Wednesday, May 11, 2011

SpoofCard, Unauthorized Access and Harassing Phone Calls

This post involves a service with which you may or may not be familiar: SpoofCard. This is how SpoofCard describes its services in its FAQ:

SpoofCard offers the ability to change what someone sees on their caller ID display when they receive a phone call. Simply dial SpoofCard's toll free number or local access number in your country and then enter your PIN. You'll then be prompted to enter the destination number followed by the phone number to appear on caller ID. . . .

The case is U.S. v. Cioni, __ F.3d __, 2011 WL 1491060 (U.S. Court of Appeals for the 4th Circuit 2011). Elaine Cioni was charged with conspiracy to commit the other crimes alleged against her in violation of 18 U.S. Code § 371 (Count 1), obtaining information through unauthorized access to computers (Counts 2 & 4), making harassing phone calls in violation of 47 U.S. Code § 223(a)(1)(C) (Count 5) and obtaining access to stored electronic communications in violation of 18 U.S. Code § 2701 (Count 6). U.S. v. Cioni, supra. (No, I can’t find out what Count 3 was, or what happened to it.)

According to the 4th Circuit, the process that led to Cioni’s being charged began “in the summer of 2005,” when she “began having an affair with Bruce Enger, her former supervisor at Long & Foster Realty in Northern Virginia. U.S. v. Cioni, supra. Cioni suspected “she was not the only one with whom Enger was having an affair”, but after she relocated to Chattanooga to take a new job, and the “affair ended, Cioni and Enger remained on speaking terms and occasionally communicated by telephone or e-mail.” U.S. v. Cioni, supra. In March of 2007, Enger began receiving harassing calls from an

unknown source. The calls were made to several of Enger's telephone numbers, including those of his office, mobile telephone, his wife Maureen's telephone, and the telephones of several of his business associates. . . . [T]he person making the call spoke in a distorted male voice and revealed private information regarding Enger's work and personal life. For example, on August 24, 2007, the . . . person called Enger on his Blackberry and said, `I know where you are . . . [be]cause I'm there too. I followed you.’

At other times, the caller recited the contents of Enger's password protected e-mail accounts and [said that] `we're watching every move you make’ and copies of damaging e-mails would be sent to Enger's family while he was travelling. Occasionally the calls made threats . . . telling him, for example, he need[ed] to get on out of Dodge.’ Caller identification indicated that the calls originated from telephone numbers familiar to Enger, such as his home telephone number or his daughter's cell phone number, but in fact they originated from other telephones. Although Enger sought to avoid the calls by changing his telephone numbers several times, these efforts were unsuccessful, and the harassing calls continued through May 2008.

At Enger's prompting, . . . Long & Foster, sought to identify the caller's identity. [Its] investigation focused on Craig Scott, a former employee who Long & Foster believed had a motive for retaliating against company officials, as well as the technical knowledge necessary to carry out the campaign. Between March and September 2007, Long & Foster gathered evidence. . . . and provided [it] to local authorities, who charged Scott with making the harassing calls and improperly accessing Enger's e-mail. The charges . . . were later dismissed because of a lack of supporting evidence. The investigation nonetheless had a catastrophic impact on Scott, who lost his job and his marriage in the process.

U.S. v. Cioni, supra.

Long & Foster then went to the FBI, which conducted “an extensive investigation” and “ultimately determined” that the calls weren’t being made by Scott but by Cioni and her

friend, Sharon Thorn. . . . Cioni and Thorn used . . . `SpoofCard,’ which enabled them to mask their telephone numbers and voices, and make downloadable audio recordings of their calls. SpoofCard's billing records . . . indicated over 300 calls were made from Cioni's telephones using . . . SpoofCard's features, and more than 220 were made to Enger's various numbers.

Inspired by Paris Hilton's reported use of similar technology to access Lindsay Lohan's voicemail, Cioni used SpoofCard to access Enger's voicemail, listened to messages, deleted messages, and left disguised messages. Payment for many of the SpoofCard calls was made electronically from computers at Cioni's home and workplace, using a credit card belonging to Cioni.

U.S. v. Cioni, supra.

The FBI also found Cioni had “accessed or attempted to access numerous e-mail accounts belonging to Enger,” his wife, their children and several of his business associates. U.S. v. Cioni, supra. The FBI discovered “Cioni gained access to many of these e-mail accounts by using an online service known as `,’ which, for a fee, acquired third-parties' e-mail passwords surreptitiously.” U.S. v. Cioni, supra. Cioni made some of the payments to with Thorn’s credit card, which she used with Thorn’s permission. U.S. v. Cioni, supra.

Cioni was indicted on the charges noted above and “following a four-day trial, was convicted on all counts.” U.S. v. Cioni, supra. She made various arguments on appeal, but I’m only going to focus on the ones that challenged the sufficiency of the evidence. If you want to read the full opinion, you can find it here.

Cioni claimed the evidence wasn’t sufficient to prove beyond a reasonable doubt that she conspired (§ 371) to violate access email accounts in violation of § 1030(a) in furtherance of a violation of §2701. U.S. v. Cioni, supra. The 4th Circuit disagreed:

[T]he evidence showed Cioni, in concert with Sharon Thorn, hired and thus conspired with hackers to surreptitiously obtain passwords to various e-mail accounts; that these hackers did provide Cioni with the passwords; and that Cioni used [them] to access several e-mail accounts. In one instance, Cioni used a hacker-provided password to download a third party's e-mail inbox and sent e-mail folders that contained unread e-mails. Thorn participated in the conspiracy by permitting Cioni to use [her] credit card to purchase the passwords and . . . `hide the paper trail.’ In addition, Count 1 alleged Cioni conspired to access e-mail accounts and voice mail[s], in furtherance of accessing unread e-mail messages and making calls to `harass, annoy, and harm’ Enger and his family.

The evidence showed Cioni did, without authorization, access Enger's voicemail, including unopened messages, and obtained information she used to taunt Enger and his family, for instance, referring to the Engers' recent travel and Cioni's feigned surveillance of them. Viewing this evidence in the light most favorable to the government, it was sufficient to show Cioni conspired to access computers and electronic storage facilities containing unopened e-mails for the purpose of accessing other computers and harassing, annoying, and harming Enger and his family.

U.S. v. Cioni, supra.

With regard to Count 6 (unlawful access to stored communications), Cioni argued that “while she did illegally access unopened voicemails . . . in violation of § 2701(a), the record contains no proof she did so in furtherance of’ making harassing telephone calls, in violation of 47 U.S. Code § 223.” U.S. v. Cioni, supra. The Court of Appeals again disagreed, noting that the evidence in the record showed Cioni made

harassing telephone calls to Bruce Enger and his family, taunting them with facts about their recent travel and her alleged surveillance of them, information she obtained by her unlawful access to Enger's voicemail. The illegal access to voicemail thus facilitated the harassing telephone calls by supplying the ammunition that made the calls harassing and threatening.

U.S. v. Cioni, supra.

Cioni did persuade the court to reduce her convictions on Counts 2 and 4 from felonies to misdemeanors. U.S. v. Cioni, supra. The counts charged unauthorized access to computers in violation of 18 U.S. Code § 1030(a)(2)(C), which is a misdemeanor offense unless the crime was committed “in furtherance of any criminal or tortious act in violation” of state or federal law. 18 U.S. Code § 1030(c)(2)(B)(ii). If you want to read more about that, check out the post you can find here.

Cioni argued that the same conduct was used as the factual basis for (i) charging the § 1030(a)(2)(C) offense and for (ii) alleging her commission of the § 2701(a) crime that was used to make § 1030(a)(2)(C) crime a felony. U.S. v. Cioni, supra. In Count 2, the conduct was accessing Maureen Enger’s email account and viewing her email; in Count 4, the conduct was attempting to access Patricia Freeman’s email in furtherance of “attempting to obtain Patricia Freeman’s unopened email” in violation of § 2701(a). U.S. v. Cioni, supra. (According to Cioni’s brief on appeal, evidence at trial showed Enger had an affair with Freeman. Appellant’s Brief, U.S. v. Cioni, 2010 WL 2984309.)

The Court of Appeals found that since the same conduct was used as the factual basis for the charges in Counts 2 and 4 and to enhance the offenses charged in those counts from a misdemeanor to a felony, the felony convictions could not stand. U.S. v. Cioni, supra. It therefore vacated the felony convictions and remanded the matter to the district court for the entry of misdemeanor convictions on those counts. U.S. v. Cioni, supra.

After reading this opinion, I wondered if SpoofCard has, or might, be charged as an accomplice in a case like that. So I checked their FAQ, and found this entry under “Is SpoofCard Legal?”:

Each of the capabilities of SpoofCard is legal in the US. However, certain uses may be illegal depending on which state you are calling from or to. . . . Before using . . . SpoofCard, you should determine whether the use you will make of the service is legal in the state where you are calling from and the state where the party you are calling is located. . . .

SpoofCard cannot monitor conversations to determine whether they are being legally spoofed or recorded. SpoofCard disclaims any and all liability or responsibility for your use of the Card's spoofing or recording capability.

No comments: