Information Security

Information Security Legal Considerations Dr. Randy Kaplan


Transcript of Information Security

Page 1: Information Security

Information Security: Legal Considerations

Dr. Randy Kaplan

Page 2: Information Security

Computer Crime

• Legal Considerations

• Law enforcement has always lagged behind technology

• The computer offers a new venue for committing crimes - one that is almost unlimited

Page 3: Information Security

Computer Crime

• Legal Considerations

• In the history of the Computer Fraud and Abuse Act, 1980 is considered the “dawn of the computer age.”

• There are documented cases of computer crime as far back as 1960

Page 4: Information Security

Computer Crime

• 1984

• Comprehensive Crime Control Act of 1984

• Provisions to address unauthorized access and use of computers and computer networks

• Congress wanted to provide a “clearer statement” of this activity

Page 5: Information Security

Computer Crime

• This clarification was for -

• Law enforcement

• Those who own and operate computers

• Those who may be tempted to commit crimes by unauthorized access

Page 6: Information Security

Computer Crime

• Consider the environment at the time

• Mainframes (large-scale computers) were still prevalent

• Lots of minicomputers

• Two years after the IBM PC was introduced - MS-DOS was the operating system of the day

Page 7: Information Security

Computer Crime

• Most computer crime of the day consisted of gaining access to computer systems to -

• use data contained on these computers to the perpetrator’s advantage

• do damage

• simply have access to the computer resource

Page 8: Information Security

Computer Crime

• Congress made it a felony to access classified information in a computer without authorization

• Access to financial records or credit histories stored in a financial institution was a misdemeanor

• It was also a misdemeanor to trespass into a government computer

Page 9: Information Security

Computer Crime

• Congress did not add these provisions to existing laws

• Rather, they created a new statute, 18 U.S.C. Section 1030.

Page 10: Information Security

Computer Crime

• After Section 1030 was enacted -

• Congress continued to investigate problems associated with computer crime to determine whether federal laws required revision

• Throughout 1985 both the House and Senate held hearings on potential computer crime bills

Page 11: Information Security

Computer Crime

• In 1986, the work of Congress culminated in the Computer Fraud and Abuse Act (CFAA)

• Enacted in 1986

• Amended 18 U.S.C. Section 1030

Page 12: Information Security

CFAA

• Congress attempted to strike a balance

• Federal government’s interest in computer crime

• Interest of States to proscribe and punish these offenses

Page 13: Information Security

CFAA

• Congress addressed federalism concerns

• Limit federal jurisdiction

• Only cases with a compelling federal interest

• Where the computers of the federal government or certain financial institutions are involved or -

Page 14: Information Security

CFAA

• the crime itself is interstate in nature

Page 15: Information Security

CFAA

• The CFAA clarified a number of provisions in the original section 1030

• Criminalized additional computer-related acts

Page 16: Information Security

Damage or Destruction of Data

• Penalize those who intentionally damage or destroy data belonging to others

• Penalize those who steal property via computer that occurs as part of a scheme to defraud

Page 17: Information Security

Damage or Destroy

• Penalize those who intentionally damage or destroy data belonging to others

• Covers activities like:

• DoS (denial-of-service) attacks

• Distribution of malicious code

Page 18: Information Security

Password Trafficking

• Congress also included a provision criminalizing the trafficking of passwords and similar items

Page 19: Information Security

Amendments

• CFAA amended

• 1988

• 1989

• 1990

• 1994

• 1996

• 2001

• 2002

Page 20: Information Security

Types of Criminal Activities

• CFAA identifies seven types of criminal activities

• Obtaining National Security Information

• Compromising the confidentiality of a computer

• Trespassing in a Government computer

Page 21: Information Security

Types of Criminal Activities

• CFAA identifies seven types of criminal activities

• Accessing a Computer to defraud and obtain value

• Knowing Transmission and Intentional Damage

• Intentional Access and Reckless Damage

Page 22: Information Security

Types of Criminal Activities

• CFAA identifies seven types of criminal activities

• Intentional Access and Damage

• Trafficking of Passwords

• Extortion Involving Threats to Damage Computer

Page 23: Information Security

Civil Action

• The CFAA allows victims who suffer specific types of loss or damage, under certain circumstances, to sue for compensatory damages and injunctive or other equitable relief

Page 24: Information Security

Key Terms

• Two terms are common to most prosecutions under section 1030

• Protected Computer

• Authorization

Page 25: Information Security

Protected Computer

• “protected computer”

• a statutory term of art that has nothing to do with the security of the computer

Page 26: Information Security

Protected Computer

• “protected computer”

• protected computer refers to computers that are used in interstate or foreign commerce (e.g., the Internet) and computers of the federal government and financial institutions

Page 27: Information Security

Protected Computer

• “protected computer”

• did not appear in the CFAA until 1996

• Congress was attempting to correct deficiencies identified in earlier versions of the statute

Page 28: Information Security

Protected Computer

• “protected computer”

• In 1994 Congress amended the CFAA

• Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer”

Page 29: Information Security

Protected Computer

• “protected computer”

• Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer”

• Expands the scope of the act

• Include certain non-governmental computers

Page 30: Information Security

Protected Computer

• “protected computer”

• The 1994 amendment inadvertently removed protections for computers that were government and financial computers not used in interstate commerce

Page 31: Information Security

Protected Computer

• “protected computer”

• In 1996 “protected computer” defined as

• a computer used by the federal government or financial institution OR

• a computer used in interstate or foreign commerce

Page 32: Information Security

Protected Computer

• “protected computer”

• This definition did not explicitly cover -

• an attacker within the U.S. attacking a computer system located abroad

• individuals in a foreign country routing communications through the U.S. as they hacked abroad

Page 33: Information Security

Authorization

• Criminal offenses will usually involve

• access without authorization

• exceeding authorized access

• The term “without authorization” is not defined in the Act

• One court found its meaning to be elusive

Page 34: Information Security

“Exceeds Authorized Access”

• Defined by the CFAA

• To access a computer with authorization

• Use this access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter

Page 35: Information Security

Insiders

• The legislative history of the CFAA reflects an expectation

• Persons who exceed authorized access are likely to be insiders

• Persons who act without authorization are likely to be outsiders

Page 36: Information Security

Insiders

• As a result of this expectation -

• Congress restricted the circumstances under which an insider could be held liable for violating section 1030

Page 37: Information Security

Insiders

• “Insiders who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage.”

Page 38: Information Security

Outsiders

• Breaking into a computer

• can be punished for any intentional, reckless, or other damage they cause by their trespass

Page 39: Information Security

Outsiders

• Have no rights to use a protected computer system and should therefore be subject to a wider range of criminal prohibitions

• Those who act without authorization can be convicted under any of the access offenses contained in the CFAA

Page 40: Information Security

Authorization

• The universe of individuals who lack any authorization to access a computer is relatively easy to define

• Determining whether individuals who possess some legitimate authorization to access a computer have exceeded that authorized access may be more difficult

Page 41: Information Security

Exceeds Authorized Access

• To access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter

Page 42: Information Security

Scope of Authorization

• Hinges upon the facts of each case

• Simple prosecution -

• a defendant without authorization to access a computer may intentionally bypass a technological barrier that prevented her from obtaining information on a computer network

Page 43: Information Security

Scope of Authorization

• Many cases will involve exceeding authorized access

• Establishing the scope of authorized access will be more complicated

• The extent of authorization may depend on an employment agreement

Page 44: Information Security

Scope of Authorization

• May depend on

• terms of service notice

• log-on banner outlining the permissible purposes for accessing a computer or computer network

Page 45: Information Security

Scope of Authorization

• In one case

• an insider

• limited authorization to use a system

• strayed far beyond the bounds of his authorization

• The court treated him as acting without authorization

Page 46: Information Security

Scope of Authorization

• United States vs. Morris

• Convicted under a previous version of Section 1030(a)(5) which punished “intentionally accessing a Federal interest computer without authorization.”

Page 47: Information Security

Morris’s Crime

• Created an Internet program known as a worm which spread to computers across the country and caused damage

• To enable the worm to spread, Morris exploited vulnerabilities in two processes he was authorized to use - sendmail and fingerd

Page 48: Information Security

Morris’s Appeal

• Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail on some university computers, he merely exceeded authorized access rather than having gained unauthorized access

Page 49: Information Security

Morris’s Appeal

• The Second Circuit rejected Morris’ argument on three grounds

• (1) It held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization

Page 50: Information Security

Morris’s Appeal

• Congress did not intend an individual’s access to one federal interest computer to protect him from prosecution no matter what other federal interest computers he accesses

Page 51: Information Security

Morris’s Appeal

• (2) The court held that although Morris may have been authorized to use certain generally available functions - such as email or user query services on the system victimized by the worm

Page 52: Information Security

Morris’s Appeal

• Morris misused that access in such a way to support a finding that his access was unauthorized

Page 53: Information Security

Morris’s Appeal

• The court wrote:

• Morris did not use either of those features in any way related to their intended function

• He did not send or read mail nor discover information about other users

Page 54: Information Security

Morris’s Appeal

• He found holes in both programs that permitted him a special and unauthorized access route into other computers

Page 55: Information Security

Morris’s Appeal

• Lastly,

• The court held that even assuming the defendant’s initial insertion of the worm exceeded his authorized access

• Evidence demonstrated that the worm was designed to spread to other computers and gain access to those computers without authorization

Page 56: Information Security

Authorization

• Authorization is a fluid concept

• Even when authorization exists, it can be withdrawn or it can lapse

• A court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer

Page 57: Information Security

Sidebar

• Agency Law pertains to the law that applies when an agent is authorized to act on behalf of another

Page 58: Information Security

Shurgard

• Employees were found to have acted without authorization when they accessed their employer’s computers to appropriate trade secrets for the benefit of a competitor

Page 59: Information Security

Shurgard

• The court applied principles of agency law

• They concluded that the employees’ authorized access to the employer’s computer ended when they became agents of the competitor

Page 60: Information Security

Authorization

• It makes some sense to avoid the authorization requirement when charging a criminal given the fluidity of its definition

Page 61: Information Security

Obtaining National Security Information

• Infrequently used

• Punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient or willfully retaining the information

Page 62: Information Security

Section 1030(a)(1)

Whoever -

(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully

Page 63: Information Security

Section 1030(a)(1)

communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, or transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it …

shall be punished as provided in subsection (c) of this section.

Page 64: Information Security

Computer Access

• Knowingly access a computer without or in excess of authorization

• Proof that the defendant knowingly accessed a computer without authorization or in excess of authorization

Page 65: Information Security

Computer Access

• Covers -

• Completely unauthorized individuals who intrude into a computer containing national security information

• Also insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access

Page 66: Information Security

Obtain National Security Information

• Requires that the information obtained is national security information

• For example - information from a Defense Department or Department of Energy computer

Page 67: Information Security

Injure the U.S.

• Requires proof that the defendant has reason to believe that the national security information obtained could be used to the injury of the U.S. or to the advantage of any foreign nation

Page 68: Information Security

Injure the U.S.

• National security information is classified +

• Defendant knows that the information is classified =

• Sufficient to establish the offense

Page 69: Information Security

Willful

• Communication, Delivery, Transmission, or Retention

• In order to prove this the defendant must have -

• communicated, delivered, or transmitted to any person not entitled to receive it

Page 70: Information Security

Willful

• In order to prove this the defendant must have -

• communicated, delivered, or transmitted to any person not entitled to receive it

• attempted to communicate …

• caused it to be communicated …

• willfully retained ...

Page 71: Information Security

Penalties

• Punishable by a fine, imprisonment for not more than 10 years, or both

• A second violation is punishable by a fine, imprisonment for not more than 20 years or both

Page 72: Information Security

Charges

• Rarely occurs

• Lack of prosecution may be because of the similarity between 1030(a)(1) and 793(e)

• In a situation where both are applicable, prosecutors may tend towards 793(e) for which guidance and precedent are more prevalent

Page 73: Information Security

Charges

• However -

• Leandro Aragoncillo

• FBI intelligence analyst

• Ft. Monmouth Information Technology Center

• Charged with section 1030(a)(1) violation

Page 74: Information Security

Charges

• However -

• Admitted that he had used his FBI computer to access classified documents

• Used FBI’s automated case system

• Transmitted information to former and current officials of the Philippine government

Page 75: Information Security

1030(a)(1) and 793(e)

• Overlap but,

• Do not reach exactly the same conduct

• Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and

Page 76: Information Security

1030(a)(1) and 793(e)

• thereby obtained national security information and

• subsequently performed some unauthorized communication or other improper act with that data

Page 77: Information Security

1030(a)(1) and 793(e)

• 1030(a)(1) focuses on -

• possession

• control

• subsequent transmission

• of information as does 793(e)

• but also

Page 78: Information Security

1030(a)(1) and 793(e)

• focuses on the improper use of a computer to obtain the information itself

Page 79: Information Security

1030(a)(1) and 793(e)

• Existing espionage laws like 793(e)

• provide solid ground for prosecution of individuals who attempt to peddle information to foreign governments

Page 80: Information Security

1030(a)(1) and 793(e)

• If a computer is involved in the process of obtaining, communicating, or transmitting the information, then

• Prosecutors should consider charging a violation of section 1030(a)(1)

Page 81: Information Security

Section 808 of the USA Patriot Act

• Added section 1030(a)(1) to the list of crimes that are considered to be “Federal Crime[s] of Terrorism” under 18 U.S.C. Section 2332b(g)(5)(B)

• This addition affects prosecutions under 1030(a)(1) in three ways

Page 82: Information Security

Section 808 of the USA Patriot Act

• Statute of limitation for (a)(1) now extended to 8 years

• Statute of limitation is eliminated for offenses that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person

Page 83: Information Security

Section 808 of the USA Patriot Act

• Second

• Term of supervised release after imprisonment for any offense that resulted in or created foreseeable risk of death or serious bodily injury of another person can be any term of years or life

• Formerly for 1030(a)(1) this term was 5 years

Page 84: Information Security

Section 808 of the USA Patriot Act

• Third -

• Added any offenses under section 2332b(g)(5)(B) to 18 U.S.C. Section 1961(1), making them predicate offenses for prosecution under the Racketeer Influenced and Corrupt Organizations Act (RICO)

Page 85: Information Security

Section 808 of the USA Patriot Act

• Third -

• As a result, any RICO enterprise which may include terrorist groups that carries out acts of cyberterrorism in violation of 1030(a)(1) can now be prosecuted under the RICO statute

Page 86: Information Security

Compromising Confidentiality

• 1030(a)(2)

• Punishes unauthorized access of different types of information and computers

• Violations of this section are misdemeanors unless aggravating factors exist

Page 87: Information Security

Compromising Confidentiality

• 1030(a)(2)

• Some intrusions may violate more than one subsection

• Example -

• a computer intrusion into a federal agency’s computer might be covered under at least two subsections

Page 88: Information Security

Compromising Confidentiality

• 1030(a)(2)

• No monetary threshold for a violation

• Recognizes the fact that some invasions of privacy do not lend themselves to monetary valuation

• Still warrant federal protection

Page 89: Information Security

Compromising Confidentiality

• Examples

• Downloading sensitive personnel information from a company’s computer via an interstate communication

• Gathering personal data from the National Crime Information Center would both be serious violations of privacy

Page 90: Information Security

Compromising Confidentiality

• Examples

• These do not lend themselves to a dollar valuation of the damage

Page 91: Information Security

Compromising Confidentiality

• Even though there is no monetary threshold under 1030(a)(2),

• the value of the information obtained is important when determining whether a violation constitutes a misdemeanor or felony

Page 92: Information Security

Compromising Confidentiality

Title 18, United States Code, Section 1030(a)(2) provides:

Whoever– (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains– (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication ... shall be punished as provided in subsection (c) of this section.

Page 93: Information Security

Compromising Confidentiality

• Intentionally Access a Computer

• Requires that the defendant actually be the one to access a computer without authorization rather than merely receive information that was accessed

Page 94: Information Security

Compromising Confidentiality

• Example

• If A obtains information in violation of 1030(a)(2) and forwards it to B, B has not violated this section even if B knew the source of the information

Page 95: Information Security

Compromising Confidentiality

• Obtained Information

• expansive term

• includes viewing information without downloading or copying

Page 96: Information Security

Compromising Confidentiality

• Obtained Information

• Information stored electronically can be obtained not only by actual theft but by mere observation of the data

Page 97: Information Security

Compromising Confidentiality

• Obtained Information

• The crux of the offense under subsection 1030(a)(2)(C) … is the abuse of a computer to obtain the information

Page 98: Information Security

Compromising Confidentiality

• Obtained Information

• Information includes intangible goods

• This issue was raised by the Tenth Circuit’s decision in U.S. vs. Brown

Page 99: Information Security

Compromising Confidentiality

• Obtained Information

• In Brown the appellate court held that purely intangible intellectual property, such as a computer program, did not constitute goods or services that can be stolen or converted

Page 100: Information Security

Compromising Confidentiality

• Obtained Information

• The 1996 amendments to section 1030(a)(2) would “ensure that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected”

Page 101: Information Security

Compromising Confidentiality

• Financial Institution or Consumer Reporting Agency

• To prove a violation of section 1030(a)(2)(A), obtaining information related to the Fair Credit Reporting Act (FCRA), the violation must be willful.

Page 102: Information Security

Compromising Confidentiality

• Financial Institution or Consumer Reporting Agency

• To prove willfulness under the FCRA, the government must show that the defendant knowingly and intentionally committed an act in conscious disregard for the rights of a consumer

Page 103: Information Security

Compromising Confidentiality

• Department or Agency of the United States

• No court has addressed -

• whether a company working as a private contractor for the government constitutes a “department or agency of the United States”

Page 104: Information Security

Compromising Confidentiality

• Department or Agency of the United States

• The argument that private contractors are intended to be covered by this section may be undercut by section 1030(a)(3)

Page 105: Information Security

Compromising Confidentiality

• Department or Agency of the United States

• 1030(a)(3) includes language permitting prosecution of trespass into government systems and non-government systems, if ...

Page 106: Information Security

Compromising Confidentiality

• Department or Agency of the United States

• if such conduct affects that use by or for the Government of the United States

• The existence of this language suggests that if Congress had intended to extend the reach of 1030(a)(2) it would have done so

Page 107: Information Security

Compromising Confidentiality

• Protected Computer

• defined in section 1030(e)(2) and was discussed previously

Page 108: Information Security

Compromising Confidentiality

• A violation of this section must involve an actual interstate or foreign communication and not merely the use of an interstate communication mechanism

• The intent of this subsection is to protect against the interstate or foreign theft of information by computer

Page 109: Information Security

Compromising Confidentiality

• It is not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer

• Using the Internet or connecting by telephone to a network may not be sufficient to charge a violation of this subsection

Page 110: Information Security

Compromising Confidentiality

• Penalties

• Misdemeanor

• Punishable by a fine or a one-year prison term unless aggravating factors apply

Page 111: Information Security

Compromising Confidentiality

• Penalties

• A felony if -

• committed for commercial advantage or private financial gain

• committed in furtherance of any criminal or tortious act in violation of the Constitution or

Page 112: Information Security

Compromising Confidentiality

• Penalties

• A felony if -

• committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the U.S. or of any state, or

• the value of the information obtained exceeds $5000

Page 113: Information Security

Compromising Confidentiality

• Penalties

• As a felony -

• Punishable by a fine, up to five years’ imprisonment, or both

Page 114: Information Security

Trespassing in a Government Computer

• 18 U.S.C. Section 1030(a)(3)

• Protects against “trespasses” by outsiders into federal government computers -

• even when no information is obtained during such trespasses

Page 115: Information Security

Trespassing in a Government Computer

• Section 1030(a)(2) applies to many of the same cases in which section 1030(a)(3) could be charged

• In these cases, section 1030(a)(2) may be the preferred charge

• This is because a first offense may be charged as a felony if certain aggravating factors are present

Page 116: Information Security

Trespassing in a Government Computer

Title 18, United States Code, Section 1030(a)(3) provides:

Whoever–

(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States …. shall be punished as provided in subsection (c) of this section.

Page 117: Information Security

Trespassing in a Government Computer

• Intentionally Access

• The meaning of this term under this section is identical to the meaning under section 1030(a)(2)

Page 118: Information Security

Trespassing in a Government Computer

• Without Authorization

• By requiring that the defendant act without authorization to access the computer,

• Congress did not criminalize merely exceeding authorized access to a computer

Page 119: Information Security

Trespassing in a Government Computer

• Without Authorization

• section 1030(a)(3) does not apply to situations in which employees merely “exceed authorized access” to computers in their own department

Page 120: Information Security

Trespassing in a Government Computer

• Without Authorization

• Congress also offered that section 1030(a)(3) applies “where the offender’s act of trespass is interdepartmental in nature”

Page 121: Information Security

Trespassing in a Government Computer

• Nonpublic Computer of the United States

• Nonpublic includes most government computers

• But not Internet servers that, by design, offer services to members of the general public

Page 122: Information Security

Trespassing in a Government Computer

• Nonpublic Computer of the United States

• Example

• A government agency’s database server is probably nonpublic while the same agency’s web servers and domain name servers are “public”

Page 123: Information Security

Trespassing in a Government Computer

• Affected the U.S.’s Use of the Computer

• Demonstrating that the attacked computer is affected by an intrusion should be simple

Page 124: Information Security

Trespassing in a Government Computer

• Affected the U.S.’s Use of the Computer

• Almost any network intrusion

• affects the government’s use of its computers

• because ...

Page 125: Information Security

Trespassing in a Government Computer

• Affected the U.S.’s Use of the Computer

• because any intrusion potentially affects the confidentiality and integrity of the government’s network

• often requires substantial measures to reconstitute the network

Page 126: Information Security

Trespassing in a Government Computer

• Affected the U.S.’s Use of the Computer

• In Sawyer vs. Department of Air Force

• It was not necessary to demonstrate that the intruder obtained any information from the computer or,

Page 127: Information Security

127

Trespassing in a Government Computer

• Affected U.S.’s Use of Computer

• In Sawyer vs. Department of Air Force

• that the intruder’s trespass damaged any information from the computer

Page 128: Information Security

128

Trespassing in a Government Computer

• Affected U.S.’s Use of Computer

• In Sawyer vs. Department of Air Force

• It is not even necessary to show that the intruder’s conduct “adversely” affected a government’s computer

Page 129: Information Security

129

Trespassing in a Government Computer

• Affected U.S.’s Use of Computer

• Under 1030(a)(3) there are no benign intrusions into government computers

Page 130: Information Security

130

Trespassing in a Government Computer

• Penalties

• Violations of this subsection are punishable by -

• a fine and

• up to one year in prison unless …

Page 131: Information Security

131

Trespassing in a Government Computer

• Penalties

• Violations of this subsection are punishable by -

• the individual has been previously convicted of a 1030 offense

• In this case the punishment increases to a maximum of 10 years in prison

Page 132: Information Security

132

Trespassing in a Government Computer

• Relationship to other statutes

• not charged often

• 1030(a)(2) applies in many of the same cases

• 1030(a)(2) may be preferred because sentencing enhancements sometimes allow 1030(a)(2) to be charged as a felony on the first offense

Page 133: Information Security

133

Accessing to Defraud and obtain value

• 1030(a)(4)

• When deciding how to charge a computer hacking case, prosecutors should consider 1030(a)(4) as an alternative to 1030(a)(2) where evidence of fraud exists

Page 134: Information Security

134

Accessing to Defraud and obtain value

• 1030(a)(4)

• This section is a felony

• (a)(2) is a misdemeanor unless certain aggravating factors apply

Page 135: Information Security

135

Accessing to Defraud and obtain value

• Prosecutors may also want to consider charges under the wire fraud statute

• Section 1343 requires proof of many elements similar to those needed for section 1030(a)(4)

• Carries stiffer penalties

Page 136: Information Security

136

Accessing to Defraud and obtain value

Title 18, United States Code, Section 1030(a)(4) provides:

Whoever– (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any -year period … shall be punished as provided in subsection (c) of this section.

Page 137: Information Security

137

Accessing to Defraud and obtain value

• With Intent to Defraud

• not defined by 1030

• little case law under 1030 exists as to its meaning

• interpretation of the phrase is an issue for the courts

Page 138: Information Security

138

Accessing to Defraud and obtain value

• With Intent to Defraud

• might require proof of “law fraud”

• or may allow proof of dishonesty or wrongdoing to suffice

Page 139: Information Security

139

Accessing to Defraud and obtain value

• With Intent to Defraud

• Law Fraud

• false representation

• in reference to a material fact

• made with knowledge of falsity

• with intent to deceive and

Page 140: Information Security

140

Accessing to Defraud and obtain value

• With Intent to Defraud

• Law Fraud

• with intent to deceive and

• action taken in reliance upon the representation

Page 141: Information Security

141

Accessing to Defraud and obtain value

• With Intent to Defraud

• “to defraud”

• Supreme Court rejected notion -

• every scheme or artifice

• calculated to injure or deprive

Page 142: Information Security

142

Accessing to Defraud and obtain value

• With Intent to Defraud

• “to defraud”

• of property wrongfully

• constitutes fraud

• (Fasulo v. U.S. 1926)

Page 143: Information Security

143

Accessing to Defraud and obtain value

• Broader alternative can be found in Shurgard Storage Centers v Safeguard Self Storage, Inc. (2000)

Page 144: Information Security

144

Accessing to Defraud and obtain value

• Civil case involving 1030(a)(4)

• Court favored an expansive interpretation of “intent to defraud”

• Denied the defendant’s motion to dismiss

Page 145: Information Security

145

Accessing to Defraud and obtain value

• Court holds that the word fraud simply means wrongdoing

• Does not require proof of the elements of common law fraud

Page 146: Information Security

146

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• Unauthorized or exceeding access can further a fraud in several ways

Page 147: Information Security

147

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• defendant alters or deletes records on a computer

• receives something of value from an individual

• individual relies on the accuracy of the altered or deleted records

Page 148: Information Security

148

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• U.S. vs Butler (2001)

• Defendant altered credit reporting agency’s records to improve credit ratings of his coconspirators

• Coconspirators used improved credit ratings to purchase goods

Page 149: Information Security

149

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• U.S. vs. Sadolsky (2000)

• Used employer’s computer to credit amounts for returned merchandise to his personal credit card

Page 150: Information Security

150

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• defendant obtains information from a computer

• uses information to commit fraud

Page 151: Information Security

151

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• U.S. vs Lindsley (2001)

• Defendant accessed a telephone company’s computer without authorization

• obtained calling card numbers

• used numbers to make free long distance calls

Page 152: Information Security

152

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• defendant uses computer to produce falsified documents

• documents are later used to defraud

Page 153: Information Security

153

Accessing to Defraud and obtain value

• Access furthered the intended fraud

• U.S. vs. Bae

• Defendant used a lottery terminal to produce back-dated tickets with winning numbers

• Turned those tickets in to collect lottery prizes

Page 154: Information Security

154

Accessing to Defraud and obtain value

• Obtains anything of value

• easily met if the defendant obtained money, cash, or a good or service with measurable value

Page 155: Information Security

155

Accessing to Defraud and obtain value

• Obtains anything of value

• More complex issues

• Defendant obtains only the use of a computer

• Defendant obtains only information

Page 157: Information Security

157

Accessing to Defraud and obtain value

• Obtains anything of value

• Use of the computer as a thing of value

• The statute recognizes that the use of a computer can constitute a thing of value

Page 158: Information Security

158

Accessing to Defraud and obtain value

• Obtains anything of value

• Use of the computer as a thing of value

• This element is only satisfied if the value of such use is greater than $5,000

Page 159: Information Security

159

Accessing to Defraud and obtain value

• Obtains anything of value

• This condition will only be met in rare cases

• When the statute was written it was common for computer time to be rented

Page 160: Information Security

160

Accessing to Defraud and obtain value

• Obtains anything of value

• Data or information as a thing of value

• (a)(4) has no minimum dollar amount

• (a)(5) does have such a minimum dollar amount

Page 161: Information Security

161

Accessing to Defraud and obtain value

• Obtains anything of value

• Data or information as a thing of value

• Legislative history suggests that some computer data or information alone is not valuable enough to qualify

Page 162: Information Security

162

Accessing to Defraud and obtain value

• Obtains anything of value

• Data or information as a thing of value

• If all that is obtained are the results of port scans, or the names and IP addresses of other servers, it may not count as something of value

Page 163: Information Security

163

Accessing to Defraud and obtain value

• Obtains anything of value

• U.S. vs. Czubinski (1997)

• case turned on the specific facts

• the court’s discussion can be instructive

Page 164: Information Security

164

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• Czubinski employed as a Contact Representative in the Boston office of the Taxpayer Services Division of the IRS

• Czubinski routinely accessed taxpayer-related information from an IRS computer system

Page 165: Information Security

165

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• Czubinski accessed IRS computers using a valid password

• IRS rules plainly forbid employees to access taxpayer files outside the course of their official duties

Page 167: Information Security

167

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• Based on these actions, Czubinski was indicted and convicted for wire fraud and computer fraud

Page 168: Information Security

168

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• On appeal, Czubinski argued that his conviction for violating section 1030(a)(4) should be overturned

• He did not obtain anything of value

• The First Circuit agreed with Czubinski

Page 169: Information Security

169

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• The First Circuit stated that the value of the information is relative to one’s needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme

Page 170: Information Security

170

Accessing to Defraud and obtain value

• U.S. vs. Czubinski (1997)

• The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity
