Cybercrime Roundup: Bitcoin, Cat Pictures, and Defining Loss under the CFAA

Whose Authorization Matters—The Third-Party Accounts of Former Employees
Two district courts in Virginia have parsed out a distinction regarding email access to the third-party accounts of former employees: following the employee’s termination, who is allowed to access the account and whose permission is required? The answer depends on how personal the account was.

First, the Western District of Virginia denied the defendant’s motion to dismiss in Hoofnagle v. Smith-Wythe Airport Commission, et al. Hoofnagle previously worked at Mountain Empire Airport, which during his employment, did not provide him with a work email. In order to communicate with vendors and customers, Hoofnagle unilaterally created a Yahoo! account, which he used both for business and personal purposes.

According to the deposition, Hoofnagle understood that he was speaking for the airport when he used that email address, which was “held out to the public as an official contact for the Airport.”

Mountain Empire Airport fired Hoofnagle after he signed an inflammatory email to Sen. Tim Kaine with his official title. Responding to a letter Sen. Kaine sent Hoofnagle (presumably itself responding to original correspondence by Hoofnagle) after the Newtown school shooting, Hoofnagle wrote:

Dear, Mr. Kain [sic]. I own over 9 AR platform rifles and 30 some various other rifles and shotguns, a dozen handguns, I suggest you stick up for rights of all gun owners in Va. In my opinion you and your kind (Liberals) ARE a CANCER to this state and COUNTRY, therefore I have gone to the voting polls every Nov. to try and eradicate you and your kind from public office, and will continue to do so. We do not have a gun problem, We have an IDIOT PROBLEM, go deal with that, and not the competent gun owner. Here is the Va. NRA tollfree # 1-800-672-3888. Now you can join the NRA. So you can be apart [sic] of something with some substance and character…Charles H. Hoofnagle. Airport Operations Manager Mt. Empire Airport in south west Va. 276-685-1122

After he was fired, an agent of the airport accessed Hoofnagle’s Yahoo! account without Hoofnagle’s permission. Hoofnagle brought several claims against the airport, including violation of the Stored Communications Act (SCA), which criminalizes “intentionally access[ing] without authorization a facility through which an electronic communication service is provided” or “intentionally exceed[ing] an authorization to access that facility,” and by doing so “obtain[ing], alter[ing], or prevent[ing] authorized access to a wire or electronic communication while it is in electronic storage in such system.”

In dealing with the airport’s defense, the court stated that,

[a]s the individual who used his personal information to create the account and establish a password, Hoofnagle was clearly the person duly authorized by Yahoo! to use and access the account, not the Airport or the Commission.

Holding that there were genuine issues of material fact, this portion of the airport's motion to dismiss was denied.

Ten months later in the Eastern District of Virginia, a court ruled on a similar motion to dismiss.

Estes Forwarding Worldwide (EFW), a transportation logistics company, fired Marcelo Cuellar. During his employment, Cuellar created a Google Drive account because EFW was not allowed to install their own IT infrastructure in the particular operations location where Cuellar worked.
According to the complaint,

[e]ach day, [Cuellar] and other EFW employees on site used the [a]ccount to record information such as the shipment being handled, the routing decisions being made, the selection of vendors, and cost information.”

One late night over a year after he was fired, Cuellar accessed the account at his home in Washington State. He created an archive of all the spreadsheets on the account. In addition, he changed the password and removed two contact points for EFW from the account, both a recovery phone number and a secondary email address.

The next morning, he accessed the account again—this time from his job at AES Logistics, one of EFW’s competitors. Cuellar downloaded the archive he previously created and then deleted the account.

EFW filed suit against Cuellar, claiming, among other things, a violation of the Computer Fraud and Abuse Act (CFAA).
In his motion to dismiss, Cuellar argued that “because he created the account, ‘[i]t was the authorization of Google, and not EFW, that mattered for purposes of determining [his] access rights under the CFAA.’” For this argument, Cuellar relied heavily on Hoofnagle.

However, the court distinguished Cuellar’s case from Hoofnagle’s in two ways. First, where Hoofnagle unilaterally created the Yahoo! account, Cuellar’s Google Drive account was created “within the scope of his employment for, and at the direction of, EFW.” According to the court, Cuellar’s account was therefore not a “personal account.” Second, Cuellar did not use the account for personal matters during the time of his employment, as Hoofnagle did. Therefore, the account was not as personal as Hoofnagle’s in two ways—its creation and its use.

This distinction provides both a fine line and some guidance for employees and employers, at least within Virginia.

Loss, as Defined in the CFAA
In a January decision, the Eleventh Circuit weighed in on the conversation as to what constitutes “loss” under the Computer Fraud and Abuse Act. The CFAA defines loss as:

any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

Both the Sixth and the Fourth Circuits have read that definition “to include the cost of responding to the offense, irrespective of whether there was an interruption of service.”

The Sixth Circuit explained its reading as follows:

“[l]oss is defined in the disjunctive—it includes “any reasonable cost to any victim including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program system, or information to its condition prior to the offense.” 18 U.S.C. § 1030(e)(11). It also encompasses “any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. If a plaintiff is able to establish a loss of at least $5,000 in value, whether that be composed solely of costs identified in the first clause, or solely costs identified in the second clause, or a combination of both, then he may recover under the statute.

However, not all courts agree with that reasoning, and some district courts require the loss to result from a disruption of service. One such court, the Southern District of Florida, explained their reading of the definition as follows,

This Court...concludes that all loss must be as a result of “interruption of service.” Otherwise, it would appear that the second half of the “loss” definition is surplusage. If loss could be any reasonable cost without any interruption of service, then why would there even be a second half to the definition that limits some costs to an interruption of service. Rather, the better reading (though reasonable minds surely can differ until the Court of Appeals decides the issue) appears to be that all “loss” must be the result of an interruption of service.This conclusion is supported by the legislative intent in the CFAA, a criminal statute, to address interruption of service and damage to protected computers.

The Eleventh Circuit took up the issue in Brown Jordan v. Carmicle. Brown Jordan, a furniture manufacturer and retailer, transitioned between one email service to another, sending out a generic password for the employees’ new accounts in order to aid in the transition. Using this password, Christopher Carmicle accessed the email accounts of other employees, including his supervisors. He preserved the emails by screenshotting them on his iPad. By reading the emails, Carmicle discovered an undisclosed management buyout of a portion of Brown Jordan’s business.

Upset about the plan, Carmicle wrote the Board of Directors claiming that illegal activity had occurred, including the plan for a management buyout. After receiving the letter, the board hired an investigator, to whom Carmicle disclosed that he had accessed various email accounts.

When Brown Jordan brought suit against Carmicle for violating the CFAA, among other things, one of Carmicle’s defenses was that Brown Jordan did not incur a loss because their service was not interrupted.

The Eleventh Circuit agreed with the other appellate courts, holding that:

The plain language of the statutory definition includes two separate types of loss: (1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. See 18 U.S.C. § 1030(e)(11). The statute is written in the disjunctive, making the first type of loss independent of an interruption of service. Yoder, 774 F.3d at 1073. Contrary to the assertion of the court in Continental Group, this interpretation does not reduce “interruption of service” to surplusage. See Cont’l Grp., 622 F. Supp.2d at 1371. “Loss” includes the direct cost of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second.

Extortionist Identified by Digital Footprint and Cat Pictures

Recently, the Sixth Circuit handed down an opinion highlighting a bizarre extortion attempt by Michael Mancil Brown. In 2012, Brown attempted to extort PricewaterhouseCoopers, the Williamson County Democratic and Republican parties, and the public by demanding one million in bitcoin to prevent the release of Mitt Romney’s previously unreleased tax records.

The Sixth Circuit opinion begins with an Austin Powers reference:

When criminal-law cases imitate art, they do not always choose its highest form. In Austin Powers: International Man of Mystery, Dr. Evil develops a plan to steal a nuclear warhead and to hold the world hostage for $1 million. This was not, Dr. Evil’s deputy pointed out, all that much money for a 1990s global crime enterprise. But it was enough for an anonymous extortionist in today’s case, who apparently was familiar with the move and who chose some features of it as signatures of his 2012 crime. Assuming the nom de guerre “Dr. Evil,” the individual demanded $1 million in Bitcoin in exchange for an encryption key to Mitt Romney’s unreleased tax returns. The extortionist claimed to have stolen Romney’s returns from PricewaterhouseCoopers, and he posted a taunting, digitally altered image of Mike Myers’s Dr. Evil, wearing a Secret Service badge, in the lobby of the accounting firm’s offices in Franklin, Tennessee.

The choice of a pseudonym is not near as interesting as how the Secret Service caught him.

The offices of PricewaterhouseCoopers and the Williamson County Democratic and Republican parties received padded envelopes with a letter and a flash drive, claiming to contain an encrypted file of Romney’s tax returns and demanding the one million in bitcoin.

Once PricewaterhouseCoopers determined that their network had not been breached and the integrity of Romney’s tax returns had not been compromised, those envelopes and their contents were turned over to the Secret Service.

All three envelopes contained a letter and a flash drive with the file “Romney1040-Collection.7z”. However, the unallocated space was not entirely blank. One held the text string “5276 dolphin Kathryn” and another the text string “4154 dolphin KnightMB.” There were also two photos of cats.

A Google search of “KnightMB” led to an email, knightmb@knightmb.dyns.org, that a Michael Brown from Tennessee used to post online. Confirming a Michael Brown lived in Franklin, the Tennessee DMV also revealed that he had a spouse named Kathryn. Various other digital breadcrumbs connected Brown to KnightMB, including YouTube videos by a “KnightMB” with Brown in them.

According to the Sixth Circuit’s opinion, the Secret Service used a trap-and-trace order to determine that Brown had connected via Tor to the same German IP address used to make previously discovered posts on Pastepin, a website that permits anonymous publication.

Those posts included directions to a downloadable file, “Romney1040-Collection.7z”, descriptions of the contents of the envelopes sent to the various offices, and an image of Dr. Evil superimposed on the lobby of PricewaterhouseCoopers’ Franklin office.

Upon execution of the search warrant for Brown’s house and computer, the Secret Service found a slew of incriminating evidence, including that the file “Romney1040-Collection.7z” had been stored on Brown’s computer.

However, his spouse and daughter helped with the final mystery—the cat photos.

The anonymous cats pictured on the Democratic party thumb drive belonged, they said, to a neighbor, Janine Bolin. Ms. Bolin corroborated that those were her cats, Tripper and Valentine, and that Brown had once helped her with some computer problems.

The court writes:

Brown denied any involvement. He told the Secret Service that someone else must have been in his house and manipulated his computer to do all of those incriminating things. He couldn’t say who, but he did say he had seen two unknown black men sitting at his computer at different times.

On appeal, Brown argued that the Secret Service used false statements to obtain a warrant and the district court improperly denied him a Franks hearing to challenge the warrant’s validity.

The bulk of the alleged false statements are that the affidavit omitted:

(1) that many presumably innocent people use TOR, (2) that the cats pictured on the thumb drives did not appear to be at his house, (3) that Brown runs an internet business, which means many users besides Brown use his IP address, (4) that the Secret Service did not know when or how the text strings got on the extortionist’s thumb drives, and (5) that Brown sometimes spelled “advice” correctly, even though he had misspelled it (as “advise”) during the insurance company incident in the same was the “Dr. Evil” letter misspelled it.

The court held that probable cause would still exist if all of those items were added to the warrant, stating that

[a]ll that’s needed for probable cause “is a fair probability that contraband or evidence of a crime will be found in a particular place.” United States v. Miller, 314 F.3d 265, 268 (6th Cir. 2002) (quotation omitted). That is a “practical, common-sense decision,” Illinois v. Gates, 462 U.S. 213, 238 (1983), based on “the totality of the circumstances, not line-by-line scrutiny” of the affidavit, United States v. Thomas, 605 F.3d 300, 307 (6th Cir. 2010).

Brown’s convictions were upheld, but the sentencing was overturned on other grounds and thus remanded for resentencing.

Illegally Exchanging Bitcoin

On May 2^nd, Jason Klein pled guilty to one count of conducting an unlicensed and unregistered money transmitting business. His crime? Exchanging bitcoin without a license.

Bitcoin (a cryptocurrency based on blockchain, a distributed ledger that allows a network of computers to contribute to it as well as verify it, negating the need for a central authority) is regulated at both the state and federal level. In Missouri, Klein was required to obtain a license as a money transmitter. Based on a 2013 guidance from the Treasury Department, he was also required to register with the Financial Crimes Enforcement Network.

Klein did neither of these. Instead, he advertised on websites that he would exchange bitcoins for cash. He performed these exchanges in person five times. Unbeknownst to him, the buyers were undercover IRS agents. Klein added at 10 percent commission rate for the in-person exchanges.

While other cases have involved illegally exchanging bitcoin, this is the first to feature it on its face as the sole crime. Notably, both the information and the plea agreement reference an unnamed co-conspirator not charged in this case.

The bitcoin regulatory framework has been a patchwork effort by states, and some state legislation has faced significant opposition from groups like EFF. Last September, the House of Representatives passed a simple resolution toted as the first financial technology (FinTech) resolution. Sponsored by Rep. Adam Kinzinger of Illinois, the nonbinding resolution acknowledged:

[E]merging payment options, including alternative non-fiat currencies, are leveraging technology to improve security through increased transparency and verifiable trust mechanisms to supplant decades old payment technology deployed by traditional financial institutions; and [B]lockchain technology with the appropriate protections has the potential to fundamentally change the manner in which trust and security are established in online transactions through various potential applications in sectors including financial services, payments, health care, energy, property management, and intellectual property management.

Among other things, the resolution called for the United States to:

develop a national policy to encourage the development of tools for consumers to learn and protect their assets in a way that maximizes the promise customized, connected devices hold to empower consumers, foster future economic growth, create new commerce and new markets; prioritize accelerating the development of alternative technologies that support transparency, security, and authentication in a way that recognizes their benefits, allows for future innovation, and responsibly protects consumers’ personal information;

The resolution received significant bipartisan support, passing 385 to 4. However, it’s unlikely that any legislation on the matter will surface in the near future, especially as some experts are now questioning government support of blockchain payments in the wake of the WannaCry ransomware attack, which only allowed for payment in bitcoin.