Apple v. Samsung News • All claims of Apple’s patent 7,844,915 (scroll v. gesture) were found invalid when re-examined by the Patent Office. • On November 23, 2015, Apple appealed to the Federal Circuit. • On December 3, 2015, Samsung agreed to pay Apple $548 million by December 14. • However, Samsung may get a partial refund depending on the result in the Federal Circuit. LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Computer Crime Michael I. Shamos, Ph.D., J.D. Institute for Software Research School of Computer Science Carnegie Mellon University LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS N.Y. Constitution, § 9.1 Computer Crime • Interfering with the use of computers – trespass into a computer system or database – manipulation or theft of data – sabotage of equipment and data – extortion by threat to a computer system • Using computers to commit other crimes – harassment – fraud – hate crimes – promoting terrorism LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Civil v. Criminal Law Comparison Civil (Tort) Criminal Standard of proof Preponderance of the evidence Beyond reasonable doubt Penalty Money damages, injunction Fines, imprisonment Lawyers Private (parties hire their own attorneys) Public (public prosecutor, public defender) LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Classification of Crimes • An act can have both civil and criminal consequences, e.g. O.J. Simpson. Acquitted of murder but liable for wrongful death Felonies Misdemeanors Serious crimes, punishable by death or prison for more than one (1) year and/or fines. Non-serious (petty) crimes punishable by jail for less than one(1) year and/or fines. LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Federal Computer Crime Laws • Computer Fraud and Abuse Act of 1986 (CFAA) • Electronic Communications Privacy Act of 1986 (ECPA) • Electronic Espionage Act of 1996 (EEA) • Communications Decency Act 1996 (CDS) • Child Pornography Prevention Act (CPPA) • Digital Millennium Copyright Act of 1998 • Children's Online Privacy Protection Act (COPPA) • Health Insurance Portability And Accountability Act (HIPAA) • USA Patriot Act • and others … LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS State Computer Crime Laws • Often versions of federal laws where interstate commerce is not involved (so federal prosecution would not be possible) • Specialized crimes – – – – – – spam (e.g. West Virginia) “deceiving a machine” Alaska Stat. §11.46.985 computer trespass (Washington) tampering with an electronic voting machine (Texas) introduction of false data into a bank computer (Idaho) cyberstalking (Rhode Island) LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Criminal Jurisdiction • When can a state exercise criminal jurisdiction? – Conduct in the state that is an element of the offense – Conduct outside that is an attempt to commit inside – Conduct outside that is conspiracy to commit inside the state + an overt act in the state – Omission to perform a legal duty imposed by the state – Offense is based on a state statute that prohibits conduct outside the state that bears a reasonable relation to a legitimate interest of the state and the actor knows or should know that his conduct is likely to affect that interest. 18 Pa. C.S. § 102 LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Hageseth v. Sup. Ct of San Mateo, Cal. App. (1st Dist., May 21, 2007) • Hageseth was a licensed physician in Colorado • McKay, a California resident, visited www.usanetrx.com, an online pharmacy, and ordered generic Prozac, a prescription drug • usanetrx is located outside the U.S. • McKay was asked to fill out an online questionnaire about his health • The answers were sent to JRB Health Solutions which had headquarters in Florida and a server in Texas • JRB fowarded the answers to Hageseth in Colorado LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Hageseth v. Sup. Ct of San Mateo, Cal. App. (1st Dist., May 21, 2007) • Hageseth reviewed the answers and issued an online prescription to JRB’s server in Texas • JRB sent the prescription to Gruich Pharmacy in Mississippi, which mailed the drug to McKay in California • McKay took the drug, drank alcohol and committed suicide by carbon monoxide poisoning • Investigation revealed the drug in his blood • Hageseth was charged in California with practicing medicine without a license, a felony LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Hageseth v. Sup. Ct of San Mateo, • At all material times, Hageseth was in Colorado and never communicated with anyone in California • Hageseth moved to dismiss for lack of person jurisdiction over him • [NOTE: the question here is NOT whether he practiced medicine in California without a license, but whether California has jurisdiction to try him. He might not be found guilty.] • The appeals court refused to dismiss the case • Commission of a public offense within California, commenced outside the state, consummated within its boundaries by someone outside the state, creates liability for punishment Hageseth v. Sup. Ct of San Mateo, • The Court of Appeals relied on the “detrimental effect” theory of jurisdiction, articulated by Justice Holmes, in Strassheim v. Daily, 221 U.S. 280 (1911): • “If … Daily did the acts that led Armstrong to betray his trust, … and induced by fraud the payment by the State, the usage of the civilized world would warrant Michigan in punishing him, although he never had set foot in the State until after the fraud was complete. Acts done outside a jurisdiction, but intended to produce and producing detrimental effects within it, justify a State in punishing the cause of the harm as if he had been present at the effect, if the State should succeed in getting him within its power.” LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Strict Construction • Problem: criminal statutes are “strictly construed.” • If the act is not expressly made criminal by statute, it is not criminal (exception: “common law crimes,” like murder) • The words of a criminal statute are not expanded to cover related or analogous behavior (Soviet Union has a “law of analogy”) LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Commonwealth v. Lund • Lund was charged with the theft of keys, computer cards, computer printouts and using computer time without authority at Virginia Polytechnic Institute (VPI) • Statutes reads: “Any person who: … commits simple larceny not from the person of another of goods and chattels of the value of $100 or more, shall be deemed guilty of grand larceny …" • Lund was found guilty at trial • He appealed on the grounds that computer time is not “goods” or “chattels” • Virginia Supreme Court agreed. 232 N.E.2d 745 (Va. 1977) • “The phrase "goods and chattels" cannot be interpreted to include computer time and services in light of the often repeated mandate that criminal statutes must be strictly construed.” Can Software Commit a Crime? • Jayson Reynoso wanted to declare bankruptcy • To save legal costs, he licensed a program from Frankfort Digital Services that prepared bankruptcy forms for $219 • Reynoso used Frankfort’s “Ziinet Bankruptcy Engine” to prepare his bankruptcy filing • Frankfort advertised that: “Ziinet is an expert system and knows the law. Unlike most bankruptcy programs which are little more than customized word processors the Ziinet engine is an expert system. It knows bankruptcy laws right down to those applicable to the state in which you live. Now you no longer need to spend weeks studying bankruptcy laws.” In re Reynoso • Where the bankruptcy forms provided a space for the signature and social security number of any nonattorney petition preparer, the software generated the response: “Not Applicable.” • The bankruptcy trustee found errors in the forms and learned that Reynoso had used Ziinet • The trustee began legal proceedings against Frankfort (One of many around the country, as it turned out) • The bankruptcy court found that Frankfort, through its software, was a petition preparer, imposed fines and enjoined further use of Ziinet LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS In re Reynoso 477 F.3d 1117 (9th Cir. 2007) • Frankfort appealed to the 9th Circuit, arguing that “creation and ownership of a software program used by a licensee to prepare his or her bankruptcy forms is not preparation of a document for filing under the statute” • The appeals court stated, “We hold that the software at issue in this case qualifies as such” • “Frankfort’s system touted its offering of legal advice and projected an aura of expertise concerning bankruptcy petitions; and, in that context, it offered personalized – albeit automated – counsel. … We find that because this was the conduct of a nonattorney, it constituted the unauthorized practice of law People ex rel. Vacco v. World Interactive Gaming Corp. et al. • “ex rel.” (ex relatione, upon relation) means “acting through.” Vacco was the NY Attorney General • no lottery or … book-making, or any other kind of gambling, … except pari-mutuel betting on horse races as may be prescribed by the legislature … shall hereafter be authorized or allowed within this state. NY Const. Art. 1, Sec. 9 • World Interactive Gaming Corp. (WIGC) is a Delaware corp. with offices in NY. • Golden Chips Casino, Inc. (GCC) is an Antigua corp. wholly owned by WIGC. • GCC operated an Internet casino using servers in Antigua. • GCC advertised in the US; ads were seen in NY Antigua LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS People ex rel. Vacco v. World Interactive Gaming Corp. et al. • Users had to enter a home address; GCC checked for Nevada • Users transferred money to a bank in Antigua. They could gamble. Gambling is legal in Antigua. • NYers could gamble by lying about their address • NY Attorney General sought an injunction against WIGC, GCC to stop their activities • Held, NY has jurisdiction. When New Yorkers transfer money to GCC, they are gambling in NY. Doesn’t matter where GCC is. • "traditional jurisdictional standards have proved to be sufficient to resolve all civil Internet jurisdictional issues" • Injunction issued 714 N.Y.S.2d 844 (N.Y.Sup. 1999) Computer Fraud and Abuse Act • Prohibits certain acts against “protected computers” that affect interstate commerce. 18 U.S.C. § 1030. • ''protected computer'' means a computer – exclusively for the use of a financial institution or the United States Government … ; or – which is used in interstate or foreign commerce or communication • including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States • Also provides for a civil action (private lawsuit) by anyone injured by a violation LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS What’s a Computer? • an “electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device. 18 U.S.C. §1030(e) LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Acts Prohibited on Protected Computers, 18 U.S.C. §1030 • OBTAINING INFORMATION Accessing a computer without authorization or exceeding authorized access, and obtaining • information contained in a financial record of a financial institution; • information from any department or agency of the United States; or • information from any protected computer if the conduct involved an interstate or foreign communication; LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Acts Prohibited on Protected Computers, 18 U.S.C. §1030 • USE IN FRAUD Knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, to further the intended fraud and obtain anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period • crimes investigated by FBI and Secret Service • PA: “Unlawful use of computer” 18 Pa. C.S. § 3933 LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Acts Prohibited on Protected Computers, 18 U.S.C. §1030 • DAMAGING A COMPUTER • knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization, to a protected computer; • intentionally accessing a protected computer without authorization, and as a result of such conduct, causing damage • “damage” means any impairment to the integrity or availability of data, a program, a system, or information (covers viruses, denial of service) LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS CFAA as a Civil Tool • • • • PharMerica, Inc. v. Arledge (M.D. Fla. Mar. 21, 2007) PharMerica is a huge pharmaceutical company Arledge was a top member of its management team On March 9, 2007, Arledge resigned to become VP at Omnicare, PharMerica’s main competitor • Omnicare is three times the size of PharMerica • Two days before leaving, Arledge deleted 475 files from his hard drive • He copied the files to a USB drive and emailed them to his own AOL account LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Major Ideas • Criminal statutes are strictly construed • Computers can be used at a great distance to commit crimes • This causes jurisdictional problems if the original statutes did not contemplate out-of-state acts • In general, crimes committed by computer have been treated jurisdictionally in the same manner as other crimes • The Computer Fraud and Abuse Act prohibits acts against certain computer systems, particularly those used in interstate commerce, e.g. the Internet LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS Q&A LAW OF COMPUTER TECHNOLOGY FALL 2015 COPYRIGHT © 2015 MICHAEL I. SHAMOS