410 likes | 668 Vues
COMPUTER FRAUD ISSUES. Part 1: The Hack . Government & University vs. Harry . Harry hacks into databases at the FBI and NSA using the University’s computers. Harry has created a virus designed to disrupt strategic Federal computer networks within 72 hours if it is not disabled.
E N D
COMPUTER FRAUD ISSUES Part 1: The Hack
Government & University vs. Harry • Harry hacks into databases at the FBI and NSA using the University’s computers. • Harry has created a virus designed to disrupt strategic Federal computer networks within 72 hours if it is not disabled.
Issues 1.What Federal statutes have been violated? 2. Can Harry’s actions in hacking or creating a virus be construed as a form of terrorism?
Security Statutes WHO: PROTECTS PRIVATE USERS AND PROVIDERS WHAT: PROTECT AGAINST INTERCEPTING PRIVATE MESSAGES WHY: DISCOVER PERPETRATORS WHEN: AFTER DULY AUTHORIZED SEARCH WARRANT, WIRETAP, OR SUBPOENA
Applicable Statutes • COMPUTER FRAUD (18 USC 1030)-Unauthorized access or computer intrusion via theft into a government computer • WIRE FRAUD (18 USC 1343)- Bans use of wire, radio communications to defraud using interstate commerce • INTERSTATE TRANSPORT OF STOLEN PROPERTY (18 USC 2314) • WIRETAPPING STATUTE (18 USC 1029)-Fraudulent use of access devices
Applicable Statutes 5. ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986- (18 USC 2701)- prohibits government from intercepting voice and e-mail without the authorization of one of the parties, or a court order. 6. USA PATRIOT ACT- (PL 107-56) Expands law enforcement powers under other statutes
Computer Fraud Act of 1986 (18 USC 1030) • Criminalizes unauthorized access into or theft of federal interest computers. • Prevent access to classified national defense or foreign relations information, financial information or consumer reporting agency records, or manipulating information on a computer operated on behalf of the United States
Computer Fraud Act Covers: (a)(1)-- computer espionage, (a)(2)--theft of specific types of information, (a)(3)--computer trespass, (a)(4)--computer fraud, (a)(5)--damage to a protected computer, (a)(6)--trafficking in passwords, and (a)(7)--computer extortion.
Elements of Computer Fraud • "Unauthorized access" includes someone who steals another's identity to hack into a protected computer. • The perpetrator must intend to hack into the system or gain access. • Perpetrator must access a "protected computer," i.e. all government computers; operated on behalf of the government; used in interstate or foreign commerce or communications, financial institution computers, and foreign computers. • Must cause some damage.
Causing Damage • Impairment to the integrity or availability of data, a program, a system or information >$5000 in 1 year period • Impairment to medical information • Physical injury to a person • Threatens public health or safety • USA Patriot Act adds “damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security”
Additional Amendments • Increased statutory sentence maximums but eliminated mandatory minimum • Clarified no intent to cause damage • Defined loss for $5000 impairment • “includes any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or other information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service” (Codifies Middleton)
ECPA and Title III • Scope of subpoenas under 2703(c) • Expanded scope: basic subscriber, payment information, “temporarily assigned network address” and “records of session times and durations” • Permits historical tracing of a communication • No content • Voice mail fix • All stored voice is treated like email
Computer Trespasser Exception • New exception to Title III: allows law enforcement to intercept “computer trespasser” with consent of computer owner
USA Patriot Act, Computer Crime and Terrorism • “Federal Crime of Terrorism” • Act calculated to influence or affect the conduct of the Government by intimidation or coercion or to retaliate for Government conduct and • Act violates section 1030(a)(1) or (a)(5)(A)(i) and (B)(ii)-(iv) (intentional conduct and not just monetary damages)
Domestic Terrorism • Based on international terrorism definition • Acts occurring within the territorial US • That are dangerous to human life • That are a violation of the criminal laws and • That appear to be intended to intimidate or coerce a civilian population, influence the policy of a government by intimidation or coercion, or affect the conduct of a government by mass destruction, assassination or kidnapping
Harry vs. Government & University • FBI and NSA trace the hack back to the University of Tech. • The University’s president gives them access to trace the hack to the Computer Lab; allows them to see the student records of Middle Eastern students. • FBI and NSA have been secretly intercepting all of Harry’s and his fiancé's telephone calls and e-mails per U.S. Patriot Act.
Facts University has policies and procedures that • All work developed using University resources and time belong to the University. • Reserve the right to audit and monitor Internet use; • Warn that information flowing through the University's network is not confidential; • Users of University computers are subject to penalties for misuse; • The University's right to conduct inspections, • The University owns the computers and explicitly reserves ownership of data stored within it.
ISSUES 1. Did the FBI and NSA properly trace the hack back to the University? 2. If so, did the University properly give the government access to the computer network and to the student records of Middle Eastern students? 3. Did the FBI violate Harry and the fiance’s rights by wiretapping her phone without a specific warrant; and getting an overly broad subpoena for their e-mails?
USA Patriot Act • 202 Authority to Intercept Voice Communications in Computer Hacking Investigations: Law enforcement can get a wiretap on telephone conversations when investigating Computer Fraud and Abuse Act. Sunset 12/31/05 • Section 209 Obtaining Voice-mail and Other Stored Voice Communications: Law enforcement can get a search warrant to access stored email and attachments; and voicemail.
USA Patriot Act • Section 210 Scope of Subpoenas for Electronic Evidence: Law enforcement can use a subpoena to get session times and durations; as well as temporarily assigned network addresses, i.e. IP address; and means and source of payment, i.e., credit card information. • Section 213 Authority to Delay Notice of the Execution of a Warrant: Law enforcement can delay notifying targets of searches if the court finds reasonable cause to believe endanger of life, flight, evidence tampering, witness intimidation for 7 days, with extensions. Does not delay notice of seizures.
USA Patriot Act • Section 507 Disclosure of Educational Records The Attorney General or Federal officer may apply for an ex parte order requiring an educational agency to collect education records for investigation of terrorism or for official purposes related to investigations that require confidentiality.
USA Patriot Act Section 216 Pen Register & Trap and Trace Statute: Law enforcement can use pen/trap orders to trace communications on the Internet under order that has nationwide effect; and must submit a report when installing monitoring device on a public provider. Can get all dialing, routing, addressing and signaling information.
Theofel v. Farey-Jones • Assume the Gov. subpoena for the ISP to access Harry’s & girlfriend’s email is overly broad. • Overbroad subpoena for ISP re email • Deception to gain entry that is substantial mistake can renders police officer a “trespasser.” • If D have constructive knowledge of illegal subpoena, they may be held liable to 3rd parties.
Response to Issues • Did the FBI and NSA properly trace the hack back to the University? Yes. Probable cause after discovery that they had been hacked to take necessary steps to investigate the hack. 2. If so, did the University properly give the government access to the computer network and to the student records of Middle Eastern students? Yes. Probable cause after discovery that they had been hacked to take necessary steps to investigate the hack, although allege profiling and may have violated students’ civil rights. 3. Did the FBI violate Harry and the fiance’s rights by wiretapping her phone without a specific warrant; and getting an overly broad subpoena for their e-mails? Possibly, under Patriot act, reasonable to extend taps to Harry and girlfriend. Overly broad subpoena may be a problem if they knew that it was invalid and irrelevant information turned over.
Facts University gives the FBI access to Harry’s room without his knowledge and without a warrant, seize the computers, reads through his files and disks.
Issues 1. Did access to Harry’s room without a warrant violate any of Harry’s rights? 2. Did the FBI have probable cause under the exigent circumstance to access Harry’s room without his knowledge and without a warrant? 3. Did the seizure of the computer violate state or federal right? 4. Did reading of the computer files and disk violate Harry’s Fourth Amendment, California Constitution, and/or statutory rights. 5. If so, what are Harry’s remedies? 6. What privacy rights have been invaded by the University and/or FBI.
U.S. v. Bivens • Bivens v. Six Unknown Named Agents, 403 US 398 (1971) • Facts: Fed. Bureau of Narcotics acting under color of federal authority made a warrantless entry into and search of apartment, and subsequent arrest. All acts were done without probable cause. Ct. held that D could recover damages upon proof of injury resulting from the violation. • Fourth Amendment is a limit on federal power regardless of whether the state would prohibit or penalized the action if conducted by a private citizen.
People v. Superior Court • University student was charged with possession of marijuana for sale based on evidence seized from his dormitory room in a warrantless search. • Held: 1) student's dormitory room was protected by Fourth Amendment; 2) housing contract student signed did not waive Fourth Amendment rights; 3) university safety officer could not consent to search of room; and 4) evidence was admissible under inevitable discovery doctrine.
Electronic Communications Privacy Act of 1986 (ECPA), 18 USC 2511 • The provides broad statutory privacy protection for wireless, wire, and electronic communications and storage of digitized text information, such as e-mail. • ECPA prohibits government agents and third parties from intercepting voice and e-mail without the authorization of one of the parties, or a court order. • Statutory damages are limited to $1,000 for most offenses by government officers.
Facts The Government detains Harry without filing charges for 3 days, denying access to a lawyer.
Riverside v. McLaughlin, 111 SCt 1661 (1991) • Class action against the county for violation of Fourth Amendment by failing to provide prompt judicial determination of probable cause. Once you arrest, you must bring promptly before the magistrate for a determination of probable cause. Court held that to bring a defendant before magistrate within 48 hours of arrest was not unreasonable.
U.S. v. Maxwell, 45 MJ 406 (1996) • Violation of the warrant requirement means that the "fruits" of the illegal search are inadmissible in a court of law.
Shartzer v. Israels, 59 Cal Rptr 2d 296 (1996) • Defense counsel (Israel) unlawfully read and disseminated confidential mental health records acquired accidentally, and used in cross examination of Shartzer, causing damage and constituted an invasion of privacy under Article I of California Constitution. Charge of sexual battery of plaintiff Shartzer. Ct. held plaintiff had a reasonable expectation of privacy.
Issues 1. Which of Harry’s rights did the government violate? 2. Did Harry’s detention violate his rights? 3. What remedy does Harry have against the Government? 4. Can the government threaten to take action against him or his fiance if he does not cooperate. 5. Do such threats constitute torture?
Harry’s Interest • Get out of jail, • Negotiate the return of his computer and files, • Avoid expulsion from University, • Protect his fiance and her family, • Dispose of the secrecy order, and • Perfect or dispose of any intellectual property rights in TAISP.
Government’s Interests • Disable the virus, • Collect information about Harry's fiance's father, • Recover TAISP and all copies of the source code; • Punish Harry for hacking into their network, and • Learn how TAISP works, • Learn how Harry hacked into FBI and NSA files.
University’s Interests • Avoid any liability for Harry's actions in using the University's Supercomputer; • Learn how Harry navigated through their network to hack into the government's system; • Assert an interest in TAISP; and • Recognition and grants for Harry's research in artificial intelligence.