Information Security
Information Security: Legal Considerations
Dr. Randy Kaplan
Computer Crime
• Legal Considerations
• Law enforcement has always lagged behind technology
• The computer offers a new venue for committing crimes - one that is almost unlimited
Computer Crime
• Legal Considerations
• In the history of the Computer Fraud and Abuse Act, 1980 is considered the “dawn of the computer age.”
• There are documented cases of computer crime as far back as 1960
Computer Crime
• 1984
• Comprehensive Crime and Control Act of 1984
• Provisions to address unauthorized access and use of computers and computer networks
• Congress wanted to provide a “clearer statement” of this activity
Computer Crime
• This clarification was for -
• Law enforcement
• Those who own and operate computers
• Those who may be tempted to commit crimes by unauthorized access
Computer Crime
• Consider the environment at the time
• Mainframe (large scale computers) still prevalent
• Lots of minicomputers
• 2 years after the IBM PC was introduced - MS-DOS was the operating system of the day
Computer Crime
• Most computer crime of the day consisted of gaining access to computer systems to -
• use data contained on these computers to the perpetrator’s advantage
• do damage
• simply have access to the computer resource
Computer Crime
• Congress made it a felony to access classified information in a computer without authorization
• Access to financial records or credit histories stored in a financial institution was a misdemeanor
• It was also a misdemeanor to trespass into a government computer
Computer Crime
• Congress did not add these provisions to existing laws
• Rather, they created a new statute, 18 U.S.C. Section 1030.
Computer Crime
• After Section 1030 was enacted -
• Congress continued to investigate problems associated with computer crime to determine whether federal laws required revision
• Throughout 1985 both the House and Senate held hearings on potential computer crime bills
Computer Crime
• In 1986, the work of Congress culminated in the Computer Fraud and Abuse Act (CFAA)
• Enacted in 1986
• Amended 18 U.S.C. Section 1030
CFAA
• Congress attempted to strike a balance
• Federal government’s interest in computer crime
• Interest of States to proscribe and punish these offenses
CFAA
• Congress addressed federalism concerns
• Limit federal jurisdiction
• Only cases with a compelling federal interest
• Where the computers of the federal government or certain financial institutions are involved or -
CFAA
• the crime itself is interstate in nature
CFAA
• The CFAA clarified a number of provisions in the original section 1030
• Criminalized additional computer-related acts
Damage or Destruction of Data
• Penalize those who intentionally damage or destroy data belonging to others
• Penalize theft of property via computer that occurs as part of a scheme to defraud
Damage or Destroy
• Penalize those who intentionally damage or destroy data belonging to others
• Covers activities like:
• Denial-of-service attacks
• Distribution of malicious code
Password Trafficking
• Congress also included a provision criminalizing the trafficking of passwords and similar items
Amendments
• CFAA amended
• 1988
• 1989
• 1990
• 1994
• 1996
• 2001
• 2002
Types of Criminal Activities
• CFAA identifies seven types of criminal activities
• Obtaining National Security Information
• Compromising the confidentiality of a computer
• Trespassing in a Government computer
Types of Criminal Activities
• CFAA identifies seven types of criminal activities
• Accessing a Computer to defraud and obtain value
• Knowing Transmission and Intentional Damage
• Intentional Access and Reckless Damage
Types of Criminal Activities
• CFAA identifies seven types of criminal activities
• Intentional Access and Damage
• Trafficking of Passwords
• Extortion Involving Threats to Damage Computer
Civil Action
• The CFAA allows victims who suffer specific types of loss or damage to bring, under certain circumstances, a civil action for compensatory damages and injunctive or other equitable relief
Key Terms
• Two terms are common to most prosecutions under section 1030
• Protected Computer
• Authorization
Protected Computer
• “protected computer”
• a statutory term of art that has nothing to do with the security of the computer
Protected Computer
• “protected computer”
• protected computer refers to computers that are used in interstate or foreign commerce (e.g. Internet) and computers of the federal government and financial institutions
Protected Computer
• “protected computer”
• did not appear in the CFAA until 1996
• Congress was attempting to correct deficiencies identified in earlier versions of the statute
Protected Computer
• “protected computer”
• In 1994 Congress amended the CFAA
• Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer”
Protected Computer
• “protected computer”
• Protect any computer used in interstate commerce or communication as opposed to a “Federal Interest Computer”
• Expands the scope of the act
• Include certain non-governmental computers
Protected Computer
• “protected computer”
• The 1994 amendment inadvertently removed protections for government and financial institution computers that were not used in interstate commerce
Protected Computer
• “protected computer”
• In 1996 “protected computer” defined as
• a computer used by the federal government or financial institution OR
• a computer used in interstate or foreign commerce
Protected Computer
• “protected computer”
• This definition did not explicitly cover -
• an attacker within the U.S. attacks a computer system located abroad
• individuals in a foreign country routing communications through the U.S. as they hacked abroad
Authorization
• Criminal offenses will usually involve
• access without authorization
• exceed authorized access
• The term “without authorization” is not defined in the Act
• One court found its meaning to be elusive
“Exceeds Authorized Access”
• Defined by the CFAA
• To access a computer with authorization
• Use this access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter
Insiders
• The legislative history of the CFAA reflects an expectation
• Persons who exceed authorized access are likely to be insiders
• Persons who act without authorization are likely to be outsiders
Insiders
• As a result of this expectation -
• Congress restricted the circumstances under which an insider could be held liable for violating section 1030
Insiders
• “Insiders who are authorized to access a computer, face criminal liability only if they intend to cause damage to the computer, not for recklessly or negligently causing damage.”
Outsiders
• Breaking into a computer
• can be punished for any intentional, reckless, or other damage they cause by their trespass
Outsiders
• Have no rights to use a protected computer system and should therefore be subject to a wider range of criminal prohibitions
• Those who act without authorization can be convicted under any of the access offenses contained in the CFAA
Authorization
• The universe of individuals who lack any authorization to access a computer is relatively easy to define
• Determining whether individuals who possess some legitimate authorization to access a computer have exceeded that authorized access may be more difficult
Exceeds Authorized Access
• To access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter
Scope of Authorization
• Hinges upon the facts of each case
• Simple prosecution -
• a defendant without authorization to access a computer may intentionally bypass a technological barrier that prevented her from obtaining information on a computer network
Scope of Authorization
• Many cases will involve exceeding authorized access
• Establishing the scope of authorized access will be more complicated
• The extent of authorization may depend on an employment agreement
Scope of Authorization
• May depend on
• terms of service notice
• log-on banner outlining the permissible purposes for accessing a computer or computer network
Scope of Authorization
• In one case
• an insider
• with limited authorization to use a system
• strayed far beyond the bounds of his authorization
• The court treated him as acting without authorization
Scope of Authorization
• United States vs. Morris
• Convicted under a previous version of Section 1030(a)(5) which punished “intentionally accessing a Federal interest computer without authorization.”
Morris’s Crime
• Created an Internet program known as a worm which spread to computers across the country and caused damage
• To enable the worm to spread, Morris exploited vulnerabilities in two processes he was authorized to use - sendmail and fingerd
Morris’s Appeal
• Morris argued that because he had authorization to engage in certain activities, such as sending electronic mail on some university computers, he merely exceeded authorized access rather than having gained unauthorized access
Morris’s Appeal
• The Second Circuit rejected Morris’ argument on three grounds
• (1) It held that the fact that the defendant had authorization to use certain computers on a network did not insulate his behavior when he gained access to other computers that were beyond his authorization
Morris’s Appeal
• Congress did not intend an individual’s access to one federal interest computer to protect him from prosecution no matter what other federal interest computers he accesses
Morris’s Appeal
• (2) The court held that although Morris may have been authorized to use certain generally available functions - such as email or user query services on the system victimized by the worm
Morris’s Appeal
• Morris misused that access in such a way as to support a finding that his access was unauthorized
Morris’s Appeal
• The court wrote:
• Morris did not use either of those features in any way related to their intended function
• He did not send or read mail nor discover information about other users
Morris’s Appeal
• He found holes in both programs that permitted him a special and unauthorized access route into other computers
Morris’s Appeal
• Lastly,
• The court held that even assuming the defendant’s initial insertion of the worm exceeded his authorized access
• Evidence demonstrated that the worm was designed to spread to other computers and gain access to those computers without authorization
Authorization
• Authorization is a fluid concept
• Even when authorization exists, it can be withdrawn or it can lapse
• A court may invoke agency law to determine whether a defendant possessed or retained authorization to access a computer
Sidebar
• Agency Law pertains to the law that applies when an agent is authorized to act on behalf of another
Shurgard
• Employees were found to have acted without authorization when they accessed their employer’s computers to appropriate trade secrets for the benefit of a competitor
Shurgard
• The court applied principles of agency law
• It concluded that the employees’ authorized access to the employer’s computer ended when they became agents of the competitor
Authorization
• It makes some sense to avoid the authorization requirement when charging a criminal given the fluidity of its definition
Obtaining National Security Information
• Infrequently used
• Punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient or willfully retaining the information
Section 1030(a)(1)
Whoever - (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully
Section 1030(a)(1)
communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it …
shall be punished as provided in subsection (c) of this section.
Computer Access
• Knowingly access a computer without or in excess of authorization
• Proof that the defendant knowingly accessed a computer without authorization or in excess of authorization
Computer Access
• Covers -
• Completely unauthorized individuals who intrude into a computer containing national security information
• Also insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access
Obtain National Security Information
• Requires that the information obtained is national security information
• For example - information from a defense department or department of energy computer
Injure the U.S.
• Requires proof that the defendant has reason to believe that the national security information obtained could be used to the injury of the U.S. or to the advantage of any foreign nation
Injure the U.S.
• National security information is classified +
• Defendant knows that the information is classified =
• Sufficient to establish the offense
Willful
• Communication, Delivery, Transmission, or Retention
• In order to prove this the defendant must have -
• communicated, delivered, or transmitted to any person not entitled to receive it
Willful
• In order to prove this the defendant must have -
• communicated, delivered, or transmitted to any person not entitled to receive it
• attempted to communicate …
• caused it to be communicated …
• willfully retained ...
Penalties
• Punishable by a fine, imprisonment for not more than 10 years, or both
• A second violation is punishable by a fine, imprisonment for not more than 20 years or both
Charges
• Rarely occurs
• Lack of prosecution may be because of the similarity between 1030(a)(1) and 793(e)
• In a situation where both are applicable, prosecutors may tend towards 793(e) for which guidance and precedent are more prevalent
Charges
• However -
• Leandro Aragoncillo
• FBI intelligence analyst
• Ft. Monmouth Information Technology Center
• Charged with section 1030(a)(1) violation
Charges
• However -
• Admitted that he had used his FBI computer to access classified documents
• Used FBI’s automated case system
• Transmitted information to former and current officials of the Philippine government
1030(a)(1) and 793(e)
• Overlap but,
• Do not reach exactly the same conduct
• Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and
1030(a)(1) and 793(e)
• thereby obtained national security information and
• subsequently performed some unauthorized communication or other improper act with that data
1030(a)(1) and 793(e)
• 1030(a)(1) focuses on -
• possession
• control
• subsequent transmission
• of information as does 793(e)
• but also
1030(a)(1) and 793(e)
• focuses on the improper use of a computer to obtain the information itself
1030(a)(1) and 793(e)
• Existing espionage laws like 793(e)
• provide solid ground for prosecution of individuals that attempt to peddle information to foreign governments
1030(a)(1) and 793(e)
• If a computer is involved in the process of obtaining, communicating, or transmitting the information, then
• Prosecutors should consider charging a violation of section 1030(a)(1)
Section 808 of the USA Patriot Act
• Added section 1030(a)(1) to the list of crimes that are considered to be “Federal Crime[s] of Terrorism” under 18 U.S.C. Section 2332b(g)(5)(B)
• This addition affects prosecutions under 1030(a)(1) in three ways
Section 808 of the USA Patriot Act
• Statute of limitation for (a)(1) now extended to 8 years
• Statute of limitation is eliminated for offenses that resulted in, or created a foreseeable risk of, death or serious bodily injury to another person
Section 808 of the USA Patriot Act
• Second
• Term of supervised release after imprisonment for any offense that resulted in or created foreseeable risk of death or serious bodily injury of another person can be any term of years or life
• Formerly for 1030(a)(1) this term was 5 years
Section 808 of the USA Patriot Act
• Third -
• Any offenses under section 2332b(g)(5)(B) are added to 18 U.S.C. Section 1961(1), making them predicate offenses for prosecution under the Racketeer Influenced and Corrupt Organizations Act (RICO)
Section 808 of the USA Patriot Act
• Third -
• As a result, any RICO enterprise (which may include terrorist groups) that carries out acts of cyberterrorism in violation of 1030(a)(1) can now be prosecuted under the RICO statute
Compromising Confidentiality
• 1030(a)(2)
• Punishes unauthorized access of different types of information and computers
• Violations of this section are misdemeanors unless aggravating factors exist
Compromising Confidentiality
• 1030(a)(2)
• Some intrusions may violate more than one subsection
• Example -
• a computer intrusion into a federal agency’s computer might be covered under at least two subsections
Compromising Confidentiality
• 1030(a)(2)
• No monetary threshold for a violation
• Recognizes the fact that some invasions of privacy do not lend themselves to monetary valuation
• Still warrant federal protection
Compromising Confidentiality
• Examples
• Downloading sensitive personnel information from a company’s computer via an interstate communication
• Gathering personal data from the National Crime Information Center would both be serious violations of privacy
Compromising Confidentiality
• Examples
• These do not lend themselves to a dollar valuation of the damage
Compromising Confidentiality
• Even though there is no monetary threshold under 1030(a)(2),
• the value of the information obtained is important when determining whether a violation constitutes a misdemeanor or felony
Compromising Confidentiality
Title 18, United States Code, Section 1030(a)(2) provides:
Whoever– (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 68 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication ...
shall be punished as provided in subsection (c) of this section.
Compromising Confidentiality
• Intentionally Access a Computer
• Requires that the defendant actually be the one to access a computer without authorization rather than merely receive information that was accessed
Compromising Confidentiality
• Example
• If A obtains information in violation of 1030(a)(2) and forwards it to B, B has not violated this section even if B knew the source of the information
Compromising Confidentiality
• Obtained Information
• expansive term
• includes viewing information without downloading or copying
Compromising Confidentiality
• Obtained Information
• Information stored electronically can be obtained not only by actual theft but by mere observation of the data
Compromising Confidentiality
• Obtained Information
• The crux of the offense under subsection 1030(a)(2)(C) … is the abuse of a computer to obtain the information
Compromising Confidentiality
• Obtained Information
• Information includes intangible goods
• This issue was raised by the Tenth Circuit’s decision in U.S. vs Brown
Compromising Confidentiality
• Obtained Information
• In Brown the appellate court held that purely intangible intellectual property, such as a computer program, did not constitute goods or services that can be stolen or converted
Compromising Confidentiality
• Obtained Information
• In 1996, amendments to section 1030(a)(2) would “ensure that the theft of intangible information by the unauthorized use of a computer is prohibited in the same way theft of physical items are protected”
Compromising Confidentiality
• Financial Institution or Consumer Reporting Agency
• To prove a violation of section 1030(a)(2)(A), obtaining information related to the Fair Credit Reporting Act (FCRA), the violation must be willful.
Compromising Confidentiality
• Financial Institution or Consumer Reporting Agency
• To prove willfulness under the FCRA, the government must show that the defendant knowingly and intentionally committed an act in conscious disregard for the rights of a consumer
Compromising Confidentiality
• Department or Agency of the United States
• No court has addressed -
• whether a company working as a private contractor for the government constitutes a “department or agency of the United States”
Compromising Confidentiality
• Department or Agency of the United States
• The argument that private contractors are intended to be covered by this section may be undercut by section 1030(a)(3)
Compromising Confidentiality
• Department or Agency of the United States
• 1030(a)(3) includes language permitting prosecution of trespass into government systems and non-government systems, if ...
Compromising Confidentiality
• Department or Agency of the United States
• if such conduct affects that use by or for the Government of the United States
• The existence of this language suggests that if Congress had intended to extend the reach of 1030(a)(2) it would have done so
Compromising Confidentiality
• Protected Computer
• defined in section 1030(e)(2) and was discussed previously
Compromising Confidentiality
• A violation of this section must involve an actual interstate or foreign communication and not merely the use of an interstate communication mechanism
• The intent of this subsection is to protect against the interstate or foreign theft of information by computer
Compromising Confidentiality
• It is not to give federal jurisdiction over all circumstances in which someone unlawfully obtains information via a computer
• Using the Internet or connecting by telephone to a network may not be sufficient to charge a violation of this subsection
Compromising Confidentiality
• Penalties
• Misdemeanor
• Punishable by a fine or a one-year prison term unless aggravating factors apply
Compromising Confidentiality
• Penalties
• A felony if -
• committed for commercial advantage or private financial gain
• committed in furtherance of any criminal or tortious act in violation of the Constitution or
Compromising Confidentiality
• Penalties
• A felony if -
• committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the U.S. or of any state, or
• the value of the information obtained exceeds $5000
Compromising Confidentiality
• Penalties
• A felony if -
• Punishable by a fine, up to five years’ imprisonment, or both
Trespassing in a Government Computer
• 18 U.S.C. Section 1030(a)(3)
• Protects against “trespasses” by outsiders into federal government computers -
• even when no information is obtained during such trespasses
Trespassing in a Government Computer
• Section 1030(a)(2) applies to many of the same cases in which section 1030(a)(3) could be charged
• In these cases, section 1030(a)(2) may be the preferred charge
• This is because a first offense may be charged as a felony if certain aggravating factors are present
Trespassing in a Government Computer
Title 18, United States Code, Section 1030(a)(3) provides:
Whoever– (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States … shall be punished as provided in subsection (c) of this section.
Trespassing in a Government Computer
• Intentionally Access
• The meaning of this term under this section is identical to the meaning under section 1030(a)(2)
Trespassing in a Government Computer
• Without Authorization
• By requiring that the defendant act without authorization to the computer, section 1030(a)(3) does not criminalize merely exceeding authorized access to a computer
Trespassing in a Government Computer
• Without Authorization
• section 1030(a)(3) does not apply to situations in which employees merely “exceed authorized access” to computers in their own department
Trespassing in a Government Computer
• Without Authorization
• Congress also offered that section 1030(a)(3) applies “where the offender’s act of trespass is interdepartmental in nature”
Trespassing in a Government Computer
• Nonpublic Computer of the United States
• Nonpublic includes most government computers
• But not Internet servers that, by design, offer services to members of the general public
Trespassing in a Government Computer
• Nonpublic Computer of the United States
• Example
• A government agency’s database server is probably nonpublic while the same agency’s web servers and domain name servers are “public”
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• Demonstrating that the attacked computer is affected by an intrusion should be simple
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• Almost any network intrusion
• affects the government’s use of its computers
• because ...
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• because any intrusion potentially affects the confidentiality and integrity of the government’s network
• often requires substantial measures to reconstitute the network
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• In Sawyer vs. Department of Air Force
• It was not necessary to demonstrate that the intruder obtained any information from the computer or,
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• In Sawyer vs. Department of Air Force
• that the intruder’s trespass damaged any information from the computer
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• In Sawyer vs. Department of Air Force
• It is not even necessary to show that the intruder’s conduct “adversely” affected a government’s computer
Trespassing in a Government Computer
• Affected U.S.’s Use of Computer
• Under 1030(a)(3) there are no benign intrusions into government computers
Trespassing in a Government Computer
• Penalties
• Violations of this subsection are punishable by -
• a fine and
• up to one year in prison unless …
Trespassing in a Government Computer
• Penalties
• Violations of this subsection are punishable by -
• the individual has been previously convicted of a 1030 offense
• In this case the punishment increases to a maximum of 10 years in prison
Trespassing in a Government Computer
• Relationship to other statutes
• not charged often
• 1030(a)(2) applies in many of the same cases
• 1030(a)(2) may be preferred because sentencing enhancements sometimes allow 1030(a)(2) to be charged as a felony on the first offense
Accessing to Defraud and obtain value
• 1030(a)(4)
• When deciding how to charge a computer hacking case, prosecutors should consider 1030(a)(4) as an alternative to 1030(a)(2) where evidence of fraud exists
Accessing to Defraud and obtain value
• 1030(a)(4)
• This section is a felony
• (a)(2) is a misdemeanor unless certain aggravating factors apply
Accessing to Defraud and obtain value
• Prosecutors may also want to consider charges under the wire fraud statute
• Section 1343 requires proof of many elements similar to those needed for section 1030(a)(4)
• Carries stiffer penalties
Accessing to Defraud and obtain value
Title 18, United States Code, Section 1030(a)(4) provides:
Whoever– (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period … shall be punished as provided in subsection (c) of this section.
Accessing to Defraud and obtain value
• With Intent to Defraud
• not defined by 1030
• little case law under 1030 exists as to its meaning
• interpretation of phrase an issue for the courts
Accessing to Defraud and obtain value
• With Intent to Defraud
• might require proof of “common law fraud”
• or may allow proof of dishonesty or wrongdoing to suffice
Accessing to Defraud and obtain value
• With Intent to Defraud
• Common Law Fraud
• false representation
• in reference to a material fact
• made with knowledge of falsity
• with intent to deceive and
Accessing to Defraud and obtain value
• With Intent to Defraud
• Common Law Fraud
• with intent to deceive and
• action taken in reliance upon the representation
Accessing to Defraud and obtain value
• With Intent to Defraud
• “to defraud”
• Supreme Court rejected notion -
• every scheme or artifice
• calculated to injure or deprive
Accessing to Defraud and obtain value
• With Intent to Defraud
• “to defraud”
• of property wrongfully
• constitutes fraud
• (Fasulo v. U.S. 1926)
Accessing to Defraud and obtain value
• Broader alternative can be found in Shurgard Storage Centers v Safeguard Self Storage, Inc. (2000)
Accessing to Defraud and obtain value
• Civil case involving 1030(a)(4)
• Court favored an expansive interpretation of “intent to defraud”
• Denies motion to dismiss by defendant
Accessing to Defraud and obtain value
• Court holds that the word fraud simply means wrongdoing
• Does not require proof of the elements of common law fraud
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• Unauthorized or exceeding access can further a fraud in several ways
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• defendant alters or deletes records on a computer
• receives something of value from an individual
• individual relies on the accuracy of the altered or deleted records
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• U.S. vs Butler (2001)
• Defendant altered credit reporting agency’s records to improve credit ratings of his coconspirators
• Coconspirators used improved credit ratings to purchase goods
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• U.S. vs. Sadolsky (2000)
• Used employer’s computer to credit amounts for returned merchandise to his personal credit card
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• defendant obtains information from a computer
• uses information to commit fraud
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• U.S. vs Lindsley (2001)
• Defendant accessed a telephone company’s computer without authorization
• obtained calling card numbers
• used numbers to make free long distance calls
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• defendant uses computer to produce falsified documents
• documents are later used to defraud
Accessing to Defraud and obtain value
• Access furthered the intended fraud
• U.S. vs. Bae
• Defendant used a lottery terminal to produce back-dated tickets with winning numbers
• Turned those tickets in to collect lottery prizes
Accessing to Defraud and obtain value
• Obtains anything of value
• easily met if the defendant obtained money, cash, or a good or service with measurable value
Accessing to Defraud and obtain value
• Obtains anything of value
• More complex issues
• Defendant obtains only the use of a computer
• Defendant obtains only information
Accessing to Defraud and obtain value
• Obtains anything of value
• Use of the computer as a thing of value
• The statute recognizes that the use of a computer can constitute a thing of value
Accessing to Defraud and obtain value
• Obtains anything of value
• Use of the computer as a thing of value
• This element is only satisfied if the value of such use is greater than $5,000
Accessing to Defraud and obtain value
• Obtains anything of value
• This condition will only be met in rare cases
• When the statute was written it was common for computer time to be rented
Accessing to Defraud and obtain value
• Obtains anything of value
• Data or information as a thing of value
• (a)(4) has no minimum dollar amount
• (a)(5) does have such a value
Accessing to Defraud and obtain value
• Obtains anything of value
• Data or information as a thing of value
• Legislative history suggests that some computer data or information alone is not valuable enough to qualify
Accessing to Defraud and obtain value
• Obtains anything of value
• Data or information as a thing of value
• If all that is obtained are the results of port scans, or the names and IP addresses of other servers, it may not count as something of value
Accessing to Defraud and obtain value
• Obtains anything of value
• U.S. vs. Czubinski (1997)
• case turned on the specific facts
• the court’s discussion can be instructive
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• Czubinski was employed as a Contact Representative in the Boston office of the Taxpayer Services Division of the IRS
• Czubinski routinely accessed taxpayer-related information from an IRS computer system
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• Czubinski accessed IRS computers using a valid password
• IRS rules plainly forbid employees to access taxpayer files outside the course of their official duties
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• Based on these actions, Czubinski was indicted and convicted for wire fraud and computer fraud
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• On appeal, Czubinski argued that his conviction for violating section 1030(a)(4) should be overturned
• He did not obtain anything of value
• The First Circuit agreed with Czubinski
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• The First Circuit stated that the value of the information is relative to one’s needs and objectives; here, the government had to show that the information was valuable to Czubinski in light of a fraudulent scheme
Accessing to Defraud and obtain value
• U.S. vs. Czubinski (1997)
• The government failed, however, to prove that Czubinski intended anything more than to satisfy idle curiosity