Adressing CFAA Weaknesses by using wire fraud statute

Fighting Computer Crime by Combining Federal and State Law


With the advent of the computer age, legislatures have been struggling to redefine the law to fit crimes perpetrated by computer age criminals. Although copyright law is effective for civil litigation, many computer crimes resemble more traditional offenses such as trespass and theft. In 1978, Florida became the first state to pass criminal statutes specifically directed towards computer crime, an act quickly followed by all other states.1 However, computer crimes remain an enigma. A Lexis search of all jurisdictions reported only thirty-six published opinions mentioning computer crimes, and half of those were cases addressing separate legal issues.2 Yet, the government estimates that over $500 million a year is lost due to specific computer crimes.3 With the advent of the internet and the ease of telecommunications many potential computer crimes have moved beyond the jurisdiction of individual states. The Federal Government must now shoulder the burden of enforcement and prevention. Although existing federal statutes enable prosecution of computer crimes, these statutes have proven inadequate. This paper examines the weakness in federal legislation used for computer crime, the inadequacies of states to fully enforce computer crimes, and suggests a union of state law and federal jurisdiction as a possible solution.

 

I. The Inadequacy of Federal Legislation

The Computer Fraud and Abuse act of 19864 (CFAA) was intended to be the chief weapon for a federal assault on computer crimes. The statute criminalizes six activities: (1) the unauthorized access of a computer to obtain information of national secrecy with an intent to injure the United States; (2) the unauthorized access of a computer to obtain protected financial information; (3) the unauthorized access of a computer intended for the exclusive use of the federal government; (4) the unauthorized interstate access of a computer system with an intent to defraud; (5) the unauthorized interstate access of computer systems that results in at least $1000 aggregate damage; and (6) the fraudulent trafficking in computer passwords affecting interstate commerce.5 However, CFAA is rarely used and has received little attention from Federal prosecutors.

Since its enactment, there has been one successful prosecution under CFAA. In 1991, the Second Circuit upheld the conviction of a college graduate student who released a virus on the internet causing several governmental computer systems to crash.6 The court refrained from a broad interpretation of CFAA, and instead limited their scope to discussing the intent requirement in the statute. Although the Circuit Court upheld the conviction, the court’s narrow construction has limited CFAA for future prosecution.

The weakness in CFAA results from Congress’ original purpose to narrow the statute to fraud and abuse only against the federal government. Although the act also criminalizes unauthorized interstate access of computer systems, this section only encompasses cases involving “federal interest computers,” which are defined specifically in the act.7 Congress wanted to allow the states more leeway in enforcing state criminal statutes, but failed to comprehend the exponential increase in private interstate computer activity. Even if CFAA is construed broadly by another court, the $1000 minimum damage amount in subsection (5) will force prosecutors to estimate the worth of various forms of intellectual property, a problem already evident under other criminal statutes. Stealing confidential information, such as prospective business plans or personal information, may have incredible subjective value, but worth little to an uninterested party. Because of its narrow scope, prosecutors have avoided CFAA, and instead relied on the more effective, Wire Fraud Statute and the National Stolen Property Act.

The Federal Wire Fraud Statute proscribes the use of wire communications in interstate or foreign commerce to further a scheme to defraud.8 A scheme to defraud is wronging one in his property rights by dishonest methods or schemes, usually through depriving someone something of value by trick, deceit, chicane, or overreaching.9 While the statute has been used for computer crimes, the application is often a stretch.

One of the first cases applying computer crime to the Wire Fraud Statute was United States v. Seidlitz.10 In Seidlitz, the defendant helped prepare software developed for a government project in Maryland. Following his resignation, Seidlitz later downloaded software from the project by breaking into the government’s security system.11 The court upheld the government’s theory that the defendant had devised a scheme to defraud in obtaining the software. According to the court, the scheme was based on Seidlitz defrauding the government’s computer–there were no individuals being defrauded.

In a more recent case, United States v. Riggs12, two students broke into a computer owned by Bell South Telephone in order to steal emergency services software. One of the students accessed the computer through the phone lines, acquired the software, and then disguised his unauthorized access by using account codes of current employees. He then transferred the code through modem to another state where his accomplice edited the code to conceal its origin and published the text in a computer newsletter. Similar to Seidlitz, the government proved that the two defendants had devised a scheme to defraud by downloading information, rather than defrauding individuals.

Wire Fraud has also been used where the perpetrators never even physically or electronically acquired the property. In United States v. Schreier, the defendant schemed to acquire airplane tickets through American Airlines by fraudulently rearranging frequent flyer miles through the airline’s computer system. The court held that the Wire Fraud Statute does not require that the defendant actually acquire the property, only if any person actually obtains the property. Furthermore, because of the fraud, American Airlines now had an economic liability -they owed someone a free ticket.13 In this case, the information was merely transferred from one account to another, yet the defendant never actually received the tickets. Schreier seems to follow the same logic of well settled law that fraudulently obtaining money through electronic transfers is wire fraud.14 Thus, the holding may limit prosecution under wire fraud where property has no objective tangible value, but is still valuable to the owner.

Establishing the concept of property for computer code as applied to the Wire Fraud Statute, has raised some serious questions in the courts. Most notably, whether or not the information stolen was something of value or was something tangible. When someone steals software from a computer system, the thief only acquires a copy, thus they are not depriving the owner of title to the information, only the rights to sole ownership and possible future profits.15 Both Riggs and Seidlitz concerned information of value, and the defendants had intent to use the information for profit. Consequently, if fraudulently acquiring property has no economic gain or loss to the parties, Wire Fraud may be unusable.

The Supreme Court has yet to rule on the applicability of the Wire Fraud Statute to computer crimes, but has addressed the issue of pure intellectual rights in Mail Fraud. In United States v. McNally16, the court held that mail fraud is limited to schemes aimed at causing deprivations of money or property. A few months later, the court modified its reasoning in United States v. Carpenter17, ruling that there is a property interest if the scheme deprives one of “exclusive use” to their information. These contrasting opinions predict an unclear future for defining intangible property rights in Wire Fraud. Craig M. Bradley argues that future cases may require an economic gain to the defendant or economic loss to the victim.18 Bradley points out that if “exclusive use” is the standard, “exclusive use” may be violated without any clear scheme to defraud. For example, if the defendant in Carpenter were to come home and explain to his family about the article he was going to write, he would still be depriving his employer of exclusive use over the article. However, the loss of confidential information is only a deprivation of a property interest if the loss threatens the victim with economic harm.19 Bradley argues that to maintain consistency in the law, an economic interest must be a requirement for fraud.20 The Sixth Circuit agreed with Bradley’s reasoning. In a subsequent case, the Circuit Court interpreted McNally and Carpenter as limiting Mail Fraud to schemes that have as their goal the transfer of something of economic value to the defendant.21

Requiring an economic gain or loss in Wire Fraud will limit the statute’s application to some computer crimes. If a thief downloaded a personal journal from another computer, the journal will probably not have any economic value to the defendant or victim, yet the act is still criminal. Downloading a personal journal without consent is theft, just as stealing a journal from a desk is theft. However, the actual journal has real property value in its pages and binding, while the computer version has none.

Additionally, the traditional notion of fraud seems to exclude some computer crimes. Congress’ original intent with Mail Fraud contemplated wronging one in his property rights by dishonest methods or schemes.22 With common law theft, however, there is no dishonesty to another party before acquiring the property-the property is merely taken without consent. Downloading computer information without authorization seems to resemble theft more then fraud, while breaking into a computer system resembles trespass more than a scheme to defraud. Even though simple trespass and theft may fit into Wire Fraud, a court would probably not find a scheme to defraud if the defendant in Riggs had only planned the scheme through electronic mail and then physically picked the lock at Bell South to steal certain documents. In response to maintaining a tighter fit between traditional theft and computer theft, federal prosecutors have attempted to use the National Stolen Property Act as a basis for conviction.

The National Stolen Property Act (NSPA) criminalizes interstate transportation of stolen or fraudulently obtained property in excess of $1000.23 The Riggs court also convicted the defendants under NSPA. However, the classification of intangible property is in more jeopardy under NSPA than Mail Fraud. The Supreme Court suggested in United States v. Dowling, that NSPA does not apply to the taking of purely intangible property.24 Riggs distinguished Dowling on the ground that the Supreme Court never construed the meaning of “goods, wares or merchandise.” The court noted that NSPA literally applied to theft of a tangible medium where intangible property was attached to it, such as a chemical formula written on a piece of paper. The court then reasoned that using a modem to steal the information, rather than taking an actual data disk or printout, should be no different – even though the information was stored inside a computer rather than on a disk, it was still “transferable and accessible.”25 The 10th Circuit disagreed with Riggs. In United States v. Brown, the Circuit Court held that stolen computer software did not constitute goods, wares, or merchandise as applied under NSPA.26 However, the Brown interpretation allows inequitable results by punishing theft differently depending on the worth of physical property. For example, if X uses his own diskette to steal a computer file worth $ 1000, and Y steals a diskette worth $ 1 containing a file worth $ 999. Under Brown, X may be prosecuted under the NSPA for theft of $ 1000 worth of property, while Y may not be prosecuted under the NSPA at all. Yet, both acts result in the same economic loss. The battle between the Riggs and Brown view is not over, and further differences in interpretation will only lead to a complete abandonment of using NSPA for computer crimes.

Another area that both NSPA and Wire Fraud fail to cover is the viewing of computer data. If someone breaks into a computer system and then views certain information, such an act is still criminal and can be equally effective at obtaining wanted information- just as if Riggs had broken into South Bell and looked through file cabinets, rather than physically stealing the files. Although crimes of this type may fall under other areas, common law trespass would be more effective, since the more obvious criminal act is breaking into the computer system, not defrauding the owner.

The use of NSPA has been more sparse then Wire Fraud in prosecuting computer crimes, and like Wire Fraud, will continue to challenge federal prosecutors and courts in fighting computer crime. However, the federal government is not alone in fighting computer crime, states have also enacted statutes addressing this new technology. Although state laws attack computer crimes in more practical ways, they carry a heavier burden of enforcement.

 

II. The Inadequacy of State Jurisdiction and Resources

State statutes are generally more practical in fitting computer crime with other traditional statutess.Some academics argue that state law is currently adequate to handle computer crime and that further federal legislation is unnecessary.27 In reality, states do not have to enact specific computer crime law – defining property rights and other computer lingo may be enough to use existing statutes against theft, destruction of property, and trespass for prosecution.28 However, as the internet continues to expand and crimes continue to become more interstate, state legislation will be less effective. Determining proper venue for the crime is bound to become an issue. Only one published case has ruled on venue from county to county in the same state, but none has specifically addressed jurisdiction between sovereigns.29 Furthermore, contrasting laws between states pose greater problems. For example, if a casino in Las Vegas decided to run a roulette wheel through the internet so users could play live – using their credit cards as money, the casino may escape liability. The gambling operation is perfectly legal in Nevada, while illegal under Wisconsin law. In Wisconsin the gambler can be prosecuted, because state law only requires that a “bet” be made.30 Prosecuting the Las Vegas casino in Wisconsin is another difficulty, yet the casino is clearly criminal by an extension of their gambling into Wisconsin through the internet. Furthermore, Wisconsin officials will be inhibited at stamping out casino gambling, since prosecuting every individual is more difficult and less effective than prosecuting the source of the gambling. Criminal conduct originating out of state carries a greater burden of prosecution due to extra travel, availability of witnesses, and accessibility to information. In an era of budget limitations, state legislatures may be unwilling to cough up additional resources for interstate crime, especially if they see interstate computer crime as a federal issue.

State courts may also be ineffective. Computer technology is often difficult to understand and it is important to consider the ramifications for setting precedent in computer law. Because federal judges are sparse and have smaller case loads, they will be more able to envision the national scope of computer crime. A unified law makes prosecution more efficient and more likely, thus also increasing deterrence for future computer criminals.

Jurisdictional enigmas will continue to haunt prosecution of computer crimes as long as state statutes remain diverse. Problems such as difficulty in proving venue and extraditing criminals will only lead to some criminals escaping the law due to inadequate resources. The expanding scope of private interstate computer crime clearly points to the federal government as the ultimate enforcer. However, Congress first needs to learn from the states in enacting proper statutes that attack computer crimes more traditionally and more vigorously. The next section suggests a union between these two issues: federal jurisdiction and state law.

 

III. Combining State and Federal Strengths through Federal Legislation

To enable more diligent prosecution of computer crimes, Congress must rehabilitate federal computer crime law. Current manipulation of Wire Fraud, a narrow vision of CFAA, and contrasting opinions of property value in the National Stolen Property act only serve to inhibit the government in successful prosecution of serious crimes. First, Congress must address all possible crimes that may be committed interstate through a computer. Although crimes such as theft and trespass are usually considered local crimes, computer activity elevates these crimes to an interstate level – legislation should handle them at an interstate level. To supersede state criminal statutes, federal statutes should address all traditional state crimes applicable to computer activity limiting the crimes to computers so as not to usurp other areas state jurisdiction.31 Allowing prosecutors to charge crimes more relevant to actual conduct will limit the potential for absurd charging decisions and confusing precedent. Furthermore, federal attention to computer crimes will assure jurisdictional certainty and will relieve states from the burdens of complex investigation and extradition of those who may reside in other states.

Federal agents are better equipped to investigate interstate computer criminals. In addition to the vast technical resources of the federal government, there are government agents in every state, reducing the overhead cost of investigating interstate crime. If a crime is committed in Wisconsin by a casino in Las Vegas through the internet, federal agents in Nevada are in a better position to respond more quickly and more effectively than Wisconsin investigators.

Furthermore, to gradate crimes of damage and theft for sentencing requirements, confusing damage assessments must be amended to allow alternatives. Because estimating the actual worth of intellectual property is controversial, much time and resources will be spent on judging the worth of property stolen or damaged. Instead, a sentencing structure could be gradated based on the number of bytes transferred or destroyed in addition to monetary thresholds. For example, the threshold for theft of computer property at level 1 in the federal guidelines could be $100 or 100 kilobytes, subject to the prosecutor’s choice.

In addition to federal legislation, the reporting of computer crime must be encouraged. One method may be federal regulation of computer security requirements and diligent reporting of criminal activity to insurance companies. However, regulation may not be necessary. As losses continue to rise because of computer fraud and theft, insurance companies may demand more security, and reports of crimes from clients in exchange for more coverage and lower rates.

Conclusion

As the climate of interstate computer use continues to change, the law needs to adapt. Current federal statutes, such as the Computer Fraud and Abuse Act, Wire Fraud, and the National Stolen Property Act, are inadequate to handle what should be more typical state law crimes of trespass and theft. While state statutes remain more practical, their effectiveness is limited to state jurisdiction and state resources. Federal legislation encompassing state computer crime statutes will overcome the difficulties existing in current federal legislation, However, with the advent of new technologies such as artificial intelligence, computer crime legislation is bound to encounter new roadblocks. If current law is unsettled, future law will be disastrous.

Notes

 

1 Fla. Stat. Ann. §815
2 Lexis search done on 5/2/95 for all state and federal courts using “Computer Crime” as a search key
3Dierks, Michael P. “Computer Network Abuse,” 6 Harv. J.Law and Tech 307, 319.
4 18 U.S.C. §1030.
5 Id. at §1030(a)(1)-(a)(6).
6 United States v. Morris, 928 F.2d 504 (2nd Cir. 1991).
7 18 U.S.C. §1030(e)(2).
8 18 U.S.C. §1343.
9 United States v. McNally, 483 U.S. 350, 358 (1987).
10 589 F.2d 152 (4th Cir. 1978), cert. denied, 441 U.S. 922 (1979).
11 To “download” means to acquire information electronically through the telephone lines or remotely from a separate computer.
12 739 F.Supp 414 (N.D. Ill. 1990),
13 908 F.2d 645 (10th Cir. 1990), cert. denied, 111 S. Ct. 787 (1991).
14 See United States v. Kroh, 896 F2d 1524 (1990); United States v. Lagerquist, 820 F.2d 969 (8th Cir. 1987); United States v. Levy, 579 F.2d 1332 (5th Cir. 1978).
15 See U.S. v. Prows, 1995 U.S. App. LEXIS 6548, 16 (The court found Wire Fraud in that fraudulently obtaining software from the Wordperfect company with intent to sell deprived the company of software, and indirectly of profits
16 107 S.Ct., 2875, 2881 (1987).
17 108 S.Ct. 316, 320 (1987).
18 Bradley, Craig M. “The Essence of Mail Fraud” 79 J. Crim. L. 573.
19 International News Service v. Associated Press, 248 U.S. 215, 236 (1918).
20 Bradley, 79 J. Crim. L. 573, 581..
21 United States v. Baldinger, 838 F.2d 176 (6th Cir. 1988).
22Bradley, 79 J. Crim. L. 573, 581.
23 18 U.S.C. §2314.
24 110 S.Ct. 669 (1990).
25 Riggs, 739 F.Supp. at 421.
26 925 F,2d 1301, 1308 (10th Cir. 1991).
27 Dierks, Michael P. “Computer Network Abuse” 6 Harv. J. Law and Tec 307.
28 Wisconsin provides a good example of statutory language that avoids the use of fraud as an element. “Whoever willfully, knowingly, and without authorization (1) Modifies data; (2) Destroys data; (3)Access data; (4) takes possession of data; (5) copies data; (6) discloses access codes. Wis. Stats. §943.70(2)(b)(1-6). See also Minn. Stat. 609.89 for statutes that resemble traditional common law crimes.
29 The Pennsylvania Supreme Court held that “venue may lie at the location of the central computer” Commonwealth v. Katsafanas, 464 A.2d 1270 (Penn. 1982).
30 Wis. Stats. §945.02
31 Wisconsin provides a good example of statutory language that would work well on the federal level “Whoever willfully, knowingly, and without authorization (1) Modifies data; (2) Destroys data; (3)Access data; (4) takes possession of data; (5) copies data; (6) discloses access codes. Wis. Stats. §943.70(2)(b)(1-6)

Composed by Jeff Sloan – email jsloan@bitstream.net

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s