11/28/2010 8:49:00 PM
Table of Contents
COMPUTER FRAUD AND ABUSE ACT .............................................................................................................. 2
ECONOMIC CRIMES ................................................................................................................................................ 5
THREATS AND HARASSMENT ............................................................................................................................ 6
VICE CRIMES ............................................................................................................................................................ 6
CHILD EXPLOITATION CRIMES ......................................................................................................................... 7
ENTRAPMENT/TRAVELER CASES .................................................................................................................... 7
SENTENCING GUIDELINES (PG 278 OF THE BOOK) ................................................................................... 8
4TH AMENDMENT.................................................................................................................................................... 8
ENCRYPTION ........................................................................................................................................................ 11
THE 4TH AMENDMENT IN THE NETWORK CONTEXT.............................................................................. 11
STATUTORY PRIVACY PROTECTIONS ......................................................................................................... 12
THE WIRETAP ACT (“TITLE III”) ................................................................................................................... 13
THE PEN REGISTER STATUTE ........................................................................................................................ 14
STORED COMMUNICATIONS ACT .................................................................................................................. 14
SCOPE OF FEDERAL POWER VS. STATE POWER ...................................................................................... 16
INTERNATIONAL COMPUTER CRIMES......................................................................................................... 17
FISA STUFF ............................................................................................................................................................ 19
Computer Fraud and Abuse Act

Access and Authorization
o Computer Access- two types
 Virtual- access when you get into the computer by user’s perception
 Physical- just visiting a website is access (majority view)
 Assume everything is access and focus on authorization
o Authorization

Three ways access can be unauthorized
 Circumventing code/ “code based”

Without Authorization- bypassing a wall by wrong
means, guessing a password, exploiting a weakness in a
program contrary to its intended use


The Authorization given applies to specific
computer/files and not the entire network
Contract violation

Unauthorized access can be defined by terms of service,
but are subject to the void for vagueness doctrine



Breach of duty of loyalty?
Limitations must be on what a person can obtain/alter,
but employers MUST limit use
Social Norms


Disloyal employee
7th Cir sys that breaching duty of loyalty to employer is
exceeding authorization (Nosal)

9th Cir- (Brekka) Adopts code based only- if you work
for the company, and use the computer to harm your
employer, that’s not exceeding access

The Computer Fraud and Abuse Act- 18 USC §1030
o (e) Definitions of key terms
 “Protected computer” is basically any computer now
 “Exceeds authorized access”- accessing a computer with authorization
and using that access to alter information that the person is not entitled
to obtain/alter

“Damage”- any impairment to the integrity/availability of the data,
program, system, or information
 “Loss”- any reasonable cost to any victim, including consequential
damages incurred because of interruption of service
 Must have a nexus to the intrusion
 Look at hours worked x hourly rate
o (a) Violations of the statute (based on trespass regime of unauthorized access)
 Prohibits access to a protected computer without authorization and/or
exceeding authorized access to a protected computer
 (1) Hacking to obtain classified government secrets

(2) Obtaining information plus unauthorized access

Obtaining information includes mere observation of the
data



Type of data is irrelevant
Protected computer is basically any computer
Normally a misdemeanor with one year max
punishment

Felony with 5 year max if
o Committed for commercial advantage/ private

commercial gain
o In furtherance of a criminal act OR
o Value of information exceeds $5,000
o Multiple convictions can trigger a felony
violation and up to 10 years in prison
(3) Trespass to US government computers

 Always a misdemeanor
 No requirement that any information be obtained
 Only for access without authorization
(4) Fraud

unauthorized access plus computer misuse that furthers
a fraud
o Property-based approach

This section doesn’t apply ONLY IF the object of the
fraud is the use of the computer and value of the use is
no more than $5,000.

(5) Computer misuse that results in damage and intentionally
damaging

Mens Rea- unauthorized access must be intentional, but
damages don’t have to be

(A) Knowingly causes damage without authorization
o Damage is the thing that is not authorized
 Sending something to the server
that causes damage
o Can be misdemeanor or felony

(B) Intentional access without authorization that
recklessly causes damages
o Doesn’t require loss
o Requires recklessly impairing integrity of
availability of information

(C) Intentional access without authorization that causes
damages and loss
o Strict liability beyond intentional access without
authorization
 Can only be a misdemeanor
o Requires impairing integrity or availability of
information and causing financial loss


(A) and (B) are a felony if
o $5000 or more of loss, physical injury,
modification of medical diagnosis, threat to
public health, US government computers for
administering justice, damage to 10 or more
computers.
(6) Password Trafficking

(7) Extortion

Prohibits extorting money or property by threats to
cause damage to computers
 5 year felony
o (b) Attempting to violate this statute is a crime as well
o (g) Authorizes civil lawsuits under this statute
Economic Crimes

General Property Crimes
o Theft/Fraud- taking with intent to permanently deprive
o Possessing stolen property- knowingly possessing property that is stolen
o Transporting stolen property- across state lines

Electronic Espionage Act
o Trade Secrets
 Punishes stealing, copying without authorization, downloading,
uploading, etc. of a trade secret with intent to convert it for the
economic benefit of someone other than the owner

Trade secret- information with economic value because it is not
generally known, and the owner has taken reasonable measures to
keep that information a secret
 Not something tangible- must be something about the product
that gives it credence
o Fraudulent Documents
 Deals with fake passports, IDs, government docs generally made by
computers
 Treats these items like contraband- no possession
o Access Device Fraud
 Any card/number/code that can be used to help obtain goods and
services
 Prohibits using, possessing trafficking, etc. to use
counterfeit/unauthorized access devices with the intent to defraud

Copyright Law
o Protects rights in original works in tangible mediums for limited times
o Only protects the expression of the idea, not the idea itself
o Fair use allows de minimus infringement.
 Basically small use that’s not economically harmful
o Criminal Law factors
 Defendant infringed the copyright
 Acted willfully
 Defendant must know that what he is doing is unlawful
 Engaging in the business to want/try for a profit is enough
 Sometimes must prove certain dollar value of loss
 Felony is total loss of $2500 or more


Actual profit not required, just that you want to/are trying to make a
profit
Intent to profit is just an enhancement to the punishment
Threats and Harassment

Interstate threat to kidnap or injure the person of another (felony) 18 USC 875(c)
o Transmission in interstate/foreign commerce
o Threat – serious expression of intent to harm, aimed at achieving some goal
o Remember no protection for a true threat- where the speaker means to
communicate a serious expression of an intent to commit an act of unlawful
violence to a person/group
 Look at language itself, context, testimony by recipient


Threats to harm property/ threats to damage a computer [10 USC 1030(a)(7)]
Harassment statute- Crime to make a telephone call/use telecom device without
disclosing identity and intent to annoy

Cyber stalking- intent to place another in state of reasonable fear of death or serious
bodily injury to them, immediate family, spouse/gf, and uses any instrumentality of
interstate commerce
Vice Crimes

Wage Wire Act prohibits being in the business of taking bets if taking bets is illegal
under state law
o This also prohibits transmission of information assisting in the placing of bets
as well as the bets themselves
o Very hard to enforce because of jurisdictional issues

Obscenity
o Can punish distribution, but not possession (except for child porn)
o Obscenity test
 If the average person, using contemporary community standards,
would find that the work appeals to the prurient interest
 Whether the work depicts/describes sexual conduct in a patently
offensive way (Community standard)
 Whether it lacks serious literary, artistic, political, or scientific value
Child Exploitation Crimes

Receipt, Distribution, and Possession of Digital Contraband
o 18 USC 2252(a)
 (1)Prohibits knowingly sending child pornography in interstate
commerce
 (2) Prohibits exchange of possession of child porn
 (3) Prohibits selling/possession with intent to sell
 (4) Prohibits possession on federal property
o To prosecute, must show
 The images possessed depicted real minors (not virtual images) AND
 Possession requires knowledge and control
 That the defendant knew the images he possessed depicted real minors
 Use of direct and circumstantial evidence of actual knowledge
or willful blindness
Entrapment/Traveler Cases

Enticement
o Persuading minor to travel interstate to engage in an illegal sexual act
o Using means of interstate commerce to persuade/attempt to persuade minor to
engage in an illegal sexual act
 Persuade = actually convince
 Attempt= substantial step towards persuading

Entrapment Defense
o Entrapment is a jury question
o Defendant has the burden to show he was induced, then the government has
the burden to show BRD that the defendant was not induced or that he was
predisposed to commit the crime
 Inducement- opportunity to commit the crime plus some excessive
pressure
 Predisposition- evidence from defendant’s past to show he was
unusually inclined to commit the crime
o Basically- Did the government’s conduct cause the crime?
Sentencing Guidelines (Pg 278 of the book)

Special skill enhancement
o You are more liable if you use your special skills to exploit people
o Special computer skill- extraordinary knowledge of how computers work and
how to bypass security systems
o Test- Special skill as compared to society at large

Computer Misuse Cases/Economic Crimes
o Offense level starts at 6
o Punishment based on amount of economic loss (reasonably foreseeable $$
harm)
 Remember that in 1030 crimes, unforeseeable $$ harms are included
in loss
o Guilty plea- deduct 2 points

Child porn
o Start with 18 points (for just possession) or 22 (for distribution, receipt, or
possession w/ intent to sell)

Special circumstances of supervised release must be reasonably related to factors
(Factors to argue- not binding)
o Nature of the circumstances of offense/defendant’s record
o Adequate deterrence to criminal conduct
o Protecting the public from future crimes
o Can't be greater deprivation of liberty than reasonably necessary to achieve
goal
4th Amendment

Search- invasion into someone’s reasonable expectation of privacy
o Must be objectively and subjectively reasonable
o Presumptively unreasonable if no warrant unless exception applies
 Exigency, Consent, SITLA, Border searches, Plain view
o Test for government action
 Whether government knew of and acquiesced in the search

Whether private person intended to assist law enforcement or had
some other specific motivation
o Things that are visible on the outside are not protected by 4A, just like a
container

Seizure- meaningful interference with an individual’s possessory interest in that
property
o Data seizures
 Copying serial numbers is not a seizure- no interference with
possessory interest in property
 Pen register- seizure of number dialed


4th amendment protects the information, not just the media that it’s on.
Sniffing for a password is not a seizure because no violation of
possessory interest

If a private actor conducts a computer search, three options for what the police can
access
o Only the entirety of the file(s) previously searched/exposed
o The entire physical device (5th Cir rule)
o Only the information exposed (meaning parts of files seen)

Exceptions to the Warrant Requirement
o Knock and talk
o Exigency- degree of urgency and time it would take to get a warrant
 Generally, for computer crimes, there can be a warrantless seizure but
not a warrantless search because once you have the data, it’s not going
anywhere
o Consent- what a typical reasonable person would believe the scope of the
consent is
 3rd party consent- common authority is enough, but password
protection defeats common authority
 Also invalid where 1st party is present and objects
 Apparent authority- search may still be reasonable if officers
reasonably believed at the time of the search that the 3P had authority
to consent
 Password protection is the same as a locked trunk
o SITLA- can search the person and his wingspan pursuant to lawful arrest
 Can search pagers pursuant to lawful arrest (exigency)

Probably can't search a cell phone incident to arrest because too much
information and not necessary for cop’s safety
o Border Searches- Warrantless searches at the border are permissible under
sovereignty grounds. No cause or warrant needed.
o Workplace Searches
 Private Sector- 4th Amendment applies, employees have a reasonable
expectation of privacy except things that are open to the public
 Employers can consent usually under 3P doctrine or police
need a warrant
 Public sector- Government workers have a REP unless




Others have access to the same space
Legitimate workplace regulations can deprive employees of
privacy rights  this is critical to the inquiry
Court must determine whether the search was reasonable in
scope, work related, and justified by non-law enforcement
needs
Search Warrants
o Probable cause requirement applies to any computers in the home
 Fair probability that contraband/evidence of a crime will be found in a
particular place
o Must be sufficiently particular
 Test
 Whether PC exists to seize all items of a particular type
described in the warrant
 Whether the warrant sets out objective standards by which
executing officers can differentiate items subject to seizure
from those which are not AND
 Whether the government was able to describe the items more


particularly in light of the information available to it at the time
the warrant was issued
Also: Must be more particular than “all computers”, but can just list
category of electronically stored evidence that the police are looking
for
Good faith exception: Error in approval of the warrant doesn’t require
suppression if officers relied on the warrant in good faith
o Plain View exception- can seize evidence unrelated to the justification of the
search if the incriminating nature of the evidence is apparent.
 Subjective standard- As long as the officer is looking for evidence
described in the warrant, evidence beyond the scope of the warrant is
admissible. (Majority view)
 Objective standard- If the warrant gives the authority to open and look
at each file, there is no violation of privacy regardless of the officer’s
subjective motivations.
Encryption

The 5th amendment applies to prevent a person from incriminating themselves by
entering a password if
o There is legal force applied
o The information is incriminating
o The conduct/statement is testimonial
 Typing a password to decrypt can be testimonial

Assume this is the law everywhere
The 4th Amendment in the Network Context

Ways to conceptualize
o Internet as letters- communications over the internet are like sent letters
 Outside of the letter is not protected because it’s exposed
 Contents of the letter are protected
 Exception- Pen Register is not a search because no REP in numbers
dialed
o Internet as speech- no 4th amendment rights because you are speaking out loud
with no REP

For Content Information and privacy, all judicial opinions have been stricken, but
some factors to balance
o User perception
o ISP practice
o Analogy to telegraphs, etc.
o Terms of service of the ISP
o Legislation

Kerr’s view: Communications networks are substitutes for what happens in the real
world. The 4th amendment should be technology neutral.
o Means there should be 4th amendment protection for content information, but
not non-content because it would be public.
Statutory Privacy Protections

First question: is the Surveillance Prospective or Retrospective?
o Prospective- real time during transit/ in the course of transmission
 Wiretapping goes here
o Retrospective- access to stored communications kept in ordinary course of
business by a 3rd party provider

Second question: Content or Non-Content Information?
o Content- substance of the message
o Non-Content- information used to deliver communication and network
generated information
Prospective
Retrospective
Contents
Wiretap Act
(18 U.S.C. § 2510-22)
Stored Comm. Act
(18 U.S.C. § 2701-11)
Non-Content
Pen Register Statute
(18 U.S.C. § 3121-27)
Stored Comm. Act
The Wiretap Act (“Title III”)

Remember this only applies to real time content (repeated access in transit) access
o Real time- repeated accesses in transit

Prohibits the interception of communications without a court order
o Very high burden to meet (higher than probable cause)
o Most of the time, exceptions are used instead

Delineation between wire and electronic communications
o Wire- communications that contain the human voice and sent over a wire
(basically telephone)
o Electronic- doesn’t contain a human voice
o Basically this Act applies as soon as communication is sent into the network
and ends when delivered to the end user
 The only suppression remedy is for the telephone and not electronics

If Surveillance Tool is programmed to pick up contents, it must comply with the
Wiretap Act.
o If programmed to pick up dialing, routing, addressing, or signaling (DRAS)
information, the tool must comply with the pen/trap statute

Lingering Policy Question
o How much protection should be offered for each type of surveillance?



Too low  fishing expedition, too high  harmful to investigation
Key is to balance privacy and law enforcement needs
Exceptions to the Court Order Requirement
o Consent- Any party to a communication can consent to monitoring
 Only one party’s consent is needed
 Defining “party”- easy to figure out for the phone, for the internet,
either look at who the communication is addressed to or who can
consent to the communication
 Must be consent in fact, but can be inferred from actual notice
o Provider Exception- The network can provide monitoring to uphold the
integrity of the network
 Basic standard is reasonableness in protecting the integrity of the
network
 Exception is very narrow and has to be provider driven
 The government can't direct the provider to monitor
 Motive of the provider basically needs to be protection of
property
o Trespasser Exception [18 USC 2511(i)]
 Allows a person acting under color of state law to intercept
communications of a trespasser if
 Owner/operator of the protected computer authorizes the
interception
 The person acting is lawfully engaged in an investigation
 Person has reasonable grounds to believe the contents of the
trespasser’s communications will be relevant to the
investigation AND
 He only acquires communications transmitted to or from the
trespasser
The Pen Register Statute


If dialing, routing, addressing, addressing, or signaling information, use Pen Register
For collecting non-content information in real time
o Remember no 4th amendment protection for this information

Can't use a pen register or trap device without a court order
o Remedies for violations of this are criminal misdemeanors
o No suppression remedies for a violation though

If there was a court order, was it done properly?
o Identification, Certification that the information is relevant, Issued by
magistrate

The Exceptions are almost the same as those for the Wiretap Act, but apply to private
actors as well
o Consent- allows caller ID
o Provider- extra broad to prevent unlawful/abusive use of service
Stored Communications Act
(See Chart on pg. 517)


Governs privacy of records held by 3rd party ISPs
Any time the government want to get information on an internet user from an ISP, it
must comply with the SCA

Content Information-
o Remote Computing Service vs. Electronic Communications Service
 RCS- Providing computer storage to the public by means of an ECS
 Maybe only a subpoena/court order plus notice is needed to
access RCS
 For retrieved email, public ISP is RCS


Except in the 9th Circuit where all email is ECS until it
expires in the normal course
ISP storing/processing communications is RCS if available to
the public



If not available to the public, its neither an ECS or RCS
(4th amendment protection is all you get)
ECS- Any service that allows users to send/receive wire or electronic
communications
 Requires a warrant to access
 Internet user using the ISP to send/receive communications
makes ISP an ECS
 For unopened email, ISP is ECS
No protection for remotely stored files held by non-public provider
 Ex- Private Law Firm. Only a 4th amendment question

Non- Content Information
o General records of information regarding a customer/subscriber
o Specific types of information- name, address, billing credit card, length of
service, logs of session times, list of assigned IP addresses

Compelled Disclosure 18 USC 2703
o Thresholds to Compel
 Basic subscriber information- subpoena
 Session logs/IP addresses-subpoena
 Other records- 2703(d) order


Contents held by an ECS
 Warrant needed if held for less than 180 days, treat as RCS if
held for more
Content held by an RCS
 Subpoena with notice OR
 2703(d) order with notice OR

“Specific and articulable facts” order

Can delay notice by 90 days with showing of good
cause
 Warrant without notice.
o Preservation Request
 Allows the government to request that a provider preserve records
already created pending legal process. Only applies to records already
created

Voluntary Disclosure 18 USC 2702
o Non-public provider can disclose any stored materials at will
o Public provider



Can’t disclose content(e-mails, documents, etc.) unless
 Consent of addressee, intended recipient, or his agent
 Provider exception from Wiretap Act
 Exigent circumstances
 Inadvertently obtained and appear to pertain to a crime
Can't disclose non-content/records (subscriber information, etc.) unless
 Consent by customer/subscriber
 Disclosure to someone non-governmental
 Exigency
 Provider exception
If the information is content and non-content, must satisfy both
exceptions
Scope of Federal Power vs. State Power

Federal
o Constitutionally- Congress can regulate purely personal use if it affects
interstate commerce in the aggregate (Rational basis)
 Local production of child porn substantially affects interstate
commerce
o Substantive Power- Basically the internet allows inference of interstate
movement
 So crimes by be committed in a method affecting interstate commerce
and not in interstate commerce

State
o Substantive Limits- Constitution/Dormant Commerce Clause


What states can/can't regulate is based on what other states/Fed is
doing
 States can enact concurrent criminal statutes (mirroring 1030 or
child porn)
 Can have computer crimes statutes is
 Identical to state/federal regulations
 Somehow applies to purely intrastate commerce
 Can't enact new types of laws
Pike Balancing Test- State can't regulate intrastate transactions if the
impact on interstate commerce outweighs the local benefits
o Procedural Limits
 Federal statutory laws that impose explicit limit on state law procedure
 State Statutes can be more restrictive than the Federal statute
 State Constitutions
 Must follow 4th amendment rules
 Practical Investigatory Issues
 State court order is only binding in that state
 Out of state evidence collection

Voluntary assistance


Other state can open up an investigation
Give to Feds
International Computer Crimes

To get jurisdiction over someone internationally for computer crimes (one or both)
o Intended effect doctrine- If the person abroad intended and actually caused
detrimental effects within the US, there is jurisdiction to bring charges in the
US.
o Extraterritoriality- For charge someone with an international computer crime,
Congress must have intended it to apply to computers in foreign commerce
 Can be inferred thru intent to be enforced outside the US

International Evidence Collection
o Procedurally
 Only a 4th amendment question

You have 4th amendment rights abroad only if you have a voluntary
connection to the US (basically resident aliens and citizens)
 If the US is on a join venture with a foreign government, as long as the
laws of the foreign government are reasonably complied with, and
doesn’t shock the conscience, its not a 4th amendment problem
(admissible).
o Substantively
 Rogatory Letters
 Request from tribunal in one country to tribunal in another
 Very slow process- 6-12 months

Treaties
 Extradition



Requires the crime to be a crime in both countries.
Must be a felony in the US and should carry the
potential penalty of at least 1 year in prison
Mutual Legal Assistance Treaties




Imposes mutual legal obligations on evidence collection
US has MLAT with 45 countries
o No extradition if prosecution would violate US
constitutional law.
24 Hour Contact Points
 Each country has 24 hour access to computer crime agents and
prosecutors to  evidence collection in an emergency (US and
most of Western Europe plus Canada and South Korea and
Japan)
Policy Proposals
 Uniform substantive laws for extradition and dual criminality
MLAT. Also to avoid safe havens and synchronize legal
assistance


 One world government? European law? US law?
Very broad substantive and procedural laws
 Effects on domestic power? Privacy?
Council of Europe Cybercrime Convention
 Enacts something similar to US law (1030, etc.)
FISA Stuff

Can conduct surveillance on foreign agent without a warrant if it meets the test
o Foreign agent- spies, terrorists, foreign embassy officials
o Test: Probable cause that the person is agent of foreign power, significant
purpose is for foreign intelligence power

FISA Pen Register Statute- same idea but for national security purpose, not for a
criminal case

“Protect America Act”
o FISA warrants not needed to monitor targets reasonably believed to be located
outside of the US

Can get email from Gmail server of people believed to be outside the
US