10/6. There is no federal criminal statute that bans "pretexting to fraudulently
obtain phone records", or words to that effect.
However, information that has been disclosed regarding the HP spying scandal, and
similar investigations, and in various hearings, indicates that there is a wide range
of activities that are associated with spying operations. Many of these activities might
violate various federal criminal statutes.
1. Federal Computer Fraud and Abuse Act (CFAA). The Computer Fraud and Abuse Act (CFAA), as amended, is codified at
18 U.S.C. § 1030. It is sometimes referred to as the computer hacking statute, although the
term "hacking" does not appear in the statute. Rather, it addresses unauthorized
access to certain computers and electronic storage systems.
Subsection (a)(2) contains a very broad criminal ban. It criminalizes
intentionally accessing a computer without authorization if any of three
conditions are met. The third, interstate commerce, may be met by using the
internet to access the computer system.
The statute provides that "(a) Whoever ... (2) intentionally accesses a computer
without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in
section 1602 (n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are
defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;"
Subsection (5) is also noteworthy. It provides that anyone who:
"(A)(i) knowingly causes the transmission of a program,
information, code, or command, and as a result of such
conduct, intentionally causes damage without
authorization, to a protected computer;
(ii) intentionally accesses a protected computer
without authorization, and as a result of such
conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer
without authorization, and as a result of such
conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii)
of subparagraph (A), caused (or, in the case of an
attempted offense, would, if completed, have caused) --
(i) loss to 1 or more persons during any 1-year period
(and, for purposes of an investigation, prosecution,
or other proceeding brought by the United States only,
loss resulting from a related course of conduct
affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential
modification or impairment, of the medical
examination, diagnosis, treatment, or care of 1 or
more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for
a government entity in furtherance of the
administration of justice, national defense, or
national security;"
Subsection (5) is also important because the CFAA contains a private
right of action, but only when there are violations of Subsection (5).
It should be noted too that there is some overlap between this statute and
the federal Stored Communications Act (SCA), and various state statutes.
The testimony at the HCC hearings of September 28 and 29, and the records
released by the HCC, reflect that HP's investigators and pretexters extensively
used phone calls to customer service representatives (CSR) of wireless carriers
to fraudulently obtain customer phone records. Phone companies use computer
systems to store phone records. But it might be a stretch to argue that
inducing a CSR in a two-way voice communication to access stored phone records,
or to change account information, violates the CFAA.
However, the complaint filed by the California Department of Justice on
October 4, 2006, the civil complaint filed by Verizon Wireless on September 28,
2006, as well as other civil complaints not summarized here, allege facts
regarding investigators' fraudulently gaining access to customers' phone
records, and account information, via carriers' online account systems. Moreover,
there are allegations that investigators not only used this method to obtain
records, but also to change account information, such as user ids and passwords,
and to terminate certain services. (TLJ is not aware of any allegations that any
investigator obtained information, or changed information, by making a phone
call to a computer system that interacts with the caller by means of voice
recognition software, and/or the touchtone keys.)
Moreover, information disclosed regarding the HP scandal indicates that HP's scheme
included sending, under fraudulent circumstances, e-mail to a target of its
investigation, that included undisclosed software code that would transmit
information back to the investigators regarding who opened an attachment to
that e-mail. Various witnesses and members at the HCC/SOI hearings characterized
this as "spyware" or "tracers".
These practices may give rise to a violation of the CFAA, in several ways:
(1) by unauthorized access to protected computer storage systems to obtain
information therein, (2) by unauthorized access to protected computers to alter
or destroy data, and (3) by unauthorized transmission of code to a protected
computer.
The first two practices present more compelling cases for prosecution under
§ 1030(a)(2). The pretexters arguably intentionally access a computer without
authorization or exceed authorized access, and thereby obtain information
from a protected computer, and the practice involves an interstate
communication. (And, it should be noted that the California DOJ has already
criminally charged five persons associated with the HP scandal with criminal
violation of its related state statute.)
The e-mail tracer practice may give prosecutors reason to pause.
Nevertheless, the argument would be this. An e-mail sender has implied
authorization to send an e-mail, and to have that e-mail enter the in-box of the
e-mail program on the computer of
the recipient. However, there is no implied authorization to hide an undisclosed
tracer program in an e-mail attachment.
HP obtained no actual authorization from CNET or its reporters. Hence, the argument
might proceed, HP intentionally exceeded authorized access to a computer within the meaning
of § 1030(a)(2). Moreover, (had the scheme worked) HP would have obtained information
from the computer in the form of the secret sending out of a message indicating that the
attached file had been opened, and by which account. § 1030(a)(2) requires no damage to
any computer, or to any person.
There is a problem with proceeding under § 1030(a)(5) to prosecute
pretexters who only obtain information, or use e-mail tracers. This subsection
requires damage to a protected computer. (On the other hand, pretexters who
change account information, or terminate services, arguably do damage a
protected computer.)
In conclusion, Section 1030 presents federal prosecutors with ways to
charge people who engage in a variety of different pretexting related practices.
2. Federal Wire Fraud. If federal prosecutors do bring criminal charges against
persons involved in the HP scandal, this may be one of the most used sections.
18 U.S.C. § 1343 pertains to "Fraud by wire, radio, or television". It
provides that "Whoever, having devised or intending to devise any scheme or artifice
to defraud, or for obtaining money or property by means of false or fraudulent
pretenses, representations, or promises, transmits or causes to be transmitted
by means of wire, radio, or television communication in interstate or foreign
commerce, any writings, signs, signals, pictures, or sounds for the purpose of
executing such scheme or artifice, shall be fined under this title or
imprisoned not more than 20 years, or both. If the violation affects a
financial institution, such person shall be fined not more than $1,000,000 or
imprisoned not more than 30 years, or both."
HP's pretexters used telephones to contact wireless carriers. That is, they
"transmitted by means of a wire". The indictment or complaint would likely
allege that telling lies to dupe carriers into disclosing information that they
cannot disclose by law (see 47 U.S.C. § 222) is intent to defraud within the
meaning of the wire fraud statute.
The interstate commerce clause is easily met if the carrier's call service center is
in one state, and the pretexter is in another. However, it may prove significant that HP
used no pretexters in the state of California. It used pretexters in other states,
and particularly, states where carriers' call centers are located.
Also, HP personnel cannot escape liability on the basis that they did not make the calls.
18 U.S.C. § 1349 provides that "Any person who attempts or conspires to commit any
offense under this chapter shall be subject to the same penalties as those prescribed for
the offense, the commission of which was the object of the attempt or conspiracy."
3. Federal Mail Fraud. The testimony
at the HCC/SOI hearings of September 28 and 29, and the records released by the HCC,
do not reflect that HP, or its investigators and pretexters, used the U.S. Mail.
However, use of mail is an important tool of other pretexters. For example,
witnesses for wireless carriers testified on September 29 that after they learned of
large scale pretexting and data brokering in 2005, they tightened their
procedures for releasing information. One change was to only provide certain
records by mailing them to the customer. The pretexter in this situation cannot
get the records recited over the phone.
This hearing also revealed that a response of pretexters to this tactic is to pretext
to get the customer's address changed (to a false address used by the pretexter), and
to have phone records mailed to that address.
This tactic may constitute a violation of the federal mail fraud statute. First,
18 U.S.C. § 1341 pertains to "Frauds and Swindles". It provides that
"Whoever, having devised or intending to devise any scheme or artifice to
defraud, or for obtaining money or property by means of false or fraudulent
pretenses, representations, or promises, or to sell, dispose of, loan,
exchange, alter, give away, distribute, supply, or furnish or procure for
unlawful use any counterfeit or spurious coin, obligation, security, or other
article, or anything represented to be or intimated or held out to be such
counterfeit or spurious article, for the purpose of executing such scheme or
artifice or attempting so to do, places in any post office or authorized
depository for mail matter, any matter or thing whatever to be sent or
delivered by the Postal Service, or deposits or causes to be deposited any
matter or thing whatever to be sent or delivered by any private or commercial
interstate carrier, or takes or receives therefrom, any such matter or thing,
or knowingly causes to be delivered by mail or such carrier according to the
direction thereon, or at the place at which it is directed to be delivered by
the person to whom it is addressed, any such matter or thing, shall be fined
under this title or imprisoned not more than 20 years, or both. If the
violation affects a financial institution, such person shall be fined not more
than $1,000,000 or imprisoned not more than 30 years, or both."
Then,
18 U.S.C. § 1342 provides that "Whoever, for the purpose of conducting,
promoting, or carrying on by means of the Postal Service, any scheme or device mentioned
in section 1341 of this title or any other unlawful business, uses or assumes, or
requests to be addressed by, any fictitious, false, or assumed title, name, or
address or name other than his own proper name, or takes or receives from any
post office or authorized depository of mail matter, any letter, postal card,
package, or other mail matter addressed to any such fictitious, false, or
assumed title, name, or address, or name other than his own proper name, shall
be fined under this title or imprisoned not more than five years, or both."
4. Federal Identification Fraud.
18 U.S.C. § 1028 pertains to "Fraud and related activity in connection with
identification documents, authentication features, and information". Much of
this section is inapplicable in the context of pretexting. However, two
prohibitions are important.
It provides, in part, that "Whoever, in a circumstance described in subsection
(c) of this section" either "(1) knowingly and without lawful authority produces
an identification document, authentication feature, or a false identification document"
or "(7) knowingly transfers, possesses, or uses, without lawful authority, a means
of identification of another person with the intent to commit, or to aid or abet, or in
connection with, any unlawful activity that constitutes a violation of Federal law, or
that constitutes a felony under any applicable State or local law" "shall be
punished as provided in subsection (b) of this section".
The "circumstance described in subsection (c)" includes "in or affects
interstate or foreign commerce".
The testimony at the HCC hearings of September 28
and 29, and the records released by the HCC, do not reflect that HP, or its
investigators and pretexters, used false identification documents. The
pretexters called people over the phone and lied about their identity, or
fraudulently accessed online account systems. This did
not involve identity documents.
However, witnesses from the carriers testified at the September 29 hearing
that one heightened security feature is to require customers who want to change
certain account information to visit service centers in person and present
identification. Hence, if a pretexter goes in person, with a fake
identification document, pretends to be another person, and for example, changes
a password for online access to account information, that may constitute a
criminal violation under Section 1028.
However, the other basis for a Section 1028 violation quoted above may
implicate some persons involved in the HP scandal.
That is, the pretexters who made the fraudulent calls to the carriers had to
have been given some personal information about the accounts for which they
sought call information. And this information may have come from HP.
That is, someone at HP may have knowingly transferred to the pretexters "a
means of identification of another person with the intent to commit, or to aid
or abet, or in connection with, any unlawful activity that constitutes a
violation of Federal law", within the meaning of this statute.
The definitional subsection provides that the phrase "means of identification"
means "any name or number that may be used, alone or in conjunction with any other
information, to identify a specific individual, including any -- (A) name, social security
number, date of birth, official State or government issued driver’s license or identification
number, alien registration number, government passport number, employer or taxpayer
identification number;"
One document released by the HCC states that "DeLia supplied ARG with Social
Security Numbers for all subjects of pretexting".
5. Federal Access Device Fraud. Access device fraud is codified at
18 U.S.C. § 1029. This section is often used to prosecute financial
crimes, such as credit card fraud. However, it is drafted broadly enough to
reach a range of other activities.
There are numerous prohibitions that relate to people who "knowingly and with
intent to defraud" use either "counterfeit access devices" or
"unauthorized access devices".
For example, subsection (a)(1) provides, in part, that "Whoever ... knowingly and
with intent to defraud produces, uses, or traffics in one or more counterfeit access
devices ... shall, if the offense affects interstate or foreign commerce, be punished as
provided in subsection (c) of this section ..."
But, the term access device encompasses not only credit cards and electronic
devices, but also numbers, and any other means of accessing an account.
Moreover, the statute not only extends to theft of money, but also to theft of
services and anything else of value.
Phone company customers have accounts with their carriers. To access data
from those accounts one needs account information. The unauthorized use of this
information, to access the account, with intent to defraud, may fall within the
scope of the statute.
Specifically, subsection (e)(1) provides, in part, that "the term 'access device'
means any card, plate, code, account number, electronic
serial number, mobile identification number, personal identification number,
or other telecommunications service, equipment, or instrument identifier, or
other means of account access that can be used, alone or in conjunction with
another access device, to obtain money, goods, services, or any other thing of
value, ..."
6. Federal Stored Communications Act (SCA). The SCA is codified at
18 U.S.C. §§ 2701-2712 (Chapter 121 of Part I of Title 18). The basic prohibition is at
Section 2701. It provides, in part, as follows:
"whoever --
(1) intentionally accesses without
authorization a facility through which an electronic communication service is
provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access
to a wire or electronic communication while it is in electronic storage in such
system shall be punished ..."
Chapter 121 has no definition of "electronic communication service". However,
it incorporates the definitions found in Chapter 119, at
18 U.S.C. § 2510.
§ 2510(12) provides that an "'electronic communication' means any transfer of
signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted
in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical
system that affects interstate or foreign commerce, but does not include ... any wire or
oral communication ..."
Then, § 2510(15) provides that "'electronic communication service' means
any service which provides to users thereof the ability to send or receive wire
or electronic communications".
The SCA may be violated by a pretexting scheme in various
ways. For example, one tactic of investigators may be to access an account for
the purpose of terminating a service, or blocking messages for a particular
service. For example, if the investigator is frustrated by the target's
infrequent use of cell phone voice communications, he might gain access to the
target's account to stop e-mail or text messaging service, to induce the target
to talk on the phone, and thus create a record of phone calls that can later be
obtained by other pretexting tactics. Or, the investigator may change a
password, to prevent the target from gaining access to his own account.
In these hypothetical scenarios, the investigator "intentionally accesses without
authorization", within the meaning of the statute. Moreover, what he accesses is a
"facility through which an electronic communication service is provided", as
the statute defines this term. Finally, he "prevents authorized access"
to "a wire or electronic communication while it is in electronic storage in such
system". That is, he is preventing the target from accessing his e-mail or text
messages.
Secondly, hypothetically, if a pretexter also uses the personal and account information
that it has obtained to actually obtain the content of stored
communications, this is an obvious violation of the SCA. However, many
investigators may be willing to engage in any amount of deceit to obtain call
records, account information, and transactional data, but draw the line at
obtaining the content of communications, either stored, or in transit in real
time, because of the history of federal prosecutions.
Finally, there is the argument that obtaining access, via online account
systems, of call records stored by wireless carriers, is also a violation of the
SCA. The argument is that these phone call records are a communication from the
carrier to its customer held in electronic storage.
7. § 521 of the Gramm Leach Bliley (GLB) Act. There is a specific criminal ban of
pretexting to obtain financial records. The testimony at the HCC hearings of September 28
and 29, and the records released by the HCC, do not reflect that HP, or its investigators
and pretexters, accessed financial records. However, pretexting of financial records is
common, and the Federal Trade Commission (FTC) has
brought actions pursuant to this ban.
Section 521 of the Gramm Leach Bliley (GLB) Act is codified at
15 U.S.C. § 6821. Subsection (a) contains the prohibition of obtaining customer
information by false pretenses. It provides that "It shall be a violation of this
subchapter for any person to obtain or attempt to obtain, or cause to be disclosed or
attempt to cause to be disclosed to any person, customer information of a financial
institution relating to another person -- (1) by making a false, fictitious, or fraudulent
statement or representation to an officer, employee, or agent of a financial institution;
(2) by making a false, fictitious, or fraudulent statement or representation to a customer
of a financial institution; or (3) by providing any document to an officer, employee, or
agent of a financial institution, knowing that the document is forged, counterfeit,
lost, or stolen, was fraudulently obtained, or contains a false, fictitious,
or fraudulent statement or representation."
Subsection (b) contains the prohibition on solicitation of a person to obtain customer
information from a financial institution under false pretenses. It provides that "It
shall be a violation of this subchapter to request a person to obtain customer information
of a financial institution, knowing that the person will obtain, or attempt to obtain,
the information from the institution in any manner described in subsection (a) of this
section."
15 U.S.C. § 6823 provides for criminal enforcement. It states that "Whoever
knowingly and intentionally violates, or knowingly and intentionally attempts to violate,
section 6821 of this title shall be fined in accordance with title 18 or imprisoned for
not more than 5 years, or both."
8. Federal Racketeer Influenced and Corrupt Organizations (RICO). The
federal RICO is codified at
18 U.S.C. §§ 1961-1968. This is a criminal statute that is used to put
mobsters in prison.
The RICO can apply only when certain underlying crimes enumerated in the statute are
involved. However, these enumerated offenses include wire fraud, mail fraud, identification
fraud, and access device fraud, all of which are discussed above, and may be involved in
schemes to pretext for phone records, depending upon the facts of the scheme. Hence,
prosecution under the RICO may be appropriate for some spying schemes.
18 U.S.C. § 1961 provides, in part, that "'racketeering activity' means ...
any act which is indictable under any of the following provisions of title 18, United
States Code ... section 1028 (relating to fraud and related activity in connection with
identification documents), section 1029 (relating to fraud and related activity in
connection with access devices), ... section 1341 (relating to mail fraud), section 1343
(relating to wire fraud) ...". (Parentheses in original.)
18 U.S.C. § 1962(a)-(c) contain the prohibitions. Subsection (a) provides, in part,
that "It shall be unlawful for any person who has received any income derived,
directly or indirectly, from a pattern of racketeering activity ... in which such person
has participated as a principal ... to use or invest, directly or indirectly, any part of
such income, or the proceeds of such income, in acquisition of any interest in, or the
establishment or operation of, any enterprise which is engaged in, or the activities of
which affect, interstate or foreign commerce."
Subsection (c) provides that "It shall be unlawful for
any person to conspire to violate any of the provisions of subsection (a), (b),
or (c) of this section."
18 U.S.C. § 1963 provides criminal penalties.
9. Communications Decency Act (CDA). The relevant portion of the CDA is
codified at
47 U.S.C. § 223. Most of its provisions pertain to use of telephones in an
obscene or indecent manner, or in connection with sending obscene or
pornographic material.
However, there is one subsection, 47 U.S.C. § 223(a)(1)(C), for which indecency is
not an element, and which may implicate some pretexting activity.
It provides that "Whoever ... in interstate or foreign communications ... makes
a telephone call or utilizes a telecommunications
device, whether or not conversation or communication ensues, without disclosing
his identity and with intent to annoy, abuse, threaten, or harass any person at
the called number or who receives the communications ... shall be fined
under title 18 or imprisoned not more than two years, or both".
The elements are (1) interstate nexus, (2) use of a telephone, (3) failure to
disclose identity, and (4) intent to abuse the callee. The core practice of
phone pretexters is use of a phone, and pretending to be either the customer, or
a phone company employee. This is "without disclosing his identity".
The fourth element, intent to abuse, may present an obstacle to prosecutions. Pretexter
defendants would no doubt argue that "abuse" means harassment, as in the case of
making obscene phone calls. On the other hand, prosecutors might argue that stealing
confidential records from phone companies, and thereby harming their relations with
customers, and their reputations, is abuse of the phone companies. It may also be
significant that some of the subsections of Section 223 reference only "harass",
while others include "harass", "abuse" and other terms. Courts would
therefore likely construe the word "abuse" to mean something
different from the word "harass".
One thing that is notable about this section is that there is no law
enforcement exemption. Most other federal criminal statutes that
might be implicated by pretexting contain a law enforcement exemption. Thus, if
agents of a rogue law enforcement agency are in need of being prosecuted for pretexting,
this section might provide the basis.
There is another application of this statute that should not be overlooked --
use of actual obscenity by pretexters. Wireless carriers record many customer
service calls. They have also brought civil actions against pretexters. In some
of these actions the carriers have attached as exhibits transcripts of calls
involving pretexting. Some of these transcripts reflect indecent language,
usually late in the conversation, by the pretexter. This may only reflect the
low moral character of persons associated with pretexting. Or, it may be a final
tactic, in an otherwise unsuccessful pretexting effort, to intimidate a customer
service representative into divulging information. Whatever the case, these transcripts
provide federal prosecutors yet another opportunity for bringing criminal charges.
10. Destruction of Records. One characteristic of HP's spying effort
was its enormous scope. Numerous persons within HP were involved. Numerous outside
businesses, in many states, employing numerous individual investigators, were
also involved. Moreover, the investigations took place over a long period of
time, and the information collected required considerable analysis.
The extensive, and dispersed, nature of this scheme meant that many records
were collected, created, aggregated, summarized, communicated and stored.
Whenever there is activity that violates criminal laws, and creates potential
civil liability, there are incentives on the part of the participants to destroy
records. The more records there are, the greater the likelihood that some will
be destroyed.
In the HP matter, the California DOJ filed papers on October 4, 2006, that
allege that one of the persons who engaged in pretexting activities, Bryan
Wagner, after learning of the investigation, destroyed his computer.
18 U.S.C. § 1519 provides in full that "Whoever knowingly alters, destroys,
mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document,
or tangible object with the intent to impede, obstruct, or influence the investigation or
proper administration of any matter within the jurisdiction of any department or
agency of the United States or any case filed under title 11, or in relation
to or contemplation of any such matter or case, shall be fined under this
title, imprisoned not more than 20 years, or both."
11. Witness Tampering. One might wonder whether Bryan Wagner was
instructed to destroy his computer. One might wonder what efforts might have
been undertaken to limit the incriminating testimony obtained from witnesses.
The relevant federal criminal statute is codified at
18 U.S.C. § 1512.
Perhaps it is the case that persons who commit crimes associated with spying
and pretexting may prove prosecutable for their criminal efforts to cover up
their crimes.