messages, child pornography and threats.)

But prosecutors didn’t use this provision. Instead, they charged Ardolf under 18 U.S. Code § 1028A(a)(1), which you can find here. Section 1028A creates the crimes of “aggravated identity theft”. Section 1028A(a)(1) provides as follows:

Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.

Section 1028A(a)(2) says that anyone who uses someone’s identity without being authorized to do so “during and in relation to any terrorism-related felony enumerated in section 2332b(g)(5)(B)” of Title 18 of the U.S. Code shall be sentenced to serve 5 years in addition to the penalty imposed for the terrorism offense. As federal courts have noted, the provisions of § 1028A(a) are essentially sentence enhancement provisions; they provide for enhanced penalties when someone uses a stolen identity to commit a felony, in much the same way as other statutes enhance penalties for using firearms to commit a crime.

As you can see from the language of Count 1 quoted above, Ardolf is charged with violating 18 U.S. Code § 1028A(a)(1) by using someone else’s identity “without lawful authority” to gain unauthorized access to a “protected computer” in violation of 18 U.S. Code § 1030(a)(1). U.S. v. Ardolf, supra. Section 1028A(c)(4) incorporates the provisions of the other sections of Chapter 47 of Title 18 of the U.S. Code that relate “to fraud and false statements”. Section 1030 of Title 18 of the U.S. Code is (i) part of Chapter 47 and (ii) is entitled “fraud and related activity in connection with computers”, so it’s a § 1028A(a)(1) predicate crime, i.e., a § 1028A(a)(1) charge can be based on violating § 1030.

As I’ve noted, § 1030 is the basic federal computer crime statute and, as such, criminalizes gaining unauthorized access to a “protected computer.” As I believe I’ve also noted, a “protected computer” is a computer that is either used by the U.S. government or in a manner that affects interstate or foreign commerce. 18 U.S. Code § 1030(g)(2).

Count 2 of the Ardolf information doesn’t specify which provision of § 1030 Ardolf is alleged to have violated, but the charge has to be based on a violation of § 1030(a) because that section contains all of the criminal provisions of the statute (which you can find here). My guess is that the § 1028A(a)(1) charge is based on a claim that Ardolf violated either § 1030(a)(5)(B) or § 1030(a)(5)(C). § 1030(a)(5)(B) makes it a federal crime to intentionally access a protected computer “without authorization, and as a result of such conduct” recklessly cause “damage.” § 1030(a)(5)(C) makes it a federal crime to intentionally access a protected computer “without authorization, and as a result of such conduct” cause “damage and loss.”

The sections differ in two respects: To convict someone of violating § 1030(a)(5)(B), the prosecution has to show that he (i) intentionally accessed a computer without being authorized to do so and thereby (ii) recklessly caused (iii) damage. Section 1030(g)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system or information”. From the little I know about the specific facts in the Ardolf case, I suspect prosecutors will be able to prove all three elements beyond a reasonable doubt. To show that a perpetrator “recklessly” caused damage, prosecutors must show that he (i) “was aware of a substantial and unjustifiable risk . . . that the result required for the offense [“damage”] would be caused by (his) actions” and (ii) “consciously disregarded that risk”. U.S. Court of Appeals for the 3d Circuit Manual of Model Jury Instructions – Criminal § 5.08. So the prosecution doesn’t have to show that the defendant intended to cause damage.

To convict someone of violating § 1030(a)(5)(C), the prosecution must prove that he (i) intentionally accessed a computer without being authorized to do so and (ii) caused damage and loss. The only mens rea for this offense is the intent to gain unauthorized access to a computer; someone who does that and causes damage without intending to or even realizing they might do so can still be held liable here IF they caused damage AND “loss.” Haeji Hong, Hacking through the Computer Fraud and Abuse Act, 1998 UCLA Journal of Law & Technology 1. In other words, the statute holds a person strictly liable for causing damage and loss.

The definition of “damage” is the same as the one quoted above. Section 1030(g)(11) defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” and any “consequential damages incurred because of interruption of service”. From the little I know of the facts in the Ardolf case, I can’t speculate as to whether prosecutors could prove “loss” as well as damage.

We may find out. As I noted above, Ardolf bailed on the plea offer, so we might very well see a trial. And as the Wired story notes, he was charged by information, not indictment, which means prosecutors might follow up with an indictment, which might contain even more charges.


Nick42 said...

1030 has been updated since I last looked at it, but couldn't he simply be charged under 1030(a)(2)(C) as someone who:

"(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...

(C) information from any protected computer; "

Also, does there need to be an intent to access without authorization, or merely an intent to access? It's been my general impression that mens rea has been watered down in federal court to the extent that a defendant no longer need to have an intent to do wrong, but merely the intent to carry out whatever act has been criminalized.

Anonymous said...

That guy ended up being indicted on June 24.

Barry Vincent Ardolf faces two counts of aggravated identity theft, one count of making threats to the president and successors to the presidency, one count of unauthorized access to a protected computer, one count of possession of child pornography, and one count of distribution of child pornography.

Anonymous said...

The trial began today, I managed to to avoid being chosen as a juror. I am just now learning the details, he looks like a real weasel as does his defense attorney.

Anonymous said...

He pleaded guilty to everything, two days into trial. No plea deals. No acceptance of responsibility reduction. The prosecutor said he reserved the right to seek up to the statutory maximum.