A recent decision by the U.S. District Court for the District of Maryland upheld the Maryland Commercial Electronic Mail Act (MCEMA), Md. Code Com. Law § 14-3001 (2002). The challenge was made by an out-of-state advertising network arguing that the statute violates the dormant commerce clause of the United States Constitution. Plaintiff was an ISP who sued website operators claiming that operators were generating unsolicited commercial emails in violation of the Maryland Anti-Spam statute.

The court held that the benefits to ISPs and users in reducing strains on system and irritation from clutter created by unwanted messages clearly outweighed any burdens on interstate commerce, and that in enacting the CAN-SPAM, Congress expressly accorded states right to regulate false and misleading email transmissions. The court relied on Washington v. Heckel, 24 P.3d 404 (Wash. 2001), in which the Washington Supreme Court upheld that state’s nearly identical anti-spam statute against a dormant commerce clause challenge.

Beyond Systems, Inc. v. Keynetics, Inc., 2006 WL 687156, D.Md.,2006., Feb 14, 2006 (sorry, could not find readily available PDF of opinion, if you have a link, please share it)

Interesting materials on the technical and legal fight against spam - the 2006 MIT Spam Conference was held this week and the organizers have already posted webcasts of the events. Coming soon are ISOs of DVDs with materials and higher quality video streams.

Florida Attorney General Charlie Crist issued last week subpoenas targeting five different Caller ID spoofing sites. Four of the subpoenas are directed at the domain name registrars in an effort to unmask the identities of the site operators, while the fifth one is directed at one such site operator, Tricktel.com, with demand to reveal business records and the identifies of any Florida customers.

"People use Caller ID to protect themselves from unwanted calls and contact from those who would do them harm," Crist said in a press release. "It is wrong for individuals or businesses to deceive our citizens, and this cannot be allowed to continue unchecked."

In the interest of disclosure, Florida AG Crist is also the Republican candidate for governor of Florida.

Federal Investigation

Florida’s probe comes after a broader federal investigation was launched by the FCC a month earlier. The FCC issued letters to at least three Caller ID spoofing sites demanding detailed information on the structure of their business and the names of every customer that has used the services, the dates, and number of phone calls made. Wired News has reported that at least one of those services, Telespoof.com, has complied and turned over its customer records to the FCC after FCC had issued a formal subpoena.

Privacy and Legal Implications

The debate on the legality of these sites is raging. Lawyers for the Caller ID spoofing services claim that they are primarily used for lawful aims. "We’re talking about private investigators, skip tracers, law enforcement agencies, attorneys, others who are legitimately trying to locate people to enforce their rights or in many cases the rights of the public, There are lots of legitimate uses of this." Also, Chris Hoofnagle, an attorney with the Electronic Privacy Information Center, says he thinks Caller ID spoofing has legitimate uses, and would rather see fraudsters prosecuted for their crimes than have spoofing sites categorized as burglar tools. Mr. Hoofnagle argues that the right thing to do is to prosecute the underlying fraud, and not the tools that have legitimate uses (e.g. calling a police tip line, or a newspaper story.)

On the other hand, it has been reported that criminals have used the sites while making pretext phone calls to extract private information like bank account and SSNs out of consumers and companies. Experts say the services have also been used to target businesses that rely on Caller ID for authentication — Western Union’s money-transfer service has been particularly vulnerable, as are T-Mobile voicemail boxes in their default configuration.

From Winnebago County, Illinois: war-driving can get you in jail; or at least fined. Very much like the person who got fined $250 for using an unsecured wireless hotspot.  According to the prosecution, "our residents need to know that it is a crime, punishable by up to a year in jail, to access someone else’s computer, wireless system or Internet connection without that person’s approval."

Kauchak, the freeloader, was arrested in January in a park when local law enforcement caught him in the early hours of the night when he was sitting in a car with a computer. The Rockport Register Star story does not provide many details, but it is interesting to understand how the police officer actually understood that Kauchak was using someone else’s Internet connection. Also, the article does not indicate whether which statute was violated, but presumably it would be the 720 ILCS 5/16F-3 (aka Illinois Wireless Service Theft Prevention Act) which makes it a Class 4 felony offense if wireless service with value of more than $300 has been obtained unlawfully without the consent of the wireless service provider.

Theft of Wireless Service Statutes

Many similar statutes are passed by other states (e.g. Pennsylvania)- in many cases to protect parties who run wireless access points for their private use but are unable to secure them properly, in other cases the driver behind the statute is protection of large Internet service providers who want to ensure that everybody pays their own DSL bill instead of stealing or providing Internet for free.

Update, May 23, 2007: another similar case - this one is from Michigan.

The newsworthiness of such stories declines by the day. The laptop-filled-with-personal-data theft du jour is from Fidelity Investments. In a report confirmed by Fidelity, a laptop containing personal information (names, SSNs, birthdates, addresses) of approximately 200,000 Hewlett-Packard employees has been stolen last week. A statement by Fidelity specifically indicates that the data had been running on an application with a license which was to expire one day after the theft. Thus, "the scrambled data would be difficult to interpret and generally unusable."

This is an interesting comment by Fidelity - even if the data is really unusable after the software license expires (which Fidelity doesn’t seem to suggest) they seem to put high emphasis on the fact that the thief had only one day to open the software and extract the data - plenty of time if there are no security restrictions such passwords to hack or encryptions to break (which Fidelity does not indicate were present.)

A groundbreaking case in the area of Internet crimes came down last week from the Ninth Circuit Court of Appeals. The question presented to the court was whether a suspect’s membership to a website that displays child pornography provides a probable cause to search/seize his computer.

Mr. Gourde was a paying member of a child pornography website for a total of two months before it was shut down by the FBI. The site had in its possession illegal images and after the FBI obtained a list of all site members, agents applied for search warrants for the computers of the members. Months after the site had been shut down, agents found over 100 illegal child pornography images in Gourde’s computer. He was charged with, among other things, with possession of child pornography under 18 U.S.C. §§ 2252(a)(4)(B), (b)(2), and 2256.

Gourde moved to suppress the images, claiming that the FBI did not have a probable cause to search his computer. The district court disagreed; Gourde pleaded guilty, but reserved his right to appeal. A three-judge panel of the Ninth Circuit reversed in 2004. In rehearing the case en banc, the Ninth Circuit reversed its earlier ruling by a 9-2 vote. In an opinion authored by Judge McKeown, the Court held three factors critical to the correct determination that there was a probable cause. First, even though the site contained legal images, it was focused on illegal child pornography. Second, it was significant that Gourde remained a paid subscriber for two months and until the site was shut down by the FBI. Third, due to the nature of computers and because it is impossible (for average user, at least) to permanently delete an image from a computer, there was a likelihood that there would be evidence left on Gourde’s computer.

While at the end of this case justice prevailed, this case bears a hint of a slippery slope. It is not hard to conceive a scenario in which law enforcement could obtain warrant solely based on a user’s membership of a site which has some sort of illegal content. In an extreme example, someone posting child pornography images to eBay, for instance, could give a probable cause to search millions of users’ computers because they might have downloaded some of this content. As the dissents point out, the government could have easily obtained evidence about whether Gourde had in fact downloaded illegal images before applying for a warrant (Judge Reinhardt; presumably he meant feds checking the server logs to establish who downloaded what).

U.S. v. Gourde, 03-30262 (9th Cir., Mar. 9, 2006)

Adware company DirectRevenue has settled the class action lawsuit brought last year in the state of Illinois. Under the settlement terms,

• DirectRevenue will destroy any personally identifiable information about computer users including Social Security Numbers, bank account information, email addresses, etc. and must no longer collect such information.

• DirectRevenue will force users to affirmatively accept installation of their software and disclose information about the functionality of the software separate from the EULA.

• DirectRevenue is prohibited from installing software by Active X, security exploits or any other method that does not require users’ affirmative consent.

• DirectRevenue will not distribute software at sights targeted to children.

No cash settlement is included for class members, but it allows individuals to file claims against DirectRevenue for damages. Settlement agreement and notice of proposed settlement.

[Via ZDNet -]

For third straight year, the Department of Homeland Security, which is charged with setting the government’s cybersecurity agenda has been given a grade of F.

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Washington Post has more.

In a recent unpublished opinion, the Second Circuit Court of Appeals held that lost profits resulting from a misappropriation of proprietary information are not recoverable in a civil action brought under the Computer Fraud and Abuse Act (CFAA).

Under CFAA a recoverable loss is "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." 18 U.S.C. 1030(e)(11). The plaintiff alleged that two employees of defendant misappropriated confidential proprietary information from plaintiff’s computers and used the information to compete. The court held that the plain language of the statute treats lost revenue separately from incurred costs. Recovery of revenue is permissible only if it were connected to an interruption in service. Because there was no interruption of service in this case, the plaintiff’s alleged loss of $10M did not fall under CFAA’s loss definition.

The court also rejected plaintiff’s claim that $8,000 in travel expenses relating to "responding to an offense" or "conducting a damage assessment" do not fall under CFAA because the costs were too attenuated. According to the court, the statutory language "consistently has been construed to refer to costs associated with ‘investigating and remedying damage to a computer, or a cost incurred because the computer’s service was interrupted,’ not costs incurred investigating business losses unrelated to actual computers or computer services."

Nexans Wires S.A. v. Sark-USA Inc., 2d Cir., No. 05-3820, 2/13/06. Opinion here.

An interesting opinion by the Federal Court of Appeals for the Seventh Circuit written by Judge Posner came down last week. The case is about a former employee who went and wiped information from his company-issued laptop after he was no longer employed by the company. International Airport Centers (the employer) claimed that using a secure file deletion utility violated federal hacking laws and the court agreed.

Jacob Citrin was employed by IAC for some time and eventually he decided to quit IAC but continue to work in the same field for himself, a choice IAC claims violated the terms of his employment contract. When IAC tried to access Citrin’s company laptop which he had surrendered, they discovered that he had used a secure delete utility which essentially deletes a file and then overwrites it a number of times with random data so that it is unrecoverable even by well-qualified forensics experts.

IAC then brought suit against Citrin claiming that his secure deletion violated provisions of the Computer Fraud and Abuse Act (CFAA). Under CFAA, anybody who accesses a networked computer "without authorization" can be held civilly and criminally liable. Although the CFAA was meant to provide a tool for criminal prosecution against hackers, it has been used with increased frequency in labor and employment disputes where, most often, a terminated employee accesses confidential or proprietary company information.  The present case is unique because of the nature of Citrin’s act - IAC doesn’t claim that Citrin accessed confidential company information; instead IAC claims that secure-deleting company information was the unauthorized access which should give rise to CFAA violation.

The Seventh Circuit held for IAC by drawing two important conclusions which may have lasting implications. First, Judge Posner held that deleting files on a computer meets the standard of "damage" under CFAA. Second, he wrote that once Citrin chose to do business for himself, his implicit authorization to access IAC’s computer was no longer valid and thus his access was "unauthorized." The court was not persuaded by Citrin’s argument that his employment contract with IAC allowed him to delete "confidential" information when he left the company, but the court rejected this by saying that it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have.

Full opinion here.

« Previous entries