Wednesday, November 03, 2010

Hacking and Chess

This post is about a recent decision from the U.S. District Court for the Northern District of California: U.S. v. Alexander, 2010 WL 3238961 (2010).

As this news story explains, “Gregory Alexander, of Everett, Wash[ington] was indicted in July 2009 and charged with breaking into the e-mail account of Randall Hough . . . on at least 34 occasions.”

According to that same news story, the alleged “breaking into the e-mail account” arose from a “feud” between the United States Chess Federation and “two of its former board members.” If you want to learn a lot more about what the feud was about and how it apparently resulting in the charges against Alexander, I suggest you check out this story, which predates the filing of the indictment against Alexander.

According to the opinion we’re going to examine, the indictment alleged that

on thirty-four separate occasions, Alexander accessed, without authorization, the Yahoo! email account of Randall Hough, one of the board members of the United States Chess Federation (`USCF’). These thirty-four intrusions into Hough's account correspond with the thirty-four counts of violations of the [Computer Fraud and Abuse Act, 18 U.S. Code § 1030] and also form the basis for the aggravated identity theft charge. Although none of the factual background related to this allegedly criminal conduct is included in the indictment, the government, in its late-filed opposition to Alexander's motions, describes how Alexander's actions were part of an internal power struggle among the USCF board members.

U.S. v. Alexander, supra. As you may have gathered from that paragraph, Alexander filed several pre-trial motions seeking various things from the court and the government. U.S. v. Alexander, supra. The indictment against him says that he “was a resident of Everett, Washington, and worked in the Internet Technology offices of the University of Washington” and that he “also served as a volunteer web developer who maintained and moderated the Chess Discussion Forum on the website known as” Indictment, U.S. v. Alexander, 2009 WL 4704875 (2009).

The indictment, as the paragraph quoted above noted, charged Alexander with 34 counts of violating the basic federal computer crime statute, 18 U.S. Code § 1030(a)(2)(C) and with 1 count of aggravated identity theft in violation of 18 U.S. Code § 1028A(a)(1). Indictment, U.S. v. Alexander, supra. Alexander only moved to dismiss the identity theft count, but in ruling on that motion to dismiss the judge noted some other problems with the indictment. U.S. v. Alexander, supra.

To understand why the judge dismissed that count, and what the other problems were, we need to start with the 18 U.S. Code § 1030 charges against Alexander: He is charged (in 34 counts) with violating “18 U.S. Code § 1030(a)(2)(C) and [§1030](c)(2)(B)(ii). U.S. v. Alexander, supra.

Section 1030(a)(2)(C) makes it a crime to intentionally access a computer without authorization or by exceeding authorized access and thereby obtain “information from any protected computer”. As I’ve noted in earlier posts, a “protected computer” is a computer that is used in interstate or foreign commerce; any computer hooked to the Internet qualifies as a protected computer. As we will see below, § 1030(c)(2)(B)(ii) makes it a felony to commit the § 1030(a)(2)(C) offense if certain requirements are met.

This is where the federal judge to whom this case is assigned found problems with the indictment. As she explained, the

indictment filed by the government in this case is as factually and legally deficient as any the court has seen in its experience. Counts 1 through 34 charge Alexander with accessing another individual's Yahoo! email account and thereby obtaining information [in violation of 18 U.S. Code § 1030(a)(2)(C)]. . . . A violation of subparagraph (a)(2) is a misdemeanor, see 18 U.S. Code § 1030(c)(2)(A), unless the government proves that

(I) the offense was committed for purposes of commercial advantage or private financial gain;

(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

(iii) the value of the information obtained exceeds $5,000.

Id. § 1030(c)(2)(B). If the government establishes any one of those three aggravating circumstances, a violation of subsection (a)(2) is a felony, punishable by a fine or imprisonment not more than five years.

U.S. v. Alexander, supra.

The judge then found that the indictment included

only one allegation that could possibly be construed as alleging a violation of [18 U.S. Code § (a)(2)(C)]. Paragraph 7 of the indictment states that `Gregory Alexander intentionally and without authorization accessed a protected computer, to wit: the email server operated by Yahoo administering the e-mail account, by means of interstate communications, and thereby obtained information from said protected computer, . . . All in violation of 18 U.S. Code §§ 1030(a)(2) and (c)(2)(B)(ii).’

Although the indictment purports to allege a violation of the [statute’s] felony provision, subsection (c)(2)(B)(ii), nowhere does it allege the statutory language of that provision, nor does it include any factual allegations from which it could be inferred that Alexander's computer intrusions were `in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or any State.’ In other words, it fails to allege any tortious or criminal conduct that would invoke subsection (c)(2)(B)(ii). This obvious facial shortcoming in the indictment, for which the government, at the hearing on the motion, had no explanation, requires that the court construe counts 1 through 34 as charging Alexander with misdemeanor violations of [§ 1030]. In fact, the government conceded as much at the hearing.

U.S. v. Alexander, supra.

The federal judge then explained that since she had found that

the indictment only alleges misdemeanor violations of [§1030], the court must dismiss count 35. Count 35 of the indictment charges Alexander with aggravated identity theft in violation of 18 U.S. Code § 1028A(a)(1).

U.S. v. Alexander, supra. She noted that 1028A(a)(1) provides as follows:

Whoever, during and in relation to any felony violation enumerated in subsection (c), knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person shall, in addition to the punishment provided for such felony, be sentenced to a term of imprisonment of 2 years.

U.S. v. Alexander, supra (emphasis in the opinion).

And the judge explained that a

felony violation of . . . 18 U.S. Code § 1030, is among the felony violations enumerated in 18 U.S. Code § 1028A(c) that can serve as a predicate for a prosecution for aggravated identity theft. However, counts 1 through 34 of the indictment only allege misdemeanor violations of [§1030]. Accordingly, count 35 must be dismissed, as it fails to include any allegations that the identity theft engaged in by Alexander was committed `during and in relation to any felony violation. . . . '

U.S. v. Alexander, supra.

She then dismissed Count 35 and held that

within thirty (30) days of the date of this order, the government must inform defendant and the court whether it intends to seek a superseding indictment or proceed on the remaining thirty-four misdemeanor counts for violations of [§1030].

U.S. v. Alexander, supra.

It’s been over two months since the judge entered this order. But since I don’t have access to the current docket in the case, I don’t know if the government decided to seek a superseding indictment (i.e., a replacement indictment that might include allegations that Alexander’s conduct was committed in violation of the Constitution, federal or state law. And I can’t find any news stories that mention whether the government is going for a superseding indictment on intends to proceed on this one.

No comments: