Sex Crimes, Cell Phones and the Computer Fraud and Abuse Act

If anyone deserves a longer sentence, it is a sex offender who victimizes minors. But no one would ever have anticipated that a sex offender would receive extra prison time for using a basic cell phone in the furtherance of his crime. Last week the Eight Circuit Court of Appeals upheld the enhanced sentence of the defendant Neil Kramer who pleaded guilty to transporting a female minor in interstate commerce with the intent to engage in criminal sexual activity, Title 18, U.S.C. § 2423(a). Kramer’s prison sentence was increased by an extra 2 1/3 years because he had used his cell phone to make calls and text messages to the victim for a six-month period leading up to the offense. U.S. v. Kramer, 2011 WL 383710 (8th Cir. Feb. 8, 2011). In total Kramer was sentenced to over 13 years in prison.

Under the Federal Sentencing Guidelines, the sentencing judge is permitted to increase the sentence for the crime to which Kramer pled guilty if a computer, as that term is defined by Title 18, U.S. C. § 1030 (e)(1) of the Computer Fraud and Abuse Act (“CFAA”), is used to facilitate the offense. Based on its finding that the cell phone is a computer, the court increased Kramer’s sentence by 28 months.

This case illustrates the breadth with which the federal courts are interpreting the definition of a computer. Indeed, the Circuit Court quoted Steve Wozniak, the founder of Apple Computer, for the proposition that “Everything has a computer in it nowadays.” Id. at *1. This case not only has ramifications for increasing the length of prison sentences for federal crimes, but it also expands the reach of the CFAA, the federal computer crime statute, to ordinary cell phones.

Kramer appealed his sentence claiming “(1) that application of the enhancement was procedural error because a cellular telephone, when used only to make voice calls and send text messages, cannot be a “computer” as defined in 18 U.S.C. § 1030(e)(1), and (2) that even if a phone could be a computer, the government’s evidence was insufficient to show that his phone met that definition.” Id. The Appeals Court, however, disagreed and affirmed Kramer’s sentence.

First, the court rejected Kramer’s argument that a basic cell phone that was only used to make calls and text messages could not be a computer because it did not access the Internet. The court relied on the “exceedingly broad language” of § 1030(e)(1) that “’[i]f a device is “an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.” Id. at *2. The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.” Id.

Second, the court found that the government provided sufficient evidence that the cell phone was a computer. That proof consisted of “the phone’s user’s manual and a printout from Motorola’s website describing the phone’s features.” Id. at *3. Thus, the court found that the evidence showed that in making calls the phone’s “processor performs arithmetic, logical, and storage functions.” Id. The court also found that “the phone keeps track of the ‘Network connection time,’ which is ‘the elapsed time from the moment [the user] connect[s] to [the] service provider’s network to the moment [the user] end[s] the call by pressing [the end key]’” and that “[t]his counting function alone is sufficient to support a finding that the phone is performing logical and arithmetic operations when used to place calls.” Id.

As to the phone’s texting function, the court further found that the phone performed the following computer functions: (1) “the phone stores sets of characters that are available to a user when typing a message” and “[a]s the user types, the phone keeps track of the user’s past inputs and displays the ‘entered text,’. . . i.e., the message being composed,” (2) “t]he user may also delete characters previously entered, either ‘one letter at a time’ or all at once,” and (3) “the phone allows the users to ‘set different primary and secondary text entry modes, and easily switch between modes as needed when [they] enter data or compose a message,’ including “iTAP” mode which uses ‘software’ to ‘predict[ ] each word’ as it is entered.” Id.

It is hard to argue with the logic of this decision in light of the broad definition of a “computer” as set forth in the CFAA and thus is likely to be followed by other courts.

How Do You Sue an Unknown Hacker Who Steals Data through the Company Web Site

In Liberty Media Holdings, LLC. v. Does 1-59, 2011 WL 292128 *3 (S.D.Cal. Jan. 25, 2011) unknown individuals hacked into Liberty Media Holdings’ web servers and obtained “certain motion pictures” that it “reproduced and distributed . . . onto their local hard drives and other storage devices.” Not knowing the identity of these hackers Liberty Media Holdings filed a “John Doe” lawsuit alleging violations of three federal statutes: the Electronic Stored Communications Privacy Act, 18 U.S. C. §§ 2701 and 2702, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030 and copyright infringement in violation of 17 U.S.C. § 501.

What the case describes is a fairly typical scenario – unknown individuals hack into the company web site and steal valuable data. There is no indication of the identity of the hackers. The only traces left behind are Internet Protocol (“IP”) addresses assigned to the hackers, the Internet Service Providers (“ISP”) that provided the hackers with Internet access and the dates and times of the intrusions.

Rather than wait for law enforcement to investigate and prosecute, something that may or may not happen, taking the aggressive approach outlined by this case can have the same remedial impact as a criminal prosecution in stopping the illegal activity. It also does not preclude the matter from also being referred at any time to law enforcement. Here, what Liberty Media Holdings did can be adopted as a template by any company victimized by a computer hacker. It filed a lawsuit against the unknown hackers as John Doe defendants and then moved for immediate discovery to subpoena the ISPs “to identify the users of the IP addresses during the dates and times” found on its web site. Id. at 1.

In analyzing Liberty Media Holding’s request, the court relied on Columbia Ins. Co. v., 185 F.R.D. 573, 577 (N.D. Cal. 1999) that had “recognized that “(s)ervice of process can pose a special dilemma for plaintiffs in cases … in which the tortious activity occurred entirely on-line. The dilemma arises because the defendant may have used a fictitious name and address in the commission of the tortious acts.” ‘[W]hether discovery to uncover the identity of a defendant is warranted,” Columbia Ins. Co. required the plaintiff to meet the following three standards:

First, . . . identify the missing party with sufficient specificity such that the Court can determine that (the) defendant is a real person or entity that could be sued in federal court .

Second, . . . identify all previous steps taken to locate the elusive defendant.

Third, . . . establish to the Court’s satisfaction that plaintiff’s suit against (the) defendant could withstand a motion to dismiss … Plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed the act.
Id., at 578-580.

Here, the court found that Liberty Media Holdings met all three criteria. First, the court found that it had sufficiently identified the defendants through the unique IP addresses and the ISPs that had provided the unknown defendants with their Internet access. The court also found that “the requested discovery is necessary for Plaintiff to determine the names and addresses of each Defendant who performed the allegedly illegal and infringing acts.” Id at *2.

Second, the court found that other than the IP addresses and their ISPs “there are no other measures Plaintiff could take to identify the Defendants.” Id.

Third, the court found that Liberty Media Holdings had three viable claims against the unknown hacker defendants for violations of the Electronic Stored Communications Privacy Act, the CFAA and Copyright Infringement. Thus, the court granted Liberty Media Holdings’ motion to take immediate discovery by issuing subpoenas against the ISPs and various cable operators for the identity of the names belonging to the IP addresses.

In short, any company that is victimized by an unknown hacker can provide these exact same justifications for immediate discovery to identify the hacker through an IP address by subpoenaing the ISP associated with the IP address.