Computer Crime - Carnegie Mellon University

Apple v. Samsung News
• All claims of Apple’s patent 7,844,915 (scroll v.
gesture) were found invalid when re-examined by the
Patent Office.
• On November 23, 2015, Apple appealed to the
Federal Circuit.
• On December 3, 2015, Samsung agreed to pay
Apple $548 million by December 14.
• However, Samsung may get a partial refund
depending on the result in the Federal Circuit.
LAW OF COMPUTER TECHNOLOGY
FALL 2015
COPYRIGHT © 2015 MICHAEL I. SHAMOS
Computer Crime
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research
School of Computer Science
Carnegie Mellon University
N.Y. Constitution, § 9.1
Computer Crime
• Interfering with the use of computers
– trespass into a computer system or database
– manipulation or theft of data
– sabotage of equipment and data
– extortion by threat to a computer system
• Using computers to commit other crimes
– harassment
– fraud
– hate crimes
– promoting terrorism
Civil v. Criminal Law Comparison
• Standard of proof
– Civil (tort): preponderance of the evidence
– Criminal: beyond reasonable doubt
• Penalty
– Civil (tort): money damages, injunction
– Criminal: fines, imprisonment
• Lawyers
– Civil (tort): private (parties hire their own attorneys)
– Criminal: public (public prosecutor, public defender)
Classification of Crimes
• An act can have both civil and criminal
consequences, e.g. O.J. Simpson:
acquitted of murder but liable for wrongful
death
• Felonies: serious crimes, punishable
by death or prison for more
than one (1) year and/or
fines.
• Misdemeanors: non-serious (petty) crimes
punishable by jail for less
than one (1) year and/or
fines.
Federal Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFAA)
• Electronic Communications Privacy Act of 1986
(ECPA)
• Electronic Espionage Act of 1996 (EEA)
• Communications Decency Act 1996 (CDS)
• Child Pornography Prevention Act (CPPA)
• Digital Millennium Copyright Act of 1998
• Children's Online Privacy Protection Act (COPPA)
• Health Insurance Portability And Accountability Act
(HIPAA)
• USA Patriot Act
• and others …
State Computer Crime Laws
• Often versions of federal laws where interstate
commerce is not involved (so federal prosecution
would not be possible)
• Specialized crimes
– spam (e.g. West Virginia)
– “deceiving a machine” Alaska Stat. §11.46.985
– computer trespass (Washington)
– tampering with an electronic voting machine (Texas)
– introduction of false data into a bank computer (Idaho)
– cyberstalking (Rhode Island)
Criminal Jurisdiction
• When can a state exercise criminal jurisdiction?
– Conduct in the state that is an element of the offense
– Conduct outside that is an attempt to commit inside
– Conduct outside that is conspiracy to commit inside the
state + an overt act in the state
– Omission to perform a legal duty imposed by the state
– Offense is based on a state statute that prohibits
conduct outside the state that bears a reasonable
relation to a legitimate interest of the state and the
actor knows or should know that his conduct is likely to
affect that interest.
18 Pa. C.S. § 102
Hageseth v. Sup. Ct of San Mateo,
Cal. App. (1st Dist., May 21, 2007)
• Hageseth was a licensed physician in Colorado
• McKay, a California resident, visited
www.usanetrx.com, an online pharmacy, and
ordered generic Prozac, a prescription drug
• usanetrx is located outside the U.S.
• McKay was asked to fill out an online questionnaire
about his health
• The answers were sent to JRB Health Solutions
which had headquarters in Florida and a server in
Texas
• JRB forwarded the answers to Hageseth in Colorado
• Hageseth reviewed the answers and issued an online
prescription to JRB’s server in Texas
• JRB sent the prescription to Gruich Pharmacy in
Mississippi, which mailed the drug to McKay in
California
• McKay took the drug, drank alcohol and committed
suicide by carbon monoxide poisoning
• Investigation revealed the drug in his blood
• Hageseth was charged in California with practicing
medicine without a license, a felony
• At all material times, Hageseth was in Colorado and
never communicated with anyone in California
• Hageseth moved to dismiss for lack of personal
jurisdiction over him
• [NOTE: the question here is NOT whether he
practiced medicine in California without a license, but
whether California has jurisdiction to try him. He
might not be found guilty.]
• The appeals court refused to dismiss the case
• Commission of a public offense within California,
commenced outside the state, consummated within
its boundaries by someone outside the state, creates
liability for punishment
• The Court of Appeals relied on the “detrimental effect”
theory of jurisdiction, articulated by Justice Holmes, in
Strassheim v. Daily, 221 U.S. 280 (1911):
• “If … Daily did the acts that led Armstrong to betray
his trust, … and induced by fraud the payment by the
State, the usage of the civilized world would warrant
Michigan in punishing him, although he never had set
foot in the State until after the fraud was complete.
Acts done outside a jurisdiction, but intended to
produce and producing detrimental effects within it,
justify a State in punishing the cause of the harm as if
he had been present at the effect, if the State should
succeed in getting him within its power.”
Strict Construction
• Problem: criminal statutes are “strictly construed.”
• If the act is not expressly made criminal by statute, it
is not criminal (exception: “common law crimes,” like
murder)
• The words of a criminal statute are not expanded to
cover related or analogous behavior (Soviet Union
has a “law of analogy”)
Commonwealth v. Lund
• Lund was charged with the theft of keys, computer cards,
computer printouts and using computer time without authority
at Virginia Polytechnic Institute (VPI)
• Statute reads: “Any person who: … commits simple larceny
not from the person of another of goods and chattels of the
value of $100 or more, shall be deemed guilty of grand
larceny …”
• Lund was found guilty at trial
• He appealed on the grounds that computer time is not
“goods” or “chattels”
• Virginia Supreme Court agreed. 232 N.E.2d 745 (Va. 1977)
• “The phrase "goods and chattels" cannot be interpreted to
include computer time and services in light of the often
repeated mandate that criminal statutes must be strictly
construed.”
Can Software Commit a Crime?
• Jayson Reynoso wanted to declare bankruptcy
• To save legal costs, he licensed a program from
Frankfort Digital Services that prepared bankruptcy
forms for $219
• Reynoso used Frankfort’s “Ziinet Bankruptcy Engine”
to prepare his bankruptcy filing
• Frankfort advertised that:
“Ziinet is an expert system and knows the law. Unlike
most bankruptcy programs which are little more than
customized word processors the Ziinet engine is an expert
system. It knows bankruptcy laws right down to those
applicable to the state in which you live. Now you no
longer need to spend weeks studying bankruptcy laws.”
In re Reynoso
• Where the bankruptcy forms provided a space for the
signature and social security number of any non-attorney
petition preparer, the software generated the
response: “Not Applicable.”
• The bankruptcy trustee found errors in the forms and
learned that Reynoso had used Ziinet
• The trustee began legal proceedings against
Frankfort (One of many around the country, as it
turned out)
• The bankruptcy court found that Frankfort, through its
software, was a petition preparer, imposed fines and
enjoined further use of Ziinet
In re Reynoso
477 F.3d 1117 (9th Cir. 2007)
• Frankfort appealed to the 9th Circuit, arguing that
“creation and ownership of a software program used
by a licensee to prepare his or her bankruptcy forms
is not preparation of a document for filing under the
statute”
• The appeals court stated, “We hold that the software
at issue in this case qualifies as such”
• “Frankfort’s system touted its offering of legal advice
and projected an aura of expertise concerning
bankruptcy petitions; and, in that context, it offered
personalized – albeit automated – counsel. … We
find that because this was the conduct of a non-attorney,
it constituted the unauthorized practice of
law.”
People ex rel. Vacco v. World
Interactive Gaming Corp. et al.
• “ex rel.” (ex relatione, upon relation) means
“acting through.” Vacco was the NY Attorney General
• no lottery or … book-making, or any other kind of
gambling, … except pari-mutuel betting on horse races
as may be prescribed by the legislature … shall
hereafter be authorized or allowed within this state.
NY Const. Art. 1, Sec. 9
• World Interactive Gaming Corp. (WIGC) is a Delaware
corp. with offices in NY.
• Golden Chips Casino, Inc. (GCC) is an Antigua corp.
wholly owned by WIGC.
• GCC operated an Internet casino using servers in
Antigua.
• GCC advertised in the US; ads were seen in NY
• Users had to enter a home address; GCC checked for
Nevada
• Users transferred money to a bank in Antigua. They could
gamble. Gambling is legal in Antigua.
• NYers could gamble by lying about their address
• NY Attorney General sought an injunction against WIGC,
GCC to stop their activities
• Held, NY has jurisdiction. When New Yorkers transfer
money to GCC, they are gambling in NY. Doesn’t matter
where GCC is.
• "traditional jurisdictional standards have proved to be
sufficient to resolve all civil Internet jurisdictional issues"
• Injunction issued
714 N.Y.S.2d 844 (N.Y.Sup. 1999)
Computer Fraud and Abuse Act
• Prohibits certain acts against “protected computers”
that affect interstate commerce. 18 U.S.C. § 1030.
• “protected computer” means a computer
– exclusively for the use of a financial institution or the
United States Government … ; or
– which is used in interstate or foreign commerce or
communication
• including a computer located outside the United
States that is used in a manner that affects
interstate or foreign commerce or communication of
the United States
• Also provides for a civil action (private lawsuit) by
anyone injured by a violation
What’s a Computer?
• an “electronic, magnetic, optical, electrochemical, or
other high speed data processing device performing
logical, arithmetic, or storage functions, and includes
any data storage facility or communications facility
directly related to or operating in conjunction with
such device, but such term does not include an automated
typewriter or typesetter, a portable hand held
calculator, or other similar device.”
18 U.S.C. §1030(e)
Acts Prohibited on Protected
Computers, 18 U.S.C. §1030
• OBTAINING INFORMATION
Accessing a computer without authorization or
exceeding authorized access, and obtaining
• information contained in a financial record of a
financial institution;
• information from any department or agency of the
United States; or
• information from any protected computer if the
conduct involved an interstate or foreign
communication;
• USE IN FRAUD
Knowingly and with intent to defraud, accessing a
protected computer without authorization, or
exceeding authorized access, to further the intended
fraud and obtain anything of value, unless the object
of the fraud and the thing obtained consists only of
the use of the computer and the value of such use is
not more than $5,000 in any 1-year period
• crimes investigated by FBI and Secret Service
• PA: “Unlawful use of computer” 18 Pa. C.S. § 3933
• DAMAGING A COMPUTER
• knowingly causing the transmission of a program,
information, code, or command, and as a result of
such conduct, intentionally causing damage without
authorization, to a protected computer;
• intentionally accessing a protected computer without
authorization, and as a result of such conduct,
causing damage
• “damage” means any impairment to the integrity or
availability of data, a program, a system, or
information (covers viruses, denial of service)
CFAA as a Civil Tool
• PharMerica, Inc. v. Arledge (M.D. Fla. Mar. 21, 2007)
• PharMerica is a huge pharmaceutical company
• Arledge was a top member of its management team
• On March 9, 2007, Arledge resigned to become VP at
Omnicare, PharMerica’s main competitor
• Omnicare is three times the size of PharMerica
• Two days before leaving, Arledge deleted 475 files from
his hard drive
• He copied the files to a USB drive and emailed them to
his own AOL account
Major Ideas
• Criminal statutes are strictly construed
• Computers can be used at a great distance to commit
crimes
• This causes jurisdictional problems if the original
statutes did not contemplate out-of-state acts
• In general, crimes committed by computer have been
treated jurisdictionally in the same manner as other
crimes
• The Computer Fraud and Abuse Act prohibits acts
against certain computer systems, particularly those
used in interstate commerce, e.g. the Internet
Q&A