Cybercrime Roundup: The CFAA, Dog Sniffs, and Broken Hearts

9th Circuit and the CFAA

This summer the 9th Circuit released two significant opinions on the Computer Fraud and Abuse Act (CFAA), which prohibits acts of computer trespass by those who are not authorized users or who exceed authorized use.

Nosal II

On July 5th, the court decided Nosal II—focusing on the meaning of accessing a protected computer “without authorization” in the CFAA.

IT'S OUR SIXTH BIRTHDAY! Support Lawfare so we can continue bringing you articles like this one.

David Nosal, who worked at an executive search firm, decided to leave and start a competing business, taking two other employees with him. Nosal wanted to use the firm’s data to help his own business. Nosal’s network credentials were revoked when he left. However, before the two other employees left, they logged into the network and downloaded privileged information in order to use it at the new business.

This activity was the basis for Nosal I, where the court examined the “exceeds authorized access” language in CFAA. The government argued that the employees exceeded authorized access when they used the information for purposes other than work, which violated the firm’s terms of use. The court relied on the principle of lenity and held that violating terms of use does not exceed authorized access.

After the other two employees left the firm, Nosal used his executive assistant’s credentials to log into the firm’s network and access privileged information. The government brought charges against those actions in Nosal II.

While the firm denied Nosal access, the executive assistant, a legitimate account holder, provided Nosal with her individual authorization. The question in the case came down to whose authorization mattered—the owner’s or the legitimate account holder’s? Deciding 2-1 in favor of the owner’s authorization controlling, the majority heavily relied on Brekka—which held that a person is acting “without authorization” when their employer revokes their access to use a computer and they do it anyway—and failed to see novelty in the issue at hand.

[Access] “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statue by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door. (at 4)

While the majority distinguished the access in this case from routine password sharing—for example, asking a spouse to log in to an email account and print a boarding pass—the rule of the case does not include a safeguard from criminalizing such access.

Judge Reinhardt dissented, arguing that either the owner or a legitimate account holder should be able to authorize use. Emphasizing lenity, he argued that the rule should be narrowly tailored to hacking.

In a recently published law review article, Orin Kerr uses agency to create a rule that addresses the concerns of both the majority and dissent: “Third-party access outside the agency relationship is unauthorized access.”

We may not have heard the last from Nosal II yet. On August 18th, Nosal filed a petition for rehearing en banc.

Facebook v. Power Ventures

On July 12th, after the Nosal II opinion, the court released its opinion in Facebook v. Power Ventures—once again focusing on the “without authorization” language.

Power Ventures, a company that allowed customers to aggregate all their social media on a single site, created a campaign that used Facebook users’ log-in credentials to create events, post photos and statuses, and send messages and emails that promoted their website. Wanting Power Ventures to instead use their third-party platform Facebook Connect, Facebook sent Power Ventures a cease and desist letter and blocked their IP address. However, Power Ventures continued to access Facebook’s computers.

The court—comprised of a different panel of judges than Nosal II—held that Power Ventures violated the CFAA when they continued to access Facebook’s computers after Facebook sent the cease and desist letter. While the initial consent that Power Ventures received from Facebook users (legitimate account holders) was sufficient for initial access, that consent was trumped by Facebook’s revocation of permission. However, the court left open the question of “whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.”

Sextortion Guilty Plea

In yet another sextortion case, Ryan Vallee pled guilty to a 33-count superseding indictment in the District of New Hampshire. The counts included interstate threats (18 U.S.C. § 875(d)), computer hacking to steal information (18 U.S.C. §§ 1030(a)(2)(C), (c)(2)(B)), computer hacking to extort (18 U.S.C. § 1030(a)(7)), aggravated identity theft (18 U.S.C.§ 1028A), and cyberstalking (18 U.S.C. § 2261A(2)(B)).

The indictment lists 11 victims, who ranged in age from 15 to 19 years old.

Vallee hacked into victims' accounts primarily by guessing the answers to their security questions and then changing the passwords. Once he had control of their accounts, he used a spoofing app to text the victims and demand sexually explicit photos in exchange for regaining access to their accounts. On at least several occasions, he sent victims explicit photos of themselves and threatened to post them online if the victims did not send him additional photos. Vallee also threatened to change their profile picture to an explicit photo and delete their accounts. In one case, he created a fake Facebook that was very similar to his victim’s name. On that account, he posted sexually explicit images of the victim and sent friend requests to his victim’s friends. On another victim’s facebook account, he posted embarrassing photos and texts and sent messages to the victim’s friends including the same embarrassing information.

He also hacked several victims’ Amazon accounts. He used the threat of making purchases on their accounts in order to get sexually explicit photos of them. In one instance, he purchased sex-related items on one victim’s account and had them shipped to her house.

Threatening to re-hack accounts or hack additional accounts, Vallee terrorized his victims and repeatedly ignored their pleas for him to stop. At times, he demanded conversations and in-person meetings. Vallee threatened one victim that he would post sexually explicit photos of her in public, rather than just on the internet. On several occasions, Vallee sent explicit photos of one victim to another victim.
Vallee is scheduled to be sentenced on December 1st, 2016.

Mona Sedky, one of the prosecutors in the case, was featured in a Lawfare Podcast on Prosecuting Sextortion.

Chinese National Sentenced in Hack of Defense Contractors

In the Central District of California, Chinese citizen and resident Su Bin was sentenced to 46 months in prison for conspiracy in a six-year Chinese operation that stole designs for cutting edge U.S. military aircraft by hacking into defense contractors networks. Working with two others, Su Bin functioned as both a strategist and an analyst, deciding whom to target and what files were important and explaining the significance of those files.

Su Bin pled guilty on March 23, 2016.

In the press release, Eileen Decker, the U.S. Attorney for the Central District of California, said that this case demonstrated the Department’s commitment to prosecuting hackers, wherever they may be. Su Bin was residing in China when the complaint was filed and consented to be conveyed to the United States.

Sniffing It Out

The FBI’s first K-9 trained to detect electronics started work at the Newark office this summer. The dog alerts at the smell of a chemical present in all electronic storage devices. While she has already found digital media that FBI agents could not find despite a thorough search, her training raises some Fourth Amendment questions.

The body of Fourth Amendment law built around dog-sniffing cases heavily relies on narcotics-sniffing dogs’ ability to exclusively detect contraband. Since a person does not have a reasonable expectation to privacy of contraband, the sniff frequently does not constitute a search and therefore falls outside the Fourth Amendment. As such, no warrant or probable cause is required. Narcotics-sniffing dogs are almost always used to gather information before, and often in support of, obtaining a warrant.

However, a digital media-sniffing dog is unlikely to get the same treatment. Since electronic storage devices as a whole are not contraband and it would be unlikely to know if a particular device contained contraband prior to obtaining it, the dogs are sniffing for innocent information. Therefore, it is highly likely that the officers will have to obtain a warrant before using this dog. This is not lost on the FBI, as they mentioned search warrants three times in their brief podcast on the subject (linked above). With a warrant, the usefulness of a K-9 electronics sniffer is undeniable. One of only seven in the world, the Newark dog is happy to travel and the FBI is offering her services to federal, state, and local agencies.

Newfound Romance, Social Media, and Old Fashioned Fraud

In the Southern District of Texas, Kunle Mutiu Amoo and Lanre Sunday Adeoba pled guilty to conspiracy to commit wire fraud. The men, both Nigerian citizens living outside of the Houston area, used romance to scam a woman, resulting in her loss of approximately 2 million dollars.

Using Facebook, the defendants worked in concert and posed as a Parisian with a South African construction company. They befriended the victim and wooed her with professions of love and the promise of a life together. Eventually, they began asking for wire transfers and cashier's checks. In addition to the standard fare, the defendants convinced the victim to mail them six iPhones, among other things.

After a lengthy saga about bringing alleged proceeds from a South African construction contract into the United States, the victim was eventually shown a portion of the cash that had her name stamped on every bill. In order to clean it, the defendant asked for another $420,000. Unable to come up with the money, the victim turned to her accountant, who took her to the FBI.

According to the FBI, romance scams, or confidence frauds, lead to the largest amount of financial loss of “internet-enabled crimes." While digital safeguards may help protect us, our hearts can still lead us astray.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of the U.S. Department of Justice or the U.S. Government.