Cybercrime

1
Cybercrime
Interstate Cyberstalking and Threatening
Communications
Presented by John Arsenault and Suresh Sampath
University of Oregon School of Law
2
What is internet fraud?

• A broad term encompassing any sort of scam or
  fraud depriving victims of money or property
  through deceit using the internet
• 2006 internet fraud losses in the U.S. approached
  almost 200 million dollars
• Common examples of internet fraud
• Auction Fraud
• Investment Fraud
• Credit Card Fraud
• Business Opportunity / Charity Fraud

3
What is internet fraud?

• Generally governed by the federal wire fraud
  statute (See also state specific statutes)
• 18 U.S.C. 1343

4
18 U.S.C. 1343

• Whoever, having devised or intending to devise
  any scheme or artifice to defraud, or for
  obtaining money or property by means of false or
  fraudulent pretenses, representations, or
  promises, transmits or causes to be transmitted
  by means of wire, radio, or television
  communication in interstate or foreign commerce,
  any writings, signs, signals, pictures, or sounds
  for the purpose of executing such scheme or
  artifice,
• shall be fined under this title or imprisoned not
  more than 20 years, or both. If the violation
  affects a financial institution, such person
  shall be fined not more than 1,000,000 or
  imprisoned not more than 30 years, or both.

5
Types of internet fraud?

• Auction fraud
• Seller fails to pay or deliver
• Seller misrepresents the condition of an item
• Seller sells a counterfeit item to unsuspecting
  victims
• Seller sells a rock in box to victim while taking
  the buyers money

6
Types of internet fraud?

• Investment Fraud
• Through email spam, a stock is told to be a great
  buy or that it must be quickly sold (benefits
  short sellers)
• Message board and news group posting on finance
  websites
• CNBC
• Raging Bull
• Google
• Yahoo

7
Types of internet fraud?

• Business Opportunity fraud
• Work at home jobs
• Pyramid or ponzi schemes
• Fraudulent money order scams
• Leaves victim culpable for the money orders
• Open jobs with processing fees
• Reshipping scams
• Charity Fraud
• Takes advantage of events or sympathies related
  to charities

8
Types of internet fraud?

• Click Fraud
• Undermines value of internet advertising

9
Types of internet fraud?

• Payment card fraud
• A billion dollar industry - unlawful and
  fraudulent uses of payment cards
• What about fraud involving payment cards, but not
  involving transactions?
• What about fraud involving cell phones used as
  payment?
• What about fraud involving interception of key
  fobs and other access devices?

10
Access Device Fraud - 18 U.S.C. 1029

• What is prohibited - knowingly or with intent to
  defraud (in interstate or foreign commerce of
  course)
• Produces, uses, or traffics counterfeit access
  devices (a)(1).
• Traffics in or uses a device during any one year
  period and aggregating value through the device
  over 1000 (a)(2).
• Possesses fifteen or more counterfeit or
  unauthorized access devices (a)(3).
• Has or traffics in device-making equipment
  (a)(4).
• Effects transactions to receive payment of
  anything of value during a one-year period
  aggregating value through the device over 1000
  (a)(5).
• Without the issuers authorization, A. offering
  an access device, or B. selling information
  regarding an application to obtain an access
  device (a)(6).

11
Access Device Fraud - 18 U.S.C. 1029

• What is prohibited - knowingly or with intent to
  defraud (in interstate or foreign commerce of
  course)
• Traffics, possesses, or produced a
  telecommunication instrument that has been
  modified to obtain unauthorized access of service
  (a)(7).
• Traffics in or has control of a scanning receiver
  (a)(8).
• Uses, produces, or traffics, has control or
  possesses hardware or software, knowing it has
  been configured to insert or modify
  telecommunication signals to obtain
  telecommunications service without authorization
  (a)(9).
• Without the authorization of the credit card
  system members or its agents, causes or arranges
  for another person to present to the member or
  its agent, for payment, 1 or more evidences or
  records of transactions made by an access device
  (a)(10).

12
Access Device Fraud

• What is an access device?
• any card, plate, code, account number, electronic
  serial number, mobile identification number,
  personal identification number, or other
  telecommunications service, equipment, or
  instrument identifier, or other means of account
  access that can be used, alone or in conjunction
  with another access device, to obtain money,
  goods, services, or any other thing of value, or
  that can be used to initiate a transfer of funds
  (other than a transfer originated solely by paper
  instrument) 1029(e)(1).

13
Access Device Fraud

• What do access devices include?
• Credit/debit cards
• Account numbers
• Key fobs
• Personal Identification Numbers
• Credit card access equipment (magnetizers,
  scanners)
• Computers
• Long Distance Phone cards
• Biometric information??
• Access devices are pretty much anything that
  allows you access to your bank account or an
  account with potential monetary value

14
Access Device Fraud

• U.S. v. Jiang, S.D.N.Y. Feb. 28, 2005
• Jiang placed keystroke loggers on several Kinkos
  computers in NY state.
• He pled guilty to access device fraud because he
  possessed over 15 computer usernames and
  passwords belonging to other persons, also to
  access their bank and financial services
  accounts, open on-line bank accounts in their
  names, and transfer the funds to the unauthorized
  accounts

15
Access Device Fraud

• United States v. Mantovani et al., Dist. N.J.,
  June 29 (2004)
• The shadowcrew group of hackers shared and
  distributed the personal information of thousands
  of individuals through their website.
• Included was the banking and financial
  information of the victimized individuals, which
  was also posted to and then bought and sold
  between criminals.
• 1.7 million credit cards were shared by the
  shadowcrew, leading to losses in excess of 4
  million dollars.

16
Access Device Fraud

• 18 U.S.C. 1029 (c) Penalties
• (1) Generally. The punishment for an offense
  under subsection (a) of this section is
• (A) in the case of an offense that does not occur
  after a conviction for another offense under this
  section
• (i) if the offense is under paragraph (1), (2),
  (3), (6), (7), or (10) of subsection (a), a fine
  under this title or imprisonment for not more
  than 10 years, or both and
• (ii) if the offense is under paragraph (4), (5),
  (8), or (9) of subsection (a), a fine under this
  title or imprisonment for not more than 15 years,
  or both
• (B) in the case of an offense that occurs after a
  conviction for another offense under this
  section, a fine under this title or imprisonment
  for not more than 20 years, or both and
• (C) in either case, forfeiture to the United
  States of any personal property used or intended
  to be used to commit the offense.

17
Access Device Fraud

• What types of access devices may also qualify
  under the statutory definition?
• Etrade accounts
• Ebay/Paypal accounts
• Stolen cell phone associated with a bank account
  that can conduct transactions
• Long Distance cards

18
Interstate Threatening Communications and
Cyberstalking
19
Interstate Threatening Communications and
Cyberstalking

• The statute governing threatening communications
  is 18 U.S.C. 875.

20
Interstate Threatening Communications and
Cyberstalking

• Whoever transmits in interstate or foreign
  commerce any communication containing any demand
  or request for a ransom or reward for the release
  of any kidnapped person, shall be fined under
  this title or imprisoned not more than twenty
  years, or both (a).
• Whoever, with intent to extort from any person,
  firm, association, or corporation, any money or
  other thing of value, transmits in interstate or
  foreign commerce any communication containing any
  threat to kidnap any person or any threat to
  injure the person of another, shall be fined
  under this title or imprisoned not more than
  twenty years or both (b).

21
Interstate Threatening Communications and
Cyberstalking

• Whoever transmits in interstate or foreign
  commerce any communication containing any threat
  to kidnap any person or any threat to injure the
  person of another, shall be fined under this
  title or imprisoned not more than five years, or
  both (c).
• Whoever, with intent to extort from any person,
  association, or corporation, any money or other
  thing of value, transmits in interstate or
  foreign commerce any communication containing any
  threat to injure the property or reputation of
  the addressee or of another or the reputation of
  a deceased person or or threat to accuse the
  addressee or any other person of a crime, shall
  be fined under this title or imprisoned not more
  than two years, or both (d).

22
18 U.S.C. 875 Interstate Communications

• Extortion related to kidnapping
• Requires specific intent to extort, U.S. v.
  Heller, 579 F.2d 990 (6th Cir. 1975).
• Extortion
• Threatening Communications
• Threatening to kidnap
• Threatening to injure property or defame

23
875(c) Threatening Communications

• Intent to communicate
• Communication in interstate commerce
• The communication is reasonably perceived by the
  recipient as threatening
• Threat of harm to a person. U.S. v. DeAndino,
  958 F.2d 146 (6th Cir. 1992) (although not
  necessarily a specific person).

24
875(c) Threatening Communications

• Intent requirement for 875(c)
• Intent to communicate
• Reasonably perceived by recipient as threat of
  bodily harm
• Subjective intent to threaten is not required.
  U.S. v. Morales, 272 F.3d 284 (5th Cir. 2001).
• Intent to make an interstate communication is
  also not required. U.S. v. Darby, 37 F.3d 1059
  (4th Cir. 1994).

25
875(c) Threatening Communications

• Interstate commerce requirement
• An internet communication need only travel out of
  state to fulfill interstate commerce prong. U.S.
  v. Kammersell 196 F.3d 1137 (10th Cir. 1999).
• Interstate commerce
• The prosecution must prove that a communication
  was in interstate commerce under a 18 U.S.C.
  875 action. U.S. v. Oxendine, 531 F.2d 957 (9th
  Cir. 1976).
• A communication need not be made for the purposes
  of commerce or business, but must merely be made
  through an instrumentality of interstate commerce
  to create federal jurisdiction. U.S. v. Holder,
  302 F.Supp. 296 (D.C. Mont. 1969).

26
U.S. v. Kammersell, 196 F.3d 1137 (10th Cir. 1999)

• Facts D logged onto AOL IM from home in UT. D
  sent a bomb threat to his girlfriends computer
  in Ogden UT, hoping that this would enable her to
  leave work early. The bomb threat was transmitted
  through interstate telephone lines from his
  computer in UT, to an AOL server in VA, and then
  back to UT at his girlfriends terminal in Ogden.
  Every AOL IM automatically goes from the state of
  origin to AOLs main server in VA before going to
  its final destination.
• Holding The Court concluded that the plain
  language of the statute interpreted literally
  would allow federal jurisdiction since an
  interstate transmission occurred. The Court cited
  a 2nd Circuit case, Kelner, which found so long
  as the crime involved a necessary interstate
  element, the statute must be treated as valid.

27
U.S. v. Morales, 272 F.3d 284 (5th Cir. 2001)

• Facts D, a TX high school student, entered an
  internet chatroom with a stranger in Washington,
  and told him that he planned on shooting and
  killing students at his TX high school. He was
  convicted. D argued on appeal that he didnt make
  the statements with an intent to intimidate and
  that the trial court erred in failing to provide
  a jury instruction requiring proof that D either
  communicated the threat to the target or intended
  a third-party to communicate the threat to the
  target.

28
U.S. v. Morales, 272 F.3d 284 (5th Cir. 2001)

• Issue 1 Were Ds statements a true threat?
• Holding 1 Yes. A communication is a threat if in
  its context it would have a reasonable tendency
  to create apprehension that its originator will
  act according to its tenor. The threat must be
  made knowingly which means voluntarily and
  intelligently and not by mistake or accident. To
  distinguish political hyperbole from a true
  threat, in order to convict, a fact finder must
  determine that the recipient of the in-context
  threat reasonably feared it would be carried out.

29
U.S. v. Morales, 272 F.3d 284 (5th Cir. 2001)

• Issue 2 Can communications, as a matter of law,
  constitute a true threat when they are made to a
  third party with no connection to the target?
• Holding 2 Yes. The Court found that the language
  of 18 U.S.C. 875 doesnt require intent to
  communicate the threat to the specific victim.
• Issue 3 Is the prosecution required to prove
  that the defendant subjectively intended to make
  a threat through his communication?
• Holding 3 No. 18 U.S.C. 875(c) contains no
  specific intent requirement. Thus only a general
  intent to communicate is required to be proven.

30
U.S. v. Alkhabaz, 103 F.3d 1492 (6th Cir. 2001)

• Facts D posted stories depicting sexual violence
  to a usenet group. One of these stories involved
  the torture, rape, and murder of a young woman
  who shared the same name as one of Ds classmates
  at the University of Michigan. Some time after, D
  and his friend (computing from Ontario Canada)
  exchanged email messages expressing an interest
  in sexual violence.
• D was arrested under 18 U.S.C. 875 for sending
  threatening interstate communications. The
  District Court dismissed the indictment against
  D, finding that his stories and messages did not
  constitute true threats and were protected
  speech. The government appealed the dismissal of
  the indictment.

31
U.S. v. Alkhabaz, 103 F.3d 1492 (6th Cir. 2001)

• Reasoning 18 U.S.C. 875(c) contemplates
  general intent, requiring proof that a reasonable
  person would have taken Ds statement as a
  serious expression to inflict bodily harm.
• The court found a literal application of the
  statute swept too broadly and set a standard to
  distinguish speech from a threat.
• Holding to constitute a communication
  containing a threat under 875(c), a
  communication must be such that a reasonable
  person (1) would take the statement as a serious
  expression of an intention to inflict bodily harm
  (the mens rea), and (2) would perceive such
  expression as being communicated to effect some
  change or achieve some goal through intimidation
  (the actus reus).

32
Cyberstalking Statute, 18 U.S.C. 2261A

• Whoever . . . uses any interactive computer
  service, or any facility of interstate or foreign
  commerce to engage in a course of conduct that
  causes substantial emotional distress to that
  person or places that person in reasonable fear
  of the death of, or serious bodily injury to, any
  of the persons described in clauses (i) through
  (iii) of subparagraph (B)
• (B) . . .
• (i) . . . person
• (ii) a member of the immediate family . . . of
  that person or
• (iii) a spouse or intimate partner of that person

33
Cyberstalking Statute, 18 U.S.C. 2261A

• History Behind 18 U.S.C. 2261A
• Enacted as part of Violence Against Women Act of
  1994 (VAWA).
• Created the federal crime of stalking, largely in
  response to highly publicized murder of actress
  Rebecca Shaeffer.

34
Cyberstalking Statute, 18 U.S.C. 2261A

• U.S. v. Bowker, 372 F.3d 365 (6th Cir. 2004).
• Facts A television reporter, Tina Knight, began
  to get a number of emails suggesting that the
  sender was interested in her. He started sending
  letters to the TV station where she worked and to
  Tinas parents home. The station manager told D
  that his letters were unwelcome. D agreed to stop
  contacting Knight. He broke the agreement and
  began contacting Knight. His tone became more
  aggressive and he sent letters suggesting that he
  would come find her in person. Knight began to
  fear that she would be raped by D. D was arrested
  and tried on various counts, including a charge
  of cyberstalking.

35
Cyberstalking Statute, 18 U.S.C. 2261A

• U.S. v. Bowker, 372 F.3d 365 (6th Cir. 2004).
• D argued that 18 U.S.C. 2261 overbroadly
  included certain protected speech. The Court
  rejected this challenge as it found that D hadnt
  pointed to anything in particular. The court also
  rejected Ds vagueness challenge, finding that
  the reasonable person standard in objectively
  discerning threatening behavior would apprise the
  reasonable person reading the statute of what
  conduct was prohibited. Further, it found
  harassment and intimidation to be words of common
  understanding.

36
Cyberstalking Statute, 18 U.S.C. 2261A

• U.S. v. Bell, 303 F.3d 1187 (9th Cir. 2002).
• course of conduct means a pattern of conduct
  comprised of two or more acts.