After Brian Matthew Rich “entered into a conditional plea
agreement” with the U.S. Department of Justice, he appealed. Brief of Appellant, United States v. Rich, 2015 WL 860788 (U.S. Court of Appeals for the 4th Circuit 2015).
The brief he filed on appeal begins by explaining how, and why, the
prosecution arose:
The essential facts of this case are
undisputed. LendingTree LLC operates a mortgage brokering business that
connects consumers interested in securing a mortgage loan with lenders willing
to provide such loans. The model works as follows: A consumer seeking a
mortgage loan initiates the process by submitting personal and financial data
through online forms at LendingTree's website. This information, known as a
`mortgage lead,’ is then provided to a set of lenders who ostensibly compete
with each other to provide a loan to the consumer on favorable terms. . . .
To receive mortgage leads from
LendingTree, a lender must become a member of the LendingTree Network. Doing so
requires the lender to undergo a financial review, sign a contract, and pay a
fee to LendingTree. After joining, a lender must then pay another fee for each
mortgage lead it receives and yet another fee for each loan that it closes
based on a LendingTree lead. . . .
Steve Rosene, a co-defendant in this
case, was a part owner of Newport Lending Group (`NLG’). At all relevant times,
NLG was a member of the LendingTree Network. . . . As a result, LendingTree
provided NLG and Rosene with log-in credentials (consisting of a username and
password) that permitted remote access to Lender Web Apex (`Apex’), a computer
system through which lenders receive their mortgage lead information from
LendingTree. . . .
Beginning in approximately 2005, Rosene
entered into a side agreement with Jarrod Beddingfield, a LendingTree
employee. . . . As an employee, Beddingfield was authorized to access the
Apex system using administrator log-in credentials. . . . In exchange for
payments from Rosene, Beddingfield provided Rosene with mortgage leads and
preferential treatment that Rosene was not entitled to receive based on NLG's
status within the LendingTree Network. . . . In addition, Beddingfield provided
username and password information that permitted Rosene to gain
administrator-level access to the Apex system, where he was able to obtain
additional mortgage lead data. . . .
Brian Rich and Marcus Avritt were
co-owners of Chapman Capital, Inc., which also operated under the business name
of Home Loan Consultants. . . . Beginning in late 2006, Chapman paid Rosene to
provide mortgage leads. . . . In January 2007, Chapman increased its monthly
payments to Rosene in exchange for username and password information that
permitted Chapman to log in to LendingTree's Apex system to retrieve mortgage
lead information. . . .
In May 2007, Beddingfield was laid off
from his position at LendingTree. . . . Several months later, in January 2008,
the company discovered that its Apex system had been accessed in a manner
inconsistent with company policy. . . . As a result, LendingTree disabled the
administrator log-in credentials that Beddingfield had previously provided to
Rosene. . . . Beginning on January 7, 2008, attempts to access the Apex system
using those credentials were unsuccessful. . . .
Brief of Appellant, supra
at *4.
Rich’s appellate brief goes on to explain that
[b]ased on these facts, a grand jury in
the Western District of North Carolina indicted Avritt, Beddingfield, Rich, and
Rosene for several charges arising under 18 U.S. Code § 1030, often
referred to as the Computer Fraud and Abuse Act (`CFAA’). . . . [A] person violates §
1030(a)(2) if he `intentionally accesses a computer without authorization
or exceeds authorized access, and thereby obtains . . . information from any protected computer.’ 18
U.S. Code § 1030(a)(2)(C). A related provision, § 1030(a)(4), creates
a separate offense for any person who, `knowingly and with intent to defraud,
accesses a protected computer without authorization, or exceeds authorized
access, and by means of such conduct furthers the intended fraud and obtains
anything of value.’ Id. § 1030(a)(4).
The indictment charged all four
defendants with conspiring to violate both § 1030(a)(2)(C) and §
1030(a)(4) by using `compromised’ administrator log-in credentials to
access LendingTree's Apex computer system. . . . In addition, the indictment
charged Rich (along with Avritt and Rosene) with 26 substantive counts of
violating § 1030(a)(2)(C) and 26 substantive counts of violating §
1030(a)(4). . . . The substantive counts were based on alleged access to the
Apex system on 26 specific dates between November 15, 2007, and January 4,
2008. . . .
Rich moved to dismiss the indictment
for `failure to state an offense’ under Federal Rule of Criminal Procedure
12(b)(3)(B). He argued, among other things, that the facts alleged in the
indictment did not establish a violation of the CFAA, as interpreted by WEC
Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals
for the 4th Circuit 2012). . . .
The district court denied Rich's motion
because it concluded that `the indictment sufficiently alleges the essential
elements of the offenses.’ . . . In reaching that conclusion, however, the
court did not address the scope of § 1030 under this Court's decision
in WEC Carolina. . . .
Brief of Appellant, supra
at *5.
The brief also explains that the U.S. District Court Judge
who had the case ultimately “imposed a low-end sentence of 24 months” on Rich.
Brief of Appellant, supra at *5.
In his appeal, Rich argued that his case
presents a question about the scope of
the Computer Fraud and Abuse Act (`CFAA’) that was left unanswered by WEC
Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of
Appeals for the 4th Circuit 2012). The CFAA makes it a criminal offense for a
person to `access[ ] a computer without authorization’ for the purpose of
`obtain[ing] . . . information’ or furthering a fraudulent scheme. 18 U.S.
Code §§ 1030(a)(2)(C), (a)(4). In WEC Carolina, this Court
`adopt[ed] a narrow reading’ of the CFAA's `unauthorized access’ element,
holding that it was not satisfied where an employee obtained information from
his company's computers and provided it to a third party in violation of
company policy. WEC Carolina Energy Solutions LLC v. Miller, supra.
Brief of Appellant, supra
at *1.
Rich’s brief goes on to argue that this
case presents a functionally equivalent
scenario. In addition to providing confidential company information, a
LendingTree employee also shared a password that allowed third parties
(including the defendant, Brian Rich) to obtain additional information directly
from the company's computer network. This Court should conclude that such
shared-password access does not satisfy the CFAA's `unauthorized access’
element and that, therefore, the facts alleged here do not constitute a CFAA
offense.
A contrary holding would convert the
CFAA from an anti-hacking statute into a criminal prohibition on commonplace
activities such as allowing a friend or family member to log in to your
Facebook account. Congress cannot have intended the statute to have such a
tremendously broad reach. See WEC Carolina Energy Solutions LLC v.
Miller, supra, at 206 (rejecting CFAA interpretation that would produce
`far-reaching effects unintended by Congress’); see also United
States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (rejecting
CFAA interpretation that would convert `millions of ordinary citizens’ into
CFAA criminals).
Brief of Appellant, supra
at *1 - *2.
Later, the brief develops this argument in more detail:
[a]pplying the reasoning of WEC
Carolina Energy Solutions LLC v. Miller, supra, this Court should conclude that accessing a computer using a
password shared by an employee of the computer's owner - the fact pattern
alleged in this case - does not violate the CFAA. In WEC Carolina,
the Court held that the scope of the CFAA's `unauthorized access’ element was
sufficiently ambiguous that the rule of lenity required the Court to `adopt a
narrow reading.’ WEC Carolina Energy Solutions LLC v. Miller, supra.
Likewise, here, the statute does `not
clearly criminalize[ ]’ shared-password access because a person who uses a
password shared by an agent or employee of the computer owner is acting with
`authorization,’ as that word is commonly understand. [sic] WEC Carolina Energy Solutions LLC v. Miller, supra. In addition to the rule of
lenity, at least two other principles of statutory interpretation support the
conclusion that the CFAA's `unauthorized access’ element does not cover
shared-password access. First, a contrary holding would produce absurd results,
most notably by criminalizing a wide swath of innocuous conduct such as a
husband allowing his wife to check his email account or a parent logging in to
monitor her children's activities on social media sites like Facebook or
Snapchat.
Second, because the statute fails to
provide the public with fair notice that shared-password access violates the
`unauthorized access’ provisions, such a broad interpretation would render
those provisions unconstitutionally vague as applied here. See United
States v. Drew, 259 F.R.D. 449 (U.S. District Court for the Central District of California 2009) (holding that the government's broad
interpretation of § 1030(a)(2)(C) renders that
provision unconstitutionally vague). Thus, under the canon of constitutional avoidance, the Court should adopt the narrower interpretation.
As suggested by WEC Carolina,
this Court should hold that the CFAA's `unauthorized access’ element prohibits
computer hacking, such as the use of a worm or virus to access a computer
without the permission of an agent or employee of the computer owner.
Accordingly, the Court should reverse Rich's conviction and remand for
dismissal of the indictment.
Brief of Appellant, supra
at *7 - *8.
Unfortunately for Rich, the U.S. Court of Appeals for the 4th
Circuit did not buy his arguments. United States v. Rich, supra. The Court of Appeals began its very brief
opinion by explaining, initially, that
`[w]here, as here, a district court's
denial of a motion to dismiss an indictment depends solely on a question of
law, we review the district court's ruling de novo.’ United States v.
Bridges, 741 F.3d 464 (U.S. Court of Appeals for the 4th Circuit 2014).
A federal indictment must contain the elements of the offense charged, fairly
inform the defendant of the charge, and enable the defendant to plead double
jeopardy as a defense to future prosecutions for the same offense. United States v. Resendiz–Ponce, 549 U.S. 102, 108 (2007); see Federal Rule of Criminal Procedure 7(c)(1).
Rich's sole challenge to the indictment
is that it failed to allege that the conspirators lacked authorization to
access LendingTree's network. With respect to this element, the indictment was
required to allege that the conspirators agreed to either access a protected
computer without authorization or exceed authorized access. See United
States v. Moussaoui, 591 F.3d 263, 296 (U.S. Court of Appeals for the
4th Circuit 2010) (stating elements of conspiracy); 18 U.S.C. §
1030(a)(2)(C) (stating requirements of CFAA).
United States v. Rich,
supra.
The Court of Appeals then addressed the specifics of Rich’s
argument:
Rich argues that the factual summary
accompanying his plea agreement indicates that the conspirators accessed
LendingTree's network solely through administrator log-in credentials validly
possessed by a coconspirator, and that such “password sharing” does not violate
the CFAA. See WEC Carolina Energy Sols. LLP v. Miller, 687
F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012) (holding
CFAA criminalizes obtaining or altering information individual lacked
authorization to obtain or alter). We cannot consider this factual summary in
reviewing the denial of a motion to dismiss, but must instead constrain our
review `to the allegations contained in the indictment'. United States
v. Engle, 676 F.3d 405 (U.S. Court of Appeals for the 4th
Circuit 2012).
We decline to reach Rich's argument regarding
the scope of the CFAA because even assuming, per arguendo, that Rich's interpretation is correct, the indictment was
sufficient to state an offense.
The indictment alleges that the
conspirators `accessed without authorization and exceeded authorized access to
one or more LendingTree Network protected computers . . . through the use of compromised LendingTree administrator
log-in credentials.’ To the extent Rich argues that the indictment allows
for the possibility that a coconspirator possessed valid log-in credentials,
this possibility does not render the indictment deficient. The indictment clearly
states that the access was `unauthorized’ and that the log-in credentials used
were `compromised.’
Because we find that the indictment sufficiently
alleges that the conspirators intended to access LendingTree's network without
authorization, we conclude that the district court did not err in denying
Rich's motion to dismiss.
United States v. Rich,
supra. The court therefore affirmed
the judgment of the district court. United States v. Rich, supra.